api

package
v0.31.2
Published: Oct 23, 2024 License: Apache-2.0 Imports: 10 Imported by: 102

Documentation

Overview

Package api contains constants and helpers for PodSecurity admission label keys and values.

Index

Constants

const (
	EnforceLevelLabel   = labelPrefix + "enforce"
	EnforceVersionLabel = labelPrefix + "enforce-version"
	AuditLevelLabel     = labelPrefix + "audit"
	AuditVersionLabel   = labelPrefix + "audit-version"
	WarnLevelLabel      = labelPrefix + "warn"
	WarnVersionLabel    = labelPrefix + "warn-version"

	ExemptionReasonAnnotationKey = "exempt"
	AuditViolationsAnnotationKey = "audit-violations"
	EnforcedPolicyAnnotationKey  = "enforce-policy"
)
const AuditAnnotationPrefix = labelPrefix
const VersionLatest = "latest"

Variables

This section is empty.

Functions

func CompareLevels

func CompareLevels(a, b Level) int

CompareLevels returns an integer comparing two levels by strictness. The result will be 0 if a==b, -1 if a is less strict than b, and +1 if a is more strict than b.

Types

type Attributes added in v0.23.0

type Attributes interface {
	// GetName is the name of the object associated with the request.
	GetName() string
	// GetNamespace is the namespace associated with the request (if any)
	GetNamespace() string
	// GetResource is the name of the resource being requested.  This is not the kind.  For example: pods
	GetResource() schema.GroupVersionResource
	// GetKind is the name of the kind being requested.  For example: Pod
	GetKind() schema.GroupVersionKind
	// GetSubresource is the name of the subresource being requested.  This is a different resource, scoped to the parent resource, but it may have a different kind.
	// For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
	// (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
	GetSubresource() string
	// GetOperation is the operation being performed
	GetOperation() admissionv1.Operation

	// GetObject returns the typed Object from incoming request.
	// For objects in the core API group, the result must use the v1 API.
	GetObject() (runtime.Object, error)
	// GetOldObject returns the typed existing object. Only populated for UPDATE requests.
	// For objects in the core API group, the result must use the v1 API.
	GetOldObject() (runtime.Object, error)
	// GetUserName is the requesting user's authenticated name.
	GetUserName() string
}

Attributes exposes the admission request parameters consumed by the PodSecurity admission controller.

func RequestAttributes added in v0.23.0

func RequestAttributes(request *admissionv1.AdmissionRequest, decoder runtime.Decoder) Attributes

RequestAttributes adapts an admission.Request to the Attributes interface.

type AttributesRecord added in v0.23.0

type AttributesRecord struct {
	Name        string
	Namespace   string
	Kind        schema.GroupVersionKind
	Resource    schema.GroupVersionResource
	Subresource string
	Operation   admissionv1.Operation
	Object      runtime.Object
	OldObject   runtime.Object
	Username    string
}

AttributesRecord is a simple struct implementing the Attributes interface.

func (*AttributesRecord) GetKind added in v0.23.0

func (a *AttributesRecord) GetKind() schema.GroupVersionKind

func (*AttributesRecord) GetName added in v0.23.0

func (a *AttributesRecord) GetName() string

func (*AttributesRecord) GetNamespace added in v0.23.0

func (a *AttributesRecord) GetNamespace() string

func (*AttributesRecord) GetObject added in v0.23.0

func (a *AttributesRecord) GetObject() (runtime.Object, error)

func (*AttributesRecord) GetOldObject added in v0.23.0

func (a *AttributesRecord) GetOldObject() (runtime.Object, error)

func (*AttributesRecord) GetOperation added in v0.23.0

func (a *AttributesRecord) GetOperation() admissionv1.Operation

func (*AttributesRecord) GetResource added in v0.23.0

func (a *AttributesRecord) GetResource() schema.GroupVersionResource

func (*AttributesRecord) GetSubresource added in v0.23.0

func (a *AttributesRecord) GetSubresource() string

func (*AttributesRecord) GetUserName added in v0.23.0

func (a *AttributesRecord) GetUserName() string

type Level

type Level string
const (
	LevelPrivileged Level = "privileged"
	LevelBaseline   Level = "baseline"
	LevelRestricted Level = "restricted"
)

func ParseLevel

func ParseLevel(level string) (Level, error)

ParseLevel returns the level that should be evaluated. level must be "privileged", "baseline", or "restricted". If level does not match one of those strings, "restricted" and an error are returned.

func (*Level) Valid

func (l *Level) Valid() bool

Valid checks whether the level l is a valid level.

type LevelVersion

type LevelVersion struct {
	Level
	Version
}

func (*LevelVersion) Equivalent added in v0.25.0

func (lv *LevelVersion) Equivalent(other *LevelVersion) bool

Equivalent determines whether two LevelVersions are functionally equivalent. LevelVersions are considered equivalent if both are privileged, or if both their levels and their versions are equal.

func (LevelVersion) String

func (lv LevelVersion) String() string

type Policy

type Policy struct {
	Enforce LevelVersion
	Audit   LevelVersion
	Warn    LevelVersion
}

func PolicyToEvaluate

func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.ErrorList)

PolicyToEvaluate resolves the PodSecurity namespace labels to the policy for that namespace, falling back to the provided defaults when a label is unspecified. A valid policy is always returned, even when an error is returned. If labels cannot be parsed correctly, the values of "restricted" and "latest" are used for level and version respectively.

func (*Policy) Equivalent added in v0.25.0

func (p *Policy) Equivalent(other *Policy) bool

Equivalent determines whether two policies are functionally equivalent. Policies are considered equivalent if all 3 modes are considered equivalent.

func (*Policy) FullyPrivileged added in v0.25.0

func (p *Policy) FullyPrivileged() bool

FullyPrivileged returns true if all 3 policy modes are privileged.

func (*Policy) String added in v0.25.0

func (p *Policy) String() string

type Version

type Version struct {
	// contains filtered or unexported fields
}

func GetAPIVersion added in v0.23.0

func GetAPIVersion() Version

GetAPIVersion gets the version of the API server and returns it as a Version carrying the major and minor numbers.

func LatestVersion

func LatestVersion() Version

func MajorMinorVersion

func MajorMinorVersion(major, minor int) Version

func ParseVersion

func ParseVersion(version string) (Version, error)

ParseVersion returns the policy version that should be evaluated. version must be "latest" or "v1.x". If version does not match one of those patterns, the latest version and an error is returned.
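The label resolution documented for ParseLevel, PolicyToEvaluate and ParseVersion above, re-implemented as an added stand-alone example (not the package's own code): it assumes the unexported labelPrefix is the Pod Security Standards prefix pod-security.kubernetes.io/, models Version as a plain string rather than the package's struct, and returns a []error in place of field.ErrorList. The point it shows is the fail-closed behaviour: a mistyped label value does not silently keep the default but resolves to restricted/latest while the error is reported.

```go
package main

import "fmt"

// Constructed re-implementation of the documented label semantics, not the library's code.
// labelPrefix is the Pod Security Standards label prefix.
const labelPrefix = "pod-security.kubernetes.io/"

type Level string   // "privileged", "baseline" or "restricted"
type Version string // "latest" or "v1.<minor>"
type LevelVersion struct{ Level; Version }
type Policy struct{ Enforce, Audit, Warn LevelVersion }
// ParseLevel fails closed: an unknown level yields restricted plus an error.
func ParseLevel(s string) (Level, error) {
	if l := Level(s); l == "privileged" || l == "baseline" || l == "restricted" {
		return l, nil
	}
	return "restricted", fmt.Errorf("unknown level %q", s)
}
// ParseVersion accepts "latest" or canonical "v1.<minor>"; anything else yields latest plus an error.
func ParseVersion(s string) (Version, error) {
	var n int
	if _, err := fmt.Sscanf(s, "v1.%d", &n); s == "latest" || (err == nil && n >= 0 && fmt.Sprintf("v1.%d", n) == s) {
		return Version(s), nil
	}
	return "latest", fmt.Errorf("invalid version %q", s)
}
// PolicyToEvaluate: an unset label keeps that mode's default; an unparseable one falls back to restricted/latest.
func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, []error) {
	p, errs := defaults, []error(nil) // a usable policy is always returned, even with errors
	for _, m := range []struct{ mode string; lv *LevelVersion }{{"enforce", &p.Enforce}, {"audit", &p.Audit}, {"warn", &p.Warn}} {
		var err error
		if v, ok := labels[labelPrefix+m.mode]; ok {
			if m.lv.Level, err = ParseLevel(v); err != nil {
				errs = append(errs, err)
			}
		}
		if v, ok := labels[labelPrefix+m.mode+"-version"]; ok {
			if m.lv.Version, err = ParseVersion(v); err != nil {
				errs = append(errs, err)
			}
		}
	}
	return p, errs
}
func main() {
	// Constructed namespace labels: a valid enforce pair, a typo in warn, and no audit labels at all.
	labels := map[string]string{labelPrefix + "enforce": "baseline", labelPrefix + "enforce-version": "v1.29", labelPrefix + "warn": "restrcted"}
	priv := LevelVersion{"privileged", "latest"}
	fmt.Println(PolicyToEvaluate(labels, Policy{priv, priv, priv}))
}
```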

func (*Version) Latest

func (v *Version) Latest() bool

func (*Version) Major

func (v *Version) Major() int

func (*Version) Minor

func (v *Version) Minor() int

func (*Version) Older

func (v *Version) Older(other Version) bool

Older returns true if this version v is older than the other.

func (Version) String

func (v Version) String() string
