Documentation ¶
Index ¶
Constants ¶
// BlockVAPBGenerationUntilAnnotation is the annotation key
// "gatekeeper.sh/block-vapb-generation-until".
//
// NOTE(review): the name suggests the value marks the point in time before
// which no ValidatingAdmissionPolicyBinding (VAPB) is generated. The value
// format and the object carrying the annotation are not visible here; confirm
// both in the controller. If the controller trusts the value as written, write
// access to the annotated object is part of the policy's trust boundary, so
// check how the value is parsed and bounded.
const BlockVAPBGenerationUntilAnnotation = "gatekeeper.sh/block-vapb-generation-until"

// VAPB generation states.
//
// NOTE(review): where these values are recorded is not shown here. A
// constraint that stays in WaitVAPBState or ErrGenerateVAPBState presumably
// has no generated binding, so watching for those values is a way to spot
// constraints that are not enforced through ValidatingAdmissionPolicy.
// Confirm where the state is surfaced before building an alert on it.
const (
	// ErrGenerateVAPBState is the state value "error".
	ErrGenerateVAPBState = "error"
	// GeneratedVAPBState is the state value "generated".
	GeneratedVAPBState = "generated"
	// WaitVAPBState is the state value "waiting".
	WaitVAPBState = "waiting"
)
Variables ¶
// Command-line defaults for generating Kubernetes ValidatingAdmissionPolicy
// (VAP) and ValidatingAdmissionPolicyBinding (VAPB) resources. All three flags
// are marked alpha in their help text and are registered on the process-wide
// flag set when the package is initialized.
var (
	// DefaultGenerateVAPB defaults to false: no VAPB is created for a
	// constraint whose template contains VAP-style CEL source.
	//
	// The API server does not evaluate a ValidatingAdmissionPolicy until a
	// binding for it exists. Enabling DefaultGenerateVAP alone therefore does
	// not turn on in-API-server enforcement unless bindings are produced some
	// other way.
	DefaultGenerateVAPB = flag.Bool(
		"default-create-vap-binding-for-constraints",
		false,
		"(alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding.",
	)

	// DefaultGenerateVAP defaults to false: a VAP is created only for
	// templates that explicitly set generateVAP: true. When the flag is true
	// the rule inverts, and only templates that set generateVAP: false are
	// skipped.
	DefaultGenerateVAP = flag.Bool(
		"default-create-vap-for-templates",
		false,
		"(alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly.",
	)

	// DefaultWaitForVAPBGeneration is the delay in seconds, 30 by default,
	// between creation of a constraint CRD and generation of a VAPB.
	//
	// During this window no generated binding exists, so the constraint is
	// not yet enforced through VAP.
	// NOTE(review): confirm that another admission path covers the constraint
	// in the meantime. flag.Int accepts negative and very large values, and no
	// validation of this value is visible here.
	DefaultWaitForVAPBGeneration = flag.Int(
		"default-wait-for-vapb-generation",
		30,
		"(alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created.",
	)
)
// Sentinel errors for VAP/VAPB generation. Both are distinct values created
// with errors.New, so callers can match them with errors.Is.
var (
	// ErrValidatingAdmissionPolicyAPIDisabled carries the message that the
	// ValidatingAdmissionPolicy API is not enabled.
	// NOTE(review): presumably no VAP or VAPB is generated when this is
	// returned, so callers should surface it rather than drop it. Otherwise
	// an operator may assume enforcement through VAP that is not in place.
	// Confirm against the callers.
	ErrValidatingAdmissionPolicyAPIDisabled = errors.New(
		"ValidatingAdmissionPolicy API is not enabled",
	)

	// ErrVAPConditionsNotSatisfied carries the message that the conditions
	// for generating a VAP and VAPB are not satisfied. The conditions
	// themselves are not visible here.
	ErrVAPConditionsNotSatisfied = errors.New(
		"Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding",
	)
)
Functions ¶
func ShouldGenerateVAP ¶ added in v3.17.0
func ShouldGenerateVAP(ct *templates.ConstraintTemplate) (bool, error)
Types ¶
type Adder ¶
// Adder holds the dependencies of the constraint controller. Its Add method
// creates the controller and adds it to the Manager. Every field is exported,
// and *Adder also has Inject* setter methods for some of them (their bodies
// are not visible here).
type Adder struct {
	// CFClient is presumably the constraint framework client — confirm.
	CFClient *constraintclient.Client

	// ConstraintsCache points to this package's ConstraintsCache type, whose
	// fields are unexported.
	ConstraintsCache *ConstraintsCache

	// WatchManager is the watch manager dependency.
	WatchManager *watch.Manager

	// ControllerSwitch is the controller switch dependency; its effect on
	// reconciliation is not visible here.
	ControllerSwitch *watch.ControllerSwitch

	// Events is a receive-only channel of generic events; the producer is not
	// visible here.
	Events <-chan event.GenericEvent

	// Tracker is the readiness tracker dependency.
	Tracker *readiness.Tracker

	// GetPod returns a Pod for the given context.
	// NOTE(review): presumably the pod Gatekeeper itself runs in — confirm.
	GetPod func(context.Context) (*corev1.Pod, error)

	// ProcessExcluder is the process excluder dependency.
	// NOTE(review): if it exempts namespaces or processes from handling, its
	// configuration narrows what is enforced and is worth auditing — confirm
	// its semantics.
	ProcessExcluder *process.Excluder

	// IfWatching allows the reconciler to only execute functions if a constraint
	// template is currently being watched. It is designed to be atomic to avoid
	// race conditions between the constraint controller and the constraint template
	// controller.
	IfWatching func(schema.GroupVersionKind, func() error) (bool, error)
}
func (*Adder) Add ¶
Add creates a new Constraint Controller and adds it to the Manager. The Manager will set fields on the Controller and Start it when the Manager is Started.
func (*Adder) InjectCFClient ¶ added in v3.14.0
func (a *Adder) InjectCFClient(c *constraintclient.Client)
func (*Adder) InjectControllerSwitch ¶
func (a *Adder) InjectControllerSwitch(cs *watch.ControllerSwitch)
func (*Adder) InjectTracker ¶
func (*Adder) InjectWatchManager ¶
type ConstraintsCache ¶
type ConstraintsCache struct {
// contains filtered or unexported fields
}
func NewConstraintsCache ¶
func NewConstraintsCache() *ConstraintsCache
type ReconcileConstraint ¶
type ReconcileConstraint struct {
// contains filtered or unexported fields
}
ReconcileConstraint reconciles an arbitrary constraint object described by Kind.
type StatsReporter ¶
type StatsReporter interface {
// contains filtered or unexported methods
}
StatsReporter reports audit metrics.