This is unreleased documentation for Admission Controller 1.34-dev.
Validating policies
The SUSE Security Admission Controller policy server receives one of the following:
- A Kubernetes `AdmissionReview` object from the Kubernetes API server. It then forwards the value of the `request` attribute, of type `AdmissionRequest`, to the policy for evaluation.
- Or, for raw policies, a JSON document with a free-form request document in the `request` attribute. See the raw policies section for details.
The policy evaluates the `request` and indicates whether it should be accepted. When the request is rejected, the policy can provide an explanatory message and an error code to be shown to the end user.
By convention, policy-server guests must expose a function named `validate` through the waPC guest SDK, so that policy-server (the waPC host) can invoke it.
The `validate` function receives a `ValidationRequest` JSON object and returns a `ValidationResponse` JSON object.
The ValidationRequest object
`ValidationRequest` is the JSON object received by the `validate` function.
It looks like this:
```json
{
  "request": <AdmissionReview.request data> | <RawReviewRequest.request data>,
  "settings": {
    # your policy configuration
  }
}
```
The `settings` key points to a free-form JSON document holding the policy-specific settings. The previous chapter focused on policies and settings.
Example
Consider the following Kubernetes `AdmissionReview`:
```json
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "request": {
    # Random uid uniquely identifying this admission call
    "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
    # Fully-qualified group/version/kind of the incoming object
    "kind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    # Fully-qualified group/version/kind of the resource being modified
    "resource": {"group":"apps","version":"v1","resource":"deployments"},
    # subresource, if the request is to a subresource
    "subResource": "scale",
    # Fully-qualified group/version/kind of the incoming object in the original request to the API server.
    # This only differs from `kind` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestKind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    # Fully-qualified group/version/kind of the resource being modified in the original request to the API server.
    # This only differs from `resource` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestResource": {"group":"apps","version":"v1","resource":"deployments"},
    # subresource, if the request is to a subresource
    # This only differs from `subResource` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestSubResource": "scale",
    # Name of the resource being modified
    "name": "my-deployment",
    # Namespace of the resource being modified, if the resource is namespaced (or is a Namespace object)
    "namespace": "my-namespace",
    # operation can be CREATE, UPDATE, DELETE, or CONNECT
    "operation": "UPDATE",
    "userInfo": {
      # Username of the authenticated user making the request to the API server
      "username": "admin",
      # UID of the authenticated user making the request to the API server
      "uid": "014fbff9a07c",
      # Group memberships of the authenticated user making the request to the API server
      "groups": ["system:authenticated","my-admin-group"],
      # Arbitrary extra info associated with the user making the request to the API server.
      # This is populated by the API server authentication layer and should be included
      # if any SubjectAccessReview checks are performed by the webhook.
      "extra": {
        "some-key":["some-value1", "some-value2"]
      }
    },
    # object is the new object being admitted.
    # It is null for DELETE operations.
    "object": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    # oldObject is the existing object.
    # It is null for CREATE and CONNECT operations.
    "oldObject": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    # options contains the options for the operation being admitted, like meta.k8s.io/v1 CreateOptions, UpdateOptions, or DeleteOptions.
    # It is null for CONNECT operations.
    "options": {"apiVersion":"meta.k8s.io/v1","kind":"UpdateOptions",...},
    # dryRun indicates the API request is running in dry run mode and will not be persisted.
    # Webhooks with side effects should avoid actuating those side effects when dryRun is true.
    # See http://k8s.io/docs/reference/using-api/api-concepts/#make-a-dry-run-request for more details.
    "dryRun": false
  }
}
```
The resulting `ValidationRequest` object looks like this:
```json
{
  "request": {
    # Random uid uniquely identifying this admission call
    "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
    # Fully-qualified group/version/kind of the incoming object
    "kind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    # Fully-qualified group/version/kind of the resource being modified
    "resource": {"group":"apps","version":"v1","resource":"deployments"},
    # subresource, if the request is to a subresource
    "subResource": "scale",
    # Fully-qualified group/version/kind of the incoming object in the original request to the API server.
    # This only differs from `kind` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestKind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    # Fully-qualified group/version/kind of the resource being modified in the original request to the API server.
    # This only differs from `resource` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestResource": {"group":"apps","version":"v1","resource":"deployments"},
    # subresource, if the request is to a subresource
    # This only differs from `subResource` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestSubResource": "scale",
    # Name of the resource being modified
    "name": "my-deployment",
    # Namespace of the resource being modified, if the resource is namespaced (or is a Namespace object)
    "namespace": "my-namespace",
    # operation can be CREATE, UPDATE, DELETE, or CONNECT
    "operation": "UPDATE",
    "userInfo": {
      # Username of the authenticated user making the request to the API server
      "username": "admin",
      # UID of the authenticated user making the request to the API server
      "uid": "014fbff9a07c",
      # Group memberships of the authenticated user making the request to the API server
      "groups": ["system:authenticated","my-admin-group"],
      # Arbitrary extra info associated with the user making the request to the API server.
      # This is populated by the API server authentication layer and should be included
      # if any SubjectAccessReview checks are performed by the webhook.
      "extra": {
        "some-key":["some-value1", "some-value2"]
      }
    },
    # object is the new object being admitted.
    # It is null for DELETE operations.
    "object": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    # oldObject is the existing object.
    # It is null for CREATE and CONNECT operations.
    "oldObject": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    # options contains the options for the operation being admitted, like meta.k8s.io/v1 CreateOptions, UpdateOptions, or DeleteOptions.
    # It is null for CONNECT operations.
    "options": {"apiVersion":"meta.k8s.io/v1","kind":"UpdateOptions",...},
    # dryRun indicates the API request is running in dry run mode and will not be persisted.
    # Webhooks with side effects should avoid actuating those side effects when dryRun is true.
    # See http://k8s.io/docs/reference/using-api/api-concepts/#make-a-dry-run-request for more details.
    "dryRun": false
  },
  "settings": {
    # policy settings
  }
}
```
The ValidationResponse object
The `validate` function returns the result of its validation using a `ValidationResponse` object.
`ValidationResponse` has this structure:
```json
{
  # mandatory
  "accepted": <boolean>,
  # optional, ignored if accepted - recommended for rejections
  "message": <string>,
  # optional, ignored if accepted
  "code": <integer>,
  # optional, used by mutation policies
  "mutated_object": <string>
}
```
When the request is not accepted, the `message` and `code` attributes can be specified. `message` is a free-form text error, while `code` represents an HTTP error code.
The Kubernetes API server ignores the values of `message` and `code` when the request is accepted.
When the request is rejected, the Kubernetes API server returns this information if `message` or `code` is present. It becomes part of the error body that the server returns to the Kubernetes API client that issued the rejected request.
`mutated_object` is an optional field used only by mutating policies. That is the topic of the next chapter.
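The following added example (not code from the Admission Controller project, and not using the waPC SDK) ties the `ValidationRequest` and `ValidationResponse` sections together: it wraps the `AdmissionReview` shown above into a `ValidationRequest` the way policy-server does, then implements a small `validate` function that only lets members of a hypothetical `allowed_groups` setting change the `scale` subresource, emitting `message` and `code` only on rejection. The sample request and the `allowed_groups` setting are constructed for this example.

```python
import json

# Constructed ValidationRequest derived from the AdmissionReview above: the
# "request" value is copied as-is and the policy settings are attached.
# "allowed_groups" is a hypothetical setting invented for this example.
SAMPLE_VALIDATION_REQUEST = {
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
        "kind": {"group": "autoscaling", "version": "v1", "kind": "Scale"},
        "resource": {"group": "apps", "version": "v1", "resource": "deployments"},
        "subResource": "scale",
        "name": "my-deployment",
        "namespace": "my-namespace",
        "operation": "UPDATE",
        "userInfo": {"username": "admin", "groups": ["system:authenticated", "my-admin-group"]},
        "dryRun": False,
    },
    "settings": {"allowed_groups": ["release-managers"]},
}


def wrap_admission_review(admission_review: dict, settings: dict) -> dict:
    """Build the ValidationRequest the way policy-server does: keep only
    AdmissionReview.request and attach the policy's own settings."""
    return {"request": admission_review["request"], "settings": settings}


def validate(validation_request: dict) -> dict:
    """Policy logic: only members of settings.allowed_groups may change the
    "scale" subresource. Returns a ValidationResponse as a dict."""
    req = validation_request["request"]
    settings = validation_request.get("settings", {})
    if req.get("subResource") != "scale":
        # Not a scale change: accept without message/code (ignored on acceptance anyway).
        return {"accepted": True}
    user_info = req.get("userInfo", {})
    if set(user_info.get("groups", [])) & set(settings.get("allowed_groups", [])):
        return {"accepted": True}
    # Rejection: message is shown to the client, code becomes the HTTP status.
    return {
        "accepted": False,
        "message": f"user {user_info.get('username', '<unknown>')} is not allowed "
                   f"to {req.get('operation')} the scale subresource",
        "code": 403,
    }


def validate_json(payload: str) -> str:
    """Wire-level entry point: ValidationRequest JSON in, ValidationResponse JSON out."""
    return json.dumps(validate(json.loads(payload)))
```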