Documentation ¶
Index ¶
- Constants
- func BuildNamespaceType() *apiservercel.DeclType
- func BuildRequestType() *apiservercel.DeclType
- func CreateAdmissionRequest(attr admission.Attributes, equivalentGVR metav1.GroupVersionResource, ...) *admissionv1.AdmissionRequest
- func CreateNamespaceObject(namespace *v1.Namespace) *v1.Namespace
- type CompilationResult
- type Compiler
- type CompositedCompiler
- func (c *CompositedCompiler) Compile(expressions []ExpressionAccessor, optionalDecls OptionalVariableDeclarations, ...) Filter
- func (c *CompositedCompiler) CompileAndStoreVariable(variable NamedExpressionAccessor, options OptionalVariableDeclarations, ...) CompilationResult
- func (c *CompositedCompiler) CompileAndStoreVariables(variables []NamedExpressionAccessor, options OptionalVariableDeclarations, ...)
- type CompositedFilter
- type CompositionContext
- type CompositionEnv
- type EvaluationResult
- type ExpressionAccessor
- type Filter
- type FilterCompiler
- type NamedExpressionAccessor
- type OptionalVariableBindings
- type OptionalVariableDeclarations
Constants ¶
// CEL variable names used by this package. The type docs on this page describe
// "object" and "oldObject" as root-level CEL variables, and "params",
// "authorizer" and "authorizer.requestResource" as optional variable bindings.
// NOTE(review): "request", "namespaceObject" and "variables" are presumably the
// roots for the admission request, the namespace and composed variables — confirm.
const (
	ObjectVarName                    = "object"
	OldObjectVarName                 = "oldObject"
	ParamsVarName                    = "params"
	RequestVarName                   = "request"
	NamespaceVarName                 = "namespaceObject"
	AuthorizerVarName                = "authorizer"
	RequestResourceAuthorizerVarName = "authorizer.requestResource"
	VariableVarName                  = "variables"
)

// VariablesTypeName is a type name string.
// NOTE(review): presumably the typeName passed to NewCompositionEnv — confirm.
const VariablesTypeName = "kubernetes.variables"
Variables ¶
This section is empty.
Functions ¶
func BuildNamespaceType ¶ added in v0.28.0
func BuildNamespaceType() *apiservercel.DeclType
BuildNamespaceType generates a DeclType for Namespace. Certain nested fields in Namespace (e.g. managedFields, ownerReferences etc.) are omitted in the generated DeclType by design.
func BuildRequestType ¶
func BuildRequestType() *apiservercel.DeclType
BuildRequestType generates a DeclType for AdmissionRequest. This may be replaced with a utility that converts the native type definition to apiservercel.DeclType once such a utility becomes available. The 'uid' field is omitted since it is not needed for in-process admission review. The 'object' and 'oldObject' fields are omitted since they are exposed as root level CEL variables.
func CreateAdmissionRequest ¶
func CreateAdmissionRequest(attr admission.Attributes, equivalentGVR metav1.GroupVersionResource, equivalentKind metav1.GroupVersionKind) *admissionv1.AdmissionRequest
Types ¶
type CompilationResult ¶
type CompilationResult struct {
	// Program is the compiled CEL program.
	// NOTE(review): presumably unset when Error is non-nil, so check Error
	// before evaluating — confirm against the compiler.
	Program cel.Program
	// Error carries a compilation error (assumed nil on success — confirm).
	Error *apiservercel.Error
	// ExpressionAccessor is the accessor associated with this result.
	ExpressionAccessor ExpressionAccessor
	// OutputType is a CEL type; presumably the expression's result type — confirm.
	OutputType *cel.Type
}
CompilationResult represents a compiled validations expression.
type Compiler ¶ added in v0.28.0
type Compiler interface {
	// CompileCELExpression takes the expression accessor, the declarations of
	// which optional variables ("params", authorizer) are available to the
	// expression, and the environment type, and returns a CompilationResult.
	// Failures are reported through the result rather than a separate error
	// return, so callers need to inspect the returned CompilationResult.
	CompileCELExpression(expressionAccessor ExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type) CompilationResult
}
Compiler provides a CEL expression compiler configured with the desired admission related CEL variables and environment mode.
func NewCompiler ¶ added in v0.28.0
func NewCompiler(env *environment.EnvSet) Compiler
type CompositedCompiler ¶ added in v0.28.0
type CompositedCompiler struct {
	// Compiler and FilterCompiler are embedded. CompositedCompiler also declares
	// its own Compile method, which takes precedence over the Compile method
	// promoted from FilterCompiler.
	Compiler
	FilterCompiler

	// CompositionEnv is the composition environment used by this compiler; its
	// type holds the CompiledVariables map.
	CompositionEnv *CompositionEnv
}
func NewCompositedCompiler ¶ added in v0.28.0
func NewCompositedCompiler(envSet *environment.EnvSet) (*CompositedCompiler, error)
func NewCompositedCompilerFromTemplate ¶ added in v0.30.0
func NewCompositedCompilerFromTemplate(context *CompositionEnv) *CompositedCompiler
func (*CompositedCompiler) Compile ¶ added in v0.28.0
func (c *CompositedCompiler) Compile(expressions []ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) Filter
func (*CompositedCompiler) CompileAndStoreVariable ¶ added in v0.28.0
func (c *CompositedCompiler) CompileAndStoreVariable(variable NamedExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type) CompilationResult
func (*CompositedCompiler) CompileAndStoreVariables ¶ added in v0.28.0
func (c *CompositedCompiler) CompileAndStoreVariables(variables []NamedExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type)
type CompositedFilter ¶ added in v0.28.0
type CompositedFilter struct {
	// Filter is embedded. CompositedFilter declares its own ForInput with the
	// same signature, which takes precedence over the embedded Filter's ForInput.
	Filter
	// contains filtered or unexported fields
}
func (*CompositedFilter) ForInput ¶ added in v0.28.0
func (f *CompositedFilter) ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, namespace *corev1.Namespace, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error)
type CompositionContext ¶ added in v0.28.0
type CompositionEnv ¶ added in v0.28.0
type CompositionEnv struct {
	// EnvSet is embedded, so its methods are promoted onto CompositionEnv.
	*environment.EnvSet

