v1.6.2
Published: May 11, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package v1 contains API Schema definitions for the policies v1 API group

+kubebuilder:object:generate=true
+groupName=policies.kubewarden.io

Index

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "policies.kubewarden.io", Version: "v1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type AdmissionPolicy

type AdmissionPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   AdmissionPolicySpec `json:"spec,omitempty"`
	Status PolicyStatus        `json:"status,omitempty"`
}

AdmissionPolicy is the Schema for the admissionpolicies API

+kubebuilder:object:root=true
+kubebuilder:subresource:status
+kubebuilder:resource:scope=Namespaced
+kubebuilder:storageversion
+kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server"
+kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating"
+kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode"
+kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server"
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy"

func (*AdmissionPolicy) CopyInto

func (r *AdmissionPolicy) CopyInto(policy *Policy)

func (*AdmissionPolicy) DeepCopy

func (in *AdmissionPolicy) DeepCopy() *AdmissionPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicy.

func (*AdmissionPolicy) DeepCopyInto

func (in *AdmissionPolicy) DeepCopyInto(out *AdmissionPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AdmissionPolicy) DeepCopyObject

func (in *AdmissionPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AdmissionPolicy) Default

func (r *AdmissionPolicy) Default()

Default implements webhook.Defaulter so a webhook will be registered for the type

func (*AdmissionPolicy) GetContextAwareResources added in v1.6.0

func (r *AdmissionPolicy) GetContextAwareResources() []ContextAwareResource

func (*AdmissionPolicy) GetFailurePolicy

func (*AdmissionPolicy) GetMatchPolicy

func (*AdmissionPolicy) GetModule

func (r *AdmissionPolicy) GetModule() string

func (*AdmissionPolicy) GetObjectMeta

func (r *AdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta

func (*AdmissionPolicy) GetObjectSelector

func (r *AdmissionPolicy) GetObjectSelector() *metav1.LabelSelector

func (*AdmissionPolicy) GetPolicyMode

func (r *AdmissionPolicy) GetPolicyMode() PolicyMode

func (*AdmissionPolicy) GetPolicyServer

func (r *AdmissionPolicy) GetPolicyServer() string

func (*AdmissionPolicy) GetRules

GetRules returns all rules. Scope is namespaced, since an AdmissionPolicy only watches namespaced resources.

func (*AdmissionPolicy) GetSettings

func (r *AdmissionPolicy) GetSettings() runtime.RawExtension

func (*AdmissionPolicy) GetSideEffects

func (*AdmissionPolicy) GetStatus

func (r *AdmissionPolicy) GetStatus() *PolicyStatus

func (*AdmissionPolicy) GetTimeoutSeconds

func (r *AdmissionPolicy) GetTimeoutSeconds() *int32

func (*AdmissionPolicy) GetUniqueName

func (r *AdmissionPolicy) GetUniqueName() string

func (*AdmissionPolicy) GetUpdatedNamespaceSelector added in v1.4.0

func (r *AdmissionPolicy) GetUpdatedNamespaceSelector(string) *metav1.LabelSelector

GetUpdatedNamespaceSelector returns a selector matching only the namespace of the AdmissionPolicy, since that is the only namespace the policy should be applied to.

func (*AdmissionPolicy) IsMutating

func (r *AdmissionPolicy) IsMutating() bool

func (*AdmissionPolicy) SetPolicyModeStatus

func (r *AdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)

func (*AdmissionPolicy) SetStatus

func (r *AdmissionPolicy) SetStatus(status PolicyStatusEnum)

func (*AdmissionPolicy) SetupWebhookWithManager

func (r *AdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error

func (*AdmissionPolicy) ValidateCreate

func (r *AdmissionPolicy) ValidateCreate() error

ValidateCreate implements webhook.Validator so a webhook will be registered for the type

func (*AdmissionPolicy) ValidateDelete

func (r *AdmissionPolicy) ValidateDelete() error

ValidateDelete implements webhook.Validator so a webhook will be registered for the type

func (*AdmissionPolicy) ValidateUpdate

func (r *AdmissionPolicy) ValidateUpdate(old runtime.Object) error

ValidateUpdate implements webhook.Validator so a webhook will be registered for the type

type AdmissionPolicyList

type AdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AdmissionPolicy `json:"items"`
}

AdmissionPolicyList contains a list of AdmissionPolicy

func (*AdmissionPolicyList) DeepCopy

func (in *AdmissionPolicyList) DeepCopy() *AdmissionPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyList.

func (*AdmissionPolicyList) DeepCopyInto

func (in *AdmissionPolicyList) DeepCopyInto(out *AdmissionPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AdmissionPolicyList) DeepCopyObject

func (in *AdmissionPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AdmissionPolicySpec

type AdmissionPolicySpec struct {
	PolicySpec `json:""` //nolint
}

AdmissionPolicySpec defines the desired state of AdmissionPolicy

func (*AdmissionPolicySpec) DeepCopy

func (in *AdmissionPolicySpec) DeepCopy() *AdmissionPolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicySpec.

func (*AdmissionPolicySpec) DeepCopyInto

func (in *AdmissionPolicySpec) DeepCopyInto(out *AdmissionPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterAdmissionPolicy

type ClusterAdmissionPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ClusterAdmissionPolicySpec `json:"spec,omitempty"`
	Status PolicyStatus               `json:"status,omitempty"`
}

ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API

+kubebuilder:object:root=true
+kubebuilder:subresource:status
+kubebuilder:resource:scope=Cluster
+kubebuilder:storageversion
+kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server"
+kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating"
+kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode"
+kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server"
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy"

func (*ClusterAdmissionPolicy) CopyInto

func (r *ClusterAdmissionPolicy) CopyInto(policy *Policy)

func (*ClusterAdmissionPolicy) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicy.

func (*ClusterAdmissionPolicy) DeepCopyInto

func (in *ClusterAdmissionPolicy) DeepCopyInto(out *ClusterAdmissionPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterAdmissionPolicy) DeepCopyObject

func (in *ClusterAdmissionPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterAdmissionPolicy) Default

func (r *ClusterAdmissionPolicy) Default()

Default implements webhook.Defaulter so a webhook will be registered for the type

func (*ClusterAdmissionPolicy) GetContextAwareResources added in v1.6.0

func (r *ClusterAdmissionPolicy) GetContextAwareResources() []ContextAwareResource

func (*ClusterAdmissionPolicy) GetFailurePolicy

func (*ClusterAdmissionPolicy) GetMatchPolicy

func (*ClusterAdmissionPolicy) GetModule

func (r *ClusterAdmissionPolicy) GetModule() string

func (*ClusterAdmissionPolicy) GetObjectMeta

func (r *ClusterAdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta

func (*ClusterAdmissionPolicy) GetObjectSelector

func (r *ClusterAdmissionPolicy) GetObjectSelector() *metav1.LabelSelector

func (*ClusterAdmissionPolicy) GetPolicyMode

func (r *ClusterAdmissionPolicy) GetPolicyMode() PolicyMode

func (*ClusterAdmissionPolicy) GetPolicyServer

func (r *ClusterAdmissionPolicy) GetPolicyServer() string

func (*ClusterAdmissionPolicy) GetRules

func (*ClusterAdmissionPolicy) GetSettings

func (r *ClusterAdmissionPolicy) GetSettings() runtime.RawExtension

func (*ClusterAdmissionPolicy) GetSideEffects

func (*ClusterAdmissionPolicy) GetStatus

func (r *ClusterAdmissionPolicy) GetStatus() *PolicyStatus

func (*ClusterAdmissionPolicy) GetTimeoutSeconds

func (r *ClusterAdmissionPolicy) GetTimeoutSeconds() *int32

func (*ClusterAdmissionPolicy) GetUniqueName

func (r *ClusterAdmissionPolicy) GetUniqueName() string

func (*ClusterAdmissionPolicy) GetUpdatedNamespaceSelector added in v1.4.0

func (r *ClusterAdmissionPolicy) GetUpdatedNamespaceSelector(deploymentNamespace string) *metav1.LabelSelector

func (*ClusterAdmissionPolicy) IsMutating

func (r *ClusterAdmissionPolicy) IsMutating() bool

func (*ClusterAdmissionPolicy) SetPolicyModeStatus

func (r *ClusterAdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)

func (*ClusterAdmissionPolicy) SetStatus

func (r *ClusterAdmissionPolicy) SetStatus(status PolicyStatusEnum)

func (*ClusterAdmissionPolicy) SetupWebhookWithManager

func (r *ClusterAdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error

func (*ClusterAdmissionPolicy) ValidateCreate

func (r *ClusterAdmissionPolicy) ValidateCreate() error

ValidateCreate implements webhook.Validator so a webhook will be registered for the type

func (*ClusterAdmissionPolicy) ValidateDelete

func (r *ClusterAdmissionPolicy) ValidateDelete() error

ValidateDelete implements webhook.Validator so a webhook will be registered for the type

func (*ClusterAdmissionPolicy) ValidateUpdate

func (r *ClusterAdmissionPolicy) ValidateUpdate(old runtime.Object) error

ValidateUpdate implements webhook.Validator so a webhook will be registered for the type

type ClusterAdmissionPolicyList

type ClusterAdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ClusterAdmissionPolicy `json:"items"`
}

ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy

+kubebuilder:object:root=true

func (*ClusterAdmissionPolicyList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyList.

func (*ClusterAdmissionPolicyList) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterAdmissionPolicyList) DeepCopyObject

func (in *ClusterAdmissionPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterAdmissionPolicySpec

type ClusterAdmissionPolicySpec struct {
	PolicySpec `json:""` //nolint

	// NamespaceSelector decides whether to run the webhook on an object based
	// on whether the namespace for that object matches the selector. If the
	// object itself is a namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster scoped resource,
	// it never skips the webhook.
	//
	// For example, to run the webhook on any objects whose namespace is not
	// associated with a "runlevel" of "0" or "1", you will set the selector as
	// follows:
	// "namespaceSelector": {
	//   "matchExpressions": [
	//     {
	//       "key": "runlevel",
	//       "operator": "NotIn",
	//       "values": [
	//         "0",
	//         "1"
	//       ]
	//     }
	//   ]
	// }
	//
	// If instead you want to only run the webhook on any objects whose
	// namespace is associated with an "environment" of "prod" or "staging",
	// you will set the selector as follows:
	// "namespaceSelector": {
	//   "matchExpressions": [
	//     {
	//       "key": "environment",
	//       "operator": "In",
	//       "values": [
	//         "prod",
	//         "staging"
	//       ]
	//     }
	//   ]
	// }
	//
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
	// for more examples of label selectors.
	//
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`

	// List of Kubernetes resources the policy is allowed to access at evaluation time.
	// Access to these resources is done using the `ServiceAccount` of the PolicyServer
	// the policy is assigned to.
	// +optional
	ContextAwareResources []ContextAwareResource `json:"contextAwareResources,omitempty"`
}

ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy

func (*ClusterAdmissionPolicySpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicySpec.

func (*ClusterAdmissionPolicySpec) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ContextAwareResource added in v1.6.0

type ContextAwareResource struct {
	// apiVersion of the resource (v1 for core group, groupName/groupVersions for other).
	APIVersion string `json:"apiVersion"`

	// Singular PascalCase name of the resource
	Kind string `json:"kind"`
}

ContextAwareResource identifies a Kubernetes resource

func (*ContextAwareResource) DeepCopy added in v1.6.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextAwareResource.

func (*ContextAwareResource) DeepCopyInto added in v1.6.0

func (in *ContextAwareResource) DeepCopyInto(out *ContextAwareResource)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Policy

type Policy interface {
	client.Object
	GetPolicyMode() PolicyMode
	SetPolicyModeStatus(policyMode PolicyModeStatus)
	GetModule() string
	IsMutating() bool
	GetSettings() runtime.RawExtension
	GetStatus() *PolicyStatus
	SetStatus(status PolicyStatusEnum)
	CopyInto(object *Policy)
	GetSideEffects() *admissionregistrationv1.SideEffectClass
	GetRules() []admissionregistrationv1.RuleWithOperations
	GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
	GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
	GetUpdatedNamespaceSelector(deploymentNamespace string) *metav1.LabelSelector
	GetObjectSelector() *metav1.LabelSelector
	GetTimeoutSeconds() *int32
	GetObjectMeta() *metav1.ObjectMeta
	GetPolicyServer() string
	GetUniqueName() string
	GetContextAwareResources() []ContextAwareResource
}

+kubebuilder:object:generate:=false

type PolicyConditionType

type PolicyConditionType string
const (
	// PolicyActive represents the condition of the Policy admission
	// webhook been registered
	PolicyActive PolicyConditionType = "PolicyActive"
	// PolicyServerConfigurationUpToDate represents the condition of the
	// associated Policy Server having the latest configuration up to
	// date regarding this policy
	PolicyServerConfigurationUpToDate PolicyConditionType = "PolicyServerConfigurationUpToDate"
	// PolicyUniquelyReachable represents the condition of the latest
	// applied policy being uniquely accessible. This means that after a
	// policy has been deployed or modified, after this condition is met
	// for this policy, only the latest instance of the policy can be
	// reached through policy server where it is scheduled.
	PolicyUniquelyReachable PolicyConditionType = "PolicyUniquelyReachable"
)

type PolicyMode

type PolicyMode string

+kubebuilder:validation:Enum=protect;monitor

type PolicyModeStatus

type PolicyModeStatus string

+kubebuilder:validation:Enum=protect;monitor;unknown

const (
	PolicyModeStatusProtect PolicyModeStatus = "protect"
	PolicyModeStatusMonitor PolicyModeStatus = "monitor"
	PolicyModeStatusUnknown PolicyModeStatus = "unknown"
)

type PolicyServer

type PolicyServer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PolicyServerSpec   `json:"spec,omitempty"`
	Status PolicyServerStatus `json:"status,omitempty"`
}

PolicyServer is the Schema for the policyservers API

func (*PolicyServer) AppLabel

func (ps *PolicyServer) AppLabel() string

func (*PolicyServer) DeepCopy

func (in *PolicyServer) DeepCopy() *PolicyServer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServer.

func (*PolicyServer) DeepCopyInto

func (in *PolicyServer) DeepCopyInto(out *PolicyServer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyServer) DeepCopyObject

func (in *PolicyServer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*PolicyServer) Default

func (ps *PolicyServer) Default()

Default implements webhook.Defaulter so a webhook will be registered for the type

func (*PolicyServer) NameWithPrefix

func (ps *PolicyServer) NameWithPrefix() string

func (*PolicyServer) SetupWebhookWithManager

func (ps *PolicyServer) SetupWebhookWithManager(mgr ctrl.Manager) error

type PolicyServerConditionType

type PolicyServerConditionType string
const (
	// PolicyServerCASecretReconciled represents the condition of the
	// Policy Server Secret reconciliation
	PolicyServerCASecretReconciled PolicyServerConditionType = "CASecretReconciled"
	// PolicyServerCARootSecretReconciled represents the condition of the
	// Policy Server CA Root Secret reconciliation
	PolicyServerCARootSecretReconciled PolicyServerConditionType = "CARootSecretReconciled"
	// PolicyServerConfigMapReconciled represents the condition of the
	// Policy Server ConfigMap reconciliation
	PolicyServerConfigMapReconciled PolicyServerConditionType = "ConfigMapReconciled"
	// PolicyServerDeploymentReconciled represents the condition of the
	// Policy Server Deployment reconciliation
	PolicyServerDeploymentReconciled PolicyServerConditionType = "DeploymentReconciled"
	// PolicyServerServiceReconciled represents the condition of the
	// Policy Server Service reconciliation
	PolicyServerServiceReconciled PolicyServerConditionType = "ServiceReconciled"
)

type PolicyServerList

type PolicyServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []PolicyServer `json:"items"`
}

PolicyServerList contains a list of PolicyServer

func (*PolicyServerList) DeepCopy

func (in *PolicyServerList) DeepCopy() *PolicyServerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerList.

func (*PolicyServerList) DeepCopyInto

func (in *PolicyServerList) DeepCopyInto(out *PolicyServerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyServerList) DeepCopyObject

func (in *PolicyServerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PolicyServerSecurity added in v1.6.0

type PolicyServerSecurity struct {
	// securityContext definition to be used in the policy server container
	// +optional
	Container *corev1.SecurityContext `json:"container,omitempty"`
	// podSecurityContext definition to be used in the policy server Pod
	// +optional
	Pod *corev1.PodSecurityContext `json:"pod,omitempty"`
}

PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload

func (*PolicyServerSecurity) DeepCopy added in v1.6.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerSecurity.

func (*PolicyServerSecurity) DeepCopyInto added in v1.6.0

func (in *PolicyServerSecurity) DeepCopyInto(out *PolicyServerSecurity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PolicyServerSpec

type PolicyServerSpec struct {
	// Docker image name.
	Image string `json:"image"`

	// Replicas is the number of desired replicas.
	Replicas int32 `json:"replicas"`

	// Annotations is an unstructured key value map stored with a resource that may be
	// set by external tools to store and retrieve arbitrary metadata. They are not
	// queryable and should be preserved when modifying objects.
	// More info: http://kubernetes.io/docs/user-guide/annotations
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// List of environment variables to set in the container.
	// +optional
	Env []corev1.EnvVar `json:"env,omitempty"`

	// Name of the service account associated with the policy server.
	// Namespace service account will be used if not specified.
	// +optional
	ServiceAccountName string `json:"serviceAccountName,omitempty"`

	// Name of ImagePullSecret secret in the same namespace, used for pulling
	// policies from repositories.
	// +optional
	ImagePullSecret string `json:"imagePullSecret,omitempty"`

	// List of insecure URIs to policy repositories.
	// +optional
	InsecureSources []string `json:"insecureSources,omitempty"`

	// Key value map of registry URIs endpoints to a list of their associated
	// PEM encoded certificate authorities that have to be used to verify the
	// certificate used by the endpoint.
	// +optional
	SourceAuthorities map[string][]string `json:"sourceAuthorities,omitempty"`

	// Name of VerificationConfig configmap in the same namespace, containing
	// Sigstore verification configuration. The configuration must be under a
	// key named verification-config in the Configmap.
	// +optional
	VerificationConfig string `json:"verificationConfig,omitempty"`

	// Security configuration to be used in the Policy Server workload.
	// The field allows different configurations for the pod and containers.
	// This configuration will not be used in containers added by other
	// controllers (e.g. telemetry sidecars)
	// +optional
	SecurityContexts PolicyServerSecurity `json:"securityContexts,omitempty"`
}
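Added example, not kubewarden's own code: an audit of a PolicyServerSpec against the fields documented above (insecureSources, sourceAuthorities, verificationConfig and securityContexts). The types are a simplified stand-alone mirror of PolicyServerSpec and PolicyServerSecurity (assumed shape), and the CA certificate is generated in memory as constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Stand-alone mirror of the PolicyServerSpec/PolicyServerSecurity fields used here (assumed shape, not the kubewarden or k8s.io packages).
type SecurityContext struct {
	RunAsNonRoot             *bool `json:"runAsNonRoot,omitempty"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
}

type PolicyServerSecurity struct {
	Container *SecurityContext `json:"container,omitempty"`
}

type PolicyServerSpec struct {
	InsecureSources    []string             `json:"insecureSources,omitempty"`
	SourceAuthorities  map[string][]string  `json:"sourceAuthorities,omitempty"`
	VerificationConfig string               `json:"verificationConfig,omitempty"`
	SecurityContexts   PolicyServerSecurity `json:"securityContexts,omitempty"`
}

func boolPtr(b bool) *bool { return &b }

// CheckSourceAuthorities verifies that each sourceAuthorities entry is a PEM CERTIFICATE
// block holding a CA certificate, so a pasted key, a truncated bundle or a leaf cert is caught.
func CheckSourceAuthorities(spec *PolicyServerSpec) []string {
	var findings []string
	for host, pems := range spec.SourceAuthorities {
		for i, p := range pems {
			block, _ := pem.Decode([]byte(p))
			if block == nil || block.Type != "CERTIFICATE" {
				findings = append(findings, fmt.Sprintf("%s[%d]: not a PEM CERTIFICATE block", host, i))
				continue
			}
			if cert, err := x509.ParseCertificate(block.Bytes); err != nil {
				findings = append(findings, fmt.Sprintf("%s[%d]: %v", host, i, err))
			} else if !cert.IsCA {
				findings = append(findings, fmt.Sprintf("%s[%d]: %q is not a CA certificate", host, i, cert.Subject.CommonName))
			}
		}
	}
	return findings
}

// AuditPolicyServer reports settings that weaken how policies are fetched or how
// the Policy Server container runs; an empty result means every check passed.
func AuditPolicyServer(spec *PolicyServerSpec) []string {
	findings := CheckSourceAuthorities(spec)
	for _, src := range spec.InsecureSources {
		findings = append(findings, "insecureSources: "+src+" is an insecure policy repository")
	}
	if spec.VerificationConfig == "" {
		findings = append(findings, "verificationConfig: no Sigstore verification configuration is referenced")
	}
	c := spec.SecurityContexts.Container
	if c == nil || c.RunAsNonRoot == nil || !*c.RunAsNonRoot {
		findings = append(findings, "securityContexts.container.runAsNonRoot is not true")
	}
	if c == nil || c.AllowPrivilegeEscalation == nil || *c.AllowPrivilegeEscalation {
		findings = append(findings, "securityContexts.container.allowPrivilegeEscalation is not false")
	}
	return findings
}

// selfSignedCAPEM generates a constructed in-memory CA so the example runs offline.
func selfSignedCAPEM() (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	ca, _ := selfSignedCAPEM() // error ignored only in this demo
	spec := &PolicyServerSpec{SourceAuthorities: map[string][]string{"registry.example.test": {ca}}}
	fmt.Println("findings:", AuditPolicyServer(spec))
}
```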

PolicyServerSpec defines the desired state of PolicyServer

func (*PolicyServerSpec) DeepCopy

func (in *PolicyServerSpec) DeepCopy() *PolicyServerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerSpec.

func (*PolicyServerSpec) DeepCopyInto

func (in *PolicyServerSpec) DeepCopyInto(out *PolicyServerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PolicyServerStatus

type PolicyServerStatus struct {
	// Conditions represent the observed conditions of the
	// PolicyServer resource.  Known .status.conditions.types
	// are: "PolicyServerSecretReconciled",
	// "PolicyServerDeploymentReconciled" and
	// "PolicyServerServiceReconciled"
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions"`
}

PolicyServerStatus defines the observed state of PolicyServer

func (*PolicyServerStatus) DeepCopy

func (in *PolicyServerStatus) DeepCopy() *PolicyServerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerStatus.

func (*PolicyServerStatus) DeepCopyInto

func (in *PolicyServerStatus) DeepCopyInto(out *PolicyServerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PolicySpec

type PolicySpec struct {
	// PolicyServer identifies an existing PolicyServer resource.
	// +kubebuilder:default:=default
	// +optional
	PolicyServer string `json:"policyServer"`

	// Module is the location of the WASM module to be loaded. Can be a
	// local file (file://), a remote file served by an HTTP server
	// (http://, https://), or an artifact served by an OCI-compatible
	// registry (registry://).
	// If prefix is missing, it will default to registry:// and use that
	// internally.
	// +kubebuilder:validation:Required
	Module string `json:"module"`

	// Mode defines the execution mode of this policy. Can be set to
	// either "protect" or "monitor". If it's empty, it is defaulted to
	// "protect".
	// Transitioning this setting from "monitor" to "protect" is
	// allowed, but is disallowed to transition from "protect" to
	// "monitor". To perform this transition, the policy should be
	// recreated in "monitor" mode instead.
	// +kubebuilder:default:=protect
	// +optional
	Mode PolicyMode `json:"mode,omitempty"`

	// Settings is a free-form object that contains the policy configuration
	// values.
	// +optional
	// +nullable
	// +kubebuilder:pruning:PreserveUnknownFields
	// x-kubernetes-embedded-resource: false
	Settings runtime.RawExtension `json:"settings,omitempty"`

	// Rules describes what operations on what resources/subresources the webhook cares about.
	// The webhook cares about an operation if it matches _any_ Rule.
	Rules []admissionregistrationv1.RuleWithOperations `json:"rules"`

	// FailurePolicy defines how unrecognized errors and timeout errors from the
	// policy are handled. Allowed values are "Ignore" or "Fail".
	// * "Ignore" means that an error calling the webhook is ignored and the API
	//   request is allowed to continue.
	// * "Fail" means that an error calling the webhook causes the admission to
	//   fail and the API request to be rejected.
	// The default behaviour is "Fail"
	// +optional
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`

	// Mutating indicates whether a policy has the ability to mutate
	// incoming requests or not.
	Mutating bool `json:"mutating"`

	// matchPolicy defines how the "rules" list is used to match incoming requests.
	// Allowed values are "Exact" or "Equivalent".
	//
	// - Exact: match a request only if it exactly matches a specified rule.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
	//
	// - Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
	//
	// Defaults to "Equivalent"
	// +optional
	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`

	// ObjectSelector decides whether to run the webhook based on if the
	// object has matching labels. objectSelector is evaluated against both
	// the oldObject and newObject that would be sent to the webhook, and
	// is considered to match if either object matches the selector. A null
	// object (oldObject in the case of create, or newObject in the case of
	// delete) or an object that cannot have labels (like a
	// DeploymentRollback or a PodProxyOptions object) is not considered to
	// match.
	// Use the object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`

	// SideEffects states whether this webhook has side effects.
	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
	// rejected by a future step in the admission change and the side effects therefore need to be undone.
	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
	// sideEffects == Unknown or Some.
	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`

	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
	// the webhook call will be ignored or the API call will fail based on the
	// failure policy.
	// The timeout value must be between 1 and 30 seconds.
	// Default to 10 seconds.
	// +optional
	// +kubebuilder:default:=10
	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
}
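As an added example, not code from the kubewarden project: the constraints documented on PolicySpec above (mode values and the one-way monitor to protect transition, the 1..30 second timeout range, the allowed failurePolicy and sideEffects values, and the documented defaults) applied as a client-side pre-check in Go. The struct is a simplified stand-alone mirror of the page's PolicySpec, and the sample manifest spec is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-alone mirror of the PolicySpec fields the checks below need (assumed
// shape, not the kubewarden package itself); JSON names match the page.
type PolicySpec struct {
	PolicyServer   string          `json:"policyServer"`
	Module         string          `json:"module"`
	Mode           string          `json:"mode,omitempty"`
	Settings       json.RawMessage `json:"settings,omitempty"`
	Mutating       bool            `json:"mutating"`
	FailurePolicy  *string         `json:"failurePolicy,omitempty"`
	SideEffects    *string         `json:"sideEffects,omitempty"`
	TimeoutSeconds *int32          `json:"timeoutSeconds,omitempty"`
}

// ParseSpec decodes a spec and applies the defaults stated in the field
// comments: policyServer "default", mode "protect", failurePolicy "Fail",
// timeoutSeconds 10.
func ParseSpec(data []byte) (*PolicySpec, error) {
	var s PolicySpec
	if err := json.Unmarshal(data, &s); err != nil {
		return nil, err
	}
	if s.PolicyServer == "" {
		s.PolicyServer = "default"
	}
	if s.Mode == "" {
		s.Mode = "protect"
	}
	if s.FailurePolicy == nil {
		fp := "Fail"
		s.FailurePolicy = &fp
	}
	if s.TimeoutSeconds == nil {
		t := int32(10)
		s.TimeoutSeconds = &t
	}
	return &s, nil
}

// ValidateUpdate returns the reasons a create (old == nil) or an update must be
// rejected, following the constraints documented on PolicySpec.
func ValidateUpdate(old, cur *PolicySpec) []string {
	var errs []string
	if cur.Module == "" {
		errs = append(errs, "module is required")
	}
	if cur.Mode != "protect" && cur.Mode != "monitor" {
		errs = append(errs, fmt.Sprintf("mode %q must be protect or monitor", cur.Mode))
	}
	// Loosening enforcement in place is refused; the policy must be recreated.
	if old != nil && old.Mode == "protect" && cur.Mode == "monitor" {
		errs = append(errs, "transition from protect to monitor is not allowed; recreate the policy in monitor mode")
	}
	if t := cur.TimeoutSeconds; t != nil && (*t < 1 || *t > 30) {
		errs = append(errs, fmt.Sprintf("timeoutSeconds %d is outside 1..30", *t))
	}
	if fp := cur.FailurePolicy; fp != nil && *fp != "Ignore" && *fp != "Fail" {
		errs = append(errs, fmt.Sprintf("failurePolicy %q must be Ignore or Fail", *fp))
	}
	if se := cur.SideEffects; se != nil && *se != "None" && *se != "NoneOnDryRun" {
		errs = append(errs, fmt.Sprintf("sideEffects %q must be None or NoneOnDryRun", *se))
	}
	return errs
}

// FailOpen reports whether an error or timeout calling the policy lets the
// request through (failurePolicy "Ignore"), which is what a reviewer should
// look for on a protect-mode policy.
func FailOpen(s *PolicySpec) bool {
	return s.FailurePolicy != nil && *s.FailurePolicy == "Ignore"
}

// Constructed sample manifest spec, not taken from any real cluster.
const sampleSpec = `{
  "module": "registry://ghcr.io/example/constructed-policy:v0.1.0",
  "rules": [{"apiGroups": [""], "apiVersions": ["v1"], "resources": ["pods"], "operations": ["CREATE"]}],
  "mutating": false,
  "failurePolicy": "Ignore",
  "timeoutSeconds": 45
}`

func main() {
	spec, err := ParseSpec([]byte(sampleSpec))
	if err != nil {
		panic(err)
	}
	fmt.Println("errors:", ValidateUpdate(nil, spec), "fails open:", FailOpen(spec))
}
```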

func (*PolicySpec) DeepCopy

func (in *PolicySpec) DeepCopy() *PolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.

func (*PolicySpec) DeepCopyInto

func (in *PolicySpec) DeepCopyInto(out *PolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PolicyStatus

type PolicyStatus struct {
	// PolicyStatus represents the observed status of the policy
	PolicyStatus PolicyStatusEnum `json:"policyStatus"`
	// PolicyMode represents the observed policy mode of this policy in
	// the associated PolicyServer configuration
	PolicyMode PolicyModeStatus `json:"mode,omitempty"`
	// Conditions represent the observed conditions of the
	// ClusterAdmissionPolicy resource.  Known .status.conditions.types
	// are: "PolicyServerSecretReconciled",
	// "PolicyServerConfigMapReconciled",
	// "PolicyServerDeploymentReconciled",
	// "PolicyServerServiceReconciled" and
	// "AdmissionPolicyActive"
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy

func (*PolicyStatus) DeepCopy

func (in *PolicyStatus) DeepCopy() *PolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.

func (*PolicyStatus) DeepCopyInto

func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PolicyStatusEnum

type PolicyStatusEnum string

+kubebuilder:validation:Enum=unscheduled;scheduled;pending;active

const (
	// PolicyStatusUnscheduled is a transient state that will continue
	// to scheduled. This is the default state if no policy server is
	// assigned.
	PolicyStatusUnscheduled PolicyStatusEnum = "unscheduled"
	// PolicyStatusScheduled is a transient state that will continue to
	// pending. This is the default state if a policy server is
	// assigned.
	PolicyStatusScheduled PolicyStatusEnum = "scheduled"
	// PolicyStatusPending informs that the policy server exists,
	// we are reconciling all resources
	PolicyStatusPending PolicyStatusEnum = "pending"
	// PolicyStatusActive informs that the k8s API server should be
	// forwarding admission review objects to the policy
	PolicyStatusActive PolicyStatusEnum = "active"
)

type ReconciliationTransitionReason

type ReconciliationTransitionReason string
const (
	// ReconciliationFailed represents a reconciliation failure
	ReconciliationFailed ReconciliationTransitionReason = "ReconciliationFailed"
	// ReconciliationSucceeded represents a reconciliation success
	ReconciliationSucceeded ReconciliationTransitionReason = "ReconciliationSucceeded"
)
