Documentation
Index
- Constants
- Variables
- func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, ...) (unstructured.Unstructured, error)
- func Generate(policyContext PolicyContext) (resp response.EngineResponse)
- func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, ...) error
- func Mutate(policyContext PolicyContext) (resp response.EngineResponse)
- func Validate(policyContext PolicyContext) (resp response.EngineResponse)
- type EngineStats
- type PolicyContext
Constants
const (
	// PodControllers stores the list of Pod-controllers as a CSV string
	PodControllers = "DaemonSet,Deployment,Job,StatefulSet"
	// PodControllersAnnotation defines the annotation key for Pod-Controllers
	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
	// PodTemplateAnnotation defines the annotation key for Pod-Template
	PodTemplateAnnotation = "pod-policies.kyverno.io/autogen-applied"
	PodControllerRuleName = "podControllerAnnotation"
)
Variables
var ExcludeUserInfo = []string{"system:nodes", "system:serviceaccounts:kube-system", "system:kube-scheduler"}
Functions
func ForceMutate (added in v1.1.4)
func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (unstructured.Unstructured, error)
ForceMutate does not check any conditions; it simply mutates the given resource.
func Generate
func Generate(policyContext PolicyContext) (resp response.EngineResponse)
Generate checks the validity of the generate rule on the resource:
1. It validates the variables to be substituted in the general ruleInfo (match, exclude, condition).
- The caller has to check the ruleResponse to determine whether the path exists.
2. It returns the list of rules that are applicable to this policy and resource, if step 1 succeeds.
func MatchesResourceDescription (added in v0.8.0)
func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo) error
MatchesResourceDescription checks whether the resource matches the resource description of the rule.
func Mutate
func Mutate(policyContext PolicyContext) (resp response.EngineResponse)
Mutate performs mutation: the overlay is applied first, then the mutation patches.
func Validate
func Validate(policyContext PolicyContext) (resp response.EngineResponse)
Validate applies the validation rules from the policy to the resource.
Types
type EngineStats (added in v0.8.0)
type EngineStats struct {
	// average time required to process the policy rules on a resource
	ExecutionTime time.Duration
	// Count of rules that were applied successfully
	RulesAppliedCount int
}
EngineStats stores the statistics for a single application of a resource.
type PolicyContext (added in v1.0.0)
type PolicyContext struct {
	// policy to be processed
	Policy kyverno.ClusterPolicy
	// resource to be processed
	NewResource unstructured.Unstructured
	// old Resource - Update operations
	OldResource   unstructured.Unstructured
	AdmissionInfo kyverno.RequestInfo
	// Dynamic client - used by generate
	Client *client.Client
	// Contexts to store resources
	Context context.EvalInterface
}
PolicyContext contains the contexts for the engine to process.