Functions ¶
func IsExempt ¶
func IsExempt(resourceName string, namespace string, userInfo authenticationv1.UserInfo, policyName string, exemptions []CompiledExemption) bool
IsExempt returns whether a resource is exempt from a given policy
Types ¶
type AnnotationConfig ¶
// AnnotationConfig defines a single annotation config: one annotation key
// together with the values a resource may set it to. It is consumed through
// Config.PolicyRequireServiceLoadBalancerAnnotations.
type AnnotationConfig struct {
	// Annotation is the annotation key this config applies to.
	Annotation string `json:"annotation"`
	// AllowedValues lists the values accepted for Annotation.
	// NOTE(review): how an empty list is treated (allow-all vs. allow-none) is
	// decided by the consuming policy and is not visible here — confirm.
	AllowedValues []string `json:"allowed_values"`
	// AllowMissing, when true, accepts a resource that does not carry
	// Annotation at all; when false the annotation must be present.
	AllowMissing bool `json:"allow_missing"`
}
AnnotationConfig defines a single annotation config
type CompiledExemption ¶
// CompiledExemption is the compiled configuration for a policy exemption: the
// glob-compiled form of RawExemption (produced by RawExemption.Compile) that
// IsExempt evaluates against the resource under review and the requesting user.
type CompiledExemption struct {
	// ResourceName is matched against the name of the resource under review.
	ResourceName glob.Glob
	// Namespace is matched against the resource's namespace.
	Namespace glob.Glob
	// Username is matched against the requesting user's name.
	Username glob.Glob
	// Group is matched against the requesting user's groups.
	Group glob.Glob
	// ExemptPolicies holds the names of the policies this exemption lifts.
	// NOTE(review): whether every field must match (AND) or one match suffices
	// is decided inside IsExempt and is not visible here; confirm before relying
	// on a single narrow field to scope an exemption, since a broad glob in any
	// other field widens what is exempted.
	ExemptPolicies []glob.Glob
}
CompiledExemption is the compiled configuration for a policy exemption
func ExemptionsFromDirectory ¶
func ExemptionsFromDirectory(directory string) ([]CompiledExemption, error)
ExemptionsFromDirectory returns compiled exemptions from a given directory
func ExemptionsFromYAML ¶
func ExemptionsFromYAML(exemptions []byte) ([]CompiledExemption, error)
ExemptionsFromYAML returns compiled exemptions from YAML input
type Config ¶
// Config contains configuration for Policies. It is decoded from JSON using the
// field tags below; the tag names are the keys a config file must use.
type Config struct {
	// PolicyRequireIngressExemptionClasses contains the Ingress classes that an exemption is required for
	// to use. Typically this would include your public ingress classes.
	PolicyRequireIngressExemptionClasses []string `json:"policy_require_ingress_exemption_classes"`
	// PolicyRequireServiceLoadBalancerAnnotations contains the Service load-balancer annotations that are
	// allowed with this policy, one AnnotationConfig per annotation key.
	PolicyRequireServiceLoadBalancerAnnotations []*AnnotationConfig `json:"policy_require_service_loadbalancer_annotations"`
	// PolicyTrustedRepositoryRegexes contains regexes that match image repositories that you want to allow.
	// NOTE(review): whether a regex is anchored or matched as a substring is decided by the consuming policy
	// and is not visible here; an unanchored pattern can match more repositories than intended, so anchor
	// patterns explicitly in config.
	PolicyTrustedRepositoryRegexes []string `json:"policy_trusted_repository_regexes"`
	// PolicyDefaultSeccompPolicy contains the seccomp policy that you want to be applied on Pods by default.
	// Defaults to 'runtime/default'
	PolicyDefaultSeccompPolicy string `json:"policy_default_seccomp_policy"`
	// PolicyImagePullPolicy contains the images that need to be forced to a specific ImagePullPolicy.
	// NOTE(review): which side of the map is the pull policy and which is the image list is not visible
	// here — confirm against the consuming policy. The JSON key is "mutate_image_pull_policy", which does not
	// follow the field name; keep it as-is for config compatibility.
	PolicyImagePullPolicy map[string][]string `json:"mutate_image_pull_policy"`
	// MutateEmptyDirSizeLimit holds the default and maximum size limits presumably applied to emptyDir
	// volumes; see the MutateEmptyDirSizeLimit type, which has its own UnmarshalJSON.
	MutateEmptyDirSizeLimit MutateEmptyDirSizeLimit `json:"mutate_empty_dir_size_limit"`
}
Config contains configuration for Policies
type MutateEmptyDirSizeLimit ¶
// MutateEmptyDirSizeLimit holds the size limits used by the emptyDir size-limit
// mutation, as resource quantities. It is decoded through its own UnmarshalJSON
// rather than the default struct decoding.
type MutateEmptyDirSizeLimit struct {
	// MaximumSizeLimit is the largest size limit permitted.
	MaximumSizeLimit apiresource.Quantity `json:"maximum_size_limit"`
	// DefaultSizeLimit is the size limit applied when none is specified.
	// NOTE(review): how a DefaultSizeLimit larger than MaximumSizeLimit is
	// handled is not visible here — confirm in UnmarshalJSON or the mutation.
	DefaultSizeLimit apiresource.Quantity `json:"default_size_limit"`
}
func (*MutateEmptyDirSizeLimit) UnmarshalJSON ¶
func (m *MutateEmptyDirSizeLimit) UnmarshalJSON(value []byte) error
type PatchOperation ¶
// PatchOperation is used for specifying mutating patches on resources. It
// follows the JSON Patch format (http://jsonpatch.com/), which is what
// MutatingWebhookConfigurations require.
type PatchOperation struct {
	// Op is the JSON Patch operation (e.g. "add", "replace", "remove").
	Op string `json:"op"`
	// Path is the JSON Pointer to the field the operation targets.
	Path string `json:"path"`
	// Value is the operand for ops that take one; it is omitted from the
	// encoded patch when nil (hence omitempty), as required for ops such as remove.
	Value interface{} `json:"value,omitempty"`
}
PatchOperation is used for specifying mutating patches on resources. It follows the JSON Patch format (http://jsonpatch.com/). This is the format that MutatingWebhookConfigurations require.
type RawExemption ¶
// RawExemption is the configuration for a policy exemption as read from JSON or
// YAML. Each string field is a glob pattern; Compile turns them into the
// glob.Glob fields of CompiledExemption.
type RawExemption struct {
	// ResourceName is a glob matched against the resource name.
	ResourceName string `json:"resource_name"`
	// Namespace is a glob matched against the resource namespace.
	Namespace string `json:"namespace"`
	// Username is a glob matched against the requesting user's name.
	Username string `json:"username"`
	// Group is a glob matched against the requesting user's groups.
	Group string `json:"group"`
	// ExemptPolicies lists globs for the policy names this exemption lifts.
	// NOTE(review): an empty string or wildcard in any field presumably widens
	// the exemption; how Compile treats an empty field is not visible here.
	ExemptPolicies []string `json:"exempt_policies"`
}
RawExemption is the configuration for a policy exemption
func (*RawExemption) Compile ¶
func (r *RawExemption) Compile() CompiledExemption
Compile returns a CompiledExemption
type ResourceViolation ¶
// ResourceViolation contains information needed to report and track violations,
// as well as checking for exemptions. HumanString renders it for display.
type ResourceViolation struct {
	// ResourceName is the name of the offending resource.
	ResourceName string
	// ResourceKind is the Kubernetes kind of the resource (e.g. Pod, Ingress).
	ResourceKind string
	// Namespace is the namespace of the offending resource.
	Namespace string
	// Violation describes the rule that was broken.
	Violation string
	// Policy names the policy that produced this violation.
	Policy string
	// Error carries an underlying error, if any; how callers use it is not
	// visible here.
	Error error
}
ResourceViolation contains information needed to report and track violations, as well as checking for exemptions
func (ResourceViolation) HumanString ¶
func (r ResourceViolation) HumanString() string