Documentation ¶
Index ¶
- Constants
- func ApplyPatchNew(resource, patch []byte) ([]byte, error)
- func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error)
- func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error)
- func FormAbsolutePath(referencePath, absolutePath string) string
- func JoinPatches(patches [][]byte) []byte
- func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule) bool
- func ParseKindFromObject(bytes []byte) string
- func ParseNameFromObject(bytes []byte) string
- func ParseNamespaceFromObject(bytes []byte) string
- func ParseResourceInfoFromObject(rawResource []byte) string
- func ValidateValueWithPattern(value, pattern interface{}) bool
- type Condition
- type ConditionAnchorHandler
- type DefaultHandler
- type EngineResponse
- type EngineStats
- type EqualityHandler
- type ExistanceHandler
- type NegationHandler
- type Operator
- type PolicyContext
- type PolicyResponse
- type PolicyStats
- type RequestInfo
- type ResourceSpec
- type RuleResponse
- type RuleStats
- type RuleType
- type ValidationHandler
- func CreateElementHandler(element string, pattern interface{}, path string) ValidationHandler
- func NewConditionAnchorHandler(anchor string, pattern interface{}, path string) ValidationHandler
- func NewDefaultHandler(element string, pattern interface{}, path string) ValidationHandler
- func NewEqualityHandler(anchor string, pattern interface{}, path string) ValidationHandler
- func NewExistanceHandler(anchor string, pattern interface{}, path string) ValidationHandler
- func NewNegationHandler(anchor string, pattern interface{}, path string) ValidationHandler
Constants ¶
// SaPrefix is the username prefix the Kubernetes API server assigns to
// service-account identities ("system:serviceaccount:<namespace>:<name>").
// Callers compare it against the admission request's user name to tell a
// service account apart from a human or external user.
const SaPrefix = "system:serviceaccount:"
Variables ¶
This section is empty.
Functions ¶
func ApplyPatchNew ¶ added in v0.9.0
ApplyPatchNew applies the given joined patches to the given resource.
func ApplyPatches ¶
ApplyPatches applies the given patches to the given resource and returns the patched document.
func ConvertToUnstructured ¶ added in v0.8.0
func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error)
func FormAbsolutePath ¶ added in v0.4.0
FormAbsolutePath returns the absolute path.
func JoinPatches ¶
JoinPatches joins an array of serialized JSON patches into a single JSON Patch array.
func MatchesResourceDescription ¶ added in v0.8.0
func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule) bool
MatchesResourceDescription reports whether the resource matches the rule's resource description.
func ParseKindFromObject ¶ added in v0.5.0
ParseKindFromObject extracts the kind from the resource.
func ParseNameFromObject ¶
ParseNameFromObject extracts the resource name from the JSON object.
func ParseNamespaceFromObject ¶
ParseNamespaceFromObject extracts the namespace from the JSON object.
func ParseResourceInfoFromObject ¶ added in v0.7.0
ParseResourceInfoFromObject extracts kind/namespace/name from the resource.
func ValidateValueWithPattern ¶
func ValidateValueWithPattern(value, pattern interface{}) bool
ValidateValueWithPattern validates the value against a pattern that may contain operators and wildcards.
Types ¶
type ConditionAnchorHandler ¶ added in v0.10.0
// ConditionAnchorHandler provides the handler for a condition anchor.
// Its fields are unexported; NewConditionAnchorHandler is the constructor
// documented alongside it (presumably it returns one of these — confirm).
type ConditionAnchorHandler struct {
	// contains filtered or unexported fields
}
ConditionAnchorHandler provides the handler for a condition anchor.
type DefaultHandler ¶ added in v0.10.0
// DefaultHandler provides the handler for a non-anchor element.
// Its fields are unexported; NewDefaultHandler is the constructor documented
// alongside it (presumably it returns one of these — confirm).
type DefaultHandler struct {
	// contains filtered or unexported fields
}
DefaultHandler provides the handler for a non-anchor element.
type EngineResponse ¶ added in v0.8.0
// EngineResponse is the engine's response to a policy action (see Mutate,
// Validate and Generate).
type EngineResponse struct {
	// PatchedResource is the resource after the engine's action changes were applied.
	PatchedResource unstructured.Unstructured
	// PolicyResponse is the policy-level response.
