cel

package

v0.2.151 Latest Latest Go to latest Published: Jun 19, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kubescape/operator

Links

Open Source Insights

Documentation ¶

Index ¶

type AdmissionCEL
- func NewAdmissionCEL() (*AdmissionCEL, error)
type AdmissionCelEvent
- func NewAdmissionCelEvent(attrs admission.Attributes) *AdmissionCelEvent
type AdmissionCelUserInfo

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type AdmissionCEL ¶

type AdmissionCEL struct {
	// contains filtered or unexported fields
}

AdmissionCEL owns a CEL environment configured for evaluating expressions against AdmissionCelEvent values. Compiled programs are cached so repeated evaluation of the same expression avoids re-compilation.

func NewAdmissionCEL ¶

func NewAdmissionCEL() (*AdmissionCEL, error)

NewAdmissionCEL creates a CEL environment with the AdmissionCelEvent and AdmissionCelUserInfo types registered as native Go types. The resulting environment exposes two variables:

event     — cel.AdmissionCelEvent
eventType — string

func (*AdmissionCEL) CreateEvalContext ¶

func (c *AdmissionCEL) CreateEvalContext(event *AdmissionCelEvent) map[string]any

CreateEvalContext builds a map suitable for passing to program.Eval. The returned map is safe to reuse across sequential EvaluateRuleWithContext calls for the same event. The map fields (Object, OldObject, Options) are injected as separate top-level variables because cel-go's native type system does not support map[string]interface{} struct fields.

The "params" key is initialized to an empty map. The evaluator overrides it with the active binding's parameters before evaluating each rule, so a single context can serve multiple rules with different parameter sets.

func (*AdmissionCEL) EvaluateRuleWithContext ¶

func (c *AdmissionCEL) EvaluateRuleWithContext(evalContext map[string]any, eventType armotypes.EventType, expressions []armotypes.RuleExpression) (bool, error)

EvaluateRuleWithContext evaluates all expressions whose EventType matches the provided eventType. Returns true only when every matching expression evaluates to true (AND semantics). If no expressions match the provided eventType, returns false — the rule has no opinion for this event type, so it should not fire.

func (*AdmissionCEL) EvaluateStringExpression ¶

func (c *AdmissionCEL) EvaluateStringExpression(evalContext map[string]any, expression string) (string, error)

EvaluateStringExpression compiles and evaluates a CEL expression that is expected to return a string (e.g. a message template).

func (*AdmissionCEL) ProgramCacheSize ¶

func (c *AdmissionCEL) ProgramCacheSize() int

ProgramCacheSize returns the number of entries in the program cache (including nil entries for compile failures).

func (*AdmissionCEL) RetainOnly ¶

func (c *AdmissionCEL) RetainOnly(activeExpressions []string)

RetainOnly drops every cached program whose expression is not in the provided active set. Call this from the rule sync path after replacing the rule list so programs compiled for now-removed rules are released — the cache grows monotonically otherwise.

Passing nil or an empty slice clears the entire cache.

type AdmissionCelEvent ¶

type AdmissionCelEvent struct {
	Kind        string
	Group       string
	Version     string
	Name        string
	Namespace   string
	Operation   string
	Subresource string
	Resource    string
	DryRun      bool
	UserInfo    AdmissionCelUserInfo
	Object      map[string]interface{}
	OldObject   map[string]interface{}
	Options     map[string]interface{}
}

AdmissionCelEvent is a plain Go struct that mirrors the interesting fields of admission.Attributes. It is registered with cel-go's native type system so CEL expressions can access fields like event.kind, event.namespace, etc.

func NewAdmissionCelEvent ¶

func NewAdmissionCelEvent(attrs admission.Attributes) *AdmissionCelEvent

NewAdmissionCelEvent extracts all relevant fields from admission.Attributes into an AdmissionCelEvent suitable for CEL evaluation.

type AdmissionCelUserInfo ¶

type AdmissionCelUserInfo struct {
	Username string
	Groups   []string
	UID      string
}

AdmissionCelUserInfo holds user identity fields extracted from an admission request. Exported fields are registered with the CEL type system so expressions can reference e.g. event.UserInfo.Username.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL