package api
import "k8s.io/pod-security-admission/api"
Package api contains constants and helpers for the PodSecurity admission label keys and values.
Index ¶
- Constants
- func CompareLevels(a, b Level) int
- type Attributes
- type AttributesRecord
- func (a *AttributesRecord) GetKind() schema.GroupVersionKind
- func (a *AttributesRecord) GetName() string
- func (a *AttributesRecord) GetNamespace() string
- func (a *AttributesRecord) GetObject() (runtime.Object, error)
- func (a *AttributesRecord) GetOldObject() (runtime.Object, error)
- func (a *AttributesRecord) GetOperation() admissionv1.Operation
- func (a *AttributesRecord) GetResource() schema.GroupVersionResource
- func (a *AttributesRecord) GetSubresource() string
- func (a *AttributesRecord) GetUserName() string
- type Level
- type LevelVersion
- type Policy
- func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.ErrorList)
- func (p *Policy) Equivalent(other *Policy) bool
- func (p *Policy) FullyPrivileged() bool
- func (p *Policy) String() string
- type Version
- func GetAPIVersion() Version
- func LatestVersion() Version
- func MajorMinorVersion(major, minor int) Version
- func ParseVersion(version string) (Version, error)
- func (v *Version) Latest() bool
- func (v *Version) Major() int
- func (v *Version) Minor() int
- func (v *Version) Older(other Version) bool
- func (v Version) String() string
Constants ¶
const (
	// Namespace label keys consumed by PodSecurity admission, one level/version pair per mode.
	// labelPrefix is declared outside this view.
	EnforceLevelLabel   = labelPrefix + "enforce"
	EnforceVersionLabel = labelPrefix + "enforce-version"
	AuditLevelLabel     = labelPrefix + "audit"
	AuditVersionLabel   = labelPrefix + "audit-version"
	WarnLevelLabel      = labelPrefix + "warn"
	WarnVersionLabel    = labelPrefix + "warn-version"

	// Audit annotation key suffixes; presumably joined with AuditAnnotationPrefix
	// by the caller — confirm against the helpers in this package.
	ExemptionReasonAnnotationKey = "exempt"
	AuditViolationsAnnotationKey = "audit-violations"
	EnforcedPolicyAnnotationKey  = "enforce-policy"
)
const AuditAnnotationPrefix = labelPrefix
const VersionLatest = "latest"
Functions ¶
func CompareLevels ¶
CompareLevels returns an integer comparing two levels by strictness. The result will be 0 if a==b, -1 if a is less strict than b, and +1 if a is more strict than b.
Types ¶
type Attributes ¶
// Attributes exposes the admission request parameters consumed by the PodSecurity admission controller.
type Attributes interface {
	// GetName is the name of the object associated with the request.
	GetName() string
	// GetNamespace is the namespace associated with the request (if any)
	GetNamespace() string
	// GetResource is the name of the resource being requested. This is not the kind. For example: pods
	GetResource() schema.GroupVersionResource
	// GetKind is the name of the kind being requested. For example: Pod
	GetKind() schema.GroupVersionKind
	// GetSubresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.
	// For instance, /pods has the resource "pods" and the kind "Pod", while /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod"
	// (because status operates on pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource "binding", and kind "Binding".
	GetSubresource() string
	// GetOperation is the operation being performed
	GetOperation() admissionv1.Operation
	// GetObject returns the typed Object from incoming request.
	// For objects in the core API group, the result must use the v1 API.
	GetObject() (runtime.Object, error)
	// GetOldObject returns the typed existing object. Only populated for UPDATE requests.
	// For objects in the core API group, the result must use the v1 API.
	GetOldObject() (runtime.Object, error)
	// GetUserName is the requesting user's authenticated name.
	GetUserName() string
}
Attributes exposes the admission request parameters consumed by the PodSecurity admission controller.
func RequestAttributes ¶
func RequestAttributes(request *admissionv1.AdmissionRequest, decoder runtime.Decoder) Attributes
RequestAttributes adapts an admission.Request to the Attributes interface.
type AttributesRecord ¶
// AttributesRecord is a simple struct implementing the Attributes interface.
// Its fields mirror the Attributes getters one-to-one; the Get* methods
// presumably return the corresponding field unchanged — confirm in attributes.go.
type AttributesRecord struct {
	Name        string
	Namespace   string
	Kind        schema.GroupVersionKind
	Resource    schema.GroupVersionResource
	Subresource string
	Operation   admissionv1.Operation
	Object      runtime.Object
	// OldObject is only meaningful for UPDATE requests (see Attributes.GetOldObject).
	OldObject runtime.Object
	Username  string
}
AttributesRecord is a simple struct implementing the Attributes interface.
func (*AttributesRecord) GetKind ¶
func (a *AttributesRecord) GetKind() schema.GroupVersionKind
func (*AttributesRecord) GetName ¶
func (a *AttributesRecord) GetName() string
func (*AttributesRecord) GetNamespace ¶
func (a *AttributesRecord) GetNamespace() string
func (*AttributesRecord) GetObject ¶
func (a *AttributesRecord) GetObject() (runtime.Object, error)
func (*AttributesRecord) GetOldObject ¶
func (a *AttributesRecord) GetOldObject() (runtime.Object, error)
func (*AttributesRecord) GetOperation ¶
func (a *AttributesRecord) GetOperation() admissionv1.Operation
func (*AttributesRecord) GetResource ¶
func (a *AttributesRecord) GetResource() schema.GroupVersionResource
func (*AttributesRecord) GetSubresource ¶
func (a *AttributesRecord) GetSubresource() string
func (*AttributesRecord) GetUserName ¶
func (a *AttributesRecord) GetUserName() string
type Level ¶
// Level is a PodSecurity policy level. Use ParseLevel to obtain one from
// untrusted label input and Valid to check a value; CompareLevels orders
// levels by strictness.
type Level string

const (
	LevelPrivileged Level = "privileged"
	LevelBaseline   Level = "baseline"
	LevelRestricted Level = "restricted"
)
func ParseLevel ¶
ParseLevel returns the level that should be evaluated. level must be "privileged", "baseline", or "restricted". If level does not match one of those strings, "restricted" and an error are returned.
func (*Level) Valid ¶
Valid checks whether the level l is a valid level.
type LevelVersion ¶
func (*LevelVersion) Equivalent ¶
func (lv *LevelVersion) Equivalent(other *LevelVersion) bool
Equivalent determines whether two LevelVersions are functionally equivalent. LevelVersions are considered equivalent if both are privileged, or both levels & versions are equal.
func (LevelVersion) String ¶
func (lv LevelVersion) String() string
type Policy ¶
// Policy holds the resolved LevelVersion for each of the three PodSecurity
// modes. PolicyToEvaluate builds it from namespace labels; presumably each
// field comes from the matching *LevelLabel/*VersionLabel pair — confirm in helpers.go.
type Policy struct {
	Enforce LevelVersion
	Audit   LevelVersion
	Warn    LevelVersion
}
func PolicyToEvaluate ¶
PolicyToEvaluate resolves the PodSecurity namespace labels to the policy for that namespace, falling back to the provided defaults when a label is unspecified. A valid policy is always returned, even when an error is returned: if a label cannot be parsed correctly, the values "restricted" and "latest" are used for its level and version respectively.
func (*Policy) Equivalent ¶
Equivalent determines whether two policies are functionally equivalent. Policies are considered equivalent if all 3 modes are considered equivalent.
func (*Policy) FullyPrivileged ¶
FullyPrivileged returns true if all 3 policy modes are privileged.
func (*Policy) String ¶
type Version ¶
// Version is a PodSecurity policy version. Its fields are unexported, so
// values are obtained through LatestVersion, MajorMinorVersion, ParseVersion
// or GetAPIVersion.
type Version struct {
	// contains filtered or unexported fields
}
func GetAPIVersion ¶
func GetAPIVersion() Version
GetAPIVersion gets the version of the API server and returns it as a major and minor version.
func LatestVersion ¶
func LatestVersion() Version
func MajorMinorVersion ¶
func ParseVersion ¶
ParseVersion returns the policy version that should be evaluated. version must be "latest" or "v1.x". If version does not match one of those patterns, the latest version and an error are returned.
func (*Version) Latest ¶
func (*Version) Major ¶
func (*Version) Minor ¶
func (*Version) Older ¶
Older returns true if this version v is older than the other.
func (Version) String ¶
Source Files ¶
attributes.go constants.go doc.go helpers.go