Documentation ¶
Overview ¶
Package admissionregistration is the internal version of the API. AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration ValidatingWebhookConfiguration, and MutatingWebhookConfiguration are for the new dynamic admission controller configuration.
Index ¶
- Constants
- Variables
- func DropDisabledMutatingWebhookConfigurationFields(...)
- func DropDisabledValidatingWebhookConfigurationFields(...)
- func Kind(kind string) schema.GroupKind
- func Resource(resource string) schema.GroupResource
- type AuditAnnotation
- type ExpressionWarning
- type FailurePolicyType
- type MatchCondition
- type MatchPolicyType
- type MatchResources
- type MutatingWebhook
- type MutatingWebhookConfiguration
- type MutatingWebhookConfigurationList
- type NamedRuleWithOperations
- type OperationType
- type ParamKind
- type ParamRef
- type ParameterNotFoundActionType
- type ReinvocationPolicyType
- type Rule
- type RuleWithOperations
- type ScopeType
- type ServiceReference
- type SideEffectClass
- type TypeChecking
- type ValidatingAdmissionPolicy
- type ValidatingAdmissionPolicyBinding
- type ValidatingAdmissionPolicyBindingList
- type ValidatingAdmissionPolicyBindingSpec
- type ValidatingAdmissionPolicyConditionType
- type ValidatingAdmissionPolicyList
- type ValidatingAdmissionPolicySpec
- type ValidatingAdmissionPolicyStatus
- type ValidatingWebhook
- type ValidatingWebhookConfiguration
- type ValidatingWebhookConfigurationList
- type Validation
- type ValidationAction
- type Variable
- type WebhookClientConfig
Constants ¶
const GroupName = "admissionregistration.k8s.io"
GroupName is the name used for this API group
Variables ¶
var ( // SchemeBuilder is the scheme builder with scheme init functions to run for this API package SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) // AddToScheme is a global function that registers this API group & version to a scheme AddToScheme = SchemeBuilder.AddToScheme )
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
SchemeGroupVersion is group version used to register these objects
Functions ¶
func DropDisabledMutatingWebhookConfigurationFields ¶ added in v1.27.0
func DropDisabledMutatingWebhookConfigurationFields(mutatingWebhookConfiguration, oldMutatingWebhookConfiguration *MutatingWebhookConfiguration)
DropDisabledMutatingWebhookConfigurationFields removes disabled fields from the mutatingWebhookConfiguration metadata and spec. This should be called from PrepareForCreate/PrepareForUpdate for all resources containing a mutatingWebhookConfiguration
func DropDisabledValidatingWebhookConfigurationFields ¶ added in v1.27.0
func DropDisabledValidatingWebhookConfigurationFields(validatingWebhookConfiguration, oldValidatingWebhookConfiguration *ValidatingWebhookConfiguration)
DropDisabledValidatingWebhookConfigurationFields removes disabled fields from the validatingWebhookConfiguration metadata and spec. This should be called from PrepareForCreate/PrepareForUpdate for all resources containing a validatingWebhookConfiguration
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns back a Group qualified GroupResource
Types ¶
type AuditAnnotation ¶ added in v1.27.0
type AuditAnnotation struct { // key specifies the audit annotation key. The audit annotation keys of // a ValidatingAdmissionPolicy must be unique. The key must be a qualified // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. // // The key is combined with the resource name of the // ValidatingAdmissionPolicy to construct an audit annotation key: // "{ValidatingAdmissionPolicy name}/{key}". // // If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy // and the same audit annotation key, the annotation key will be identical. // In this case, the first annotation written with the key will be included // in the audit event and all subsequent annotations with the same key // will be discarded. // // Required. Key string // valueExpression represents the expression which is evaluated by CEL to // produce an audit annotation value. The expression must evaluate to either // a string or null value. If the expression evaluates to a string, the // audit annotation is included with the string value. If the expression // evaluates to null or empty string the audit annotation will be omitted. // The valueExpression may be no longer than 5kb in length. // If the result of the valueExpression is more than 10kb in length, it // will be truncated to 10kb. // // If multiple ValidatingAdmissionPolicyBinding resources match an // API request, then the valueExpression will be evaluated for // each binding. All unique values produced by the valueExpressions // will be joined together in a comma-separated list. // // Required. ValueExpression string }
AuditAnnotation describes how to produce an audit annotation for an API request.
func (*AuditAnnotation) DeepCopy ¶ added in v1.27.0
func (in *AuditAnnotation) DeepCopy() *AuditAnnotation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditAnnotation.
func (*AuditAnnotation) DeepCopyInto ¶ added in v1.27.0
func (in *AuditAnnotation) DeepCopyInto(out *AuditAnnotation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ExpressionWarning ¶ added in v1.27.0
type ExpressionWarning struct { // The path to the field that refers the expression. // For example, the reference to the expression of the first item of // validations is "spec.validations[0].expression" FieldRef string // The content of type checking information in a human-readable form. // Each line of the warning contains the type that the expression is checked // against, followed by the type check error from the compiler. Warning string }
ExpressionWarning is a warning information that targets a specific expression.
func (*ExpressionWarning) DeepCopy ¶ added in v1.27.0
func (in *ExpressionWarning) DeepCopy() *ExpressionWarning
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExpressionWarning.
