docs: add request input struct #3234

Merged
13 changes: 1 addition & 12 deletions website/docs/howto.md
@@ -138,16 +138,5 @@ kubectl get constraints
```

### Input Review
You can view information on the `input.review` object that Gatekeeper takes as input [here](./input.md)

The `input.review` object stores the [admission request](https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest) under evaluation. It has the following fields:
- `dryRun`: Describes if the request was invoked by `kubectl --dry-run`. This cannot be populated by Kubernetes for audit.
- `kind`: The resource `kind`, `group`, `version` of the request object under evaluation.
- `name`: The name of the request object under evaluation. It may be empty if the deployment expects the API server to generate a name for the requested resource.
- `namespace`: The namespace of the request object under evaluation. Empty for cluster scoped objects.
- `object`: The request object under evaluation to be created or modified.
- `oldObject`: The original state of the request object under evaluation. This is only available for UPDATE operations.
- `operation`: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
- `uid`: The request's unique identifier. This cannot be populated by Kubernetes for audit.
- `userInfo`: The request's user's information such as `username`, `uid`, `groups`, `extra`. This cannot be populated by Kubernetes for audit.

> **_NOTE_** For `input.review` fields above that cannot be populated by Kubernetes for audit reviews, the constraint templates that rely on them are not auditable. It is up to the rego author to handle the case where these fields are unset and empty in order to avoid every matching resource being reported as violating resources.
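Review bot: the added line ("You can view information on the `input.review` object that Gatekeeper takes as input [here](./input.md)") has no terminating period and uses "here" as its link text, which reads poorly in a rendered page and in link lists; suggest "See [Admission Review Input](./input.md) for the fields of the `input.review` object that Gatekeeper evaluates." so the link text names the target page. Also note that the audit caveat (the `**_NOTE_**` block about fields Kubernetes cannot populate for audit, and the resulting false violations if rego does not handle unset fields) leaves this how-to entirely; readers who do not follow the link lose a point that directly affects whether their constraint is auditable, so consider keeping a one-sentence mention of it here with the details on the new page.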
75 changes: 75 additions & 0 deletions website/docs/input.md
@@ -0,0 +1,75 @@
---
id: input
title: Admission Review Input
---

The data that's passed to Gatekeeper for review is in the form of an `input.review` object that stores the [admission request](https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest) under evaluation. It follows a structure that contains the object being created, and in the case of update operations the old object being updated. It has the following fields:
- `dryRun`: Describes if the request was invoked by `kubectl --dry-run`. This cannot be populated by Kubernetes for audit.
- `kind`: The resource `kind`, `group`, `version` of the request object under evaluation.
- `name`: The name of the request object under evaluation. It may be empty if the deployment expects the API server to generate a name for the requested resource.
- `namespace`: The namespace of the request object under evaluation. Empty for cluster scoped objects.
- `object`: The request object under evaluation to be created or modified.
- `oldObject`: The original state of the request object under evaluation. This is only available for UPDATE operations.
- `operation`: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
- `uid`: The request's unique identifier. This cannot be populated by Kubernetes for audit.
- `userInfo`: The request's user's information such as `username`, `uid`, `groups`, `extra`. This cannot be populated by Kubernetes for audit.

> **_NOTE_** For `input.review` fields above that cannot be populated by Kubernetes for audit reviews, the constraint templates that rely on them are not auditable. It is up to the rego author to handle the case where these fields are unset and empty in order to avoid every matching resource being reported as violating resources.

You can see an example of the request structure below.

```json
{
"apiVersion": "admission.k8s.io/v1",
"kind": "AdmissionReview",
"request": {
"uid": "abc123",
"kind": {
"group": "apps",
"version": "v1",
"kind": "Deployment"
},
"resource": {
"group": "apps",
"version": "v1",
"resource": "deployments"
},
"namespace": "default",
"operation": "CREATE",
"userInfo": {
"username": "john_doe",
"groups": ["developers"]
},
"object": {
// The resource object being created, updated, or deleted
"metadata": {
"name": "my-deployment",
"labels": {
"app": "my-app",
"env": "production"
}
},
"spec": {
// Specific configuration for the resource
"replicas": 3,
// ... other fields ...
}
},
"oldObject": {
// For update requests, the previous state of the resource
"metadata": {
"name": "my-deployment",
"labels": {
"app": "my-app",
"env": "staging"
}
},
"spec": {
// Previous configuration for the resource
"replicas": 2,
// ... other fields ...
}
}
}
}
```
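Review bot: the example is fenced as ```json but contains `//` comments and `// ... other fields ...` placeholder lines, so it is not valid JSON and will fail to parse if a reader copies it into a test fixture; either remove the comments and placeholders or fence it as `jsonc`/`yaml` where comments are legal. The example also shows `"operation": "CREATE"` together with a populated `oldObject`, which contradicts the bullet above it ("`oldObject`: ... only available for UPDATE operations"); use `"operation": "UPDATE"` for the example or drop the `oldObject` block. Finally, the listed `dryRun` and `name` fields do not appear in the example while the example's `resource` field is not in the list, and it would help to state explicitly that the `request` object shown here is what a policy sees as `input.review` (so a rule reads `input.review.object`, not `input.request.object`).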
5 changes: 4 additions & 1 deletion website/sidebars.js
@@ -52,7 +52,10 @@ module.exports = {
type: 'category',
label: 'Concepts',
collapsed: false,
items: ['mutation-background']
items: [
'input',
'mutation-background'
]
},
{
type: 'category',
14 changes: 1 addition & 13 deletions website/versioned_docs/version-v3.14.x/howto.md
@@ -138,16 +138,4 @@ kubectl get constraints
```

### Input Review

The `input.review` object stores the [admission request](https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest) under evaluation. It has the following fields:
Member:

Please update this as well

Contributor Author:

This is updated same as the other one. For whatever reason the display is showing the new line below the deleted bit

- `dryRun`: Describes if the request was invoked by `kubectl --dry-run`. This cannot be populated by Kubernetes for audit.
- `kind`: The resource `kind`, `group`, `version` of the request object under evaluation.
- `name`: The name of the request object under evaluation. It may be empty if the deployment expects the API server to generate a name for the requested resource.
- `namespace`: The namespace of the request object under evaluation. Empty for cluster scoped objects.
- `object`: The request object under evaluation to be created or modified.
- `oldObject`: The original state of the request object under evaluation. This is only available for UPDATE operations.
- `operation`: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
- `uid`: The request's unique identifier. This cannot be populated by Kubernetes for audit.
- `userInfo`: The request's user's information such as `username`, `uid`, `groups`, `extra`. This cannot be populated by Kubernetes for audit.

> **_NOTE_** For `input.review` fields above that cannot be populated by Kubernetes for audit reviews, the constraint templates that rely on them are not auditable. It is up to the rego author to handle the case where these fields are unset and empty in order to avoid every matching resource being reported as violating resources.
You can view information on the `input.review` object that Gatekeeper takes as input [here](./input.md)
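Review bot: this hunk removes 13 lines where the corresponding `website/docs/howto.md` hunk removes 12 (`@@ -138,16 +138,4 @@` here versus `@@ -138,16 +138,5 @@` there), so the versioned and unversioned how-to end up with different whitespace around the new link line; make the two files identical so the v3.14.x snapshot does not drift from the main docs. The added line also needs the same wording fix as the unversioned copy: a terminating period and descriptive link text (for example "See [Admission Review Input](./input.md) for the fields of the `input.review` object.") instead of "here".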
75 changes: 75 additions & 0 deletions website/versioned_docs/version-v3.14.x/input.md
@@ -0,0 +1,75 @@
---
id: input
title: Admission Review Input
---

The data that's passed to Gatekeeper for review is in the form of an `input.review` object that stores the [admission request](https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest) under evaluation. It follows a structure that contains the object being created, and in the case of update operations the old object being updated. It has the following fields:
- `dryRun`: Describes if the request was invoked by `kubectl --dry-run`. This cannot be populated by Kubernetes for audit.
- `kind`: The resource `kind`, `group`, `version` of the request object under evaluation.
- `name`: The name of the request object under evaluation. It may be empty if the deployment expects the API server to generate a name for the requested resource.
- `namespace`: The namespace of the request object under evaluation. Empty for cluster scoped objects.
- `object`: The request object under evaluation to be created or modified.
- `oldObject`: The original state of the request object under evaluation. This is only available for UPDATE operations.
- `operation`: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
- `uid`: The request's unique identifier. This cannot be populated by Kubernetes for audit.
- `userInfo`: The request's user's information such as `username`, `uid`, `groups`, `extra`. This cannot be populated by Kubernetes for audit.

> **_NOTE_** For `input.review` fields above that cannot be populated by Kubernetes for audit reviews, the constraint templates that rely on them are not auditable. It is up to the rego author to handle the case where these fields are unset and empty in order to avoid every matching resource being reported as violating resources.

You can see an example of the request structure below.

```json
{
"apiVersion": "admission.k8s.io/v1",
"kind": "AdmissionReview",
"request": {
"uid": "abc123",
"kind": {
"group": "apps",
"version": "v1",
"kind": "Deployment"
},
"resource": {
"group": "apps",
"version": "v1",
"resource": "deployments"
},
"namespace": "default",
"operation": "CREATE",
"userInfo": {
"username": "john_doe",
"groups": ["developers"]
},
"object": {
// The resource object being created, updated, or deleted
"metadata": {
"name": "my-deployment",
"labels": {
"app": "my-app",
"env": "production"
}
},
"spec": {
// Specific configuration for the resource
"replicas": 3,
// ... other fields ...
}
},
"oldObject": {
// For update requests, the previous state of the resource
"metadata": {
"name": "my-deployment",
"labels": {
"app": "my-app",
"env": "staging"
}
},
"spec": {
// Previous configuration for the resource
"replicas": 2,
// ... other fields ...
}
}
}
}
```
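Review bot: this file is a byte-for-byte copy of the unversioned `website/docs/input.md`, so every fix made there must be repeated here: the ```json fence wraps `//` comments and `// ... other fields ...` placeholders that are not valid JSON, and the example pairs `"operation": "CREATE"` with a populated `oldObject` although the field list states `oldObject` is only available for UPDATE operations. Since `versioned_docs/version-v3.14.x` is the frozen copy served for the v3.14.x release, consider whether a new page should be added to it at all rather than only to the next version's docs; if it stays, the corrected example and the `id: input` front matter must match the `"input"` entry added to `version-v3.14.x-sidebars.json` in this PR.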
1 change: 1 addition & 0 deletions website/versioned_sidebars/version-v3.14.x-sidebars.json
@@ -53,6 +53,7 @@
"label": "Concepts",
"collapsed": false,
"items": [
"input",
"mutation-background"
]
},