Merge pull request #233 from leonnicolas/validation-webhook
Validation webhook
This commit is contained in:
commit
6b93cc2ad9
@ -1,4 +1,4 @@
|
||||
// Copyright 2019 the Kilo authors
|
||||
// Copyright 2021 the Kilo authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
|
186
cmd/kg/main.go
186
cmd/kg/main.go
@ -1,4 +1,4 @@
|
||||
// Copyright 2019 the Kilo authors
|
||||
// Copyright 2021 the Kilo authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
@ -30,7 +30,7 @@ import (
|
||||
"github.com/oklog/run"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||
flag "github.com/spf13/pflag"
|
||||
"github.com/spf13/cobra"
|
||||
apiextensions "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
@ -78,52 +78,75 @@ var (
|
||||
}, ", ")
|
||||
)
|
||||
|
||||
// Main is the principal function for the binary, wrapped only by `main` for convenience.
|
||||
func Main() error {
|
||||
backend := flag.String("backend", k8s.Backend, fmt.Sprintf("The backend for the mesh. Possible values: %s", availableBackends))
|
||||
cleanUpIface := flag.Bool("clean-up-interface", false, "Should Kilo delete its interface when it shuts down?")
|
||||
createIface := flag.Bool("create-interface", true, "Should kilo create an interface on startup?")
|
||||
cni := flag.Bool("cni", true, "Should Kilo manage the node's CNI configuration?")
|
||||
cniPath := flag.String("cni-path", mesh.DefaultCNIPath, "Path to CNI config.")
|
||||
compatibility := flag.String("compatibility", "", fmt.Sprintf("Should Kilo run in compatibility mode? Possible values: %s", availableCompatibilities))
|
||||
encapsulate := flag.String("encapsulate", string(encapsulation.Always), fmt.Sprintf("When should Kilo encapsulate packets within a location? Possible values: %s", availableEncapsulations))
|
||||
granularity := flag.String("mesh-granularity", string(mesh.LogicalGranularity), fmt.Sprintf("The granularity of the network mesh to create. Possible values: %s", availableGranularities))
|
||||
kubeconfig := flag.String("kubeconfig", "", "Path to kubeconfig.")
|
||||
hostname := flag.String("hostname", "", "Hostname of the node on which this process is running.")
|
||||
iface := flag.String("interface", mesh.DefaultKiloInterface, "Name of the Kilo interface to use; if it does not exist, it will be created.")
|
||||
listen := flag.String("listen", ":1107", "The address at which to listen for health and metrics.")
|
||||
local := flag.Bool("local", true, "Should Kilo manage routes within a location?")
|
||||
logLevel := flag.String("log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels))
|
||||
master := flag.String("master", "", "The address of the Kubernetes API server (overrides any value in kubeconfig).")
|
||||
mtu := flag.Uint("mtu", wireguard.DefaultMTU, "The MTU of the WireGuard interface created by Kilo.")
|
||||
topologyLabel := flag.String("topology-label", k8s.RegionLabelKey, "Kubernetes node label used to group nodes into logical locations.")
|
||||
var port uint
|
||||
flag.UintVar(&port, "port", mesh.DefaultKiloPort, "The port over which WireGuard peers should communicate.")
|
||||
subnet := flag.String("subnet", mesh.DefaultKiloSubnet.String(), "CIDR from which to allocate addresses for WireGuard interfaces.")
|
||||
resyncPeriod := flag.Duration("resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?")
|
||||
printVersion := flag.Bool("version", false, "Print version and exit")
|
||||
flag.Parse()
|
||||
var cmd = &cobra.Command{
|
||||
Use: "kg",
|
||||
Short: "kg is the Kilo agent",
|
||||
Long: `kg is the Kilo agent.
|
||||
It runs on every node of a cluster,
|
||||
setting up the public and private keys for the VPN
|
||||
as well as the necessary rules to route packets between locations.`,
|
||||
PreRunE: preRun,
|
||||
RunE: runRoot,
|
||||
SilenceUsage: true,
|
||||
SilenceErrors: true,
|
||||
}
|
||||
|
||||
if *printVersion {
|
||||
fmt.Println(version.Version)
|
||||
return nil
|
||||
}
|
||||
var (
|
||||
backend string
|
||||
cleanUpIface bool
|
||||
createIface bool
|
||||
cni bool
|
||||
cniPath string
|
||||
compatibility string
|
||||
encapsulate string
|
||||
granularity string
|
||||
hostname string
|
||||
kubeconfig string
|
||||
iface string
|
||||
listen string
|
||||
local bool
|
||||
master string
|
||||
mtu uint
|
||||
topologyLabel string
|
||||
port uint
|
||||
subnet string
|
||||
resyncPeriod time.Duration
|
||||
|
||||
_, s, err := net.ParseCIDR(*subnet)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to parse %q as CIDR: %v", *subnet, err)
|
||||
}
|
||||
printVersion bool
|
||||
logLevel string
|
||||
|
||||
if *hostname == "" {
|
||||
var err error
|
||||
*hostname, err = os.Hostname()
|
||||
if *hostname == "" || err != nil {
|
||||
return errors.New("failed to determine hostname")
|
||||
}
|
||||
}
|
||||
logger log.Logger
|
||||
registry *prometheus.Registry
|
||||
)
|
||||
|
||||
logger := log.NewJSONLogger(log.NewSyncWriter(os.Stdout))
|
||||
switch *logLevel {
|
||||
func init() {
|
||||
cmd.Flags().StringVar(&backend, "backend", k8s.Backend, fmt.Sprintf("The backend for the mesh. Possible values: %s", availableBackends))
|
||||
cmd.Flags().BoolVar(&cleanUpIface, "clean-up-interface", false, "Should Kilo delete its interface when it shuts down?")
|
||||
cmd.Flags().BoolVar(&createIface, "create-interface", true, "Should kilo create an interface on startup?")
