Documentation ¶
Overview ¶
Package v1alpha1 mirrors the same types of the Kubernetes admissionregistration.x-k8s.io v1alpha1, with markers that aids the generation of CRDs.
+k8s:deepcopy-gen=package +k8s:protobuf-gen=package +k8s:openapi-gen=true +k8s:defaulter-gen=TypeMeta +groupName=admissionregistration.x-k8s.io
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type AuditAnnotation
- type ExpressionWarning
- type FailurePolicyType
- type MatchCondition
- type MatchPolicyType
- type MatchResources
- type NamedRuleWithOperations
- type OperationType
- type ParamKind
- type ParamRef
- type Rule
- type RuleWithOperations
- type ScopeType
- type TypeChecking
- type ValidatingAdmissionPolicy
- type ValidatingAdmissionPolicyBinding
- type ValidatingAdmissionPolicyBindingList
- type ValidatingAdmissionPolicyBindingSpec
- type ValidatingAdmissionPolicyList
- type ValidatingAdmissionPolicySpec
- type ValidatingAdmissionPolicyStatus
- type Validation
- type ValidationAction
Constants ¶
const GroupName = "admissionregistration.x-k8s.io"
GroupName specifies the group name used to register the objects.
Variables ¶
var ( // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. SchemeBuilder runtime.SchemeBuilder // Depreciated: use Install instead AddToScheme = localSchemeBuilder.AddToScheme Install = localSchemeBuilder.AddToScheme )
var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1alpha1"}
GroupVersion specifies the group and the version used to register the objects.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
SchemeGroupVersion is group version used to register these objects Deprecated: use GroupVersion instead.
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type AuditAnnotation ¶
type AuditAnnotation struct { // key specifies the audit annotation key. The audit annotation keys of // a ValidatingAdmissionPolicy must be unique. The key must be a qualified // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. // // The key is combined with the resource name of the // ValidatingAdmissionPolicy to construct an audit annotation key: // "{ValidatingAdmissionPolicy name}/{key}". // // If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy // and the same audit annotation key, the annotation key will be identical. // In this case, the first annotation written with the key will be included // in the audit event and all subsequent annotations with the same key // will be discarded. // // Required. // +kubebuilder:validation:Required Key string `json:"key" protobuf:"bytes,1,opt,name=key"` // valueExpression represents the expression which is evaluated by CEL to // produce an audit annotation value. The expression must evaluate to either // a string or null value. If the expression evaluates to a string, the // audit annotation is included with the string value. If the expression // evaluates to null or empty string the audit annotation will be omitted. // The valueExpression may be no longer than 5kb in length. // If the result of the valueExpression is more than 10kb in length, it // will be truncated to 10kb. // // If multiple ValidatingAdmissionPolicyBinding resources match an // API request, then the valueExpression will be evaluated for // each binding. All unique values produced by the valueExpressions // will be joined together in a comma-separated list. // // Required. // +kubebuilder:validation:Required ValueExpression string `json:"valueExpression" protobuf:"bytes,2,opt,name=valueExpression"` }
AuditAnnotation describes how to produce an audit annotation for an API request.
func (*AuditAnnotation) DeepCopy ¶
func (in *AuditAnnotation) DeepCopy() *AuditAnnotation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditAnnotation.
func (*AuditAnnotation) DeepCopyInto ¶
func (in *AuditAnnotation) DeepCopyInto(out *AuditAnnotation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ExpressionWarning ¶
type ExpressionWarning struct { // The path to the field that refers the expression. // For example, the reference to the expression of the first item of // validations is "spec.validations[0].expression" FieldRef string `json:"fieldRef" protobuf:"bytes,2,opt,name=fieldRef"` // The content of type checking information in a human-readable form. // Each line of the warning contains the type that the expression is checked // against, followed by the type check error from the compiler. Warning string `json:"warning" protobuf:"bytes,3,opt,name=warning"` }
ExpressionWarning is a warning information that targets a specific expression.
func (*ExpressionWarning) DeepCopy ¶
func (in *ExpressionWarning) DeepCopy() *ExpressionWarning
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExpressionWarning.
