/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha2
import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
// PolicyMode selects how a policy's verdict is applied to admission requests.
// The enum marker below restricts the generated CRD schema to the two values
// "protect" and "monitor"; their semantics and the allowed transitions between
// them are described on PolicySpec.Mode.
// +kubebuilder:validation:Enum=protect;monitor
type PolicyMode string
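// PolicySpec defines the desired state of a Policy: which WASM module
// implements it, how its verdicts are applied, and which admission requests
// are routed to it. Several fields reuse the admissionregistration/v1 types
// and carry the corresponding upstream webhook semantics.
type PolicySpec struct {
	// PolicyServer identifies an existing PolicyServer resource.
	// +kubebuilder:default:=default
	// +optional
	PolicyServer string `json:"policyServer"`

	// Module is the location of the WASM module to be loaded. Can be a
	// local file (file://), a remote file served by an HTTP server
	// (http://, https://), or an artifact served by an OCI-compatible
	// registry (registry://).
	// NOTE(review): nothing in this type pins the module's content. A plain
	// http:// location has no transport integrity, and a mutable registry
	// tag can change what gets loaded without the Policy object changing;
	// prefer https:// or an immutable registry reference. Whether the
	// controller verifies the fetched module is not visible here — confirm.
	// +kubebuilder:validation:Required
	Module string `json:"module"`

	// Mode defines the execution mode of this policy. Can be set to
	// either "protect" or "monitor". If it's empty, it is defaulted to
	// "protect".
	// Transitioning this setting from "monitor" to "protect" is
	// allowed, but is disallowed to transition from "protect" to
	// "monitor". To perform this transition, the policy should be
	// recreated in "monitor" mode instead.
	// +kubebuilder:default:=protect
	// +optional
	Mode PolicyMode `json:"mode,omitempty"`

	// Settings is a free-form object that contains the policy configuration
	// values.
	// Because unknown fields are preserved and no schema is declared, the
	// API server does not validate the contents of Settings; the policy
	// module is presumably responsible for validating them — confirm.
	// +optional
	// +nullable
	// +kubebuilder:pruning:PreserveUnknownFields
	// x-kubernetes-embedded-resource: false
	Settings runtime.RawExtension `json:"settings,omitempty"`

	// Rules describes what operations on what resources/subresources the webhook cares about.
	// The webhook cares about an operation if it matches _any_ Rule.
	Rules []admissionregistrationv1.RuleWithOperations `json:"rules"`

	// FailurePolicy defines how unrecognized errors and timeout errors from the
	// policy are handled. Allowed values are "Ignore" or "Fail".
	// * "Ignore" means that an error calling the webhook is ignored and the API
	// request is allowed to continue.
	// * "Fail" means that an error calling the webhook causes the admission to
	// fail and the API request to be rejected.
	// The default behaviour is "Fail"
	// Note that "Ignore" is fail-open: while the policy is unreachable or
	// slow, matching requests are admitted without being evaluated, so the
	// default fail-closed behaviour should only be relaxed deliberately.
	// +optional
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`

	// Mutating indicates whether a policy has the ability to mutate
	// incoming requests or not.
	Mutating bool `json:"mutating"`

	// matchPolicy defines how the "rules" list is used to match incoming requests.
	// Allowed values are "Exact" or "Equivalent".
	// <ul>
	// <li>
	// Exact: match a request only if it exactly matches a specified rule.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
	// </li>
	// <li>
	// Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
	// </li>
	// </ul>
	// Defaults to "Equivalent"
	// +optional
	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`

	// ObjectSelector decides whether to run the webhook based on if the
	// object has matching labels. objectSelector is evaluated against both
	// the oldObject and newObject that would be sent to the webhook, and
	// is considered to match if either object matches the selector. A null
	// object (oldObject in the case of create, or newObject in the case of
	// delete) or an object that cannot have labels (like a
	// DeploymentRollback or a PodProxyOptions object) is not considered to
	// match.
	// Use the object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`

	// SideEffects states whether this webhook has side effects.
	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
	// rejected by a future step in the admission change and the side effects therefore need to be undone.
	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
	// sideEffects == Unknown or Some.
	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`

	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
	// the webhook call will be ignored or the API call will fail based on the
	// failure policy.
	// The timeout value must be between 1 and 30 seconds.
	// Default to 10 seconds.
	// The Minimum/Maximum markers make the CRD schema enforce the documented
	// range, so an out-of-range value is rejected when the Policy is
	// created rather than surfacing later as a reconciliation error.
	// +optional
	// +kubebuilder:default:=10
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=30
	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
}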