func (*ExpressionWarning) DeepCopyInto ¶ added in v1.27.0
func (in *ExpressionWarning) DeepCopyInto(out *ExpressionWarning)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FailurePolicyType ¶
type FailurePolicyType string
FailurePolicyType specifies the type of failure policy
const ( // Ignore means that an error calling the webhook is ignored. Ignore FailurePolicyType = "Ignore" // Fail means that an error calling the webhook causes the admission to fail. Fail FailurePolicyType = "Fail" )
type MatchCondition ¶ added in v1.27.0
type MatchCondition struct { // Name is an identifier for this match condition, used for strategic merging of MatchConditions, // as well as providing an identifier for logging purposes. A good name should be descriptive of // the associated expression. // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and // must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') // // Required. Name string // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: // // 'object' - The object from the incoming request. The value is null for DELETE requests. // 'oldObject' - The existing object. The value is null for CREATE requests. // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the // request resource. // 'variables' - Map of composited variables, from its name to its lazily evaluated value. // For example, a variable named 'foo' can be access as 'variables.foo' // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ // // Required. Expression string }
MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
func (*MatchCondition) DeepCopy ¶ added in v1.27.0
func (in *MatchCondition) DeepCopy() *MatchCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchCondition.
func (*MatchCondition) DeepCopyInto ¶ added in v1.27.0
func (in *MatchCondition) DeepCopyInto(out *MatchCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MatchPolicyType ¶ added in v1.15.0
type MatchPolicyType string
MatchPolicyType specifies the type of match policy
const ( // Exact means requests should only be sent to the webhook if they exactly match a given rule Exact MatchPolicyType = "Exact" // Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version. Equivalent MatchPolicyType = "Equivalent" )
type MatchResources ¶ added in v1.26.0
type MatchResources struct { // NamespaceSelector decides whether to run the admission control policy on an object based // on whether the namespace for that object matches the selector. If the // object itself is a namespace, the matching is performed on // object.metadata.labels. If the object is another cluster scoped resource, // it never skips the policy. // // For example, to run the webhook on any objects whose namespace is not // associated with "runlevel" of "0" or "1"; you will set the selector as // follows: // "namespaceSelector": { // "matchExpressions": [ // { // "key": "runlevel", // "operator": "NotIn", // "values": [ // "0", // "1" // ] // } // ] // } // // If instead you want to only run the policy on any objects whose // namespace is associated with the "environment" of "prod" or "staging"; // you will set the selector as follows: // "namespaceSelector": { // "matchExpressions": [ // { // "key": "environment", // "operator": "In", // "values": [ // "prod", // "staging" // ] // } // ] // } // // See // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ // for more examples of label selectors. // // Default to the empty LabelSelector, which matches everything. // +optional NamespaceSelector *metav1.LabelSelector // ObjectSelector decides whether to run the validation based on if the // object has matching labels. objectSelector is evaluated against both // the oldObject and newObject that would be sent to the cel validation, and // is considered to match if either object matches the selector. A null // object (oldObject in the case of create, or newObject in the case of // delete) or an object that cannot have labels (like a // DeploymentRollback or a PodProxyOptions object) is not considered to // match. // Use the object selector only if the webhook is opt-in, because end // users may skip the admission webhook by setting the labels. // Default to the empty LabelSelector, which matches everything. // +optional ObjectSelector *metav1.LabelSelector // ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. // The policy cares about an operation if it matches _any_ Rule. // +optional ResourceRules []NamedRuleWithOperations // ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. // The exclude rules take precedence over include rules (if a resource matches both, it is excluded) // +optional ExcludeResourceRules []NamedRuleWithOperations // matchPolicy defines how the "MatchResources" list is used to match incoming requests. // Allowed values are "Exact" or "Equivalent". // // - Exact: match a request only if it exactly matches a specified rule. // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. // // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. // // Defaults to "Equivalent" // +optional MatchPolicy *MatchPolicyType }
MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
func (*MatchResources) DeepCopy ¶ added in v1.26.0
func (in *MatchResources) DeepCopy() *MatchResources
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.
func (*MatchResources) DeepCopyInto ¶ added in v1.26.0
func (in *MatchResources) DeepCopyInto(out *MatchResources)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MutatingWebhook ¶ added in v1.15.0
type MutatingWebhook struct { // The name of the admission webhook. // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where // "imagepolicy" is the name of the webhook, and kubernetes.io is the name // of the organization. // Required. Name string // ClientConfig defines how to communicate with the hook. // Required ClientConfig WebhookClientConfig // Rules describes what operations on what resources/subresources the webhook cares about. // The webhook cares about an operation if it matches _any_ Rule. Rules []RuleWithOperations // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - // allowed values are Ignore or Fail. Defaults to Ignore. // +optional FailurePolicy *FailurePolicyType // matchPolicy defines how the "rules" list is used to match incoming requests. // Allowed values are "Exact" or "Equivalent". // // - Exact: match a request only if it exactly matches a specified rule. // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. // // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. // // +optional MatchPolicy *MatchPolicyType // NamespaceSelector decides whether to run the webhook on an object based // on whether the namespace for that object matches the selector. If the // object itself is a namespace, the matching is performed on // object.metadata.labels. If the object is another cluster scoped resource, // it never skips the webhook. // // For example, to run the webhook on any objects whose namespace is not // associated with "runlevel" of "0" or "1"; you will set the selector as // follows: // "namespaceSelector": { // "matchExpressions": [ // { // "key": "runlevel", // "operator": "NotIn", // "values": [ // "0", // "1" // ] // } // ] // } // // If instead you want to only run the webhook on any objects whose // namespace is associated with the "environment" of "prod" or "staging"; // you will set the selector as follows: // "namespaceSelector": { // "matchExpressions": [ // { // "key": "environment", // "operator": "In", // "values": [ // "prod", // "staging" // ] // } // ] // } // // See // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ // for more examples of label selectors. // // Default to the empty LabelSelector, which matches everything. // +optional NamespaceSelector *metav1.LabelSelector // ObjectSelector decides whether to run the webhook based on if the // object has matching labels. objectSelector is evaluated against both // the oldObject and newObject that would be sent to the webhook, and // is considered to match if either object matches the selector. A null // object (oldObject in the case of create, or newObject in the case of // delete) or an object that cannot have labels (like a // DeploymentRollback or a PodProxyOptions object) is not considered to // match. // Use the object selector only if the webhook is opt-in, because end // users may skip the admission webhook by setting the labels. // Default to the empty LabelSelector, which matches everything. // +optional ObjectSelector *metav1.LabelSelector // SideEffects states whether this webhook has side effects. // Acceptable values are: Unknown, None, Some, NoneOnDryRun // Webhooks with side effects MUST implement a reconciliation system, since a request may be // rejected by a future step in the admission chain and the side effects therefore need to be undone. // Requests with the dryRun attribute will be auto-rejected if they match a webhook with // sideEffects == Unknown or Some. Defaults to Unknown. // +optional SideEffects *SideEffectClass // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, // the webhook call will be ignored or the API call will fail based on the // failure policy. // The timeout value must be between 1 and 30 seconds. // +optional TimeoutSeconds *int32 // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` // versions the Webhook expects. API server will try to use first version in // the list which it supports. If none of the versions specified in this list // supported by API server, validation will fail for this object. // If the webhook configuration has already been persisted with a version apiserver // does not understand, calls to the webhook will fail and be subject to the failure policy. // +optional AdmissionReviewVersions []string // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. // Allowed values are "Never" and "IfNeeded". // // Never: the webhook will not be called more than once in a single admission evaluation. // // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation // if the object being admitted is modified by other admission plugins after the initial webhook call. // Webhooks that specify this option *must* be idempotent, and hence able to process objects they previously admitted. // Note: // * the number of additional invocations is not guaranteed to be exactly one. // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. // * webhooks that use this option may be reordered to minimize the number of additional invocations. // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. // // Defaults to "Never". // +optional ReinvocationPolicy *ReinvocationPolicyType // MatchConditions is a list of conditions that must be met for a request to be sent to this // webhook. Match conditions filter requests that have already been matched by the rules, // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. // There are a maximum of 64 match conditions allowed. // // The exact matching logic is (in order): // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. // 3. If any matchCondition evaluates to an error (but none are FALSE): // - If failurePolicy=Fail, reject the request // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped // // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. // // +featureGate=AdmissionWebhookMatchConditions // +optional MatchConditions []MatchCondition }
MutatingWebhook describes an admission webhook and the resources and operations it applies to.
func (*MutatingWebhook) DeepCopy ¶ added in v1.15.0
func (in *MutatingWebhook) DeepCopy() *MutatingWebhook
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutatingWebhook.
func (*MutatingWebhook) DeepCopyInto ¶ added in v1.15.0
func (in *MutatingWebhook) DeepCopyInto(out *MutatingWebhook)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MutatingWebhookConfiguration ¶ added in v1.9.0
type MutatingWebhookConfiguration struct { metav1.TypeMeta // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. // +optional metav1.ObjectMeta // Webhooks is a list of webhooks and the affected resources and operations. // +optional Webhooks []MutatingWebhook }
MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
func (*MutatingWebhookConfiguration) DeepCopy ¶ added in v1.9.0
func (in *MutatingWebhookConfiguration) DeepCopy() *MutatingWebhookConfiguration
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutatingWebhookConfiguration.
func (*MutatingWebhookConfiguration) DeepCopyInto ¶ added in v1.9.0
func (in *MutatingWebhookConfiguration) DeepCopyInto(out *MutatingWebhookConfiguration)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*MutatingWebhookConfiguration) DeepCopyObject ¶ added in v1.9.0
func (in *MutatingWebhookConfiguration) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type MutatingWebhookConfigurationList ¶ added in v1.9.0
type MutatingWebhookConfigurationList struct { metav1.TypeMeta // Standard list metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds // +optional metav1.ListMeta // List of MutatingWebhookConfiguration. Items []MutatingWebhookConfiguration }
MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
func (*MutatingWebhookConfigurationList) DeepCopy ¶ added in v1.9.0
func (in *MutatingWebhookConfigurationList) DeepCopy() *MutatingWebhookConfigurationList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutatingWebhookConfigurationList.
func (*MutatingWebhookConfigurationList) DeepCopyInto ¶ added in v1.9.0
func (in *MutatingWebhookConfigurationList) DeepCopyInto(out *MutatingWebhookConfigurationList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*MutatingWebhookConfigurationList) DeepCopyObject ¶ added in v1.9.0
func (in *MutatingWebhookConfigurationList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type NamedRuleWithOperations ¶ added in v1.26.0
type NamedRuleWithOperations struct { // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. // +optional ResourceNames []string // RuleWithOperations is a tuple of Operations and Resources. RuleWithOperations RuleWithOperations }
NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
func (*NamedRuleWithOperations) DeepCopy ¶ added in v1.26.0
func (in *NamedRuleWithOperations) DeepCopy() *NamedRuleWithOperations
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedRuleWithOperations.
func (*NamedRuleWithOperations) DeepCopyInto ¶ added in v1.26.0
func (in *NamedRuleWithOperations) DeepCopyInto(out *NamedRuleWithOperations)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OperationType ¶
type OperationType string
OperationType specifies what type of operation the admission hook cares about.
const ( OperationAll OperationType = "*" Create OperationType = "CREATE" Update OperationType = "UPDATE" Delete OperationType = "DELETE" Connect OperationType = "CONNECT" )
The constants should be kept in sync with those defined in k8s.io/kubernetes/pkg/admission/interface.go.
