generic

package
v0.30.0-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 3, 2024 License: Apache-2.0 Imports: 39 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CollectParams

func CollectParams(
	paramKind *v1.ParamKind,
	paramInformer informers.GenericInformer,
	paramScope meta.RESTScope,
	paramRef *v1.ParamRef,
	namespace string,
) ([]runtime.Object, error)

Returns params to use to evaluate a policy-binding with given param configuration. If the policy-binding has no param configuration, it returns a single-element list with a nil param.

Types

type BindingAccessor

type BindingAccessor interface {
	GetName() string
	GetNamespace() string

	// GetPolicyName returns the name of the (Validating/Mutating)AdmissionPolicy,
	// which is cluster-scoped, so namespace is usually left blank.
	// But we leave the door open to add a namespaced vesion in the future
	GetPolicyName() types.NamespacedName
	GetParamRef() *v1.ParamRef

	GetMatchResources() *v1.MatchResources
}

type Dispatcher

type Dispatcher[H Hook] interface {
	// Dispatch a request to the policies. Dispatcher may choose not to
	// call a hook, either because the rules of the hook does not match, or
	// the namespaceSelector or the objectSelector of the hook does not
	// match. A non-nil error means the request is rejected.
	Dispatch(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces, hooks []H) error
}

Dispatcher dispatches evaluates an admission request against the currently active hooks returned by the source.

func NewPolicyDispatcher

func NewPolicyDispatcher[P runtime.Object, B runtime.Object, E Evaluator](
	newPolicyAccessor func(P) PolicyAccessor,
	newBindingAccessor func(B) BindingAccessor,
	matcher *matching.Matcher,
	delegate dispatcherDelegate[P, B, E],
) Dispatcher[PolicyHook[P, B, E]]

type Evaluator

type Evaluator interface {
}

An evaluator represents a compiled CEL expression that can be evaluated a given a set of inputs used by the generic PolicyHook for Mutating and ValidatingAdmissionPolicy. Mutating and Validating may have different forms of evaluators

type FakeList

type FakeList[T runtime.Object] struct {
	metav1.TypeMeta
	metav1.ListMeta
	Items []T
}

func (*FakeList[P]) DeepCopyObject

func (fl *FakeList[P]) DeepCopyObject() runtime.Object

type Hook

type Hook interface {
}

Hook represents a dynamic admission hook. The hook may be a webhook or a policy. For webhook, the Hook may describe how to contact the endpoint, expected cert, etc. For policies, the hook may describe a compiled policy-binding pair.

type Plugin

type Plugin[H any] struct {
	*admission.Handler
	// contains filtered or unexported fields
}

AdmissionPolicyManager is an abstract admission plugin with all the infrastructure to define Admit or Validate on-top.

func NewPlugin

func NewPlugin[H any](
	handler *admission.Handler,
	sourceFactory sourceFactory[H],
	dispatcherFactory dispatcherFactory[H],
) *Plugin[H]

func (*Plugin[H]) Dispatch

func (c *Plugin[H]) Dispatch(
	ctx context.Context,
	a admission.Attributes,
	o admission.ObjectInterfaces,
) (err error)

func (*Plugin[H]) SetAuthorizer

func (c *Plugin[H]) SetAuthorizer(authorizer authorizer.Authorizer)

func (*Plugin[H]) SetDrainedNotification

func (c *Plugin[H]) SetDrainedNotification(stopCh <-chan struct{})

func (*Plugin[H]) SetDynamicClient

func (c *Plugin[H]) SetDynamicClient(client dynamic.Interface)

func (*Plugin[H]) SetEnabled

func (c *Plugin[H]) SetEnabled(enabled bool)

func (*Plugin[H]) SetExcludedAdmissionResources

func (c *Plugin[H]) SetExcludedAdmissionResources(excludedResources []schema.GroupResource)

func (*Plugin[H]) SetExternalKubeClientSet

func (c *Plugin[H]) SetExternalKubeClientSet(client kubernetes.Interface)

func (*Plugin[H]) SetExternalKubeInformerFactory

func (c *Plugin[H]) SetExternalKubeInformerFactory(f informers.SharedInformerFactory)

func (*Plugin[H]) SetMatcher

func (c *Plugin[H]) SetMatcher(matcher *matching.Matcher)

func (*Plugin[H]) SetRESTMapper

func (c *Plugin[H]) SetRESTMapper(mapper meta.RESTMapper)

func (*Plugin[H]) ValidateInitialization

func (c *Plugin[H]) ValidateInitialization() error

ValidateInitialization - once clientset and informer factory are provided, creates and starts the admission controller

type PolicyAccessor

type PolicyAccessor interface {
	GetName() string
	GetNamespace() string
	GetParamKind() *v1.ParamKind
	GetMatchConstraints() *v1.MatchResources
}

type PolicyHook

type PolicyHook[P runtime.Object, B runtime.Object, E Evaluator] struct {
	Policy   P
	Bindings []B

