...

Source file src/k8s.io/kubernetes/pkg/apis/imagepolicy/types.go

Documentation: k8s.io/kubernetes/pkg/apis/imagepolicy

     1  /*
     2  Copyright 2016 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package imagepolicy
    18  
    19  import (
    20  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    21  )
    22  
    23  // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
    24  
    25  // ImageReview checks if the set of images in a pod are allowed.
        //
        // It is the object exchanged with the image policy backend: Spec describes
        // the pod under review and Status carries the backend's verdict. The backend
        // sees only what Spec holds (image references, filtered annotations and the
        // namespace), so its decision cannot depend on anything else about the pod.
    26  type ImageReview struct {
    27  	metav1.TypeMeta
    28  	metav1.ObjectMeta
    29  
    30  	// Spec holds information about the pod being evaluated.
    31  	Spec ImageReviewSpec
    32  
    33  	// Status is filled in by the backend and indicates whether the pod should be allowed.
        	// NOTE(review): how an unreachable or failing backend is treated is decided by
        	// the caller, not by this type — confirm the configured default (defaultAllow in
        	// the ImagePolicyWebhook configuration) matches the cluster's fail-open or
        	// fail-closed intent.
    34  	Status ImageReviewStatus
    35  }
    36  
    37  // ImageReviewSpec is a description of the pod creation request.
    38  type ImageReviewSpec struct {
    39  	// Containers is a list of a subset of the information in each container of the Pod being created.
        	// NOTE(review): which of the pod's container lists (regular, init, ephemeral) are
        	// copied here is decided by the caller and is not visible in this file — confirm
        	// every list is covered, since an image that is never listed is never reviewed.
    40  	Containers []ImageReviewContainerSpec
    41  	// Annotations is a list of key-value pairs extracted from the Pod's annotations.
    42  	// It only includes keys which match the pattern `*.image-policy.k8s.io/*`.
    43  	// It is up to each webhook backend to determine how to interpret these annotations, if at all.
        	// The values come from the pod object, so they are supplied by whoever submits
        	// the pod; a backend that relaxes policy based on an annotation is trusting the
        	// requester, and should rely on other controls to limit who may set it.
    44  	Annotations map[string]string
    45  	// Namespace is the namespace the pod is being created in.
    46  	Namespace string
    47  }
    48  
    49  // ImageReviewContainerSpec is a description of a container within the pod creation request.
        // Image is the only field, so the image reference is all a backend learns about a container.
    50  type ImageReviewContainerSpec struct {
    51  	// Image is the container's image reference. It can be in the form image:tag or
        	// image@<algorithm>:<hex digest>, for example image@sha256:<digest>.
        	// A tag is a mutable pointer: the registry may serve different content for the
        	// same tag after the review, so allowing image:tag does not pin what is pulled.
        	// Only a digest reference identifies fixed content.
        	// NOTE(review): no normalisation of the string is visible in this file; backends
        	// should not assume it is canonical (registry host, implicit tag) — confirm
        	// against the caller.
    52  	Image string
    53  	// In future, we may add command line overrides, exec health check command lines, and so on.
    54  }
    55  
    56  // ImageReviewStatus is the result of the review for the pod creation request.
        // Every field is produced by the backend, so the consumer should handle it as
        // input from a separate service rather than as locally computed state.
    57  type ImageReviewStatus struct {
    58  	// Allowed indicates that all images were allowed to be run.
        	// The zero value is false, so a Status the backend never populated reads as a denial.
    59  	Allowed bool
    60  	// Reason should be empty unless Allowed is false in which case it
    61  	// may contain a short description of what is wrong.  Kubernetes
    62  	// may truncate excessively long errors when displaying to the user.
        	// The text is free-form and backend-supplied; it is meant for display and
        	// should not be parsed to drive decisions.
    63  	Reason string
    64  	// AuditAnnotations will be added to the attributes object of the
    65  	// admission controller request using 'AddAnnotation'.  The keys should
    66  	// be prefix-less (i.e., the admission controller will add an
    67  	// appropriate prefix).
        	// NOTE(review): keys and values are chosen by the backend and presumably end up
        	// in audit records — confirm the caller bounds their number and size and that
        	// the added prefix keeps them from colliding with other annotations.
    68  	AuditAnnotations map[string]string
    69  }
    70  