|
||||
cmd.Flags().BoolVar(&cni, "cni", true, "Should Kilo manage the node's CNI configuration?")
|
||||
cmd.Flags().StringVar(&cniPath, "cni-path", mesh.DefaultCNIPath, "Path to CNI config.")
|
||||
cmd.Flags().StringVar(&compatibility, "compatibility", "", fmt.Sprintf("Should Kilo run in compatibility mode? Possible values: %s", availableCompatibilities))
|
||||
cmd.Flags().StringVar(&encapsulate, "encapsulate", string(encapsulation.Always), fmt.Sprintf("When should Kilo encapsulate packets within a location? Possible values: %s", availableEncapsulations))
|
||||
cmd.Flags().StringVar(&granularity, "mesh-granularity", string(mesh.LogicalGranularity), fmt.Sprintf("The granularity of the network mesh to create. Possible values: %s", availableGranularities))
|
||||
cmd.Flags().StringVar(&kubeconfig, "kubeconfig", "", "Path to kubeconfig.")
|
||||
cmd.Flags().StringVar(&hostname, "hostname", "", "Hostname of the node on which this process is running.")
|
||||
cmd.Flags().StringVar(&iface, "interface", mesh.DefaultKiloInterface, "Name of the Kilo interface to use; if it does not exist, it will be created.")
|
||||
cmd.Flags().StringVar(&listen, "listen", ":1107", "The address at which to listen for health and metrics.")
|
||||
cmd.Flags().BoolVar(&local, "local", true, "Should Kilo manage routes within a location?")
|
||||
cmd.Flags().StringVar(&master, "master", "", "The address of the Kubernetes API server (overrides any value in kubeconfig).")
|
||||
cmd.Flags().UintVar(&mtu, "mtu", wireguard.DefaultMTU, "The MTU of the WireGuard interface created by Kilo.")
|
||||
cmd.Flags().StringVar(&topologyLabel, "topology-label", k8s.RegionLabelKey, "Kubernetes node label used to group nodes into logical locations.")
|
||||
cmd.Flags().UintVar(&port, "port", mesh.DefaultKiloPort, "The port over which WireGuard peers should communicate.")
|
||||
cmd.Flags().StringVar(&subnet, "subnet", mesh.DefaultKiloSubnet.String(), "CIDR from which to allocate addresses for WireGuard interfaces.")
|
||||
cmd.Flags().DurationVar(&resyncPeriod, "resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?")
|
||||
|
||||
cmd.PersistentFlags().BoolVar(&printVersion, "version", false, "Print version and exit")
|
||||
cmd.PersistentFlags().StringVar(&logLevel, "log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels))
|
||||
}
|
||||
|
||||
func preRun(_ *cobra.Command, _ []string) error {
|
||||
logger = log.NewJSONLogger(log.NewSyncWriter(os.Stdout))
|
||||
switch logLevel {
|
||||
case logLevelAll:
|
||||
logger = level.NewFilter(logger, level.AllowAll())
|
||||
case logLevelDebug:
|
||||
@ -137,73 +160,97 @@ func Main() error {
|
||||
case logLevelNone:
|
||||
logger = level.NewFilter(logger, level.AllowNone())
|
||||
default:
|
||||
return fmt.Errorf("log level %v unknown; possible values are: %s", *logLevel, availableLogLevels)
|
||||
return fmt.Errorf("log level %v unknown; possible values are: %s", logLevel, availableLogLevels)
|
||||
}
|
||||
logger = log.With(logger, "ts", log.DefaultTimestampUTC)
|
||||
logger = log.With(logger, "caller", log.DefaultCaller)
|
||||
|
||||
e := encapsulation.Strategy(*encapsulate)
|
||||
registry = prometheus.NewRegistry()
|
||||
registry.MustRegister(
|
||||
prometheus.NewGoCollector(),
|
||||
prometheus.NewProcessCollector(prometheus.ProcessCollectorOpts{}),
|
||||
)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// runRoot is the principal function for the binary.
|
||||
func runRoot(_ *cobra.Command, _ []string) error {
|
||||
if printVersion {
|
||||
fmt.Println(version.Version)
|
||||
return nil
|
||||
}
|
||||
|
||||
_, s, err := net.ParseCIDR(subnet)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to parse %q as CIDR: %v", subnet, err)
|
||||
}
|
||||
|
||||
if hostname == "" {
|
||||
var err error
|
||||
hostname, err = os.Hostname()
|
||||
if hostname == "" || err != nil {
|
||||
return errors.New("failed to determine hostname")
|
||||
}
|
||||
}
|
||||
|
||||
e := encapsulation.Strategy(encapsulate)
|
||||
switch e {
|
||||
case encapsulation.Never:
|
||||
case encapsulation.CrossSubnet:
|
||||
case encapsulation.Always:
|
||||
default:
|
||||
return fmt.Errorf("encapsulation %v unknown; possible values are: %s", *encapsulate, availableEncapsulations)
|
||||
return fmt.Errorf("encapsulation %v unknown; possible values are: %s", encapsulate, availableEncapsulations)
|
||||
}
|
||||
|
||||
var enc encapsulation.Encapsulator
|
||||
switch *compatibility {
|
||||
switch compatibility {
|
||||
case "flannel":
|
||||
enc = encapsulation.NewFlannel(e)
|
||||
default:
|
||||
enc = encapsulation.NewIPIP(e)
|
||||
}
|
||||
|
||||
gr := mesh.Granularity(*granularity)
|
||||
gr := mesh.Granularity(granularity)
|
||||
switch gr {
|
||||
case mesh.LogicalGranularity:
|
||||
case mesh.FullGranularity:
|
||||
default:
|
||||
return fmt.Errorf("mesh granularity %v unknown; possible values are: %s", *granularity, availableGranularities)
