Documentation ¶
Index ¶
- func CollectParams(paramKind *v1.ParamKind, paramInformer informers.GenericInformer, ...) ([]runtime.Object, error)
- func SetPolicyRefreshIntervalForTests(interval time.Duration) func()
- type BindingAccessor
- type Dispatcher
- type Evaluator
- type FakeList
- type Hook
- type Plugin
- func (c *Plugin[H]) Dispatch(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)
- func (c *Plugin[H]) SetAuthorizer(authorizer authorizer.Authorizer)
- func (c *Plugin[H]) SetDrainedNotification(stopCh <-chan struct{})
- func (c *Plugin[H]) SetDynamicClient(client dynamic.Interface)
- func (c *Plugin[H]) SetEnabled(enabled bool)
- func (c *Plugin[H]) SetExcludedAdmissionResources(excludedResources []schema.GroupResource)
- func (c *Plugin[H]) SetExternalKubeClientSet(client kubernetes.Interface)
- func (c *Plugin[H]) SetExternalKubeInformerFactory(f informers.SharedInformerFactory)
- func (c *Plugin[H]) SetMatcher(matcher *matching.Matcher)
- func (c *Plugin[H]) SetRESTMapper(mapper meta.RESTMapper)
- func (c *Plugin[H]) ValidateInitialization() error
- type PolicyAccessor
- type PolicyError
- type PolicyHook
- type PolicyInvocation
- type PolicyMatcher
- type PolicyTestContext
- func (p *PolicyTestContext[P, B, E]) DeleteAndWait(object ...runtime.Object) error
- func (p *PolicyTestContext[P, B, E]) Dispatch(new, old runtime.Object, operation admission.Operation) error
- func (p *PolicyTestContext[P, B, E]) Update(objects ...runtime.Object) error
- func (p *PolicyTestContext[P, B, E]) UpdateAndWait(objects ...runtime.Object) error
- func (p *PolicyTestContext[P, B, E]) WaitForReconcile(timeoutCtx context.Context, object runtime.Object) error
- type Source
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CollectParams ¶
func CollectParams( paramKind *v1.ParamKind, paramInformer informers.GenericInformer, paramScope meta.RESTScope, paramRef *v1.ParamRef, namespace string, ) ([]runtime.Object, error)
Returns params to use to evaluate a policy-binding with given param configuration. If the policy-binding has no param configuration, it returns a single-element list with a nil param.
func SetPolicyRefreshIntervalForTests ¶ added in v0.32.0
SetPolicyRefreshIntervalForTests allows the refresh interval to be overridden during tests. This should only be called from tests.
Types ¶
type BindingAccessor ¶
type BindingAccessor interface { GetName() string GetNamespace() string // GetPolicyName returns the name of the (Validating/Mutating)AdmissionPolicy, // which is cluster-scoped, so namespace is usually left blank. // But we leave the door open to add a namespaced vesion in the future GetPolicyName() types.NamespacedName GetParamRef() *v1.ParamRef GetMatchResources() *v1.MatchResources }
type Dispatcher ¶
type Dispatcher[H Hook] interface { // Start the dispatcher. This method should be called only once at startup. Start(ctx context.Context) error // Dispatch a request to the policies. Dispatcher may choose not to // call a hook, either because the rules of the hook does not match, or // the namespaceSelector or the objectSelector of the hook does not // match. A non-nil error means the request is rejected. Dispatch(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces, hooks []H) error }
Dispatcher dispatches evaluates an admission request against the currently active hooks returned by the source.
func NewPolicyDispatcher ¶
func NewPolicyDispatcher[P runtime.Object, B runtime.Object, E Evaluator]( newPolicyAccessor func(P) PolicyAccessor, newBindingAccessor func(B) BindingAccessor, matcher *matching.Matcher, delegate dispatcherDelegate[P, B, E], ) Dispatcher[PolicyHook[P, B, E]]
type Evaluator ¶
type Evaluator interface { }
An evaluator represents a compiled CEL expression that can be evaluated a given a set of inputs used by the generic PolicyHook for Mutating and ValidatingAdmissionPolicy. Mutating and Validating may have different forms of evaluators
type FakeList ¶
func (*FakeList[P]) DeepCopyObject ¶
type Hook ¶
type Hook interface { }
Hook represents a dynamic admission hook. The hook may be a webhook or a policy. For webhook, the Hook may describe how to contact the endpoint, expected cert, etc. For policies, the hook may describe a compiled policy-binding pair.
type Plugin ¶
AdmissionPolicyManager is an abstract admission plugin with all the infrastructure to define Admit or Validate on-top.
func (*Plugin[H]) Dispatch ¶
func (c *Plugin[H]) Dispatch( ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces, ) (err error)
func (*Plugin[H]) SetAuthorizer ¶
func (c *Plugin[H]) SetAuthorizer(authorizer authorizer.Authorizer)
func (*Plugin[H]) SetDrainedNotification ¶
func (c *Plugin[H]) SetDrainedNotification(stopCh <-chan struct{})
func (*Plugin[H]) SetDynamicClient ¶
func (*Plugin[H]) SetEnabled ¶
func (*Plugin[H]) SetExcludedAdmissionResources ¶
func (c *Plugin[H]) SetExcludedAdmissionResources(excludedResources []schema.GroupResource)
func (*Plugin[H]) SetExternalKubeClientSet ¶
func (c *Plugin[H]) SetExternalKubeClientSet(client kubernetes.Interface)
func (*Plugin[H]) SetExternalKubeInformerFactory ¶
func (c *Plugin[H]) SetExternalKubeInformerFactory(f informers.SharedInformerFactory)
func (*Plugin[H]) SetMatcher ¶
func (*Plugin[H]) SetRESTMapper ¶
func (c *Plugin[H]) SetRESTMapper(mapper meta.RESTMapper)
func (*Plugin[H]) ValidateInitialization ¶
ValidateInitialization - once clientset and informer factory are provided, creates and starts the admission controller
type PolicyAccessor ¶
type PolicyAccessor interface { GetName() string GetNamespace() string GetParamKind() *v1.ParamKind GetMatchConstraints() *v1.MatchResources GetFailurePolicy() *v1.FailurePolicyType }
type PolicyError ¶ added in v0.32.0
type PolicyError struct { Policy PolicyAccessor Binding BindingAccessor Message error Reason metav1.StatusReason }
func (PolicyError) Error ¶ added in v0.32.0
func (c PolicyError) Error() string
type PolicyHook ¶
type PolicyHook[P runtime.Object, B runtime.Object, E Evaluator] struct { Policy P Bindings []B // ParamInformer is the informer for the param CRD for this policy, or nil if // there is no param or if there was a configuration error ParamInformer informers.GenericInformer ParamScope meta.RESTScope Evaluator E ConfigurationError error }
type PolicyInvocation ¶
type PolicyInvocation[P runtime.Object, B runtime.Object, E Evaluator] struct { // Relevant policy for this hook. // This field is always populated Policy P // Matched Kind for the request given the policy's matchconstraints // May be empty if there was an error matching the resource Kind schema.GroupVersionKind // Matched Resource for the request given the policy's matchconstraints // May be empty if there was an error matching the resource Resource schema.GroupVersionResource // Relevant binding for this hook. // May be empty if there was an error with the policy's configuration itself Binding B // Compiled policy evaluator Evaluator E // Params fetched by the binding to use to evaluate the policy Param runtime.Object }
PolicyInvocation is a single policy-binding-param tuple from a Policy Hook in the context of a specific request. The params have already been resolved and any error in configuration or setting up the invocation is stored in the Error field.
type PolicyMatcher ¶
type PolicyMatcher interface { admission.InitializationValidator // DefinitionMatches says whether this policy definition matches the provided admission // resource request DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition PolicyAccessor) (bool, schema.GroupVersionResource, schema.GroupVersionKind, error) // BindingMatches says whether this policy definition matches the provided admission // resource request BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding BindingAccessor) (bool, error) // GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case // GetNamespace must return nil, nil GetNamespace(name string) (*corev1.Namespace, error) }
Matcher is used for matching ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to attributes
func NewPolicyMatcher ¶
func NewPolicyMatcher(m *matching.Matcher) PolicyMatcher
type PolicyTestContext ¶
type PolicyTestContext[P runtime.Object, B runtime.Object, E Evaluator] struct { context.Context Plugin *Plugin[PolicyHook[P, B, E]] Source Source[PolicyHook[P, B, E]] Start func() error // contains filtered or unexported fields }
PolicyTestContext is everything you need to unit test a policy plugin
func NewPolicyTestContext ¶
func NewPolicyTestContext[P, B runtime.Object, E Evaluator]( newPolicyAccessor func(P) PolicyAccessor, newBindingAccessor func(B) BindingAccessor, compileFunc func(P) E, dispatcher dispatcherFactory[PolicyHook[P, B, E]], initialObjects []runtime.Object, paramMappings []meta.RESTMapping, ) (*PolicyTestContext[P, B, E], func(), error)
func (*PolicyTestContext[P, B, E]) DeleteAndWait ¶
func (p *PolicyTestContext[P, B, E]) DeleteAndWait(object ...runtime.Object) error
Depending upon object type, waits afterward until the object is synced by the policy source
func (*PolicyTestContext[P, B, E]) Update ¶
func (p *PolicyTestContext[P, B, E]) Update(objects ...runtime.Object) error
Update updates the given object in the test, or creates it if it doesn't exist
Be aware the Update will modify the ResourceVersion of the provided objects.
func (*PolicyTestContext[P, B, E]) UpdateAndWait ¶
func (p *PolicyTestContext[P, B, E]) UpdateAndWait(objects ...runtime.Object) error
UpdateAndWait updates the given object in the test, or creates it if it doesn't exist Depending upon object type, waits afterward until the object is synced by the policy source
Be aware the UpdateAndWait will modify the ResourceVersion of the provided objects.
func (*PolicyTestContext[P, B, E]) WaitForReconcile ¶
func (p *PolicyTestContext[P, B, E]) WaitForReconcile(timeoutCtx context.Context, object runtime.Object) error
Depending upon object type, waits afterward until the object is synced by the policy source. Note that policies that are not bound are skipped, so you should not try to wait for an unbound policy. Create both the binding and policy, then wait.
type Source ¶
type Source[H Hook] interface { // Hooks returns the list of currently known admission hooks. Hooks() []H // Run the source. This method should be called only once at startup. Run(ctx context.Context) error // HasSynced returns true if the source has completed its initial sync. HasSynced() bool }
Source can list dynamic admission plugins.
func NewPolicySource ¶
func NewPolicySource[P runtime.Object, B runtime.Object, E Evaluator]( policyInformer cache.SharedIndexInformer, bindingInformer cache.SharedIndexInformer, newPolicyAccessor func(P) PolicyAccessor, newBindingAccessor func(B) BindingAccessor, compiler func(P) E, paramInformerFactory informers.SharedInformerFactory, dynamicClient dynamic.Interface, restMapper meta.RESTMapper, ) Source[PolicyHook[P, B, E]]