k8s.io/apiserver@v0.31.1/pkg/admission/plugin/policy/validating/interface.go (about)

     1  /*
     2  Copyright 2022 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package validating
    18  
    19  import (
    20  	"context"
    21  
    22  	celgo "github.com/google/cel-go/cel"
    23  
    24  	corev1 "k8s.io/api/core/v1"
    25  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    26  	"k8s.io/apimachinery/pkg/runtime"
    27  	"k8s.io/apimachinery/pkg/runtime/schema"
    28  	"k8s.io/apiserver/pkg/admission"
    29  	"k8s.io/apiserver/pkg/admission/plugin/cel"
    30  	"k8s.io/apiserver/pkg/authorization/authorizer"
    31  )
    32  
    // Compile-time assertion: the build fails if *ValidationCondition stops
    // satisfying cel.ExpressionAccessor.
    var _ cel.ExpressionAccessor = (*ValidationCondition)(nil)
    34  
    // ValidationCondition holds the inputs needed to compile, evaluate and
    // validate a single CEL expression.
    type ValidationCondition struct {
    	// Expression is the CEL source text; GetExpression returns it unchanged.
    	Expression string
    	// Message is free-form text attached to the condition.
    	// NOTE(review): presumably the text reported when the expression does
    	// not hold — confirm against the Validator implementation.
    	Message string
    	// Reason is an optional status reason; being a pointer, it may be nil.
    	// NOTE(review): how a nil Reason is defaulted is not visible in this
    	// file — confirm in the consumer.
    	Reason *metav1.StatusReason
    }
    41  
    // GetExpression returns the CEL source text of the validation exactly as
    // stored in Expression. The receiver is dereferenced, so it must be non-nil.
    func (v *ValidationCondition) GetExpression() string {
    	return v.Expression
    }
    45  
    // ReturnTypes lists the result types accepted for a validation expression:
    // bool only. A new slice is built on every call.
    // NOTE(review): the type check itself happens outside this file, presumably
    // where cel.ExpressionAccessor is consumed — confirm that an expression of
    // any other type is rejected rather than coerced to a boolean.
    func (v *ValidationCondition) ReturnTypes() []*celgo.Type {
    	accepted := []*celgo.Type{celgo.BoolType}
    	return accepted
    }
    49  
    // AuditAnnotationCondition holds the inputs needed to compile, evaluate and
    // publish one CEL-derived audit annotation.
    // NOTE(review): the published value is whatever the expression computes; if
    // it copies fields of the object under admission, that data presumably ends
    // up in the audit trail — confirm what policy authors are allowed to emit.
    type AuditAnnotationCondition struct {
    	// Key names the audit annotation.
    	// NOTE(review): any prefixing or uniqueness rule for keys is not visible
    	// here — confirm where it is enforced.
    	Key string
    	// ValueExpression is the CEL source text that produces the annotation
    	// value; GetExpression returns it unchanged.
    	ValueExpression string
    }
    55  
    // GetExpression returns the CEL source text that computes the annotation
    // value, exactly as stored in ValueExpression. The receiver is dereferenced,
    // so it must be non-nil.
    func (v *AuditAnnotationCondition) GetExpression() string {
    	return v.ValueExpression
    }
    59  
    // ReturnTypes lists the result types accepted for an audit annotation value
    // expression: string or null. A new slice is built on every call.
    // NOTE(review): presumably a null result means no annotation is published —
    // confirm in the code that consumes the evaluation.
    func (v *AuditAnnotationCondition) ReturnTypes() []*celgo.Type {
    	accepted := []*celgo.Type{
    		celgo.StringType,
    		celgo.NullType,
    	}
    	return accepted
    }
    63  
    // Variable is a named CEL expression used for composition.
    type Variable struct {
    	// Name identifies the variable; GetName returns it unchanged.
    	Name string
    	// Expression is the CEL source text; GetExpression returns it unchanged.
    	Expression string
    }
    69  
    // GetExpression returns the variable's CEL source text exactly as stored in
    // Expression. The receiver is dereferenced, so it must be non-nil.
    func (v *Variable) GetExpression() string {
    	return v.Expression
    }
    73  
    // ReturnTypes lists the result types accepted for a variable expression: any
    // and dyn, so the result type is not narrowed here. A new slice is built on
    // every call.
    // NOTE(review): with no narrowing at this point, a type mismatch presumably
    // surfaces only where the variable is used — confirm in the composition code.
    func (v *Variable) ReturnTypes() []*celgo.Type {
    	accepted := []*celgo.Type{
    		celgo.AnyType,
    		celgo.DynType,
    	}
    	return accepted
    }
    77  
    // GetName returns the variable's name exactly as stored in Name. The
    // receiver is dereferenced, so it must be non-nil.
    func (v *Variable) GetName() string {
    	return v.Name
    }
    81  
    // ValidateResult is what a Validator.Validate call returns.
    type ValidateResult struct {
    	// Decisions carries the outcome of the validation together with the
    	// details behind each decision.
    	Decisions []PolicyDecision
    	// AuditAnnotations carries the audit annotations that should be recorded
    	// for the validation.
    	AuditAnnotations []PolicyAuditAnnotation
    }
    89  
    // Validator contains the logic for converting CEL evaluations into
    // PolicyDecisions.
    type Validator interface {
    	// Validate takes CEL evaluations and converts them into decisions,
    	// returned as a ValidateResult.
    	//
    	// runtimeCELCostBudget was added for testing purposes only. Callers should
    	// always pass the RuntimeCELCostBudget constant from
    	// k8s.io/apiserver/pkg/apis/cel/config.go.
    	// NOTE(review): judging by its name, this value bounds the CEL work done
    	// for a request, so a larger caller-chosen value would loosen that bound
    	// on the admission path — confirm in the implementation.
    	// NOTE(review): authz is presumably what authorization checks made from
    	// expressions are evaluated against; whether a nil authz is tolerated is
    	// not visible here — confirm.
    	Validate(
    		ctx context.Context,
    		matchedResource schema.GroupVersionResource,
    		versionedAttr *admission.VersionedAttributes,
    		versionedParams runtime.Object,
    		namespace *corev1.Namespace,
    		runtimeCELCostBudget int64,
    		authz authorizer.Authorizer,
    	) ValidateResult
    }