package cel

import "k8s.io/apiserver/pkg/admission/plugin/cel"

Index

Constants

const (
	// PluginName is the name of the CEL admission plug-in. It is presumably the
	// key under which Register adds the plugin to *admission.Plugins — confirm
	// against admission.go.
	PluginName = "CEL"
)

Functions

func NewPlugin

func NewPlugin() (*celAdmissionPlugin, error)

func Register

func Register(plugins *admission.Plugins)

Register registers a plugin

Types

type CELPolicyEvaluator

// CELPolicyEvaluator is the shared CEL admission controller that plugins
// receive through WantsCELPolicyEvaluator (see PluginInitializer).
//
// Validate evaluates the admission request described by a against the known
// policies and returns a non-nil error when the request should not proceed;
// how a configuration error that prevents evaluation is treated depends on
// the definition's FailurePolicy — confirm in controller.go.
// HasSynced reports whether the evaluator's backing informers have completed
// their initial sync; NOTE(review): a Validate result obtained before
// HasSynced returns true may be based on an incomplete policy set — confirm
// against the caller.
type CELPolicyEvaluator interface {
	Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error
	HasSynced() bool
}

func NewAdmissionController

func NewAdmissionController(

	policyDefinitionsInformer cache.SharedIndexInformer,
	policyBindingInformer cache.SharedIndexInformer,

	objectConverter ObjectConverter,
	restMapper meta.RESTMapper,
	dynamicClient dynamic.Interface,
) CELPolicyEvaluator

type EvaluatorFunc

// EvaluatorFunc represents the AND of one or more compiled CEL expressions'
// evaluators, producing one PolicyDecision per evaluated expression.
// params may be nil if the definition does not specify a paramsource
// (see PolicyDefinition.GetParamSource), so implementations must tolerate
// a nil params argument.
type EvaluatorFunc func(a admission.Attributes, params *unstructured.Unstructured) []PolicyDecision

EvaluatorFunc represents the AND of one or more compiled CEL expressions' evaluators. `params` may be nil if the definition does not specify a paramsource.

type FailurePolicy

// FailurePolicy selects how an object is treated during admission when a
// configuration error prevents CEL evaluation (see
// PolicyDefinition.GetFailurePolicy).
type FailurePolicy string
const (
	// Fail: the request is expected to be rejected when the policy cannot be
	// evaluated (fail-closed) — confirm against controller.go.
	Fail   FailurePolicy = "Fail"
	// Ignore: the request is expected to proceed when the policy cannot be
	// evaluated (fail-open) — confirm against controller.go. NOTE(review): a
	// policy relied on as a security control should use Fail, otherwise a
	// broken param source or compile error silently disables the check.
	Ignore FailurePolicy = "Ignore"
)

type FakePolicyBinding

// FakePolicyBinding is a mock/testing implementation of PolicyBinding backed
// by plain fields instead of a public API type.
type FakePolicyBinding struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// MatchFunc backs Matches.
	// Specified as a function pointer so that this type is still comparable.
	// Behaviour when nil is not visible here — see fake.go.
	MatchFunc *func(admission.Attributes) bool `json:"-"`
	// Params identifies the params object reported by GetTargetParams
	// (namespace, name); how the single string is split is not visible here —
	// confirm in fake.go.
	Params    string                           `json:"params"`
	// Policy identifies the PolicyDefinition reported by GetTargetDefinition
	// (namespace, name); same caveat on the string format.
	Policy    string                           `json:"policy"`
}

func (*FakePolicyBinding) DeepCopyObject

func (f *FakePolicyBinding) DeepCopyObject() runtime.Object

func (*FakePolicyBinding) GetObjectKind

func (f *FakePolicyBinding) GetObjectKind() schema.ObjectKind

func (*FakePolicyBinding) GetTargetDefinition

func (f *FakePolicyBinding) GetTargetDefinition() (namespace, name string)

func (*FakePolicyBinding) GetTargetParams

func (f *FakePolicyBinding) GetTargetParams() (namespace, name string)

func (*FakePolicyBinding) GroupVersionKind

func (f *FakePolicyBinding) GroupVersionKind() schema.GroupVersionKind

func (*FakePolicyBinding) Matches

func (*FakePolicyBinding) SetGroupVersionKind

func (f *FakePolicyBinding) SetGroupVersionKind(kind schema.GroupVersionKind)

type FakePolicyBindingList

// FakePolicyBindingList is the list type for FakePolicyBinding, so that the
// fake bindings can be served through a cache.SharedIndexInformer in tests.
type FakePolicyBindingList struct {
	metav1.TypeMeta
	metav1.ListMeta