|
||||
return fmt.Errorf("mesh granularity %v unknown; possible values are: %s", granularity, availableGranularities)
|
||||
}
|
||||
|
||||
var b mesh.Backend
|
||||
switch *backend {
|
||||
switch backend {
|
||||
case k8s.Backend:
|
||||
config, err := clientcmd.BuildConfigFromFlags(*master, *kubeconfig)
|
||||
config, err := clientcmd.BuildConfigFromFlags(master, kubeconfig)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create Kubernetes config: %v", err)
|
||||
}
|
||||
c := kubernetes.NewForConfigOrDie(config)
|
||||
kc := kiloclient.NewForConfigOrDie(config)
|
||||
ec := apiextensions.NewForConfigOrDie(config)
|
||||
b = k8s.New(c, kc, ec, *topologyLabel)
|
||||
b = k8s.New(c, kc, ec, topologyLabel)
|
||||
default:
|
||||
return fmt.Errorf("backend %v unknown; possible values are: %s", *backend, availableBackends)
|
||||
return fmt.Errorf("backend %v unknown; possible values are: %s", backend, availableBackends)
|
||||
}
|
||||
|
||||
m, err := mesh.New(b, enc, gr, *hostname, uint32(port), s, *local, *cni, *cniPath, *iface, *cleanUpIface, *createIface, *mtu, *resyncPeriod, log.With(logger, "component", "kilo"))
|
||||
m, err := mesh.New(b, enc, gr, hostname, uint32(port), s, local, cni, cniPath, iface, cleanUpIface, createIface, mtu, resyncPeriod, log.With(logger, "component", "kilo"))
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create Kilo mesh: %v", err)
|
||||
}
|
||||
|
||||
r := prometheus.NewRegistry()
|
||||
r.MustRegister(
|
||||
prometheus.NewGoCollector(),
|
||||
prometheus.NewProcessCollector(prometheus.ProcessCollectorOpts{}),
|
||||
)
|
||||
m.RegisterMetrics(r)
|
||||
m.RegisterMetrics(registry)
|
||||
|
||||
var g run.Group
|
||||
{
|
||||
// Run the HTTP server.
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/health", healthHandler)
|
||||
mux.Handle("/graph", &graphHandler{m, gr, hostname, s})
|
||||
mux.Handle("/metrics", promhttp.HandlerFor(r, promhttp.HandlerOpts{}))
|
||||
l, err := net.Listen("tcp", *listen)
|
||||
mux.Handle("/graph", &graphHandler{m, gr, &hostname, s})
|
||||
mux.Handle("/metrics", promhttp.HandlerFor(registry, promhttp.HandlerOpts{}))
|
||||
l, err := net.Listen("tcp", listen)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to listen on %s: %v", *listen, err)
|
||||
return fmt.Errorf("failed to listen on %s: %v", listen, err)
|
||||
}
|
||||
|
||||
g.Add(func() error {
|
||||
@ -252,8 +299,15 @@ func Main() error {
|
||||
return g.Run()
|
||||
}
|
||||
|
||||
var versionCmd = &cobra.Command{
|
||||
Use: "version",
|
||||
Short: "Print the version and exit.",
|
||||
Run: func(_ *cobra.Command, _ []string) { fmt.Println(version.Version) },
|
||||
}
|
||||
|
||||
func main() {
|
||||
if err := Main(); err != nil {
|
||||
cmd.AddCommand(webhookCmd, versionCmd)
|
||||
if err := cmd.Execute(); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "%v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
273
cmd/kg/webhook.go
Normal file
273
cmd/kg/webhook.go
Normal file
@ -0,0 +1,273 @@
|
||||
// Copyright 2021 the Kilo authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/go-kit/kit/log/level"
|
||||
"github.com/oklog/run"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||
"github.com/spf13/cobra"
|
||||
v1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/serializer"
|
||||
|
||||
kilo "github.com/squat/kilo/pkg/k8s/apis/kilo/v1alpha1"
|
||||
"github.com/squat/kilo/pkg/version"
|
||||
)
|
||||
|
||||
var webhookCmd = &cobra.Command{
|
||||
Use: "webhook",
|
||||
PreRunE: func(c *cobra.Command, a []string) error {
|
||||
if c.HasParent() {
|
||||
return c.Parent().PreRunE(c, a)
|
||||
}
|
||||
return nil
|
||||
},
|
||||
Short: "webhook starts a HTTPS server to validate updates and creations of Kilo peers.",
|
||||
RunE: webhook,
|
||||
}
|
||||
|
||||
var (
|
||||
certPath string
|
||||
keyPath string
|
||||
metricsAddr string
|
||||
listenAddr string
|
||||
)
|
||||
|
||||
func init() {
|
||||
webhookCmd.Flags().StringVar(&certPath, "cert-file", "", "The path to a certificate file")
|
||||
webhookCmd.Flags().StringVar(&keyPath, "key-file", "", "The path to a key file")
|
||||
webhookCmd.Flags().StringVar(&metricsAddr, "listen-metrics", ":1107", "The metrics server will be listening to that address")
|
||||
webhookCmd.Flags().StringVar(&listenAddr, "listen", ":8443", "The webhook server will be listening to that address")
|
||||
}
|
||||
|
||||
var deserializer = serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer()
|
||||
|
||||
var (
|
||||
validationCounter = prometheus.NewCounterVec(
|
||||
prometheus.CounterOpts{
|
||||
Name: "admission_requests_total",
|
||||
Help: "The number of received admission reviews requests",
|
||||
},
|
||||
[]string{"operation", "response"},
|
||||
)
|
||||
requestCounter = prometheus.NewCounterVec(
|
||||
prometheus.CounterOpts{
|
||||
Name: "http_requests_total",
|
||||
Help: "The number of received http requests",
|
||||
},
|
||||
[]string{"handler", "method"},
|
||||
)
|
||||
errorCounter = prometheus.NewCounter(
|
||||
prometheus.CounterOpts{
|
||||
Name: "errors_total",
|
||||
Help: "The total number of errors",
|
||||
},
|
||||
)
|
||||
)
|
||||
|
||||
func validationHandler(w http.ResponseWriter, r *http.Request) {
|
||||
level.Debug(logger).Log("msg", "handling request", "source", r.RemoteAddr)
|
||||
body, err := ioutil.ReadAll(r.Body)
|
||||
if err != nil {
|
||||
errorCounter.Inc()
|
||||
level.Error(logger).Log("err", "failed to parse body from incoming request", "source", r.RemoteAddr)
|
||||
http.Error(w, err.Error(), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
var admissionReview v1.AdmissionReview
|
||||
|
||||
contentType := r.Header.Get("Content-Type")
|
||||
if contentType != "application/json" {
|
||||
errorCounter.Inc()
|
||||
msg := fmt.Sprintf("received Content-Type=%s, expected application/json", contentType)
|
||||
level.Error(logger).Log("err", msg)
|
||||
http.Error(w, msg, http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
response := v1.AdmissionReview{}
|
||||
|
||||
_, gvk, err := deserializer.Decode(body, nil, &admissionReview)
|
||||
if err != nil {
|
||||
errorCounter.Inc()
|
||||
msg := fmt.Sprintf("Request could not be decoded: %v", err)
|
||||
level.Error(logger).Log("err", msg)
|
||||
http.Error(w, msg, http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if *gvk != v1.SchemeGroupVersion.WithKind("AdmissionReview") {
|
||||
errorCounter.Inc()
|
||||
msg := "only API v1 is supported"
|
||||
level.Error(logger).Log("err", msg)
|
||||
http.Error(w, msg, http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
response.SetGroupVersionKind(*gvk)
|
||||
response.Response = &v1.AdmissionResponse{
|
||||
UID: admissionReview.Request.UID,
|
||||
}
|
||||
|
||||
rawExtension := admissionReview.Request.Object
|
||||
var peer kilo.Peer
|
||||
|
||||
if err := json.Unmarshal(rawExtension.Raw, &peer); err != nil {
|
||||
errorCounter.Inc()
|
||||
msg := fmt.Sprintf("could not unmarshal extension to peer spec: %v:", err)
|
||||
level.Error(logger).Log("err", msg)
|
||||
http.Error(w, msg, http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if err := peer.Validate(); err == nil {
|
||||
level.Debug(logger).Log("msg", "got valid peer spec", "spec", peer.Spec, "name", peer.ObjectMeta.Name)
|
||||
validationCounter.With(prometheus.Labels{"operation": string(admissionReview.Request.Operation), "response": "allowed"}).Inc()
|
||||
response.Response.Allowed = true
|
||||
} else {
|
||||
level.Debug(logger).Log("msg", "got invalid peer spec", "spec", peer.Spec, "name", peer.ObjectMeta.Name)
|
||||
validationCounter.With(prometheus.Labels{"operation": string(admissionReview.Request.Operation), "response": "denied"}).Inc()
|
||||
response.Response.Result = &metav1.Status{
|
||||
Message: err.Error(),
|
||||
}
|
||||
}
|
||||
|
||||
res, err := json.Marshal(response)
|
||||
if err != nil {
|
||||
errorCounter.Inc()
|
||||
msg := fmt.Sprintf("failed to marshal response: %v", err)
|
||||
level.Error(logger).Log("err", msg)
|
||||
http.Error(w, msg, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
if _, err := w.Write(res); err != nil {
|
||||
level.Error(logger).Log("err", err, "msg", "failed to write response")
|
||||
}
|
||||
}
|
||||
|
||||
func metricsMiddleWare(path string, next func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
requestCounter.With(prometheus.Labels{"method": r.Method, "handler": path}).Inc()
|
||||
next(w, r)
|
||||
}
|
||||
}
|
||||
|
||||
func webhook(_ *cobra.Command, _ []string) error {
|
||||
if printVersion {
|
||||
fmt.Println(version.Version)
|
||||
os.Exit(0)
|
||||
}
|
||||
registry.MustRegister(
|
||||
errorCounter,
|
||||
validationCounter,
|
||||
requestCounter,
|
||||
)
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer func() {
|
||||
cancel()
|
||||
}()
|
||||
var g run.Group
|
||||
g.Add(run.SignalHandler(ctx, syscall.SIGINT, syscall.SIGTERM))
|
||||
{
|
||||
mm := http.NewServeMux()
|
||||
mm.Handle("/metrics", promhttp.HandlerFor(registry, promhttp.HandlerOpts{}))
|
||||
msrv := &http.Server{
|
||||
Addr: metricsAddr,
|
||||
Handler: mm,
|
||||
}
|
||||
|
||||
g.Add(
|
||||
func() error {
|
||||
level.Info(logger).Log("msg", "starting metrics server", "address", msrv.Addr)
|
||||
err := msrv.ListenAndServe()
|
||||
level.Info(logger).Log("msg", "metrics server exited", "err", err)
|
||||
return err
|
||||
|
||||
},
|
||||
func(err error) {
|
||||
var serr run.SignalError
|
||||
if ok := errors.As(err, &serr); ok {
|
||||
level.Info(logger).Log("msg", "received signal", "signal", serr.Signal.String(), "err", err.Error())
|
||||
} else {
|
||||
level.Error(logger).Log("msg", "received error", "err", err.Error())
|
||||
}
|
||||
level.Info(logger).Log("msg", "shutting down metrics server gracefully")
|
||||
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
|
||||
defer func() {
|
||||
cancel()
|
||||
}()
|
||||
if err := msrv.Shutdown(ctx); err != nil {
|
||||
level.Error(logger).Log("msg", "failed to shut down metrics server gracefully", "err", err.Error())
|
||||
msrv.Close()
|
||||
}
|
||||
},
|
||||
)
|
||||
}
|
||||
|
||||
{
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/validate", metricsMiddleWare("/validate", validationHandler))
|
||||
srv := &http.Server{
|
||||
Addr: listenAddr,
|
||||
Handler: mux,
|
||||
}
|
||||
g.Add(
|
||||
func() error {
|
||||
level.Info(logger).Log("msg", "starting webhook server", "address", srv.Addr)
|
||||
err := srv.ListenAndServeTLS(certPath, keyPath)
|
||||
level.Info(logger).Log("msg", "webhook server exited", "err", err)
|
||||
return err
|
||||
},
|
||||
func(err error) {
|
||||
var serr run.SignalError
|
||||
if ok := errors.As(err, &serr); ok {
|
||||
level.Info(logger).Log("msg", "received signal", "signal", serr.Signal.String(), "err", err.Error())
|
||||
} else {
|
||||
level.Error(logger).Log("msg", "received error", "err", err.Error())
|
||||
}
|
||||
level.Info(logger).Log("msg", "shutting down webhook server gracefully")
|
||||
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
|
||||
defer func() {
|
||||
cancel()
|
||||
}()
|
||||
if err := srv.Shutdown(ctx); err != nil {
|
||||
level.Error(logger).Log("msg", "failed to shut down webhook server gracefully", "err", err.Error())
|
||||
srv.Close()
|
||||
}
|
||||
},
|
||||
)
|
||||
}
|
||||
|
||||
err := g.Run()
|
||||
var serr run.SignalError
|
||||
if ok := errors.As(err, &serr); ok {
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
@ -9,29 +9,14 @@ Once such a configuration is applied, the Kubernetes API server will send an Adm
|
||||
With regard to the [failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy), the API server will apply the requested changes to a resource if the request was answered with `"allowed": true`, or deny the changes if the answer was `"allowed": false`.
|
||||
|
||||
In case of Kilo Peer Validation, the specified operations are `UPDATE` and `CREATE`, the resources are `Peers`, and the default `failurePolicy` is set to `Fail`.
|
||||
View the full ValidatingWebhookConfiguration [here](https://github.com/leonnicolas/kilo-peer-validation/blob/main/deployment-no-cabundle.yaml).
|
||||
View the full ValidatingWebhookConfiguration [here](https://github.com/squat/kilo/blob/main/manifests/peer-validation.yaml).
|
||||
|
||||
## Getting Started
|
||||
|
||||
[Kilo-Peer-Validation](https://github.com/leonnicolas/kilo-peer-validation) is a webserver that rejects any AdmissionReviewRequest with a faulty Peer configuration.
|
||||
|
||||
Apply the Service, the Deployment of the actual webserver, and the ValidatingWebhookConfiguration with:
|
||||
```shell
|
||||
kubectl apply -f https://raw.githubusercontent.com/leonnicolas/kilo-peer-validation/main/deployment-no-cabundle.yaml
|
||||
kubectl apply -f https://raw.githubusercontent.com/squat/kilo/blob/main/manifests/peer-validation.yaml
|
||||
```
|
||||
|
||||
The Kubernetes API server will only talk to webhook servers via TLS so the Kilo-Peer-Validation server must be given a valid TLS certificate and key, and the API server must be told what certificate authority (CA) to trust.
|
||||
One way to do this is to use the [kube-webhook-certgen](https://github.com/jet/kube-webhook-certgen) project to create a Kubernetes Secret holding the TLS certificate and key for the webhook server and to make a certificate signing request to the Kubernetes API server.
|
||||
The following snippet can be used to run kube-webhook-certgen in a Docker container to create a Secret and certificate signing request:
|
||||
```shell
|
||||
docker run -v /path/to/kubeconfig:/kubeconfig.yaml:ro jettech/kube-webhook-certgen:v1.5.2 --kubeconfig /kubeconfig.yaml create --namespace kilo --secret-name peer-validation-webhook-tls --host peer-validation,peer-validation.kilo.svc --key-name tls.key --cert-name tls.config
|
||||
```
|
||||
|
||||
Now, the Kubernetes API server can be told what CA to trust by patching the ValidatingWebhookConfiguration with the newly created CA bundle:
|
||||
```shell
|
||||
docker run -v /path/to/kubeconfig:/kubeconfig.yaml:ro jettech/kube-webhook-certgen:v1.5.2 --kubeconfig /kubeconfig.yaml patch --webhook-name peer-validation.kilo.svc --secret-name peer-validation-webhook-tls --namespace kilo --patch-mutating=false
|
||||
```
|
||||
|
||||
## Alternative Method
|
||||
|
||||
An alternative method to generate a ValidatingWebhookConfiguration manifest without using Kubernetes' Certificate Signing API is described in [Kilo-Peer-Validation](https://github.com/leonnicolas/kilo-peer-validation#use-the-set-up-script).
|
||||
The above manifest will use [kube-webhook-certgen](https://github.com/jet/kube-webhook-certgen) to generate the requiered certificates and patch the [ValidatingWebhookConfiguration](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly).
|
||||
|
3
go.mod
3
go.mod
@ -11,10 +11,9 @@ require (
|
||||
github.com/go-kit/kit v0.9.0
|
||||
github.com/imdario/mergo v0.3.6 // indirect
|
||||
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348
|
||||
github.com/oklog/run v1.0.0
|
||||
github.com/oklog/run v1.1.0
|
||||
github.com/prometheus/client_golang v1.7.1
|
||||
github.com/spf13/cobra v1.1.3
|
||||
github.com/spf13/pflag v1.0.5
|
||||
github.com/vishvananda/netlink v1.0.0
|
||||
github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc // indirect
|
||||
golang.org/x/lint v0.0.0-20200302205851-738671d3881b
|
||||
|
2
go.sum
2
go.sum
@ -299,6 +299,8 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
|
||||
github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
|
||||
github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
|
||||
github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
|
||||
github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
|
||||
github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
|
||||
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
|
||||
github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
|
||||
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
|
173
manifests/peer-validation.yaml
Normal file
173
manifests/peer-validation.yaml
Normal file
@ -0,0 +1,173 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: kilo
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: "peers.kilo.squat.ai"
|
||||
webhooks:
|
||||
- name: "peers.kilo.squat.ai"
|
||||
rules:
|
||||
- apiGroups: ["kilo.squat.ai"]
|
||||
apiVersions: ["v1alpha1"]
|
||||
operations: ["CREATE","UPDATE"]
|
||||
resources: ["peers"]
|
||||
scope: "Cluster"
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: "kilo"
|
||||
name: "peer-validation"
|
||||
path: "/validate"
|
||||
admissionReviewVersions: ["v1"]
|
||||
sideEffects: None
|
||||
timeoutSeconds: 5
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: peer-validation-server
|
||||
namespace: kilo
|
||||
labels:
|
||||
app.kubernetes.io/name: peer-validation-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: peer-validation-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: peer-validation-server
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
containers:
|
||||
- name: server
|
||||
image: squat/kilo
|
||||
args:
|
||||
- webhook
|
||||
- --cert-file=/run/secrets/tls/tls.crt
|
||||
- --key-file=/run/secrets/tls/tls.key
|
||||
- --metrics-address=:1107
|
||||
- --listen=:8443
|
||||
ports:
|
||||
- containerPort: 8443
|
||||
name: webhook
|
||||
- containerPort: 1107
|
||||
name: metrics
|
||||
volumeMounts:
|
||||
- name: tls
|
||||
mountPath: /run/secrets/tls
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: tls
|
||||
secret:
|
||||
secretName: peer-validation-webhook-tls
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: peer-validation
|
||||
namespace: kilo
|
||||
spec:
|
||||
selector:
|
||||
app.kubernetes.io/name: peer-validation-server
|
||||
ports:
|
||||
- port: 443
|
||||
targetPort: webhook
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
namespace: kilo
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
rules:
|
||||
- apiGroups:
|
||||
- admissionregistration.k8s.io
|
||||
resources:
|
||||
- validatingwebhookconfigurations
|
||||
resourceNames:
|
||||
- peers.kilo.squat.ai
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kilo-peer-validation
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kilo
|
||||
name: kilo-peer-validation
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
namespace: kilo
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
namespace: kilo
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: kilo-peer-validation
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kilo
|
||||
name: kilo-peer-validation
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: cert-gen
|
||||
namespace: kilo
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: kilo-peer-validation
|
||||
initContainers:
|
||||
- name: create
|
||||
image: jettech/kube-webhook-certgen:v1.5.2
|
||||
args:
|
||||
- create
|
||||
- --namespace=kilo
|
||||
- --secret-name=peer-validation-webhook-tls
|
||||
- --host=peer-validation,peer-validation.kilo.svc
|
||||
- --key-name=tls.key
|
||||
- --cert-name=tls.crt
|
||||
containers:
|
||||
- name: patch
|
||||
image: jettech/kube-webhook-certgen:v1.5.2
|
||||
args:
|
||||
- patch
|
||||
- --webhook-name=peers.kilo.squat.ai
|
||||
- --secret-name=peer-validation-webhook-tls
|
||||
- --namespace=kilo
|
||||
- --patch-mutating=false
|
||||
restartPolicy: OnFailure
|
||||
backoffLimit: 4
|
12
vendor/github.com/oklog/run/.travis.yml
generated
vendored
12
vendor/github.com/oklog/run/.travis.yml
generated
vendored
@ -1,12 +0,0 @@
|
||||
language: go
|
||||
sudo: false
|
||||
go:
|
||||
- 1.x
|
||||
- tip
|
||||
install:
|
||||
- go get -v github.com/golang/lint/golint
|
||||
- go build ./...
|
||||
script:
|
||||
- go vet ./...
|
||||
- $HOME/gopath/bin/golint .
|
||||
- go test -v -race ./...
|
10
vendor/github.com/oklog/run/README.md
generated
vendored
10
vendor/github.com/oklog/run/README.md
generated
vendored
@ -1,7 +1,7 @@
|
||||
# run
|
||||
|
||||
[![GoDoc](https://godoc.org/github.com/oklog/run?status.svg)](https://godoc.org/github.com/oklog/run)
|
||||
[![Build Status](https://travis-ci.org/oklog/run.svg?branch=master)](https://travis-ci.org/oklog/run)
|
||||
[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Foklog%2Frun%2Fbadge&style=flat-square&label=build)](https://github.com/oklog/run/actions?query=workflow%3ATest)
|
||||
[![Go Report Card](https://goreportcard.com/badge/github.com/oklog/run)](https://goreportcard.com/report/github.com/oklog/run)
|
||||
[![Apache 2 licensed](https://img.shields.io/badge/license-Apache2-blue.svg)](https://raw.githubusercontent.com/oklog/run/master/LICENSE)
|
||||
|
||||
@ -10,9 +10,11 @@ run.Group is a universal mechanism to manage goroutine lifecycles.
|
||||
Create a zero-value run.Group, and then add actors to it. Actors are defined as
|
||||
a pair of functions: an **execute** function, which should run synchronously;
|
||||
and an **interrupt** function, which, when invoked, should cause the execute
|
||||
function to return. Finally, invoke Run, which blocks until the first actor
|
||||
returns. This general-purpose API allows callers to model pretty much any
|
||||
runnable task, and achieve well-defined lifecycle semantics for the group.
|
||||
function to return. Finally, invoke Run, which concurrently runs all of the
|
||||
actors, waits until the first actor exits, invokes the interrupt functions, and
|
||||
finally returns control to the caller only once all actors have returned. This
|
||||
general-purpose API allows callers to model pretty much any runnable task, and
|
||||
achieve well-defined lifecycle semantics for the group.
|
||||
|
||||
run.Group was written to manage component lifecycles in func main for
|
||||
[OK Log](https://github.com/oklog/oklog).
|
||||
|
38
vendor/github.com/oklog/run/actors.go
generated
vendored
Normal file
38
vendor/github.com/oklog/run/actors.go
generated
vendored
Normal file
@ -0,0 +1,38 @@
|
||||
package run
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/signal"
|
||||
)
|
||||
|
||||
// SignalHandler returns an actor, i.e. an execute and interrupt func, that
|
||||
// terminates with SignalError when the process receives one of the provided
|
||||
// signals, or the parent context is canceled.
|
||||
func SignalHandler(ctx context.Context, signals ...os.Signal) (execute func() error, interrupt func(error)) {
|
||||
ctx, cancel := context.WithCancel(ctx)
|
||||
return func() error {
|
||||
c := make(chan os.Signal, 1)
|
||||
signal.Notify(c, signals...)
|
||||
select {
|
||||
case sig := <-c:
|
||||
return SignalError{Signal: sig}
|
||||
case <-ctx.Done():
|
||||
return ctx.Err()
|
||||
}
|
||||
}, func(error) {
|
||||
cancel()
|
||||
}
|
||||
}
|
||||
|
||||
// SignalError is returned by the signal handler's execute function
|
||||
// when it terminates due to a received signal.
|
||||
type SignalError struct {
|
||||
Signal os.Signal
|
||||
}
|
||||
|
||||
// Error implements the error interface.
|
||||
func (e SignalError) Error() string {
|
||||
return fmt.Sprintf("received signal %s", e.Signal)
|
||||
}
|
3
vendor/github.com/oklog/run/go.mod
generated
vendored
Normal file
3
vendor/github.com/oklog/run/go.mod
generated
vendored
Normal file
@ -0,0 +1,3 @@
|
||||
module github.com/oklog/run
|
||||
|
||||
go 1.13
|
23
vendor/k8s.io/api/admission/v1/doc.go
generated
vendored
Normal file
23
vendor/k8s.io/api/admission/v1/doc.go
generated
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// +k8s:deepcopy-gen=package
|
||||
// +k8s:protobuf-gen=package
|
||||
// +k8s:openapi-gen=false
|
||||
|
||||
// +groupName=admission.k8s.io
|
||||
|
||||
package v1 // import "k8s.io/api/admission/v1"
|
1783
vendor/k8s.io/api/admission/v1/generated.pb.go
generated
vendored
Normal file
1783
vendor/k8s.io/api/admission/v1/generated.pb.go
generated
vendored
Normal file
File diff suppressed because it is too large
Load Diff
167
vendor/k8s.io/api/admission/v1/generated.proto
generated
vendored
Normal file
167
vendor/k8s.io/api/admission/v1/generated.proto
generated
vendored
Normal file
@ -0,0 +1,167 @@
|
||||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
|
||||
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
|
||||
|
||||
syntax = "proto2";
|
||||
|
||||
package k8s.io.api.admission.v1;
|
||||
|
||||
import "k8s.io/api/authentication/v1/generated.proto";
|
||||
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
||||
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
|
||||
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
||||
|
||||
// Package-wide variables from generator "generated".
|
||||
option go_package = "v1";
|
||||
|
||||
// AdmissionRequest describes the admission.Attributes for the admission request.
|
||||
message AdmissionRequest {
|
||||
// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
|
||||
// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
|
||||
// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
|
||||
// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
|
||||
optional string uid = 1;
|
||||
|
||||
// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
|
||||
optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;
|
||||
|
||||
// Resource is the fully-qualified resource being requested (for example, v1.pods)
|
||||
optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;
|
||||
|
||||
// SubResource is the subresource being requested, if any (for example, "status" or "scale")
|
||||
// +optional
|
||||
optional string subResource = 4;
|
||||
|
||||
// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
|
||||
// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
|
||||
//
|
||||
// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
||||
// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
||||
// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
||||
// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
|
||||
// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
|
||||
//
|
||||
// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
|
||||
// +optional
|
||||
optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind requestKind = 13;
|
||||
|
||||
// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
|
||||
// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
|
||||
//
|
||||
// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
||||
// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
||||
// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
||||
// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
|
||||
// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
|
||||
//
|
||||
// See documentation for the "matchPolicy" field in the webhook configuration type.
|
||||
// +optional
|
||||
optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource requestResource = 14;
|
||||
|
||||
// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
|
||||
// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
|
||||
// See documentation for the "matchPolicy" field in the webhook configuration type.
|
||||
// +optional
|
||||
optional string requestSubResource = 15;
|
||||
|
||||
// Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
|
||||
// rely on the server to generate the name. If that is the case, this field will contain an empty string.
|
||||
// +optional
|
||||
optional string name = 5;
|
||||
|
||||
// Namespace is the namespace associated with the request (if any).
|
||||
// +optional
|
||||
optional string namespace = 6;
|
||||
|
||||
// Operation is the operation being performed. This may be different than the operation
|
||||
// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
|
||||
optional string operation = 7;
|
||||
|
||||
// UserInfo is information about the requesting user
|
||||
optional k8s.io.api.authentication.v1.UserInfo userInfo = 8;
|
||||
|
||||
// Object is the object from the incoming request.
|
||||
// +optional
|
||||
optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
|
||||
|
||||
// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
|
||||
// +optional
|
||||
optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
|
||||
|
||||
// DryRun indicates that modifications will definitely not be persisted for this request.
|
||||
// Defaults to false.
|
||||
// +optional
|
||||
optional bool dryRun = 11;
|
||||
|
||||
// Options is the operation option structure of the operation being performed.
