response

package
v1.9.5 Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 26, 2023 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type EngineResponse

// EngineResponse bundles the outcome of one engine action: the resource as
// patched, the policy that was applied, and the per-rule results.
type EngineResponse struct {
	// Resource patched with the engine action changes
	PatchedResource unstructured.Unstructured

	// Original policy
	Policy kyvernov1.PolicyInterface

	// Policy Response; the per-rule results live in PolicyResponse.Rules.
	PolicyResponse PolicyResponse
}

EngineResponse engine response to the action

func (EngineResponse) GetFailedRules

func (er EngineResponse) GetFailedRules() []string

GetFailedRules returns failed rules

func (EngineResponse) GetPatches

func (er EngineResponse) GetPatches() [][]byte

GetPatches returns all the patches joined

func (EngineResponse) GetResourceSpec added in v1.3.0

func (er EngineResponse) GetResourceSpec() ResourceSpec

GetResourceSpec returns resourceSpec of er

func (EngineResponse) GetSuccessRules

func (er EngineResponse) GetSuccessRules() []string

GetSuccessRules returns success rules

func (*EngineResponse) GetValidationFailureAction added in v1.7.0

func (er *EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction

func (EngineResponse) IsEmpty added in v1.7.0

func (er EngineResponse) IsEmpty() bool

IsEmpty checks if any rule results are present

func (EngineResponse) IsError added in v1.8.0

func (er EngineResponse) IsError() bool

IsError checks if any rule resulted in a processing error

func (EngineResponse) IsFailed added in v1.4.2

func (er EngineResponse) IsFailed() bool

IsFailed checks if any rule created a policy violation

func (EngineResponse) IsNil added in v1.8.0

func (er EngineResponse) IsNil() bool

IsNil checks if rule is an empty rule

func (EngineResponse) IsSkipped added in v1.8.0

func (er EngineResponse) IsSkipped() bool

IsSkipped checks if any rule has skipped resource or not.

func (EngineResponse) IsSuccessful added in v1.2.0

func (er EngineResponse) IsSuccessful() bool

IsSuccessful checks that no rule has failed or produced an error during execution

type PodSecurityChecks added in v1.9.0

// PodSecurityChecks groups a pod security level, a version string and the
// individual check results. RuleResponse carries a pointer to it that is
// documented as set only for pod security rules.
type PodSecurityChecks struct {
	// Level is the pod security level as an api.Level value.
	Level   api.Level
	// Version is a plain string; its accepted format is not visible in this
	// declaration.
	Version string
	// Checks holds one PSSCheckResult per check.
	Checks  []pssutils.PSSCheckResult
}

type PolicyResponse

// PolicyResponse is the policy application response: which policy, which
// resource, aggregate statistics, and one RuleResponse per rule.
type PolicyResponse struct {
	// policy details
	Policy PolicySpec `json:"policy"`
	// resource details
	Resource ResourceSpec `json:"resource"`
	// policy statistics
	PolicyStats `json:",inline"`
	// rule response
	Rules []RuleResponse `json:"rules"`
	// ValidationFailureAction: audit (default) or enforce
	// NOTE(review): because audit is the default, a failed rule in Rules does
	// not by itself say the request was rejected; callers that need the
	// admission decision presumably have to read this field together with the
	// overrides below — confirm against the callers.
	// The field has no json tag, so encoding/json writes it under its Go name.
	ValidationFailureAction kyvernov1.ValidationFailureAction

	// ValidationFailureActionOverrides pairs an action with a list of
	// namespaces (see ValidationFailureActionOverride). How an override takes
	// precedence over ValidationFailureAction is not visible in this
	// declaration. No json tag: serialised under its Go name.
	ValidationFailureActionOverrides []ValidationFailureActionOverride
}

PolicyResponse policy application response

type PolicySpec added in v1.4.2

// PolicySpec identifies a policy by name and namespace.
type PolicySpec struct {
	// Name is the policy name.
	Name      string `json:"name"`
	// Namespace is the policy namespace.
	// NOTE(review): presumably empty for cluster-scoped policies — confirm.
	Namespace string `json:"namespace"`
}

PolicySpec policy

type PolicyStats

// PolicyStats stores statistics for a single policy application.
type PolicyStats struct {
	// time required to process the policy rules on a resource
	// (time.Duration is an int64 nanosecond count, and that integer is what
	// encoding/json writes for it)
	ProcessingTime time.Duration `json:"processingTime"`

	// Count of rules that were applied successfully
	RulesAppliedCount int `json:"rulesAppliedCount"`

	// Count of rules with execution errors
	RulesErrorCount int `json:"rulesErrorCount"`

	// Timestamp of the instant the Policy was triggered
	// (int64; the unit is not visible in this declaration — TODO confirm)
	PolicyExecutionTimestamp int64 `json:"policyExecutionTimestamp"`
}

PolicyStats stores statistics for the single policy application

type ResourceSpec

// ResourceSpec identifies the resource an action was applied on by kind,
// API version, namespace and name, with an optional UID.
type ResourceSpec struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Namespace  string `json:"namespace"`
	Name       string `json:"name"`

	// UID is not used to build the unique identifier
	// optional
	// NOTE(review): with the UID left out of the identifier, an object that is
	// deleted and re-created under the same kind/namespace/name presumably maps
	// to the same key — confirm against GetKey before using the key to
	// correlate results across object lifetimes.
	// The tag has no omitempty, so an unset UID is serialised as "".
	UID string `json:"uid"`
}

