
package validatingadmissionpolicy

import "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"

Index

Constants

// Names of the variables that a policy's validation expressions can reference.
// They correspond to the object/oldObject/params/request values that
// CELValidator.Validate converts to unstructured before evaluation (see its
// documentation); the actual binding of these names is done elsewhere in the
// package — confirm in validator.go.
const (
	ObjectVarName    = "object"
	OldObjectVarName = "oldObject"
	ParamsVarName    = "params"
	RequestVarName   = "request"
)
const (
	// PluginName indicates the name of the admission plug-in; it is
	// presumably the name Register uses when adding the plugin — confirm in admission.go.
	PluginName = "ValidatingAdmissionPolicy"
)

Functions

func NewPlugin

func NewPlugin() (admission.Interface, error)

func ReasonToCode

func ReasonToCode(r metav1.StatusReason) int32

func Register

func Register(plugins *admission.Plugins)

Register registers a plugin

Types

type CELPolicyEvaluator

// CELPolicyEvaluator is the admission-time entry point for evaluating
// ValidatingAdmissionPolicy objects against a request; NewAdmissionController
// returns an implementation. It embeds admission.InitializationValidator so the
// plugin can verify its injected dependencies before serving requests.
type CELPolicyEvaluator interface {
	admission.InitializationValidator

	// Validate evaluates the admission request described by a against the
	// policies known to the evaluator. A non-nil error is presumably surfaced
	// as a rejection of the request — the mapping from policy decisions to the
	// returned error lives outside this interface; confirm in admission.go.
	Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error
	// HasSynced reports whether the evaluator has finished its initial load of
	// policy state (inferred from the name and the informerFactory argument of
	// NewAdmissionController — confirm in controller.go). NOTE(review): callers
	// should treat false as "not ready", not as "no policies apply".
	HasSynced() bool
	// Run starts the evaluator's background processing and is expected to
	// return once stopCh is closed (inferred from the parameter; confirm in controller.go).
	Run(stopCh <-chan struct{})
}

func NewAdmissionController

func NewAdmissionController(

	informerFactory informers.SharedInformerFactory,
	client kubernetes.Interface,
	restMapper meta.RESTMapper,
	dynamicClient dynamic.Interface,
) CELPolicyEvaluator

type CELValidator

// CELValidator implements the Validator interface. It is produced by
// CELValidatorCompiler.Compile for a single ValidatingAdmissionPolicy and,
// presumably, holds that policy's compiled CEL expressions, which Validate
// evaluates one by one. (Fields are not shown in this listing.)
type CELValidator struct {
	// contains filtered or unexported fields
}

CELValidator implements the Validator interface.

func (*CELValidator) Validate

func (v *CELValidator) Validate(versionedAttr *generic.VersionedAttributes, versionedParams runtime.Object) ([]PolicyDecision, error)

Validate evaluates every CEL expression in the Validator and returns one PolicyDecision per expression, or an error. An error is returned if the object, oldObject, params or request cannot be converted to unstructured. Each PolicyDecision carries a decision and a message; the message is empty when the decision is to admit and no error was encountered.

type CELValidatorCompiler

// CELValidatorCompiler implements the ValidatorCompiler interface.
type CELValidatorCompiler struct {
	// Matcher decides whether a policy definition or binding applies to an
	// admission request (used by DefinitionMatches and BindingMatches).
	// ValidateInitialization reports an error when it has not been set, so it
	// must be initialized before the compiler is used.
	Matcher *matching.Matcher
}

CELValidatorCompiler implements the ValidatorCompiler interface.

func (*CELValidatorCompiler) BindingMatches

BindingMatches returns whether this ValidatingAdmissionPolicyBinding matches the provided admission resource request

func (*CELValidatorCompiler) Compile

Compile compiles the cel expression defined in ValidatingAdmissionPolicy

func (*CELValidatorCompiler) DefinitionMatches

DefinitionMatches returns whether this ValidatingAdmissionPolicy matches the provided admission resource request

func (*CELValidatorCompiler) ValidateInitialization

func (c *CELValidatorCompiler) ValidateInitialization() error

ValidateInitialization checks if Matcher is initialized.

type CompilationResult

// CompilationResult represents a compiled ValidatingAdmissionPolicy validation
// expression, as returned by CompileValidatingPolicyExpression.
type CompilationResult struct {
	// Program is the compiled CEL program ready for evaluation. Presumably
	// nil when Error is set — confirm in compiler.go.
	Program cel.Program
	// Error describes why compilation failed. Presumably nil on success —
	// confirm in compiler.go.
	Error *apiservercel.Error
}

CompilationResult represents a compiled ValidatingAdmissionPolicy validation expression.

func CompileValidatingPolicyExpression

func CompileValidatingPolicyExpression(validationExpression string, hasParams bool) CompilationResult

CompileValidatingPolicyExpression returns a compiled validating policy CEL expression.

type PolicyDecision

// PolicyDecision is the outcome of evaluating one CEL validation expression
// against an admission request; CELValidator.Validate returns one per expression.
type PolicyDecision struct {
	// Action is what the policy asks admission to do with the request: admit or deny.
	Action PolicyDecisionAction
	// Evaluation records how the expression itself evaluated — admit, deny, or
	// error. It is kept separate from Action so that an evaluation failure can
	// be distinguished from an explicit deny; how an error evaluation is turned
	// into an Action is decided outside this type (confirm in validator.go).
	Evaluation PolicyDecisionEvaluation
	// Message is the human-readable explanation of the decision. It is empty
	// when the decision is to admit and no error was encountered.
	Message string
	// Reason is the status reason attached to the decision; ReasonToCode maps
	// it to a numeric code.
	Reason metav1.StatusReason
	// Elapsed is presumably the time spent evaluating the expression
	// (inferred from the name — confirm in validator.go).
	Elapsed time.Duration
}

type PolicyDecisionAction

// PolicyDecisionAction is the action a policy asks admission to take for a request.
type PolicyDecisionAction string
const (
	// ActionAdmit lets the request proceed.
	ActionAdmit PolicyDecisionAction = "admit"
	// ActionDeny rejects the request.
	ActionDeny PolicyDecisionAction = "deny"
)

type PolicyDecisionEvaluation

// PolicyDecisionEvaluation describes how a single validation expression
// evaluated, independent of the Action ultimately taken on the request.
type PolicyDecisionEvaluation string
const (
	// EvalAdmit means the expression evaluated in favour of admitting the object.
	EvalAdmit PolicyDecisionEvaluation = "admit"
	// EvalError means the expression could not be evaluated (for example a
	// runtime evaluation error); it is distinct from an explicit deny.
	EvalError PolicyDecisionEvaluation = "error"
	// EvalDeny means the expression evaluated in favour of denying the object.
	EvalDeny PolicyDecisionEvaluation = "deny"
)

type Validator

// Validator defines the func used to validate an object against the
// validator's rules. It expects the inbound object to already have been
// converted to the version expected by the underlying CEL code (which is
// indicated by the match criteria of a policy definition).
type Validator interface {
	// Validate evaluates every expression of the policy against versionedAttr,
	// with versionedParams presumably exposed to the expressions under
	// ParamsVarName, and returns one PolicyDecision per expression. An error
	// is returned if the inputs cannot be converted to unstructured for
	// evaluation.
	Validate(versionedAttr *generic.VersionedAttributes, versionedParams runtime.Object) ([]PolicyDecision, error)
}

Validator defines the func used to validate an object against the validator's rules. It expects the inbound object to already have been converted to the version expected by the underlying CEL code (which is indicated by the match criteria of a policy definition).

type ValidatorCompiler

// ValidatorCompiler is dependency-injected into the PolicyDefinition's
// `Compile` function to assist with converting types and values to/from
// CEL-typed values. It embeds admission.InitializationValidator so that the
// plugin can verify the compiler's dependencies (e.g. its matcher) before use.
type ValidatorCompiler interface {
	admission.InitializationValidator

	// DefinitionMatches says whether this policy definition matches the
	// provided admission resource request. The returned GroupVersionKind is
	// presumably the version the object must be converted to before the
	// policy's CEL code is evaluated (see Validator). NOTE(review): a non-nil
	// error is not the same as "does not match"; callers should not treat it
	// as a pass — confirm how admission.go handles it.
	DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error)

	// BindingMatches says whether this policy binding matches the provided
	// admission resource request. (The previous comment here was a copy of
	// DefinitionMatches'.)
	BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error)

	// Compile compiles the CEL expressions defined in policy and returns a
	// Validator that evaluates them; compilation errors are presumably carried
	// inside the returned Validator rather than returned here — confirm in compiler.go.
	Compile(
		policy *v1alpha1.ValidatingAdmissionPolicy,
	) Validator
}

ValidatorCompiler is Dependency Injected into the PolicyDefinition's `Compile` function to assist with converting types and values to/from CEL-typed values.

Source Files

admission.go compiler.go controller.go controller_reconcile.go initializer.go interface.go policy_decision.go validator.go

Directories

PathSynopsis
pkg/admission/plugin/validatingadmissionpolicy/internal
pkg/admission/plugin/validatingadmissionpolicy/matching
Version
v0.27.0-alpha.2
Published
Feb 15, 2023