Documentation ¶
Index ¶
- Constants
- Variables
- func ExactMatch(pattern, value string) bool
- func ExactMatchWithPatternArray(value string, patternArray []string) bool
- func GetUnionOfArrays(array1, array2 []string) []string
- func MatchBigInt(pattern string, value *big.Int) bool
- func MatchPattern(pattern, value string) bool
- func MatchPatternWithArray(pattern string, valueArray []string) bool
- func MatchWithPatternArray(value string, patternArray []string) bool
- func SplitRule(rules string) []string
- type CheckError
- type DecisionType
- type MutationEvalResult
- type NamespaceSelector
- func (s1 *NamespaceSelector) DeepCopy() *NamespaceSelector
- func (s1 *NamespaceSelector) DeepCopyInto(s2 *NamespaceSelector)
- func (self *NamespaceSelector) MatchNamespace(namespace *v1.Namespace) bool
- func (self *NamespaceSelector) MatchNamespaceName(nsName string) bool
- func (s1 *NamespaceSelector) Merge(s2 *NamespaceSelector) *NamespaceSelector
- type ObjectMetadata
- type ParsedRequest
- type ReasonCode
- type ReqContext
- func (reqc *ReqContext) GroupVersion() string
- func (rc *ReqContext) IsCreateRequest() bool
- func (rc *ReqContext) IsDeleteRequest() bool
- func (rc *ReqContext) IsSecret() bool
- func (rc *ReqContext) IsServiceAccount() bool
- func (rc *ReqContext) IsUpdateRequest() bool
- func (reqc *ReqContext) Map() map[string]string
- func (reqc *ReqContext) ResourceRef() *ResourceRef
- type ResourceAnnotation
- type ResourceLabel
- type ResourceRef
- type SignatureAnnotation
- type SignatureEvalResult
- type SignerInfo
Constants ¶
// API version and Kind strings for the custom resources this package refers
// to. Every Kind below is served under the same API version string.
const (
	IVCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	IVCustomResourceKind       = "IntegrityVerifier"

	SignatureCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	SignatureCustomResourceKind       = "ResourceSignature"

	VerifierConfigCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	VerifierConfigCustomResourceKind       = "VerifierConfig"

	SignPolicyCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	SignPolicyCustomResourceKind       = "SignPolicy"

	ProfileCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	ProfileCustomResourceKind       = "ResourceSigningProfile"

	HelmReleaseMetadataCustomResourceAPIVersion = "apis.integrityverifier.io/v1alpha1"
	// NOTE(review): the lower-case "m" in "HelmReleasemetadata" looks like a
	// typo, but a Kind string must match what the CRD registers — confirm
	// against the CRD before touching it.
	HelmReleaseMetadataCustomResourceKind = "HelmReleasemetadata"
)
// Label and annotation keys in the integrityverifier.io namespace that the
// verifier reads from and writes to Kubernetes object metadata.
//
// NOTE(review): labels and annotations are ordinary object metadata, so any
// principal allowed to write the object can also set them. The presence of
// LabelValueVerified on an object is therefore only as trustworthy as the
// admission path that wrote it; consumers should not treat it as proof of
// verification on its own — confirm how ResourceLabel.IntegrityVerified is
// used by callers.
const (
	ResourceIntegrityLabelKey = "integrityverifier.io/resourceIntegrity"
	ReasonLabelKey            = "integrityverifier.io/reason"

	SignatureAnnotationKey     = "integrityverifier.io/signature"
	MessageAnnotationKey       = "integrityverifier.io/message"
	CertificateAnnotationKey   = "integrityverifier.io/certificate"
	SignatureTypeAnnotationKey = "integrityverifier.io/signatureType"
	MessageScopeAnnotationKey  = "integrityverifier.io/messageScope"
	MutableAttrsAnnotationKey  = "integrityverifier.io/mutableAttrs"

	// Labels carried by ResourceSignature objects (apiVersion, kind and
	// signing time of the signed object) — presumably used to look a
	// signature up by the object it covers; verify against the lookup code.
	ResSigLabelApiVer = "integrityverifier.io/sigobject-apiversion"
	ResSigLabelKind   = "integrityverifier.io/sigobject-kind"
	ResSigLabelTime   = "integrityverifier.io/sigtime"

	// Values presumably written under ResourceIntegrityLabelKey — confirm.
	LabelValueVerified   = "verified"
	LabelValueUnverified = "unverified"
)
// Admission decision outcomes. These are untyped string constants rather
// than values of DecisionType; they are still assignable to a DecisionType
// without a conversion, but a caller can also mix them with arbitrary
// strings, so compare against these names rather than literal text.
const (
	DecisionUndetermined = "undetermined"
	DecisionAllow        = "allow"
	DecisionDeny         = "deny"
	DecisionError        = "error"
)
// Reason codes explaining an admission decision; they are the keys of
// ReasonCodeMap. The values are positional (iota), so inserting or
// reordering an entry renumbers every entry after it — anything that
// persists or logs the numeric value depends on this order staying fixed.
const (
	REASON_INTERNAL = iota // first code is 0
	REASON_VALIDATION_FAIL
	REASON_RULE_MATCH
	REASON_VALID_SIG
	REASON_VERIFIED_OWNER
	REASON_UPDATE_BY_SA
	REASON_VERIFIED_SA
	REASON_NO_MUTATION
	REASON_IV_ADMIN
	REASON_IGNORED_SA
	REASON_NOT_PROTECTED
	REASON_IGNORE_RULE_MATCHED
	REASON_BLOCK_IV_RESOURCE_OPERATION
	// NOTE(review): REASON_NOT_VERIFIED has no entry in ReasonCodeMap, so a
	// lookup with this key yields a zero ReasonCode (empty Message and Code).
	REASON_NOT_VERIFIED
	REASON_SKIP_DELETE
	REASON_ABORTED
	REASON_BREAK_GLASS
	REASON_DETECTION
	REASON_INVALID_SIG
	REASON_NO_SIG
	REASON_NO_POLICY
	REASON_UNEXPECTED
	REASON_ERROR
)
Variables ¶
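// ReasonCodeMap maps a REASON_* constant to the human-readable Message and
// the short machine-readable Code reported for that decision.
//
// Message strings for REASON_BLOCK_IV_RESOURCE_OPERATION were corrected
// ("oprations"/"resouce" → "operations"/"resource"); the Code values, which
// are the stable identifiers, are unchanged.
//
// NOTE(review): REASON_NOT_VERIFIED (declared in the REASON_* block) has no
// entry here, so ReasonCodeMap[REASON_NOT_VERIFIED] returns a zero
// ReasonCode with empty Message and Code — confirm whether that is intended.
//
// NOTE(review): REASON_BREAK_GLASS and REASON_DETECTION describe requests
// that were allowed by an operating mode rather than by a valid signature;
// from a monitoring standpoint these allow outcomes are worth alerting on.
var ReasonCodeMap = map[int]ReasonCode{
	REASON_INTERNAL: {
		Message: "internal request",
		Code:    "internal",
	},
	REASON_VALIDATION_FAIL: {
		Message: "Validation failed; format is wrong",
		Code:    "validation-fail",
	},
	REASON_RULE_MATCH: {
		Message: "allowed by rule",
		Code:    "rule-match",
	},
	REASON_VALID_SIG: {
		Message: "allowed by valid signer's signature",
		Code:    "valid-sig",
	},
	REASON_VERIFIED_OWNER: {
		Message: "owned by verified owner",
		Code:    "verified-owner",
	},
	REASON_UPDATE_BY_SA: {
		Message: "updated by creator",
		Code:    "updated-by-sa",
	},
	REASON_VERIFIED_SA: {
		Message: "operated by verified sa",
		Code:    "verified-sa",
	},
	REASON_NO_MUTATION: {
		Message: "allowed because no mutation found",
		Code:    "no-mutation",
	},
	REASON_IV_ADMIN: {
		Message: "IV admin operation",
		Code:    "iv-admin",
	},
	REASON_IGNORED_SA: {
		Message: "ignored sa",
		Code:    "ignored-sa",
	},
	REASON_NOT_PROTECTED: {
		Message: "not protected",
		Code:    "unprotected",
	},
	REASON_IGNORE_RULE_MATCHED: {
		Message: "ignore rule matched",
		Code:    "ignore-rule-matched",
	},
	REASON_BLOCK_IV_RESOURCE_OPERATION: {
		Message: "block operations for IV resource",
		Code:    "block-ivresource-operation",
	},
	REASON_SKIP_DELETE: {
		Message: "skip delete request",
		Code:    "skip-delete",
	},
	REASON_ABORTED: {
		Message: "aborted",
		Code:    "aborted",
	},
	REASON_BREAK_GLASS: {
		Message: "allowed by breakglass mode",
		Code:    "breakglass",
	},
	REASON_DETECTION: {
		Message: "allowed by detection mode",
		Code:    "detection",
	},
	REASON_INVALID_SIG: {
		Message: "Failed to verify signature",
		Code:    "invalid-signature",
	},
	REASON_NO_SIG: {
		Message: "No signature found",
		Code:    "no-signature",
	},
	REASON_NO_POLICY: {
		Message: "No signer policies",
		Code:    "no-signer-policy",
	},
	REASON_UNEXPECTED: {
		Message: "unexpected",
		Code:    "unexpected",
	},
	REASON_ERROR: {
		Message: "error",
		Code:    "error",
	},
}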
Functions ¶
func ExactMatch ¶
func GetUnionOfArrays ¶
func MatchPattern ¶
func MatchPatternWithArray ¶
func MatchWithPatternArray ¶
Types ¶
type CheckError ¶
// CheckError describes a failed check: a human-readable message, a reason
// string and the underlying Go error.
type CheckError struct {
	Msg    string `json:"msg"`
	Reason string `json:"reason"`
	// Error holds the underlying error value. NOTE(review): encoding/json
	// marshals an interface through its dynamic value, and the usual error
	// implementations expose no exported fields, so this field typically
	// serializes as {} (or null when nil) — the error text is not carried
	// in JSON output. MakeMessage presumably renders the text instead;
	// confirm before relying on the JSON form.
	Error error `json:"error"`
}
func (*CheckError) MakeMessage ¶
func (self *CheckError) MakeMessage() string
type DecisionType ¶
// DecisionType is the named string type for admission decisions. The
// Decision* constants in this package are untyped strings that can be
// assigned to it directly.
type DecisionType string
type MutationEvalResult ¶
// MutationEvalResult reports the outcome of checking a request for mutation.
type MutationEvalResult struct {
	// IsMutated is true when a mutation was found.
	IsMutated bool `json:"isMutated"`
	// Diff and Filtered are string renderings; their exact format is not
	// visible here — presumably the raw diff and the diff after mutable
	// attributes were filtered out (see MutableAttrsAnnotationKey). Confirm.
	Diff     string `json:"diff"`
	Filtered string `json:"filtered"`
	// Checked indicates whether the evaluation actually ran; when false the
	// other fields carry no information.
	Checked bool `json:"checked"`
	// Error is non-nil when the evaluation itself failed.
	Error *CheckError `json:"error"`
}
type NamespaceSelector ¶
// NamespaceSelector selects namespaces by label selector and by name lists.
// MatchNamespace and MatchNamespaceName evaluate it; Merge combines two
// selectors. Which takes precedence when a namespace is in both Include and
// Exclude is not visible from the declaration — check the Match methods.
type NamespaceSelector struct {
	LabelSelector *metav1.LabelSelector `json:"labelSelector,omitempty"`
	// Include and Exclude hold namespace names; given the MatchPattern
	// helpers in this package they are presumably patterns rather than
	// literal names — confirm.
	Include []string `json:"include,omitempty"`
	Exclude []string `json:"exclude,omitempty"`
}
func (*NamespaceSelector) DeepCopy ¶
func (s1 *NamespaceSelector) DeepCopy() *NamespaceSelector
func (*NamespaceSelector) DeepCopyInto ¶
func (s1 *NamespaceSelector) DeepCopyInto(s2 *NamespaceSelector)
func (*NamespaceSelector) MatchNamespace ¶
func (self *NamespaceSelector) MatchNamespace(namespace *v1.Namespace) bool
func (*NamespaceSelector) MatchNamespaceName ¶
func (self *NamespaceSelector) MatchNamespaceName(nsName string) bool
func (*NamespaceSelector) Merge ¶
func (s1 *NamespaceSelector) Merge(s2 *NamespaceSelector) *NamespaceSelector
type ObjectMetadata ¶
// ObjectMetadata is the subset of Kubernetes object metadata the verifier
// inspects: the object's annotations and labels, wrapped in the package's
// accessor types.
type ObjectMetadata struct {
	Annotations *ResourceAnnotation `json:"annotations"`
	Labels      *ResourceLabel      `json:"labels"`
}
type ParsedRequest ¶
func NewParsedRequest ¶
func NewParsedRequest(request *v1beta1.AdmissionRequest) *ParsedRequest
type ReasonCode ¶
type ReqContext ¶
// ReqContext is the package's view of one admission request; NewReqContext
// builds it from an AdmissionRequest. The Is* methods classify the request
// and ResourceRef/GroupVersion/Map derive identifiers from it.
type ReqContext struct {
	ResourceScope string `json:"resourceScope,omitempty"`
	// DryRun presumably mirrors the admission request's dryRun flag; a
	// webhook must not persist side effects for such requests — confirm the
	// handlers honour it.
	DryRun bool `json:"dryRun"`
	// RawObject and RawOldObject are the request's object payloads. Both are
	// excluded from JSON serialization by the "-" tag.
	RawObject    []byte `json:"-"`
	RawOldObject []byte `json:"-"`
	// RequestJsonStr is serialized under the key "request", not "requestJsonStr".
	RequestJsonStr string `json:"request"`
	RequestUid     string `json:"requestUid"`
	Namespace      string `json:"namespace"`
	Name           string `json:"name"`
	ApiGroup       string `json:"apiGroup"`
	ApiVersion     string `json:"apiVersion"`
	Kind           string `json:"kind"`
	Operation      string `json:"operation"`
	// OrgMetadata and ClaimedMetadata are two views of the object's
	// metadata; which is the existing object and which the incoming one is
	// not visible here — confirm in NewReqContext.
	OrgMetadata     *ObjectMetadata `json:"orgMetadata"`
	ClaimedMetadata *ObjectMetadata `json:"claimedMetadata"`
	// UserInfo, UserName and UserGroups are presumably taken from the
	// admission request's UserInfo, which the API server fills in after
	// authentication. Decisions such as IsServiceAccount rely on these
	// values, so they must only ever be populated from the request, never
	// from object content — verify in NewReqContext.
	UserInfo    string   `json:"userInfo"`
	ObjLabels   string   `json:"objLabels"`
	ObjMetaName string   `json:"objMetaName"`
	UserName    string   `json:"userName"`
	UserGroups  []string `json:"userGroups"`
	// NOTE(review): the tag "Type" is capitalized unlike every other key;
	// changing it would alter the wire format, so it is left as is.
	Type           string `json:"Type"`
	ObjectHashType string `json:"objectHashType"`
	ObjectHash     string `json:"objectHash"`
}
func NewReqContext ¶
func NewReqContext(req *v1beta1.AdmissionRequest) *ReqContext
func (*ReqContext) GroupVersion ¶
func (reqc *ReqContext) GroupVersion() string
func (*ReqContext) IsCreateRequest ¶
func (rc *ReqContext) IsCreateRequest() bool
func (*ReqContext) IsDeleteRequest ¶
func (rc *ReqContext) IsDeleteRequest() bool
func (*ReqContext) IsSecret ¶
func (rc *ReqContext) IsSecret() bool
func (*ReqContext) IsServiceAccount ¶
func (rc *ReqContext) IsServiceAccount() bool
func (*ReqContext) IsUpdateRequest ¶
func (rc *ReqContext) IsUpdateRequest() bool
func (*ReqContext) Map ¶
func (reqc *ReqContext) Map() map[string]string
func (*ReqContext) ResourceRef ¶
func (reqc *ReqContext) ResourceRef() *ResourceRef
type ResourceAnnotation ¶
// ResourceAnnotation wraps an object's annotations; SignatureAnnotations
// extracts the signature-related entries from it. Its fields are
// unexported (elided in this listing).
type ResourceAnnotation struct {
	// contains filtered or unexported fields
}
func (*ResourceAnnotation) SignatureAnnotations ¶
func (self *ResourceAnnotation) SignatureAnnotations() *SignatureAnnotation
type ResourceLabel ¶
// ResourceLabel wraps an object's labels; construct it with NewResourceLabel
// from a plain map. Its fields are unexported (elided in this listing).
// IntegrityVerified presumably reads the ResourceIntegrityLabelKey label;
// see the caveat on that constant about trusting writable metadata.
type ResourceLabel struct {
	// contains filtered or unexported fields
}
func NewResourceLabel ¶
func NewResourceLabel(values map[string]string) *ResourceLabel
func (*ResourceLabel) IntegrityVerified ¶
func (self *ResourceLabel) IntegrityVerified() bool
type ResourceRef ¶
// ResourceRef identifies a Kubernetes resource by name, namespace, kind and
// apiVersion. Equals compares all four fields; EqualsWithoutVersionCheck
// ignores ApiVersion.
type ResourceRef struct {
	Name       string `json:"name"`
	Namespace  string `json:"namespace"`
	Kind       string `json:"kind"`
	ApiVersion string `json:"apiVersion"`
}
func (*ResourceRef) Equals ¶
func (self *ResourceRef) Equals(ref *ResourceRef) bool
func (*ResourceRef) EqualsWithoutVersionCheck ¶
func (self *ResourceRef) EqualsWithoutVersionCheck(ref *ResourceRef) bool
type SignatureAnnotation ¶
type SignatureEvalResult ¶
// SignatureEvalResult reports the outcome of signature verification for a
// request.
type SignatureEvalResult struct {
	// Signer is the parsed signer identity, if one was established; use
	// GetSignerName rather than reading SignerName directly.
	Signer     *SignerInfo `json:"signer"`
	SignerName string      `json:"signerName"`
	// Checked indicates whether verification actually ran; when false the
	// Allow value carries no information.
	Checked bool `json:"checked"`
	// Allow is the verification verdict.
	Allow bool `json:"allow"`
	// MatchedPolicy names the signer policy that matched, presumably only
	// meaningful when Allow is true — confirm.
	MatchedPolicy string `json:"matchedPolicy"`
	// Error is non-nil when verification itself failed.
	Error *CheckError `json:"error"`
}
func (*SignatureEvalResult) GetSignerName ¶
func (self *SignatureEvalResult) GetSignerName() string
type SignerInfo ¶
// SignerInfo holds identity attributes of a signer. The struct has no json
// tags, so it serializes with the Go field names as keys.
type SignerInfo struct {
	// Email, Name, Comment and Uid resemble the components of an OpenPGP
	// user id; the fields from Country onward resemble X.509 subject
	// attributes. Which signature type fills which fields is not visible
	// here — confirm against the verification code.
	Email              string
	Name               string
	Comment            string
	Uid                string
	Country            string
	Organization       string
	OrganizationalUnit string
	Locality           string
	Province           string
	StreetAddress      string
	PostalCode         string
	CommonName         string
	// SerialNumber is a pointer and may be nil; compare with Cmp, not ==.
	SerialNumber *big.Int
}
func (*SignerInfo) GetName ¶
func (self *SignerInfo) GetName() string