api

package
v3.6.0-alpha.2+incompa... Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jun 7, 2017 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package api is the internal version of the API.

Index

Constants

// ConfigKind is the kind string "ImagePolicyConfig". It has the same spelling as the
// ImagePolicyConfig type declared in this package.
const ConfigKind = "ImagePolicyConfig"
// IgnorePolicyRulesAnnotation is the namespace annotation key whose value is a
// comma-delimited list of rule names to omit from consideration in that namespace.
// A rule whose IgnoreNamespaceOverride field is true is documented as not being
// overridable through this annotation.
// NOTE(review): a rule that leaves IgnoreNamespaceOverride false can be switched off by
// whoever may set annotations on the namespace; confirm who holds that permission.
const IgnorePolicyRulesAnnotation = "alpha.image.policy.openshift.io/ignore-rules"

IgnorePolicyRulesAnnotation is a comma-delimited list of rule names to omit from consideration in a given namespace. It is loaded from the namespace on which it is set.

// PluginName is the string "openshift.io/ImagePolicy".
// NOTE(review): presumably the name under which the image policy admission plugin is
// registered; the registration is not shown here, so confirm against the caller.
const PluginName = "openshift.io/ImagePolicy"

Variables

var (
	// SchemeBuilder is built by runtime.NewSchemeBuilder from addKnownTypes, which is
	// defined elsewhere in the package and not shown here.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme is the AddToScheme method value of SchemeBuilder.
	AddToScheme   = SchemeBuilder.AddToScheme
)
// SchemeGroupVersion is the group/version for this package's types: the empty group and
// runtime.APIVersionInternal, which matches the package description ("the internal
// version of the API").
var SchemeGroupVersion = schema.GroupVersion{Group: "", Version: runtime.APIVersionInternal}

Functions

func FailOnResolutionFailure

func FailOnResolutionFailure(imageResolutionType ImageResolutionType) bool

FailOnResolutionFailure returns true if you should fail when resolution fails

func RequestsResolution

func RequestsResolution(imageResolutionType ImageResolutionType) bool

RequestsResolution returns true if you should attempt to resolve image pull specs

func RewriteImagePullSpec

func RewriteImagePullSpec(imageResolutionType ImageResolutionType) bool

RewriteImagePullSpec returns true if you should rewrite image pull specs when resolution succeeds

Types

type ImageCondition

// ImageCondition defines the conditions for matching a particular image source. The
// conditions below are all required (logical AND). If Reject is specified, the condition
// is false if all conditions match, and true otherwise.
//
// NOTE(review): Reject is declared on ImageExecutionPolicyRule, not on this type; the
// inverting field declared here is InvertMatch. Confirm which one the sentence above means.
type ImageCondition struct {
	// Name is the name of this policy rule for reference. It must be unique across all rules.
	Name string
	// IgnoreNamespaceOverride prevents this condition from being overridden when the
	// `alpha.image.policy.openshift.io/ignore-rules` annotation is set on a namespace and
	// contains this rule name. A rule that leaves this false can be omitted per namespace
	// through that annotation, so set it on rules that must not be switched off that way.
	IgnoreNamespaceOverride bool

	// OnResources determines which resources this applies to. Defaults to 'pods' for ImageExecutionPolicyRules.
	OnResources []schema.GroupResource

	// InvertMatch means the value of the condition is logically inverted (true -> false, false -> true).
	InvertMatch bool

	// MatchIntegratedRegistry will only match image sources that originate from the configured integrated
	// registry.
	MatchIntegratedRegistry bool
	// MatchRegistries will match image references that point to the provided registries. If any of the listed
	// registries match, this condition is satisfied.
	// NOTE(review): how a registry entry is compared with an image reference (exact host,
	// host and port, prefix) is not shown here; confirm before relying on it as an allow-list.
	MatchRegistries []string

	// SkipOnResolutionFailure allows the subsequent conditions to be bypassed if the integrated registry does
	// not have access to image metadata (no image exists matching the image digest).
	// NOTE(review): when this is set, the label and annotation conditions below are
	// presumably not evaluated for an image that cannot be resolved; confirm what the rule
	// then decides for such an image.
	SkipOnResolutionFailure bool

	// MatchDockerImageLabels checks against the resolved image for the presence of a Docker label. All conditions
	// must match.
	MatchDockerImageLabels []ValueCondition
	// MatchImageLabels checks against the resolved image for a label. All conditions must match.
	MatchImageLabels []metav1.LabelSelector
	// MatchImageLabelSelectors is the processed form of MatchImageLabels. All conditions must match.
	// NOTE(review): where the processing happens is not shown here; presumably callers
	// fill in MatchImageLabels and this field is derived from it, so confirm.
	MatchImageLabelSelectors []labels.Selector
	// MatchImageAnnotations checks against the resolved image for an annotation. All conditions must match.
	MatchImageAnnotations []ValueCondition
}

