package cel

import "k8s.io/apiserver/pkg/admission/plugin/cel"

Index

Constants 

const (
	ObjectVarName                    = "object"
	OldObjectVarName                 = "oldObject"
	ParamsVarName                    = "params"
	RequestVarName                   = "request"
	NamespaceVarName                 = "namespaceObject"
	AuthorizerVarName                = "authorizer"
	RequestResourceAuthorizerVarName = "authorizer.requestResource"
	VariableVarName                  = "variables"
)

Functions

func BuildNamespaceType 

func BuildNamespaceType() *apiservercel.DeclType

BuildNamespaceType generates a DeclType for Namespace. Certain nested fields in Namespace (e.g. managedFields, ownerReferences etc.) are omitted in the generated DeclType by design.

func BuildRequestType 

func BuildRequestType() *apiservercel.DeclType

BuildRequestType generates a DeclType for AdmissionRequest. This may be replaced with a utility that converts the native type definition to apiservercel.DeclType once such a utility becomes available. The 'uid' field is omitted since it is not needed for in-process admission review. The 'object' and 'oldObject' fields are omitted since they are exposed as root level CEL variables.

func CreateAdmissionRequest 

func CreateAdmissionRequest(attr admission.Attributes, equivalentGVR metav1.GroupVersionResource, equivalentKind metav1.GroupVersionKind) *admissionv1.AdmissionRequest

TODO: to reuse https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go#L154

func CreateNamespaceObject 

func CreateNamespaceObject(namespace *v1.Namespace) *v1.Namespace

CreateNamespaceObject creates a Namespace object that is suitable for the CEL evaluation. If the namespace is nil, CreateNamespaceObject returns nil

Types

type CompilationResult 

type CompilationResult struct {
	Program            cel.Program
	Error              *apiservercel.Error
	ExpressionAccessor ExpressionAccessor
	OutputType         *cel.Type
}

CompilationResult represents a compiled validations expression.

type Compiler 

type Compiler interface {
	CompileCELExpression(expressionAccessor ExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type) CompilationResult
}

Compiler provides a CEL expression compiler configured with the desired admission related CEL variables and environment mode.

func NewCompiler 

func NewCompiler(env *environment.EnvSet) Compiler

type CompositedCompiler 

type CompositedCompiler struct {
	Compiler
	ConditionCompiler
	MutatingCompiler
	// contains filtered or unexported fields
}

CompositedCompiler compiles expressions with variable composition.

func NewCompositedCompiler 

func NewCompositedCompiler(envSet *environment.EnvSet) (*CompositedCompiler, error)

func NewCompositedCompilerForTypeChecking 

func NewCompositedCompilerForTypeChecking(envSet *environment.EnvSet) (*CompositedCompiler, error)

NewCompositedCompilerForTypeChecking creates a CompositedCompiler for type checking. It initializes the composition state but leaves the Compilers nil, as they are expected to be replaced by the caller (who is doing type checking).

func (*CompositedCompiler) CompileAndStoreVariable 

func (c *CompositedCompiler) CompileAndStoreVariable(variable NamedExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type) CompilationResult

func (*CompositedCompiler) CompileAndStoreVariables 

func (c *CompositedCompiler) CompileAndStoreVariables(variables []NamedExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type)

func (*CompositedCompiler) CompileCondition 

func (c *CompositedCompiler) CompileCondition(expressions []ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) ConditionEvaluator

func (*CompositedCompiler) CompileMutatingEvaluator 

func (c *CompositedCompiler) CompileMutatingEvaluator(expression ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) MutatingEvaluator

CompileEvaluator compiles an mutatingEvaluator for the given expression, options and environment.

func (*CompositedCompiler) CreateContext 

func (c *CompositedCompiler) CreateContext(parent context.Context) CompositionContext

func (*CompositedCompiler) Env 

func (c *CompositedCompiler) Env(mode environment.Type) (*cel.Env, error)

Env returns the CEL environment for the given mode.

type CompositedConditionEvaluator 

type CompositedConditionEvaluator struct {
	ConditionEvaluator
	// contains filtered or unexported fields
}

CompositedConditionEvaluator provides evaluation of a condition expression with variable composition. The expressions must return a boolean.

func (*CompositedConditionEvaluator) ForInput 

func (f *CompositedConditionEvaluator) ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, namespace *corev1.Namespace, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error)

type CompositedEvaluator 

type CompositedEvaluator struct {
	MutatingEvaluator
	// contains filtered or unexported fields
}

CompositedEvaluator provides evaluation of a single expression with variable composition. The types that may returned by the expression is determined at compilation time.