type ParamKind ¶ added in v1.26.0
type ParamKind struct { // APIVersion is the API group version the resources belong to. // In format of "group/version". // Required. APIVersion string // Kind is the API kind the resources belong to. // Required. Kind string }
ParamKind is a tuple of Group Kind and Version.
func (*ParamKind) DeepCopy ¶ added in v1.26.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParamKind.
func (*ParamKind) DeepCopyInto ¶ added in v1.26.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ParamRef ¶ added in v1.26.0
type ParamRef struct { // name is the name of the resource being referenced. // // One of `name` or `selector` must be set, but `name` and `selector` are // mutually exclusive properties. If one is set, the other must be unset. // // A single parameter used for all admission requests can be configured // by setting the `name` field, leaving `selector` blank, and setting namespace // if `paramKind` is namespace-scoped. // // +optional Name string // namespace is the namespace of the referenced resource. Allows limiting // the search for params to a specific namespace. Applies to both `name` and // `selector` fields. // // A per-namespace parameter may be used by specifying a namespace-scoped // `paramKind` in the policy and leaving this field empty. // // - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this // field results in a configuration error. // // - If `paramKind` is namespace-scoped, the namespace of the object being // evaluated for admission will be used when this field is left unset. Take // care that if this is left empty the binding must not match any cluster-scoped // resources, which will result in an error. // // +optional Namespace string // selector can be used to match multiple param objects based on their labels. // Supply selector: {} to match all resources of the ParamKind. // // If multiple params are found, they are all evaluated with the policy expressions // and the results are ANDed together. // // One of `name` or `selector` must be set, but `name` and `selector` are // mutually exclusive properties. If one is set, the other must be unset. // // +optional Selector *metav1.LabelSelector // parameterNotFoundAction controls the behavior of the binding when the resource // exists, and name or selector is valid, but there are no parameters // matched by the binding. If the value is set to `Allow`, then no // matched parameters will be treated as successful validation by the binding. // If set to `Deny`, then no matched parameters will be subject to the // `failurePolicy` of the policy. // // Allowed values are `Allow` or `Deny` // // Required ParameterNotFoundAction *ParameterNotFoundActionType }
ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding. +structType=atomic
func (*ParamRef) DeepCopy ¶ added in v1.26.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParamRef.
func (*ParamRef) DeepCopyInto ¶ added in v1.26.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ParameterNotFoundActionType ¶ added in v1.28.0
type ParameterNotFoundActionType string
ParameterNotFoundActionType specifies a failure policy that defines how a binding is evaluated when the param referred by its perNamespaceParamRef is not found.
const ( // Allow means all requests will be admitted if no param resources // could be found. AllowAction ParameterNotFoundActionType = "Allow" // Deny means all requests will be denied if no param resources are found. DenyAction ParameterNotFoundActionType = "Deny" )
type ReinvocationPolicyType ¶ added in v1.15.0
type ReinvocationPolicyType string
ReinvocationPolicyType specifies what type of policy the admission hook uses.
var ( // NeverReinvocationPolicy indicates that the webhook must not be called more than once in a // single admission evaluation. NeverReinvocationPolicy ReinvocationPolicyType = "Never" // IfNeededReinvocationPolicy indicates that the webhook may be called at least one // additional time as part of the admission evaluation if the object being admitted is // modified by other admission plugins after the initial webhook call. IfNeededReinvocationPolicy ReinvocationPolicyType = "IfNeeded" )
type Rule ¶
type Rule struct { // APIGroups is the API groups the resources belong to. '*' is all groups. // If '*' is present, the length of the slice must be one. // Required. APIGroups []string // APIVersions is the API versions the resources belong to. '*' is all versions. // If '*' is present, the length of the slice must be one. // Required. APIVersions []string // Resources is a list of resources this rule applies to. // // For example: // 'pods' means pods. // 'pods/log' means the log subresource of pods. // '*' means all resources, but not subresources. // 'pods/*' means all subresources of pods. // '*/scale' means all scale subresources. // '*/*' means all resources and their subresources. // // If wildcard is present, the validation rule will ensure resources do not // overlap with each other. // // Depending on the enclosing object, subresources might not be allowed. // Required. Resources []string // scope specifies the scope of this rule. // Valid values are "Cluster", "Namespaced", and "*" // "Cluster" means that only cluster-scoped resources will match this rule. // Namespace API objects are cluster-scoped. // "Namespaced" means that only namespaced resources will match this rule. // "*" means that there are no scope restrictions. // Subresources match the scope of their parent resource. // Default is "*". // // +optional Scope *ScopeType }
Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended to make sure that all the tuple expansions are valid.
func (*Rule) DeepCopy ¶ added in v1.8.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
func (*Rule) DeepCopyInto ¶ added in v1.8.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuleWithOperations ¶
type RuleWithOperations struct { // Operations is the operations the admission hook cares about - CREATE, UPDATE, or * // for all operations. // If '*' is present, the length of the slice must be one. // Required. Operations []OperationType // Rule is embedded, it describes other criteria of the rule, like // APIGroups, APIVersions, Resources, etc. Rule }
RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.
func (*RuleWithOperations) DeepCopy ¶ added in v1.8.0
func (in *RuleWithOperations) DeepCopy() *RuleWithOperations
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleWithOperations.
func (*RuleWithOperations) DeepCopyInto ¶ added in v1.8.0
func (in *RuleWithOperations) DeepCopyInto(out *RuleWithOperations)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ScopeType ¶ added in v1.14.0
type ScopeType string
ScopeType specifies the type of scope being used
const ( // ClusterScope means that scope is limited to cluster-scoped objects. // Namespace objects are cluster-scoped. ClusterScope ScopeType = "Cluster" // NamespacedScope means that scope is limited to namespaced objects. NamespacedScope ScopeType = "Namespaced" // AllScopes means that all scopes are included. AllScopes ScopeType = "*" )
type ServiceReference ¶
type ServiceReference struct { // `namespace` is the namespace of the service. // Required Namespace string // `name` is the name of the service. // Required Name string // `path` is an optional URL path which will be sent in any request to // this service. // +optional Path *string // If specified, the port on the service that hosting webhook. // `port` should be a valid port number (1-65535, inclusive). // +optional Port int32 }
ServiceReference holds a reference to Service.legacy.k8s.io
func (*ServiceReference) DeepCopy ¶ added in v1.8.0
func (in *ServiceReference) DeepCopy() *ServiceReference
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceReference.
func (*ServiceReference) DeepCopyInto ¶ added in v1.8.0
func (in *ServiceReference) DeepCopyInto(out *ServiceReference)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SideEffectClass ¶ added in v1.12.0
type SideEffectClass string
SideEffectClass denotes the type of side effects resulting from calling the webhook
const ( // SideEffectClassUnknown means that no information is known about the side effects of calling the webhook. // If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. SideEffectClassUnknown SideEffectClass = "Unknown" // SideEffectClassNone means that calling the webhook will have no side effects. SideEffectClassNone SideEffectClass = "None" // SideEffectClassSome means that calling the webhook will possibly have side effects. // If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. SideEffectClassSome SideEffectClass = "Some" // SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the // request being reviewed has the dry-run attribute, the side effects will be suppressed. SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun" )
type TypeChecking ¶ added in v1.27.0
type TypeChecking struct { // The type checking warnings for each expression. // +optional // +listType=atomic ExpressionWarnings []ExpressionWarning }
TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy
func (*TypeChecking) DeepCopy ¶ added in v1.27.0
func (in *TypeChecking) DeepCopy() *TypeChecking
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TypeChecking.
func (*TypeChecking) DeepCopyInto ¶ added in v1.27.0
func (in *TypeChecking) DeepCopyInto(out *TypeChecking)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidatingAdmissionPolicy ¶ added in v1.26.0
type ValidatingAdmissionPolicy struct { metav1.TypeMeta // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. // +optional metav1.ObjectMeta // Specification of the desired behavior of the ValidatingAdmissionPolicy. Spec ValidatingAdmissionPolicySpec // The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy // behaves in the expected way. // Populated by the system. // Read-only. // +optional Status ValidatingAdmissionPolicyStatus }
ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
func (*ValidatingAdmissionPolicy) DeepCopy ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicy) DeepCopy() *ValidatingAdmissionPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicy.
func (*ValidatingAdmissionPolicy) DeepCopyInto ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicy) DeepCopyInto(out *ValidatingAdmissionPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingAdmissionPolicy) DeepCopyObject ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingAdmissionPolicyBinding ¶ added in v1.26.0
type ValidatingAdmissionPolicyBinding struct { metav1.TypeMeta // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. // +optional metav1.ObjectMeta // Specification of the desired behavior of the ValidatingAdmissionPolicyBinding. Spec ValidatingAdmissionPolicyBindingSpec }
ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
For a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.
The CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.
func (*ValidatingAdmissionPolicyBinding) DeepCopy ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyBinding) DeepCopy() *ValidatingAdmissionPolicyBinding
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyBinding.
func (*ValidatingAdmissionPolicyBinding) DeepCopyInto ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyBinding) DeepCopyInto(out *ValidatingAdmissionPolicyBinding)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingAdmissionPolicyBinding) DeepCopyObject ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyBinding) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingAdmissionPolicyBindingList ¶ added in v1.26.0
type ValidatingAdmissionPolicyBindingList struct { metav1.TypeMeta // Standard list metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds // +optional metav1.ListMeta // List of PolicyBinding. Items []ValidatingAdmissionPolicyBinding }
ValidatingAdmissionPolicyBindingList is a list of PolicyBinding.
func (*ValidatingAdmissionPolicyBindingList) DeepCopy ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyBindingList) DeepCopy() *ValidatingAdmissionPolicyBindingList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyBindingList.
func (*ValidatingAdmissionPolicyBindingList) DeepCopyInto ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyBindingList) DeepCopyInto(out *ValidatingAdmissionPolicyBindingList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingAdmissionPolicyBindingList) DeepCopyObject ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyBindingList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingAdmissionPolicyBindingSpec ¶ added in v1.26.0
type ValidatingAdmissionPolicyBindingSpec struct { // PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. // If the referenced resource does not exist, this binding is considered invalid and will be ignored // Required. PolicyName string // paramRef specifies the parameter resource used to configure the admission control policy. // It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. // If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. // If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param. // +optional ParamRef *ParamRef // MatchResources declares what resources match this binding and will be validated by it. // Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. // If this is unset, all resources matched by the policy are validated by this binding // When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. // Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required. // +optional MatchResources *MatchResources // validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. // If a validation evaluates to false it is always enforced according to these actions. // // Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according // to these actions only if the FailurePolicy is set to Fail, otherwise the failures are // ignored. This includes compilation errors, runtime errors and misconfigurations of the policy. // // validationActions is declared as a set of action values. Order does // not matter. validationActions may not contain duplicates of the same action. // // The supported actions values are: // // "Deny" specifies that a validation failure results in a denied request. // // "Warn" specifies that a validation failure is reported to the request client // in HTTP Warning headers, with a warning code of 299. Warnings can be sent // both for allowed or denied admission responses. // // "Audit" specifies that a validation failure is included in the published // audit event for the request. The audit event will contain a // `validation.policy.admission.k8s.io/validation_failure` audit annotation // with a value containing the details of the validation failures, formatted as // a JSON list of objects, each with the following fields: // - message: The validation failure message string // - policy: The resource name of the ValidatingAdmissionPolicy // - binding: The resource name of the ValidatingAdmissionPolicyBinding // - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy // - validationActions: The enforcement actions enacted for the validation failure // Example audit annotation: // `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"` // // Clients should expect to handle additional values by ignoring // any values not recognized. // // "Deny" and "Warn" may not be used together since this combination // needlessly duplicates the validation failure both in the // API response body and the HTTP warning headers. // // Required. ValidationActions []ValidationAction }
ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
func (*ValidatingAdmissionPolicyBindingSpec) DeepCopy ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyBindingSpec) DeepCopy() *ValidatingAdmissionPolicyBindingSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyBindingSpec.
