Documentation
Index
- Constants
- func BuildRequestType() *apiservercel.DeclType
- func CreateAdmissionRequest(attr admission.Attributes) *admissionv1.AdmissionRequest
- type CompilationResult
- type EvaluationResult
- type ExpressionAccessor
- type Filter
- type FilterCompiler
- type OptionalVariableBindings
- type OptionalVariableDeclarations
Constants
const (
	ObjectVarName                    = "object"
	OldObjectVarName                 = "oldObject"
	ParamsVarName                    = "params"
	RequestVarName                   = "request"
	AuthorizerVarName                = "authorizer"
	RequestResourceAuthorizerVarName = "authorizer.requestResource"
)
Variables
This section is empty.
Functions
func BuildRequestType
func BuildRequestType() *apiservercel.DeclType
BuildRequestType generates a DeclType for AdmissionRequest. This may be replaced with a utility that converts the native type definition to apiservercel.DeclType once such a utility becomes available. The 'uid' field is omitted since it is not needed for in-process admission review. The 'object' and 'oldObject' fields are omitted since they are exposed as root level CEL variables.
func CreateAdmissionRequest
func CreateAdmissionRequest(attr admission.Attributes) *admissionv1.AdmissionRequest
Types
type CompilationResult
type CompilationResult struct {
	Program            cel.Program
	Error              *apiservercel.Error
	ExpressionAccessor ExpressionAccessor
}
CompilationResult represents a compiled validation expression.
func CompileCELExpression
func CompileCELExpression(expressionAccessor ExpressionAccessor, optionalVars OptionalVariableDeclarations, perCallLimit uint64) CompilationResult
CompileCELExpression returns a compiled CEL expression. perCallLimit was added for testing purposes only. Callers should always use const PerCallLimit from k8s.io/apiserver/pkg/apis/cel/config.go as input.
type EvaluationResult
type EvaluationResult struct {
	EvalResult         ref.Val
	ExpressionAccessor ExpressionAccessor
	Elapsed            time.Duration
	Error              error
}
EvaluationResult contains the minimal required fields and metadata of a CEL evaluation.
type ExpressionAccessor
type ExpressionAccessor interface {
	GetExpression() string
	ReturnTypes() []*cel.Type
}
type Filter
type Filter interface {
	// ForInput converts compiled CEL-typed values into evaluated CEL-typed values.
	// runtimeCELCostBudget was added for testing purposes only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	// If cost budget is calculated, the filter should return the remaining budget.
	ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *v1.AdmissionRequest, optionalVars OptionalVariableBindings, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error)
	// CompilationErrors returns a list of errors from the compilation of the evaluator.
	CompilationErrors() []error
}
Filter contains a function to evaluate compiled CEL-typed values. It expects the inbound object to already have been converted to the version expected by the underlying CEL code (which is indicated by the match criteria of a policy definition). versionedParams may be nil.
type FilterCompiler
type FilterCompiler interface {
	// Compile is used for the CEL expression compilation.
	// perCallLimit was added for testing purposes only. Callers should always use const PerCallLimit from k8s.io/apiserver/pkg/apis/cel/config.go as input.
	Compile(expressions []ExpressionAccessor, optionalDecls OptionalVariableDeclarations, perCallLimit uint64) Filter
}
FilterCompiler contains a function to assist with converting types and values to/from CEL-typed values.
func NewFilterCompiler
func NewFilterCompiler() FilterCompiler
type OptionalVariableBindings
type OptionalVariableBindings struct {
	// VersionedParams provides the "params" variable binding. This variable binding may
	// be set to nil even when OptionalVariableDeclarations.HasParams is set to true.
	VersionedParams runtime.Object
	// Authorizer provides the authorizer used for the "authorizer" and
	// "authorizer.requestResource" variable bindings. If the expression was compiled with
	// OptionalVariableDeclarations.HasAuthorizer set to true this must be non-nil.
	Authorizer authorizer.Authorizer
}
OptionalVariableBindings provides expression bindings for optional CEL variables.
type OptionalVariableDeclarations
type OptionalVariableDeclarations struct {
	// HasParams specifies if the "params" variable is declared.
	// The "params" variable may still be bound to "null" when declared.
	HasParams bool
	// HasAuthorizer specifies if the "authorizer" and "authorizer.requestResource"
	// variables are declared. When declared, the authorizer variables are
	// expected to be non-null.
	HasAuthorizer bool
}
OptionalVariableDeclarations declares which optional CEL variables are declared for an expression.