This document was translated using automated machine translation. While we strive for accurate translations, we make no guarantee as to the completeness, accuracy or reliability of the translated content. In case of any inconsistency, the original English version prevails and is the authoritative text.

This is unreleased documentation for Admission Controller 1.34-dev.

Validation policies

The SUSE Security Admission Controller policy server receives either:

  • a Kubernetes AdmissionReview object from the Kubernetes API server. The value of its `request` attribute, of type AdmissionRequest, is then forwarded to the policy for evaluation;

or:

  • a JSON `request` attribute containing a free-form request document, in the case of raw policies. See the raw policies section for more details.

The policy evaluates the `request` and states whether it should be accepted. When the request is rejected, the policy may provide an explanation message and an error code to be shown to the end user.

By convention of the `policy-server` project, the guest must expose a function named `validate` through the waPC guest SDK, so that `policy-server` (the waPC host) can invoke it.

The `validate` function receives a `ValidationRequest` JSON object and returns a `ValidationResponse` JSON object.

The `ValidationRequest` object

`ValidationRequest` is the JSON object received by the `validate` function. It looks like:

{
  "request": <AdmissionReview.request data> | <RawReviewRequest.request data>,
  "settings": {
    # your policy configuration
  }
}

The `settings` key points to a free-form JSON document that holds policy-specific settings. The previous chapter focused on policies and settings.

Example

Given the following Kubernetes AdmissionReview:

{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "request": {
    # Random uid uniquely identifying this admission call
    "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",

    # Fully-qualified group/version/kind of the incoming object
    "kind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    # Fully-qualified group/version/kind of the resource being modified
    "resource": {"group":"apps","version":"v1","resource":"deployments"},
    # subresource, if the request is to a subresource
    "subResource": "scale",

    # Fully-qualified group/version/kind of the incoming object in the original request to the API server.
    # This only differs from `kind` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestKind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    # Fully-qualified group/version/kind of the resource being modified in the original request to the API server.
    # This only differs from `resource` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestResource": {"group":"apps","version":"v1","resource":"deployments"},
    # subresource, if the request is to a subresource
    # This only differs from `subResource` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestSubResource": "scale",

    # Name of the resource being modified
    "name": "my-deployment",
    # Namespace of the resource being modified, if the resource is namespaced (or is a Namespace object)
    "namespace": "my-namespace",

    # operation can be CREATE, UPDATE, DELETE, or CONNECT
    "operation": "UPDATE",

    "userInfo": {
      # Username of the authenticated user making the request to the API server
      "username": "admin",
      # UID of the authenticated user making the request to the API server
      "uid": "014fbff9a07c",
      # Group memberships of the authenticated user making the request to the API server
      "groups": ["system:authenticated","my-admin-group"],
      # Arbitrary extra info associated with the user making the request to the API server.
      # This is populated by the API server authentication layer and should be included
      # if any SubjectAccessReview checks are performed by the webhook.
      "extra": {
        "some-key":["some-value1", "some-value2"]
      }
    },

    # object is the new object being admitted.
    # It is null for DELETE operations.
    "object": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    # oldObject is the existing object.
    # It is null for CREATE and CONNECT operations.
    "oldObject": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    # options contains the options for the operation being admitted, like meta.k8s.io/v1 CreateOptions, UpdateOptions, or DeleteOptions.
    # It is null for CONNECT operations.
    "options": {"apiVersion":"meta.k8s.io/v1","kind":"UpdateOptions",...},

    # dryRun indicates the API request is running in dry run mode and will not be persisted.
    # Webhooks with side effects should avoid actuating those side effects when dryRun is true.
    # See http://k8s.io/docs/reference/using-api/api-concepts/#make-a-dry-run-request for more details.
    "dryRun": false
  }
}

The resulting `ValidationRequest` object looks like:

{
  "request": {
    # Random uid uniquely identifying this admission call
    "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",

    # Fully-qualified group/version/kind of the incoming object
    "kind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    # Fully-qualified group/version/kind of the resource being modified
    "resource": {"group":"apps","version":"v1","resource":"deployments"},
    # subresource, if the request is to a subresource
    "subResource": "scale",

    # Fully-qualified group/version/kind of the incoming object in the original request to the API server.
    # This only differs from `kind` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestKind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    # Fully-qualified group/version/kind of the resource being modified in the original request to the API server.
    # This only differs from `resource` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestResource": {"group":"apps","version":"v1","resource":"deployments"},
    # subresource, if the request is to a subresource
    # This only differs from `subResource` if the webhook specified `matchPolicy: Equivalent` and the
    # original request to the API server was converted to a version the webhook registered for.
    "requestSubResource": "scale",

    # Name of the resource being modified
    "name": "my-deployment",
    # Namespace of the resource being modified, if the resource is namespaced (or is a Namespace object)
    "namespace": "my-namespace",

    # operation can be CREATE, UPDATE, DELETE, or CONNECT
    "operation": "UPDATE",

    "userInfo": {
      # Username of the authenticated user making the request to the API server
      "username": "admin",
      # UID of the authenticated user making the request to the API server
      "uid": "014fbff9a07c",
      # Group memberships of the authenticated user making the request to the API server
      "groups": ["system:authenticated","my-admin-group"],
      # Arbitrary extra info associated with the user making the request to the API server.
      # This is populated by the API server authentication layer and should be included
      # if any SubjectAccessReview checks are performed by the webhook.
      "extra": {
        "some-key":["some-value1", "some-value2"]
      }
    },

    # object is the new object being admitted.
    # It is null for DELETE operations.
    "object": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    # oldObject is the existing object.
    # It is null for CREATE and CONNECT operations.
    "oldObject": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    # options contains the options for the operation being admitted, like meta.k8s.io/v1 CreateOptions, UpdateOptions, or DeleteOptions.
    # It is null for CONNECT operations.
    "options": {"apiVersion":"meta.k8s.io/v1","kind":"UpdateOptions",...},

    # dryRun indicates the API request is running in dry run mode and will not be persisted.
    # Webhooks with side effects should avoid actuating those side effects when dryRun is true.
    # See http://k8s.io/docs/reference/using-api/api-concepts/#make-a-dry-run-request for more details.
    "dryRun": false
  },
  "settings": {
    # policy settings
  }
}

The `ValidationResponse` object

The `validate` function returns its validation result using a `ValidationResponse` object.

`ValidationResponse` has the following structure:

{
  # mandatory
  "accepted": <boolean>,

  # optional, ignored if accepted - recommended for rejections
  "message": <string>,

  # optional, ignored if accepted
  "code": <integer>,

  # optional, used by mutation policies
  "mutated_object": <string>
}

When the request is not accepted, you can specify the `message` and `code` attributes. `message` is a free-form text error, and `code` is an HTTP error code.

The Kubernetes API server ignores the `message` and `code` values when the request is accepted.

When the request is rejected, the Kubernetes API server returns this information if `message` and `code` are present. It becomes part of the error body that the server returns to the Kubernetes API client that issued the rejected request.

`mutated_object` is an optional field used only by mutation policies. It is the subject of the next chapter.
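As an added example (not policy-server's code nor any published policy), here are both halves of the contract this page describes in Python: the host-side step that turns an AdmissionReview into a `ValidationRequest`, and a policy's `validate` entry point that answers with a `ValidationResponse`. The `max_replicas` setting, the Scale replica cap it enforces, and `SAMPLE_REVIEW` are assumptions constructed for illustration.

```python
import json

def build_validation_request(admission_review: dict, settings: dict) -> dict:
    """Host side: forward the AdmissionReview's `request` plus the policy settings."""
    return {"request": admission_review["request"], "settings": settings}

def _response(accepted: bool, message=None, code=None) -> bytes:
    """Build a ValidationResponse; message/code are only emitted on rejection."""
    resp = {"accepted": accepted}
    if not accepted and message is not None:
        resp["message"] = message
    if not accepted and code is not None:
        resp["code"] = code
    return json.dumps(resp).encode()

def validate(payload: bytes) -> bytes:
    """Guest entry point: ValidationRequest JSON in, ValidationResponse JSON out."""
    body = json.loads(payload)
    request, settings = body["request"], body.get("settings") or {}
    obj = request.get("object")  # null for DELETE and CONNECT operations
    if obj is None or obj.get("kind") != "Scale":
        return _response(True)  # this hypothetical policy only covers Scale objects
    max_replicas = settings.get("max_replicas")  # hypothetical policy setting
    replicas = obj.get("spec", {}).get("replicas", 0)
    if max_replicas is not None and replicas > max_replicas:
        user = request.get("userInfo", {}).get("username", "<unknown>")
        msg = (f"{user} asked for {replicas} replicas on "
               f"{request.get('namespace')}/{request.get('name')}; "
               f"max_replicas is {max_replicas}")
        return _response(False, message=msg, code=403)
    return _response(True)

# Constructed sample input, modelled on the AdmissionReview shown above.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
        "kind": {"group": "autoscaling", "version": "v1", "kind": "Scale"},
        "name": "my-deployment", "namespace": "my-namespace",
        "operation": "UPDATE", "userInfo": {"username": "admin"},
        "object": {"apiVersion": "autoscaling/v1", "kind": "Scale",
                   "spec": {"replicas": 12}},
    },
}

def run_sample(max_replicas: int) -> dict:
    """Drive the constructed sample through both halves and parse the answer."""
    vr = build_validation_request(SAMPLE_REVIEW, {"max_replicas": max_replicas})
    return json.loads(validate(json.dumps(vr).encode()))
```

`run_sample(10)` yields a rejection with `code` 403 and a message naming the user and resource, while `run_sample(12)` yields `{"accepted": true}`.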