common

package
v0.5.0-rc14 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 10, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// EnforceLabel is a that governs the PSS that is enforced for a namespace
	EnforceLabel = "pod-security.kubernetes.io/enforce"
	// EnforceVersionLabel is a label  that governs the PSS version that is enforced for a namespace
	EnforceVersionLabel = "pod-security.kubernetes.io/enforce-version"
	// AuditLabel is a label  that governs the PSS that is used for auditing a namespace
	AuditLabel = "pod-security.kubernetes.io/audit"
	// AuditVersionLabel is a label  that governs the PSS version that is used for auditing a namespace
	AuditVersionLabel = "pod-security.kubernetes.io/audit-version"
	// WarnLabel is a label  that governs the PSS that is used for warning about PSA violations in a namespace
	WarnLabel = "pod-security.kubernetes.io/warn"
	// WarnVersionLabel is a label  that governs the PSS version that is used for warning about PSA violations in a namespace
	WarnVersionLabel = "pod-security.kubernetes.io/warn-version"
)

Variables

This section is empty.

Functions

func CheckCreatorID

func CheckCreatorID(request *admission.Request, oldObj, newObj metav1.Object) *metav1.Status

func ConvertAuthnExtras

func ConvertAuthnExtras(extra map[string]authnv1.ExtraValue) map[string]authzv1.ExtraValue

ConvertAuthnExtras converts authnv1 type extras to authzv1 extras. Technically these are both type alias to string, so the conversion is straightforward

func IsCreatingPSAConfig

func IsCreatingPSAConfig(new map[string]string) bool

IsCreatingPSAConfig will indicate whether or not the labels being passed in are attempting to create PSA-related configuration.

func IsModifyingLabel added in v0.5.0

func IsModifyingLabel(oldLabels, newLabels map[string]string, label string) bool

ValidateLabel checks if a user is removing or modifying a label. If the label is newly added, return false.

func IsUpdatingPSAConfig

func IsUpdatingPSAConfig(old map[string]string, new map[string]string) bool

IsUpdatingPSAConfig will indicate whether or not the labels being passed in are attempting to update PSA-related configuration.

func SetCreatorIDAnnotation

func SetCreatorIDAnnotation(request *admission.Request, response *v1.AdmissionResponse, obj runtime.RawExtension, newObj metav1.Object) error

SetCreatorIDAnnotation sets the creatorID Annotation on the newObj based on the user specified in the request.

func ValidateRules added in v0.3.10

func ValidateRules(rules []rbacv1.PolicyRule, isNamespaced bool, fldPath *field.Path) error

ValidateRules calls on standard kubernetes RBAC functionality for the validation of policy rules to validate Rancher rules. This is currently used in the validation of globalroles and roletemplates.

Types

type CachedVerbChecker added in v0.5.0

type CachedVerbChecker struct {
	// contains filtered or unexported fields
}

CachedVerbChecker is used for caching if a request for a non-namespaced gvr with specified name has the given overrideVerb. This is meant to eliminate the need to perform multiple calls to the provided SubjectAccessReview for the overrideVerb. Each CachedVerbChecker is unique to the initial set up. If the caller needs to change what it is checking (different verb, resource name, resource type) a new CachedVerbChecker must be created. A CachedVerbChecker should not be shared between admitters. Each admitter must request a new CachedVerbChecker. Additionally, the CachedVerbChecker should not be shared between requests, even for the same admitter.

func NewCachedVerbChecker added in v0.5.0

NewCachedVerbChecker creates a new CachedVerbChecker

func (*CachedVerbChecker) HasVerb added in v0.5.0

func (c *CachedVerbChecker) HasVerb() bool

HasVerb returns if the request has the overrideVerb. Only checks the request the first time called, after that it returns the cached value.

func (*CachedVerbChecker) IsRulesAllowed added in v0.5.0

func (c *CachedVerbChecker) IsRulesAllowed(rules []v1.PolicyRule, resolver validation.AuthorizationRuleResolver, namespace string) error

IsRulesAllowed checks if the request has permissions to create the rules provided. Returns nil if the rules are allowed.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL