package validatingadmissionpolicy
v0.28.7
Published: Feb 14, 2024 License: Apache-2.0 Imports: 54 Imported by: 0

Documentation

Constants

View Source
const (
	// PluginName indicates the name of admission plug-in
	PluginName = "ValidatingAdmissionPolicy"
)

Variables

This section is empty.

Functions

func NewPlugin

func NewPlugin() (admission.Interface, error)

func Register

func Register(plugins *admission.Plugins)

Register registers a plugin

Types

type AuditAnnotationCondition added in v0.27.0

type AuditAnnotationCondition struct {
	Key             string
	ValueExpression string
}

AuditAnnotationCondition contains the inputs needed to compile, evaluate and publish a cel audit annotation

func (*AuditAnnotationCondition) GetExpression added in v0.27.0

func (v *AuditAnnotationCondition) GetExpression() string

func (*AuditAnnotationCondition) ReturnTypes added in v0.27.0

func (v *AuditAnnotationCondition) ReturnTypes() []*celgo.Type

type CELPolicyEvaluator

type CELPolicyEvaluator interface {
	admission.InitializationValidator

	Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error
	HasSynced() bool
	Run(stopCh <-chan struct{})
}

func NewAdmissionController

func NewAdmissionController(
	informerFactory informers.SharedInformerFactory,
	client kubernetes.Interface,
	restMapper meta.RESTMapper,
	dynamicClient dynamic.Interface,
	authz authorizer.Authorizer,
) CELPolicyEvaluator

type Matcher added in v0.27.0

type Matcher interface {
	admission.InitializationValidator

	// DefinitionMatches reports whether this policy definition matches the provided admission
	// resource request.
	DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionResource, schema.GroupVersionKind, error)

	// BindingMatches reports whether this policy binding matches the provided admission
	// resource request.
	BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1beta1.ValidatingAdmissionPolicyBinding) (bool, error)

	// GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case
	// GetNamespace must return nil, nil
	GetNamespace(name string) (*corev1.Namespace, error)
}

Matcher is used for matching ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to attributes

func NewMatcher added in v0.27.0

func NewMatcher(m *matching.Matcher) Matcher

type MessageExpressionCondition added in v0.27.0

type MessageExpressionCondition struct {
	MessageExpression string
}

func (*MessageExpressionCondition) GetExpression added in v0.27.0

func (m *MessageExpressionCondition) GetExpression() string

func (*MessageExpressionCondition) ReturnTypes added in v0.27.0

func (m *MessageExpressionCondition) ReturnTypes() []*celgo.Type

type PolicyAuditAnnotation added in v0.27.0

type PolicyAuditAnnotation struct {
	Key     string
	Value   string
	Elapsed time.Duration
	Action  PolicyAuditAnnotationAction
	Error   string
}

type PolicyAuditAnnotationAction added in v0.27.0

type PolicyAuditAnnotationAction string

const (
	// AuditAnnotationActionPublish indicates that the audit annotation should be
	// published with the audit event.
	AuditAnnotationActionPublish PolicyAuditAnnotationAction = "publish"
	// AuditAnnotationActionError indicates that the valueExpression resulted
	// in an error.
	AuditAnnotationActionError PolicyAuditAnnotationAction = "error"
	// AuditAnnotationActionExclude indicates that the audit annotation should be excluded
	// because the valueExpression evaluated to null, or because FailurePolicy is Ignore
	// and the expression failed with a parse error, type check error, or runtime error.
	AuditAnnotationActionExclude PolicyAuditAnnotationAction = "exclude"
)

type PolicyDecision added in v0.27.0

type PolicyDecision struct {
	Action     PolicyDecisionAction
	Evaluation PolicyDecisionEvaluation
	Message    string
	Reason     metav1.StatusReason
	Elapsed    time.Duration
}

PolicyDecision contains the action determined from a cel evaluation along with metadata such as message, reason and duration

type PolicyDecisionAction added in v0.27.0

type PolicyDecisionAction string

const (
	ActionAdmit PolicyDecisionAction = "admit"
	ActionDeny  PolicyDecisionAction = "deny"
)

type PolicyDecisionEvaluation added in v0.27.0

type PolicyDecisionEvaluation string

const (
	EvalAdmit PolicyDecisionEvaluation = "admit"
	EvalError PolicyDecisionEvaluation = "error"
	EvalDeny  PolicyDecisionEvaluation = "deny"
)

type TypeChecker added in v0.27.0

type TypeChecker struct {
	SchemaResolver resolver.SchemaResolver
	RestMapper     meta.RESTMapper
}

func (*TypeChecker) Check added in v0.27.0

Check performs the type check against the given policy and formats the result as []ExpressionWarning, ready to be set in policy.Status. The result is nil if type checking produces no warnings. The policy object is NOT mutated; the caller should update Status accordingly.

func (*TypeChecker) CheckExpression added in v0.28.0

func (c *TypeChecker) CheckExpression(ctx *TypeCheckingContext, expression string) TypeCheckingResults

CheckExpression type checks a single expression, given the context

func (*TypeChecker) CreateContext added in v0.28.0

CreateContext resolves all types and their schemas from a policy definition and creates the context.

type TypeCheckingContext added in v0.28.0

type TypeCheckingContext struct {
	// contains filtered or unexported fields
}

TypeCheckingContext holds information about the policy being type-checked. The struct is opaque to the caller.

type TypeCheckingResult added in v0.28.0

type TypeCheckingResult struct {
	// GVK is the associated GVK
	GVK schema.GroupVersionKind
	// Issues contain machine-readable information about the typechecking result.
	Issues *cel.Issues
	// Err is the possible error that was encounter during type checking.
	Err error
}

TypeCheckingResult holds the issues found during type checking, any returned error, and the gvk that the type checking is performed against.

func (*TypeCheckingResult) String added in v0.28.0

func (r *TypeCheckingResult) String() string

String converts the result to human-readable form as a string.

type TypeCheckingResults added in v0.28.0

type TypeCheckingResults []*TypeCheckingResult

TypeCheckingResults is a collection of TypeCheckingResult

func (TypeCheckingResults) String added in v0.28.0

func (rs TypeCheckingResults) String() string

type ValidateResult added in v0.27.0

type ValidateResult struct {
	// Decisions specifies the outcome of the validation as well as the details about the decision.
	Decisions []PolicyDecision
	// AuditAnnotations specifies the audit annotations that should be recorded for the validation.
	AuditAnnotations []PolicyAuditAnnotation
}

ValidateResult defines the result of a Validator.Validate operation.

type ValidationCondition added in v0.27.0

type ValidationCondition struct {
	Expression string
	Message    string
	Reason     *metav1.StatusReason
}

ValidationCondition contains the inputs needed to compile, evaluate and validate a cel expression

func (*ValidationCondition) GetExpression added in v0.27.0

func (v *ValidationCondition) GetExpression() string

func (*ValidationCondition) ReturnTypes added in v0.27.0

func (v *ValidationCondition) ReturnTypes() []*celgo.Type

type Validator

type Validator interface {
	// Validate takes the CEL evaluations for a request and converts them into decisions.
	// runtimeCELCostBudget was added for testing purposes only. Callers should always use the const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	Validate(ctx context.Context, matchedResource schema.GroupVersionResource, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *corev1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult
}

Validator contains the logic for converting CEL validation evaluations into PolicyDecisions.

func NewValidator added in v0.27.0

func NewValidator(validationFilter cel.Filter, celMatcher matchconditions.Matcher, auditAnnotationFilter, messageFilter cel.Filter, failPolicy *v1.FailurePolicyType) Validator
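The part of this API most worth understanding before deploying a policy is what NewValidator's failPolicy parameter does to an expression that cannot be evaluated: with Fail the request is denied (fail closed), with Ignore it is admitted (fail open), and the same switch decides whether a broken audit valueExpression surfaces as an error or is silently excluded. The Go program below is an added example written for this page, not code from the package: it reimplements, in simplified form, how one evaluation outcome is mapped to the PolicyDecision, PolicyDecisionEvaluation and PolicyAuditAnnotationAction values documented above, reusing those names. EvalOutcome, failClosed, decide, auditAnnotation and admitted are this example's own; the "failed expression:" default message wording and the rule that an annotation left in the error state rejects the request are assumptions about upstream behaviour, not something this page states.

```go
package main

import "fmt"

// Names mirror the constants documented on this page. This is a simplified
// stand-in written for illustration, not the package's own code.
type FailurePolicyType string
type PolicyDecisionAction string
type PolicyDecisionEvaluation string
type PolicyAuditAnnotationAction string

const (
	Fail, Ignore                   = FailurePolicyType("Fail"), FailurePolicyType("Ignore")
	ActionAdmit, ActionDeny        = PolicyDecisionAction("admit"), PolicyDecisionAction("deny")
	EvalAdmit, EvalError, EvalDeny = PolicyDecisionEvaluation("admit"), PolicyDecisionEvaluation("error"), PolicyDecisionEvaluation("deny")
	AuditAnnotationActionPublish   = PolicyAuditAnnotationAction("publish")
	AuditAnnotationActionError     = PolicyAuditAnnotationAction("error")
	AuditAnnotationActionExclude   = PolicyAuditAnnotationAction("exclude")
)

type PolicyDecision struct {
	Action     PolicyDecisionAction
	Evaluation PolicyDecisionEvaluation
	Message    string
}

type PolicyAuditAnnotation struct {
	Key, Value, Error string
	Action            PolicyAuditAnnotationAction
}

// EvalOutcome is a constructed stand-in for one compiled CEL expression's result: a bool
// for a validation, a string or nil for an audit annotation, or an error of any kind.
type EvalOutcome struct {
	Value interface{}
	Err   error
}

// failClosed applies the documented default: a nil failPolicy means Fail.
func failClosed(fp *FailurePolicyType) bool { return fp == nil || *fp == Fail }

// decide maps one validation's outcome to a PolicyDecision. On an error, Fail denies
// (fail closed) while Ignore admits (fail open); a false result denies either way.
func decide(expression, message string, out EvalOutcome, fp *FailurePolicyType) PolicyDecision {
	if out.Err != nil {
		d := PolicyDecision{Action: ActionAdmit, Evaluation: EvalError, Message: out.Err.Error()}
		if failClosed(fp) {
			d.Action = ActionDeny
		}
		return d
	}
	if b, ok := out.Value.(bool); ok && b {
		return PolicyDecision{Action: ActionAdmit, Evaluation: EvalAdmit}
	}
	if message == "" { // false, or a non-bool result, fails the validation
		message = "failed expression: " + expression // default wording is an assumption
	}
	return PolicyDecision{Action: ActionDeny, Evaluation: EvalDeny, Message: message}
}

// auditAnnotation maps a valueExpression outcome to publish, exclude or error. Under
// Ignore an error is excluded, so a broken valueExpression leaves no trace in the audit log.
func auditAnnotation(key string, out EvalOutcome, fp *FailurePolicyType) PolicyAuditAnnotation {
	a := PolicyAuditAnnotation{Key: key, Action: AuditAnnotationActionExclude}
	if s, ok := out.Value.(string); ok && out.Err == nil {
		a.Action, a.Value = AuditAnnotationActionPublish, s
		return a
	}
	if out.Err == nil && out.Value != nil { // neither string nor null
		out.Err = fmt.Errorf("valueExpression %q returned %T, want string or null", key, out.Value)
	}
	if out.Err != nil && failClosed(fp) {
		a.Action, a.Error = AuditAnnotationActionError, out.Err.Error()
	}
	return a
}

// admitted folds decisions and annotations into the final outcome: any deny, or any
// annotation left in the error state (assumed to deny under Fail), rejects the request.
func admitted(decisions []PolicyDecision, annotations []PolicyAuditAnnotation) bool {
	for _, d := range decisions {
		if d.Action == ActionDeny {
			return false
		}
	}
	for _, a := range annotations {
		if a.Action == AuditAnnotationActionError {
			return false
		}
	}
	return true
}

func main() {
	ignore := Ignore
	d := decide("object.spec.replicas <= 5", "", EvalOutcome{Err: fmt.Errorf("cost budget exhausted")}, &ignore)
	fmt.Printf("failurePolicy=Ignore decision=%s/%s admitted=%v\n", d.Action, d.Evaluation, admitted([]PolicyDecision{d}, nil))
}
```

Two consequences are worth checking in any policy you ship: a nil failPolicy is treated as Fail, and under Ignore both a validation that runs out of CEL cost budget and a valueExpression that errors are silent, the request being admitted with the annotation excluded. Treat failurePolicy: Ignore as an explicit decision to fail open, and watch the type-check warnings the TypeChecker writes into policy.Status, since a mistyped expression under Ignore never denies anything.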

type Variable added in v0.28.0

type Variable struct {
	Name       string
	Expression string
}

Variable is a named expression for composition.

func (*Variable) GetExpression added in v0.28.0

func (v *Variable) GetExpression() string

func (*Variable) GetName added in v0.28.0

func (v *Variable) GetName() string

func (*Variable) ReturnTypes added in v0.28.0

func (v *Variable) ReturnTypes() []*celgo.Type

Directories

Path	Synopsis
internal/generic	Package generic contains a typed wrapper over cache SharedIndexInformer and Lister (maybe eventually should have a home there?)