	PolicyResponse PolicyResponse
}
EngineResponse is the engine's response to the action.
func Generate ¶
func Generate(policyContext PolicyContext) (response EngineResponse)
Generate applies generation rules to a resource.
func Mutate ¶
func Mutate(policyContext PolicyContext) (response EngineResponse)
Mutate performs mutation: overlay first, then mutation patches.
func Validate ¶
func Validate(policyContext PolicyContext) (response EngineResponse)
Validate applies validation rules from policy on the resource
func (EngineResponse) GetFailedRules ¶ added in v0.10.0
func (er EngineResponse) GetFailedRules() []string
GetFailedRules returns failed rules
func (EngineResponse) GetPatches ¶ added in v0.10.0
func (er EngineResponse) GetPatches() [][]byte
GetPatches returns all the patches joined
func (EngineResponse) GetSuccessRules ¶ added in v0.10.0
func (er EngineResponse) GetSuccessRules() []string
GetSuccessRules returns success rules
func (EngineResponse) IsSuccesful ¶ added in v0.10.0
func (er EngineResponse) IsSuccesful() bool
IsSuccesful reports whether no rule has failed (true when every rule succeeded).
type EngineStats ¶ added in v0.8.0
// EngineStats stores the statistics for a single application to a resource.
type EngineStats struct {
	// ExecutionTime is the average time required to process the policy rules on a resource.
	ExecutionTime time.Duration
	// RulesAppliedCount is the count of rules that were applied successfully.
	RulesAppliedCount int
}
EngineStats stores the statistics for a single application to a resource.
type EqualityHandler ¶ added in v0.10.0
// EqualityHandler is the handler returned for an equality anchor by
// NewEqualityHandler (presumably — its fields are unexported; confirm).
type EqualityHandler struct {
	// contains filtered or unexported fields
}
EqualityHandler provides handler for non anchor element
type ExistanceHandler ¶ added in v0.10.0
// ExistanceHandler provides the handler for an existence anchor.
// Its fields are unexported; NewExistanceHandler is the constructor documented
// alongside it (presumably it returns one of these — confirm).
type ExistanceHandler struct {
	// contains filtered or unexported fields
}
ExistanceHandler provides the handler for an existence anchor.
type NegationHandler ¶ added in v0.10.0
// NegationHandler provides the handler that checks that the tag in the anchor
// is not defined. Its fields are unexported; NewNegationHandler is the
// constructor documented alongside it (presumably it returns one of these — confirm).
type NegationHandler struct {
	// contains filtered or unexported fields
}
NegationHandler provides the handler that checks that the tag in the anchor is not defined.
type Operator ¶
type Operator string
Operator is a string alias representing the selection-operator enum.
type PolicyContext ¶ added in v1.0.0
// PolicyContext contains the context the engine needs to process one policy
// against one resource.
type PolicyContext struct {
	// Policy is the policy to be processed.
	Policy kyverno.ClusterPolicy
	// NewResource is the resource to be processed.
	NewResource unstructured.Unstructured
	// OldResource is the previous version of the resource; only relevant for update operations.
	OldResource unstructured.Unstructured
	// AdmissionInfo carries the requesting subject's identity (user info,
	// roles, cluster roles) taken from the admission request.
	AdmissionInfo RequestInfo
	// Client is the dynamic client used by generate.
	// NOTE(review): generate rules presumably act with this client's own
	// credentials rather than the requester's, so the match on AdmissionInfo
	// is what bounds who can trigger them — confirm against the generate path.
	Client *client.Client
}
PolicyContext contains the context for the engine to process.
type PolicyResponse ¶ added in v0.9.0
// PolicyResponse is the response of a single policy application.
type PolicyResponse struct {
	// Policy is the policy name.
	Policy string `json:"policy"`
	// Resource identifies the resource the policy was applied to.
	Resource ResourceSpec `json:"resource"`
	// PolicyStats holds the policy statistics.
	// NOTE(review): encoding/json has no ",inline" option; embedded structs are
	// flattened regardless, so the tag is harmless but only meaningful to YAML
	// libraries that honour it.
	PolicyStats `json:",inline"`
	// Rules holds the per-rule responses.
	Rules []RuleResponse `json:"rules"`
	// ValidationFailureAction is "audit" (the default if not set) or "enforce".
	// NOTE(review): no json tag, so it serialises as "ValidationFailureAction",
	// unlike the lowerCamelCase keys of the other fields — confirm that is intended.
	ValidationFailureAction string
}
PolicyResponse is the response of a policy application.
type PolicyStats ¶ added in v0.9.0
// PolicyStats stores the statistics for a single policy application.
type PolicyStats struct {
	// ProcessingTime is the time required to process the policy rules on a resource.
