Documentation ¶
Index ¶
- Variables
- func EvalValidatingAdmissionPolicy(...) (string, error)
- func EvalWebhook(...) (string, error)
- func NewActivation(inputData map[string]any, authorizer any, authorizerRequestResource any) interpreter.Activation
- type AdmissionRequest
- type Authorizer
- func (a Authorizer) ConvertToNative(typeDesc reflect.Type) (any, error)
- func (a Authorizer) ConvertToType(typeVal ref.Type) ref.Val
- func (a Authorizer) Equal(other ref.Val) ref.Val
- func (a *Authorizer) Receive(function string, overload string, args []ref.Val) ref.Val
- func (a Authorizer) Type() ref.Type
- func (a Authorizer) Value() any
- type CelAuditAnnotationsInfo
- type CelInformation
- type CelMatchConditionsInfo
- type CelValidationInfo
- type CelVariableInfo
- type Decision
- func (a Decision) ConvertToNative(typeDesc reflect.Type) (any, error)
- func (a Decision) ConvertToType(typeVal ref.Type) ref.Val
- func (a Decision) Equal(other ref.Val) ref.Val
- func (d *Decision) Receive(function string, overload string, args []ref.Val) ref.Val
- func (a Decision) Type() ref.Type
- func (a Decision) Value() any
- type EvalResponse
- type EvalResult
- type EvalVariable
- type GVKType
- type GVRType
- type GroupCheck
- func (a GroupCheck) ConvertToNative(typeDesc reflect.Type) (any, error)
- func (a GroupCheck) ConvertToType(typeVal ref.Type) ref.Val
- func (a GroupCheck) Equal(other ref.Val) ref.Val
- func (g *GroupCheck) Receive(function string, overload string, args []ref.Val) ref.Val
- func (a GroupCheck) Type() ref.Type
- func (a GroupCheck) Value() any
- type NamespaceConditionType
- type NamespaceMetadataType
- type NamespaceSpecType
- type NamespaceStatusType
- type NamespaceType
- type PathCheck
- func (a PathCheck) ConvertToNative(typeDesc reflect.Type) (any, error)
- func (a PathCheck) ConvertToType(typeVal ref.Type) ref.Val
- func (a PathCheck) Equal(other ref.Val) ref.Val
- func (p *PathCheck) Receive(function string, overload string, args []ref.Val) ref.Val
- func (a PathCheck) Type() ref.Type
- func (a PathCheck) Value() any
- type ResourceCheck
- func (a ResourceCheck) ConvertToNative(typeDesc reflect.Type) (any, error)
- func (a ResourceCheck) ConvertToType(typeVal ref.Type) ref.Val
- func (a ResourceCheck) Equal(other ref.Val) ref.Val
- func (r *ResourceCheck) Receive(function string, overload string, args []ref.Val) ref.Val
- func (a ResourceCheck) Type() ref.Type
- func (a ResourceCheck) Value() any
- type UserInfo
Variables ¶
// CEL opaque type descriptors for the playground's scripted authorizer
// objects. Each is registered under a "playground.k8s.*" name; presumably
// these are the ref.Type values the Type() methods of Authorizer, PathCheck,
// GroupCheck, ResourceCheck and Decision return — confirm against those
// method bodies, which are not shown here.
var (
	AuthorizerType    = cel.OpaqueType("playground.k8s.Authorizer")
	PathCheckType     = cel.OpaqueType("playground.k8s.PathCheck")
	GroupCheckType    = cel.OpaqueType("playground.k8s.GroupCheck")
	ResourceCheckType = cel.OpaqueType("playground.k8s.ResourceCheck")
	DecisionType      = cel.OpaqueType("playground.k8s.Decision")
)
Functions ¶
func EvalValidatingAdmissionPolicy ¶
func EvalValidatingAdmissionPolicy(policyInput, oldObjectInput, objectValueInput, namespaceInput, requestInput, authorizerInput []byte) (string, error)
From
pkg/apis/admissionregistration/types.go#Validation
Expression represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
- 'object' - The object from the incoming request. The value is null for DELETE requests.
- 'oldObject' - The existing object. The value is null for CREATE requests.
- 'request' - Attributes of the API request (ref(/pkg/apis/admission/types.go#AdmissionRequest)).
- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
- 'variables' - Map of composited variables, from its name to its lazily evaluated value. For example, a variable named 'foo' can be accessed as 'variables.foo'.
- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource.
KEV: check what the metadata comment below means. The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.
Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression:
- '__' escapes to '__underscores__'
- '.' escapes to '__dot__'
- '-' escapes to '__dash__'
- '/' escapes to '__slash__'
- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", "import", "let", "loop", "package", "namespace", "return".
Examples:
- Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
- Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
- Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
- 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and non-intersecting elements in `Y` are appended, retaining their partial order.
- 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with non-intersecting keys are appended, retaining their partial order.
TODO: Support parameters
func EvalWebhook ¶
func NewActivation ¶
func NewActivation(inputData map[string]any, authorizer any, authorizerRequestResource any) interpreter.Activation
Types ¶
type AdmissionRequest ¶
// AdmissionRequest is the YAML-decoded shape of the playground's request
// input — the attributes a CEL expression reads through the 'request'
// variable. Field names and yaml keys follow the Kubernetes
// admission.AdmissionRequest attributes.
//
// NOTE(review): the CEL object type declared for "kubernetes.AdmissionRequest"
// on this page also lists an "options" field; this struct has no counterpart,
// so 'request.options' presumably can never be populated from input — confirm.
type AdmissionRequest struct {
	Kind        GVKType  `yaml:"kind"`
	Resource    GVRType  `yaml:"resource"`
	SubResource string   `yaml:"subResource,omitempty"`
	RequestKind *GVKType `yaml:"requestKind,omitempty"`
	// NOTE(review): no omitempty here, unlike RequestKind — confirm the
	// asymmetry is intended.
	RequestResource    *GVRType `yaml:"requestResource"`
	RequestSubResource string   `yaml:"requestSubResource,omitempty"`
	Name               string   `yaml:"name"`
	Namespace          string   `yaml:"namespace,omitempty"`
	// Plain string: the operation is not validated against a fixed set of
	// values at this level.
	Operation string   `yaml:"operation"`
	UserInfo  UserInfo `yaml:"userInfo"`
	DryRun    *bool    `yaml:"dryRun,omitempty"`
}
return apiservercel.NewObjectType("kubernetes.AdmissionRequest", fields(
field("kind", gvkType, true), field("resource", gvrType, true), field("subResource", apiservercel.StringType, false), field("requestKind", gvkType, true), field("requestResource", gvrType, true), field("requestSubResource", apiservercel.StringType, false), field("name", apiservercel.StringType, true), field("namespace", apiservercel.StringType, false), field("operation", apiservercel.StringType, true), field("userInfo", userInfoType, true), field("dryRun", apiservercel.BoolType, false), field("options", apiservercel.DynType, false),
))
type Authorizer ¶
// Authorizer is the playground's stand-in for the API-server authorizer that a
// CEL expression reaches through the 'authorizer' variable (CEL type
// AuthorizerType). It carries yaml tags, so it appears to be populated from
// user-supplied input rather than from a live authorizer — confirm. If so,
// every authorization check answers with whatever the fixture declares, and a
// policy that passes here says nothing about how the real authorizer would
// decide; the fixture should be kept in step with the RBAC being modelled.
type Authorizer struct {
	// Non-resource URL path checks; presumably keyed by path — confirm.
	Paths map[string]*PathCheck `yaml:"paths,omitempty"`
	// Resource checks; presumably keyed by API group — confirm.
	Groups map[string]*GroupCheck `yaml:"groups,omitempty"`
	// Nested authorizers for service-account principals; the two map levels
	// are presumably namespace then name — confirm against the CEL-side
	// accessor.
	ServiceAccounts map[string]map[string]*Authorizer `yaml:"serviceAccounts,omitempty"`
	// contains filtered or unexported fields
}
func (Authorizer) ConvertToNative ¶
ConvertToNative implements ref.Val.ConvertToNative.
func (Authorizer) ConvertToType ¶
ConvertToType implements ref.Val.ConvertToType.
type CelAuditAnnotationsInfo ¶
// CelAuditAnnotationsInfo is an internal record of the package; this rendering
// shows only that all of its fields are unexported. By name it presumably
// holds the compiled audit-annotation expressions of a policy — confirm
// against the source.
type CelAuditAnnotationsInfo struct {
	// contains filtered or unexported fields
}
type CelInformation ¶
// CelInformation is an internal record of the package; this rendering shows
// only that all of its fields are unexported. Presumably it aggregates the
// per-stage Cel*Info values for one policy — confirm against the source.
type CelInformation struct {
	// contains filtered or unexported fields
}
type CelMatchConditionsInfo ¶
// CelMatchConditionsInfo is an internal record of the package; this rendering
// shows only that all of its fields are unexported. By name it presumably
// holds the compiled matchConditions of a policy — confirm against the source.
type CelMatchConditionsInfo struct {
	// contains filtered or unexported fields
}
type CelValidationInfo ¶
// CelValidationInfo is an internal record of the package; this rendering
// shows only that all of its fields are unexported. By name it presumably
// holds the compiled validation expressions of a policy — confirm against the
// source.
type CelValidationInfo struct {
	// contains filtered or unexported fields
}
type CelVariableInfo ¶
// CelVariableInfo is an internal record of the package; this rendering shows
// only that all of its fields are unexported. By name it presumably holds a
// compiled composited variable (the 'variables.<name>' entries) — confirm
// against the source.
type CelVariableInfo struct {
	// contains filtered or unexported fields
}
type Decision ¶
// Decision is the scripted outcome of one authorization check in the
// playground Authorizer (CEL type DecisionType). Which of these fields the
// CEL-side accessors surface, and how, is not visible on this page.
type Decision struct {
	// NOTE(review): presumably reported as the check's error when set — confirm.
	Error string `yaml:"error,omitempty"`
	// Free-form string; not validated against a fixed set of values here.
	Decision string `yaml:"decision,omitempty"`
	Reason   string `yaml:"reason,omitempty"`
	// contains filtered or unexported fields
}
func (Decision) ConvertToNative ¶
ConvertToNative implements ref.Val.ConvertToNative.
func (Decision) ConvertToType ¶
ConvertToType implements ref.Val.ConvertToType.
type EvalResponse ¶
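// EvalResponse is the JSON-encoded result of one evaluation: the results of
// each stage, the variables each stage had available, and an optional cost
// (presumably the CEL evaluation cost — confirm where it is filled in).
//
// Every slice field is omitted from the output when empty; Cost is omitted
// when nil, so a missing cost is distinguishable from a cost of zero.
type EvalResponse struct {
	MatchConditionsVariables []*EvalVariable `json:"matchConditionVariables,omitempty"`
	MatchConditions          []*EvalResult   `json:"matchConditions,omitempty"`
	ValidationVariables      []*EvalVariable `json:"validationVariables,omitempty"`
	Validations              []*EvalResult   `json:"validations,omitempty"`
	AuditAnnotations         []*EvalResult   `json:"auditAnnotations,omitempty"`
	WebhookMatchConditions   [][]*EvalResult `json:"webhookMatchConditions,omitempty"`
	// The tag used to read `json:"cost, omitempty"`. encoding/json does not
	// trim option names, so the option was " omitempty", omitempty never
	// applied, and go vet flags the tag; the space is removed so a nil Cost
	// is actually left out of the output.
	Cost *uint64 `json:"cost,omitempty"`
}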
type EvalResult ¶
type EvalVariable ¶
type GVKType ¶
// GVKType is the YAML form of a Kubernetes GroupVersionKind as used in the
// playground's request input.
type GVKType struct {
	Group   string `yaml:"group"`
	Version string `yaml:"version"`
	Kind    string `yaml:"kind"`
}
gvkType := apiservercel.NewObjectType("kubernetes.GroupVersionKind", fields(
field("group", apiservercel.StringType, true), field("version", apiservercel.StringType, true), field("kind", apiservercel.StringType, true),
))
type GVRType ¶
// GVRType is the YAML form of a Kubernetes GroupVersionResource as used in the
// playground's request input.
type GVRType struct {
	Group    string `yaml:"group"`
	Version  string `yaml:"version"`
	Resource string `yaml:"resource"`
}
gvrType := apiservercel.NewObjectType("kubernetes.GroupVersionResource", fields(
field("group", apiservercel.StringType, true), field("version", apiservercel.StringType, true), field("resource", apiservercel.StringType, true),
))
type GroupCheck ¶
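// GroupCheck holds the scripted authorization checks for one API group in the
// playground Authorizer (CEL type GroupCheckType); Resources is presumably
// keyed by resource name — confirm against the CEL-side accessor.
type GroupCheck struct {
	// The original declaration carried only a json tag while every sibling
	// fixture type (Authorizer, PathCheck, ResourceCheck, Decision) uses yaml
	// tags. Whether that matters depends on which YAML decoder the package
	// uses (gopkg.in/yaml honours yaml tags, sigs.k8s.io/yaml honours json
	// tags); both tags are given here so the "resources" key decodes the same
	// way under either, and the json tag is kept for existing consumers.
	Resources map[string]*ResourceCheck `yaml:"resources,omitempty" json:"resources,omitempty"`
	// contains filtered or unexported fields
}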
func (GroupCheck) ConvertToNative ¶
ConvertToNative implements ref.Val.ConvertToNative.
func (GroupCheck) ConvertToType ¶
ConvertToType implements ref.Val.ConvertToType.
type NamespaceConditionType ¶
// NamespaceConditionType is the YAML form of one entry of a Namespace's
// status.conditions in the playground's namespace input.
type NamespaceConditionType struct {
	Status string `yaml:"status"`
	Type   string `yaml:"type"`
	// Non-pointer time.Time: when absent from the input this decodes to the
	// zero time rather than to null.
	LastTransitionTime time.Time `yaml:"lastTransitionTime"`
	Message            string    `yaml:"message"`
	Reason             string    `yaml:"reason"`
}
conditionType := apiservercel.NewObjectType("kubernetes.NamespaceCondition", fields(
field("status", apiservercel.StringType, true), field("type", apiservercel.StringType, true), field("lastTransitionTime", apiservercel.TimestampType, true), field("message", apiservercel.StringType, true), field("reason", apiservercel.StringType, true),
))
type NamespaceMetadataType ¶
// NamespaceMetadataType is the YAML form of the metadata of the playground's
// namespace input (presumably the 'namespaceObject' CEL variable). Keys are
// spelled as in a Kubernetes ObjectMeta, with the exception noted on UID.
type NamespaceMetadataType struct {
	Name         string            `yaml:"name"`
	GenerateName string            `yaml:"generateName"`
	Namespace    string            `yaml:"namespace"`
	Labels       map[string]string `yaml:"labels"`
	Annotations  map[string]string `yaml:"annotations"`
	// NOTE(review): the key is "UID" (upper case) here and in the matching CEL
	// field on this page, whereas a Kubernetes manifest spells it "uid". If the
	// decoder matches keys case-sensitively, the uid of a pasted manifest would
	// be silently dropped — confirm which spelling is intended before changing
	// either side.
	UID                        string    `yaml:"UID"`
	CreationTimestamp          time.Time `yaml:"creationTimestamp"`
	DeletionGracePeriodSeconds int64     `yaml:"deletionGracePeriodSeconds"`
	// Non-pointer time.Time: when absent from the input this decodes to the
	// zero time rather than to null, so "not being deleted" presumably shows
	// up in CEL as the zero timestamp rather than as a missing value — confirm.
	DeletionTimestamp time.Time `yaml:"deletionTimestamp"`
	Generation        int64     `yaml:"generation"`
	ResourceVersion   string    `yaml:"resourceVersion"`
	Finalizers        []string  `yaml:"finalizers"`
}
metadataType := apiservercel.NewObjectType("kubernetes.NamespaceMetadata", fields(
field("name", apiservercel.StringType, true), field("generateName", apiservercel.StringType, true), field("namespace", apiservercel.StringType, true), field("labels", apiservercel.NewMapType(apiservercel.StringType, apiservercel.StringType, -1), true), field("annotations", apiservercel.NewMapType(apiservercel.StringType, apiservercel.StringType, -1), true), field("UID", apiservercel.StringType, true), field("creationTimestamp", apiservercel.TimestampType, true), field("deletionGracePeriodSeconds", apiservercel.IntType, true), field("deletionTimestamp", apiservercel.TimestampType, true), field("generation", apiservercel.IntType, true), field("resourceVersion", apiservercel.StringType, true), field("finalizers", apiservercel.NewListType(apiservercel.StringType, -1), true),
))
type NamespaceSpecType ¶
// NamespaceSpecType is the YAML form of a Namespace's spec in the playground's
// namespace input.
type NamespaceSpecType struct {
	Finalizers []string `yaml:"finalizers"`
}
specType := apiservercel.NewObjectType("kubernetes.NamespaceSpec", fields(
field("finalizers", apiservercel.NewListType(apiservercel.StringType, -1), true),
))
type NamespaceStatusType ¶
// NamespaceStatusType is the YAML form of a Namespace's status in the
// playground's namespace input.
type NamespaceStatusType struct {
	Conditions []NamespaceConditionType `yaml:"conditions"`
	// Plain string; not validated against the Active/Terminating phases here.
	Phase string `yaml:"phase"`
}
statusType := apiservercel.NewObjectType("kubernetes.NamespaceStatus", fields(
field("conditions", apiservercel.NewListType(conditionType, -1), true), field("phase", apiservercel.StringType, true),
))
type NamespaceType ¶
// NamespaceType is the YAML form of the playground's namespace input: the
// metadata, spec and status of the namespace the evaluated object belongs to.
type NamespaceType struct {
	Metadata NamespaceMetadataType `yaml:"metadata"`
	Spec     NamespaceSpecType     `yaml:"spec"`
	Status   NamespaceStatusType   `yaml:"status"`
}
return apiservercel.NewObjectType("kubernetes.Namespace", fields(
field("metadata", metadataType, true), field("spec", specType, true), field("status", statusType, true),
))
type PathCheck ¶
// PathCheck holds the scripted decisions for one non-resource URL path in the
// playground Authorizer (CEL type PathCheckType).
type PathCheck struct {
	// NOTE(review): the key is presumably the verb passed to the CEL-side
	// check() call — confirm against the accessor.
	Checks map[string]*Decision `yaml:"checks,omitempty"`
	// contains filtered or unexported fields
}
func (PathCheck) ConvertToNative ¶
ConvertToNative implements ref.Val.ConvertToNative.
func (PathCheck) ConvertToType ¶
ConvertToType implements ref.Val.ConvertToType.
type ResourceCheck ¶
// ResourceCheck holds the scripted decisions for one resource in the
// playground Authorizer (CEL type ResourceCheckType); the same type is reused
// for each subresource, so checks nest recursively.
type ResourceCheck struct {
	Subresources map[string]*ResourceCheck `yaml:"subresources,omitempty"`
	// Three map levels lead to a Decision. NOTE(review): their meaning and
	// order (namespace, name and verb, presumably) are not visible here —
	// confirm against the CEL-side check() accessor before writing fixtures.
	Checks map[string]map[string]map[string]*Decision `yaml:"checks,omitempty"`
	// contains filtered or unexported fields
}
func (ResourceCheck) ConvertToNative ¶
ConvertToNative implements ref.Val.ConvertToNative.
func (ResourceCheck) ConvertToType ¶
ConvertToType implements ref.Val.ConvertToType.
type UserInfo ¶
// UserInfo is the YAML form of the requesting principal in the playground's
// request input (request.userInfo). Like the rest of the request it comes
// from user-supplied input, so nothing here is an authenticated identity.
type UserInfo struct {
	Username string              `yaml:"username,omitempty"`
	UID      string              `yaml:"uid,omitempty"`
	Groups   []string            `yaml:"groups,omitempty"`
	Extra    map[string][]string `yaml:"extra,omitempty"`
}
userInfoType := apiservercel.NewObjectType("kubernetes.UserInfo", fields(
field("username", apiservercel.StringType, false), field("uid", apiservercel.StringType, false), field("groups", apiservercel.NewListType(apiservercel.StringType, -1), false), field("extra", apiservercel.NewMapType(apiservercel.StringType, apiservercel.NewListType(apiservercel.StringType, -1), -1), false),
))