ImageCondition defines the conditions for matching a particular image source. The conditions below are all required (logical AND). If Reject is specified, the condition is false if all conditions match, and true otherwise.

type ImageExecutionPolicyRule

// ImageExecutionPolicyRule determines whether a provided image may be used on the platform.
// It embeds ImageCondition, so every ImageCondition field is set directly on the rule.
type ImageExecutionPolicyRule struct {
	// ImageCondition holds the matching criteria for this rule (embedded).
	ImageCondition

	// Reject means this rule, if it matches the condition, will cause an immediate failure. No
	// other rules will be considered.
	Reject bool
}

ImageExecutionPolicyRule determines whether a provided image may be used on the platform.

type ImagePolicyConfig

// ImagePolicyConfig is the configuration for controlling how images are used in the cluster.
type ImagePolicyConfig struct {
	// TypeMeta is embedded from metav1.
	metav1.TypeMeta

	// ResolveImages indicates what kind of image resolution should be done.  If a rewriting policy is chosen,
	// then the image pull specs will be updated.
	// The declared values are RequiredRewrite, Required, AttemptRewrite, Attempt and DoNotAttempt.
	ResolveImages ImageResolutionType

	// ResolutionRules allows more specific image resolution rules to be applied per resource. If
	// empty, it defaults to allowing local image stream lookups - "mysql" will map to the image stream
	// tag "mysql:latest" in the current namespace if the stream supports it.
	ResolutionRules []ImageResolutionPolicyRule

	// ExecutionRules determine whether the use of an image is allowed in an object with a pod spec.
	// By default, these rules only apply to pods, but may be extended to other resource types.
	// NOTE(review): what happens to an image that matches no rule is not stated here;
	// confirm the default outcome before treating this list as an allow-list.
	ExecutionRules []ImageExecutionPolicyRule
}

ImagePolicyConfig is the configuration for controlling how images are used in the cluster.

func (*ImagePolicyConfig) GetObjectKind

func (obj *ImagePolicyConfig) GetObjectKind() schema.ObjectKind

type ImageResolutionPolicyRule

// ImageResolutionPolicyRule describes resolution rules based on resource.
type ImageResolutionPolicyRule struct {
	// TargetResource is the identified group and resource. If Resource is *, this rule will apply
	// to all resources in that group.
	// Note that this field is a metav1.GroupResource, while ImageCondition.OnResources
	// uses schema.GroupResource.
	TargetResource metav1.GroupResource
	// LocalNames will allow single segment names to be interpreted as namespace local image
	// stream tags, but only if the target image stream tag has the "resolveLocalNames" field
	// set.
	LocalNames bool
}

ImageResolutionPolicyRule describes resolution rules based on resource.

type ImageResolutionType

type ImageResolutionType string

ImageResolutionType is an enumerated string that indicates how image pull spec resolution should be handled

// The values an ImageResolutionType may take.
// NOTE(review): these are declared with var rather than const, so code in an importing
// package can reassign them; confirm whether that is intended.
var (
	// RequiredRewrite requires resolution to succeed and rewrites the resource to use it.
	RequiredRewrite ImageResolutionType = "RequiredRewrite"
	// Required requires resolution to succeed, but doesn't rewrite the image pull spec.
	Required ImageResolutionType = "Required"
	// AttemptRewrite attempts resolution and rewrites if successful.
	AttemptRewrite ImageResolutionType = "AttemptRewrite"
	// Attempt attempts resolution and doesn't rewrite.
	Attempt ImageResolutionType = "Attempt"
	// DoNotAttempt doesn't attempt resolution.
	DoNotAttempt ImageResolutionType = "DoNotAttempt"
)

type ValueCondition

// ValueCondition reflects whether the following key in a map is set or has a given value.
// Set and Value are documented as mutually exclusive; nothing in this declaration
// enforces that, so any enforcement must live elsewhere.
type ValueCondition struct {
	// Key is the name of a key in a map to retrieve.
	Key string
	// Set indicates the provided key exists in the map. This field is exclusive with Value.
	Set bool
	// Value indicates the provided key has the given value. This field is exclusive with Set.
	Value string
}

ValueCondition reflects whether the following key in a map is set or has a given value.
