
     1  /*
     2  Copyright 2022 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package validating
    18  
    19  import (
    20  	"net/http"
    21  	"time"
    22  
    23  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    24  )
    25  
// PolicyDecisionAction is the admission outcome recorded for one policy
// evaluation: the request is either admitted or denied.
type PolicyDecisionAction string

const (
	// ActionAdmit lets the request proceed.
	ActionAdmit PolicyDecisionAction = "admit"
	// ActionDeny rejects the request.
	ActionDeny  PolicyDecisionAction = "deny"
)

// PolicyDecisionEvaluation records how the policy expression itself evaluated.
// It is tracked separately from PolicyDecisionAction because an evaluation
// error is not by itself an admission verdict; the action taken for it is
// decided elsewhere (presumably by the policy's failure policy — confirm against
// the caller).
type PolicyDecisionEvaluation string

const (
	// EvalAdmit indicates the expression evaluated to an admit result.
	EvalAdmit PolicyDecisionEvaluation = "admit"
	// EvalError indicates the expression evaluation ended in an error rather
	// than producing a verdict.
	EvalError PolicyDecisionEvaluation = "error"
	// EvalDeny indicates the expression evaluated to a deny result.
	EvalDeny  PolicyDecisionEvaluation = "deny"
)
    40  
// PolicyDecision contains the action determined from a cel evaluation along with metadata such as message, reason and duration
type PolicyDecision struct {
	// Action is the admission outcome (admit or deny) for the request.
	Action PolicyDecisionAction
	// Evaluation records how the expression evaluated (admit, deny or error),
	// independently of the Action ultimately taken.
	Evaluation PolicyDecisionEvaluation
	// Message is the free-form message attached to the decision.
	Message string
	// Reason is the status reason attached to the decision; reasonToCode in
	// this file maps a StatusReason to the HTTP status code that is reported.
	Reason metav1.StatusReason
	// Elapsed is the duration recorded for this evaluation.
	Elapsed time.Duration
}
    49  
// PolicyAuditAnnotationAction describes what is done with an audit annotation
// produced by a policy's valueExpression: publish it, record that the
// expression errored, or leave it out of the audit event.
type PolicyAuditAnnotationAction string

const (
	// AuditAnnotationActionPublish indicates that the audit annotation should be
	// published with the audit event.
	AuditAnnotationActionPublish PolicyAuditAnnotationAction = "publish"
	// AuditAnnotationActionError indicates that the valueExpression resulted
	// in an error.
	AuditAnnotationActionError PolicyAuditAnnotationAction = "error"
	// AuditAnnotationActionExclude indicates that the audit annotation should be excluded
	// because the valueExpression evaluated to null, or because FailurePolicy is Ignore
	// and the expression failed with a parse error, type check error, or runtime error.
	AuditAnnotationActionExclude PolicyAuditAnnotationAction = "exclude"
)
    64  
// PolicyAuditAnnotation is the result of evaluating one audit annotation of a
// policy: the key/value pair, how long it took, and whether it is to be
// published, excluded, or recorded as an error.
type PolicyAuditAnnotation struct {
	// Key is the audit annotation key.
	Key string
	// Value is the audit annotation value produced by the valueExpression.
	Value string
	// Elapsed is the duration recorded for evaluating this annotation.
	Elapsed time.Duration
	// Action states whether the annotation is published, excluded, or errored.
	Action PolicyAuditAnnotationAction
	// Error carries the error text; presumably populated when Action is
	// AuditAnnotationActionError — confirm against the producer.
	Error string
}
    72  
// reasonToCode maps the status reason attached to a policy decision to the
// HTTP status code reported for it. Only the reasons the API layer allows to
// be set (Forbidden, Unauthorized, RequestEntityTooLarge, Invalid) have a
// dedicated code; any other reason falls back to 422 Unprocessable Entity so
// that an unexpected reason can never surface as a success status.
func reasonToCode(r metav1.StatusReason) int32 {
	// Start from the fallback so every path out of the switch yields a
	// non-2xx code, even for reasons that should not reach here.
	code := int32(http.StatusUnprocessableEntity)
	switch r {
	case metav1.StatusReasonForbidden:
		code = http.StatusForbidden
	case metav1.StatusReasonUnauthorized:
		code = http.StatusUnauthorized
	case metav1.StatusReasonRequestEntityTooLarge:
		code = http.StatusRequestEntityTooLarge
	case metav1.StatusReasonInvalid:
		// Same as the fallback; listed explicitly to document the mapping.
		code = http.StatusUnprocessableEntity
	}
	return code
}