type CompositionContext 

type CompositionContext interface {
	context.Context
	Variables(activation any) ref.Val
	GetAndResetCost() int64
}

type ConditionCompiler 

type ConditionCompiler interface {
	// CompileCondition is used for the cel expression compilation
	CompileCondition(expressions []ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) ConditionEvaluator
}

ConditionCompiler contains a function to assist with converting types and values to/from CEL-typed values.

func NewConditionCompiler 

func NewConditionCompiler(env *environment.EnvSet) ConditionCompiler

type ConditionEvaluator 

type ConditionEvaluator interface {
	// ForInput converts compiled CEL-typed values into evaluated CEL-typed value.
	// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	// If cost budget is calculated, the condition should return the remaining budget.
	ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, namespace *corev1.Namespace, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error)

	// CompilationErrors returns a list of errors from the compilation of the mutatingEvaluator
	CompilationErrors() []error
}

ConditionEvaluator contains the result of compiling a CEL expression that evaluates to a condition. This is used both for validation and pre-conditions. It expects the inbound object to already have been converted to the version expected by the underlying CEL code (which is indicated by the match criteria of a policy definition). versionedParams may be nil.

func NewCondition 

func NewCondition(compilationResults []CompilationResult) ConditionEvaluator

type EvaluationResult 

type EvaluationResult struct {
	EvalResult         ref.Val
	ExpressionAccessor ExpressionAccessor
	Elapsed            time.Duration
	Error              error
}

EvaluationResult contains the minimal required fields and metadata of a cel evaluation

type ExpressionAccessor 

type ExpressionAccessor interface {
	GetExpression() string
	ReturnTypes() []*cel.Type
}

type MutatingCompiler 

type MutatingCompiler interface {
	// CompileMutatingEvaluator is used for the cel expression compilation
	CompileMutatingEvaluator(expression ExpressionAccessor, optionalDecls OptionalVariableDeclarations, envType environment.Type) MutatingEvaluator
}

MutatingCompiler contains a function to assist with converting types and values to/from CEL-typed values.

type MutatingEvaluator 

type MutatingEvaluator interface {
	// ForInput converts compiled CEL-typed values into a CEL-typed value representing a mutation.
	// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	// If cost budget is calculated, the condition should return the remaining budget.
	ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, namespace *corev1.Namespace, runtimeCELCostBudget int64) (EvaluationResult, int64, error)

	// CompilationErrors returns a list of errors from the compilation of the mutatingEvaluator
	CompilationErrors() []error
}

MutatingEvaluator contains the result of compiling a CEL expression that evaluates to a mutation. It expects the inbound object to already have been converted to the version expected by the underlying CEL code (which is indicated by the match criteria of a policy definition). versionedParams may be nil.

func NewMutatingEvaluator 

func NewMutatingEvaluator(compilationResult CompilationResult) MutatingEvaluator

type NamedExpressionAccessor 

type NamedExpressionAccessor interface {
	ExpressionAccessor

	GetName() string // follows the naming convention of ExpressionAccessor
}

NamedExpressionAccessor extends NamedExpressionAccessor with a name.

type OptionalVariableBindings 

type OptionalVariableBindings struct {
	// VersionedParams provides the "params" variable binding. This variable binding may
	// be set to nil even when OptionalVariableDeclarations.HashParams is set to true.
	VersionedParams runtime.Object
	// Authorizer provides the authorizer used for the "authorizer" and
	// "authorizer.requestResource" variable bindings. If the expression was compiled with
	// OptionalVariableDeclarations.HasAuthorizer set to true this must be non-nil.
	Authorizer authorizer.Authorizer
}

OptionalVariableBindings provides expression bindings for optional CEL variables.

type OptionalVariableDeclarations 

type OptionalVariableDeclarations struct {
	// HasParams specifies if the "params" variable is declared.
	// The "params" variable may still be bound to "null" when declared.
	HasParams bool
	// HasAuthorizer specifies if the "authorizer" and "authorizer.requestResource"
	// variables are declared. When declared, the authorizer variables are
	// expected to be non-null.
	HasAuthorizer bool
	// HasPatchTypes specifies if JSONPatch, Object, Object.metadata and similar types are available in CEL. These can be used
	// to initialize the typed objects in CEL required to create patches.
	HasPatchTypes bool
}

OptionalVariableDeclarations declares which optional CEL variables are declared for an expression.

Source Files

activation.go compile.go composition.go condition.go interface.go mutation.go

Version
v0.36.0 (latest)
Published
Apr 22, 2026
Platform
linux/amd64
Imports
26 packages
Last checked
4 days ago

Tools for package owners.