validating

package

v0.31.0-rc.1 Latest Latest Go to latest Published: Aug 6, 2024 License: Apache-2.0 Imports: 51 Imported by: 17

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes/apiserver

Documentation ¶

Index ¶

Constants
func ErrorType(decision *PolicyDecision) celmetrics.ValidationErrorType
func NewDispatcher(authorizer authorizer.Authorizer, matcher generic.PolicyMatcher) generic.Dispatcher[PolicyHook]
func NewValidatingAdmissionPolicyAccessor(obj *v1.ValidatingAdmissionPolicy) generic.PolicyAccessor
func NewValidatingAdmissionPolicyBindingAccessor(obj *v1.ValidatingAdmissionPolicyBinding) generic.BindingAccessor
func Register(plugins *admission.Plugins)
type AuditAnnotationCondition
- func (v *AuditAnnotationCondition) GetExpression() string
- func (v *AuditAnnotationCondition) ReturnTypes() []*celgo.Type
type CELPolicyEvaluator
type MessageExpressionCondition
- func (m *MessageExpressionCondition) GetExpression() string
- func (m *MessageExpressionCondition) ReturnTypes() []*celgo.Type
type Plugin
- func NewPlugin(_ io.Reader) *Plugin
- func (a *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate)
- func (a *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error
type Policy
type PolicyAuditAnnotation
type PolicyAuditAnnotationAction
type PolicyBinding
type PolicyDecision
type PolicyDecisionAction
type PolicyDecisionEvaluation
type PolicyEvaluator
type PolicyHook
type TypeChecker
- func (c *TypeChecker) Check(policy *v1.ValidatingAdmissionPolicy) []v1.ExpressionWarning
- func (c *TypeChecker) CheckExpression(ctx *TypeCheckingContext, expression string) TypeCheckingResults
- func (c *TypeChecker) CreateContext(policy *v1.ValidatingAdmissionPolicy) *TypeCheckingContext
type TypeCheckingContext
type TypeCheckingResult
- func (r *TypeCheckingResult) String() string
type TypeCheckingResults
- func (rs TypeCheckingResults) String() string
type ValidateResult
type ValidationCondition
- func (v *ValidationCondition) GetExpression() string
- func (v *ValidationCondition) ReturnTypes() []*celgo.Type
type ValidationFailureValue
type Validator
- func NewValidator(validationFilter cel.Filter, celMatcher matchconditions.Matcher, ...) Validator
type Variable
- func (v *Variable) GetExpression() string
- func (v *Variable) GetName() string
- func (v *Variable) ReturnTypes() []*celgo.Type

Constants ¶

View Source

const (
	// PluginName indicates the name of admission plug-in
	PluginName = "ValidatingAdmissionPolicy"
)

Variables ¶

This section is empty.

Functions ¶

func ErrorType ¶ added in v0.31.0

func ErrorType(decision *PolicyDecision) celmetrics.ValidationErrorType

ErrorType decodes the error to determine the error type that the metrics understand.

func NewDispatcher ¶

func NewDispatcher(
	authorizer authorizer.Authorizer,
	matcher generic.PolicyMatcher,
) generic.Dispatcher[PolicyHook]

func NewValidatingAdmissionPolicyAccessor ¶

func NewValidatingAdmissionPolicyAccessor(obj *v1.ValidatingAdmissionPolicy) generic.PolicyAccessor

func NewValidatingAdmissionPolicyBindingAccessor ¶

func NewValidatingAdmissionPolicyBindingAccessor(obj *v1.ValidatingAdmissionPolicyBinding) generic.BindingAccessor

Types ¶

type AuditAnnotationCondition ¶

type AuditAnnotationCondition struct {
	Key             string
	ValueExpression string
}

AuditAnnotationCondition contains the inputs needed to compile, evaluate and publish a cel audit annotation

func (*AuditAnnotationCondition) GetExpression ¶

func (v *AuditAnnotationCondition) GetExpression() string

func (*AuditAnnotationCondition) ReturnTypes ¶

func (v *AuditAnnotationCondition) ReturnTypes() []*celgo.Type

type CELPolicyEvaluator ¶

type CELPolicyEvaluator interface {
	admission.InitializationValidator

	Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error
	HasSynced() bool
	Run(stopCh <-chan struct{})
}

type MessageExpressionCondition ¶

type MessageExpressionCondition struct {
	MessageExpression string
}

func (*MessageExpressionCondition) GetExpression ¶

func (m *MessageExpressionCondition) GetExpression() string

func (*MessageExpressionCondition) ReturnTypes ¶

func (m *MessageExpressionCondition) ReturnTypes() []*celgo.Type

type Plugin ¶

type Plugin struct {
	*generic.Plugin[PolicyHook]
}

func NewPlugin ¶

func NewPlugin(_ io.Reader) *Plugin

func (*Plugin) InspectFeatureGates ¶

func (a *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate)

func (*Plugin) Validate ¶

func (a *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error

Validate makes an admission decision based on the request attributes.

type Policy ¶

type Policy = v1.ValidatingAdmissionPolicy

Plugin is an implementation of admission.Interface.

type PolicyAuditAnnotation ¶

type PolicyAuditAnnotation struct {
	Key     string
	Value   string
	Elapsed time.Duration
	Action  PolicyAuditAnnotationAction
	Error   string
}

type PolicyAuditAnnotationAction ¶

type PolicyAuditAnnotationAction string

const (
	// AuditAnnotationActionPublish indicates that the audit annotation should be
	// published with the audit event.
	AuditAnnotationActionPublish PolicyAuditAnnotationAction = "publish"
	// AuditAnnotationActionError indicates that the valueExpression resulted
	// in an error.
	AuditAnnotationActionError PolicyAuditAnnotationAction = "error"
	// AuditAnnotationActionExclude indicates that the audit annotation should be excluded
	// because the valueExpression evaluated to null, or because FailurePolicy is Ignore
	// and the expression failed with a parse error, type check error, or runtime error.
	AuditAnnotationActionExclude PolicyAuditAnnotationAction = "exclude"
)

type PolicyBinding ¶

type PolicyBinding = v1.ValidatingAdmissionPolicyBinding

type PolicyDecision ¶

type PolicyDecision struct {
	Action     PolicyDecisionAction
	Evaluation PolicyDecisionEvaluation
	Message    string
	Reason     metav1.StatusReason
	Elapsed    time.Duration
}

PolicyDecision contains the action determined from a cel evaluation along with metadata such as message, reason and duration

type PolicyDecisionAction ¶

type PolicyDecisionAction string

const (
	ActionAdmit PolicyDecisionAction = "admit"
	ActionDeny  PolicyDecisionAction = "deny"
)

type PolicyDecisionEvaluation ¶

type PolicyDecisionEvaluation string

const (
	EvalAdmit PolicyDecisionEvaluation = "admit"
	EvalError PolicyDecisionEvaluation = "error"
	EvalDeny  PolicyDecisionEvaluation = "deny"
)

type PolicyEvaluator ¶

type PolicyEvaluator = Validator

type PolicyHook ¶

type PolicyHook = generic.PolicyHook[*Policy, *PolicyBinding, PolicyEvaluator]

type TypeChecker ¶

type TypeChecker struct {
	SchemaResolver resolver.SchemaResolver
	RestMapper     meta.RESTMapper
}

func (*TypeChecker) Check ¶

func (c *TypeChecker) Check(policy *v1.ValidatingAdmissionPolicy) []v1.ExpressionWarning

Check preforms the type check against the given policy, and format the result as []ExpressionWarning that is ready to be set in policy.Status The result is nil if type checking returns no warning. The policy object is NOT mutated. The caller should update Status accordingly

func (*TypeChecker) CheckExpression ¶

func (c *TypeChecker) CheckExpression(ctx *TypeCheckingContext, expression string) TypeCheckingResults

CheckExpression type checks a single expression, given the context

func (*TypeChecker) CreateContext ¶

func (c *TypeChecker) CreateContext(policy *v1.ValidatingAdmissionPolicy) *TypeCheckingContext

CreateContext resolves all types and their schemas from a policy definition and creates the context.

type TypeCheckingContext ¶

type TypeCheckingContext struct {
	// contains filtered or unexported fields
}

TypeCheckingContext holds information about the policy being type-checked. The struct is opaque to the caller.

type TypeCheckingResult ¶

type TypeCheckingResult struct {
	// GVK is the associated GVK
	GVK schema.GroupVersionKind
	// Issues contain machine-readable information about the typechecking result.
	Issues error
	// Err is the possible error that was encounter during type checking.
	Err error
}

TypeCheckingResult holds the issues found during type checking, any returned error, and the gvk that the type checking is performed against.

func (*TypeCheckingResult) String ¶

func (r *TypeCheckingResult) String() string

String converts the result to human-readable form as a string.

type TypeCheckingResults ¶

type TypeCheckingResults []*TypeCheckingResult

TypeCheckingResults is a collection of TypeCheckingResult

func (TypeCheckingResults) String ¶

func (rs TypeCheckingResults) String() string

type ValidateResult ¶

type ValidateResult struct {
	// Decisions specifies the outcome of the validation as well as the details about the decision.
	Decisions []PolicyDecision
	// AuditAnnotations specifies the audit annotations that should be recorded for the validation.
	AuditAnnotations []PolicyAuditAnnotation
}

ValidateResult defines the result of a Validator.Validate operation.

type ValidationCondition ¶

type ValidationCondition struct {
	Expression string
	Message    string
	Reason     *metav1.StatusReason
}

ValidationCondition contains the inputs needed to compile, evaluate and validate a cel expression

func (*ValidationCondition) GetExpression ¶

func (v *ValidationCondition) GetExpression() string

func (*ValidationCondition) ReturnTypes ¶

func (v *ValidationCondition) ReturnTypes() []*celgo.Type

type ValidationFailureValue ¶

type ValidationFailureValue struct {
	Message           string                                     `json:"message"`
	Policy            string                                     `json:"policy"`
	Binding           string                                     `json:"binding"`
	ExpressionIndex   int                                        `json:"expressionIndex"`
	ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions"`
}

validationFailureValue defines the JSON format of a "validation.policy.admission.k8s.io/validation_failure" audit annotation value.

type Validator ¶

type Validator interface {
	// Validate is used to take cel evaluations and convert into decisions
	// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	Validate(ctx context.Context, matchedResource schema.GroupVersionResource, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *corev1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult
}

Validator is contains logic for converting ValidationEvaluation to PolicyDecisions

func NewValidator ¶

func NewValidator(validationFilter cel.Filter, celMatcher matchconditions.Matcher, auditAnnotationFilter, messageFilter cel.Filter, failPolicy *v1.FailurePolicyType) Validator

type Variable ¶

type Variable struct {
	Name       string
	Expression string
}

Variable is a named expression for composition.

func (*Variable) GetExpression ¶

func (v *Variable) GetExpression() string

func (*Variable) GetName ¶

func (v *Variable) GetName() string

func (*Variable) ReturnTypes ¶

func (v *Variable) ReturnTypes() []*celgo.Type

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
metrics

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL