Documentation ¶
Index ¶
- func MutationMessage(resourceName string, diffResult []mapnode.Difference) (msg string)
- type CheckContext
- type CheckResult
- type ConcreteMutationChecker
- type ConcreteOwnerResolver
- type DecisionResult
- type FindOwnerResult
- type Loader
- func (self *Loader) BreakGlassConditions() []policy.BreakGlassCondition
- func (self *Loader) DetectOnlyMode() bool
- func (self *Loader) IgnoreAttrsPatterns(resourceScope string) []*protect.AttrsPattern
- func (self *Loader) IgnoreServiceAccountPatterns(resourceScope string) []*protect.ServieAccountPattern
- func (self *Loader) MergedSignPolicy() *policy.SignPolicy
- func (self *Loader) ProtectAttrsPatterns(resourceScope string) []*protect.AttrsPattern
- func (self *Loader) ProtectRules(resourceScope string) []*protect.Rule
- func (self *Loader) ResSigList(reqc *common.ReqContext) *rsig.ResourceSignatureList
- func (self *Loader) UnprotectAttrsPatterns(resourceScope string) []*protect.AttrsPattern
- func (self *Loader) UnprotectedRequestMatchPattern() []protect.RequestPattern
- type MAResult
- type Ma4kInput
- type MutationChecker
- type OwnerResolver
- type RequestHandler
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func MutationMessage ¶
func MutationMessage(resourceName string, diffResult []mapnode.Difference) (msg string)
Types ¶
type CheckContext ¶
// CheckContext holds the mode flags, intermediate results and final decision
// of one enforcement check. InitCheckContext builds it from the
// *config.EnforcerConfig. The three fields tagged `json:"-"` are output
// switches and are omitted from the serialized form.
type CheckContext struct {
	// Mode flags. Presumably copied from the enforcer config at init time —
	// confirm in InitCheckContext.
	DetectOnlyModeEnabled bool         `json:"detectOnly"`
	BreakGlassModeEnabled bool         `json:"breakGlass"`
	Result                *CheckResult `json:"result"`
	IgnoredSA             bool         `json:"ignoredSA"`
	Protected             bool         `json:"protected"`
	IEResource            bool         `json:"ieresource"`
	// Decision fields. Allow is the final verdict; Verified, Aborted and
	// AbortReason qualify how it was reached.
	Allow       bool   `json:"allow"`
	Verified    bool   `json:"verified"`
	Aborted     bool   `json:"aborted"`
	AbortReason string `json:"abortReason"`
	// Error is an interface value: encoding/json renders most standard error
	// types as an empty object "{}", so the error text is likely absent from
	// the JSON output — NOTE(review): confirm how log consumers read it.
	Error   error  `json:"error"`
	Message string `json:"msg"`
	// Logging switches; never serialized.
	ConsoleLogEnabled bool `json:"-"`
	ContextLogEnabled bool `json:"-"`
	IncludeRequest    bool `json:"-"`
	ReasonCode        int  `json:"reasonCode"`
	// Presumably set when Allow is true only because the corresponding bypass
	// mode was active rather than because the check passed; anything auditing
	// decisions should read these alongside Allow and Verified — confirm.
	AllowByBreakGlassMode bool `json:"allowByBreakGlassMode"`
	AllowByDetectOnlyMode bool `json:"allowByDetectOnlyMode"`
}
func InitCheckContext ¶
func InitCheckContext(config *config.EnforcerConfig) *CheckContext
type CheckResult ¶
// CheckResult groups the per-stage outcomes of a check: signature policy
// evaluation, owner resolution and mutation evaluation. Each field is a
// pointer; a nil value presumably means that stage did not run — confirm
// against the handler that fills it in.
type CheckResult struct {
	SignPolicyEvalResult *common.SignPolicyEvalResult `json:"signpolicy"`
	ResolveOwnerResult   *common.ResolveOwnerResult   `json:"owner"`
	MutationEvalResult   *common.MutationEvalResult   `json:"mutation"`
}
type ConcreteMutationChecker ¶
func (*ConcreteMutationChecker) Eval ¶
func (self *ConcreteMutationChecker) Eval(reqc *common.ReqContext, rules []*protect.AttrsPattern) (*common.MutationEvalResult, error)
type ConcreteOwnerResolver ¶
// ConcreteOwnerResolver implements OwnerResolver via its Find method.
// It is presumably the value returned by NewOwnerResolver; its fields are
// unexported and not shown here, so construct it through that function.
type ConcreteOwnerResolver struct {
	// contains filtered or unexported fields
}
func (*ConcreteOwnerResolver) Find ¶
func (self *ConcreteOwnerResolver) Find(reqc *common.ReqContext) (*common.ResolveOwnerResult, error)
type DecisionResult ¶
type FindOwnerResult ¶
// FindOwnerResult carries the outcome of an owner lookup: the resource
// reference that was looked up, the owner found for it, and a CheckError
// when the lookup did not succeed. Unlike the other result types on this
// page it has no json tags, so it serializes under the Go field names.
type FindOwnerResult struct {
	Ref   *common.ResourceRef
	Owner *common.Owner
	Error *common.CheckError
}
type Loader ¶
// Loader bundles the enforcer configuration with the loaders for the policy
// resources consulted during a check: the sign policy, RPP, CRPP and resource
// signatures. The Loader methods listed on this page (ProtectRules,
// IgnoreAttrsPatterns, ResSigList, ...) presumably read through these fields;
// most take a resourceScope string. Note that IgnoreServiceAccountPatterns
// returns []*protect.ServieAccountPattern — the exported type name is spelled
// that way in the protect package as shown here.
type Loader struct {
	Config            *config.EnforcerConfig
	SignPolicy        *ctlconfig.SignPolicyLoader
	RPP               *ctlconfig.RPPLoader
	CRPP              *ctlconfig.CRPPLoader
	ResourceSignature *ctlconfig.ResSigLoader
}
func (*Loader) BreakGlassConditions ¶
func (self *Loader) BreakGlassConditions() []policy.BreakGlassCondition
func (*Loader) DetectOnlyMode ¶
func (*Loader) IgnoreAttrsPatterns ¶
func (self *Loader) IgnoreAttrsPatterns(resourceScope string) []*protect.AttrsPattern
func (*Loader) IgnoreServiceAccountPatterns ¶
func (self *Loader) IgnoreServiceAccountPatterns(resourceScope string) []*protect.ServieAccountPattern
func (*Loader) MergedSignPolicy ¶
func (self *Loader) MergedSignPolicy() *policy.SignPolicy
func (*Loader) ProtectAttrsPatterns ¶
func (self *Loader) ProtectAttrsPatterns(resourceScope string) []*protect.AttrsPattern
func (*Loader) ProtectRules ¶
func (*Loader) ResSigList ¶
func (self *Loader) ResSigList(reqc *common.ReqContext) *rsig.ResourceSignatureList
func (*Loader) UnprotectAttrsPatterns ¶
func (self *Loader) UnprotectAttrsPatterns(resourceScope string) []*protect.AttrsPattern
func (*Loader) UnprotectedRequestMatchPattern ¶
func (self *Loader) UnprotectedRequestMatchPattern() []protect.RequestPattern
type MAResult ¶
// MAResult is the result of a mutation analysis, returned by GetMAResult.
// IsMutated is the verdict; Checked records whether the analysis actually
// ran. Diff and Filtered are string renderings (presumably of the detected
// differences and of the differences left after applying the rules — confirm
// in GetMAResult), and MatchedKeys lists the keys that matched the rules.
// Msg is a human-readable summary; Error is set when the analysis failed.
type MAResult struct {
	IsMutated   bool
	Diff        string
	Filtered    string
	MatchedKeys []string
	Checked     bool
	Msg         string
	Error       error
}
func GetMAResult ¶
func GetMAResult(ma4kInput *Ma4kInput, rules []*protect.AttrsPattern) (*MAResult, error)
type Ma4kInput ¶
// Ma4kInput is the input to GetMAResult: the object state before and after
// the request as untyped maps, the request metadata (namespace, user name and
// groups, kind and name) and the resource reference used as the integrity
// owner. Before and After carry no schema; callers must not assume any
// particular keys are present. IntegrityRef is serialized under the json key
// "owner", not "integrityRef".
type Ma4kInput struct {
	Before       map[string]interface{} `json:"before"`
	After        map[string]interface{} `json:"after"`
	Namespace    string                 `json:"namespace"`
	UserName     string                 `json:"userName"`
	Kind         string                 `json:"kind"`
	Name         string                 `json:"name"`
	UserGroups   []string               `json:"userGroups"`
	IntegrityRef *common.ResourceRef    `json:"owner"`
}
type MutationChecker ¶
// MutationChecker evaluates whether a request mutates attributes covered by
// a set of rules. Eval takes the request context and the attribute patterns
// to check, and returns the evaluation result or an error when the check
// could not be carried out. Implementations are obtained from
// NewMutationChecker; ConcreteMutationChecker satisfies this interface.
type MutationChecker interface {
	Eval(reqc *common.ReqContext, rules []*protect.AttrsPattern) (*common.MutationEvalResult, error)
}
func NewMutationChecker ¶
func NewMutationChecker(owners []*common.Owner) (MutationChecker, error)
type OwnerResolver ¶
// OwnerResolver finds the owner of the resource referred to by a request.
// Find returns the resolution result, or an error when resolution could not
// be performed. Implementations are obtained from NewOwnerResolver;
// ConcreteOwnerResolver satisfies this interface.
type OwnerResolver interface {
	Find(reqc *common.ReqContext) (*common.ResolveOwnerResult, error)
}
func NewOwnerResolver ¶
func NewOwnerResolver() (OwnerResolver, error)
type RequestHandler ¶
// RequestHandler is the entry point for admission requests. Construct it with
// NewRequestHandler(config) and pass each *v1beta1.AdmissionRequest to Run,
// which returns the *v1beta1.AdmissionResponse for it. CheckIfBreakGlassEnabled
// and CheckIfDetectOnly expose the two bypass modes that can cause a request
// to be allowed without a passing check. Its state is unexported and not
// shown here.
type RequestHandler struct {
	// contains filtered or unexported fields
}
func NewRequestHandler ¶
func NewRequestHandler(config *config.EnforcerConfig) *RequestHandler
func (*RequestHandler) CheckIfBreakGlassEnabled ¶
func (self *RequestHandler) CheckIfBreakGlassEnabled() bool
func (*RequestHandler) CheckIfDetectOnly ¶
func (self *RequestHandler) CheckIfDetectOnly() bool
func (*RequestHandler) GetEnabledPlugins ¶
func (self *RequestHandler) GetEnabledPlugins() map[string]bool
func (*RequestHandler) Run ¶
func (self *RequestHandler) Run(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse