Documentation ¶
Overview ¶
Package admission contains PodSecurity admission logic
Index ¶
- type Admission
- func (a *Admission) CompleteConfiguration() error
- func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, ...) *admissionv1.AdmissionResponse
- func (a *Admission) EvaluatePodsInNamespace(ctx context.Context, namespace string, enforce api.LevelVersion) []string
- func (a *Admission) PolicyToEvaluate(labels map[string]string) (api.Policy, error)
- func (a *Admission) Validate(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse
- func (a *Admission) ValidateConfiguration() error
- func (a *Admission) ValidateNamespace(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse
- func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse
- func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse
- type Attributes
- type AttributesRecord
- func (a *AttributesRecord) GetName() string
- func (a *AttributesRecord) GetNamespace() string
- func (a *AttributesRecord) GetObject() (runtime.Object, error)
- func (a *AttributesRecord) GetOldObject() (runtime.Object, error)
- func (a *AttributesRecord) GetOperation() admissionv1.Operation
- func (a *AttributesRecord) GetResource() schema.GroupVersionResource
- func (a *AttributesRecord) GetSubresource() string
- func (a *AttributesRecord) GetUserName() string
- type DefaultPodSpecExtractor
- type NamespaceGetter
- type PodLister
- type PodSpecExtractor
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Admission ¶
type Admission struct {
    Configuration *admissionapi.PodSecurityConfiguration

    // Getting policy checks per level/version
    Evaluator policy.Evaluator

    // Metrics
    Metrics metrics.EvaluationRecorder

    // Arbitrary object --> PodSpec
    PodSpecExtractor PodSpecExtractor

    // API connections
    NamespaceGetter NamespaceGetter
    PodLister       PodLister
    // contains filtered or unexported fields
}
Admission implements the core admission logic for the Pod Security Admission controller. The admission logic can be
func (*Admission) CompleteConfiguration ¶
CompleteConfiguration() sets up default or derived configuration.
func (*Admission) EvaluatePod ¶
func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, enforce bool) *admissionv1.AdmissionResponse
EvaluatePod evaluates the given policy against the given pod(-like) object. The enforce policy is only checked if enforce=true. The returned response may be shared between evaluations and must not be mutated.
func (*Admission) EvaluatePodsInNamespace ¶
func (*Admission) PolicyToEvaluate ¶
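As an added illustration, not the package's own code, of what a `PolicyToEvaluate(labels)` implementation has to do: it parses the Pod Security Standards namespace labels into a policy, rejecting malformed values rather than silently falling back to the default. The `pod-security.kubernetes.io/*` label keys are the real Kubernetes names; `LevelVersion` and `Policy` are local stand-ins for `api.LevelVersion` and `api.Policy`, and the privileged/latest default and the simplified version check are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Local stand-ins for the shape of api.LevelVersion and api.Policy (not the real types).
type LevelVersion struct{ Level, Version string }
type Policy struct{ Enforce, Audit, Warn LevelVersion }
// Pod Security Standards namespace label prefix; the modes are enforce, audit and warn.
const labelPrefix = "pod-security.kubernetes.io/"
var validLevels = map[string]bool{"privileged": true, "baseline": true, "restricted": true}

// parseMode applies <prefix><mode> and <prefix><mode>-version to lv. A missing label keeps the
// default; a malformed one is an error, so a typo like "restriced" cannot silently weaken policy.
func parseMode(labels map[string]string, mode string, lv *LevelVersion) error {
	if level, ok := labels[labelPrefix+mode]; ok {
		if !validLevels[level] {
			return fmt.Errorf("%s%s: unknown level %q", labelPrefix, mode, level)
		}
		lv.Level = level
	}
	if v, ok := labels[labelPrefix+mode+"-version"]; ok {
		if v != "latest" && !strings.HasPrefix(v, "v1.") { // simplified: valid values are latest or v1.<minor>
			return fmt.Errorf("%s%s-version: invalid version %q", labelPrefix, mode, v)
		}
		lv.Version = v
	}
	return nil
}

// PolicyToEvaluate resolves all three modes (unset modes default to privileged/latest here)
// and reports every bad label together instead of stopping at the first one.
func PolicyToEvaluate(labels map[string]string) (Policy, error) {
	def := LevelVersion{Level: "privileged", Version: "latest"}
	p := Policy{Enforce: def, Audit: def, Warn: def}
	var errs []string
	for mode, dst := range map[string]*LevelVersion{"enforce": &p.Enforce, "audit": &p.Audit, "warn": &p.Warn} {
		if err := parseMode(labels, mode, dst); err != nil {
			errs = append(errs, err.Error())
		}
	}
	if len(errs) > 0 {
		sort.Strings(errs) // map iteration order is random; keep the message deterministic
		return p, errors.New(strings.Join(errs, "; "))
	}
	return p, nil
}
```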
func (*Admission) Validate ¶
func (a *Admission) Validate(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse
Validate admits an API request. The objects in admission attributes are expected to be external v1 objects that we care about. The returned response may be shared and must not be mutated.
func (*Admission) ValidateConfiguration ¶
ValidateConfiguration() ensures all required fields are set with valid values.
func (*Admission) ValidateNamespace ¶
func (a *Admission) ValidateNamespace(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse
ValidateNamespace evaluates a namespace create or update request to ensure the pod security labels are valid, and checks existing pods in the namespace for violations of the new policy when updating the enforce level on a namespace. The returned response may be shared between evaluations and must not be mutated.
func (*Admission) ValidatePod ¶
func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse
ValidatePod evaluates a pod create or update request against the effective policy for the namespace. The returned response may be shared between evaluations and must not be mutated.
func (*Admission) ValidatePodController ¶
func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes) *admissionv1.AdmissionResponse
ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace. The returned response may be shared between evaluations and must not be mutated.
type Attributes ¶
type Attributes interface {
    // GetName is the name of the object associated with the request.
    GetName() string
    // GetNamespace is the namespace associated with the request (if any)
    GetNamespace() string
    // GetResource is the name of the resource being requested. This is not the kind. For example: pods
    GetResource() schema.GroupVersionResource
    // GetSubresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.
    // For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
    // (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
    GetSubresource() string
    // GetOperation is the operation being performed
    GetOperation() admissionv1.Operation
    // GetObject returns the typed Object from incoming request.
    // For objects in the core API group, the result must use the v1 API.
    GetObject() (runtime.Object, error)
    // GetOldObject returns the typed existing object. Only populated for UPDATE requests.
    // For objects in the core API group, the result must use the v1 API.
    GetOldObject() (runtime.Object, error)
    // GetUserName is the requesting user's authenticated name.
    GetUserName() string
}
Attributes exposes the admission request parameters consumed by the PodSecurity admission controller.
func RequestAttributes ¶
func RequestAttributes(request *admissionv1.AdmissionRequest, decoder runtime.Decoder) Attributes
RequestAttributes adapts an admission.Request to the Attributes interface.
type AttributesRecord ¶
type AttributesRecord struct {
    Name        string
    Namespace   string
    Resource    schema.GroupVersionResource
    Subresource string
    Operation   admissionv1.Operation
    Object      runtime.Object
    OldObject   runtime.Object
    Username    string
}
AttributesRecord is a simple struct implementing the Attributes interface.
func (*AttributesRecord) GetName ¶
func (a *AttributesRecord) GetName() string
func (*AttributesRecord) GetNamespace ¶
func (a *AttributesRecord) GetNamespace() string
func (*AttributesRecord) GetOldObject ¶
func (a *AttributesRecord) GetOldObject() (runtime.Object, error)
func (*AttributesRecord) GetOperation ¶
func (a *AttributesRecord) GetOperation() admissionv1.Operation
func (*AttributesRecord) GetResource ¶
func (a *AttributesRecord) GetResource() schema.GroupVersionResource
func (*AttributesRecord) GetSubresource ¶
func (a *AttributesRecord) GetSubresource() string
func (*AttributesRecord) GetUserName ¶
func (a *AttributesRecord) GetUserName() string
type DefaultPodSpecExtractor ¶
type DefaultPodSpecExtractor struct{}
func (DefaultPodSpecExtractor) ExtractPodSpec ¶
func (DefaultPodSpecExtractor) ExtractPodSpec(obj runtime.Object) (*metav1.ObjectMeta, *corev1.PodSpec, error)
func (DefaultPodSpecExtractor) HasPodSpec ¶
func (DefaultPodSpecExtractor) HasPodSpec(gr schema.GroupResource) bool
func (DefaultPodSpecExtractor) PodSpecResources ¶
func (DefaultPodSpecExtractor) PodSpecResources() []schema.GroupResource
type NamespaceGetter ¶
type NamespaceGetter interface {
    GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error)
}
func NamespaceGetterFromClient ¶
func NamespaceGetterFromClient(client kubernetes.Interface) NamespaceGetter
func NamespaceGetterFromListerAndClient ¶
func NamespaceGetterFromListerAndClient(lister corev1listers.NamespaceLister, client kubernetes.Interface) NamespaceGetter
type PodLister ¶
func PodListerFromClient ¶
func PodListerFromClient(client kubernetes.Interface) PodLister
PodListerFromClient returns a PodLister that does live lists using the provided client.
func PodListerFromInformer ¶
func PodListerFromInformer(lister corev1listers.PodLister) PodLister
PodListerFromInformer returns a PodLister that does cached lists using the provided lister.
type PodSpecExtractor ¶
type PodSpecExtractor interface {
    // HasPodSpec returns true if the given resource type MAY contain an extractable PodSpec.
    HasPodSpec(schema.GroupResource) bool
    // ExtractPodSpec returns a pod spec and metadata to evaluate from the object.
    // An error returned here does not block admission of the pod-spec-containing object and is not returned to the user.
    // If the object has no pod spec, return `nil, nil, nil`.
    ExtractPodSpec(runtime.Object) (*metav1.ObjectMeta, *corev1.PodSpec, error)
}
PodSpecExtractor extracts a PodSpec from pod-controller resources that embed a PodSpec. This interface can be extended to enforce policy on CRDs for custom pod-controllers.
Directories ¶
Path | Synopsis
---|---
api | Package api contains PodSecurity admission configuration file types
api/v1alpha1 | Package v1alpha1 contains PodSecurity admission configuration file types