package validatingadmissionpolicy

import "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"

Index ¶

• Constants
• func NewPlugin() (admission.Interface, error)
• func Register(plugins *admission.Plugins)
• type CELPolicyEvaluator
• func NewAdmissionController( informerFactory informers.SharedInformerFactory, client kubernetes.Interface, restMapper meta.RESTMapper, dynamicClient dynamic.Interface, ) CELPolicyEvaluator
• type Matcher
• func NewMatcher(m *matching.Matcher) Matcher
• type PolicyDecision
• type PolicyDecisionAction
• type PolicyDecisionEvaluation
• type ValidationCondition
• func (v *ValidationCondition) GetExpression() string
• type Validator
• func NewValidator(filter cel.Filter, failPolicy *v1.FailurePolicyType) Validator

Constants ¶

const (
	// PluginName indicates the name of admission plug-in
	PluginName = "ValidatingAdmissionPolicy"
)

Functions ¶

func NewPlugin ¶

func NewPlugin() (admission.Interface, error)

func Register ¶

func Register(plugins *admission.Plugins)

Register registers a plugin

Types ¶

type CELPolicyEvaluator ¶

type CELPolicyEvaluator interface {
	admission.InitializationValidator

	Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error
	HasSynced() bool
	Run(stopCh <-chan struct{})
}

func NewAdmissionController ¶

func NewAdmissionController(

	informerFactory informers.SharedInformerFactory,
	client kubernetes.Interface,
	restMapper meta.RESTMapper,
	dynamicClient dynamic.Interface,
) CELPolicyEvaluator

type Matcher ¶

type Matcher interface {
	admission.InitializationValidator

	// DefinitionMatches says whether this policy definition matches the provided admission
	// resource request
	DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error)

	// BindingMatches says whether this policy definition matches the provided admission
	// resource request
	BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error)
}

Matcher is used for matching ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to attributes

func NewMatcher ¶

func NewMatcher(m *matching.Matcher) Matcher

type PolicyDecision ¶

type PolicyDecision struct {
	Action     PolicyDecisionAction
	Evaluation PolicyDecisionEvaluation
	Message    string
	Reason     metav1.StatusReason
	Elapsed    time.Duration
}

PolicyDecision contains the action determined from a cel evaluation along with metadata such as message, reason and duration

type PolicyDecisionAction ¶

type PolicyDecisionAction string

const (
	ActionAdmit PolicyDecisionAction = "admit"
	ActionDeny  PolicyDecisionAction = "deny"
)

type PolicyDecisionEvaluation ¶

type PolicyDecisionEvaluation string

const (
	EvalAdmit PolicyDecisionEvaluation = "admit"
	EvalError PolicyDecisionEvaluation = "error"
	EvalDeny  PolicyDecisionEvaluation = "deny"
)

type ValidationCondition ¶

type ValidationCondition struct {
	Expression string
	Message    string
	Reason     *metav1.StatusReason
}

ValidationCondition contains the inputs needed to compile, evaluate and validate a cel expression

func (*ValidationCondition) GetExpression ¶

func (v *ValidationCondition) GetExpression() string

type Validator ¶

type Validator interface {
	// Validate is used to take cel evaluations and convert into decisions
	Validate(versionedAttr *generic.VersionedAttributes, versionedParams runtime.Object) []PolicyDecision
}

Validator is contains logic for converting ValidationEvaluation to PolicyDecisions

func NewValidator ¶

func NewValidator(filter cel.Filter, failPolicy *v1.FailurePolicyType) Validator

Source Files ¶

admission.go controller.go controller_reconcile.go initializer.go interface.go matcher.go policy_decision.go validator.go

Directories ¶