func (*ValidatingAdmissionPolicyBindingSpec) DeepCopyInto ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyBindingSpec) DeepCopyInto(out *ValidatingAdmissionPolicyBindingSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidatingAdmissionPolicyConditionType ¶ added in v1.27.0
type ValidatingAdmissionPolicyConditionType string
ValidatingAdmissionPolicyConditionType is the condition type of admission validation policy.
type ValidatingAdmissionPolicyList ¶ added in v1.26.0
type ValidatingAdmissionPolicyList struct { metav1.TypeMeta // Standard list metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds // +optional metav1.ListMeta // List of ValidatingAdmissionPolicy. Items []ValidatingAdmissionPolicy }
ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.
func (*ValidatingAdmissionPolicyList) DeepCopy ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyList) DeepCopy() *ValidatingAdmissionPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyList.
func (*ValidatingAdmissionPolicyList) DeepCopyInto ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyList) DeepCopyInto(out *ValidatingAdmissionPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingAdmissionPolicyList) DeepCopyObject ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingAdmissionPolicySpec ¶ added in v1.26.0
type ValidatingAdmissionPolicySpec struct { // ParamKind specifies the kind of resources used to parameterize this policy. // If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. // If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. // If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. // +optional ParamKind *ParamKind // MatchConstraints specifies what resources this policy is designed to validate. // The AdmissionPolicy cares about a request if it matches _all_ Constraint. // However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API // ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. // Required. MatchConstraints *MatchResources // validations contain CEL expressions which are used to validate admission requests. // validations and auditAnnotations may not both be empty; a minimum of one validations or auditAnnotations is // required. // +optional Validations []Validation // MatchConditions is a list of conditions that must be met for a request to be validated. // Match conditions filter requests that have already been matched by the rules, // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. // There are a maximum of 64 match conditions allowed. // // If a parameter object is provided, it can be accessed via the `params` handle in the same // manner as validation expressions. // // The exact matching logic is (in order): // 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. // 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. // 3. If any matchCondition evaluates to an error (but none are FALSE): // - If failurePolicy=Fail, reject the request // - If failurePolicy=Ignore, the policy is skipped // // +optional MatchConditions []MatchCondition // failurePolicy defines how to handle failures for the admission policy. Failures can // occur from CEL expression parse errors, type check errors, runtime errors and invalid // or mis-configured policy definitions or bindings. // // A policy is invalid if spec.paramKind refers to a non-existent Kind. // A binding is invalid if spec.paramRef.name refers to a non-existent resource. // // failurePolicy does not define how validations that evaluate to false are handled. // // When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions // define how failures are enforced. // // Allowed values are Ignore or Fail. Defaults to Fail. // +optional FailurePolicy *FailurePolicyType // auditAnnotations contains CEL expressions which are used to produce audit // annotations for the audit event of the API request. // validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is // required. // A maximum of 20 auditAnnotation are allowed per ValidatingAdmissionPolicy. // +optional AuditAnnotations []AuditAnnotation // Variables contain definitions of variables that can be used in composition of other expressions. // Each variable is defined as a named CEL expression. // The variables defined here will be available under `variables` in other expressions of the policy // except MatchConditions because MatchConditions are evaluated before the rest of the policy. // // The expression of a variable can refer to other variables defined earlier in the list but not those after. // Thus, Variables must be sorted by the order of first appearance and acyclic. // +optional Variables []Variable }
ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
func (*ValidatingAdmissionPolicySpec) DeepCopy ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicySpec) DeepCopy() *ValidatingAdmissionPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicySpec.
func (*ValidatingAdmissionPolicySpec) DeepCopyInto ¶ added in v1.26.0
func (in *ValidatingAdmissionPolicySpec) DeepCopyInto(out *ValidatingAdmissionPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidatingAdmissionPolicyStatus ¶ added in v1.27.0
type ValidatingAdmissionPolicyStatus struct { // The generation observed by the controller. // +optional ObservedGeneration int64 // The results of type checking for each expression. // Presence of this field indicates the completion of the type checking. // +optional TypeChecking *TypeChecking // The conditions represent the latest available observations of a policy's current state. // +optional // +listType=map // +listMapKey=type Conditions []metav1.Condition }
ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.
func (*ValidatingAdmissionPolicyStatus) DeepCopy ¶ added in v1.27.0
func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyStatus.
