kubernetes/staging/src/k8s.io/pod-security-admission/admission/admission.go

// defaultNamespaceMaxPodsToCheck caps how many existing pods are examined when a
// namespace's enforce level changes (value not shown in this outline; presumably
// consumed by EvaluatePodsInNamespace — confirm).
const defaultNamespaceMaxPodsToCheck

// defaultNamespacePodCheckTimeout bounds the time spent checking existing pods on a
// namespace update (value not shown in this outline; presumably consumed by
// EvaluatePodsInNamespace — confirm).
const defaultNamespacePodCheckTimeout

// Admission is the receiver for the Validate*, Evaluate* and exempt* methods in this
// file; it carries the plugin's configuration and dependencies (fields not shown in
// this outline).
type Admission

// NamespaceGetter is presumably the interface Admission uses to look up a namespace
// (and its labels) when computing the effective policy — definition not shown; confirm.
type NamespaceGetter

// PodLister is presumably the interface EvaluatePodsInNamespace uses to list the
// existing pods of a namespace — definition not shown; confirm.
type PodLister

// PodSpecExtractor — definition not shown. DefaultPodSpecExtractor below provides
// HasPodSpec, ExtractPodSpec and PodSpecResources, which are presumably this
// interface's method set; confirm.
type PodSpecExtractor

// defaultPodSpecResources — value not shown; presumably the []schema.GroupResource
// returned by DefaultPodSpecExtractor.PodSpecResources — confirm.
var defaultPodSpecResources

// DefaultPodSpecExtractor is the extractor whose HasPodSpec, ExtractPodSpec and
// PodSpecResources methods are declared below (type body not shown in this outline).
type DefaultPodSpecExtractor

// HasPodSpec reports whether objects of the given group/resource embed a pod spec.
// Body not shown in this outline; the set consulted is presumably
// defaultPodSpecResources — confirm.
func (DefaultPodSpecExtractor) HasPodSpec(gr schema.GroupResource) bool {}

// ExtractPodSpec returns the ObjectMeta and PodSpec embedded in obj, or an error when
// obj is not a supported kind. Body not shown; extractPodSpecFromTemplate below has the
// same return shape and is presumably the helper for template-bearing kinds — confirm.
func (DefaultPodSpecExtractor) ExtractPodSpec(obj runtime.Object) (*metav1.ObjectMeta, *corev1.PodSpec, error) {}

// PodSpecResources returns the group/resources this extractor can handle (presumably
// defaultPodSpecResources — body not shown; confirm).
func (DefaultPodSpecExtractor) PodSpecResources() []schema.GroupResource {}

// extractPodSpecFromTemplate pulls the ObjectMeta and PodSpec out of a PodTemplateSpec.
// Body not shown; confirm how a nil template is handled (the signature allows one).
func extractPodSpecFromTemplate(template *corev1.PodTemplateSpec) (*metav1.ObjectMeta, *corev1.PodSpec, error) {}

// CompleteConfiguration sets up default or derived configuration.
// Body not shown in this outline; the defaultNamespaceMaxPodsToCheck and
// defaultNamespacePodCheckTimeout constants are presumably applied here when the
// corresponding fields are unset — confirm.
func (a *Admission) CompleteConfiguration() error {}

// ValidateConfiguration ensures all required fields are set with valid values.
// Returns a non-nil error when the Admission must not be used to serve requests;
// the exact checks are not visible in this outline.
func (a *Admission) ValidateConfiguration() error {}

// namespacesResource is presumably the GroupResource Validate matches to dispatch to
// ValidateNamespace (value not shown in this outline; confirm).
var namespacesResource

// podsResource is presumably the GroupResource Validate matches to dispatch to
// ValidatePod (value not shown in this outline; confirm).
var podsResource

// Validate admits an API request.
// The objects in admission attributes are expected to be external v1 objects that we care about.
// The returned response may be shared and must not be mutated.
// Body not shown in this outline; presumably dispatches on the request's resource to
// ValidateNamespace, ValidatePod or ValidatePodController (all three share this
// signature) — confirm, including what is returned for resources none of them handle.
func (a *Admission) Validate(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse {}

// ValidateNamespace evaluates a namespace create or update request to ensure the pod security labels are valid,
// and checks existing pods in the namespace for violations of the new policy when updating the enforce level on a namespace.
// The returned response may be shared between evaluations and must not be mutated.
// NOTE(review): the existing-pod check is presumably performed by EvaluatePodsInNamespace
// and bounded by defaultNamespaceMaxPodsToCheck / defaultNamespacePodCheckTimeout, so the
// warnings it yields may be incomplete for large namespaces — confirm against the body.
func (a *Admission) ValidateNamespace(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse {}

// ignoredPodSubresources lists pod subresources that ValidatePod presumably skips
// (value not shown in this outline; confirm the list and that it is exact-match).
var ignoredPodSubresources

// ValidatePod evaluates a pod create or update request against the effective policy for the namespace.
// The returned response may be shared between evaluations and must not be mutated.
// Body not shown in this outline; presumably skips subresources in ignoredPodSubresources
// and, for updates, only re-evaluates when isSignificantPodUpdate reports a relevant
// change — confirm.
func (a *Admission) ValidatePod(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse {}

// ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace.
// The returned response may be shared between evaluations and must not be mutated.
// Body not shown in this outline; the pod template is presumably obtained through the
// configured PodSpecExtractor (HasPodSpec / ExtractPodSpec) before calling EvaluatePod —
// confirm, including the value passed for EvaluatePod's enforce parameter.
func (a *Admission) ValidatePodController(ctx context.Context, attrs api.Attributes) *admissionv1.AdmissionResponse {}

// EvaluatePod evaluates the given policy against the given pod(-like) object.
// The enforce policy is only checked if enforce=true.
// The returned response may be shared between evaluations and must not be mutated.
//
// nsPolicy is the effective policy for the namespace and nsPolicyErr any error from
// deriving it (presumably the field.ErrorList from PolicyToEvaluate — confirm);
// podMetadata and podSpec are the object under evaluation and attrs the request
// attributes. Body not shown; confirm how a non-nil nsPolicyErr affects the response.
func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, attrs api.Attributes, enforce bool) *admissionv1.AdmissionResponse {}

// podCount is the per-warning value type of the map passed to decoratePodWarnings
// (definition not shown in this outline).
type podCount

// EvaluatePodsInNamespace checks the existing pods in namespace against the given
// enforce level/version and returns a list of strings, presumably warning messages
// decorated by decoratePodWarnings — confirm. Body not shown; presumably lists pods
// via PodLister, orders them with prioritizePods and stops at
// defaultNamespaceMaxPodsToCheck / defaultNamespacePodCheckTimeout, so the result is
// best-effort rather than exhaustive — confirm.
func (a *Admission) EvaluatePodsInNamespace(ctx context.Context, namespace string, enforce api.LevelVersion) []string {}

// decoratePodWarnings prefixes each warning with the names of the pods related to it,
// using podWarningsToCount. There is no return value, so any result must be written
// through the warnings slice (or the map) in place — body not shown; confirm.
func decoratePodWarnings(podWarningsToCount map[string]podCount, warnings []string) {}

// PolicyToEvaluate derives the effective pod security policy from a namespace's labels.
// The returned field.ErrorList reports invalid label values. Body not shown; confirm
// which defaults apply for missing labels and that an invalid level or version does not
// silently resolve to a more permissive policy.
func (a *Admission) PolicyToEvaluate(labels map[string]string) (api.Policy, field.ErrorList) {}

// isSignificantPodUpdate determines whether a pod update should trigger a policy evaluation.
// Relevant mutable pod fields as of 1.21 are image annotations:
// * https://github.com/kubernetes/kubernetes/blob/release-1.21/pkg/apis/core/validation/validation.go#L3947-L3949
// Body not shown; presumably compares pod against oldPod container by container via
// isSignificantContainerUpdate — confirm. NOTE(review): if the set of mutable pod fields
// grows in later releases, this check must be revisited or updates could bypass evaluation.
func isSignificantPodUpdate(pod, oldPod *corev1.Pod) bool {}

// isSignificantContainerUpdate determines whether a container update should trigger a policy evaluation.
// Body not shown; per the note on isSignificantPodUpdate, the comparison presumably
// covers the image-related fields — confirm.
func isSignificantContainerUpdate(container, oldContainer *corev1.Container) bool {}

// exemptNamespace reports whether namespace is on the configured exemption list, in
// which case policy evaluation is presumably skipped entirely. Body not shown; confirm
// the comparison is exact-match (see containsString) rather than prefix or glob.
func (a *Admission) exemptNamespace(namespace string) bool {}

// exemptUser reports whether the requesting username is on the configured exemption
// list. Body not shown; confirm the comparison is exact-match and case-sensitive.
func (a *Admission) exemptUser(username string) bool {}

// exemptRuntimeClass reports whether the pod's runtime class is on the configured
// exemption list. runtimeClass may be nil (no runtime class set); body not shown —
// confirm that nil is treated as not exempt.
func (a *Admission) exemptRuntimeClass(runtimeClass *string) bool {}

// Filter and prioritize pods based on runtimeclass and uniqueness of the controller respectively for evaluation.
// The input slice is modified in place and should not be reused.
// The returned slice may therefore alias the input's backing array. Body not shown;
// the runtime-class filter presumably uses exemptRuntimeClass — confirm.
func (a *Admission) prioritizePods(pods []*corev1.Pod) []*corev1.Pod {}

// containsString reports whether needle appears in haystack. Body not shown; on Go 1.21+
// this is equivalent to slices.Contains(haystack, needle) (note the reversed argument
// order).
func containsString(needle string, haystack []string) bool {}

// exemptNamespaceWarning returns a non-empty warning message if the exempt namespace has a
// non-privileged policy and sets pod security labels.
// exemptNamespace is the namespace name, policy its effective policy (presumably from
// PolicyToEvaluate — confirm) and nsLabels the namespace's labels. An empty return
// means no warning.
func (a *Admission) exemptNamespaceWarning(exemptNamespace string, policy api.Policy, nsLabels map[string]string) string {}