client

package
v0.0.0-...-46c65af Latest
Warning

This package is not in the latest version of its module.

Published: Jan 20, 2026 License: Apache-2.0 Imports: 24 Imported by: 160

Documentation

Overview

Package client provides the main client for interacting with the constraint framework.

Constants

This section is empty.

Variables

var (
	// ErrCreatingBackend indicates a failure to create a backend.
	ErrCreatingBackend = errors.New("unable to create backend")
	// ErrNoDriverName indicates a driver was provided without a name.
	ErrNoDriverName = errors.New("driver has no name")
	// ErrNoReferentialDriver indicates no referential driver was configured.
	ErrNoReferentialDriver = errors.New("no driver that supports referential constraints added")
	// ErrDuplicateDriver indicates multiple drivers with the same name were added.
	ErrDuplicateDriver = errors.New("duplicate drivers of the same name")
	// ErrCreatingClient indicates a failure to create a client.
	ErrCreatingClient = errors.New("unable to create client")
	// ErrMissingConstraint indicates a required constraint is missing.
	ErrMissingConstraint = errors.New("missing Constraint")
	// ErrMissingConstraintTemplate indicates a required constraint template is missing.
	ErrMissingConstraintTemplate = errors.New("missing ConstraintTemplate")
	// ErrInvalidModule indicates an invalid Rego module.
	ErrInvalidModule = errors.New("invalid module")
	// ErrReview indicates a failure during target review handling.
	ErrReview = errors.New("target.HandleReview failed")
	// ErrUnsupportedEnforcementPoints indicates unsupported enforcement points.
	ErrUnsupportedEnforcementPoints = errors.New("enforcement point not supported by client")
)

Client error variables.

Functions

func IsUnrecognizedConstraintError deprecated

func IsUnrecognizedConstraintError(err error) bool

IsUnrecognizedConstraintError returns true if err is an ErrMissingConstraint.

Deprecated: Use errors.Is(err, ErrMissingConstraint) instead.

Types

type ARGetter

type ARGetter interface {
	GetAdmissionRequest() *admissionv1.AdmissionRequest
}

ARGetter is an interface for getting an AdmissionRequest.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client tracks ConstraintTemplates and Constraints for a set of Targets. Allows validating reviews against Constraints.

Client is thread-safe, but it does not support concurrent mutation operations.

Note that adding per-identifier locking would not fix this completely: the thread for the first-sent call could be put to sleep while the second is allowed to continue running. Thus, this problem can only safely be handled by the caller.
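
One way for a caller to impose the ordering the note above asks for, as an added example that is not part of the package. fakeClient and orderedMutator are hypothetical stand-ins with simplified signatures; the real AddConstraint and RemoveConstraint take a context and an *unstructured.Unstructured and return *types.Responses.

```go
package main

import "fmt"

// fakeClient is a constructed stand-in for *client.Client; the real mutators
// take (ctx, *unstructured.Unstructured) and return (*types.Responses, error).
type fakeClient struct{ installed map[string]bool }

func (f *fakeClient) AddConstraint(name string) error {
	f.installed[name] = true
	return nil
}
func (f *fakeClient) RemoveConstraint(name string) error {
	delete(f.installed, name)
	return nil
}

// orderedMutator (hypothetical helper) funnels all mutations through one
// goroutine, so they never overlap and run in the order submit was called.
type orderedMutator chan func()

func newOrderedMutator() orderedMutator {
	q := make(orderedMutator, 16)
	go func() {
		for apply := range q {
			apply()
		}
	}()
	return q
}

// submit queues one mutation; the returned channel yields its result.
func (q orderedMutator) submit(mutate func(string) error, name string) <-chan error {
	done := make(chan error, 1)
	q <- func() { done <- mutate(name) }
	return done
}

// replay issues add, remove, add for one constraint and reports its final state.
func replay() (bool, error) {
	c := &fakeClient{installed: map[string]bool{}}
	q := newOrderedMutator()
	defer close(q)
	q.submit(c.AddConstraint, "ns-must-have-owner")
	q.submit(c.RemoveConstraint, "ns-must-have-owner")
	err := <-q.submit(c.AddConstraint, "ns-must-have-owner")
	return c.installed["ns-must-have-owner"], err
}

func main() { fmt.Println(replay()) }
```

Callers on several goroutines still have to agree on the order in which they call submit; the queue only guarantees that the client sees mutations one at a time, in that order.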

func NewClient

func NewClient(opts ...Opt) (*Client, error)

NewClient creates a new client.

func (*Client) AddConstraint

func (c *Client) AddConstraint(ctx context.Context, constraint *unstructured.Unstructured) (*types.Responses, error)

AddConstraint validates the constraint and, if valid, inserts it into OPA. On error, the responses return value will still be populated so that partial results can be analyzed.

func (*Client) AddData

func (c *Client) AddData(ctx context.Context, data interface{}) (*types.Responses, error)

AddData inserts the provided data into OPA for every target that can handle the data. On error, the responses return value will still be populated so that partial results can be analyzed.

func (*Client) AddTemplate

func (c *Client) AddTemplate(ctx context.Context, templ *templates.ConstraintTemplate) (*types.Responses, error)

AddTemplate adds the template source code to OPA and registers the CRD with the client for schema validation on calls to AddConstraint. On error, the responses return value will still be populated so that partial results can be analyzed.

func (*Client) CreateCRD

CreateCRD creates a CRD from template.

func (*Client) Dump

func (c *Client) Dump(ctx context.Context) (string, error)

Dump dumps the state of OPA to aid in debugging.

func (*Client) GetConstraint

func (c *Client) GetConstraint(constraint *unstructured.Unstructured) (*unstructured.Unstructured, error)

GetConstraint gets the currently recognized constraint.

func (*Client) GetDescriptionForStat

func (c *Client) GetDescriptionForStat(source instrumentation.Source, statName string) string

GetDescriptionForStat returns a human-readable description for a given stat name.

func (*Client) GetTemplate

GetTemplate gets the currently recognized template.

func (*Client) RemoveConstraint

func (c *Client) RemoveConstraint(ctx context.Context, constraint *unstructured.Unstructured) (*types.Responses, error)

RemoveConstraint removes a constraint from OPA. On error, the responses return value will still be populated so that partial results can be analyzed.

func (*Client) RemoveData

func (c *Client) RemoveData(ctx context.Context, data interface{}) (*types.Responses, error)

RemoveData removes data from OPA for every target that can handle the data. On error, the responses return value will still be populated so that partial results can be analyzed.

func (*Client) RemoveTemplate

func (c *Client) RemoveTemplate(ctx context.Context, templ *templates.ConstraintTemplate) (*types.Responses, error)

RemoveTemplate removes the template source code from OPA and removes the CRD from the validation registry. Any constraints relying on the template will also be removed. On error, the responses return value will still be populated so that partial results can be analyzed.

func (*Client) Review

func (c *Client) Review(ctx context.Context, obj interface{}, opts ...reviews.ReviewOpt) (*types.Responses, error)

Review makes sure the provided object satisfies constraints applicable for specific enforcement points. On error, the responses return value will still be populated so that partial results can be analyzed.

func (*Client) ValidateConstraint

func (c *Client) ValidateConstraint(constraint *unstructured.Unstructured) error

ValidateConstraint returns an error if the constraint is not recognized or does not conform to the registered CRD for that constraint.

type Opt

type Opt func(*Client) error

Opt is a functional option for configuring a Client.

func Driver

func Driver(d drivers.Driver) Opt

Driver defines the Rego execution environment.

func EnforcementPoints

func EnforcementPoints(eps ...string) Opt

EnforcementPoints sets the enforcement points for the client.

func IgnoreNoReferentialDriverWarning

func IgnoreNoReferentialDriverWarning(ignore bool) Opt

IgnoreNoReferentialDriverWarning suppresses the warning when no referential driver is configured.

func Targets

func Targets(ts ...handler.TargetHandler) Opt

Targets defines the targets Client will pass review requests to.

Directories

Path Synopsis
Package clienttest defines a TargetHandler, Templates, and Constraints for documenting and testing the behavior of Client.
cts
Package cts is a set of methods for constructing ConstraintTemplates for use in tests.
Package crds provides utilities for creating and managing constraint CRDs.
Package drivers defines interfaces for policy evaluation drivers.
fake
Package fake provides a fake driver implementation for testing.
fake/schema
Package schema defines the source schema for the fake driver.
rego
Package rego provides the Rego driver for policy evaluation.
rego/schema
Package schema provides Rego driver source schema handling.
Package errors defines error types for constraint operations.
Package reviews provides options and configuration for review queries.
