policies

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsExempt

func IsExempt(clusterName, resourceName, namespace string, userInfo authenticationv1.UserInfo, policyName string, exemptions []CompiledExemption) bool

IsExempt reports whether the resource identified by cluster name, resource name, namespace and requesting user is exempt from the given policy according to the supplied compiled exemptions.

Types

type AnnotationConfig

// AnnotationConfig defines a single annotation config: which annotation
// key(s) a policy inspects and which values it accepts.
type AnnotationConfig struct {
	// Annotation is a single annotation key (JSON key "annotation").
	Annotation    string   `json:"annotation"`
	// Annotations is a list of annotation keys (JSON key "annotations").
	// NOTE(review): presumably an alternative to Annotation for checking several
	// keys at once; how the two interact is not visible here — confirm against the
	// policy that consumes this config.
	Annotations   []string `json:"annotations"`
	// AllowedValues lists the values accepted for the annotation(s).
	AllowedValues []string `json:"allowed_values"`
	// AllowMissing, when true, presumably lets a resource without the annotation
	// pass the policy. Defaults to false (the JSON zero value), which is the
	// stricter setting.
	AllowMissing  bool     `json:"allow_missing"`
}

AnnotationConfig defines a single annotation config

type CompiledExemption

// CompiledExemption is the compiled configuration for a policy exemption.
// It is produced from a RawExemption by Compile: each string pattern becomes a
// glob.Glob so IsExempt can match it without re-parsing.
//
// NOTE(review): every dimension is a glob, so a bare `*` (or an unset field, if
// Compile treats empty input that way — confirm) matches anything in that
// dimension. Exemption files deserve the same review as RBAC: a wide
// Username/Group glob combined with a wide ExemptPolicies glob silently
// disables policies for many principals.
type CompiledExemption struct {
	// ClusterName is a compiled glob for the cluster name.
	ClusterName    glob.Glob
	// ResourceName is a compiled glob for the resource name.
	ResourceName   glob.Glob
	// Namespace is a compiled glob for the resource namespace.
	Namespace      glob.Glob
	// Username is a compiled glob for the requesting user's name.
	Username       glob.Glob
	// Group is a compiled glob for the requesting user's groups.
	Group          glob.Glob
	// ExemptPolicies holds compiled globs over policy names; IsExempt compares
	// them against its policyName argument (exact matching rules live in IsExempt).
	ExemptPolicies []glob.Glob
}

CompiledExemption is the compiled configuration for a policy exemption

func ExemptionsFromDirectory

func ExemptionsFromDirectory(directory string) ([]CompiledExemption, error)

ExemptionsFromDirectory returns the compiled exemptions read from a given directory.

func ExemptionsFromYAML

func ExemptionsFromYAML(exemptions []byte) ([]CompiledExemption, error)

ExemptionsFromYAML returns compiled exemptions from YAML input

type Config

// Config contains configuration for Policies. It is decoded from JSON; the
// struct tags give the exact keys.
type Config struct {
	// PolicyRequireIngressExemptionClasses contains the Ingress classes that an exemption is required for
	// to use. Typically this would include your public ingress classes.
	PolicyRequireIngressExemptionClasses []string `json:"policy_require_ingress_exemption_classes"`
	// PolicyRequireServiceLoadBalancerAnnotations contains the Service LB types annotation that are allowed with this policy.
	PolicyRequireServiceLoadBalancerAnnotations []*AnnotationConfig `json:"policy_require_service_loadbalancer_annotations"`
	// PolicyRequireVirtualServiceGateways contains the Gateways that are allowed with this policy.
	// It is a pointer, so an absent JSON key leaves it nil; consumers must nil-check.
	PolicyRequireVirtualServiceGateways *VirtualServiceGatewaysConfig `json:"policy_require_virtualservice_gateways"`
	// PolicyTrustedRepositoryRegexes contains regexes that match image repositories that you want to allow.
	// NOTE(review): an unanchored regex matches anywhere in the image reference,
	// so a pattern like `myregistry.example/` would also accept
	// `evil.example/myregistry.example/...`. Anchor patterns (`^...$`) unless the
	// policy implementation is known to anchor them itself — confirm.
	PolicyTrustedRepositoryRegexes []string `json:"policy_trusted_repository_regexes"`
	// PolicyDefaultSeccompPolicy contains the seccomp policy that you want to be applied on Pods by default.
	// Defaults to 'runtime/default'
	PolicyDefaultSeccompPolicy string `json:"policy_default_seccomp_policy"`
	// PolicyImagePullPolicy contains the images that needs to enforce to a specific ImagePullPolicy
	// Note the JSON key is "mutate_image_pull_policy", not "policy_image_pull_policy",
	// unlike the other Policy* fields.
	PolicyImagePullPolicy   map[string][]string     `json:"mutate_image_pull_policy"`
	// MutateEmptyDirSizeLimit configures the default and maximum emptyDir size
	// limits applied by the corresponding mutation (see MutateEmptyDirSizeLimit).
	MutateEmptyDirSizeLimit MutateEmptyDirSizeLimit `json:"mutate_empty_dir_size_limit"`
}

Config contains configuration for Policies

type MutateEmptyDirSizeLimit

// MutateEmptyDirSizeLimit holds the size limits used when mutating emptyDir
// volumes. It has a custom UnmarshalJSON (declared below), so the JSON form may
// differ from a plain struct decode — consult that method for the accepted input.
type MutateEmptyDirSizeLimit struct {
	// MaximumSizeLimit is the largest emptyDir size limit permitted
	// (JSON key "maximum_size_limit"); presumably a Kubernetes resource
	// quantity such as "1Gi" — confirm against UnmarshalJSON.
	MaximumSizeLimit apiresource.Quantity `json:"maximum_size_limit"`
	// DefaultSizeLimit is the size limit applied when a Pod sets none
	// (JSON key "default_size_limit").
	DefaultSizeLimit apiresource.Quantity `json:"default_size_limit"`
}

func (*MutateEmptyDirSizeLimit) UnmarshalJSON

func (m *MutateEmptyDirSizeLimit) UnmarshalJSON(value []byte) error

type PatchOperation

// PatchOperation is used for specifying mutating patches on resources. It
// follows the JSON Patch format (http://jsonpatch.com/, RFC 6902), which is the
// format that MutatingWebhookConfigurations require.
type PatchOperation struct {
	// Op is the JSON Patch operation name, e.g. "add", "replace" or "remove".
	Op    string      `json:"op"`
	// Path is the JSON Pointer to the target location within the resource.
	Path  string      `json:"path"`
	// Value is the operand for operations that take one; omitted from the
	// encoded patch when nil, which is what "remove" requires.
	Value interface{} `json:"value,omitempty"`
}

PatchOperation is used for specifying mutating patches on resources. It follows the JSON Patch format (http://jsonpatch.com/). This is the format that MutatingWebhookConfigurations require.

type RawExemption

// RawExemption is the configuration for a policy exemption as written in YAML
// or JSON. Each string field is a glob pattern; Compile turns the whole
// exemption into a CompiledExemption.
//
// NOTE(review): exemptions widen what the webhook admits. Keep patterns as
// narrow as the use case allows (exact names rather than `*`) and version the
// exemption files so changes are reviewable.
type RawExemption struct {
	// ClusterName is a glob pattern for the cluster name (JSON key "cluster_name").
	ClusterName    string   `json:"cluster_name"`
	// ResourceName is a glob pattern for the resource name (JSON key "resource_name").
	ResourceName   string   `json:"resource_name"`
	// Namespace is a glob pattern for the resource namespace.
	Namespace      string   `json:"namespace"`
	// Username is a glob pattern for the requesting user's name.
	Username       string   `json:"username"`
	// Group is a glob pattern for the requesting user's group.
	Group          string   `json:"group"`
	// ExemptPolicies lists glob patterns over policy names that this exemption
	// disables for matching resources (JSON key "exempt_policies").
	ExemptPolicies []string `json:"exempt_policies"`
}

RawExemption is the configuration for a policy exemption

func (*RawExemption) Compile

func (r *RawExemption) Compile() CompiledExemption

Compile returns a CompiledExemption

type ResourceViolation

// ResourceViolation contains information needed to report and track
// violations, as well as checking for exemptions (ResourceName and Namespace
// line up with IsExempt's parameters of the same name).
type ResourceViolation struct {
	// ResourceName is the name of the offending resource.
	ResourceName string
	// ResourceKind is the Kubernetes kind of the resource (e.g. Pod, Ingress).
	ResourceKind string
	// Namespace is the resource's namespace.
	Namespace    string
	// Violation is the human-readable description of what was violated.
	Violation    string
	// Policy names the policy that produced the violation; this is what an
	// exemption's ExemptPolicies glob is matched against.
	Policy       string
	// Error carries an underlying error, if evaluating the policy failed
	// rather than merely finding a violation; may be nil.
	Error        error
}

ResourceViolation contains information needed to report and track violations, as well as checking for exemptions

func (ResourceViolation) HumanString

func (r ResourceViolation) HumanString() string

type VirtualServiceGatewaysConfig added in v3.5.0

// VirtualServiceGatewaysConfig restricts which gateways a VirtualService may
// reference. Used by Config.PolicyRequireVirtualServiceGateways.
type VirtualServiceGatewaysConfig struct {
	// AllowedGateways lists the gateway names a VirtualService may reference
	// (JSON key "allowed_gateways").
	AllowedGateways    []string `json:"allowed_gateways"`
	// AllowEmptyGateways, when true, presumably permits VirtualServices that
	// specify no gateways at all (JSON key "allow_empty_gateways").
	// NOTE(review): if these are Istio VirtualServices, an empty gateways list
	// implicitly targets the mesh-internal gateway — confirm that this exposure is
	// intended before enabling it.
	AllowEmptyGateways bool     `json:"allow_empty_gateways"`
}
