Documentation ¶
Overview ¶
Package admission contains PodSecurity admission logic
Index ¶
- type Admission
- func (a *Admission) CompleteConfiguration() error
- func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, ...) *admissionv1.AdmissionResponse
- func (a *Admission) EvaluatePodsInNamespace(ctx context.Context, namespace string, enforce api.LevelVersion) []string
- func (a *Admission) PolicyToEvaluate(labels map[string]string) (api.Policy, field.ErrorList)
- func (a *Admission) Validate(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse
- func (a *Admission) ValidateConfiguration() error
- func (a *Admission) ValidateNamespace(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse
- func (a *Admission) ValidatePod(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse
- func (a *Admission) ValidatePodController(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse
- type DefaultPodSpecExtractor
- type NamespaceGetter
- type PodLister
- type PodSpecExtractor
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Admission ¶
type Admission struct {
	Configuration *admissionapi.PodSecurityConfiguration

	// Getting policy checks per level/version
	Evaluator policy.Evaluator

	// Metrics
	Metrics metrics.Recorder

	// Arbitrary object --> PodSpec
	PodSpecExtractor PodSpecExtractor

	// API connections
	NamespaceGetter NamespaceGetter
	PodLister       PodLister
	// contains filtered or unexported fields
}
Admission implements the core admission logic for the Pod Security Admission controller. The admission logic can be
func (*Admission) CompleteConfiguration ¶
CompleteConfiguration sets up default or derived configuration.
func (*Admission) EvaluatePod ¶
func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, attrs api.Attributes, enforce bool) *admissionv1.AdmissionResponse
EvaluatePod evaluates the given policy against the given pod(-like) object. The enforce policy is only checked if enforce=true. The returned response may be shared between evaluations and must not be mutated.
func (*Admission) EvaluatePodsInNamespace ¶
func (*Admission) PolicyToEvaluate ¶
func (*Admission) Validate ¶
func (a *Admission) Validate(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse
Validate admits an API request. The objects in admission attributes are expected to be external v1 objects that we care about. The returned response may be shared and must not be mutated.
func (*Admission) ValidateConfiguration ¶
ValidateConfiguration ensures all required fields are set with valid values.
func (*Admission) ValidateNamespace ¶
func (a *Admission) ValidateNamespace(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse
ValidateNamespace evaluates a namespace create or update request to ensure the pod security labels are valid, and checks existing pods in the namespace for violations of the new policy when updating the enforce level on a namespace. The returned response may be shared between evaluations and must not be mutated.
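A standalone illustration of the namespace label semantics that PolicyToEvaluate and ValidateNamespace's label validation act on, added here as example code that is not the admission package's own: the label prefix, the three levels and the version format are the well-known PSA ones, assumed rather than taken from this page, and LevelVersion and Policy are local stand-ins for the api types.

```go
package main

import (
	"fmt"
	"regexp"
)

// Well-known PSA namespace label prefix (assumed; this standalone code is not the package's own).
const labelPrefix = "pod-security.kubernetes.io/"

var validLevels = map[string]bool{"privileged": true, "baseline": true, "restricted": true}
var versionRe = regexp.MustCompile(`^v1\.[0-9]+$`) // a version label is "latest" or a minor version like v1.25
// LevelVersion stands in for api.LevelVersion: a level plus the check version to apply.
type LevelVersion struct{ Level, Version string }
// Policy stands in for api.Policy: one LevelVersion per mode.
type Policy struct{ Enforce, Audit, Warn LevelVersion }

// parseMode reads "<prefix><mode>" and "<prefix><mode>-version", keeping def for
// an absent label and reporting, without applying, an invalid one.
func parseMode(labels map[string]string, mode string, def LevelVersion) (LevelVersion, []error) {
	lv, errs := def, []error(nil)
	if level, ok := labels[labelPrefix+mode]; ok && validLevels[level] {
		lv.Level = level
	} else if ok {
		errs = append(errs, fmt.Errorf("%s%s: unknown level %q", labelPrefix, mode, level))
	}
	if v, ok := labels[labelPrefix+mode+"-version"]; ok && (v == "latest" || versionRe.MatchString(v)) {
		lv.Version = v
	} else if ok {
		errs = append(errs, fmt.Errorf("%s%s-version: invalid version %q", labelPrefix, mode, v))
	}
	return lv, errs
}

// PolicyFromLabels resolves namespace labels into the policy to evaluate, falling
// back to defaults mode by mode, and collects every label error for the caller.
func PolicyFromLabels(labels map[string]string, defaults Policy) (Policy, []error) {
	var p Policy
	var errs, e []error
	p.Enforce, e = parseMode(labels, "enforce", defaults.Enforce)
	errs = append(errs, e...)
	p.Audit, e = parseMode(labels, "audit", defaults.Audit)
	errs = append(errs, e...)
	p.Warn, e = parseMode(labels, "warn", defaults.Warn)
	errs = append(errs, e...)
	return p, errs
}

func main() { // constructed sample labels: enforce baseline at v1.25, warn on restricted, audit defaulted
	labels := map[string]string{labelPrefix + "enforce": "baseline", labelPrefix + "enforce-version": "v1.25", labelPrefix + "warn": "restricted"}
	fmt.Println(PolicyFromLabels(labels, Policy{Enforce: LevelVersion{"privileged", "latest"}, Audit: LevelVersion{"privileged", "latest"}, Warn: LevelVersion{"privileged", "latest"}}))
}
```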
func (*Admission) ValidatePod ¶
func (a *Admission) ValidatePod(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse
ValidatePod evaluates a pod create or update request against the effective policy for the namespace. The returned response may be shared between evaluations and must not be mutated.
func (*Admission) ValidatePodController ¶
func (a *Admission) ValidatePodController(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse
ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace. The returned response may be shared between evaluations and must not be mutated.
type DefaultPodSpecExtractor ¶
type DefaultPodSpecExtractor struct{}
func (DefaultPodSpecExtractor) ExtractPodSpec ¶
func (DefaultPodSpecExtractor) ExtractPodSpec(obj runtime.Object) (*metav1.ObjectMeta, *corev1.PodSpec, error)
func (DefaultPodSpecExtractor) HasPodSpec ¶
func (DefaultPodSpecExtractor) HasPodSpec(gr schema.GroupResource) bool
func (DefaultPodSpecExtractor) PodSpecResources ¶
func (DefaultPodSpecExtractor) PodSpecResources() []schema.GroupResource
type NamespaceGetter ¶
type NamespaceGetter interface {
GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error)
}
func NamespaceGetterFromClient ¶
func NamespaceGetterFromClient(client kubernetes.Interface) NamespaceGetter
func NamespaceGetterFromListerAndClient ¶
func NamespaceGetterFromListerAndClient(lister corev1listers.NamespaceLister, client kubernetes.Interface) NamespaceGetter
type PodLister ¶
func PodListerFromClient ¶
func PodListerFromClient(client kubernetes.Interface) PodLister
PodListerFromClient returns a PodLister that does live lists using the provided client.
func PodListerFromInformer ¶
func PodListerFromInformer(lister corev1listers.PodLister) PodLister
PodListerFromInformer returns a PodLister that does cached lists using the provided lister.
type PodSpecExtractor ¶
type PodSpecExtractor interface {
	// HasPodSpec returns true if the given resource type MAY contain an extractable PodSpec.
	HasPodSpec(schema.GroupResource) bool
	// ExtractPodSpec returns a pod spec and metadata to evaluate from the object.
	// An error returned here does not block admission of the pod-spec-containing object and is not returned to the user.
	// If the object has no pod spec, return `nil, nil, nil`.
	ExtractPodSpec(runtime.Object) (*metav1.ObjectMeta, *corev1.PodSpec, error)
}
PodSpecExtractor extracts a PodSpec from pod-controller resources that embed a PodSpec. This interface can be extended to enforce policy on CRDs for custom pod-controllers.
Directories ¶
Path | Synopsis
---|---
api | Package api contains PodSecurity admission configuration file types
v1alpha1 | Package v1alpha1 contains PodSecurity admission configuration file types
v1beta1 | Package v1beta1 contains PodSecurity admission configuration file types