	// Items holds the bindings by value; DeepCopyObject must copy them.
	Items []FakePolicyBinding
}

func (*FakePolicyBindingList) DeepCopyObject

func (f *FakePolicyBindingList) DeepCopyObject() runtime.Object

func (*FakePolicyBindingList) GetObjectKind

func (f *FakePolicyBindingList) GetObjectKind() schema.ObjectKind

func (*FakePolicyBindingList) GroupVersionKind

func (f *FakePolicyBindingList) GroupVersionKind() schema.GroupVersionKind

func (*FakePolicyBindingList) SetGroupVersionKind

func (f *FakePolicyBindingList) SetGroupVersionKind(kind schema.GroupVersionKind)

type FakePolicyDefinition

// FakePolicyDefinition is a mock/testing implementation of PolicyDefinition
// whose behaviour is supplied through function-pointer fields.
type FakePolicyDefinition struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Function called when `Matches` is called
	// If nil, a default function that always returns true is used
	// Specified as a function pointer so that this type is still comparable
	MatchFunc *func(admission.Attributes) bool `json:"-"`

	// Func invoked for implementation of `Compile`
	// Specified as a function pointer so that this type is still comparable
	// Behaviour when nil is not visible here — confirm in fake.go
	CompileFunc *func(converter ObjectConverter) (EvaluatorFunc, error) `json:"-"`

	// GVK returned by GetParamSource(); nil means the definition has no
	// paramsource, in which case bindings' GetTargetParams is ignored
	ParamSource *schema.GroupVersionKind `json:"paramSource"`

	// Value returned by GetFailurePolicy(); note the zero value is "" rather
	// than Fail or Ignore — how the controller treats that is not visible here
	FailurePolicy FailurePolicy `json:"failurePolicy"`
}

func (*FakePolicyDefinition) Compile

func (f *FakePolicyDefinition) Compile(
	converter ObjectConverter,
	mapper meta.RESTMapper,
) (EvaluatorFunc, error)

func (*FakePolicyDefinition) DeepCopyObject

func (f *FakePolicyDefinition) DeepCopyObject() runtime.Object

func (*FakePolicyDefinition) GetFailurePolicy

func (f *FakePolicyDefinition) GetFailurePolicy() FailurePolicy

func (*FakePolicyDefinition) GetName

func (f *FakePolicyDefinition) GetName() string

func (*FakePolicyDefinition) GetNamespace

func (f *FakePolicyDefinition) GetNamespace() string

func (*FakePolicyDefinition) GetObjectKind

func (f *FakePolicyDefinition) GetObjectKind() schema.ObjectKind

func (*FakePolicyDefinition) GetParamSource

func (f *FakePolicyDefinition) GetParamSource() *schema.GroupVersionKind

func (*FakePolicyDefinition) GroupVersionKind

func (f *FakePolicyDefinition) GroupVersionKind() schema.GroupVersionKind

func (*FakePolicyDefinition) Matches

func (*FakePolicyDefinition) SetGroupVersionKind

func (f *FakePolicyDefinition) SetGroupVersionKind(kind schema.GroupVersionKind)

type FakePolicyDefinitionList

// FakePolicyDefinitionList is the list type for FakePolicyDefinition, so that
// the fake definitions can be served through a cache.SharedIndexInformer in
// tests.
type FakePolicyDefinitionList struct {
	metav1.TypeMeta
	metav1.ListMeta

	// Items holds the definitions by value; DeepCopyObject must copy them.
	Items []FakePolicyDefinition
}

func (*FakePolicyDefinitionList) DeepCopyObject

func (f *FakePolicyDefinitionList) DeepCopyObject() runtime.Object

func (*FakePolicyDefinitionList) GetObjectKind

func (f *FakePolicyDefinitionList) GetObjectKind() schema.ObjectKind

func (*FakePolicyDefinitionList) GroupVersionKind

func (f *FakePolicyDefinitionList) GroupVersionKind() schema.GroupVersionKind

func (*FakePolicyDefinitionList) SetGroupVersionKind

func (f *FakePolicyDefinitionList) SetGroupVersionKind(kind schema.GroupVersionKind)

type ObjectConverter

// ObjectConverter is dependency-injected into the PolicyDefinition's `Compile`
// function to assist with converting types and values to/from CEL-typed
// values.
type ObjectConverter interface {
	// DeclForResource looks up the openapi or JSONSchemaProps, structural schema, etc.
	// and compiles it into something that can be used to turn objects into CEL
	// values
	DeclForResource(gvr schema.GroupVersionResource) (*cel.DeclType, error)

	// ValueForObject takes a Kubernetes Object and uses the CEL DeclType
	// to transform it into a CEL value.
	// Object may be a typed native object or an unstructured object
	ValueForObject(value runtime.Object, decl *cel.DeclType) (ref.Val, error)
}

ObjectConverter is Dependency Injected into the PolicyDefinition's `Compile` function to assist with converting types and values to/from CEL-typed values.

type PluginInitializer

// PluginInitializer hands the shared CELPolicyEvaluator given to
// NewPluginInitializer to every plugin that implements
// WantsCELPolicyEvaluator (see Initialize).
type PluginInitializer struct {
	// contains filtered or unexported fields
}

PluginInitializer is used for initialization of the webhook admission plugin.

func NewPluginInitializer

func NewPluginInitializer(validator CELPolicyEvaluator) *PluginInitializer

NewPluginInitializer creates a plugin initializer which dependency-injects a singleton CEL admission controller into the plugins that request it.

func (*PluginInitializer) Initialize

func (i *PluginInitializer) Initialize(plugin admission.Interface)

