This section is empty.


This section is empty.


func NewUnrecognizedConstraintError

func NewUnrecognizedConstraintError(text string) error


type Backend

type Backend struct {
	// contains filtered or unexported fields

func NewBackend

func NewBackend(opts ...BackendOpt) (*Backend, error)

NewBackend creates a new backend. A backend could be a connection to a remote server or a new local OPA instance.

func (*Backend) NewClient

func (b *Backend) NewClient(opts ...ClientOpt) (*Client, error)

NewClient creates a new client for the supplied backend

type BackendOpt

type BackendOpt func(*Backend)

func Driver

func Driver(d drivers.Driver) BackendOpt

type Client

type Client struct {
	// contains filtered or unexported fields

func (*Client) AddConstraint

func (c *Client) AddConstraint(ctx context.Context, constraint *unstructured.Unstructured) (*types.Responses, error)

AddConstraint validates the constraint and, if valid, inserts it into OPA

func (*Client) AddData

func (c *Client) AddData(ctx context.Context, data interface{}) (*types.Responses, error)

AddData inserts the provided data into OPA for every target that can handle the data.

func (*Client) AddTemplate

func (c *Client) AddTemplate(ctx context.Context, templ *templates.ConstraintTemplate) (*types.Responses, error)

AddTemplate adds the template source code to OPA and registers the CRD with the client for schema validation on calls to AddConstraint. It also returns a copy of the CRD describing the constraint.

func (*Client) Audit

func (c *Client) Audit(ctx context.Context, opts ...QueryOpt) (*types.Responses, error)

Audit makes sure the cached state of the system satisfies all stored constraints

func (*Client) CreateCRD

CreateCRD creates a CRD from template

func (*Client) Dump

func (c *Client) Dump(ctx context.Context) (string, error)

Dump dumps the state of OPA to aid in debugging

func (*Client) RemoveConstraint

func (c *Client) RemoveConstraint(ctx context.Context, constraint *unstructured.Unstructured) (*types.Responses, error)

RemoveConstraint removes a constraint from OPA

func (*Client) RemoveData

func (c *Client) RemoveData(ctx context.Context, data interface{}) (*types.Responses, error)

RemoveData removes data from OPA for every target that can handle the data.

func (*Client) RemoveTemplate

func (c *Client) RemoveTemplate(ctx context.Context, templ *templates.ConstraintTemplate) (*types.Responses, error)

RemoveTemplate removes the template source code from OPA and removes the CRD from the validation registry.

func (*Client) Reset

func (c *Client) Reset(ctx context.Context) error

Reset the state of OPA

func (*Client) Review

func (c *Client) Review(ctx context.Context, obj interface{}, opts ...QueryOpt) (*types.Responses, error)

Review makes sure the provided object satisfies all stored constraints

func (*Client) ValidateConstraint

func (c *Client) ValidateConstraint(ctx context.Context, constraint *unstructured.Unstructured) error

ValidateConstraint returns an error if the constraint is not recognized or does not conform to the registered CRD for that constraint.

type ClientOpt

type ClientOpt func(*Client) error

func AllowedDataFields

func AllowedDataFields(fields ...string) ClientOpt

AllowedDataFields sets the fields under `data` that Rego in ConstraintTemplates can access. If unset, all fields can be accessed. Only fields recognized by the system can be enabled.

func Targets

func Targets(ts ...TargetHandler) ClientOpt

type ErrorMap

type ErrorMap map[string]error

func (ErrorMap) Error

func (e ErrorMap) Error() string

type Errors

type Errors []error

Errors is a list of error.

func (Errors) Error

func (errs Errors) Error() string

Error implements error.

type MatchSchemaProvider

type MatchSchemaProvider interface {
	// MatchSchema returns the JSON Schema for the `match` field of a constraint
	MatchSchema() apiextensions.JSONSchemaProps

type Probe

type Probe struct {
	// contains filtered or unexported fields

func NewProbe

func NewProbe(d drivers.Driver) (*Probe, error)

func (*Probe) TestFuncs

func (p *Probe) TestFuncs() map[string]func() error

type QueryOpt

type QueryOpt func(*queryCfg)

func Tracing

func Tracing(enabled bool) QueryOpt

type TargetHandler

type TargetHandler interface {

	GetName() string

	// Library returns the pieces of Rego code required to stitch together constraint evaluation
	// for the target. Current required libraries are `matching_constraints` and
	// `matching_reviews_and_constraints`
	// Libraries are currently templates that have the following parameters:
	//   ConstraintsRoot: The root path under which all constraints for the target are stored
	//   DataRoot: The root path under which all data for the target is stored
	Library() *template.Template

	// ProcessData takes a potential data object and returns:
	//   true if the target handles the data type
	//   the path under which the data should be stored in OPA
	//   the data in an object that can be cast into JSON, suitable for storage in OPA
	ProcessData(interface{}) (bool, string, interface{}, error)

	// HandleReview takes a potential review request and builds the `review` field of the input
	// object. it returns:
	//		true if the target handles the data type
	//		the data for the `review` field
	HandleReview(interface{}) (bool, interface{}, error)

	// HandleViolation allows for post-processing of the result object, which can be mutated directly
	HandleViolation(result *types.Result) error

	// ValidateConstraint returns if the constraint is misconfigured in any way. This allows for
	// non-trivial validation of things like match schema
	ValidateConstraint(*unstructured.Unstructured) error

type UnrecognizedConstraintError

type UnrecognizedConstraintError struct {
	// contains filtered or unexported fields

func (*UnrecognizedConstraintError) Error


Path Synopsis