// PluginName is the name under which this admission plugin is registered.
const PluginName …

// ephemeralcontainers names a pod subresource; presumably Validate treats updates to it
// like pod creation so newly injected images are also reviewed — confirm against Validate's body.
const ephemeralcontainers …

// AuditKeyPrefix is the prefix shared by the audit annotations this plugin emits
// (see ImagePolicyFailedOpenKeySuffix / ImagePolicyAuditRequiredKeySuffix).
var AuditKeyPrefix …

// ImagePolicyFailedOpenKeySuffix completes an audit annotation key; by its name it records
// that a request was admitted because the backend failed and defaultAllow was true
// (fail-open). Operators auditing fail-open decisions should search for this key.
const ImagePolicyFailedOpenKeySuffix …

// ImagePolicyAuditRequiredKeySuffix completes an audit annotation key for reviews that
// the backend flagged as requiring audit — exact semantics depend on the backend's
// ImageReviewStatus; confirm against admitPod.
const ImagePolicyAuditRequiredKeySuffix …

// groupVersions lists the ImageReview API versions the webhook client negotiates with the backend.
var groupVersions …

// Register registers a plugin
func Register(plugins *admission.Plugins) { … }

// Plugin is the ImagePolicyWebhook admission plugin state (webhook client, cache, defaultAllow, TTLs).
type Plugin …

// Compile-time interface assertion for Plugin.
var _ …

// statusTTL picks how long a backend decision may be cached; presumably allowTTL for an
// allowed review and denyTTL for a denied one (the config fields below) — verify against the body.
func (a *Plugin) statusTTL(status v1alpha1.ImageReviewStatus) time.Duration { … }

// Filter out annotations that don't match *.image-policy.k8s.io/*
// Only the matching subset of the pod's annotations is forwarded to the backend, which keeps
// unrelated (possibly sensitive) annotations out of the ImageReview request.
func (a *Plugin) filterAnnotations(allAnnotations map[string]string) map[string]string { … }

// Function to call on webhook failure; behavior determined by defaultAllow flag.
// With defaultAllow set the pod is admitted despite the backend error (fail-open); otherwise the
// error is surfaced and the pod is rejected (fail-closed). Any fail-open decision should be
// visible in the audit annotations (see ImagePolicyFailedOpenKeySuffix).
func (a *Plugin) webhookError(pod *api.Pod, attributes admission.Attributes, err error) error { … }

// Validate makes an admission decision based on the request attributes
func (a *Plugin) Validate(ctx context.Context, attributes admission.Attributes, o admission.ObjectInterfaces) (err error) { … }

// admitPod sends the given ImageReview to the backend (or serves it from cache) and turns
// the backend's decision into an admission result for pod.
func (a *Plugin) admitPod(ctx context.Context, pod *api.Pod, attributes admission.Attributes, review *v1alpha1.ImageReview) error { … }

// NewImagePolicyWebhook creates a new ImagePolicyWebhook plugin from the provided config file.
// The config file is specified by --admission-control-config-file and has the
// following format for a webhook:
//
//	{
//	  "imagePolicy": {
//	    "kubeConfigFile": "path/to/kubeconfig/for/backend",
//	    "allowTTL": 30,        # time in s to cache approval
//	    "denyTTL": 30,         # time in s to cache denial
//	    "retryBackoff": 500,   # time in ms to wait between retries
//	    "defaultAllow": true   # determines behavior if the webhook backend fails
//	  }
//	}
//
// The config file may be json or yaml. The "# ..." remarks above are explanatory only;
// a JSON file must not contain them (YAML allows comments).
//
// Security note: "defaultAllow": true means the plugin fails OPEN — if the backend is
// unreachable, times out, or returns an error, pods are admitted without any image policy
// having been applied. Use "defaultAllow": false for a fail-closed policy, and in either
// case monitor the audit annotations the plugin emits under AuditKeyPrefix.
//
// The kubeconfig property refers to another file in the kubeconfig format which
// specifies how to connect to the webhook backend.
//
// The kubeconfig's cluster field identifies the remote service; the user field holds the
// client credentials the API server presents to that service.
//
//	# clusters refers to the remote service.
//	clusters:
//	- name: name-of-remote-imagepolicy-service
//	  cluster:
//	    certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
//	    server: https://images.example.com/policy  # URL of remote service to query. Must use 'https'.
//
//	# users refers to the API server's webhook configuration.
//	users:
//	- name: name-of-api-server
//	  user:
//	    client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
//	    client-key: /path/to/key.pem          # key matching the cert
//
// Always set certificate-authority (or otherwise pin the backend's CA) so the https
// connection actually authenticates the policy service; an admission decision obtained
// over an unverified channel can be forged by anyone who can intercept the connection.
//
// For additional HTTP configuration, refer to the kubeconfig documentation
// http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html.
func NewImagePolicyWebhook(configFile io.Reader) (*Plugin, error) { … }