Initialize checks the initialization interfaces implemented by each plugin and provides the appropriate initialization data.

type PolicyBinding

// PolicyBinding is an interface for the internal policy binding type.
// Implemented by mock/testing types, and to be implemented by the public API
// types once they have completed API review. The interface closely mirrors
// the format and functionality of the PolicyBinding proposed in the KEP.
type PolicyBinding interface {
	runtime.Object

	// Matches says whether this policy binding matches the provided admission
	// resource request
	Matches(a admission.Attributes) bool

	// GetTargetDefinition returns the Namespace/Name of Policy Definition used
	// by this binding.
	GetTargetDefinition() (namespace, name string)

	// GetTargetParams returns the Namespace/Name of instance of TargetDefinition's
	// ParamSource to be provided to the CEL expressions of the definition during
	// evaluation.
	// If TargetDefinition has nil ParamSource, this is ignored.
	GetTargetParams() (namespace, name string)
}

PolicyBinding is an interface for the internal policy binding type. Implemented by mock/testing types, and to be implemented by the public API types once they have completed API review.

The interface closely mirrors the format and functionality of the PolicyBinding proposed in the KEP.

type PolicyDecision

// PolicyDecision is the outcome of evaluating one compiled CEL expression
// (see EvaluatorFunc).
type PolicyDecision struct {
	// Kind is Admit or Deny (see PolicyDecisionKind).
	Kind    PolicyDecisionKind `json:"kind"`
	// Message is free-form and is serialized as-is; presumably surfaced to the
	// requester through PolicyError — confirm in policy_decision.go.
	Message any                `json:"message"`
}

type PolicyDecisionKind

// PolicyDecisionKind classifies a PolicyDecision. Note the zero value "" is
// neither Admit nor Deny; how the controller treats it is not visible here.
type PolicyDecisionKind string
const (
	// Admit indicates the expression did not object to the request.
	Admit PolicyDecisionKind = "Admit"
	// Deny indicates the expression rejected the request.
	Deny  PolicyDecisionKind = "Deny"
)

type PolicyDecisionWithMetadata

// PolicyDecisionWithMetadata pairs a PolicyDecision with the definition and
// binding that produced it, so a PolicyError can report which policy denied
// the request.
type PolicyDecisionWithMetadata struct {
	PolicyDecision `json:"decision"`
	// Definition and Binding are interfaces, so JSON encoding serializes
	// whatever concrete type is stored (e.g. the Fake* types in tests).
	Definition     PolicyDefinition `json:"definition"`
	Binding        PolicyBinding    `json:"binding"`
}

type PolicyDefinition

// PolicyDefinition is an interface for the internal policy definition type.
// Implemented by mock/testing types, and to be implemented by the public API
// types once they have completed API review. The interface closely mirrors
// the format and functionality of the PolicyDefinition proposed in the KEP.
type PolicyDefinition interface {
	runtime.Object

	// Matches says whether this policy definition matches the provided admission
	// resource request
	Matches(a admission.Attributes) bool

	// Compile turns the definition's CEL expressions into a single
	// EvaluatorFunc, using objectConverter to map Kubernetes objects to CEL
	// values and mapper to resolve resources. A non-nil error here is a
	// configuration error, and GetFailurePolicy decides how the request is
	// then treated — confirm against controller.go.
	Compile(

		objectConverter ObjectConverter,

		mapper meta.RESTMapper,
	) (EvaluatorFunc, error)

	// GetParamSource returns the GVK for the CRD used as the source of
	// parameters used in the evaluation of instances of this policy
	// May return nil if there is no paramsource for this definition.
	GetParamSource() *schema.GroupVersionKind

	// GetFailurePolicy returns how an object should be treated during an
	// admission when there is a configuration error preventing CEL evaluation
	GetFailurePolicy() FailurePolicy
}

PolicyDefinition is an interface for the internal policy definition type. Implemented by mock/testing types, and to be implemented by the public API types once they have completed API review.

The interface closely mirrors the format and functionality of the PolicyDefinition proposed in the KEP.

type PolicyError

// PolicyError carries the policy decisions (with their definition and
// binding) behind a rejected admission request; presumably it is the error
// type returned by CELPolicyEvaluator.Validate — confirm in
// policy_decision.go.
type PolicyError struct {
	Decisions []PolicyDecisionWithMetadata
}

func (*PolicyError) Error

func (p *PolicyError) Error() string

type WantsCELPolicyEvaluator

// WantsCELPolicyEvaluator gives the ability to have the shared CEL Admission
// Controller dependency-injected at initialization time: PluginInitializer
// calls SetCELPolicyEvaluator on every plugin implementing this interface.
type WantsCELPolicyEvaluator interface {
	SetCELPolicyEvaluator(CELPolicyEvaluator)
}

WantsCELPolicyEvaluator gives the ability to have the shared CEL Admission Controller dependency injected at initialization-time.

Source Files

admission.go controller.go controller_reconcile.go fake.go initializer.go interface.go policy_decision.go

Directories

Path / Synopsis
pkg/admission/plugin/cel/internal