func (*ValidatingAdmissionPolicyStatus) DeepCopyInto ¶ added in v1.27.0
func (in *ValidatingAdmissionPolicyStatus) DeepCopyInto(out *ValidatingAdmissionPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidatingWebhook ¶ added in v1.15.0
type ValidatingWebhook struct { // The name of the admission webhook. // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where // "imagepolicy" is the name of the webhook, and kubernetes.io is the name // of the organization. // Required. Name string // ClientConfig defines how to communicate with the hook. // Required ClientConfig WebhookClientConfig // Rules describes what operations on what resources/subresources the webhook cares about. // The webhook cares about an operation if it matches _any_ Rule. Rules []RuleWithOperations // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - // allowed values are Ignore or Fail. Defaults to Ignore. // +optional FailurePolicy *FailurePolicyType // matchPolicy defines how the "rules" list is used to match incoming requests. // Allowed values are "Exact" or "Equivalent". // // - Exact: match a request only if it exactly matches a specified rule. // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. // // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. // // +optional MatchPolicy *MatchPolicyType // NamespaceSelector decides whether to run the webhook on an object based // on whether the namespace for that object matches the selector. If the // object itself is a namespace, the matching is performed on // object.metadata.labels. If the object is another cluster scoped resource, // it never skips the webhook. // // For example, to run the webhook on any objects whose namespace is not // associated with "runlevel" of "0" or "1"; you will set the selector as // follows: // "namespaceSelector": { // "matchExpressions": [ // { // "key": "runlevel", // "operator": "NotIn", // "values": [ // "0", // "1" // ] // } // ] // } // // If instead you want to only run the webhook on any objects whose // namespace is associated with the "environment" of "prod" or "staging"; // you will set the selector as follows: // "namespaceSelector": { // "matchExpressions": [ // { // "key": "environment", // "operator": "In", // "values": [ // "prod", // "staging" // ] // } // ] // } // // See // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ // for more examples of label selectors. // // Default to the empty LabelSelector, which matches everything. // +optional NamespaceSelector *metav1.LabelSelector // ObjectSelector decides whether to run the webhook based on if the // object has matching labels. objectSelector is evaluated against both // the oldObject and newObject that would be sent to the webhook, and // is considered to match if either object matches the selector. A null // object (oldObject in the case of create, or newObject in the case of // delete) or an object that cannot have labels (like a // DeploymentRollback or a PodProxyOptions object) is not considered to // match. // Use the object selector only if the webhook is opt-in, because end // users may skip the admission webhook by setting the labels. // Default to the empty LabelSelector, which matches everything. // +optional ObjectSelector *metav1.LabelSelector // SideEffects states whether this webhook has side effects. // Acceptable values are: Unknown, None, Some, NoneOnDryRun // Webhooks with side effects MUST implement a reconciliation system, since a request may be // rejected by a future step in the admission chain and the side effects therefore need to be undone. // Requests with the dryRun attribute will be auto-rejected if they match a webhook with // sideEffects == Unknown or Some. Defaults to Unknown. // +optional SideEffects *SideEffectClass // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, // the webhook call will be ignored or the API call will fail based on the // failure policy. // The timeout value must be between 1 and 30 seconds. // +optional TimeoutSeconds *int32 // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` // versions the Webhook expects. API server will try to use first version in // the list which it supports. If none of the versions specified in this list // supported by API server, validation will fail for this object. // If the webhook configuration has already been persisted with a version apiserver // does not understand, calls to the webhook will fail and be subject to the failure policy. // +optional AdmissionReviewVersions []string // MatchConditions is a list of conditions that must be met for a request to be sent to this // webhook. Match conditions filter requests that have already been matched by the rules, // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. // There are a maximum of 64 match conditions allowed. // // The exact matching logic is (in order): // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. // 3. If any matchCondition evaluates to an error (but none are FALSE): // - If failurePolicy=Fail, reject the request // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped // // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. // // +featureGate=AdmissionWebhookMatchConditions // +optional MatchConditions []MatchCondition }
ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
func (*ValidatingWebhook) DeepCopy ¶ added in v1.15.0
func (in *ValidatingWebhook) DeepCopy() *ValidatingWebhook
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingWebhook.
func (*ValidatingWebhook) DeepCopyInto ¶ added in v1.15.0
func (in *ValidatingWebhook) DeepCopyInto(out *ValidatingWebhook)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidatingWebhookConfiguration ¶ added in v1.9.0
type ValidatingWebhookConfiguration struct { metav1.TypeMeta // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. // +optional metav1.ObjectMeta // Webhooks is a list of webhooks and the affected resources and operations. // +optional Webhooks []ValidatingWebhook }
ValidatingWebhookConfiguration describes the configuration of an admission webhook that accepts or rejects and object without changing it.
func (*ValidatingWebhookConfiguration) DeepCopy ¶ added in v1.9.0
func (in *ValidatingWebhookConfiguration) DeepCopy() *ValidatingWebhookConfiguration
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingWebhookConfiguration.
func (*ValidatingWebhookConfiguration) DeepCopyInto ¶ added in v1.9.0
func (in *ValidatingWebhookConfiguration) DeepCopyInto(out *ValidatingWebhookConfiguration)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingWebhookConfiguration) DeepCopyObject ¶ added in v1.9.0
func (in *ValidatingWebhookConfiguration) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ValidatingWebhookConfigurationList ¶ added in v1.9.0
type ValidatingWebhookConfigurationList struct { metav1.TypeMeta // Standard list metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds // +optional metav1.ListMeta // List of ValidatingWebhookConfigurations. Items []ValidatingWebhookConfiguration }
ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
func (*ValidatingWebhookConfigurationList) DeepCopy ¶ added in v1.9.0
func (in *ValidatingWebhookConfigurationList) DeepCopy() *ValidatingWebhookConfigurationList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingWebhookConfigurationList.
func (*ValidatingWebhookConfigurationList) DeepCopyInto ¶ added in v1.9.0
func (in *ValidatingWebhookConfigurationList) DeepCopyInto(out *ValidatingWebhookConfigurationList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ValidatingWebhookConfigurationList) DeepCopyObject ¶ added in v1.9.0
func (in *ValidatingWebhookConfigurationList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type Validation ¶ added in v1.26.0
type Validation struct { // Expression represents the expression which will be evaluated by CEL. // ref: https://github.com/google/cel-spec // CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables: // //'object' - The object from the incoming request. The value is null for DELETE requests. //'oldObject' - The existing object. The value is null for CREATE requests. //'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). //'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. //'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. //'variables' - Map of composited variables, from its name to its lazily evaluated value. // For example, a variable named 'foo' can be accessed as 'variables.foo' // - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz // - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the // request resource. // // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the // object. No other metadata properties are accessible. // // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. // Accessible property names are escaped according to the following rules when accessed in the expression: // - '__' escapes to '__underscores__' // - '.' escapes to '__dot__' // - '-' escapes to '__dash__' // - '/' escapes to '__slash__' // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", // "import", "let", "loop", "package", "namespace", "return". // Examples: // - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"} // - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"} // - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"} // // Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and // non-intersecting elements in `Y` are appended, retaining their partial order. // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with // non-intersecting keys are appended, retaining their partial order. // Required. Expression string // Message represents the message displayed when validation fails. The message is required if the Expression contains // line breaks. The message must not contain line breaks. // If unset, the message is "failed rule: {Rule}". // e.g. "must be a URL with the host matching spec.host" // If ExpressMessage is specified, Message will be ignored // If the Expression contains line breaks. Eith Message or ExpressMessage is required. // The message must not contain line breaks. // If unset, the message is "failed Expression: {Expression}". // +optional Message string // Reason represents a machine-readable description of why this validation failed. // If this is the first validation in the list to fail, this reason, as well as the // corresponding HTTP response code, are used in the // HTTP response to the client. // The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". // If not set, StatusReasonInvalid is used in the response to the client. // +optional Reason *metav1.StatusReason // messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. // Since messageExpression is used as a failure message, it must evaluate to a string. // If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. // If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. // messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. // Example: // "object.x must be less than max ("+string(params.max)+")" // +optional MessageExpression string }
Validation specifies the CEL expression which is used to apply the validation.
func (*Validation) DeepCopy ¶ added in v1.26.0
func (in *Validation) DeepCopy() *Validation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation.
func (*Validation) DeepCopyInto ¶ added in v1.26.0
func (in *Validation) DeepCopyInto(out *Validation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ValidationAction ¶ added in v1.27.0
type ValidationAction string
ValidationAction specifies a policy enforcement action.
const ( // Deny specifies that a validation failure results in a denied request. Deny ValidationAction = "Deny" // Warn specifies that a validation failure is reported to the request client // in HTTP Warning headers, with a warning code of 299. Warnings can be sent // both for allowed or denied admission responses. Warn ValidationAction = "Warn" // Audit specifies that a validation failure is included in the published // audit event for the request. The audit event will contain a // `validation.policy.admission.k8s.io/validation_failure` audit annotation // with a value containing the details of the validation failure. Audit ValidationAction = "Audit" )
type Variable ¶ added in v1.28.0
type Variable struct { // Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. // The variable can be accessed in other expressions through `variables` // For example, if name is "foo", the variable will be available as `variables.foo` Name string // Expression is the expression that will be evaluated as the value of the variable. // The CEL expression has access to the same identifiers as the CEL expressions in Validation. Expression string }
Variable is the definition of a variable that is used for composition. A variable is defined as a named expression. +structType=atomic
func (*Variable) DeepCopy ¶ added in v1.28.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Variable.
func (*Variable) DeepCopyInto ¶ added in v1.28.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type WebhookClientConfig ¶ added in v1.9.0
type WebhookClientConfig struct { // `url` gives the location of the webhook, in standard URL form // (`scheme://host:port/path`). Exactly one of `url` or `service` // must be specified. // // The `host` should not refer to a service running in the cluster; use // the `service` field instead. The host might be resolved via external // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve // in-cluster DNS as that would be a layering violation). `host` may // also be an IP address. // // Please note that using `localhost` or `127.0.0.1` as a `host` is // risky unless you take great care to run this webhook on all hosts // which run an apiserver which might need to make calls to this // webhook. Such installs are likely to be non-portable, i.e., not easy // to turn up in a new cluster. // // The scheme must be "https"; the URL must begin with "https://". // // A path is optional, and if present may be any string permissible in // a URL. You may use the path to pass an arbitrary string to the // webhook, for example, a cluster identifier. // // Attempting to use a user or basic auth e.g. "user:password@" is not // allowed. Fragments ("#...") and query parameters ("?...") are not // allowed, either. // // +optional URL *string // `service` is a reference to the service for this webhook. Either // `service` or `url` must be specified. // // If the webhook is running within the cluster, then you should use `service`. // // +optional Service *ServiceReference // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. // If unspecified, system trust roots on the apiserver are used. // +optional CABundle []byte }
WebhookClientConfig contains the information to make a TLS connection with the webhook
func (*WebhookClientConfig) DeepCopy ¶ added in v1.9.0
func (in *WebhookClientConfig) DeepCopy() *WebhookClientConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookClientConfig.
func (*WebhookClientConfig) DeepCopyInto ¶ added in v1.9.0
func (in *WebhookClientConfig) DeepCopyInto(out *WebhookClientConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
Directories ¶
Path | Synopsis |
---|---|
Package v1 is the v1 version of the API.
|
Package v1 is the v1 version of the API. |
Package v1alpha1 is the v1alpha1 version of the API.
|
Package v1alpha1 is the v1alpha1 version of the API. |
Package v1beta1 is the v1beta1 version of the API.
|
Package v1beta1 is the v1beta1 version of the API. |