Documentation
¶
Index ¶
- func MutationMessage(resourceName string, diffResult []mapnode.Difference) (msg string)
- type CheckContext
- type CheckResult
- type ConcreteMutationChecker
- type ConcreteOwnerResolver
- type DecisionResult
- type FindOwnerResult
- type Loader
- func (self *Loader) BreakGlassConditions() []policy.BreakGlassCondition
- func (self *Loader) DetectOnlyMode() bool
- func (self *Loader) IgnoreAttrsPatterns(resourceScope string) []*protect.AttrsPattern
- func (self *Loader) IgnoreServiceAccountPatterns(resourceScope string) []*protect.ServieAccountPattern
- func (self *Loader) MergedSignPolicy() *policy.SignPolicy
- func (self *Loader) ProtectAttrsPatterns(resourceScope string) []*protect.AttrsPattern
- func (self *Loader) ProtectRules(resourceScope string) []*protect.Rule
- func (self *Loader) ResSigList(reqc *common.ReqContext) *rsig.ResourceSignatureList
- func (self *Loader) UnprotectAttrsPatterns(resourceScope string) []*protect.AttrsPattern
- func (self *Loader) UnprotectedRequestMatchPattern() []protect.RequestPattern
- type MAResult
- type Ma4kInput
- type MutationChecker
- type OwnerResolver
- type RequestHandler
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func MutationMessage ¶
func MutationMessage(resourceName string, diffResult []mapnode.Difference) (msg string)
Types ¶
type CheckContext ¶
type CheckContext struct {
DetectOnlyModeEnabled bool `json:"detectOnly"`
BreakGlassModeEnabled bool `json:"breakGlass"`
Result *CheckResult `json:"result"`
IgnoredSA bool `json:"ignoredSA"`
Protected bool `json:"protected"`
IEResource bool `json:"ieresource"`
Allow bool `json:"allow"`
Verified bool `json:"verified"`
Aborted bool `json:"aborted"`
AbortReason string `json:"abortReason"`
Error error `json:"error"`
Message string `json:"msg"`
ConsoleLogEnabled bool `json:"-"`
ContextLogEnabled bool `json:"-"`
IncludeRequest bool `json:"-"`
ReasonCode int `json:"reasonCode"`
AllowByBreakGlassMode bool `json:"allowByBreakGlassMode"`
AllowByDetectOnlyMode bool `json:"allowByDetectOnlyMode"`
}
func InitCheckContext ¶
func InitCheckContext(config *config.EnforcerConfig) *CheckContext
type CheckResult ¶
type CheckResult struct {
SignPolicyEvalResult *common.SignPolicyEvalResult `json:"signpolicy"`
ResolveOwnerResult *common.ResolveOwnerResult `json:"owner"`
MutationEvalResult *common.MutationEvalResult `json:"mutation"`
}
type ConcreteMutationChecker ¶
func (*ConcreteMutationChecker) Eval ¶
func (self *ConcreteMutationChecker) Eval(reqc *common.ReqContext, rules []*protect.AttrsPattern) (*common.MutationEvalResult, error)
type ConcreteOwnerResolver ¶
type ConcreteOwnerResolver struct {
// contains filtered or unexported fields
}
func (*ConcreteOwnerResolver) Find ¶
func (self *ConcreteOwnerResolver) Find(reqc *common.ReqContext) (*common.ResolveOwnerResult, error)
type DecisionResult ¶
type FindOwnerResult ¶
type FindOwnerResult struct {
Ref *common.ResourceRef
Owner *common.Owner
Error *common.CheckError
}
type Loader ¶
type Loader struct {
Config *config.EnforcerConfig
SignPolicy *ctlconfig.SignPolicyLoader
RPP *ctlconfig.RPPLoader
CRPP *ctlconfig.CRPPLoader
ResourceSignature *ctlconfig.ResSigLoader
}
func (*Loader) BreakGlassConditions ¶
func (self *Loader) BreakGlassConditions() []policy.BreakGlassCondition
func (*Loader) DetectOnlyMode ¶
func (*Loader) IgnoreAttrsPatterns ¶
func (self *Loader) IgnoreAttrsPatterns(resourceScope string) []*protect.AttrsPattern
func (*Loader) IgnoreServiceAccountPatterns ¶
func (self *Loader) IgnoreServiceAccountPatterns(resourceScope string) []*protect.ServieAccountPattern
func (*Loader) MergedSignPolicy ¶
func (self *Loader) MergedSignPolicy() *policy.SignPolicy
func (*Loader) ProtectAttrsPatterns ¶
func (self *Loader) ProtectAttrsPatterns(resourceScope string) []*protect.AttrsPattern
func (*Loader) ProtectRules ¶
func (*Loader) ResSigList ¶
func (self *Loader) ResSigList(reqc *common.ReqContext) *rsig.ResourceSignatureList
func (*Loader) UnprotectAttrsPatterns ¶
func (self *Loader) UnprotectAttrsPatterns(resourceScope string) []*protect.AttrsPattern
func (*Loader) UnprotectedRequestMatchPattern ¶
func (self *Loader) UnprotectedRequestMatchPattern() []protect.RequestPattern
type MAResult ¶
type MAResult struct {
IsMutated bool
Diff string
Filtered string
MatchedKeys []string
Checked bool
Msg string
Error error
}
func GetMAResult ¶
func GetMAResult(ma4kInput *Ma4kInput, rules []*protect.AttrsPattern) (*MAResult, error)
type Ma4kInput ¶
type Ma4kInput struct {
Before map[string]interface{} `json:"before"`
After map[string]interface{} `json:"after"`
Namespace string `json:"namespace"`
UserName string `json:"userName"`
Kind string `json:"kind"`
Name string `json:"name"`
UserGroups []string `json:"userGroups"`
IntegrityRef *common.ResourceRef `json:"owner"`
}
type MutationChecker ¶
type MutationChecker interface {
Eval(reqc *common.ReqContext, rules []*protect.AttrsPattern) (*common.MutationEvalResult, error)
}
func NewMutationChecker ¶
func NewMutationChecker(owners []*common.Owner) (MutationChecker, error)
type OwnerResolver ¶
type OwnerResolver interface {
Find(reqc *common.ReqContext) (*common.ResolveOwnerResult, error)
}
func NewOwnerResolver ¶
func NewOwnerResolver() (OwnerResolver, error)
type RequestHandler ¶
type RequestHandler struct {
// contains filtered or unexported fields
}
func NewRequestHandler ¶
func NewRequestHandler(config *config.EnforcerConfig) *RequestHandler
func (*RequestHandler) CheckIfBreakGlassEnabled ¶
func (self *RequestHandler) CheckIfBreakGlassEnabled() bool
func (*RequestHandler) CheckIfDetectOnly ¶
func (self *RequestHandler) CheckIfDetectOnly() bool
func (*RequestHandler) GetEnabledPlugins ¶
func (self *RequestHandler) GetEnabledPlugins() map[string]bool
func (*RequestHandler) Run ¶
func (self *RequestHandler) Run(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse
Source Files
Click to show internal directories.
Click to hide internal directories.