Constants ¶
const META_POLICY = `` /* 886-byte string literal not displayed */
This policy produces the following outputs that govern program behavior:
- ok: boolean, true if and only if the meta-policy passes
- all_policies: []string, the names of the policies loaded under the `docker_socket_authorizer` namespace
- invalid_policies: []string, the names of policies that do not produce a valid `result` and `message`
- invalid_storage: []string, the names of policies that do not produce a valid `to_store` object
const QUERY = `` /* 1355-byte string literal not displayed */
This query produces the following outputs that govern program behavior:
- ok: boolean, true if and only if the request is approved
- meta_policy_ok: boolean, true if and only if the meta-policy passes
- all_policies: []string, the names of the policies loaded under the `docker_socket_authorizer` namespace
- to_store: map[string]interface{}, a map from policy name to the data to store for that policy

This query also produces the following outputs, which are used only for logging:
- denies: map[string]string, a map from policy name to message for each policy whose result is "deny"
- allows: map[string]string, a map from policy name to message for each policy whose result is "allow"
- skips: map[string]string, a map from policy name to message for each policy whose result is "skip"
- invalid_policies: []string, the names of policies that do not produce a valid `result` and `message`
- invalid_storage: []string, the names of policies that do not produce a valid `to_store` object
Variables ¶
var ( Evaluator atomic.Pointer[RegoEvaluator] = atomic.Pointer[RegoEvaluator]{} GlobalPolicyWatcher atomic.Pointer[PolicyWatcher] = atomic.Pointer[PolicyWatcher]{} )
Functions ¶
func InitializePolicies ¶
func InitializePolicies(cfg *config.Configuration) error
func LoadPolicies ¶
func LoadPolicies() error
Types ¶
type PolicyWatcher ¶
type PolicyWatcher struct {
// contains filtered or unexported fields
}
func WatchPolicies ¶
func WatchPolicies() (*PolicyWatcher, error)
func (*PolicyWatcher) Close ¶
func (pw *PolicyWatcher) Close()
Close is idempotent: the shutdown logic runs only once (guarded by an atomic bool), so repeated calls are safe no-ops.
type RegoEvaluator ¶
type RegoEvaluator struct {
// contains filtered or unexported fields
}
func NewEvaluator ¶
func NewEvaluator(policyLoader func(*rego.Rego)) (*RegoEvaluator, error)
func (*RegoEvaluator) EvaluateQuery ¶
func (r *RegoEvaluator) EvaluateQuery(ctx context.Context, options ...rego.EvalOption) (rego.ResultSet, error)
func (*RegoEvaluator) WriteToStorage ¶
func (r *RegoEvaluator) WriteToStorage(ctx context.Context, toStore map[string]interface{}) error