	// ParamInformer is the informer for the param CRD for this policy, or nil if
	// there is no param or if there was a configuration error
	ParamInformer informers.GenericInformer
	ParamScope    meta.RESTScope

	Evaluator          E
	ConfigurationError error
}

type PolicyInvocation

type PolicyInvocation[P runtime.Object, B runtime.Object, E Evaluator] struct {
	// Relevant policy for this hook.
	// This field is always populated
	Policy P

	// Matched Kind for the request given the policy's matchconstraints
	// May be empty if there was an error matching the resource
	Kind schema.GroupVersionKind

	// Matched Resource for the request given the policy's matchconstraints
	// May be empty if there was an error matching the resource
	Resource schema.GroupVersionResource

	// Relevant binding for this hook.
	// May be empty if there was an error with the policy's configuration itself
	Binding B

	// Compiled policy evaluator
	Evaluator E

	// Params fetched by the binding to use to evaluate the policy
	Param runtime.Object

	// Error is set if there was an error with the policy or binding or its
	// params, etc
	Error error
}

A policy invocation is a single policy-binding-param tuple from a Policy Hook in the context of a specific request. The params have already been resolved and any error in configuration or setting up the invocation is stored in the Error field.

type PolicyMatcher

type PolicyMatcher interface {
	admission.InitializationValidator

	// DefinitionMatches says whether this policy definition matches the provided admission
	// resource request
	DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition PolicyAccessor) (bool, schema.GroupVersionResource, schema.GroupVersionKind, error)

	// BindingMatches says whether this policy definition matches the provided admission
	// resource request
	BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding BindingAccessor) (bool, error)

	// GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case
	// GetNamespace must return nil, nil
	GetNamespace(name string) (*corev1.Namespace, error)
}

Matcher is used for matching ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to attributes

func NewPolicyMatcher

func NewPolicyMatcher(m *matching.Matcher) PolicyMatcher

type PolicyTestContext

type PolicyTestContext[P runtime.Object, B runtime.Object, E Evaluator] struct {
	context.Context
	Plugin *Plugin[PolicyHook[P, B, E]]
	Source Source[PolicyHook[P, B, E]]
	Start  func() error
	// contains filtered or unexported fields
}

PolicyTestContext is everything you need to unit test a policy plugin

func NewPolicyTestContext

func NewPolicyTestContext[P, B runtime.Object, E Evaluator](
	newPolicyAccessor func(P) PolicyAccessor,
	newBindingAccessor func(B) BindingAccessor,
	compileFunc func(P) E,
	dispatcher dispatcherFactory[PolicyHook[P, B, E]],
	initialObjects []runtime.Object,
	paramMappings []meta.RESTMapping,
) (*PolicyTestContext[P, B, E], func(), error)

func (*PolicyTestContext[P, B, E]) DeleteAndWait

func (p *PolicyTestContext[P, B, E]) DeleteAndWait(object ...runtime.Object) error

Depending upon object type, waits afterward until the object is synced by the policy source

func (*PolicyTestContext[P, B, E]) Dispatch

func (p *PolicyTestContext[P, B, E]) Dispatch(
	new, old runtime.Object,
	operation admission.Operation,
) error

func (*PolicyTestContext[P, B, E]) Update

func (p *PolicyTestContext[P, B, E]) Update(objects ...runtime.Object) error

Update updates the given object in the test, or creates it if it doesn't exist

Be aware the Update will modify the ResourceVersion of the provided objects.

func (*PolicyTestContext[P, B, E]) UpdateAndWait

func (p *PolicyTestContext[P, B, E]) UpdateAndWait(objects ...runtime.Object) error

UpdateAndWait updates the given object in the test, or creates it if it doesn't exist Depending upon object type, waits afterward until the object is synced by the policy source

Be aware the UpdateAndWait will modify the ResourceVersion of the provided objects.

func (*PolicyTestContext[P, B, E]) WaitForReconcile

func (p *PolicyTestContext[P, B, E]) WaitForReconcile(timeoutCtx context.Context, object runtime.Object) error

Depending upon object type, waits afterward until the object is synced by the policy source. Note that policies that are not bound are skipped, so you should not try to wait for an unbound policy. Create both the binding and policy, then wait.

type Source

type Source[H Hook] interface {
	// Hooks returns the list of currently known admission hooks.
	Hooks() []H

	// Run the source. This method should be called only once at startup.
	Run(ctx context.Context) error

	// HasSynced returns true if the source has completed its initial sync.
	HasSynced() bool
}

Source can list dynamic admission plugins.

func NewPolicySource

func NewPolicySource[P runtime.Object, B runtime.Object, E Evaluator](
	policyInformer cache.SharedIndexInformer,
	bindingInformer cache.SharedIndexInformer,
	newPolicyAccessor func(P) PolicyAccessor,
	newBindingAccessor func(B) BindingAccessor,
	compiler func(P) E,
	paramInformerFactory informers.SharedInformerFactory,
	dynamicClient dynamic.Interface,
	restMapper meta.RESTMapper,
) Source[PolicyHook[P, B, E]]

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL