Documentation ¶
Index ¶
- Variables
- func Parse(_ context.Context, document string) ([]*unstructured.Unstructured, error)
- func ParseClusterImagePolicies(ctx context.Context, document string) (cips []*v1alpha1.ClusterImagePolicy, warns error, err error)
- func Validate(ctx context.Context, document string) (warns error, err error)
- type Source
- type Verification
- type Verifier
- type WarningWriter
Constants ¶
This section is empty.
Variables ¶
var ( // ErrEmptyDocument is the error returned when no document body is // specified. ErrEmptyDocument = errors.New("document is required to create policy") // ErrUnknownType is the error returned when a type contained in the policy // is unrecognized. ErrUnknownType = errors.New("unknown type") )
Functions ¶
func Parse ¶
func Parse(_ context.Context, document string) ([]*unstructured.Unstructured, error)
Parse decodes a provided YAML document containing zero or more objects into a collection of unstructured.Unstructured objects.
func ParseClusterImagePolicies ¶
func ParseClusterImagePolicies(ctx context.Context, document string) (cips []*v1alpha1.ClusterImagePolicy, warns error, err error)
ParseClusterImagePolicies returns ClusterImagePolicy objects found in the policy document.
Types ¶
type Source ¶
type Source struct { // Data is a collection of one or more ClusterImagePolicy resources. Data string `yaml:"data,omitempty"` // Path is a path to a file containing one or more ClusterImagePolicy // resources. Path string `yaml:"path,omitempty"` // URL links to a file containing one or more ClusterImagePolicy resources. URL string `yaml:"url,omitempty"` }
Source contains a set of options for specifying policies. Exactly one of the fields may be specified for each Source entry.
type Verification ¶
type Verification struct { // NoMatchPolicy specifies the behavior when a base image doesn't match any // of the listed policies. It allows the values: allow, deny, and warn. NoMatchPolicy string `yaml:"no-match-policy,omitempty"` // Policies specifies a set of Sources for fetching policies to use to cover // images used as part of evaluation. For more information about what each // Source supports, see its usage. // Policies can be nil so that we can distinguish between an explicitly // specified empty list and when policies is unspecified. Policies *[]Source `yaml:"policies,omitempty"` }
func (*Verification) Validate ¶
func (v *Verification) Validate(ctx context.Context) (errs *apis.FieldError)
type Verifier ¶
type Verifier interface { // Verify checks that the provided reference satisfies the backing policies. // // For policies specifying `match:` criteria with apiVersion/kind, the // TypeMeta should be associated with `ctx` here using: // webhook.GetIncludeTypeMeta(ctx) // // For policies specifying `match:` criteria with label selectors, the // ObjectMeta should be associated with `ctx` here using: // webhook.GetIncludeObjectMeta(ctx) Verify(context.Context, name.Reference, authn.Keychain, ...ociremote.Option) error }
Verifier is the interface for checking that a given image digest satisfies the policies backing this interface.
func Compile ¶
func Compile(ctx context.Context, v Verification, ww WarningWriter) (Verifier, error)
Compile turns a Verification into an executable Verifier. Any compilation errors are returned here.
type WarningWriter ¶
type WarningWriter func(string, ...interface{})
WarningWriter is used to surface warning messages in a manner that is customizable by callers that's suitable for their execution environment. The signature is intended to match the standard format string signature (e.g. Printf, Infof, Logf, Errorf, Fatalf, ...), so functions like log.Printf or t.Errorf can be passed here directly.