	ProcessingTime time.Duration `json:"processingTime"`
	// RulesAppliedCount is the count of rules that were applied successfully.
	RulesAppliedCount int `json:"rulesAppliedCount"`
}
PolicyStats stores the statistics for a single policy application.
type RequestInfo ¶ added in v1.0.0
// RequestInfo contains the permission information carried in an admission
// request. Rule matching on the requesting subject is based on these fields.
// NOTE(review): they should be populated only from the API server's admission
// review, never from the object under review — confirm at the call site.
type RequestInfo struct {
	// Roles lists the roles that may have sent the request.
	Roles []string
	// ClusterRoles lists the cluster roles that may have sent the request.
	ClusterRoles []string
	// AdmissionUserInfo is the user info carried in the admission request.
	AdmissionUserInfo authenticationv1.UserInfo
}
RequestInfo contains permission info carried in an admission request
type ResourceSpec ¶ added in v0.9.0
// ResourceSpec identifies the resource an action was applied to.
type ResourceSpec struct {
	//TODO: support ApiVersion
	// NOTE(review): the TODO above looks stale — an APIVersion field is declared below.
	// Kind is the resource kind.
	Kind string `json:"kind"`
	// APIVersion is the resource API version.
	APIVersion string `json:"apiVersion"`
	// Namespace is the resource namespace.
	Namespace string `json:"namespace"`
	// Name is the resource name.
	Name string `json:"name"`
}
ResourceSpec identifies the resource the action was applied to.
type RuleResponse ¶ added in v0.9.0
// RuleResponse holds the details of a single rule application.
type RuleResponse struct {
	// Name is the rule name specified in the policy.
	Name string `json:"name"`
	// Type is the rule type (Mutation, Generation, Validation) for a Kyverno policy.
	Type string `json:"type"`
	// Message is the message response from the rule application.
	Message string `json:"message"`
	// Patches holds the JSON patches produced by mutation rules.
	// NOTE(review): each patch is a []byte, so encoding/json emits it as a
	// base64 string rather than as a JSON Patch object — confirm consumers expect that.
	Patches [][]byte `json:"patches,omitempty"`
	// Success reports whether the rule succeeded (true) or failed (false).
	Success bool `json:"success"`
	// RuleStats holds the rule statistics.
	RuleStats `json:",inline"`
}
RuleResponse holds the details of each rule application.
func (RuleResponse) ToString ¶ added in v0.9.0
func (rr RuleResponse) ToString() string
ToString returns a string representation of the rule response.
type RuleStats ¶ added in v0.9.0
// RuleStats stores the statistics for a single rule application.
type RuleStats struct {
	// ProcessingTime is the time required to apply the rule to the resource.
	ProcessingTime time.Duration `json:"processingTime"`
}
RuleStats stores the statistics for a single rule application.
type ValidationHandler ¶ added in v0.10.0
// ValidationHandler processes one element of a validation pattern against the
// resource. CreateElementHandler is the factory that selects an implementation
// (condition, equality, existence, negation or default) for an element.
type ValidationHandler interface {
	// Handle validates resourceMap against originPattenr for this handler's
	// element. The meaning of the returned string is not documented here —
	// presumably the path of the violating element — TODO confirm.
	Handle(resourceMap map[string]interface{}, originPattenr interface{}) (string, error)
}
ValidationHandler is the handler that processes an element.
func CreateElementHandler ¶ added in v0.10.0
func CreateElementHandler(element string, pattern interface{}, path string) ValidationHandler
CreateElementHandler is a factory that returns the handler used to process an element.
func NewConditionAnchorHandler ¶ added in v0.10.0
func NewConditionAnchorHandler(anchor string, pattern interface{}, path string) ValidationHandler
NewConditionAnchorHandler returns an instance of the condition anchor handler.
func NewDefaultHandler ¶ added in v0.10.0
func NewDefaultHandler(element string, pattern interface{}, path string) ValidationHandler
NewDefaultHandler returns the handler for non-anchor elements.
func NewEqualityHandler ¶ added in v0.10.0
func NewEqualityHandler(anchor string, pattern interface{}, path string) ValidationHandler
NewEqualityHandler returns an instance of the equality handler.
func NewExistanceHandler ¶ added in v0.10.0
func NewExistanceHandler(anchor string, pattern interface{}, path string) ValidationHandler
NewExistanceHandler returns the existence handler.
func NewNegationHandler ¶ added in v0.10.0
func NewNegationHandler(anchor string, pattern interface{}, path string) ValidationHandler
NewNegationHandler returns an instance of the negation handler.