Documentation ¶
Overview ¶
+kubebuilder:object:generate=true
+groupName=match.gatekeeper.sh
Constants ¶
const Wildcard = "*"
Wildcard represents matching any Group, Version, or Kind. Only for use in Match, not ApplyTo.
Variables ¶
var ErrMatch = errors.New("failed to run Match criteria")
Functions ¶
func AppliesTo ¶
func AppliesTo(applyTo []ApplyTo, gvk schema.GroupVersionKind) bool
AppliesTo checks if any item in the given slice of ApplyTo applies to the given object.
func IsNamespace ¶
Types ¶
type ApplyTo ¶
type ApplyTo struct {
	Groups   []string `json:"groups,omitempty"`
	Kinds    []string `json:"kinds,omitempty"`
	Versions []string `json:"versions,omitempty"`
}
ApplyTo determines which GVKs the mutation should apply to. Globs are not allowed.
+kubebuilder:object:generate=true
func (*ApplyTo) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplyTo.
func (*ApplyTo) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (ApplyTo) Flatten ¶
func (a ApplyTo) Flatten() []schema.GroupVersionKind
Flatten returns the set of GroupVersionKinds this ApplyTo matches. The GVKs are not guaranteed to be sorted or unique.
type DummyCRD ¶
type DummyCRD struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadataDummy,omitempty"`
	Match             `json:"embeddedMatch,omitempty"`
}
DummyCRD is a "dummy" CRD to hold the Match object, which we ultimately need to generate JSONSchemaProps. The TypeMeta and ObjectMeta fields are required for controller-gen to generate the CRD.
+kubebuilder:resource:path="matchcrd"
func (*DummyCRD) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DummyCRD.
func (*DummyCRD) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Kinds ¶
type Kinds struct {
	// APIGroups is the API groups the resources belong to. '*' is all groups.
	// If '*' is present, the length of the slice must be one.
	// Required.
	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,1,rep,name=apiGroups"`
	Kinds     []string `json:"kinds,omitempty"`
}
Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
+kubebuilder:object:generate=true
func (*Kinds) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Kinds.
func (*Kinds) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Match ¶
type Match struct {
	// Source determines whether generated or original resources are matched.
	// Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of
	// `Generated` will only match generated resources, while `Original` will only
	// match regular resources.
	// +kubebuilder:validation:Enum=All;Generated;Original
	Source string  `json:"source,omitempty"`
	Kinds  []Kinds `json:"kinds,omitempty"`
	// Scope determines if cluster-scoped and/or namespaced-scoped resources
	// are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
	Scope apiextensionsv1.ResourceScope `json:"scope,omitempty"`
	// Namespaces is a list of namespace names. If defined, a constraint only
	// applies to resources in a listed namespace. Namespaces also supports a
	// prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both
	// `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both
	// `kube-system` and `gatekeeper-system`.
	Namespaces []util.Wildcard `json:"namespaces,omitempty"`
	// ExcludedNamespaces is a list of namespace names. If defined, a
	// constraint only applies to resources not in a listed namespace.
	// ExcludedNamespaces also supports a prefix or suffix based glob. For example,
	// `excludedNamespaces: [kube-*]` matches both `kube-system` and
	// `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and
	// `gatekeeper-system`.
	ExcludedNamespaces []util.Wildcard `json:"excludedNamespaces,omitempty"`
	// LabelSelector is the combination of two optional fields: `matchLabels`
	// and `matchExpressions`. These two fields provide different methods of
	// selecting or excluding k8s objects based on the label keys and values
	// included in object metadata. All selection expressions from both
	// sections are ANDed to determine if an object meets the cumulative
	// requirements of the selector.
	LabelSelector *metav1.LabelSelector `json:"labelSelector,omitempty"`
	// NamespaceSelector is a label selector against an object's containing
	// namespace or the object itself, if the object is a namespace.
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
	// Name is the name of an object. If defined, it will match against objects with the specified
	// name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match
	// both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.
	Name util.Wildcard `json:"name,omitempty"`
}
Match selects which objects are in scope.
+kubebuilder:object:generate=true
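The namespace scoping described in the Namespaces and ExcludedNamespaces comments above, as an added example that is not code from the Gatekeeper project: a stand-alone Go model that lists which namespaces a constraint would skip, so broad exclusion globs can be reviewed before rollout. The names globMatch, anyMatch, inScope and outOfScope are hypothetical, the namespace inventory is constructed, and requiring both fields to pass is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// globMatch models the documented globs: "kube-*" is a prefix match, "*-system"
// a suffix match, anything else an exact name (undocumented forms: assumption).
func globMatch(pattern, name string) bool {
	switch {
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(name, strings.TrimPrefix(pattern, "*"))
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(name, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == name
}

func anyMatch(patterns []string, name string) bool {
	for _, p := range patterns {
		if globMatch(p, name) {
			return true
		}
	}
	return false
}

// inScope: the namespace must match Namespaces when that list is defined and
// must not match ExcludedNamespaces. Requiring both is an assumption here.
func inScope(namespaces, excluded []string, ns string) bool {
	return (len(namespaces) == 0 || anyMatch(namespaces, ns)) && !anyMatch(excluded, ns)
}

// outOfScope lists the namespaces a constraint with these fields would skip.
func outOfScope(namespaces, excluded, cluster []string) []string {
	var skipped []string
	for _, ns := range cluster {
		if !inScope(namespaces, excluded, ns) {
			skipped = append(skipped, ns)
		}
	}
	return skipped
}

func main() {
	// Constructed namespace inventory, not taken from a real cluster.
	cluster := []string{"default", "kube-system", "kube-public", "gatekeeper-system", "payments", "payments-system"}
	fmt.Println(outOfScope(nil, []string{"kube-*", "*-system"}, cluster))
}
```

In the constructed inventory the `*-system` exclusion also skips `payments-system`, a workload namespace that merely shares the suffix.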
func (*Match) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Match.
func (*Match) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.