admissionwebhook

package
v0.1.21
Published: Mar 28, 2026 License: MIT Imports: 22 Imported by: 0

Documentation

Overview

Package admissionwebhook provides a shared library for validating Kubernetes resources by calling admission webhooks (e.g., Kyverno, OPA Gatekeeper).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func FormatResourceKey

func FormatResourceKey(meta ResourceMetadata) string

FormatResourceKey returns a human-readable key for error messages.

func MatchesAny

func MatchesAny(patterns []string, value string) bool

MatchesAny returns true if value matches any pattern, where "*" is a wildcard.

func NewUID

func NewUID() string

NewUID generates a random UUID for AdmissionReview requests.

func ParseAPIVersion

func ParseAPIVersion(apiVersion string) (group, version string)

ParseAPIVersion splits "apps/v1" into ("apps", "v1") or "v1" into ("", "v1").

func ParseResourceType

func ParseResourceType(rt api.ResourceType) (apiVersion, kind string)

ParseResourceType splits "apps/v1/Deployment" -> ("apps/v1", "Deployment"). For core types: "v1/Pod" -> ("v1", "Pod").

func ValidateResources

func ValidateResources(
	client *WebhookClient,
	webhooks []WebhookEndpoint,
	rp yamlkit.ResourceProvider,
	parsedData gaby.Container,
	converter ResponseConverter,
) (gaby.Container, any, error)

ValidateResources uses VisitResources to iterate over parsed K8s resources, match against webhooks, call them, and aggregate into a ValidationResult.

Types

type AdmissionRequest

type AdmissionRequest struct {
	UID             string                `json:"uid"`
	Kind            GroupVersionKind      `json:"kind"`
	Resource        GroupVersionResource  `json:"resource"`
	RequestKind     *GroupVersionKind     `json:"requestKind,omitempty"`
	RequestResource *GroupVersionResource `json:"requestResource,omitempty"`
	Namespace       string                `json:"namespace"`
	Name            string                `json:"name"`
	Operation       string                `json:"operation"`
	Object          json.RawMessage       `json:"object"`
	DryRun          *bool                 `json:"dryRun,omitempty"`
	UserInfo        UserInfo              `json:"userInfo"`
}

AdmissionRequest contains the request details for an AdmissionReview.

type AdmissionResponse

type AdmissionResponse struct {
	UID      string   `json:"uid"`
	Allowed  bool     `json:"allowed"`
	Status   *Status  `json:"status,omitempty"`
	Warnings []string `json:"warnings,omitempty"`
}

AdmissionResponse contains the response from a webhook.

type AdmissionReview

type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

AdmissionReview is a minimal local definition to avoid pulling in k8s.io/api.

type GroupVersionKind

type GroupVersionKind struct {
	Group   string `json:"group"`
	Version string `json:"version"`
	Kind    string `json:"kind"`
}

GroupVersionKind identifies a Kubernetes resource kind.

type GroupVersionResource

type GroupVersionResource struct {
	Group    string `json:"group"`
	Version  string `json:"version"`
	Resource string `json:"resource"`
}

GroupVersionResource identifies a Kubernetes resource type.

type K8sDiscoveryClient

type K8sDiscoveryClient struct {
	// contains filtered or unexported fields
}

K8sDiscoveryClient manages connections to the K8s API for VWC discovery.

func NewK8sDiscoveryClient

func NewK8sDiscoveryClient() (*K8sDiscoveryClient, error)

NewK8sDiscoveryClient creates a client using in-cluster config or kubeconfig. It first tries in-cluster config (service account token + CA cert), then falls back to the default kubeconfig file.

func NewK8sDiscoveryClientForTesting

func NewK8sDiscoveryClientForTesting(httpClient *http.Client, apiHost, token string) *K8sDiscoveryClient

NewK8sDiscoveryClientForTesting creates a discovery client for testing.

func (*K8sDiscoveryClient) DiscoverWebhooks

func (c *K8sDiscoveryClient) DiscoverWebhooks(selector WebhookSelector) ([]WebhookEndpoint, error)

DiscoverWebhooks queries the K8s API for VWCs matching the selector.

type ResourceMetadata

type ResourceMetadata struct {
	Kind       string
	APIVersion string
	Name       string
	Namespace  string
	Group      string
	Version    string
	Resource   string
}

ResourceMetadata holds parsed K8s metadata for building AdmissionReview.

func ParseResourceMetadataFromResourceInfo

func ParseResourceMetadataFromResourceInfo(info *api.ResourceInfo) ResourceMetadata

ParseResourceMetadataFromResourceInfo derives metadata from ResourceInfo:
ResourceType="apps/v1/Deployment" -> apiVersion="apps/v1", kind="Deployment"
ResourceName="default/my-deploy" -> namespace="default", name="my-deploy"
Cluster-scoped resources have namespace="".

type ResponseConverter

type ResponseConverter func(resp *AdmissionResponse, resourceInfo api.ResourceInfo) (details []string, failedAttrs []api.AttributeValue)

ResponseConverter converts an AdmissionResponse for a resource into validation details and failed attributes.

type Status

type Status struct {
	Message string `json:"message"`
	Status  string `json:"status"`
}

Status contains the status message from an admission response.

type UserInfo

type UserInfo struct {
	Username string `json:"username"`
}

UserInfo contains the user information for an admission request.

type VWCClientConfig

type VWCClientConfig struct {
	Service *VWCServiceRef `json:"service"`
}

VWCClientConfig contains the client configuration for a webhook.

type VWCItem

type VWCItem struct {
	Metadata VWCMetadata  `json:"metadata"`
	Webhooks []VWCWebhook `json:"webhooks"`
}

VWCItem represents a ValidatingWebhookConfiguration.

type VWCList

type VWCList struct {
	Items []VWCItem `json:"items"`
}

VWCList is a list of ValidatingWebhookConfigurations.

type VWCMetadata

type VWCMetadata struct {
	Name string `json:"name"`
}

VWCMetadata contains metadata for a VWC.

type VWCServiceRef

type VWCServiceRef struct {
	Path *string `json:"path"`
}

VWCServiceRef references a service for a webhook.

type VWCWebhook

type VWCWebhook struct {
	Name         string            `json:"name"`
	ClientConfig VWCClientConfig   `json:"clientConfig"`
	Rules        []WebhookRuleSpec `json:"rules"`
}

VWCWebhook represents a single webhook within a VWC.

type WebhookClient

type WebhookClient struct {
	// contains filtered or unexported fields
}

WebhookClient sends AdmissionReview requests to a webhook endpoint.

func NewWebhookClient

func NewWebhookClient(urlEnv, caCertPathEnv, skipTLSVerifyEnv string) (*WebhookClient, error)

NewWebhookClient creates a new WebhookClient from environment variables; the arguments name the variables that supply the webhook base URL, the CA certificate path, and the skip-TLS-verify setting.

func NewWebhookClientForTesting

func NewWebhookClientForTesting(httpClient *http.Client, baseURL string) *WebhookClient

NewWebhookClientForTesting creates a WebhookClient with a custom HTTP client and base URL, suitable for tests using httptest.Server.

func (*WebhookClient) CallWebhook

func (c *WebhookClient) CallWebhook(path string, reviewJSON []byte) (*AdmissionResponse, error)

CallWebhook sends an AdmissionReview to a specific webhook path and returns the response.

type WebhookClientConfig

type WebhookClientConfig struct {
	BaseURL       string
	CACertPath    string
	SkipTLSVerify bool
}

WebhookClientConfig contains the configuration for creating a WebhookClient.
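The following is an added example, not code from this package, of what WebhookClientConfig and CallWebhook describe: an HTTPS client that trusts a supplied CA certificate, an AdmissionReview posted to a webhook path, and the returned response half handed back to the caller. The policy server (fakeWebhook), the Pod manifest, the UID and HTTP status checks in callWebhook, and the names newHTTPClient, callWebhook and reviewPod are all constructed for this example; the page does not say that CallWebhook performs those checks.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Minimal AdmissionReview shapes: the documented types trimmed to the fields used here.
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type Status struct {
	Message string `json:"message"`
	Status  string `json:"status"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

// newHTTPClient trusts only the CA certificates in caPEM (what CACertPath would be read
// into). It never sets InsecureSkipVerify, the setting SkipTLSVerify implies, which would
// make the client accept any certificate the network returns.
func newHTTPClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no certificates parsed from CA PEM")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// callWebhook posts an AdmissionReview to baseURL+path and returns the response half,
// rejecting replies that do not echo the request UID.
func callWebhook(client *http.Client, baseURL, path string, review AdmissionReview) (*AdmissionResponse, error) {
	body, err := json.Marshal(review)
	if err != nil {
		return nil, err
	}
	resp, err := client.Post(baseURL+path, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("webhook returned HTTP %d", resp.StatusCode)
	}
	var out AdmissionReview
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	if out.Response == nil || out.Response.UID != review.Request.UID {
		return nil, fmt.Errorf("response missing or UID mismatch")
	}
	return out.Response, nil
}

// fakeWebhook is a constructed stand-in for a policy engine: it denies Pods that
// request hostNetwork and allows everything else.
func fakeWebhook(w http.ResponseWriter, r *http.Request) {
	var in AdmissionReview
	if err := json.NewDecoder(r.Body).Decode(&in); err != nil || in.Request == nil {
		http.Error(w, "bad AdmissionReview", http.StatusBadRequest)
		return
	}
	var pod struct {
		Kind string `json:"kind"`
		Spec struct{ HostNetwork bool `json:"hostNetwork"` } `json:"spec"`
	}
	_ = json.Unmarshal(in.Request.Object, &pod)
	out := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	if pod.Kind == "Pod" && pod.Spec.HostNetwork {
		out.Allowed = false
		out.Status = &Status{Status: "Failure", Message: "hostNetwork is not permitted"}
	}
	json.NewEncoder(w).Encode(AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: out})
}

// reviewPod serves fakeWebhook on an httptest TLS listener and calls it with a constructed
// Pod manifest, using the listener's own certificate as the trusted CA.
func reviewPod(hostNetwork bool) (*AdmissionResponse, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(fakeWebhook))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := newHTTPClient(caPEM)
	if err != nil {
		return nil, err
	}
	obj := fmt.Sprintf(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"demo"},"spec":{"hostNetwork":%t}}`, hostNetwork)
	req := &AdmissionRequest{UID: "example-uid-1", Object: json.RawMessage(obj)}
	review := AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Request: req}
	return callWebhook(client, srv.URL, "/validate", review)
}
```

Calling reviewPod(true) yields a denied response carrying the policy message, and reviewPod(false) an allowed one. The client is built from a CA pool rather than by disabling verification: a client-side validator that skips TLS verification will accept a verdict from whoever answers on the webhook's address, so SkipTLSVerify belongs in local tests only.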

type WebhookEndpoint

type WebhookEndpoint struct {
	Name  string
	Path  string
	Rules []WebhookRuleSpec
}

WebhookEndpoint represents a discovered webhook with its path and matching rules.

func ParseWebhookEndpoints

func ParseWebhookEndpoints(list VWCList, selector WebhookSelector) []WebhookEndpoint

ParseWebhookEndpoints extracts webhook endpoints from a VWC list, filtering by the selector's ConfigNames.

func (*WebhookEndpoint) MatchesResource

func (e *WebhookEndpoint) MatchesResource(group, version, resource, operation string) bool

MatchesResource checks if this webhook should be called for the given resource.

type WebhookRuleSpec

type WebhookRuleSpec struct {
	APIGroups   []string `json:"apiGroups"`
	APIVersions []string `json:"apiVersions"`
	Operations  []string `json:"operations"`
	Resources   []string `json:"resources"`
}

WebhookRuleSpec defines which resources a webhook handles.
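The wildcard matching in MatchesAny, the apiVersion split in ParseAPIVersion and the rule evaluation in MatchesResource, re-implemented below as a stand-alone example. This is added code, not the package's own: it assumes the usual Kubernetes rule semantics (a rule matches only when all four of its axes match, and an endpoint matches when any of its rules does), and the endpoint list plus the selectWebhooks and sampleEndpoints helpers are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// WebhookRuleSpec and WebhookEndpoint mirror the types documented on this page.
type WebhookRuleSpec struct {
	APIGroups   []string `json:"apiGroups"`
	APIVersions []string `json:"apiVersions"`
	Operations  []string `json:"operations"`
	Resources   []string `json:"resources"`
}

type WebhookEndpoint struct {
	Name  string
	Path  string
	Rules []WebhookRuleSpec
}

// parseAPIVersion splits "apps/v1" into ("apps", "v1"); a bare "v1" is the core
// group and comes back as ("", "v1").
func parseAPIVersion(apiVersion string) (group, version string) {
	if i := strings.IndexByte(apiVersion, '/'); i >= 0 {
		return apiVersion[:i], apiVersion[i+1:]
	}
	return "", apiVersion
}

// matchesAny reports whether value equals any pattern, with "*" matching anything.
// The core group is the empty string, so a rule has to list "" (or "*") explicitly
// to cover Pods, Services and the other core resources.
func matchesAny(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == "*" || p == value {
			return true
		}
	}
	return false
}

// matchesResource applies the assumed semantics of the documented MatchesResource:
// each rule is a conjunction over its four axes, and the endpoint matches when any
// one rule matches.
func matchesResource(e WebhookEndpoint, group, version, resource, operation string) bool {
	for _, r := range e.Rules {
		if matchesAny(r.APIGroups, group) &&
			matchesAny(r.APIVersions, version) &&
			matchesAny(r.Resources, resource) &&
			matchesAny(r.Operations, operation) {
			return true
		}
	}
	return false
}

// selectWebhooks returns, in discovery order, the names of the endpoints that must
// be consulted for one resource given its apiVersion, plural resource name and
// admission operation.
func selectWebhooks(endpoints []WebhookEndpoint, apiVersion, resource, operation string) []string {
	group, version := parseAPIVersion(apiVersion)
	var names []string
	for _, e := range endpoints {
		if matchesResource(e, group, version, resource, operation) {
			names = append(names, e.Name)
		}
	}
	return names
}

// sampleEndpoints is constructed data standing in for what DiscoverWebhooks would
// return: a Deployment-only policy, a core-group Pod policy, and a catch-all.
func sampleEndpoints() []WebhookEndpoint {
	return []WebhookEndpoint{
		{Name: "deploy-policy", Path: "/validate-deployments", Rules: []WebhookRuleSpec{{
			APIGroups: []string{"apps"}, APIVersions: []string{"v1"},
			Resources: []string{"deployments"}, Operations: []string{"CREATE", "UPDATE"},
		}}},
		{Name: "pod-policy", Path: "/validate-pods", Rules: []WebhookRuleSpec{{
			APIGroups: []string{""}, APIVersions: []string{"v1"},
			Resources: []string{"pods"}, Operations: []string{"CREATE"},
		}}},
		{Name: "catch-all", Path: "/validate", Rules: []WebhookRuleSpec{{
			APIGroups: []string{"*"}, APIVersions: []string{"*"},
			Resources: []string{"*"}, Operations: []string{"*"},
		}}},
	}
}

func main() {
	eps := sampleEndpoints()
	for _, in := range [][3]string{
		{"apps/v1", "deployments", "CREATE"},
		{"v1", "pods", "CREATE"},
		{"v1", "pods", "DELETE"},
		{"batch/v1", "jobs", "CREATE"},
	} {
		fmt.Printf("%-8s %-12s %-6s -> %v\n", in[0], in[1], in[2], selectWebhooks(eps, in[0], in[1], in[2]))
	}
}
```

The DELETE case is the one worth noticing: pod-policy lists only CREATE, so a Pod deletion reaches the catch-all alone. A webhook whose rules omit an operation, version or the "" core group is silently skipped for that resource, which is exactly the kind of gap this selection logic makes visible before a request is sent.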

type WebhookSelector

type WebhookSelector struct {
	LabelSelector string
	ConfigNames   []string
}

WebhookSelector defines criteria for filtering ValidatingWebhookConfigurations.

type WebhookWatcher

type WebhookWatcher struct {
	// contains filtered or unexported fields
}

WebhookWatcher watches for VWC updates via K8s watch API.

func NewWebhookWatcher

func NewWebhookWatcher(client *K8sDiscoveryClient, selector WebhookSelector) *WebhookWatcher

NewWebhookWatcher creates a new watcher that keeps webhook endpoints up to date.

func (*WebhookWatcher) GetEndpoints

func (w *WebhookWatcher) GetEndpoints() []WebhookEndpoint

GetEndpoints returns the current set of webhook endpoints (thread-safe).

func (*WebhookWatcher) Start

func (w *WebhookWatcher) Start(ctx context.Context) error

Start performs an initial list and then watches for updates in a background goroutine. It blocks until the initial list completes, then returns.
