package cel
import "k8s.io/apiserver/pkg/authorization/cel"
Index ¶
- func RegisterMetrics()
- func ResetMetricsForTest()
- type CELMatcher
- func (c *CELMatcher) Eval(ctx context.Context, r *authorizationv1.SubjectAccessReview) (bool, error)
- type CompilationResult
- type Compiler
- type EvaluationResult
- type ExpressionAccessor
- type MatcherMetrics
- type NoopMatcherMetrics
- func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration)
- func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string)
- func (NoopMatcherMetrics) RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string)
- type SubjectAccessReviewMatchCondition
Functions ¶
func RegisterMetrics ¶
func RegisterMetrics()
func ResetMetricsForTest ¶
func ResetMetricsForTest()
Types ¶
type CELMatcher ¶
// CELMatcher bundles the compiled matchCondition expressions that Eval runs
// against a SubjectAccessReview, together with optional metrics reporting.
type CELMatcher struct {
// CompilationResults holds the compiled authorization CEL expressions.
CompilationResults []CompilationResult
// These track if any expressions use fieldSelector and labelSelector,
// so construction of data passed to the CEL expression can be optimized if those fields are unused.
// NOTE(review): presumably each flag must be true whenever any entry in
// CompilationResults sets the matching flag; otherwise an expression could be
// evaluated without the selector data it reads. Confirm against the code that
// builds the matcher.
UsesLabelSelector bool
UsesFieldSelector bool
// These are optional fields which can be populated if metrics reporting is desired
// NOTE(review): Metrics is an interface, so its zero value is nil; confirm that
// Eval tolerates a nil Metrics before relying on "optional".
Metrics MatcherMetrics
// AuthorizerType and AuthorizerName correspond to the authorizerType and
// authorizerName parameters of the MatcherMetrics methods; presumably they
// identify the authorizer in reported metrics (TODO confirm).
AuthorizerType string
AuthorizerName string
}
func (*CELMatcher) Eval ¶
func (c *CELMatcher) Eval(ctx context.Context, r *authorizationv1.SubjectAccessReview) (bool, error)
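Eval evaluates the given SubjectAccessReview against all CEL matchCondition expressions. The boolean result is meaningful only when the returned error is nil; how an evaluation error affects the authorization decision is left to the caller.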
type CompilationResult ¶
// CompilationResult carries one compiled CEL expression and the metadata
// recorded for it at compile time.
type CompilationResult struct {
// Program is the compiled CEL program.
Program cel.Program
// ExpressionAccessor is the accessor associated with Program; presumably the
// one passed to Compiler.CompileCELExpression (verify against the compiler).
ExpressionAccessor ExpressionAccessor
// These track if a given expression uses fieldSelector and labelSelector,
// so construction of data passed to the CEL expression can be optimized if those fields are unused.
UsesFieldSelector bool
UsesLabelSelector bool
}
CompilationResult represents a compiled authorization cel expression.
type Compiler ¶
// Compiler turns an ExpressionAccessor into a CompilationResult.
type Compiler interface {
// CompileCELExpression compiles the expression exposed by expressionAccessor.
// When the returned error is non-nil the CompilationResult should not be used.
// NOTE(review): which checks are applied at compile time (syntax, types,
// return type) is not visible here; confirm in the implementation.
CompileCELExpression(expressionAccessor ExpressionAccessor) (CompilationResult, error)
}
Compiler is an interface for compiling CEL expressions with the desired environment mode.
func NewCompiler ¶
func NewCompiler(env *environment.EnvSet) Compiler
NewCompiler returns a new Compiler.
func NewDefaultCompiler ¶
func NewDefaultCompiler() Compiler
NewDefaultCompiler returns a new Compiler following the default compatibility version. Note: constructing the compiler requires that feature gates and the compatibility version have already been initialized.
type EvaluationResult ¶
// EvaluationResult pairs the value produced by evaluating one expression with
// an ExpressionAccessor for that expression.
type EvaluationResult struct {
// EvalResult is the CEL value produced by the evaluation.
// NOTE(review): ref.Val is not limited to booleans; a consumer that derives an
// authorization decision from it should check the value's type first. Confirm
// how callers handle a non-bool result.
EvalResult ref.Val
// ExpressionAccessor is presumably the accessor of the evaluated expression
// (TODO confirm).
ExpressionAccessor ExpressionAccessor
}
EvaluationResult contains the minimal required fields and metadata of a CEL evaluation.
type ExpressionAccessor ¶
type MatcherMetrics ¶
// MatcherMetrics is the set of hooks through which matchCondition evaluation
// outcomes are reported for a given authorizer type and name.
type MatcherMetrics interface {
// RecordAuthorizationMatchConditionEvaluation records the total time taken to evaluate matchConditions for an Authorize() call to the given authorizer.
RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration)
// RecordAuthorizationMatchConditionEvaluationFailure increments if any evaluation error was encountered while evaluating matchConditions for an Authorize() call to the given authorizer.
// How such a failure affects the authorization decision is not visible here, so a rising count is worth monitoring.
RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string)
// RecordAuthorizationMatchConditionExclusion increments when at least one matchCondition evaluates to false and excludes an Authorize() call to the given authorizer.
RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string)
}
MatcherMetrics defines methods for reporting matchCondition metrics
func NewMatcherMetrics ¶
func NewMatcherMetrics() MatcherMetrics
type NoopMatcherMetrics ¶
// NoopMatcherMetrics is an empty struct that carries the three MatcherMetrics
// methods. The name suggests they record nothing; the method bodies are not
// shown here, so confirm before relying on that.
type NoopMatcherMetrics struct{}
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluation ¶
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration)
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure ¶
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string)
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionExclusion ¶
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string)
type SubjectAccessReviewMatchCondition ¶
// SubjectAccessReviewMatchCondition wraps the source text of a single CEL
// expression.
type SubjectAccessReviewMatchCondition struct {
// Expression is the CEL source text; presumably what GetExpression returns
// (method body not shown, confirm).
// NOTE(review): presumably this comes from authorizer configuration. Because
// matchConditions influence authorization, it should only be populated from a
// trusted configuration source; verify against callers.
Expression string
}
SubjectAccessReviewMatchCondition is a CEL expression that maps a SubjectAccessReview request to a list of values.
func (*SubjectAccessReviewMatchCondition) GetExpression ¶
func (v *SubjectAccessReviewMatchCondition) GetExpression() string
func (*SubjectAccessReviewMatchCondition) ReturnTypes ¶
func (v *SubjectAccessReviewMatchCondition) ReturnTypes() []*celgo.Type
Source Files ¶
compile.go interface.go matcher.go metrics.go
- Version
- v0.36.0 (latest)
- Published
- Apr 22, 2026
- Platform
- linux/amd64
- Imports
- 17 packages