cel

package
v0.32.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 16, 2025 License: Apache-2.0 Imports: 26 Imported by: 15

Documentation

Index

Constants

View Source
const (
	ObjectVarName                    = "object"
	OldObjectVarName                 = "oldObject"
	ParamsVarName                    = "params"
	RequestVarName                   = "request"
	NamespaceVarName                 = "namespaceObject"
	AuthorizerVarName                = "authorizer"
	RequestResourceAuthorizerVarName = "authorizer.requestResource"
	VariableVarName                  = "variables"
)
View Source
const VariablesTypeName = "kubernetes.variables"

Variables

This section is empty.

Functions

func BuildNamespaceType added in v0.28.0

func BuildNamespaceType() *apiservercel.DeclType

BuildNamespaceType generates a DeclType for Namespace. Certain nested fields in Namespace (e.g. managedFields, ownerReferences etc.) are omitted in the generated DeclType by design.

func BuildRequestType

func BuildRequestType() *apiservercel.DeclType

BuildRequestType generates a DeclType for AdmissionRequest. This may be replaced with a utility that converts the native type definition to apiservercel.DeclType once such a utility becomes available. The 'uid' field is omitted since it is not needed for in-process admission review. The 'object' and 'oldObject' fields are omitted since they are exposed as root level CEL variables.

func CreateNamespaceObject added in v0.28.0

func CreateNamespaceObject(namespace *v1.Namespace) *v1.Namespace

CreateNamespaceObject creates a Namespace object that is suitable for the CEL evaluation. If the namespace is nil, CreateNamespaceObject returns nil

Types

type CompilationResult

type CompilationResult struct {
	Program            cel.Program
	Error              *apiservercel.Error
	ExpressionAccessor ExpressionAccessor
	OutputType         *cel.Type
}

CompilationResult represents a compiled validations expression.

type Compiler added in v0.28.0

type Compiler interface {
	CompileCELExpression(expressionAccessor ExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type) CompilationResult
}

Compiler provides a CEL expression compiler configured with the desired admission related CEL variables and environment mode.

func NewCompiler added in v0.28.0

func NewCompiler(env *environment.EnvSet) Compiler

type CompositedCompiler added in v0.28.0

type CompositedCompiler struct {
	Compiler
	ConditionCompiler
	MutatingCompiler

	CompositionEnv *CompositionEnv
}

CompositedCompiler compiles expressions with variable composition.

func NewCompositedCompiler added in v0.28.0

func NewCompositedCompiler(envSet *environment.EnvSet) (*CompositedCompiler, error)

func NewCompositedCompilerFromTemplate added in v0.30.0

func NewCompositedCompilerFromTemplate(context *CompositionEnv) *CompositedCompiler

func (*CompositedCompiler) CompileAndStoreVariable added in v0.28.0

func (*CompositedCompiler) CompileAndStoreVariables added in v0.28.0

func (c *CompositedCompiler) CompileAndStoreVariables(variables []NamedExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type)

func (*CompositedCompiler) CompileCondition added in v0.32.0

func (c *CompositedCompiler) CompileCondition(expressions []ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) ConditionEvaluator

func (*CompositedCompiler) CompileMutatingEvaluator added in v0.32.0

func (c *CompositedCompiler) CompileMutatingEvaluator(expression ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) MutatingEvaluator

CompileEvaluator compiles an mutatingEvaluator for the given expression, options and environment.

type CompositedConditionEvaluator added in v0.32.0

type CompositedConditionEvaluator struct {
	ConditionEvaluator
	// contains filtered or unexported fields
}

CompositedConditionEvaluator provides evaluation of a condition expression with variable composition. The expressions must return a boolean.

func (*CompositedConditionEvaluator) ForInput added in v0.32.0

func (f *CompositedConditionEvaluator) ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, namespace *corev1.Namespace, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error)

type CompositedEvaluator added in v0.32.0

type CompositedEvaluator struct {
	MutatingEvaluator
	// contains filtered or unexported fields
}

CompositedEvaluator provides evaluation of a single expression with variable composition. The types that may returned by the expression is determined at compilation time.

type CompositionContext added in v0.28.0

type CompositionContext interface {
	context.Context
	Variables(activation any) ref.Val
	GetAndResetCost() int64
}

type CompositionEnv added in v0.28.0

type CompositionEnv struct {
	*environment.EnvSet

	MapType           *apiservercel.DeclType
	CompiledVariables map[string]CompilationResult
}

func NewCompositionEnv added in v0.28.0

func NewCompositionEnv(typeName string, baseEnvSet *environment.EnvSet) (*CompositionEnv, error)

func (*CompositionEnv) AddField added in v0.28.0

func (c *CompositionEnv) AddField(name string, celType *cel.Type)

func (*CompositionEnv) CreateContext added in v0.28.0

func (c *CompositionEnv) CreateContext(parent context.Context) CompositionContext

type ConditionCompiler added in v0.32.0

type ConditionCompiler interface {
	// CompileCondition is used for the cel expression compilation
	CompileCondition(expressions []ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) ConditionEvaluator
}

ConditionCompiler contains a function to assist with converting types and values to/from CEL-typed values.

func NewConditionCompiler added in v0.32.0

func NewConditionCompiler(env *environment.EnvSet) ConditionCompiler

type ConditionEvaluator added in v0.32.0

type ConditionEvaluator interface {
	// ForInput converts compiled CEL-typed values into evaluated CEL-typed value.
	// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	// If cost budget is calculated, the condition should return the remaining budget.
	ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, namespace *corev1.Namespace, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error)

	// CompilationErrors returns a list of errors from the compilation of the mutatingEvaluator
	CompilationErrors() []error
}

ConditionEvaluator contains the result of compiling a CEL expression that evaluates to a condition. This is used both for validation and pre-conditions. It expects the inbound object to already have been converted to the version expected by the underlying CEL code (which is indicated by the match criteria of a policy definition). versionedParams may be nil.

func NewCondition added in v0.32.0

func NewCondition(compilationResults []CompilationResult) ConditionEvaluator

type EvaluationResult

type EvaluationResult struct {
	EvalResult         ref.Val
	ExpressionAccessor ExpressionAccessor
	Elapsed            time.Duration
	Error              error
}

EvaluationResult contains the minimal required fields and metadata of a cel evaluation

type ExpressionAccessor

type ExpressionAccessor interface {
	GetExpression() string
	ReturnTypes() []*cel.Type
}

type MutatingCompiler added in v0.32.0

type MutatingCompiler interface {
	// CompileMutatingEvaluator is used for the cel expression compilation
	CompileMutatingEvaluator(expression ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) MutatingEvaluator
}

MutatingCompiler contains a function to assist with converting types and values to/from CEL-typed values.

type MutatingEvaluator added in v0.32.0

type MutatingEvaluator interface {
	// ForInput converts compiled CEL-typed values into a CEL-typed value representing a mutation.
	// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	// If cost budget is calculated, the condition should return the remaining budget.
	ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, namespace *corev1.Namespace, runtimeCELCostBudget int64) (EvaluationResult, int64, error)

	// CompilationErrors returns a list of errors from the compilation of the mutatingEvaluator
	CompilationErrors() []error
}

MutatingEvaluator contains the result of compiling a CEL expression that evaluates to a mutation. It expects the inbound object to already have been converted to the version expected by the underlying CEL code (which is indicated by the match criteria of a policy definition). versionedParams may be nil.

func NewMutatingEvaluator added in v0.32.0

func NewMutatingEvaluator(compilationResult CompilationResult) MutatingEvaluator

type NamedExpressionAccessor added in v0.28.0

type NamedExpressionAccessor interface {
	ExpressionAccessor

	GetName() string // follows the naming convention of ExpressionAccessor
}

NamedExpressionAccessor extends NamedExpressionAccessor with a name.

type OptionalVariableBindings

type OptionalVariableBindings struct {
	// VersionedParams provides the "params" variable binding. This variable binding may
	// be set to nil even when OptionalVariableDeclarations.HashParams is set to true.
	VersionedParams runtime.Object
	// Authorizer provides the authorizer used for the "authorizer" and
	// "authorizer.requestResource" variable bindings. If the expression was compiled with
	// OptionalVariableDeclarations.HasAuthorizer set to true this must be non-nil.
	Authorizer authorizer.Authorizer
}

OptionalVariableBindings provides expression bindings for optional CEL variables.

type OptionalVariableDeclarations

type OptionalVariableDeclarations struct {
	// HasParams specifies if the "params" variable is declared.
	// The "params" variable may still be bound to "null" when declared.
	HasParams bool
	// HasAuthorizer specifies if the "authorizer" and "authorizer.requestResource"
	// variables are declared. When declared, the authorizer variables are
	// expected to be non-null.
	HasAuthorizer bool
	// StrictCost specifies if the CEL cost limitation is strict for extended libraries as well as native libraries.
	StrictCost bool
	// HasPatchTypes specifies if JSONPatch, Object, Object.metadata and similar types are available in CEL. These can be used
	// to initialize the typed objects in CEL required to create patches.
	HasPatchTypes bool
}

OptionalVariableDeclarations declares which optional CEL variables are declared for an expression.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL