Documentation ¶
Index ¶
- func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error)
- func FormAbsolutePath(referencePath, absolutePath string) string
- func Generate(client *client.Client, policy kubepolicy.Policy, rawResource []byte, ...) []*info.RuleInfo
- func GenerateNew(client *client.Client, policy *v1alpha1.Policy, ns *corev1.Namespace) []*info.RuleInfo
- func JoinPatches(patches [][]byte) []byte
- func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, []*info.RuleInfo)
- func ParseKindFromObject(bytes []byte) string
- func ParseNameFromObject(bytes []byte) string
- func ParseNamespaceFromObject(bytes []byte) string
- func ParseRegexPolicyResourceName(policyResourceName string) (string, bool)
- func ProcessExisting(client *client.Client, policy *types.Policy) []*info.PolicyInfo
- func ProcessOverlay(rule kubepolicy.Rule, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, error)
- func ProcessPatches(rule kubepolicy.Rule, resource []byte) (allPatches [][]byte, errs []error)
- func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.ResourceDescription, ...) bool
- func Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) ([]*info.RuleInfo, error)
- func ValidateValueWithPattern(value, pattern interface{}) bool
- type ConditionAnchorValidationHandler
- type ExistanceAnchorValidationHandler
- type NoAnchorValidationHandler
- type Operator
- type ValidationAnchorHandler
- func CreateAnchorHandler(anchor string, pattern interface{}, path string) ValidationAnchorHandler
- func NewConditionAnchorValidationHandler(anchor string, pattern interface{}, path string) ValidationAnchorHandler
- func NewExistanceAnchorValidationHandler(anchor string, pattern interface{}, path string) ValidationAnchorHandler
- func NewNoAnchorValidationHandler(path string) ValidationAnchorHandler
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyPatches ¶
ApplyPatches patches given resource with given patches and returns patched document
func FormAbsolutePath ¶ added in v0.4.0
func Generate ¶
func Generate(client *client.Client, policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind, processExisting bool) []*info.RuleInfo
Generate should be called to process generate rules on the resource
func GenerateNew ¶ added in v0.6.0
func GenerateNew(client *client.Client, policy *v1alpha1.Policy, ns *corev1.Namespace) []*info.RuleInfo
GenerateNew applies generation rules on a resource
func JoinPatches ¶
JoinPatches joins an array of serialized JSON patches into a single JSONPatch array
func Mutate ¶
func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, []*info.RuleInfo)
Mutate performs mutation. Overlay first and then mutation patches
func ParseKindFromObject ¶ added in v0.5.0
ParseKindFromObject gets the kind from the resource
func ParseNameFromObject ¶
ParseNameFromObject extracts resource name from JSON obj
func ParseNamespaceFromObject ¶
ParseNamespaceFromObject extracts the namespace from the JSON obj
func ParseRegexPolicyResourceName ¶
ParseRegexPolicyResourceName reports, in the returned bool, whether policyResourceName is a regexp; the returned string is not described on this page
func ProcessExisting ¶
Because the logic to process the policies is stateless, we do not need to define a struct and implement behaviors for it. Instead, we expose the logic as standalone functions that are passed the required attributes. Each function returns the changes that need to be applied to the resource; the caller is responsible for applying those changes to the resource. ProcessExisting checks for mutation and validation violations of existing resources.
func ProcessOverlay ¶
func ProcessOverlay(rule kubepolicy.Rule, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, error)
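ProcessOverlay handles validating admission request. Checks the target resources for rules defined in the policy. Note that this wording matches the description of Validate, whereas Mutate's description lists the overlay as the first mutation step and the signature here returns patches ([][]byte), so the text was presumably copied and should be confirmed against the source.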
func ProcessPatches ¶
func ProcessPatches(rule kubepolicy.Rule, resource []byte) (allPatches [][]byte, errs []error)
ProcessPatches returns an array of separate patches that can be applied to the document. It returns errors ONLY in the case when creation of the resource should be denied.
func ResourceMeetsDescription ¶
func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) bool
ResourceMeetsDescription checks whether the request's kind, name and labels fit the policy rule
func Validate ¶
func Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) ([]*info.RuleInfo, error)
Validate handles a validating admission request. Checks the target resources for rules defined in the policy.
func ValidateValueWithPattern ¶
func ValidateValueWithPattern(value, pattern interface{}) bool
ValidateValueWithPattern validates value with operators and wildcards
Types ¶
type ConditionAnchorValidationHandler ¶ added in v0.4.0
type ConditionAnchorValidationHandler struct {
// contains filtered or unexported fields
}
ConditionAnchorValidationHandler performs validation only for array elements that pass the condition in the anchor. Anchor: (key): value
func (*ConditionAnchorValidationHandler) Handle ¶ added in v0.4.0
func (cavh *ConditionAnchorValidationHandler) Handle(resourcePart []interface{}, patternPart map[string]interface{}, originPattern interface{}) error
Handle performs validation in context of ConditionAnchorValidationHandler
type ExistanceAnchorValidationHandler ¶ added in v0.4.0
type ExistanceAnchorValidationHandler struct {
// contains filtered or unexported fields
}
ExistanceAnchorValidationHandler performs validation only for array elements that pass the condition in the anchor AND requires the existence of at least one element that passes this condition. Anchor: ^(key): value
func (*ExistanceAnchorValidationHandler) Handle ¶ added in v0.4.0
func (eavh *ExistanceAnchorValidationHandler) Handle(resourcePart []interface{}, patternPart map[string]interface{}, originPattern interface{}) error
Handle performs validation in context of ExistanceAnchorValidationHandler
type NoAnchorValidationHandler ¶ added in v0.4.0
type NoAnchorValidationHandler struct {
// contains filtered or unexported fields
}
NoAnchorValidationHandler just calls validateMap because no anchors were found in the pattern map
func (*NoAnchorValidationHandler) Handle ¶ added in v0.4.0
func (navh *NoAnchorValidationHandler) Handle(resourcePart []interface{}, patternPart map[string]interface{}, originPattern interface{}) error
Handle performs validation in context of NoAnchorValidationHandler
type Operator ¶
type Operator string
Operator is a string type that represents the enum of selection operators
type ValidationAnchorHandler ¶ added in v0.4.0
type ValidationAnchorHandler interface {
Handle(resourcePart []interface{}, patternPart map[string]interface{}, originPattern interface{}) error
}
ValidationAnchorHandler is an interface that represents a family of anchor handlers for an array of maps. resourcePart must be an array of dictionaries. patternPart must be a dictionary with anchors.
func CreateAnchorHandler ¶ added in v0.4.0
func CreateAnchorHandler(anchor string, pattern interface{}, path string) ValidationAnchorHandler
CreateAnchorHandler is a factory that creates anchor handlers
func NewConditionAnchorValidationHandler ¶ added in v0.4.0
func NewConditionAnchorValidationHandler(anchor string, pattern interface{}, path string) ValidationAnchorHandler
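NewConditionAnchorValidationHandler creates a new instance of ConditionAnchorValidationHandler (the published comment names NoAnchorValidationHandler, which appears to be a copy-paste slip; confirm against the source)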
func NewExistanceAnchorValidationHandler ¶ added in v0.4.0
func NewExistanceAnchorValidationHandler(anchor string, pattern interface{}, path string) ValidationAnchorHandler
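NewExistanceAnchorValidationHandler creates a new instance of ExistanceAnchorValidationHandler (the published comment names NoAnchorValidationHandler, which appears to be a copy-paste slip; confirm against the source)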
func NewNoAnchorValidationHandler ¶ added in v0.4.0
func NewNoAnchorValidationHandler(path string) ValidationAnchorHandler
NewNoAnchorValidationHandler creates a new instance of NoAnchorValidationHandler