func (*ExpressionWarning) DeepCopyInto ¶
func (in *ExpressionWarning) DeepCopyInto(out *ExpressionWarning)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FailurePolicyType ¶
type FailurePolicyType string
FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. +enum
const ( // Ignore means that an error calling the webhook is ignored. Ignore FailurePolicyType = "Ignore" // Fail means that an error calling the webhook causes the admission to fail. Fail FailurePolicyType = "Fail" )
type MatchCondition ¶
type MatchCondition v1.MatchCondition
func (*MatchCondition) DeepCopy ¶
func (in *MatchCondition) DeepCopy() *MatchCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchCondition.
func (*MatchCondition) DeepCopyInto ¶
func (in *MatchCondition) DeepCopyInto(out *MatchCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MatchPolicyType ¶
type MatchPolicyType string
MatchPolicyType specifies the type of match policy. +enum
const ( // Exact means requests should only be sent to the webhook if they exactly match a given rule. Exact MatchPolicyType = "Exact" // Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version. Equivalent MatchPolicyType = "Equivalent" )
type MatchResources ¶
type MatchResources struct { // NamespaceSelector decides whether to run the admission control policy on an object based // on whether the namespace for that object matches the selector. If the // object itself is a namespace, the matching is performed on // object.metadata.labels. If the object is another cluster scoped resource, // it never skips the policy. // // For example, to run the webhook on any objects whose namespace is not // associated with "runlevel" of "0" or "1"; you will set the selector as // follows: // "namespaceSelector": { // "matchExpressions": [ // { // "key": "runlevel", // "operator": "NotIn", // "values": [ // "0", // "1" // ] // } // ] // } // // If instead you want to only run the policy on any objects whose // namespace is associated with the "environment" of "prod" or "staging"; // you will set the selector as follows: // "namespaceSelector": { // "matchExpressions": [ // { // "key": "environment", // "operator": "In", // "values": [ // "prod", // "staging" // ] // } // ] // } // // See // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ // for more examples of label selectors. // // Default to the empty LabelSelector, which matches everything. // +optional // +kubebuilder:default={} NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,1,opt,name=namespaceSelector"` // ObjectSelector decides whether to run the validation based on if the // object has matching labels. objectSelector is evaluated against both // the oldObject and newObject that would be sent to the cel validation, and // is considered to match if either object matches the selector. A null // object (oldObject in the case of create, or newObject in the case of // delete) or an object that cannot have labels (like a // DeploymentRollback or a PodProxyOptions object) is not considered to // match. // Use the object selector only if the webhook is opt-in, because end // users may skip the admission webhook by setting the labels. // Default to the empty LabelSelector, which matches everything. // +optional // +kubebuilder:default={} ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,2,opt,name=objectSelector"` // ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. // The policy cares about an operation if it matches _any_ Rule. // +listType=atomic // +optional ResourceRules []NamedRuleWithOperations `json:"resourceRules,omitempty" protobuf:"bytes,3,rep,name=resourceRules"` // ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. // The exclude rules take precedence over include rules (if a resource matches both, it is excluded) // +listType=atomic // +optional ExcludeResourceRules []NamedRuleWithOperations `json:"excludeResourceRules,omitempty" protobuf:"bytes,4,rep,name=excludeResourceRules"` // matchPolicy defines how the "MatchResources" list is used to match incoming requests. // Allowed values are "Exact" or "Equivalent". // // - Exact: match a request only if it exactly matches a specified rule. // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. // // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. // // Defaults to "Equivalent" // +optional // +kubebuilder:default=Equivalent MatchPolicy *MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,7,opt,name=matchPolicy,casttype=MatchPolicyType"` }
MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded) +structType=atomic
func (*MatchResources) DeepCopy ¶
func (in *MatchResources) DeepCopy() *MatchResources
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.
func (*MatchResources) DeepCopyInto ¶
func (in *MatchResources) DeepCopyInto(out *MatchResources)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NamedRuleWithOperations ¶
type NamedRuleWithOperations struct { // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. // +listType=atomic // +optional ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,1,rep,name=resourceNames"` // RuleWithOperations is a tuple of Operations and Resources. RuleWithOperations `json:",inline" protobuf:"bytes,2,opt,name=ruleWithOperations"` }
NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames. +structType=atomic
func (*NamedRuleWithOperations) DeepCopy ¶
func (in *NamedRuleWithOperations) DeepCopy() *NamedRuleWithOperations
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedRuleWithOperations.
func (*NamedRuleWithOperations) DeepCopyInto ¶
func (in *NamedRuleWithOperations) DeepCopyInto(out *NamedRuleWithOperations)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OperationType ¶
type OperationType = v1.OperationType
OperationType specifies an operation for a request. +enum
const ( OperationAll OperationType = v1.OperationAll Create OperationType = v1.Create Update OperationType = v1.Update Delete OperationType = v1.Delete Connect OperationType = v1.Connect )
The constants should be kept in sync with those defined in k8s.io/kubernetes/pkg/admission/interface.go.
type ParamKind ¶
type ParamKind struct { // APIVersion is the API group version the resources belong to. // In format of "group/version". // Required. // +kubebuilder:validation:Required APIVersion string `json:"apiVersion" protobuf:"bytes,1,rep,name=apiVersion"` // Kind is the API kind the resources belong to. // Required. // +kubebuilder:validation:Required Kind string `json:"kind" protobuf:"bytes,2,rep,name=kind"` }
ParamKind is a tuple of Group Kind and Version. +structType=atomic
func (*ParamKind) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParamKind.
func (*ParamKind) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ParamRef ¶
type ParamRef struct { // Name of the resource being referenced. Name string `json:"name,omitempty" protobuf:"bytes,1,rep,name=name"` // Namespace of the referenced resource. // Should be empty for the cluster-scoped resources // +optional Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,rep,name=namespace"` }
ParamRef references a parameter resource +structType=atomic
func (*ParamRef) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParamRef.
func (*ParamRef) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Rule ¶
Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended to make sure that all the tuple expansions are valid.
type RuleWithOperations ¶
type RuleWithOperations = v1.RuleWithOperations
RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.
type ScopeType ¶
ScopeType specifies a scope for a Rule. +enum
const ( // ClusterScope means that scope is limited to cluster-scoped objects. // Namespace objects are cluster-scoped. ClusterScope ScopeType = v1.ClusterScope // NamespacedScope means that scope is limited to namespaced objects. NamespacedScope ScopeType = v1.NamespacedScope // AllScopes means that all scopes are included. AllScopes ScopeType = v1.AllScopes )
type TypeChecking ¶
type TypeChecking struct { // The type checking warnings for each expression. // +optional // +listType=atomic ExpressionWarnings []ExpressionWarning `json:"expressionWarnings,omitempty" protobuf:"bytes,1,rep,name=expressionWarnings"` }
TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy
func (*TypeChecking) DeepCopy ¶
func (in *TypeChecking) DeepCopy() *TypeChecking
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TypeChecking.
func (*TypeChecking) DeepCopyInto ¶
func (in *TypeChecking) DeepCopyInto(out *TypeChecking)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidatingAdmissionPolicy ¶
type ValidatingAdmissionPolicy struct { metav1.TypeMeta `json:",inline"` // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. // +optional metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Specification of the desired behavior of the ValidatingAdmissionPolicy. Spec ValidatingAdmissionPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` // The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy // behaves in the expected way. // Populated by the system. // Read-only. // +optional Status ValidatingAdmissionPolicyStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` }
ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it. +genclient +genclient:nonNamespaced +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +k8s:prerelease-lifecycle-gen:introduced=1.26 +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster
func (*ValidatingAdmissionPolicy) DeepCopy ¶
func (in *ValidatingAdmissionPolicy) DeepCopy() *ValidatingAdmissionPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicy.
func (*ValidatingAdmissionPolicy) DeepCopyInto ¶
func (in *ValidatingAdmissionPolicy) DeepCopyInto(out *ValidatingAdmissionPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingAdmissionPolicy) DeepCopyObject ¶
func (in *ValidatingAdmissionPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingAdmissionPolicyBinding ¶
type ValidatingAdmissionPolicyBinding struct { metav1.TypeMeta `json:",inline"` // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. // +optional metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Specification of the desired behavior of the ValidatingAdmissionPolicyBinding. Spec ValidatingAdmissionPolicyBindingSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` }
ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters. +genclient +genclient:nonNamespaced +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +k8s:prerelease-lifecycle-gen:introduced=1.26 +kubebuilder:object:root=true +kubebuilder:resource:scope=Cluster
func (*ValidatingAdmissionPolicyBinding) DeepCopy ¶
func (in *ValidatingAdmissionPolicyBinding) DeepCopy() *ValidatingAdmissionPolicyBinding
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyBinding.
func (*ValidatingAdmissionPolicyBinding) DeepCopyInto ¶
func (in *ValidatingAdmissionPolicyBinding) DeepCopyInto(out *ValidatingAdmissionPolicyBinding)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingAdmissionPolicyBinding) DeepCopyObject ¶
func (in *ValidatingAdmissionPolicyBinding) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingAdmissionPolicyBindingList ¶
type ValidatingAdmissionPolicyBindingList struct { metav1.TypeMeta `json:",inline"` // Standard list metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds // +optional metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // List of PolicyBinding. Items []ValidatingAdmissionPolicyBinding `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"` }
ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +k8s:prerelease-lifecycle-gen:introduced=1.26
func (*ValidatingAdmissionPolicyBindingList) DeepCopy ¶
func (in *ValidatingAdmissionPolicyBindingList) DeepCopy() *ValidatingAdmissionPolicyBindingList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyBindingList.
func (*ValidatingAdmissionPolicyBindingList) DeepCopyInto ¶
func (in *ValidatingAdmissionPolicyBindingList) DeepCopyInto(out *ValidatingAdmissionPolicyBindingList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingAdmissionPolicyBindingList) DeepCopyObject ¶
func (in *ValidatingAdmissionPolicyBindingList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingAdmissionPolicyBindingSpec ¶
type ValidatingAdmissionPolicyBindingSpec struct { // PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. // If the referenced resource does not exist, this binding is considered invalid and will be ignored // Required. // +kubebuilder:validation:Required PolicyName string `json:"policyName" protobuf:"bytes,1,rep,name=policyName"` // ParamRef specifies the parameter resource used to configure the admission control policy. // It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. // If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. // +optional ParamRef *ParamRef `json:"paramRef,omitempty" protobuf:"bytes,2,rep,name=paramRef"` // MatchResources declares what resources match this binding and will be validated by it. // Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. // If this is unset, all resources matched by the policy are validated by this binding // When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. // Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required. // +optional MatchResources *MatchResources `json:"matchResources,omitempty" protobuf:"bytes,3,rep,name=matchResources"` // validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. // If a validation evaluates to false it is always enforced according to these actions. // // Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according // to these actions only if the FailurePolicy is set to Fail, otherwise the failures are // ignored. This includes compilation errors, runtime errors and misconfigurations of the policy. // // validationActions is declared as a set of action values. Order does // not matter. validationActions may not contain duplicates of the same action. // // The supported actions values are: // // "Deny" specifies that a validation failure results in a denied request. // // "Warn" specifies that a validation failure is reported to the request client // in HTTP Warning headers, with a warning code of 299. Warnings can be sent // both for allowed or denied admission responses. // // "Audit" specifies that a validation failure is included in the published // audit event for the request. The audit event will contain a // `validation.policy.admission.k8s.io/validation_failure` audit annotation // with a value containing the details of the validation failures, formatted as // a JSON list of objects, each with the following fields: // - message: The validation failure message string // - policy: The resource name of the ValidatingAdmissionPolicy // - binding: The resource name of the ValidatingAdmissionPolicyBinding // - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy // - validationActions: The enforcement actions enacted for the validation failure // Example audit annotation: // `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"` // // Clients should expect to handle additional values by ignoring // any values not recognized. // // "Deny" and "Warn" may not be used together since this combination // needlessly duplicates the validation failure both in the // API response body and the HTTP warning headers. // // Required. // +kubebuilder:validation:Required // +listType=set ValidationActions []ValidationAction `json:"validationActions,omitempty" protobuf:"bytes,4,rep,name=validationActions"` }
ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
func (*ValidatingAdmissionPolicyBindingSpec) DeepCopy ¶
func (in *ValidatingAdmissionPolicyBindingSpec) DeepCopy() *ValidatingAdmissionPolicyBindingSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyBindingSpec.
