Documentation ¶
Index ¶
- Constants
- func NewDispatcher(authorizer authorizer.Authorizer, matcher generic.PolicyMatcher) generic.Dispatcher[PolicyHook]
- func NewValidatingAdmissionPolicyAccessor(obj *v1.ValidatingAdmissionPolicy) generic.PolicyAccessor
- func NewValidatingAdmissionPolicyBindingAccessor(obj *v1.ValidatingAdmissionPolicyBinding) generic.BindingAccessor
- func Register(plugins *admission.Plugins)
- type AuditAnnotationCondition
- type CELPolicyEvaluator
- type MessageExpressionCondition
- type Plugin
- type Policy
- type PolicyAuditAnnotation
- type PolicyAuditAnnotationAction
- type PolicyBinding
- type PolicyDecision
- type PolicyDecisionAction
- type PolicyDecisionEvaluation
- type PolicyEvaluator
- type PolicyHook
- type TypeChecker
- type TypeCheckingContext
- type TypeCheckingResult
- type TypeCheckingResults
- type ValidateResult
- type ValidationCondition
- type ValidationFailureValue
- type Validator
- type Variable
Constants ¶
const (
// PluginName indicates the name of admission plug-in
PluginName = "ValidatingAdmissionPolicy"
)
Variables ¶
This section is empty.
Functions ¶
func NewDispatcher ¶
func NewDispatcher( authorizer authorizer.Authorizer, matcher generic.PolicyMatcher, ) generic.Dispatcher[PolicyHook]
func NewValidatingAdmissionPolicyAccessor ¶
func NewValidatingAdmissionPolicyAccessor(obj *v1.ValidatingAdmissionPolicy) generic.PolicyAccessor
func NewValidatingAdmissionPolicyBindingAccessor ¶
func NewValidatingAdmissionPolicyBindingAccessor(obj *v1.ValidatingAdmissionPolicyBinding) generic.BindingAccessor
Types ¶
type AuditAnnotationCondition ¶
AuditAnnotationCondition contains the inputs needed to compile, evaluate and publish a cel audit annotation
func (*AuditAnnotationCondition) GetExpression ¶
func (v *AuditAnnotationCondition) GetExpression() string
func (*AuditAnnotationCondition) ReturnTypes ¶
func (v *AuditAnnotationCondition) ReturnTypes() []*celgo.Type
type CELPolicyEvaluator ¶
type CELPolicyEvaluator interface { admission.InitializationValidator Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error HasSynced() bool Run(stopCh <-chan struct{}) }
type MessageExpressionCondition ¶
type MessageExpressionCondition struct {
MessageExpression string
}
func (*MessageExpressionCondition) GetExpression ¶
func (m *MessageExpressionCondition) GetExpression() string
func (*MessageExpressionCondition) ReturnTypes ¶
func (m *MessageExpressionCondition) ReturnTypes() []*celgo.Type
type Plugin ¶
type Plugin struct { *generic.Plugin[PolicyHook] }
func (*Plugin) InspectFeatureGates ¶
func (a *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate)
func (*Plugin) Validate ¶
func (a *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error
Validate makes an admission decision based on the request attributes.
type Policy ¶
type Policy = v1.ValidatingAdmissionPolicy
Plugin is an implementation of admission.Interface.
type PolicyAuditAnnotation ¶
type PolicyAuditAnnotationAction ¶
type PolicyAuditAnnotationAction string
const ( // AuditAnnotationActionPublish indicates that the audit annotation should be // published with the audit event. AuditAnnotationActionPublish PolicyAuditAnnotationAction = "publish" // AuditAnnotationActionError indicates that the valueExpression resulted // in an error. AuditAnnotationActionError PolicyAuditAnnotationAction = "error" // AuditAnnotationActionExclude indicates that the audit annotation should be excluded // because the valueExpression evaluated to null, or because FailurePolicy is Ignore // and the expression failed with a parse error, type check error, or runtime error. AuditAnnotationActionExclude PolicyAuditAnnotationAction = "exclude" )
type PolicyBinding ¶
type PolicyBinding = v1.ValidatingAdmissionPolicyBinding
type PolicyDecision ¶
type PolicyDecision struct { Action PolicyDecisionAction Evaluation PolicyDecisionEvaluation Message string Reason metav1.StatusReason Elapsed time.Duration }
PolicyDecision contains the action determined from a cel evaluation along with metadata such as message, reason and duration
type PolicyDecisionAction ¶
type PolicyDecisionAction string
const ( ActionAdmit PolicyDecisionAction = "admit" ActionDeny PolicyDecisionAction = "deny" )
type PolicyDecisionEvaluation ¶
type PolicyDecisionEvaluation string
const ( EvalAdmit PolicyDecisionEvaluation = "admit" EvalError PolicyDecisionEvaluation = "error" EvalDeny PolicyDecisionEvaluation = "deny" )
type PolicyEvaluator ¶
type PolicyEvaluator = Validator
type PolicyHook ¶
type PolicyHook = generic.PolicyHook[*Policy, *PolicyBinding, PolicyEvaluator]
type TypeChecker ¶
type TypeChecker struct { SchemaResolver resolver.SchemaResolver RestMapper meta.RESTMapper }
func (*TypeChecker) Check ¶
func (c *TypeChecker) Check(policy *v1.ValidatingAdmissionPolicy) []v1.ExpressionWarning
Check preforms the type check against the given policy, and format the result as []ExpressionWarning that is ready to be set in policy.Status The result is nil if type checking returns no warning. The policy object is NOT mutated. The caller should update Status accordingly
func (*TypeChecker) CheckExpression ¶
func (c *TypeChecker) CheckExpression(ctx *TypeCheckingContext, expression string) TypeCheckingResults
CheckExpression type checks a single expression, given the context
func (*TypeChecker) CreateContext ¶
func (c *TypeChecker) CreateContext(policy *v1.ValidatingAdmissionPolicy) *TypeCheckingContext
CreateContext resolves all types and their schemas from a policy definition and creates the context.
type TypeCheckingContext ¶
type TypeCheckingContext struct {
// contains filtered or unexported fields
}
TypeCheckingContext holds information about the policy being type-checked. The struct is opaque to the caller.
type TypeCheckingResult ¶
type TypeCheckingResult struct { // GVK is the associated GVK GVK schema.GroupVersionKind // Issues contain machine-readable information about the typechecking result. Issues error // Err is the possible error that was encounter during type checking. Err error }
TypeCheckingResult holds the issues found during type checking, any returned error, and the gvk that the type checking is performed against.
func (*TypeCheckingResult) String ¶
func (r *TypeCheckingResult) String() string
String converts the result to human-readable form as a string.
type TypeCheckingResults ¶
type TypeCheckingResults []*TypeCheckingResult
TypeCheckingResults is a collection of TypeCheckingResult
func (TypeCheckingResults) String ¶
func (rs TypeCheckingResults) String() string
type ValidateResult ¶
type ValidateResult struct { // Decisions specifies the outcome of the validation as well as the details about the decision. Decisions []PolicyDecision // AuditAnnotations specifies the audit annotations that should be recorded for the validation. AuditAnnotations []PolicyAuditAnnotation }
ValidateResult defines the result of a Validator.Validate operation.
type ValidationCondition ¶
type ValidationCondition struct { Expression string Message string Reason *metav1.StatusReason }
ValidationCondition contains the inputs needed to compile, evaluate and validate a cel expression
func (*ValidationCondition) GetExpression ¶
func (v *ValidationCondition) GetExpression() string
func (*ValidationCondition) ReturnTypes ¶
func (v *ValidationCondition) ReturnTypes() []*celgo.Type
type ValidationFailureValue ¶
type ValidationFailureValue struct { Message string `json:"message"` Policy string `json:"policy"` Binding string `json:"binding"` ExpressionIndex int `json:"expressionIndex"` ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions"` }
validationFailureValue defines the JSON format of a "validation.policy.admission.k8s.io/validation_failure" audit annotation value.
type Validator ¶
type Validator interface { // Validate is used to take cel evaluations and convert into decisions // runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input. Validate(ctx context.Context, matchedResource schema.GroupVersionResource, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *corev1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult }
Validator is contains logic for converting ValidationEvaluation to PolicyDecisions
func NewValidator ¶
func NewValidator(validationFilter cel.Filter, celMatcher matchconditions.Matcher, auditAnnotationFilter, messageFilter cel.Filter, failPolicy *v1.FailurePolicyType) Validator
type Variable ¶
Variable is a named expression for composition.