ResourceSpec resource action applied on

func (ResourceSpec) GetKey

func (rs ResourceSpec) GetKey() string

GetKey returns the key

type RuleResponse

// RuleResponse holds the details of one rule application: identity, type,
// message, status, statistics and any resources or patches it produced.
type RuleResponse struct {
	// rule name specified in policy
	Name string `json:"name"`

	// rule type (Mutation,Generation,Validation) for Kyverno Policy
	// (the RuleType constants also declare ImageVerify)
	Type RuleType `json:"type"`

	// message response from the rule application
	Message string `json:"message"`

	// JSON patches, for mutation rules
	// (encoding/json writes each []byte element as a base64 string)
	Patches [][]byte `json:"patches,omitempty"`

	// Resource generated by the generate rules of a policy
	// NOTE(review): this is a struct value, and encoding/json never treats a
	// struct as empty, so omitempty looks like a no-op here — confirm.
	GeneratedResource unstructured.Unstructured `json:"generatedResource,omitempty"`

	// rule status
	// RuleStatus is an int whose first constant, RuleStatusPass, is iota (0),
	// so a RuleResponse whose Status was never assigned reads as a pass.
	// Code that builds a RuleResponse should set Status explicitly.
	Status RuleStatus `json:"status"`

	// statistics
	RuleStats `json:",inline"`

	// The fields below carry no json tag, so encoding/json writes them under
	// their Go names.

	// PatchedTarget is the patched resource for mutate.targets
	PatchedTarget *unstructured.Unstructured

	// PatchedTargetSubresourceName is the name of the subresource which is patched, empty if the resource patched is
	// not a subresource.
	PatchedTargetSubresourceName string

	// PatchedTargetParentResourceGVR is the GVR of the parent resource of the PatchedTarget. This is only populated
	// when PatchedTarget is a subresource.
	PatchedTargetParentResourceGVR metav1.GroupVersionResource

	// PodSecurityChecks contains pod security checks (only if this is a pod security rule)
	// Nil otherwise, so dereference only after a nil check.
	PodSecurityChecks *PodSecurityChecks
}

RuleResponse details for each rule application

func (RuleResponse) ToString

func (rr RuleResponse) ToString() string

ToString ...

type RuleStats

// RuleStats stores the statistics for a single rule application.
type RuleStats struct {
	// time required to apply the rule on the resource
	// (serialised by encoding/json as an integer nanosecond count)
	ProcessingTime time.Duration `json:"processingTime"`
	// Timestamp of the instant the rule got triggered
	// (int64; the unit is not visible in this declaration — TODO confirm)
	RuleExecutionTimestamp int64 `json:"ruleExecutionTimestamp"`
}

RuleStats stores the statistics for the single rule application

type RuleStatus added in v1.5.0

// RuleStatus represents the status of rule execution. Its underlying type is
// int, so an unset RuleStatus holds 0, the value of the first declared
// constant.
type RuleStatus int

RuleStatus represents the status of rule execution

// The RuleStatus values are assigned by iota in declaration order, starting
// at 0. RuleStatusPass is therefore the zero value: a RuleStatus that was
// never assigned is indistinguishable from an explicit pass, so producers
// should always set the status and consumers should not treat "pass" as
// proof that the rule was evaluated.
const (
	// RuleStatusPass indicates that the resource meets the policy rule requirements
	RuleStatusPass RuleStatus = iota
	// RuleStatusFail indicates that the resource does not meet the policy rule requirements
	RuleStatusFail
	// RuleStatusWarn indicates that the resource does not meet the policy rule requirements, but the policy is not scored
	RuleStatusWarn
	// RuleStatusError indicates that the policy rule could not be evaluated due to a processing error, for
	// example when a variable cannot be resolved in the policy rule definition. Note that variables
	// that cannot be resolved in preconditions are replaced with empty values to allow existence
	// checks.
	RuleStatusError
	// RuleStatusSkip indicates that the policy rule was not selected based on user inputs or applicability, for example
	// when preconditions are not met, or when conditional or global anchors are not satisfied.
	RuleStatusSkip
)

RuleStatusPass is used to report the result of processing a rule.

func (*RuleStatus) MarshalJSON added in v1.5.0

func (s *RuleStatus) MarshalJSON() ([]byte, error)

MarshalJSON marshals the enum as a quoted json string

func (*RuleStatus) String added in v1.5.0

func (s *RuleStatus) String() string

func (*RuleStatus) UnmarshalJSON added in v1.5.0

func (s *RuleStatus) UnmarshalJSON(b []byte) error

UnmarshalJSON unmarshals a quoted json string to the enum value

func (*RuleStatus) UnmarshalYAML added in v1.5.0

func (s *RuleStatus) UnmarshalYAML(unmarshal func(interface{}) error) error

type RuleType added in v1.7.0

// RuleType names the kind of rule a RuleResponse belongs to. It is a plain
// string type, so values other than the constants below are representable.
type RuleType string
const (
	// Mutation type for mutation rule
	Mutation RuleType = "Mutation"
	// Validation type for validation rule
	Validation RuleType = "Validation"
	// Generation type for generation rule
	Generation RuleType = "Generation"
	// ImageVerify type for image verification
	ImageVerify RuleType = "ImageVerify"
)

type ValidationFailureActionOverride added in v1.6.0

// ValidationFailureActionOverride pairs a validation failure action with the
// namespaces it is listed for.
// NOTE(review): whether entries in Namespaces are matched literally or as
// patterns is not visible in this declaration — confirm before relying on an
// override to enforce a policy in a given namespace.
type ValidationFailureActionOverride struct {
	Action     kyvernov1.ValidationFailureAction `json:"action"`
	Namespaces []string                          `json:"namespaces"`
}