func (*ValidatingAdmissionPolicyBindingSpec) DeepCopyInto ¶
func (in *ValidatingAdmissionPolicyBindingSpec) DeepCopyInto(out *ValidatingAdmissionPolicyBindingSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidatingAdmissionPolicyList ¶
type ValidatingAdmissionPolicyList struct { metav1.TypeMeta `json:",inline"` // Standard list metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds // +optional metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // List of ValidatingAdmissionPolicy. Items []ValidatingAdmissionPolicy `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"` }
ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.
func (*ValidatingAdmissionPolicyList) DeepCopy ¶
func (in *ValidatingAdmissionPolicyList) DeepCopy() *ValidatingAdmissionPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyList.
func (*ValidatingAdmissionPolicyList) DeepCopyInto ¶
func (in *ValidatingAdmissionPolicyList) DeepCopyInto(out *ValidatingAdmissionPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingAdmissionPolicyList) DeepCopyObject ¶
func (in *ValidatingAdmissionPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingAdmissionPolicySpec ¶
type ValidatingAdmissionPolicySpec struct { // ParamKind specifies the kind of resources used to parameterize this policy. // If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. // If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. // If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. // +optional ParamKind *ParamKind `json:"paramKind,omitempty" protobuf:"bytes,1,rep,name=paramKind"` // MatchConstraints specifies what resources this policy is designed to validate. // The AdmissionPolicy cares about a request if it matches _all_ Constraints. // However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API // ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. // Required. // +kubebuilder:validation:Required MatchConstraints *MatchResources `json:"matchConstraints" protobuf:"bytes,2,rep,name=matchConstraints"` // Validations contain CEL expressions which is used to apply the validation. // Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is // required. // +listType=atomic // +optional Validations []Validation `json:"validations,omitempty" protobuf:"bytes,3,rep,name=validations"` // failurePolicy defines how to handle failures for the admission policy. Failures can // occur from CEL expression parse errors, type check errors, runtime errors and invalid // or mis-configured policy definitions or bindings. // // A policy is invalid if spec.paramKind refers to a non-existent Kind. // A binding is invalid if spec.paramRef.name refers to a non-existent resource. // // failurePolicy does not define how validations that evaluate to false are handled. // // When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions // define how failures are enforced. // // Allowed values are Ignore or Fail. Defaults to Fail. // +optional // +kubebuilder:default=Fail FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"` // auditAnnotations contains CEL expressions which are used to produce audit // annotations for the audit event of the API request. // validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is // required. // +listType=atomic // +optional AuditAnnotations []AuditAnnotation `json:"auditAnnotations,omitempty" protobuf:"bytes,5,rep,name=auditAnnotations"` // MatchConditions is a list of conditions that must be met for a request to be validated. // Match conditions filter requests that have already been matched by the rules, // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. // There are a maximum of 64 match conditions allowed. // // If a parameter object is provided, it can be accessed via the `params` handle in the same // manner as validation expressions. // // The exact matching logic is (in order): // 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. // 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. // 3. If any matchCondition evaluates to an error (but none are FALSE): // - If failurePolicy=Fail, reject the request // - If failurePolicy=Ignore, the policy is skipped // // +patchMergeKey=name // +patchStrategy=merge // +listType=map // +listMapKey=name // +optional MatchConditions []MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,6,rep,name=matchConditions"` }
ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
func (*ValidatingAdmissionPolicySpec) DeepCopy ¶
func (in *ValidatingAdmissionPolicySpec) DeepCopy() *ValidatingAdmissionPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicySpec.
