if len(errs) > 0 {
return nil, errs.ToAggregate()
}
return config, nil
}
type projectRequestLimit struct {
*admission.Handler
client client.Interface
config *ProjectRequestLimitConfig
cache *projectcache.ProjectCache
}
// ensure that the required Openshift admission interfaces are implemented
var _ = oadmission.WantsProjectCache(&projectRequestLimit{})
var _ = oadmission.WantsOpenshiftClient(&projectRequestLimit{})
var _ = oadmission.Validator(&projectRequestLimit{})
// Admit ensures that only a configured number of projects can be requested by a particular user.
func (o *projectRequestLimit) Admit(a admission.Attributes) (err error) {
if a.GetResource() != projectapi.Resource("projectrequests") {
return nil
}
if _, isProjectRequest := a.GetObject().(*projectapi.ProjectRequest); !isProjectRequest {
return nil
}
userName := a.GetUserInfo().GetName()
projectCount, err := o.projectCountByRequester(userName)
if err != nil {
return err
}
type imagePolicyPlugin struct {
*admission.Handler
config *api.ImagePolicyConfig
client client.Interface
accepter rules.Accepter
integratedRegistryMatcher integratedRegistryMatcher
resolveGroupResources []unversioned.GroupResource
projectCache *cache.ProjectCache
resolver imageResolver
}
var _ = oadmission.WantsOpenshiftClient(&imagePolicyPlugin{})
var _ = oadmission.Validator(&imagePolicyPlugin{})
var _ = oadmission.WantsDefaultRegistryFunc(&imagePolicyPlugin{})
type integratedRegistryMatcher struct {
rules.RegistryMatcher
}
// imageResolver abstracts identifying an image for a particular reference.
type imageResolver interface {
ResolveObjectReference(ref *kapi.ObjectReference, defaultNamespace string) (*rules.ImagePolicyAttributes, error)
}
// imagePolicyPlugin returns an admission controller for pods that controls what images are allowed to run on the
// cluster.
func newImagePolicyPlugin(client clientset.Interface, parsed *api.ImagePolicyConfig) (*imagePolicyPlugin, error) {
})
}
type jenkinsBootstrapper struct {
*admission.Handler
privilegedRESTClientConfig restclient.Config
serviceClient coreclient.ServicesGetter
openshiftClient client.Interface
jenkinsConfig configapi.JenkinsPipelineConfig
}
var _ = oadmission.WantsJenkinsPipelineConfig(&jenkinsBootstrapper{})
var _ = oadmission.WantsRESTClientConfig(&jenkinsBootstrapper{})
var _ = oadmission.WantsOpenshiftClient(&jenkinsBootstrapper{})
// NewJenkinsBootstrapper returns an admission plugin that will create required jenkins resources as the user if they are needed.
func NewJenkinsBootstrapper(serviceClient coreclient.ServicesGetter) admission.Interface {
return &jenkinsBootstrapper{
Handler: admission.NewHandler(admission.Create),
serviceClient: serviceClient,
}
}
func (a *jenkinsBootstrapper) Admit(attributes admission.Attributes) error {
if a.jenkinsConfig.AutoProvisionEnabled != nil && !*a.jenkinsConfig.AutoProvisionEnabled {
return nil
}
if len(attributes.GetSubresource()) != 0 {
return nil
"github.com/openshift/origin/pkg/client"
oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
)
func init() {
admission.RegisterPlugin("BuildByStrategy", func(c clientset.Interface, config io.Reader) (admission.Interface, error) {
return NewBuildByStrategy(), nil
})
}
type buildByStrategy struct {
*admission.Handler
client client.Interface
}
var _ = oadmission.WantsOpenshiftClient(&buildByStrategy{})
var _ = oadmission.Validator(&buildByStrategy{})
// NewBuildByStrategy returns an admission control for builds that checks
// on policy based on the build strategy type
func NewBuildByStrategy() admission.Interface {
return &buildByStrategy{
Handler: admission.NewHandler(admission.Create, admission.Update),
}
}
var (
buildsResource = buildapi.Resource("builds")
buildConfigsResource = buildapi.Resource("buildconfigs")
)
return NewRestrictUsersAdmission(kclient)
})
}
// restrictUsersAdmission implements admission.Interface and enforces
// restrictions on adding rolebindings in a project to permit only designated
// subjects.
type restrictUsersAdmission struct {
*admission.Handler
oclient oclient.Interface
kclient kclientset.Interface
groupCache *usercache.GroupCache
}
var _ = oadmission.WantsOpenshiftClient(&restrictUsersAdmission{})
var _ = oadmission.WantsGroupCache(&restrictUsersAdmission{})
var _ = oadmission.Validator(&restrictUsersAdmission{})
// NewRestrictUsersAdmission configures an admission plugin that enforces
// restrictions on adding role bindings in a project.
func NewRestrictUsersAdmission(kclient kclientset.Interface) (admission.Interface, error) {
return &restrictUsersAdmission{
Handler: admission.NewHandler(admission.Create, admission.Update),
kclient: kclient,
}, nil
}
func (q *restrictUsersAdmission) SetOpenshiftClient(c oclient.Interface) {
q.oclient = c
}
admission.RegisterPlugin(pluginName,
func(kClient clientset.Interface, config io.Reader) (admission.Interface, error) {
return NewOriginResourceQuota(kClient), nil
})
}
// originQuotaAdmission implements an admission controller that can enforce quota constraints on images and image
// streams
type originQuotaAdmission struct {
*admission.Handler
kQuotaAdmission admission.Interface
// must be able to read/write ResourceQuota
kClient clientset.Interface
}
var _ = oadmission.WantsOpenshiftClient(&originQuotaAdmission{})
var _ = oadmission.Validator(&originQuotaAdmission{})
// NewOriginResourceQuota creates a new OriginResourceQuota admission plugin that takes care of admission of
// origin resources abusing resource quota.
func NewOriginResourceQuota(kClient clientset.Interface) admission.Interface {
// defer an initialization of upstream controller until os client is set
return &originQuotaAdmission{
Handler: admission.NewHandler(admission.Create, admission.Update),
kClient: kClient,
}
}
func (a *originQuotaAdmission) Admit(as admission.Attributes) error {
return a.kQuotaAdmission.Admit(as)
}
