pod-security-admissionk8s.io/pod-security-admission/admission Index | Files | Directories

package admission

import "k8s.io/pod-security-admission/admission"

Package admission contains PodSecurity admission logic

Index

Types

type Admission 

type Admission struct {
	Configuration *admissionapi.PodSecurityConfiguration

	// Getting policy checks per level/version
	Evaluator policy.Evaluator

	// Metrics
	Metrics metrics.Recorder

	// Arbitrary object --> PodSpec
	PodSpecExtractor PodSpecExtractor

	// API connections
	NamespaceGetter NamespaceGetter
	PodLister       PodLister
	// contains filtered or unexported fields
}

Admission implements the core admission logic for the Pod Security Admission controller. The admission logic can be

func (*Admission) CompleteConfiguration 

func (a *Admission) CompleteConfiguration() error

CompleteConfiguration sets up default or derived configuration.

func (*Admission) EvaluatePod 

func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, attrs api.Attributes, enforce bool) *admissionv1.AdmissionResponse

EvaluatePod evaluates the given policy against the given pod(-like) object. The enforce policy is only checked if enforce=true. The returned response may be shared between evaluations and must not be mutated.

func (*Admission) EvaluatePodsInNamespace 

func (a *Admission) EvaluatePodsInNamespace(ctx context.Context, namespace string, enforce api.LevelVersion) []string

func (*Admission) PolicyToEvaluate 

func (a *Admission) PolicyToEvaluate(labels map[string]string) (api.Policy, field.ErrorList)

func (*Admission) Validate 

func (a *Admission) Validate(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse

Validate admits an API request. The objects in admission attributes are expected to be external v1 objects that we care about. The returned response may be shared and must not be mutated.

func (*Admission) ValidateConfiguration 

func (a *Admission) ValidateConfiguration() error

ValidateConfiguration ensures all required fields are set with valid values.

func (*Admission) ValidateNamespace 

func (a *Admission) ValidateNamespace(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse

ValidateNamespace evaluates a namespace create or update request to ensure the pod security labels are valid, and checks existing pods in the namespace for violations of the new policy when updating the enforce level on a namespace. The returned response may be shared between evaluations and must not be mutated.

func (*Admission) ValidatePod 

func (a *Admission) ValidatePod(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse

ValidatePod evaluates a pod create or update request against the effective policy for the namespace. The returned response may be shared between evaluations and must not be mutated.

func (*Admission) ValidatePodController 

func (a *Admission) ValidatePodController(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse

ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace. The returned response may be shared between evaluations and must not be mutated.

type DefaultPodSpecExtractor 

type DefaultPodSpecExtractor struct{}

func (DefaultPodSpecExtractor) ExtractPodSpec 

func (DefaultPodSpecExtractor) ExtractPodSpec(obj runtime.Object) (*metav1.ObjectMeta, *corev1.PodSpec, error)

func (DefaultPodSpecExtractor) HasPodSpec 

func (DefaultPodSpecExtractor) HasPodSpec(gr schema.GroupResource) bool

func (DefaultPodSpecExtractor) PodSpecResources 

func (DefaultPodSpecExtractor) PodSpecResources() []schema.GroupResource

type NamespaceGetter 

type NamespaceGetter interface {
	GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error)
}

func NamespaceGetterFromClient 

func NamespaceGetterFromClient(client kubernetes.Interface) NamespaceGetter

func NamespaceGetterFromListerAndClient 

func NamespaceGetterFromListerAndClient(lister corev1listers.NamespaceLister, client kubernetes.Interface) NamespaceGetter

type PodLister 

type PodLister interface {
	ListPods(ctx context.Context, namespace string) ([]*corev1.Pod, error)
}

func PodListerFromClient 

func PodListerFromClient(client kubernetes.Interface) PodLister

PodListerFromClient returns a PodLister that does live lists using the provided client.

func PodListerFromInformer 

func PodListerFromInformer(lister corev1listers.PodLister) PodLister

PodListerFromInformer returns a PodLister that does cached lists using the provided lister.

type PodSpecExtractor 

type PodSpecExtractor interface {
	// HasPodSpec returns true if the given resource type MAY contain an extractable PodSpec.
	HasPodSpec(schema.GroupResource) bool
	// ExtractPodSpec returns a pod spec and metadata to evaluate from the object.
	// An error returned here does not block admission of the pod-spec-containing object and is not returned to the user.
	// If the object has no pod spec, return `nil, nil, nil`.
	ExtractPodSpec(runtime.Object) (*metav1.ObjectMeta, *corev1.PodSpec, error)
}

PodSpecExtractor extracts a PodSpec from pod-controller resources that embed a PodSpec. This interface can be extended to enforce policy on CRDs for custom pod-controllers.

Source Files

admission.go doc.go namespace.go pods.go response.go

Directories

PathSynopsis
admission/apiPackage api contains PodSecurity admission configuration file types
admission/api/load
admission/api/scheme
admission/api/v1Package v1 contains PodSecurity admission configuration file types
admission/api/v1alpha1Package v1alpha1 contains PodSecurity admission configuration file types
admission/api/v1beta1Package v1beta1 contains PodSecurity admission configuration file types
admission/api/validation
Version
v0.32.2 (latest)
Published
Feb 13, 2025
Platform
linux/amd64
Imports
25 packages
Last checked
3 months ago

Tools for package owners.