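/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package imagepolicy contains an admission controller that configures a webhook to which policy
// decisions are delegated.
package imagepolicy

import (
	"fmt"
	"time"

	"k8s.io/klog/v2"
)

// Bounds and defaults for the duration settings in imagePolicyWebhookConfig.
// The raw integers read from the config file are scaled by
// normalizeWebhookConfig (milliseconds for the retry backoff, seconds for the
// two cache TTLs) before they are compared against these values, so e.g.
// minRetryBackoff of 1ns means "a raw value of at least 1", i.e. 1ms.
const (
	defaultRetryBackoff = time.Duration(500) * time.Millisecond
	minRetryBackoff     = time.Duration(1)
	maxRetryBackoff     = time.Duration(5) * time.Minute
	defaultAllowTTL     = time.Duration(5) * time.Minute
	defaultDenyTTL      = time.Duration(30) * time.Second
	minAllowTTL         = time.Duration(1) * time.Second
	maxAllowTTL         = time.Duration(30) * time.Minute
	minDenyTTL          = time.Duration(1) * time.Second
	maxDenyTTL          = time.Duration(30) * time.Minute
	useDefault          = time.Duration(0)  // sentinel for using default TTL
	disableTTL          = time.Duration(-1) // sentinel for disabling a TTL
)

// imagePolicyWebhookConfig holds config data for imagePolicyWebhook.
//
// The three duration fields are decoded from plain integers. Decoding lands
// the raw number in the field as nanoseconds; normalizeWebhookConfig then
// reinterprets it in the unit noted on each field, applies the 0 / -1
// sentinels, and rejects values outside the bounds declared above.
type imagePolicyWebhookConfig struct {
	// KubeConfigFile is, by name, the kubeconfig used to reach the webhook
	// (not used in this file; see the caller that builds the client).
	KubeConfigFile string `json:"kubeConfigFile"`
	// AllowTTL is the "allow cache" lifetime in whole seconds. 0 selects
	// defaultAllowTTL, -1 disables the cache. A long allow TTL keeps an image
	// admitted for that long after the webhook would start denying it, so
	// pick it with revocation latency in mind.
	AllowTTL time.Duration `json:"allowTTL"`
	// DenyTTL is the "deny cache" lifetime in whole seconds. 0 selects
	// defaultDenyTTL, -1 disables the cache.
	DenyTTL time.Duration `json:"denyTTL"`
	// RetryBackoff is the webhook retry backoff in whole milliseconds. 0
	// selects defaultRetryBackoff, -1 disables it (normalizes to 0).
	RetryBackoff time.Duration `json:"retryBackoff"`
	// DefaultAllow is not inspected here. NOTE(review): by name it is the
	// verdict used when the webhook cannot produce one (unreachable, bad
	// response); if so, true is fail-open and should be a deliberate choice —
	// confirm against the admission handler.
	DefaultAllow bool `json:"defaultAllow"`
}

// AdmissionConfig holds config data for admission controllers.
type AdmissionConfig struct {
	ImagePolicyWebhook imagePolicyWebhookConfig `json:"imagePolicy"`
}

// normalizeWebhookConfig rewrites the duration fields of config in place:
// RetryBackoff is scaled from milliseconds, AllowTTL and DenyTTL from
// seconds, sentinels are resolved and bounds enforced (see
// normalizeConfigDuration). It stops at the first invalid field and returns
// its error; fields after it are left untouched.
func normalizeWebhookConfig(config *imagePolicyWebhookConfig) (err error) {
	config.RetryBackoff, err = normalizeConfigDuration("backoff", time.Millisecond, config.RetryBackoff, minRetryBackoff, maxRetryBackoff, defaultRetryBackoff)
	if err != nil {
		return err
	}
	config.AllowTTL, err = normalizeConfigDuration("allow cache", time.Second, config.AllowTTL, minAllowTTL, maxAllowTTL, defaultAllowTTL)
	if err != nil {
		return err
	}
	config.DenyTTL, err = normalizeConfigDuration("deny cache", time.Second, config.DenyTTL, minDenyTTL, maxDenyTTL, defaultDenyTTL)
	return err
}

// normalizeConfigDuration turns a raw config number into a validated
// time.Duration.
//
// value is the integer as it came out of JSON decoding (the raw number,
// stored as nanoseconds), scale is the unit that number is meant in
// (time.Millisecond or time.Second for the callers above), and min/max are
// the allowed range of the scaled result. name only labels log lines.
//
// Sentinels are checked before scaling: disableTTL (-1) yields 0 and
// useDefault (0) yields defaultValue, both without error. Every other value
// must scale into [min, max] or an error is returned.
//
// The range is checked on the raw number before multiplying: value*scale is
// a plain int64 product and silently wraps, so a sufficiently large raw
// number (e.g. 18446744075 with a second scale) would otherwise wrap into an
// in-range duration and be accepted. Any raw number above max/scale can never
// be valid, so rejecting it first closes that hole without changing which
// values are accepted.
func normalizeConfigDuration(name string, scale, value, min, max, defaultValue time.Duration) (time.Duration, error) {
	// disable with -1 sentinel
	if value == disableTTL {
		klog.V(2).Infof("image policy webhook %s disabled", name)
		return time.Duration(0), nil
	}

	// use default with 0 sentinel
	if value == useDefault {
		klog.V(2).Infof("image policy webhook %s using default value", name)
		return defaultValue, nil
	}

	// guard the division below; callers only pass positive units
	if scale <= 0 {
		return value, fmt.Errorf("invalid scale %v for %s", scale, name)
	}

	// reject anything that cannot land in [min, max] before scaling, so the
	// multiplication cannot overflow; value*scale is not representable here,
	// hence the raw number is reported instead
	if value < 0 || value > max/scale {
		return value, fmt.Errorf("valid value is between %v and %v, got %d (in units of %v)", min, max, int64(value), scale)
	}

	// reinterpret the raw number in the caller's unit; decoding stored it as ns
	value *= scale

	// check value is within range
	if value < min || value > max {
		return value, fmt.Errorf("valid value is between %v and %v, got %v", min, max, value)
	}
	return value, nil
}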