Documentation
Constants
const (
	// ScopedVarName is the variable name assigned to the locally scoped data element of a CEL validation
	// expression.
	ScopedVarName = "self"

	// OldScopedVarName is the variable name assigned to the existing value of the locally scoped data element of a
	// CEL validation expression.
	OldScopedVarName = "oldSelf"

	// PerCallLimit specifies the actual cost limit per CEL validation call.
	// The current PerCallLimit gives roughly 0.1 second for each expression validation call.
	PerCallLimit = 1000000

	// RuntimeCELCostBudget is the overall cost budget for runtime CEL validation cost per CustomResource.
	// The current RuntimeCELCostBudget gives roughly 1 second for CR validation.
	RuntimeCELCostBudget = 10000000
)
Variables
This section is empty.
Functions
func MapIsCorrelatable (added in v0.24.0)
MapIsCorrelatable returns true if the mapType can be used to correlate the data elements of a map after an update with the data elements of the map from before the update.
func UnstructuredToVal
func UnstructuredToVal(unstructured interface{}, schema *structuralschema.Structural) ref.Val
UnstructuredToVal converts a Kubernetes unstructured data element to a CEL Val. The root schema of a custom resource schema is expected to contain type meta and object meta schemas. If embedded resources do not contain type meta and object meta schemas, they will be added automatically.
Types
type CompilationResult
type CompilationResult struct {
	Program cel.Program
	Error   *apiservercel.Error
	// If true, the compiled expression contains a reference to the identifier "oldSelf", and its corresponding rule
	// is implicitly a transition rule.
	TransitionRule bool
	// Represents the worst-case cost of the compiled expression in terms of CEL's cost units, as used by cel.EstimateCost.
	MaxCost uint64
	// MaxCardinality represents the worst-case number of times this validation rule could be invoked if contained under an
	// unbounded map or list in an OpenAPIv3 schema.
	MaxCardinality uint64
}
CompilationResult represents the CEL compilation result for one rule.
func Compile
func Compile(s *schema.Structural, declType *apiservercel.DeclType, perCallLimit uint64) ([]CompilationResult, error)
Compile compiles all the XValidations rules (without recursing into the schema) and returns a slice containing a CompilationResult for each ValidationRule, or an error. declType is expected to be a CEL DeclType corresponding to the structural schema. Each CompilationResult may contain:
- non-nil Program, nil Error: The program was compiled successfully
- nil Program, non-nil Error: Compilation resulted in an error
- nil Program, nil Error: The provided rule was empty so compilation was not attempted
perCallLimit was added for testing purposes only. Callers should always use const PerCallLimit as input.
type Validator
type Validator struct {
	Items *Validator
	Properties map[string]Validator
	AdditionalProperties *Validator
	// contains filtered or unexported fields
}
Validator parallels the structure of schema.Structural and includes the compiled CEL programs for the x-kubernetes-validations of each schema node.
func NewValidator
func NewValidator(s *schema.Structural, isResourceRoot bool, perCallLimit uint64) *Validator
NewValidator compiles all the CEL programs defined in the x-kubernetes-validations extensions of the Structural schema and returns a custom resource validator that contains nested validators for all items, properties and additionalProperties that transitively contain validator rules. Returns nil if there are no validator rules in the Structural schema. May return a validator containing only errors. The perCallLimit argument was added for testing purposes only. Callers should always use const PerCallLimit as input.
func (*Validator) Validate
func (s *Validator) Validate(ctx context.Context, fldPath *field.Path, sts *schema.Structural, obj, oldObj interface{}, costBudget int64) (errs field.ErrorList, remainingBudget int64)
Validate validates all x-kubernetes-validations rules in Validator against obj and returns any errors. If the validation rules exceed the costBudget, subsequent evaluations will be skipped, the list of errs returned will not be empty, and a negative remainingBudget will be returned. Most callers can ignore the returned remainingBudget value unless another validate call is going to be made. The context is passed to support context cancellation during CEL validation.
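The cost-budget contract described for Validate, as a simplified stand-alone model (an added example, not code from this package). The rule type, its costs and the error strings are assumptions, as is charging an over-limit call at PerCallLimit; the real package measures cost through CEL.

```go
package main

import "fmt"

// Values copied from the Constants section of this page.
const (
	PerCallLimit         int64 = 1000000
	RuntimeCELCostBudget int64 = 10000000
)

// rule is a hypothetical stand-in for one compiled rule: its evaluation cost and result.
type rule struct {
	name string
	cost int64
	pass bool
}

// validate models the documented contract, not the package's code: rules share one
// budget; once it is exceeded, later rules are skipped and remaining is negative.
func validate(rules []rule, budget int64) (errs []string, remaining int64) {
	remaining = budget
	for _, r := range rules {
		charged := r.cost
		if charged > PerCallLimit { // assumption: a call is aborted at the per-call limit
			charged = PerCallLimit
		}
		if charged > remaining {
			errs = append(errs, r.name+": out of cost budget, later rules skipped")
			return errs, -1
		}
		remaining -= charged
		if r.cost > PerCallLimit {
			errs = append(errs, r.name+": call cost exceeds limit")
		} else if !r.pass {
			errs = append(errs, r.name+": rule evaluated to false")
		}
	}
	return errs, remaining
}

func main() {
	batch := make([]rule, 6) // constructed sample: six passing rules, 900000 units each
	for i := range batch {
		batch[i] = rule{fmt.Sprintf("rule%d", i), 900000, true}
	}
	_, left := validate(batch, RuntimeCELCostBudget) // first call fits in the budget
	errs, left := validate(batch, left)              // second call gets only what is left
	fmt.Println(errs, left)
}
```

A caller that makes a second validate call passes the returned remainder as the next costBudget and treats a negative remainder as an incomplete validation.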