Documentation
Constants ¶
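const (
	// RequiredPlugins is the annotation key for extra required plugins.
	// It is an alias for plugin.RequiredPluginsAnnotation, so the literal key
	// string is defined in the plugin package rather than here.
	//
	// NOTE(review): "extra" presumably means plugins required in addition to
	// the global DefaultValidatorConfig.RequiredPlugins list; confirm against
	// the validator implementation.
	RequiredPlugins = plugin.RequiredPluginsAnnotation
)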
Variables ¶
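var (
	// ErrValidation is returned if validation rejects an adjustment.
	//
	// It is a sentinel error: compare with errors.Is(err, ErrValidation)
	// rather than matching on the message text, so that a rejection is still
	// recognised if the validator wraps it with additional context.
	// NOTE(review): whether it is returned wrapped is not visible here.
	ErrValidation = errors.New("validation error")
)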
Functions ¶
This section is empty.
Types ¶
type DefaultValidator ¶
type DefaultValidator struct {
// contains filtered or unexported fields
}
DefaultValidator implements default validation.
func NewDefaultValidator ¶
func NewDefaultValidator(cfg *DefaultValidatorConfig) *DefaultValidator
NewDefaultValidator creates a new instance of the validator.
func (*DefaultValidator) SetConfig ¶
func (v *DefaultValidator) SetConfig(cfg *DefaultValidatorConfig)
SetConfig sets new configuration for the validator.
func (*DefaultValidator) ValidateContainerAdjustment ¶
func (v *DefaultValidator) ValidateContainerAdjustment(ctx context.Context, req *api.ValidateContainerAdjustmentRequest) error
ValidateContainerAdjustment validates a container adjustment.
type DefaultValidatorConfig ¶
// DefaultValidatorConfig is the configuration for the default validator plugin.
//
// Every Reject* option is a plain bool, so its Go zero value is false: a key
// that is absent from the YAML/TOML input leaves that check switched off
// unless defaults are applied elsewhere (not visible here). Note that the
// YAML keys are camelCase while the TOML keys are snake_case.
// NOTE(review): confirm that the config loader rejects unknown keys;
// otherwise a misspelled key would silently leave a restriction disabled.
type DefaultValidatorConfig struct {
	// Enable the default validator plugin.
	// With the zero value (false) the validator is not enabled, so none of
	// the restrictions below take effect.
	Enable bool `yaml:"enable" toml:"enable"`
	// RejectOCIHookAdjustment fails validation if OCI hooks are adjusted.
	// OCI hooks are executables the runtime invokes at container lifecycle
	// points, which is why injecting them is commonly restricted.
	RejectOCIHookAdjustment bool `yaml:"rejectOCIHookAdjustment" toml:"reject_oci_hook_adjustment"`
	// RejectRuntimeDefaultSeccompAdjustment fails validation if a runtime default seccomp
	// policy is adjusted.
	RejectRuntimeDefaultSeccompAdjustment bool `yaml:"rejectRuntimeDefaultSeccompAdjustment" toml:"reject_runtime_default_seccomp_adjustment"`
	// RejectUnconfinedSeccompAdjustment fails validation if an unconfined seccomp policy is
	// adjusted.
	RejectUnconfinedSeccompAdjustment bool `yaml:"rejectUnconfinedSeccompAdjustment" toml:"reject_unconfined_seccomp_adjustment"`
	// RejectCustomSeccompAdjustment fails validation if a custom seccomp policy (aka LOCALHOST)
	// is adjusted.
	// NOTE(review): the three seccomp options are independent switches,
	// presumably selected by the container's seccomp profile type; to block
	// seccomp adjustment in every case, all three have to be set.
	RejectCustomSeccompAdjustment bool `yaml:"rejectCustomSeccompAdjustment" toml:"reject_custom_seccomp_adjustment"`
	// RejectNamespaceAdjustment fails validation if any plugin adjusts Linux namespaces.
	RejectNamespaceAdjustment bool `yaml:"rejectNamespaceAdjustment" toml:"reject_namespace_adjustment"`
	// RejectSysctlAdjustment fails validation if any plugin adjusts sysctls.
	RejectSysctlAdjustment bool `yaml:"rejectSysctlAdjustment" toml:"reject_sysctl_adjustment"`
	// RequiredPlugins lists globally required plugins. These must be present
	// or otherwise validation will fail.
	// WARNING: This is a global setting and will affect all containers. In
	// particular, if you configure any globally required plugins, you should
	// annotate your static pods to tolerate missing plugins. Failing to do
	// so will prevent static pods from starting.
	// Notes:
	// Containers can be annotated to tolerate missing plugins using the
	// toleration annotation, if one is set (see TolerateMissingAnnotation).
	RequiredPlugins []string `yaml:"requiredPlugins" toml:"required_plugins"`
	// TolerateMissingAnnotation is an optional annotation key. If set, it can
	// be used to annotate containers to tolerate missing required plugins.
	// The configuration keys for this field are tolerateMissingPluginsAnnotation
	// (YAML) and tolerate_missing_plugins_annotation (TOML).
	// NOTE(review): a container carrying this annotation is exempted from the
	// RequiredPlugins check, so the ability to set it should be limited to
	// workloads that are meant to opt out; leaving the key empty presumably
	// disables the opt-out entirely — confirm in the validator.
	TolerateMissingAnnotation string `yaml:"tolerateMissingPluginsAnnotation" toml:"tolerate_missing_plugins_annotation"`
}
DefaultValidatorConfig is the configuration for the default validator plugin.