/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package generic

import (
	"fmt"

	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apiserver/pkg/admission"
	"k8s.io/apiserver/pkg/admission/plugin/policy/matching"
)

// PolicyMatcher decides whether a ValidatingAdmissionPolicy (via its
// PolicyAccessor) or a ValidatingAdmissionPolicyBinding (via its
// BindingAccessor) applies to an incoming admission request.
type PolicyMatcher interface {
	admission.InitializationValidator

	// DefinitionMatches reports whether the policy definition's matchConstraints
	// select the admission request described by a, together with the
	// GroupVersionResource and GroupVersionKind reported by the underlying
	// matching.Matcher. A definition without matchConstraints is an error,
	// never a match.
	DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition PolicyAccessor) (bool, schema.GroupVersionResource, schema.GroupVersionKind, error)

	// BindingMatches reports whether the binding's matchResources select the
	// admission request described by a. A binding with no matchResources
	// matches every request.
	BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding BindingAccessor) (bool, error)

	// GetNamespace retrieves the Namespace resource by the given name.
	// The name may be empty, in which case GetNamespace must return nil, nil.
	GetNamespace(name string) (*corev1.Namespace, error)
}

// matcher is the PolicyMatcher implementation. Every method delegates to the
// wrapped matching.Matcher after translating the accessor into matchCriteria.
type matcher struct {
	Matcher *matching.Matcher
}

// NewPolicyMatcher wraps m as a PolicyMatcher. m is not validated here; callers
// are expected to run ValidateInitialization before use.
func NewPolicyMatcher(m *matching.Matcher) PolicyMatcher {
	return &matcher{Matcher: m}
}

// ValidateInitialization reports whether the wrapped matching.Matcher has been
// fully initialized.
func (pm *matcher) ValidateInitialization() error {
	return pm.Matcher.ValidateInitialization()
}

// DefinitionMatches reports whether the policy's matchConstraints select the
// request in a. It fails closed: a definition without matchConstraints yields
// an error and a false match instead of a guessed result.
func (pm *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition PolicyAccessor) (bool, schema.GroupVersionResource, schema.GroupVersionKind, error) {
	constraints := definition.GetMatchConstraints()
	if constraints == nil {
		// matchConstraints is a required field; refuse rather than match nothing silently.
		return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf("policy contained no match constraints, a required field")
	}
	return pm.Matcher.Matches(a, o, &matchCriteria{constraints: constraints})
}

// BindingMatches reports whether the binding's matchResources select the
// request in a. A binding that sets no matchResources matches unconditionally.
// This method alone does not consult the policy's own matchConstraints, so a
// binding match is only meaningful alongside DefinitionMatches.
func (pm *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding BindingAccessor) (bool, error) {
	resources := binding.GetMatchResources()
	if resources == nil {
		return true, nil
	}
	// Only the boolean outcome matters for a binding; the resource and kind the
	// request was matched under are discarded.
	matched, _, _, err := pm.Matcher.Matches(a, o, &matchCriteria{constraints: resources})
	return matched, err
}

// GetNamespace resolves a Namespace by name through the wrapped
// matching.Matcher. The empty-name contract stated on PolicyMatcher
// (return nil, nil) is presumably honoured by the wrapped Matcher; it is not
// enforced in this method.
func (pm *matcher) GetNamespace(name string) (*corev1.Namespace, error) {
	return pm.Matcher.GetNamespace(name)
}

// Compile-time check that matchCriteria satisfies matching.MatchCriteria.
var _ matching.MatchCriteria = (*matchCriteria)(nil)

// matchCriteria adapts a MatchResources block (a policy's matchConstraints or
// a binding's matchResources) to the matching.MatchCriteria interface.
// constraints is never nil: both construction sites in this file
// (DefinitionMatches, BindingMatches) check for nil first.
type matchCriteria struct {
	constraints *admissionregistrationv1.MatchResources
}

// GetParsedNamespaceSelector converts the NamespaceSelector into a
// labels.Selector via metav1.LabelSelectorAsSelector.
// NOTE(review): whether a nil NamespaceSelector can reach this point depends
// on API defaulting upstream of this package — not verified here.
func (mc *matchCriteria) GetParsedNamespaceSelector() (labels.Selector, error) {
	return metav1.LabelSelectorAsSelector(mc.constraints.NamespaceSelector)
}

// GetParsedObjectSelector converts the ObjectSelector into a labels.Selector
// via metav1.LabelSelectorAsSelector.
func (mc *matchCriteria) GetParsedObjectSelector() (labels.Selector, error) {
	return metav1.LabelSelectorAsSelector(mc.constraints.ObjectSelector)
}

// GetMatchResources returns the wrapped MatchResources by value. This is a
// shallow copy: nested slices and selector pointers remain shared with the
// original.
func (mc *matchCriteria) GetMatchResources() admissionregistrationv1.MatchResources {
	return *mc.constraints
}