func (*ValidatingAdmissionPolicySpec) DeepCopyInto ¶
func (in *ValidatingAdmissionPolicySpec) DeepCopyInto(out *ValidatingAdmissionPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidatingAdmissionPolicyStatus ¶
type ValidatingAdmissionPolicyStatus struct { // The generation observed by the controller. // +optional ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"` // The results of type checking for each expression. // Presence of this field indicates the completion of the type checking. // +optional TypeChecking *TypeChecking `json:"typeChecking,omitempty" protobuf:"bytes,2,opt,name=typeChecking"` // The conditions represent the latest available observations of a policy's current state. // +optional // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty" protobuf:"bytes,3,rep,name=conditions"` }
ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.
func (*ValidatingAdmissionPolicyStatus) DeepCopy ¶
func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyStatus.
func (*ValidatingAdmissionPolicyStatus) DeepCopyInto ¶
func (in *ValidatingAdmissionPolicyStatus) DeepCopyInto(out *ValidatingAdmissionPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Validation ¶
type Validation struct { // Expression represents the expression which will be evaluated by CEL. // ref: https://github.com/google/cel-spec // CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables: // // - 'object' - The object from the incoming request. The value is null for DELETE requests. // - 'oldObject' - The existing object. The value is null for CREATE requests. // - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). // - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. // - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz // - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the // request resource. // // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the // object. No other metadata properties are accessible. // // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. // Accessible property names are escaped according to the following rules when accessed in the expression: // - '__' escapes to '__underscores__' // - '.' escapes to '__dot__' // - '-' escapes to '__dash__' // - '/' escapes to '__slash__' // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", // "import", "let", "loop", "package", "namespace", "return". // Examples: // - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"} // - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"} // - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"} // // Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and // non-intersecting elements in `Y` are appended, retaining their partial order. // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with // non-intersecting keys are appended, retaining their partial order. // Required. // +kubebuilder:validation:Required Expression string `json:"expression" protobuf:"bytes,1,opt,name=Expression"` // Message represents the message displayed when validation fails. The message is required if the Expression contains // line breaks. The message must not contain line breaks. // If unset, the message is "failed rule: {Rule}". // e.g. "must be a URL with the host matching spec.host" // If the Expression contains line breaks. Message is required. // The message must not contain line breaks. // If unset, the message is "failed Expression: {Expression}". // +optional Message string `json:"message,omitempty" protobuf:"bytes,2,opt,name=message"` // Reason represents a machine-readable description of why this validation failed. // If this is the first validation in the list to fail, this reason, as well as the // corresponding HTTP response code, are used in the // HTTP response to the client. // The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". // If not set, StatusReasonInvalid is used in the response to the client. // +optional Reason *metav1.StatusReason `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"` // messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. // Since messageExpression is used as a failure message, it must evaluate to a string. // If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. // If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. // messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. // Example: // "object.x must be less than max ("+string(params.max)+")" // +optional MessageExpression string `json:"messageExpression,omitempty" protobuf:"bytes,4,opt,name=messageExpression"` }
Validation specifies the CEL expression which is used to apply the validation.
func (*Validation) DeepCopy ¶
func (in *Validation) DeepCopy() *Validation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation.
func (*Validation) DeepCopyInto ¶
func (in *Validation) DeepCopyInto(out *Validation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidationAction ¶
type ValidationAction string
ValidationAction specifies a policy enforcement action. +enum
const ( // Deny specifies that a validation failure results in a denied request. Deny ValidationAction = "Deny" // Warn specifies that a validation failure is reported to the request client // in HTTP Warning headers, with a warning code of 299. Warnings can be sent // both for allowed or denied admission responses. Warn ValidationAction = "Warn" // Audit specifies that a validation failure is included in the published // audit event for the request. The audit event will contain a // `validation.policy.admission.k8s.io/validation_failure` audit annotation // with a value containing the details of the validation failure. Audit ValidationAction = "Audit" )