

Golang field.Forbidden函数代码示例

本文整理汇总了Golang中k8s.io/kubernetes/pkg/util/validation/field.Forbidden函数的典型用法代码示例。如果您正苦于以下问题:Golang Forbidden函数的具体用法?Golang Forbidden怎么用?Golang Forbidden使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了Forbidden函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。

示例1: Validate

// Validate checks the AppArmor profile requested for container (read from the
// pod's annotations) against the strategy's allowed profiles.
//
// A nil allowedProfiles map means the strategy is unrestricted and nothing is
// checked. With a non-nil map, a container that names no profile is rejected
// when at least one profile is allowed, and a named profile is rejected unless
// the map holds true for it. Errors are reported against the container's
// AppArmor annotation key.
func (s *strategy) Validate(pod *api.Pod, container *api.Container) field.ErrorList {
	if s.allowedProfiles == nil {
		// No allow-list configured: every profile is accepted.
		return nil
	}

	annotationPath := field.NewPath("pod", "metadata", "annotations").Key(apparmor.ContainerAnnotationKeyPrefix + container.Name)
	requested := apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name)

	switch {
	case requested == "" && len(s.allowedProfiles) > 0:
		// An allow-list exists, so running without any profile is not acceptable.
		return field.ErrorList{field.Forbidden(annotationPath, "AppArmor profile must be set")}
	case requested == "":
		// Empty (but non-nil) allow-list and no profile requested.
		return nil
	case s.allowedProfiles[requested]:
		return field.ErrorList{}
	}

	// The requested name comes from the pod's annotations and is echoed back
	// in the error text together with the configured allow-list.
	detail := fmt.Sprintf("%s is not an allowed profile. Allowed values: %q", requested, s.allowedProfilesString)
	return field.ErrorList{field.Forbidden(annotationPath, detail)}
}
开发者ID:alex-mohr,项目名称:kubernetes,代码行数:25,代码来源:strategy.go

示例2: Admit

// Admit decides whether a Service may be admitted, judging its
// spec.externalIPs against the ranger's admit and reject network lists.
//
// Requests for resources other than "services", and objects that are not a
// *kapi.Service, are passed through untouched. With an empty admit list any
// externalIPs entry is rejected. Otherwise every entry must parse as an IP
// address, must not fall inside a rejected network and must fall inside an
// admitted one. All violations are collected and returned as one Invalid API
// error.
func (r *externalIPRanger) Admit(a kadmission.Attributes) error {
	if a.GetResource() != kapi.Resource("services") {
		return nil
	}

	svc, isService := a.GetObject().(*kapi.Service)
	if !isService {
		// Not an object this plugin understands; nothing to check.
		return nil
	}

	requested := svc.Spec.ExternalIPs
	if len(requested) == 0 {
		return nil
	}

	var errs field.ErrorList
	if len(r.admit) == 0 {
		// The administrator disabled externalIPs altogether.
		errs = append(errs, field.Forbidden(field.NewPath("spec", "externalIPs"), "externalIPs have been disabled"))
	} else {
		// The administrator limited the usable ranges.
		for i, raw := range requested {
			entryPath := field.NewPath("spec", "externalIPs").Index(i)
			ip := net.ParseIP(raw)
			if ip == nil {
				errs = append(errs, field.Forbidden(entryPath, "externalIPs must be a valid address"))
				continue
			}
			// The reject list takes precedence over the admit list.
			if networkSlice(r.reject).Contains(ip) || !networkSlice(r.admit).Contains(ip) {
				errs = append(errs, field.Forbidden(entryPath, "externalIP is not allowed"))
			}
		}
	}

	if len(errs) == 0 {
		return nil
	}
	return apierrs.NewInvalid(a.GetKind(), a.GetName(), errs)
}
开发者ID:asiainfoLDP,项目名称:datafactory,代码行数:36,代码来源:externalip_admission.go

示例3: validateRoleBindingSubject

// validateRoleBindingSubject validates one subject reference of a role
// binding and returns every problem found, with paths rooted at fldPath.
//
// The name is required; uid, apiVersion, resourceVersion and fieldPath must
// be empty. The remaining checks depend on subject.Kind:
//   - ServiceAccount, User, Group: a non-empty name must pass the matching
//     name validator; a service account subject additionally needs a
//     namespace when isNamespaced is false.
//   - SystemUser, SystemGroup: the name must NOT satisfy the ordinary
//     user/service-account (respectively group) name rules.
//   - any other kind is reported as unsupported.
func validateRoleBindingSubject(subject kapi.ObjectReference, isNamespaced bool, fldPath *field.Path) field.ErrorList {
	errs := field.ErrorList{}
	hasName := len(subject.Name) > 0

	// forbid reports a reference field that must be left empty on a subject.
	forbid := func(child, value string) {
		if len(value) != 0 {
			errs = append(errs, field.Forbidden(fldPath.Child(child), value))
		}
	}
	// rejectName reports the validator's reasons against a non-empty name.
	rejectName := func(reasons []string) {
		if hasName && len(reasons) != 0 {
			errs = append(errs, field.Invalid(fldPath.Child("name"), subject.Name, strings.Join(reasons, ", ")))
		}
	}

	if !hasName {
		errs = append(errs, field.Required(fldPath.Child("name"), ""))
	}
	if len(subject.UID) != 0 {
		errs = append(errs, field.Forbidden(fldPath.Child("uid"), fmt.Sprintf("%v", subject.UID)))
	}
	forbid("apiVersion", subject.APIVersion)
	forbid("resourceVersion", subject.ResourceVersion)
	forbid("fieldPath", subject.FieldPath)

	switch subject.Kind {
	case authorizationapi.ServiceAccountKind:
		rejectName(validation.ValidateServiceAccountName(subject.Name, false))
		if !isNamespaced && len(subject.Namespace) == 0 {
			errs = append(errs, field.Required(fldPath.Child("namespace"), "Service account subjects for ClusterRoleBindings must have a namespace"))
		}

	case authorizationapi.UserKind:
		rejectName(uservalidation.ValidateUserName(subject.Name, false))

	case authorizationapi.GroupKind:
		rejectName(uservalidation.ValidateGroupName(subject.Name, false))

	case authorizationapi.SystemUserKind:
		// A system user name that is also a valid service account or user
		// name is rejected, keeping the two kinds of name apart.
		looksLikeServiceAccount := len(validation.ValidateServiceAccountName(subject.Name, false)) == 0
		looksLikeUser := len(uservalidation.ValidateUserName(subject.Name, false)) == 0
		if looksLikeServiceAccount || looksLikeUser {
			errs = append(errs, field.Invalid(fldPath.Child("name"), subject.Name, "conforms to User.name or ServiceAccount.name restrictions"))
		}

	case authorizationapi.SystemGroupKind:
		// Same idea for groups: a name passing the ordinary group rules is rejected.
		reasons := uservalidation.ValidateGroupName(subject.Name, false)
		if hasName && len(reasons) == 0 {
			errs = append(errs, field.Invalid(fldPath.Child("name"), subject.Name, "conforms to Group.name restrictions"))
		}

	default:
		supportedKinds := []string{
			authorizationapi.ServiceAccountKind,
			authorizationapi.UserKind,
			authorizationapi.GroupKind,
			authorizationapi.SystemGroupKind,
			authorizationapi.SystemUserKind,
		}
		errs = append(errs, field.NotSupported(fldPath.Child("kind"), subject.Kind, supportedKinds))
	}

	return errs
}
开发者ID:php-coder,项目名称:origin,代码行数:56,代码来源:validation.go

示例4: Admit

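// Admit decides whether a Service may be admitted, judging its
// spec.externalIPs against the ranger's admit and reject network lists.
//
// Requests for resources other than "services", and objects that are not a
// *kapi.Service, are passed through untouched. When allowIngressIP is set and
// a LoadBalancer service is being updated, the first ingress IP recorded in
// the previous object's load-balancer status is exempt from the range checks.
// All violations are collected and returned as one Invalid API error.
func (r *externalIPRanger) Admit(a kadmission.Attributes) error {
	if a.GetResource().GroupResource() != kapi.Resource("services") {
		return nil
	}

	svc, ok := a.GetObject().(*kapi.Service)
	// if we can't convert then we don't handle this object so just return
	if !ok {
		return nil
	}

	// Determine if an ingress ip address should be allowed as an
	// external ip by checking the loadbalancer status of the previous
	// object state. Only updates need to be validated against the
	// ingress ip since the loadbalancer status cannot be set on
	// create.
	ingressIP := ""
	retrieveIngressIP := a.GetOperation() == kadmission.Update &&
		r.allowIngressIP && svc.Spec.Type == kapi.ServiceTypeLoadBalancer
	if retrieveIngressIP {
		old, ok := a.GetOldObject().(*kapi.Service)
		ipPresent := ok && old != nil && len(old.Status.LoadBalancer.Ingress) > 0
		if ipPresent {
			ingressIP = old.Status.LoadBalancer.Ingress[0].IP
		}
	}

	var errs field.ErrorList
	switch {
	// administrator disabled externalIPs
	case len(svc.Spec.ExternalIPs) > 0 && len(r.admit) == 0:
		// The exemption applies only when an ingress IP was actually found.
		// Without the ingressIP != "" guard, a single empty externalIPs entry
		// would compare equal to the empty default and slip past the
		// "disabled" check.
		onlyIngressIP := ingressIP != "" &&
			len(svc.Spec.ExternalIPs) == 1 && svc.Spec.ExternalIPs[0] == ingressIP
		if !onlyIngressIP {
			errs = append(errs, field.Forbidden(field.NewPath("spec", "externalIPs"), "externalIPs have been disabled"))
		}
	// administrator has limited the range
	case len(svc.Spec.ExternalIPs) > 0 && len(r.admit) > 0:
		for i, s := range svc.Spec.ExternalIPs {
			ip := net.ParseIP(s)
			if ip == nil {
				// Unparseable entries (including the empty string) are
				// rejected before the ingress IP comparison is reached.
				errs = append(errs, field.Forbidden(field.NewPath("spec", "externalIPs").Index(i), "externalIPs must be a valid address"))
				continue
			}
			// The exemption is a string comparison against the recorded ingress IP.
			notIngressIP := s != ingressIP
			// The reject list takes precedence over the admit list.
			if (NetworkSlice(r.reject).Contains(ip) || !NetworkSlice(r.admit).Contains(ip)) && notIngressIP {
				errs = append(errs, field.Forbidden(field.NewPath("spec", "externalIPs").Index(i), "externalIP is not allowed"))
			}
		}
	}
	if len(errs) > 0 {
		return apierrs.NewInvalid(a.GetKind().GroupKind(), a.GetName(), errs)
	}
	return nil
}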
开发者ID:juanluisvaladas,项目名称:origin,代码行数:56,代码来源:externalip_admission.go

示例5: validateImageSignature

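// validateImageSignature validates an ImageSignature and returns every
// problem found, with paths rooted at fldPath.
//
// It checks the object metadata, forbids labels and annotations, requires the
// name to split as <imageName>@<signatureName>, and requires type and content.
// From the conditions it picks the most recently probed SignatureTrusted and
// SignatureForImage entries: the two must appear together, and while the
// trusted condition is absent or Unknown the derived fields (imageIdentity,
// signedClaims, issuedBy, issuedTo) must stay unset.
func validateImageSignature(signature *api.ImageSignature, fldPath *field.Path) field.ErrorList {
	allErrs := validation.ValidateObjectMeta(&signature.ObjectMeta, false, oapi.MinimalNameRequirements, fldPath.Child("metadata"))
	if len(signature.Labels) > 0 {
		allErrs = append(allErrs, field.Forbidden(fldPath.Child("metadata").Child("labels"), "signature labels cannot be set"))
	}
	if len(signature.Annotations) > 0 {
		allErrs = append(allErrs, field.Forbidden(fldPath.Child("metadata").Child("annotations"), "signature annotations cannot be set"))
	}

	if _, _, err := api.SplitImageSignatureName(signature.Name); err != nil {
		allErrs = append(allErrs, field.Invalid(fldPath.Child("metadata").Child("name"), signature.Name, "name must be of format <imageName>@<signatureName>"))
	}
	if len(signature.Type) == 0 {
		allErrs = append(allErrs, field.Required(fldPath.Child("type"), ""))
	}
	if len(signature.Content) == 0 {
		allErrs = append(allErrs, field.Required(fldPath.Child("content"), ""))
	}

	// Keep, per condition type, the entry with the latest probe time (a later
	// entry wins a tie).
	var trustedCondition, forImageCondition *api.SignatureCondition
	for i := range signature.Conditions {
		cond := &signature.Conditions[i]
		if cond.Type == api.SignatureTrusted && (trustedCondition == nil || !cond.LastProbeTime.Before(trustedCondition.LastProbeTime)) {
			trustedCondition = cond
			// The nil test and the recency test are grouped explicitly: && binds
			// tighter than ||, so without the parentheses the recency test also
			// ran for conditions of any other type and read
			// forImageCondition.LastProbeTime while forImageCondition was still
			// nil, and it could select a condition that is not SignatureForImage.
		} else if cond.Type == api.SignatureForImage && (forImageCondition == nil || !cond.LastProbeTime.Before(forImageCondition.LastProbeTime)) {
			forImageCondition = cond
		}
	}

	// The two condition types are only meaningful as a pair.
	if trustedCondition != nil && forImageCondition == nil {
		msg := fmt.Sprintf("missing %q condition type", api.SignatureForImage)
		allErrs = append(allErrs, field.Invalid(fldPath.Child("conditions"), signature.Conditions, msg))
	} else if forImageCondition != nil && trustedCondition == nil {
		msg := fmt.Sprintf("missing %q condition type", api.SignatureTrusted)
		allErrs = append(allErrs, field.Invalid(fldPath.Child("conditions"), signature.Conditions, msg))
	}

	// Without a known trust verdict, fields describing the verified signer
	// and claims must not be populated.
	if trustedCondition == nil || trustedCondition.Status == kapi.ConditionUnknown {
		if len(signature.ImageIdentity) != 0 {
			allErrs = append(allErrs, field.Invalid(fldPath.Child("imageIdentity"), signature.ImageIdentity, "must be unset for unknown signature state"))
		}
		if len(signature.SignedClaims) != 0 {
			allErrs = append(allErrs, field.Invalid(fldPath.Child("signedClaims"), signature.SignedClaims, "must be unset for unknown signature state"))
		}
		if signature.IssuedBy != nil {
			allErrs = append(allErrs, field.Invalid(fldPath.Child("issuedBy"), signature.IssuedBy, "must be unset for unknown signature state"))
		}
		if signature.IssuedTo != nil {
			allErrs = append(allErrs, field.Invalid(fldPath.Child("issuedTo"), signature.IssuedTo, "must be unset for unknown signature state"))
		}
	}

	return allErrs
}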
开发者ID:rootfs,项目名称:origin,代码行数:54,代码来源:validation.go

示例6: ValidateStorageClassUpdate

// ValidateStorageClassUpdate reports whether an update to a StorageClass is
// acceptable. Besides the object-metadata update checks, it treats both
// parameters and provisioner as immutable: any difference between the old and
// new value is returned as a Forbidden error on that field.
func ValidateStorageClassUpdate(storageClass, oldStorageClass *extensions.StorageClass) field.ErrorList {
	errs := apivalidation.ValidateObjectMetaUpdate(&storageClass.ObjectMeta, &oldStorageClass.ObjectMeta, field.NewPath("metadata"))

	parametersUnchanged := reflect.DeepEqual(oldStorageClass.Parameters, storageClass.Parameters)
	if !parametersUnchanged {
		errs = append(errs, field.Forbidden(field.NewPath("parameters"), "updates to parameters are forbidden."))
	}

	provisionerUnchanged := strings.Compare(storageClass.Provisioner, oldStorageClass.Provisioner) == 0
	if !provisionerUnchanged {
		errs = append(errs, field.Forbidden(field.NewPath("provisioner"), "updates to provisioner are forbidden."))
	}

	return errs
}
开发者ID:AdoHe,项目名称:kubernetes,代码行数:12,代码来源:validation.go

示例7: ValidateImageSignatureUpdate

// ValidateImageSignatureUpdate validates an update to an ImageSignature. It
// runs the object-metadata update checks and the regular ImageSignature
// validation on the new object, then rejects any change to the signature's
// type or content, which are immutable once stored.
func ValidateImageSignatureUpdate(newImageSignature, oldImageSignature *api.ImageSignature) field.ErrorList {
	errs := validation.ValidateObjectMetaUpdate(&newImageSignature.ObjectMeta, &oldImageSignature.ObjectMeta, field.NewPath("metadata"))
	errs = append(errs, ValidateImageSignature(newImageSignature)...)

	typeChanged := newImageSignature.Type != oldImageSignature.Type
	if typeChanged {
		errs = append(errs, field.Forbidden(field.NewPath("type"), "cannot change signature type"))
	}

	// Content is compared byte for byte.
	contentUnchanged := bytes.Equal(newImageSignature.Content, oldImageSignature.Content)
	if !contentUnchanged {
		errs = append(errs, field.Forbidden(field.NewPath("content"), "cannot change signature content"))
	}

	return errs
}
开发者ID:rootfs,项目名称:origin,代码行数:14,代码来源:validation.go

示例8: ValidateNetworkPolicySpec

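// ValidateNetworkPolicySpec tests if required fields in the networkpolicy spec are set.
//
// The spec's pod selector is validated, and every peer listed under an
// ingress rule's "from" must set exactly one of PodSelector and
// NamespaceSelector. Errors about a peer are reported against that peer's own
// path (ingress[i].from[j]...), so a rejected policy points at the offending
// entry instead of at the spec as a whole.
func ValidateNetworkPolicySpec(spec *extensions.NetworkPolicySpec, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(&spec.PodSelector, fldPath.Child("podSelector"))...)

	// Validate ingress rules.
	for i, rule := range spec.Ingress {
		rulePath := fldPath.Child("ingress").Index(i)
		// TODO: Update From to be a pointer to slice as soon as auto-generation supports it.
		for j, peer := range rule.From {
			peerPath := rulePath.Child("from").Index(j)
			numFroms := 0
			if peer.PodSelector != nil {
				numFroms++
				allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(peer.PodSelector, peerPath.Child("podSelector"))...)
			}
			if peer.NamespaceSelector != nil {
				if numFroms > 0 {
					// Both selectors set on one peer: ambiguous, so reject it.
					allErrs = append(allErrs, field.Forbidden(peerPath, "may not specify more than 1 from type"))
				} else {
					numFroms++
					allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(peer.NamespaceSelector, peerPath.Child("namespaceSelector"))...)
				}
			}

			if numFroms == 0 {
				// At least one of PodSelector and NamespaceSelector must be defined.
				allErrs = append(allErrs, field.Required(peerPath, "must specify a from type"))
			}
		}
	}
	return allErrs
}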
开发者ID:maisem,项目名称:kubernetes,代码行数:31,代码来源:validation.go

示例9: ValidateNetworkPolicyUpdate

// ValidateNetworkPolicyUpdate tests if an update to a NetworkPolicy is valid.
// Any difference between the new and the old object is rejected with a
// Forbidden error reported on "spec".
//
// NOTE(review): the comparison covers the whole object, not only Spec, so a
// metadata-only change is also reported as a forbidden spec update. Confirm
// whether that is intended before relying on it.
func ValidateNetworkPolicyUpdate(np, oldNP *extensions.NetworkPolicy) field.ErrorList {
	if reflect.DeepEqual(np, oldNP) {
		return field.ErrorList{}
	}
	specPath := field.NewPath("spec")
	return field.ErrorList{field.Forbidden(specPath, "updates to networkpolicy spec are forbidden.")}
}
开发者ID:40a,项目名称:bootkube,代码行数:8,代码来源:validation.go

示例10: ValidateUpdate

// ValidateUpdate runs the wrapped update-validation function on obj and old.
// When the validator carries no update function it fails closed: the update
// is refused with a Forbidden error on "obj" rather than being let through
// unvalidated.
func (v *WrappingValidator) ValidateUpdate(obj, old runtime.Object) field.ErrorList {
	if v.validateUpdate != nil {
		newValue, oldValue := reflect.ValueOf(obj), reflect.ValueOf(old)
		return callValidateUpdate(newValue, oldValue, *v.validateUpdate)
	}

	// No update validation registered: reject.
	return field.ErrorList{field.Forbidden(field.NewPath("obj"), obj)}
}
开发者ID:erinboyd,项目名称:origin,代码行数:8,代码来源:wrapper.go

示例11: ValidatePod

// ValidatePod checks the pod-level seccomp annotation against the strategy.
//
// If the strategy neither allows any profile nor lists allowed profiles,
// setting a profile at all is forbidden. Otherwise the requested profile
// (possibly empty) must be accepted by profileAllowed. Errors are reported
// against the pod's seccomp annotation key.
func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
	annotationPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)
	requested := pod.Annotations[api.SeccompPodAnnotationKey]

	// Nothing is permitted: no wildcard and an empty allow-list.
	seccompDisallowed := !s.allowAnyProfile && len(s.allowedProfiles) == 0
	if seccompDisallowed && requested != "" {
		return field.ErrorList{field.Forbidden(annotationPath, "seccomp may not be set")}
	}

	if s.profileAllowed(requested) {
		return field.ErrorList{}
	}

	// The requested value comes from the pod's annotations and is echoed
	// back in the error text.
	detail := fmt.Sprintf("%s is not an allowed seccomp profile. Valid values are %v", requested, s.allowedProfilesString)
	return field.ErrorList{field.Forbidden(annotationPath, detail)}
}
开发者ID:eljefedelrodeodeljefe,项目名称:kubernetes,代码行数:19,代码来源:strategy.go

示例12: ValidateContainer

// ValidateContainer checks the seccomp profile that applies to container
// against the strategy.
//
// If the strategy neither allows any profile nor lists allowed profiles,
// setting a profile at all is forbidden. Otherwise the profile resolved by
// profileForContainer (possibly empty) must be accepted by profileAllowed.
// Errors are reported against the container's seccomp annotation key.
func (s *strategy) ValidateContainer(pod *api.Pod, container *api.Container) field.ErrorList {
	annotationPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompContainerAnnotationKeyPrefix + container.Name)
	requested := profileForContainer(pod, container)

	// Nothing is permitted: no wildcard and an empty allow-list.
	seccompDisallowed := !s.allowAnyProfile && len(s.allowedProfiles) == 0
	if seccompDisallowed && requested != "" {
		return field.ErrorList{field.Forbidden(annotationPath, "seccomp may not be set")}
	}

	if s.profileAllowed(requested) {
		return field.ErrorList{}
	}

	detail := fmt.Sprintf("%s is not an allowed seccomp profile. Valid values are %v", requested, s.allowedProfilesString)
	return field.ErrorList{field.Forbidden(annotationPath, detail)}
}
开发者ID:eljefedelrodeodeljefe,项目名称:kubernetes,代码行数:19,代码来源:strategy.go

示例13: ValidateNetworkPolicyUpdate

// ValidateNetworkPolicyUpdate tests if an update to a NetworkPolicy is valid.
// Metadata changes go through the object-metadata update checks; the spec is
// immutable, so any difference between the old and new Spec is rejected with
// a Forbidden error on "spec".
func ValidateNetworkPolicyUpdate(update, old *extensions.NetworkPolicy) field.ErrorList {
	metaErrs := apivalidation.ValidateObjectMetaUpdate(&update.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))
	errs := append(field.ErrorList{}, metaErrs...)

	if specUnchanged := reflect.DeepEqual(update.Spec, old.Spec); !specUnchanged {
		errs = append(errs, field.Forbidden(field.NewPath("spec"), "updates to networkpolicy spec are forbidden."))
	}
	return errs
}
开发者ID:maisem,项目名称:kubernetes,代码行数:9,代码来源:validation.go

示例14: ValidateUpdate

// ValidateUpdate is the default update validation for an end user. For now
// it refuses every update unconditionally, returning a single Forbidden error
// on "spec"; obj and old are not inspected.
func (petSetStrategy) ValidateUpdate(ctx api.Context, obj, old runtime.Object) field.ErrorList {
	// TODO: For now we're taking the safe route and disallowing all updates to spec.
	// Enable on a case by case basis.
	//validationErrorList := validation.ValidatePetSet(obj.(*apps.PetSet))
	//updateErrorList := validation.ValidatePetSetUpdate(obj.(*apps.PetSet), old.(*apps.PetSet))
	//return append(validationErrorList, updateErrorList...)
	specPath := field.NewPath("spec")
	return field.ErrorList{field.Forbidden(specPath, "updates to petset spec are forbidden.")}
}
开发者ID:Clarifai,项目名称:kubernetes,代码行数:10,代码来源:strategy.go

示例15: ValidatePod

// ValidatePod checks the pod-level seccomp annotation against the strategy's
// allowed profiles.
//
// With an empty allow-list, setting any profile is forbidden. Otherwise the
// requested profile (possibly empty) must be accepted by isProfileAllowed.
// Errors are reported against the pod's seccomp annotation.
func (s *withSeccompProfile) ValidatePod(pod *api.Pod) field.ErrorList {
	annotationPath := field.NewPath("pod", "metadata", "annotations", api.SeccompPodAnnotationKey)
	// A missing annotation reads as the empty string.
	requested := pod.Annotations[api.SeccompPodAnnotationKey]

	if requested != "" && len(s.allowedProfiles) == 0 {
		return field.ErrorList{field.Forbidden(annotationPath, "seccomp may not be set")}
	}

	if isProfileAllowed(requested, s.allowedProfiles) {
		return field.ErrorList{}
	}

	detail := fmt.Sprintf("%s is not a valid seccomp profile. Valid values are %v", requested, s.allowedProfiles)
	return field.ErrorList{field.Forbidden(annotationPath, detail)}
}
开发者ID:juanluisvaladas,项目名称:origin,代码行数:21,代码来源:withseccomp.go


注:本文中的k8s.io/kubernetes/pkg/util/validation/field.Forbidden函数示例由纯净天空整理自GitHub/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。