package validatingadmissionpolicy
import "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
Index ¶
- Constants
- func NewPlugin() (admission.Interface, error)
- func Register(plugins *admission.Plugins)
- type AuditAnnotationCondition
- func (v *AuditAnnotationCondition) GetExpression() string
- func (v *AuditAnnotationCondition) ReturnTypes() []*celgo.Type
- type CELPolicyEvaluator
- type Matcher
- type MessageExpressionCondition
- func (m *MessageExpressionCondition) GetExpression() string
- func (m *MessageExpressionCondition) ReturnTypes() []*celgo.Type
- type PolicyAuditAnnotation
- type PolicyAuditAnnotationAction
- type PolicyDecision
- type PolicyDecisionAction
- type PolicyDecisionEvaluation
- type TypeChecker
- func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alpha1.ExpressionWarning
- func (c *TypeChecker) CheckExpressions(expressions []string, hasParams bool, policy *v1alpha1.ValidatingAdmissionPolicy) []string
- type ValidateResult
- type ValidationCondition
- func (v *ValidationCondition) GetExpression() string
- func (v *ValidationCondition) ReturnTypes() []*celgo.Type
- type Validator
Constants ¶
const ( // PluginName indicates the name of admission plug-in PluginName = "ValidatingAdmissionPolicy" )
Functions ¶
func NewPlugin ¶
func Register ¶
Register registers a plugin
Types ¶
type AuditAnnotationCondition ¶
AuditAnnotationCondition contains the inputs needed to compile, evaluate and publish a cel audit annotation
func (*AuditAnnotationCondition) GetExpression ¶
func (v *AuditAnnotationCondition) GetExpression() string
func (*AuditAnnotationCondition) ReturnTypes ¶
func (v *AuditAnnotationCondition) ReturnTypes() []*celgo.Type
type CELPolicyEvaluator ¶
type CELPolicyEvaluator interface {
admission.InitializationValidator
Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error
HasSynced() bool
Run(stopCh <-chan struct{})
}
func NewAdmissionController ¶
func NewAdmissionController( informerFactory informers.SharedInformerFactory, client kubernetes.Interface, restMapper meta.RESTMapper, schemaResolver resolver.SchemaResolver, dynamicClient dynamic.Interface, authz authorizer.Authorizer, ) CELPolicyEvaluator
type Matcher ¶
type Matcher interface {
admission.InitializationValidator
// DefinitionMatches says whether this policy definition matches the provided admission
// resource request
DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error)
// BindingMatches says whether this policy definition matches the provided admission
// resource request
BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error)
}
Matcher is used for matching ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding to attributes
func NewMatcher ¶
type MessageExpressionCondition ¶
type MessageExpressionCondition struct {
MessageExpression string
}
func (*MessageExpressionCondition) GetExpression ¶
func (m *MessageExpressionCondition) GetExpression() string
func (*MessageExpressionCondition) ReturnTypes ¶
func (m *MessageExpressionCondition) ReturnTypes() []*celgo.Type
type PolicyAuditAnnotation ¶
type PolicyAuditAnnotation struct {
Key string
Value string
Elapsed time.Duration
Action PolicyAuditAnnotationAction
Error string
}
type PolicyAuditAnnotationAction ¶
type PolicyAuditAnnotationAction string
const ( // AuditAnnotationActionPublish indicates that the audit annotation should be // published with the audit event. AuditAnnotationActionPublish PolicyAuditAnnotationAction = "publish" // AuditAnnotationActionError indicates that the valueExpression resulted // in an error. AuditAnnotationActionError PolicyAuditAnnotationAction = "error" // AuditAnnotationActionExclude indicates that the audit annotation should be excluded // because the valueExpression evaluated to null, or because FailurePolicy is Ignore // and the expression failed with a parse error, type check error, or runtime error. AuditAnnotationActionExclude PolicyAuditAnnotationAction = "exclude" )
type PolicyDecision ¶
type PolicyDecision struct {
Action PolicyDecisionAction
Evaluation PolicyDecisionEvaluation
Message string
Reason metav1.StatusReason
Elapsed time.Duration
}
PolicyDecision contains the action determined from a cel evaluation along with metadata such as message, reason and duration
type PolicyDecisionAction ¶
type PolicyDecisionAction string
const ( ActionAdmit PolicyDecisionAction = "admit" ActionDeny PolicyDecisionAction = "deny" )
type PolicyDecisionEvaluation ¶
type PolicyDecisionEvaluation string
const ( EvalAdmit PolicyDecisionEvaluation = "admit" EvalError PolicyDecisionEvaluation = "error" EvalDeny PolicyDecisionEvaluation = "deny" )
type TypeChecker ¶
type TypeChecker struct {
// contains filtered or unexported fields
}
func (*TypeChecker) Check ¶
func (c *TypeChecker) Check(policy *v1alpha1.ValidatingAdmissionPolicy) []v1alpha1.ExpressionWarning
Check preforms the type check against the given policy, and format the result as []ExpressionWarning that is ready to be set in policy.Status The result is nil if type checking returns no warning. The policy object is NOT mutated. The caller should update Status accordingly
func (*TypeChecker) CheckExpressions ¶
func (c *TypeChecker) CheckExpressions(expressions []string, hasParams bool, policy *v1alpha1.ValidatingAdmissionPolicy) []string
CheckExpressions checks a set of compiled CEL programs against the GVKs defined in policy.Spec.MatchConstraints The result is a human-readable form that describe which expressions violate what types at what place. The indexes of the return []string matches these of the input expressions. TODO: It is much more useful to have machine-readable output and let the client format it. That requires an update to the KEP, probably in coming releases.
type ValidateResult ¶
type ValidateResult struct {
// Decisions specifies the outcome of the validation as well as the details about the decision.
Decisions []PolicyDecision
// AuditAnnotations specifies the audit annotations that should be recorded for the validation.
AuditAnnotations []PolicyAuditAnnotation
}
ValidateResult defines the result of a Validator.Validate operation.
type ValidationCondition ¶
type ValidationCondition struct {
Expression string
Message string
Reason *metav1.StatusReason
}
ValidationCondition contains the inputs needed to compile, evaluate and validate a cel expression
func (*ValidationCondition) GetExpression ¶
func (v *ValidationCondition) GetExpression() string
func (*ValidationCondition) ReturnTypes ¶
func (v *ValidationCondition) ReturnTypes() []*celgo.Type
type Validator ¶
type Validator interface {
// Validate is used to take cel evaluations and convert into decisions
// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
Validate(ctx context.Context, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, runtimeCELCostBudget int64) ValidateResult
}
Validator is contains logic for converting ValidationEvaluation to PolicyDecisions
func NewValidator ¶
func NewValidator(validationFilter cel.Filter, celMatcher matchconditions.Matcher, auditAnnotationFilter, messageFilter cel.Filter, failPolicy *v1.FailurePolicyType, authorizer authorizer.Authorizer) Validator
Source Files ¶
admission.go controller.go controller_reconcile.go initializer.go interface.go matcher.go message.go policy_decision.go typechecking.go validator.go
Directories ¶
| Path | Synopsis |
|---|---|
| pkg/admission/plugin/validatingadmissionpolicy/internal | |
| pkg/admission/plugin/validatingadmissionpolicy/matching |
- Version
- v0.27.9
- Published
- Dec 20, 2023
- Platform
- js/wasm
- Imports
- 52 packages
- Last checked
- 4 minutes ago –
Tools for package owners.