@@ -26,7 +26,7 @@ This command launches an instance of the Kubernetes apiserver (kube\-apiserver).

 .PP

 \fB\-\-admission\-control\fP="AlwaysAdmit"

-    Ordered list of plug\-ins to do admission control of resources into cluster. Comma\-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, BuildByStrategy, BuildDefaults, BuildOverrides, ClusterResourceOverride, ClusterResourceQuota, DenyEscalatingExec, DenyExecOnPrivileged, ExternalIPRanger, ImageLimitRange, InitialResources, JenkinsBootstrapper, LimitPodHardAntiAffinityTopology, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, OriginNamespaceLifecycle, OriginPodNodeEnvironment, OriginResourceQuota, PersistentVolumeLabel, PodNodeConstraints, PodSecurityPolicy, ProjectRequestLimit, ResourceQuota, RestrictedEndpointsAdmission, RunOnceDuration, SCCExecRestrictions, SecurityContextConstraint, SecurityContextDeny, ServiceAccount

+    Ordered list of plug\-ins to do admission control of resources into cluster. Comma\-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, BuildByStrategy, BuildDefaults, BuildOverrides, ClusterResourceOverride, ClusterResourceQuota, DenyEscalatingExec, DenyExecOnPrivileged, ExternalIPRanger, ImageLimitRange, ImagePolicy, InitialResources, JenkinsBootstrapper, LimitPodHardAntiAffinityTopology, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, OriginNamespaceLifecycle, OriginPodNodeEnvironment, OriginResourceQuota, PersistentVolumeLabel, PodNodeConstraints, PodSecurityPolicy, ProjectRequestLimit, ResourceQuota, RestrictedEndpointsAdmission, RunOnceDuration, SCCExecRestrictions, SecurityContextConstraint, SecurityContextDeny, ServiceAccount

 .PP

 \fB\-\-admission\-control\-config\-file\fP=""

new file mode 100644

@@ -0,0 +1,40 @@

+package meta

+

+import (

+	"k8s.io/kubernetes/pkg/util/validation/field"

+

+	buildapi "github.com/openshift/origin/pkg/build/api"

+)

+

+type buildSpecMutator struct {

+	spec *buildapi.CommonSpec

+	path *field.Path

+}

+

+func (m *buildSpecMutator) Mutate(fn ImageReferenceMutateFunc) field.ErrorList {

+	var errs field.ErrorList

+	for i, image := range m.spec.Source.Images {

+		if err := fn(&image.From); err != nil {

+			errs = append(errs, field.InternalError(m.path.Child("source", "images").Index(i).Child("from", "name"), err))

+			continue

+		}

+	}

+	if s := m.spec.Strategy.CustomStrategy; s != nil {

+		if err := fn(&s.From); err != nil {

+			errs = append(errs, field.InternalError(m.path.Child("strategy", "customStrategy", "from", "name"), err))

+		}

+	}

+	if s := m.spec.Strategy.DockerStrategy; s != nil {

+		if s.From != nil {

+			if err := fn(s.From); err != nil {

+				errs = append(errs, field.InternalError(m.path.Child("strategy", "dockerStrategy", "from", "name"), err))

+			}

+		}

+	}

+	if s := m.spec.Strategy.SourceStrategy; s != nil {

+		if err := fn(&s.From); err != nil {

+			errs = append(errs, field.InternalError(m.path.Child("strategy", "sourceStrategy", "from", "name"), err))

+		}

+	}

+	return errs

+}

new file mode 100644

@@ -0,0 +1,41 @@

+package meta

+

+import (

+	"fmt"

+

+	kapi "k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/runtime"

+	"k8s.io/kubernetes/pkg/util/validation/field"

+

+	buildapi "github.com/openshift/origin/pkg/build/api"

+)

+

+// ImageReferenceMutateFunc is passed a reference representing an image, and may alter

+// the Name, Kind, and Namespace fields of the reference. If an error is returned the

+// object may still be mutated under the covers.

+type ImageReferenceMutateFunc func(ref *kapi.ObjectReference) error

+

+type ImageReferenceMutator interface {

+	// Mutate invokes fn on every image reference in the object. If fn returns an error,

+	// a field.Error is added to the list to be returned. Mutate does not terminate early

+	// if errors are detected.

+	Mutate(fn ImageReferenceMutateFunc) field.ErrorList

+}

+

+var errNoImageMutator = fmt.Errorf("No list of images available for this object")

+

+// GetImageReferenceMutator returns a mutator for the provided object, or an error if no

+// such mutator is defined.

+func GetImageReferenceMutator(obj runtime.Object) (ImageReferenceMutator, error) {

+	switch t := obj.(type) {

+	case *buildapi.Build:

+		return &buildSpecMutator{spec: &t.Spec.CommonSpec, path: field.NewPath("spec")}, nil

+	case *buildapi.BuildConfig:

+		return &buildSpecMutator{spec: &t.Spec.CommonSpec, path: field.NewPath("spec")}, nil

+	default:

+		if spec, path, err := GetPodSpec(obj); err == nil {

+			return &podSpecMutator{spec: spec, path: path}, nil

+		}

+		return nil, errNoImageMutator

+	}

+}

@@ -79,28 +79,39 @@ func GetPodSpec(obj runtime.Object) (*kapi.PodSpec, *field.Path, error) {

 	return nil, nil, errNoPodSpec

 }

+// podSpecMutator implements the mutation interface over objects with a pod spec.

 type podSpecMutator struct {

 	spec *kapi.PodSpec

 	path *field.Path

 }

+// Mutate applies fn to all containers and init containers. If fn changes the Kind to

+// any value other than "DockerImage", an error is set on that field.

 func (m *podSpecMutator) Mutate(fn ImageReferenceMutateFunc) field.ErrorList {

 	var errs field.ErrorList

 	for i := range m.spec.InitContainers {

-		result, err := fn(m.spec.InitContainers[i].Image)

-		if err != nil {

+		ref := kapi.ObjectReference{Kind: "DockerImage", Name: m.spec.InitContainers[i].Image}

+		if err := fn(&ref); err != nil {

 			errs = append(errs, field.InternalError(m.path.Child("initContainers").Index(i).Child("image"), err))

 			continue

 		}

-		m.spec.InitContainers[i].Image = result

+		if ref.Kind != "DockerImage" {

+			errs = append(errs, field.InternalError(m.path.Child("initContainers").Index(i).Child("image"), fmt.Errorf("pod specs may only contain references to docker images, not %q", ref.Kind)))

+			continue

+		}

+		m.spec.InitContainers[i].Image = ref.Name

 	}

 	for i := range m.spec.Containers {

-		result, err := fn(m.spec.Containers[i].Image)

-		if err != nil {

+		ref := kapi.ObjectReference{Kind: "DockerImage", Name: m.spec.Containers[i].Image}

+		if err := fn(&ref); err != nil {

 			errs = append(errs, field.InternalError(m.path.Child("containers").Index(i).Child("image"), err))

 			continue

 		}

-		m.spec.Containers[i].Image = result

+		if ref.Kind != "DockerImage" {

+			errs = append(errs, field.InternalError(m.path.Child("containers").Index(i).Child("image"), fmt.Errorf("pod specs may only contain references to docker images, not %q", ref.Kind)))

+			continue

+		}

+		m.spec.Containers[i].Image = ref.Name

 	}

 	return errs

 }

@@ -13,6 +13,7 @@ import (

 	_ "github.com/openshift/origin/pkg/build/admission/defaults/api/install"

 	_ "github.com/openshift/origin/pkg/build/admission/overrides/api/install"

+	_ "github.com/openshift/origin/pkg/image/admission/imagepolicy/api/install"

 	_ "github.com/openshift/origin/pkg/project/admission/requestlimit/api/install"

 	_ "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api/install"

 	_ "github.com/openshift/origin/pkg/quota/admission/runonceduration/api/install"

@@ -11,6 +11,7 @@ import (

 	kapi "k8s.io/kubernetes/pkg/api"

 	"k8s.io/kubernetes/pkg/api/meta"

 	"k8s.io/kubernetes/pkg/api/unversioned"

+	"k8s.io/kubernetes/pkg/labels"

 	"k8s.io/kubernetes/pkg/runtime"

 	"k8s.io/kubernetes/pkg/runtime/serializer"

 	"k8s.io/kubernetes/pkg/types"

@@ -19,6 +20,7 @@ import (

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

 	configapiv1 "github.com/openshift/origin/pkg/cmd/server/api/v1"

 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"

+	imagepolicyapi "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"

 	podnodeapi "github.com/openshift/origin/pkg/scheduler/admission/podnodeconstraints/api"

 	// install all APIs

@@ -280,6 +282,17 @@ func fuzzInternalObject(t *testing.T, forVersion unversioned.GroupVersion, item

 				obj.NodeSelectorLabelBlacklist = []string{"kubernetes.io/hostname"}

 			}

 		},

+		func(obj *labels.Selector, c fuzz.Continue) {

+		},

+		func(obj *imagepolicyapi.ImagePolicyConfig, c fuzz.Continue) {

+			c.FuzzNoCustom(obj)

