whitelist

package
v3.11.0+incompatible

This package is not in the latest version of its module.

Published: Oct 9, 2018 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type RegistryHostnameRetriever

type RegistryHostnameRetriever interface {
	InternalRegistryHostname() (string, bool)
	ExternalRegistryHostname() (string, bool)
}

RegistryHostnameRetriever is an interface for retrieving the hostnames of the internal and external registries.

type RegistryWhitelister

type RegistryWhitelister interface {
	// AdmitHostname returns an error if the given host is not allowed by the whitelist.
	AdmitHostname(host string, transport WhitelistTransport) error
	// AdmitPullSpec returns an error if the given pull spec is allowed neither by the whitelist nor by the
	// collected whitelisted pull specs.
	AdmitPullSpec(pullSpec string, transport WhitelistTransport) error
	// AdmitDockerImageReference returns an error if the given reference is allowed neither by the whitelist
	// nor by the collected whitelisted pull specs.
	AdmitDockerImageReference(ref *imageapi.DockerImageReference, transport WhitelistTransport) error
	// WhitelistRegistry extends the internal whitelist with an additional registry domain name. Accepted
	// values are:
	//  <host>, <host>:<port>
	// where each component can contain wildcards like '*' or '??' to match a wide range of registries. If
	// the port is omitted, the default will be appended based on the given transport. If the transport is
	// "any", the given glob will match hosts with both :80 and :443 ports.
	WhitelistRegistry(hostPortGlob string, transport WhitelistTransport) error
	// WhitelistPullSpecs whitelists particular pull specs. A reference must match exactly one of the
	// given pull specs for it to be whitelisted.
	WhitelistPullSpecs(pullSpecs ...string)
	// Copy returns a deep copy of the whitelister. This is useful for temporarily whitelisting additional
	// registries/pullSpecs before a specific validation.
	Copy() RegistryWhitelister
}

RegistryWhitelister decides whether given image pull specs are allowed by the system's image policy.

func NewRegistryWhitelister

func NewRegistryWhitelister(
	whitelist serverapi.AllowedRegistries,
	registryHostRetriever RegistryHostnameRetriever,
) (RegistryWhitelister, error)

NewRegistryWhitelister creates a whitelister that admits registry domains and pull specs based on the given list of allowed registries and the current domain name of the integrated Docker registry.

func WhitelistAllRegistries

func WhitelistAllRegistries() RegistryWhitelister

WhitelistAllRegistries returns a whitelister that will allow any given registry host name.

TODO: make a new implementation of RegistryWhitelister instead that will not bother with pull specs

type WhitelistTransport

type WhitelistTransport string

WhitelistTransport says whether the associated registry host shall be treated as secure or insecure.

const (
	WhitelistTransportAny      WhitelistTransport = "any"
	WhitelistTransportSecure   WhitelistTransport = "secure"
	WhitelistTransportInsecure WhitelistTransport = "insecure"
)
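The `<host>` / `<host>:<port>` glob rules documented on WhitelistRegistry, sketched as an added example that is not the package's own implementation; it models only port defaulting and glob matching. Assumptions: `Transport`, `Allowlist`, `Add`, `Admit` and `withPorts` are hypothetical names, the standard library's `path.Match` stands in for the glob engine, secure and insecure transports default to ports 443 and 80, and the hostnames are constructed samples.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

type Transport string // local stand-in for the package's WhitelistTransport
const Any, Secure, Insecure Transport = "any", "secure", "insecure"

// Assumption: secure registries default to :443, insecure ones to :80.
var defaultPorts = map[Transport][]string{Secure: {"443"}, Insecure: {"80"}, Any: {"80", "443"}}

// withPorts appends the transport's default port(s) when s carries no port.
func withPorts(s string, t Transport) (out []string) {
	if strings.Contains(s, ":") {
		return []string{s}
	}
	for _, p := range defaultPorts[t] {
		out = append(out, s+":"+p)
	}
	return out
}

type Allowlist []string // expanded host:port globs
// Add registers a "<host>" or "<host>:<port>" glob and rejects malformed patterns.
func (a *Allowlist) Add(glob string, t Transport) error {
	if _, err := path.Match(glob, ""); err != nil {
		return fmt.Errorf("bad glob %q: %v", glob, err)
	}
	*a = append(*a, withPorts(glob, t)...)
	return nil
}

// Admit errors unless host, with its transport's default port, matches a glob.
func (a Allowlist) Admit(host string, t Transport) error {
	for _, candidate := range withPorts(host, t) {
		for _, g := range a {
			if ok, _ := path.Match(g, candidate); ok {
				return nil
			}
		}
	}
	return fmt.Errorf("registry %q not allowed over %s transport", host, t)
}

func main() { // constructed rule, already expanded
	fmt.Println(Allowlist{"*.example.com:443"}.Admit("registry.example.com:5000", Secure))
}
```

In this sketch a bare-host rule added as secure admits only port 443, so the same host on a non-default port or over the insecure transport is rejected until a rule names that port explicitly.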