	// MapType is a declared CEL type.
	// NOTE(review): presumably the type that AddField extends with one field
	// per composed variable — confirm.
	MapType *apiservercel.DeclType
	// CompiledVariables maps a string key to a CompilationResult.
	// NOTE(review): presumably keyed by variable name and filled by
	// CompileAndStoreVariable — confirm.
	CompiledVariables map[string]CompilationResult
}
func NewCompositionEnv ¶ added in v0.28.0
func NewCompositionEnv(typeName string, baseEnvSet *environment.EnvSet) (*CompositionEnv, error)
func (*CompositionEnv) AddField ¶ added in v0.28.0
func (c *CompositionEnv) AddField(name string, celType *cel.Type)
func (*CompositionEnv) CreateContext ¶ added in v0.28.0
func (c *CompositionEnv) CreateContext(parent context.Context) CompositionContext
type EvaluationResult ¶
type EvaluationResult struct {
	// EvalResult is the CEL value produced by the evaluation.
	EvalResult ref.Val
	// ExpressionAccessor is the accessor associated with this result.
	ExpressionAccessor ExpressionAccessor
	// Elapsed is a duration; presumably the time spent evaluating — confirm.
	Elapsed time.Duration
	// Error is the error recorded for this result.
	// NOTE(review): presumably EvalResult is not meaningful when Error is
	// non-nil, so check Error first — confirm.
	Error error
}
EvaluationResult contains the minimal required fields and metadata of a cel evaluation
type ExpressionAccessor ¶
type Filter ¶
type Filter interface {
	// ForInput converts compiled CEL-typed values into evaluated CEL-typed values.
	// runtimeCELCostBudget was added for testing purposes only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	// If cost budget is calculated, the filter should return the remaining budget.
	//
	// The int64 result is that remaining budget; the slice carries the
	// EvaluationResult values.
	// NOTE(review): the budget bounds how much evaluation work a request may
	// consume; what happens when it is exhausted is not shown on this page —
	// confirm before relying on it as a hard limit.
	ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, namespace *corev1.Namespace, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error)

	// CompilationErrors returns a list of errors from the compilation of the evaluator.
	CompilationErrors() []error
}
Filter contains a function to evaluate compiled CEL-typed values. It expects the inbound object to already have been converted to the version expected by the underlying CEL code (which is indicated by the match criteria of a policy definition). versionedParams may be nil.
func NewFilter ¶
func NewFilter(compilationResults []CompilationResult) Filter
type FilterCompiler ¶
type FilterCompiler interface {
	// Compile is used for the CEL expression compilation. It takes the
	// expression accessors, the optional variable declarations and the
	// environment type, and returns a Filter. It has no error return; the
	// Filter interface exposes CompilationErrors for inspecting failures.
	Compile(expressions []ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) Filter
}
FilterCompiler contains a function to assist with converting types and values to/from CEL-typed values.
func NewFilterCompiler ¶
func NewFilterCompiler(env *environment.EnvSet) FilterCompiler
type NamedExpressionAccessor ¶ added in v0.28.0
type NamedExpressionAccessor interface {
	// ExpressionAccessor is embedded, so every NamedExpressionAccessor is also
	// an ExpressionAccessor.
	ExpressionAccessor

	// GetName returns the name attached to the expression.
	GetName() string // follows the naming convention of ExpressionAccessor
}
NamedExpressionAccessor extends ExpressionAccessor with a name.
type OptionalVariableBindings ¶
type OptionalVariableBindings struct {
	// VersionedParams provides the "params" variable binding. This variable binding may
	// be set to nil even when OptionalVariableDeclarations.HasParams is set to true.
	VersionedParams runtime.Object

	// Authorizer provides the authorizer used for the "authorizer" and
	// "authorizer.requestResource" variable bindings. If the expression was compiled with
	// OptionalVariableDeclarations.HasAuthorizer set to true this must be non-nil.
	// NOTE(review): what evaluation does with a nil Authorizer in that case is
	// not shown on this page; treat the non-nil requirement as a caller
	// obligation and validate it before calling ForInput — confirm.
	Authorizer authorizer.Authorizer
}
OptionalVariableBindings provides expression bindings for optional CEL variables.
type OptionalVariableDeclarations ¶
type OptionalVariableDeclarations struct {
	// HasParams specifies if the "params" variable is declared.
	// The "params" variable may still be bound to "null" when declared.
	HasParams bool

	// HasAuthorizer specifies if the "authorizer" and "authorizer.requestResource"
	// variables are declared. When declared, the authorizer variables are
	// expected to be non-null.
	HasAuthorizer bool

	// StrictCost specifies if the CEL cost limitation is strict for extended libraries as well as native libraries.
	// NOTE(review): with StrictCost false, calls into extended libraries are
	// presumably not held to the same cost limit, so the cost budget may not
	// bound such expressions as tightly — confirm before relying on it.
	StrictCost bool
}
OptionalVariableDeclarations declares which optional CEL variables are declared for an expression.