+			for i := range obj.ExecutionRules {

+				if len(obj.ExecutionRules[i].OnResources) == 0 {

+					obj.ExecutionRules[i].OnResources = []unversioned.GroupResource{{Resource: "pods"}}

+				}

+				obj.ExecutionRules[i].MatchImageLabelSelectors = nil

+			}

+		},

 		func(obj *configapi.GrantConfig, c fuzz.Continue) {

 			c.FuzzNoCustom(obj)

 			if len(obj.ServiceAccountMethod) == 0 {

@@ -324,6 +324,7 @@ var (

 		overrideapi.PluginName,

 		serviceadmit.ExternalIPPluginName,

 		serviceadmit.RestrictedEndpointsPluginName,

+		imagepolicy.PluginName,

 		"LimitRanger",

 		"ServiceAccount",

 		"SecurityContextConstraint",

@@ -356,6 +357,7 @@ var (

 		overrideapi.PluginName,

 		serviceadmit.ExternalIPPluginName,

 		serviceadmit.RestrictedEndpointsPluginName,

+		imagepolicy.PluginName,

 		"LimitRanger",

 		"ServiceAccount",

 		"SecurityContextConstraint",

@@ -12,6 +12,7 @@ import (

 	_ "github.com/openshift/origin/pkg/build/admission/overrides"

 	_ "github.com/openshift/origin/pkg/build/admission/strategyrestrictions"

 	_ "github.com/openshift/origin/pkg/image/admission"

+	_ "github.com/openshift/origin/pkg/image/admission/imagepolicy"

 	_ "github.com/openshift/origin/pkg/project/admission/lifecycle"

 	_ "github.com/openshift/origin/pkg/project/admission/nodeenv"

 	_ "github.com/openshift/origin/pkg/project/admission/requestlimit"

new file mode 100644

@@ -0,0 +1,107 @@

+package imagepolicy

+

+import (

+	"fmt"

+

+	"github.com/golang/glog"

+

+	"k8s.io/kubernetes/pkg/admission"

+	kapi "k8s.io/kubernetes/pkg/api"

+	apierrs "k8s.io/kubernetes/pkg/api/errors"

+	"k8s.io/kubernetes/pkg/util/sets"

+	"k8s.io/kubernetes/pkg/util/validation/field"

+

+	"github.com/openshift/origin/pkg/api/meta"

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/rules"

+)

+

+var errRejectByPolicy = fmt.Errorf("this image is prohibited by policy")

+

+type policyDecisions map[kapi.ObjectReference]policyDecision

+

+type policyDecision struct {

+	attrs  *rules.ImagePolicyAttributes

+	tested bool

+	err    error

+}

+

+func accept(accepter rules.Accepter, resolver imageResolver, m meta.ImageReferenceMutator, attr admission.Attributes, excludedRules sets.String) error {

+	var decisions policyDecisions

+

+	gr := attr.GetResource().GroupResource()

+	requiresImage := accepter.RequiresImage(gr)

+	resolvesImage := accepter.ResolvesImage(gr)

+

+	errs := m.Mutate(func(ref *kapi.ObjectReference) error {

+		// create the attribute set for this particular reference, if we have never seen the reference

+		// before

+		decision, ok := decisions[*ref]

+		if !ok {

+			var attrs *rules.ImagePolicyAttributes

+			var err error

+			if requiresImage || resolvesImage {

+				// convert the incoming reference into attributes to pass to the accepter

+				attrs, err = resolver.ResolveObjectReference(ref, attr.GetNamespace())

+			}

+			// if the incoming reference is of a Kind that needed a lookup, but that lookup failed,

+			// use the most generic policy rule here because we don't even know the image name

+			if attrs == nil {

+				attrs = &rules.ImagePolicyAttributes{}

+			}

+			attrs.Resource = gr

+			attrs.ExcludedRules = excludedRules

+

+			decision.attrs = attrs

+			decision.err = err

+		}

+

+		// we only need to test a given input once for acceptance

+		if !decision.tested {

+			accepted := accepter.Accepts(decision.attrs)

+			glog.V(5).Infof("Made decision for %v (as: %v, err: %v): %t", ref, decision.attrs.Name, decision.err, accepted)

+

+			// remember this decision for any identical reference

+			if decisions == nil {

+				decisions = make(policyDecisions)

+			}

+			decision.tested = true

+			decisions[*ref] = decision

+

+			if !accepted {

+				// if the image is rejected, return the resolution error, if any

+				if decision.err != nil {

+					return decision.err

+				}

+				return errRejectByPolicy

+			}

+		}

+

+		// if resolution was requested, and no error was present, transform the

+		// reference back into a string to a DockerImage

+		if resolvesImage && decision.err == nil {

+			ref.Namespace = ""

+			ref.Name = decision.attrs.Name.Exact()

+			ref.Kind = "DockerImage"

+		}

+

+		if decision.err != nil {

+			glog.V(5).Infof("Ignored resolution error for %v: %v", ref, decision.err)

+		}

+

+		return nil

+	})

+

+	for i := range errs {

+		errs[i].Type = field.ErrorTypeForbidden

+		if errs[i].Detail != errRejectByPolicy.Error() {

+			errs[i].Detail = fmt.Sprintf("this image is prohibited by policy: %s", errs[i].Detail)

+		}

+	}

+

+	if len(errs) > 0 {

+		glog.V(5).Infof("failed to create: %v", errs)

+		return apierrs.NewInvalid(attr.GetKind().GroupKind(), attr.GetName(), errs)

+	}

+	glog.V(5).Infof("allowed: %#v", attr)

+	return nil

+}

new file mode 100644

@@ -0,0 +1,41 @@

+package install

+

+import (

+	"github.com/golang/glog"

+

+	"k8s.io/kubernetes/pkg/api/unversioned"

+

+	configapi "github.com/openshift/origin/pkg/cmd/server/api"

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api/v1"

+)

+

+// availableVersions lists all known external versions for this group from most preferred to least preferred

+var availableVersions = []unversioned.GroupVersion{v1.SchemeGroupVersion}

+

+func init() {

+	if err := enableVersions(availableVersions); err != nil {

+		panic(err)

+	}

+}

+

+// TODO: enableVersions should be centralized rather than spread in each API group.

+func enableVersions(externalVersions []unversioned.GroupVersion) error {

+	addVersionsToScheme(externalVersions...)

+	return nil

+}

+

+func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {

+	// add the internal version to Scheme

+	api.AddToScheme(configapi.Scheme)

+	// add the enabled external versions to Scheme

+	for _, v := range externalVersions {

+		switch v {

+		case v1.SchemeGroupVersion:

+			v1.AddToScheme(configapi.Scheme)

+		default:

+			glog.Errorf("Version %s is not known, so it will not be added to the Scheme.", v)

+			continue

+		}

+	}

+}

new file mode 100644

@@ -0,0 +1,4 @@

+package api

+

+const PluginName = "ImagePolicy"

+const ConfigKind = "ImagePolicyConfig"

new file mode 100644

@@ -0,0 +1,17 @@

+package api

+

+import (

+	"k8s.io/kubernetes/pkg/api/unversioned"

+	"k8s.io/kubernetes/pkg/runtime"

+)

+

+var SchemeGroupVersion = unversioned.GroupVersion{Group: "", Version: runtime.APIVersionInternal}

+

+// Adds the list of known types to api.Scheme.

+func AddToScheme(scheme *runtime.Scheme) {

+	scheme.AddKnownTypes(SchemeGroupVersion,

+		&ImagePolicyConfig{},

+	)

+}

+

+func (obj *ImagePolicyConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }

new file mode 100644

@@ -0,0 +1,79 @@

+package api

+

+import (

+	"k8s.io/kubernetes/pkg/api/unversioned"

+	"k8s.io/kubernetes/pkg/labels"

+)

+

+// IgnorePolicyRulesAnnotation is a comma delimited list of rule names to omit from consideration

+// in a given namespace. Loaded from the namespace.

+const IgnorePolicyRulesAnnotation = "alpha.image.policy.openshift.io/ignore-rules"

+

+// ImagePolicyConfig is the configuration for controlling how images are used in the cluster.

+type ImagePolicyConfig struct {

+	unversioned.TypeMeta

+

+	// ExecutionRules determine whether the use of an image is allowed in an object with a pod spec.

+	// By default, these rules only apply to pods, but may be extended to other resource types.

+	ExecutionRules []ImageExecutionPolicyRule

+}

+

+// ImageExecutionPolicyRule determines whether a provided image may be used on the platform.

+type ImageExecutionPolicyRule struct {

+	ImageCondition

+

+	// Resolve indicates that images referenced by this resource must be resolved

+	Resolve bool

+

+	// Reject means this rule, if it matches the condition, will cause an immediate failure. No

+	// other rules will be considered.

+	Reject bool

+}

+

+// ImageCondition defines the conditions for matching a particular image source. The conditions below

+// are all required (logical AND). If Reject is specified, the condition is false if all conditions match,

+// and true otherwise.

+type ImageCondition struct {

+	// Name is the name of this policy rule for reference. It must be unique across all rules.

+	Name string

+	// IgnoreNamespaceOverride prevents this condition from being overriden when the

+	// `alpha.image.policy.openshift.io/ignore-rules` is set on a namespace and contains this rule name.

+	IgnoreNamespaceOverride bool

+

+	// OnResources determines which resources this applies to. Defaults to 'pods' for ImageExecutionPolicyRules.

+	OnResources []unversioned.GroupResource

+

+	// InvertMatch means the value of the condition is logically inverted (true -> false, false -> true).

+	InvertMatch bool

+

+	// MatchIntegratedRegistry will only match image sources that originate from the configured integrated

+	// registry.

+	MatchIntegratedRegistry bool

+	// MatchRegistries will match image references that point to the provided registries. If any of the listed

+	// registries match, this condition is satisfied.

+	MatchRegistries []string

+

+	// AllowResolutionFailure allows the subsequent conditions to be bypassed if the integrated registry does

+	// not have access to image metadata (no image exists matching the image digest).

+	AllowResolutionFailure bool

+

+	// MatchDockerImageLabels checks against the resolved image for the presence of a Docker label. All conditions

+	// must match.

+	MatchDockerImageLabels []ValueCondition

+	// MatchImageLabels checks against the resolved image for a label. All conditions must match.

+	MatchImageLabels []unversioned.LabelSelector

+	// MatchImageLabelSelectors is the processed form of MatchImageLabels. All conditions must match.

+	MatchImageLabelSelectors []labels.Selector

+	// MatchImageAnnotations checks against the resolved image for an annotation. All conditions must match.

+	MatchImageAnnotations []ValueCondition

+}

+

+// ValueCondition reflects whether the following key in a map is set or has a given value.

+type ValueCondition struct {

+	// Key is the name of a key in a map to retrieve.

+	Key string

+	// Set indicates the provided key exists in the map. This field is exclusive with Value.

+	Set bool

+	// Value indicates the provided key has the given value. This field is exclusive with Set.

+	Value string

+}

new file mode 100644

@@ -0,0 +1,20 @@

+kind: ImagePolicyConfig

+apiVersion: v1

+executionRules:

+- name: execution-denied

+  # Reject all images that have the annotation images.openshift.io/deny-execution set to true.

+  # This annotation may be set by infrastructure that wishes to flag particular images as dangerous

+  onResources:

+  - resource: pods

+  - resource: builds

+  reject: true

+  matchImageAnnotations:

+  - key: images.openshift.io/deny-execution

+    value: "true"

+  allowResolutionFailure: true

+# To require that all images running on the platform be imported first, you may uncomment the

+# following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it

+# unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that

+# digest has been imported via the import-image flow.

+#- name: require-imported-images

+#  allowResolutionFailure: false

new file mode 100644

@@ -0,0 +1,41 @@

+package v1

+

+import (

+	kapi "k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/api/unversioned"

+	"k8s.io/kubernetes/pkg/conversion"

+	"k8s.io/kubernetes/pkg/runtime"

+

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"

+)

+

+// SchemeGroupVersion is group version used to register these objects

+var SchemeGroupVersion = unversioned.GroupVersion{Group: "", Version: "v1"}

+

+// Adds the list of known types to api.Scheme.

+func AddToScheme(scheme *runtime.Scheme) {

+	scheme.AddKnownTypes(SchemeGroupVersion,

+		&ImagePolicyConfig{},

+	)

+	scheme.AddDefaultingFuncs(

+		func(c *ImagePolicyConfig) {

+			for i := range c.ExecutionRules {

+				if len(c.ExecutionRules[i].OnResources) == 0 {

+					c.ExecutionRules[i].OnResources = []GroupResource{{Resource: "pods", Group: kapi.GroupName}}

+				}

+			}

+		},

+	)

+	scheme.AddConversionFuncs(

+		// TODO: remove when MatchSignatures is implemented

+		func(in *ImageCondition, out *api.ImageCondition, s conversion.Scope) error {

+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)

+		},

+		// TODO: remove when ConsumptionRules and PlacementRules are implemented

+		func(in *ImagePolicyConfig, out *api.ImagePolicyConfig, s conversion.Scope) error {

+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)

+		},

+	)

+}

+

+func (obj *ImagePolicyConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }

new file mode 100644

@@ -0,0 +1,64 @@

+package v1

+

+// This file contains methods that can be used by the go-restful package to generate Swagger

+// documentation for the object types found in 'types.go' This file is automatically generated

+// by hack/update-generated-swagger-descriptions.sh and should be run after a full build of OpenShift.

+// ==== DO NOT EDIT THIS FILE MANUALLY ====

+

+var map_GroupResource = map[string]string{

+	"":         "GroupResource represents a resource in a specific group.",

+	"resource": "Resource is the name of an admission resource to process, e.g. 'petsets'.",

+	"group":    "Group is the name of the group the resource is in, e.g. 'apps'.",

+}

+

+func (GroupResource) SwaggerDoc() map[string]string {

+	return map_GroupResource

+}

+

+var map_ImageCondition = map[string]string{

+	"":     "ImageCondition defines the conditions for matching a particular image source. The conditions below are all required (logical AND). If Reject is specified, the condition is false if all conditions match, and true otherwise.",

+	"name": "Name is the name of this policy rule for reference. It must be unique across all rules.",

+	"ignoreNamespaceOverride": "IgnoreNamespaceOverride prevents this condition from being overriden when the `alpha.image.policy.openshift.io/ignore-rules` is set on a namespace and contains this rule name.",

+	"onResources":             "OnResources determines which resources this applies to. Defaults to 'pods' for ImageExecutionPolicyRules.",

+	"invertMatch":             "InvertMatch means the value of the condition is logically inverted (true -> false, false -> true).",

+	"matchIntegratedRegistry": "MatchIntegratedRegistry will only match image sources that originate from the configured integrated registry.",

+	"matchRegistries":         "MatchRegistries will match image references that point to the provided registries. The image registry must match at least one of these strings.",

+	"allowResolutionFailure":  "AllowResolutionFailure allows the subsequent conditions to be bypassed if the integrated registry does not have access to image metadata (no image exists matching the image digest).",

+	"matchDockerImageLabels":  "MatchDockerImageLabels checks against the resolved image for the presence of a Docker label. All conditions must match.",

+	"matchImageLabels":        "MatchImageLabels checks against the resolved image for a label. All conditions must match.",

+	"matchImageAnnotations":   "MatchImageAnnotations checks against the resolved image for an annotation. All conditions must match.",

+}

+

+func (ImageCondition) SwaggerDoc() map[string]string {

+	return map_ImageCondition

+}

+

+var map_ImageExecutionPolicyRule = map[string]string{

+	"":        "ImageExecutionPolicyRule determines whether a provided image may be used on the platform.",

+	"resolve": "Resolve indicates that images referenced by this resource must be resolved",

+	"reject":  "Reject means this rule, if it matches the condition, will cause an immediate failure. No other rules will be considered.",

+}

+

+func (ImageExecutionPolicyRule) SwaggerDoc() map[string]string {

+	return map_ImageExecutionPolicyRule

+}

+

+var map_ImagePolicyConfig = map[string]string{

+	"":               "ImagePolicyConfig is the configuration for control of images running on the platform.",

+	"executionRules": "ExecutionRules determine whether the use of an image is allowed in an object with a pod spec. By default, these rules only apply to pods, but may be extended to other resource types. If all execution rules are negations, the default behavior is allow all. If any execution rule is an allow, the default behavior is to reject all.",

+}

+

+func (ImagePolicyConfig) SwaggerDoc() map[string]string {

+	return map_ImagePolicyConfig

+}

+

+var map_ValueCondition = map[string]string{

+	"":      "ValueCondition reflects whether the following key in a map is set or has a given value.",

+	"key":   "Key is the name of a key in a map to retrieve.",

+	"set":   "Set indicates the provided key exists in the map. This field is exclusive with Value.",

+	"value": "Value indicates the provided key has the given value. This field is exclusive with Set.",

+}

+

+func (ValueCondition) SwaggerDoc() map[string]string {

+	return map_ValueCondition

+}

new file mode 100644

@@ -0,0 +1,82 @@

+package v1

+

+import (

+	"k8s.io/kubernetes/pkg/api/unversioned"

+)

+

+// ImagePolicyConfig is the configuration for control of images running on the platform.

+type ImagePolicyConfig struct {

+	unversioned.TypeMeta `json:",inline"`

+

+	// ExecutionRules determine whether the use of an image is allowed in an object with a pod spec.

+	// By default, these rules only apply to pods, but may be extended to other resource types.

+	// If all execution rules are negations, the default behavior is allow all. If any execution rule

+	// is an allow, the default behavior is to reject all.

+	ExecutionRules []ImageExecutionPolicyRule `json:"executionRules"`

+}

+

+// ImageExecutionPolicyRule determines whether a provided image may be used on the platform.

+type ImageExecutionPolicyRule struct {

+	ImageCondition `json:",inline"`

+

+	// Resolve indicates that images referenced by this resource must be resolved

+	Resolve bool `json:"resolve"`

+

+	// Reject means this rule, if it matches the condition, will cause an immediate failure. No

+	// other rules will be considered.

+	Reject bool `json:"reject"`

+}

+

+// GroupResource represents a resource in a specific group.

+type GroupResource struct {

+	// Resource is the name of an admission resource to process, e.g. 'petsets'.

+	Resource string `json:"resource"`

+	// Group is the name of the group the resource is in, e.g. 'apps'.

+	Group string `json:"group"`

+}

+

+// ImageCondition defines the conditions for matching a particular image source. The conditions below

+// are all required (logical AND). If Reject is specified, the condition is false if all conditions match,

+// and true otherwise.

+type ImageCondition struct {

+	// Name is the name of this policy rule for reference. It must be unique across all rules.

+	Name string `json:"name"`

+	// IgnoreNamespaceOverride prevents this condition from being overriden when the

+	// `alpha.image.policy.openshift.io/ignore-rules` is set on a namespace and contains this rule name.

+	IgnoreNamespaceOverride bool `json:"ignoreNamespaceOverride"`

+

+	// OnResources determines which resources this applies to. Defaults to 'pods' for ImageExecutionPolicyRules.

+	OnResources []GroupResource `json:"onResources"`

+

+	// InvertMatch means the value of the condition is logically inverted (true -> false, false -> true).

+	InvertMatch bool `json:"invertMatch"`

+

+	// MatchIntegratedRegistry will only match image sources that originate from the configured integrated

+	// registry.

+	MatchIntegratedRegistry bool `json:"matchIntegratedRegistry"`

+	// MatchRegistries will match image references that point to the provided registries. The image registry

+	// must match at least one of these strings.

+	MatchRegistries []string `json:"matchRegistries"`

+

+	// AllowResolutionFailure allows the subsequent conditions to be bypassed if the integrated registry does

+	// not have access to image metadata (no image exists matching the image digest).

+	AllowResolutionFailure bool `json:"allowResolutionFailure"`

+

+	// MatchDockerImageLabels checks against the resolved image for the presence of a Docker label. All

+	// conditions must match.

+	MatchDockerImageLabels []ValueCondition `json:"matchDockerImageLabels"`

+	// MatchImageLabels checks against the resolved image for a label. All conditions must match.

+	MatchImageLabels []unversioned.LabelSelector `json:"matchImageLabels"`

+	// MatchImageAnnotations checks against the resolved image for an annotation. All conditions must match.

+	MatchImageAnnotations []ValueCondition `json:"matchImageAnnotations"`

+}

+

+// ValueCondition reflects whether the following key in a map is set or has a given value.

+type ValueCondition struct {

+	// Key is the name of a key in a map to retrieve.

+	Key string `json:"key"`

+	// Set indicates the provided key exists in the map. This field is exclusive with Value.

+	Set bool `json:"set"`

+	// Value indicates the provided key has the given value. This field is exclusive with Set.

+	Value string `json:"value"`

+}

new file mode 100644

@@ -0,0 +1,30 @@

+package validation

+

+import (

+	"k8s.io/kubernetes/pkg/api/unversioned"

+	"k8s.io/kubernetes/pkg/util/sets"

+	"k8s.io/kubernetes/pkg/util/validation/field"

+

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"

+)

+

+func Validate(config *api.ImagePolicyConfig) field.ErrorList {

+	allErrs := field.ErrorList{}

+	if config == nil {

+		return allErrs

+	}

+	names := sets.NewString()

+	for i, rule := range config.ExecutionRules {

+		if names.Has(rule.Name) {

+			allErrs = append(allErrs, field.Duplicate(field.NewPath(api.PluginName, "executionRules").Index(i).Child("name"), rule.Name))

+		}

+		names.Insert(rule.Name)

+		for j, selector := range rule.MatchImageLabels {

+			_, err := unversioned.LabelSelectorAsSelector(&selector)

+			if err != nil {

+				allErrs = append(allErrs, field.Invalid(field.NewPath(api.PluginName, "executionRules").Index(i).Child("matchImageLabels").Index(j), nil, err.Error()))

+			}

+		}

+	}

+	return allErrs

+}

new file mode 100644

@@ -0,0 +1,49 @@

+package validation

+

+import (

+	"testing"

+

+	"k8s.io/kubernetes/pkg/api/unversioned"

+

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"

+)

+

+func TestValidation(t *testing.T) {

+	if errs := Validate(&api.ImagePolicyConfig{}); len(errs) != 0 {

+		t.Fatal(errs)

+	}

+	if errs := Validate(&api.ImagePolicyConfig{

+		ExecutionRules: []api.ImageExecutionPolicyRule{

+			{

+				ImageCondition: api.ImageCondition{

+					MatchImageLabels: []unversioned.LabelSelector{

+						{MatchLabels: map[string]string{"test": "other"}},

+					},

+				},

+			},

+		},

+	}); len(errs) != 0 {

+		t.Fatal(errs)

+	}

+	if errs := Validate(&api.ImagePolicyConfig{

+		ExecutionRules: []api.ImageExecutionPolicyRule{

+			{

+				ImageCondition: api.ImageCondition{

+					MatchImageLabels: []unversioned.LabelSelector{

+						{MatchLabels: map[string]string{"": ""}},

+					},

+				},

+			},

+		},

+	}); len(errs) == 0 {

+		t.Fatal(errs)

+	}

+	if errs := Validate(&api.ImagePolicyConfig{

+		ExecutionRules: []api.ImageExecutionPolicyRule{

+			{ImageCondition: api.ImageCondition{Name: "test"}},

+			{ImageCondition: api.ImageCondition{Name: "test"}},

+		},

+	}); len(errs) == 0 {

+		t.Fatal(errs)

+	}

+}

new file mode 100644

@@ -0,0 +1,312 @@

+package imagepolicy

+

+import (

+	"fmt"

+	"io"

+	"strings"

+	"time"

+

+	"github.com/golang/glog"

+	lru "github.com/hashicorp/golang-lru"

+

+	"k8s.io/kubernetes/pkg/admission"

+	kapi "k8s.io/kubernetes/pkg/api"

+	apierrs "k8s.io/kubernetes/pkg/api/errors"

+	"k8s.io/kubernetes/pkg/api/unversioned"

+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"

+	"k8s.io/kubernetes/pkg/util/sets"

+

+	"github.com/openshift/origin/pkg/api/meta"

+	"github.com/openshift/origin/pkg/client"

+	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"

+	configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api/validation"

+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/rules"

+	imageapi "github.com/openshift/origin/pkg/image/api"

+	"github.com/openshift/origin/pkg/project/cache"

+)

+

+func init() {

+	admission.RegisterPlugin(api.PluginName, func(client clientset.Interface, input io.Reader) (admission.Interface, error) {

+		obj, err := configlatest.ReadYAML(input)

+		if err != nil {

+			return nil, err

+		}

+		if obj == nil {

+			return nil, nil

+		}

+		config, ok := obj.(*api.ImagePolicyConfig)

+		if !ok {

+			return nil, fmt.Errorf("unexpected config object: %#v", obj)

+		}

+		if errs := validation.Validate(config); len(errs) > 0 {

+			return nil, errs.ToAggregate()

+		}

+		glog.V(5).Infof("%s admission controller loaded with config: %#v", api.PluginName, config)

+		return newImagePolicyPlugin(client, config)

+	})

+}

+

+type imagePolicyPlugin struct {

+	*admission.Handler

+	config *api.ImagePolicyConfig

+	client client.Interface

+

+	accepter rules.Accepter

+

+	integratedRegistryMatcher integratedRegistryMatcher

+

+	resolveGroupResources []unversioned.GroupResource

+

+	projectCache *cache.ProjectCache

+	resolver     imageResolver

+}

+

+var _ = oadmission.WantsOpenshiftClient(&imagePolicyPlugin{})

+var _ = oadmission.Validator(&imagePolicyPlugin{})

+var _ = oadmission.WantsDefaultRegistryFunc(&imagePolicyPlugin{})

+

+type integratedRegistryMatcher struct {

+	rules.RegistryMatcher

+}

+

+// imageResolver abstracts identifying an image for a particular reference.

+type imageResolver interface {

+	ResolveObjectReference(ref *kapi.ObjectReference, defaultNamespace string) (*rules.ImagePolicyAttributes, error)

+}

+

+// imagePolicyPlugin returns an admission controller for pods that controls what images are allowed to run on the

+// cluster.

+func newImagePolicyPlugin(client clientset.Interface, parsed *api.ImagePolicyConfig) (*imagePolicyPlugin, error) {

+	m := integratedRegistryMatcher{

+		RegistryMatcher: rules.NewRegistryMatcher(nil),

+	}

+	accepter, err := rules.NewExecutionRulesAccepter(parsed.ExecutionRules, m)

+	if err != nil {

+		return nil, err

+	}

+