Package admission (k8s.io/pod-security-admission/admission) v0.24.15

This package is not in the latest version of its module.

Published: Jun 14, 2023 License: Apache-2.0 Imports: 24 Imported by: 5

Overview

Package admission contains PodSecurity admission logic

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Admission

type Admission struct {
	Configuration *admissionapi.PodSecurityConfiguration

	// Getting policy checks per level/version
	Evaluator policy.Evaluator

	// Metrics
	Metrics metrics.Recorder

	// Arbitrary object --> PodSpec
	PodSpecExtractor PodSpecExtractor

	// API connections
	NamespaceGetter NamespaceGetter
	PodLister       PodLister
	// contains filtered or unexported fields
}

Admission implements the core admission logic for the Pod Security Admission controller. The admission logic can be

func (*Admission) CompleteConfiguration

func (a *Admission) CompleteConfiguration() error

CompleteConfiguration sets up default or derived configuration.

func (*Admission) EvaluatePod

func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, attrs api.Attributes, enforce bool) *admissionv1.AdmissionResponse

EvaluatePod evaluates the given policy against the given pod(-like) object. The enforce policy is only checked if enforce=true. The returned response may be shared between evaluations and must not be mutated.

func (*Admission) EvaluatePodsInNamespace

func (a *Admission) EvaluatePodsInNamespace(ctx context.Context, namespace string, enforce api.LevelVersion) []string

func (*Admission) PolicyToEvaluate

func (a *Admission) PolicyToEvaluate(labels map[string]string) (api.Policy, field.ErrorList)

func (*Admission) Validate

Validate admits an API request. The objects in admission attributes are expected to be external v1 objects that we care about. The returned response may be shared and must not be mutated.

func (*Admission) ValidateConfiguration

func (a *Admission) ValidateConfiguration() error

ValidateConfiguration ensures all required fields are set with valid values.

func (*Admission) ValidateNamespace

func (a *Admission) ValidateNamespace(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse

ValidateNamespace evaluates a namespace create or update request to ensure the pod security labels are valid, and checks existing pods in the namespace for violations of the new policy when updating the enforce level on a namespace. The returned response may be shared between evaluations and must not be mutated.

func (*Admission) ValidatePod

func (a *Admission) ValidatePod(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse

ValidatePod evaluates a pod create or update request against the effective policy for the namespace. The returned response may be shared between evaluations and must not be mutated.

func (*Admission) ValidatePodController

func (a *Admission) ValidatePodController(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse

ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace. The returned response may be shared between evaluations and must not be mutated.

type DefaultPodSpecExtractor

type DefaultPodSpecExtractor struct{}

func (DefaultPodSpecExtractor) ExtractPodSpec

func (DefaultPodSpecExtractor) HasPodSpec

func (DefaultPodSpecExtractor) PodSpecResources

func (DefaultPodSpecExtractor) PodSpecResources() []schema.GroupResource

type NamespaceGetter

type NamespaceGetter interface {
	GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error)
}

func NamespaceGetterFromClient

func NamespaceGetterFromClient(client kubernetes.Interface) NamespaceGetter

func NamespaceGetterFromListerAndClient

func NamespaceGetterFromListerAndClient(lister corev1listers.NamespaceLister, client kubernetes.Interface) NamespaceGetter

type PodLister

type PodLister interface {
	ListPods(ctx context.Context, namespace string) ([]*corev1.Pod, error)
}

func PodListerFromClient

func PodListerFromClient(client kubernetes.Interface) PodLister

PodListerFromClient returns a PodLister that does live lists using the provided client.

func PodListerFromInformer

func PodListerFromInformer(lister corev1listers.PodLister) PodLister

PodListerFromInformer returns a PodLister that does cached lists using the provided lister.

type PodSpecExtractor

type PodSpecExtractor interface {
	// HasPodSpec returns true if the given resource type MAY contain an extractable PodSpec.
	HasPodSpec(schema.GroupResource) bool
	// ExtractPodSpec returns a pod spec and metadata to evaluate from the object.
	// An error returned here does not block admission of the pod-spec-containing object and is not returned to the user.
	// If the object has no pod spec, return `nil, nil, nil`.
	ExtractPodSpec(runtime.Object) (*metav1.ObjectMeta, *corev1.PodSpec, error)
}

PodSpecExtractor extracts a PodSpec from pod-controller resources that embed a PodSpec. This interface can be extended to enforce policy on CRDs for custom pod-controllers.

Directories

Path          Synopsis
api           Package api contains PodSecurity admission configuration file types
  v1alpha1    Package v1alpha1 contains PodSecurity admission configuration file types
  v1beta1     Package v1beta1 contains PodSecurity admission configuration file types