|
||||
// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
|
||||
// different than the options the caller provided. e.g. for a patch request the performed
|
||||
// Operation might be a CREATE, in which case the Options will a
|
||||
// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
|
||||
// +optional
|
||||
optional k8s.io.apimachinery.pkg.runtime.RawExtension options = 12;
|
||||
}
|
||||
|
||||
// AdmissionResponse describes an admission response.
|
||||
message AdmissionResponse {
|
||||
// UID is an identifier for the individual request/response.
|
||||
// This must be copied over from the corresponding AdmissionRequest.
|
||||
optional string uid = 1;
|
||||
|
||||
// Allowed indicates whether or not the admission request was permitted.
|
||||
optional bool allowed = 2;
|
||||
|
||||
// Result contains extra details into why an admission request was denied.
|
||||
// This field IS NOT consulted in any way if "Allowed" is "true".
|
||||
// +optional
|
||||
optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
|
||||
|
||||
// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
|
||||
// +optional
|
||||
optional bytes patch = 4;
|
||||
|
||||
// The type of Patch. Currently we only allow "JSONPatch".
|
||||
// +optional
|
||||
optional string patchType = 5;
|
||||
|
||||
// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
|
||||
// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
|
||||
// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
|
||||
// the admission webhook to add additional context to the audit log for this request.
|
||||
// +optional
|
||||
map<string, string> auditAnnotations = 6;
|
||||
|
||||
// warnings is a list of warning messages to return to the requesting API client.
|
||||
// Warning messages describe a problem the client making the API request should correct or be aware of.
|
||||
// Limit warnings to 120 characters if possible.
|
||||
// Warnings over 256 characters and large numbers of warnings may be truncated.
|
||||
// +optional
|
||||
repeated string warnings = 7;
|
||||
}
|
||||
|
||||
// AdmissionReview describes an admission review request/response.
|
||||
message AdmissionReview {
|
||||
// Request describes the attributes for the admission request.
|
||||
// +optional
|
||||
optional AdmissionRequest request = 1;
|
||||
|
||||
// Response describes the attributes for the admission response.
|
||||
// +optional
|
||||
optional AdmissionResponse response = 2;
|
||||
}
|
||||
|
53
vendor/k8s.io/api/admission/v1/register.go
generated
vendored
Normal file
53
vendor/k8s.io/api/admission/v1/register.go
generated
vendored
Normal file
@ -0,0 +1,53 @@
|
||||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1
|
||||
|
||||
import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
// GroupName is the group name for this API.
|
||||
const GroupName = "admission.k8s.io"
|
||||
|
||||
// SchemeGroupVersion is group version used to register these objects
|
||||
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
|
||||
|
||||
// Resource takes an unqualified resource and returns a Group qualified GroupResource
|
||||
func Resource(resource string) schema.GroupResource {
|
||||
return SchemeGroupVersion.WithResource(resource).GroupResource()
|
||||
}
|
||||
|
||||
// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
|
||||
// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
|
||||
var (
|
||||
// SchemeBuilder points to a list of functions added to Scheme.
|
||||
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
|
||||
localSchemeBuilder = &SchemeBuilder
|
||||
// AddToScheme is a common registration function for mapping packaged scoped group & version keys to a scheme.
|
||||
AddToScheme = localSchemeBuilder.AddToScheme
|
||||
)
|
||||
|
||||
// Adds the list of known types to the given scheme.
|
||||
func addKnownTypes(scheme *runtime.Scheme) error {
|
||||
scheme.AddKnownTypes(SchemeGroupVersion,
|
||||
&AdmissionReview{},
|
||||
)
|
||||
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
|
||||
return nil
|
||||
}
|
169
vendor/k8s.io/api/admission/v1/types.go
generated
vendored
Normal file
169
vendor/k8s.io/api/admission/v1/types.go
generated
vendored
Normal file
@ -0,0 +1,169 @@
|
||||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1
|
||||
|
||||
import (
|
||||
authenticationv1 "k8s.io/api/authentication/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// AdmissionReview describes an admission review request/response.
|
||||
type AdmissionReview struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Request describes the attributes for the admission request.
|
||||
// +optional
|
||||
Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
|
||||
// Response describes the attributes for the admission response.
|
||||
// +optional
|
||||
Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
|
||||
}
|
||||
|
||||
// AdmissionRequest describes the admission.Attributes for the admission request.
|
||||
type AdmissionRequest struct {
|
||||
// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
|
||||
// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
|
||||
// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
|
||||
// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
|
||||
UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
|
||||
// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
|
||||
Kind metav1.GroupVersionKind `json:"kind" protobuf:"bytes,2,opt,name=kind"`
|
||||
// Resource is the fully-qualified resource being requested (for example, v1.pods)
|
||||
Resource metav1.GroupVersionResource `json:"resource" protobuf:"bytes,3,opt,name=resource"`
|
||||
// SubResource is the subresource being requested, if any (for example, "status" or "scale")
|
||||
// +optional
|
||||
SubResource string `json:"subResource,omitempty" protobuf:"bytes,4,opt,name=subResource"`
|
||||
|
||||
// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
|
||||
// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
|
||||
//
|
||||
// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
||||
// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
||||
// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
||||
// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
|
||||
// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
|
||||
//
|
||||
// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
|
||||
// +optional
|
||||
RequestKind *metav1.GroupVersionKind `json:"requestKind,omitempty" protobuf:"bytes,13,opt,name=requestKind"`
|
||||
// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
|
||||
// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
|
||||
//
|
||||
// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
||||
// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
||||
// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
||||
// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
|
||||
// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
|
||||
//
|
||||
// See documentation for the "matchPolicy" field in the webhook configuration type.
|
||||
// +optional
|
||||
RequestResource *metav1.GroupVersionResource `json:"requestResource,omitempty" protobuf:"bytes,14,opt,name=requestResource"`
|
||||
// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
|
||||
// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
|
||||
// See documentation for the "matchPolicy" field in the webhook configuration type.
|
||||
// +optional
|
||||
RequestSubResource string `json:"requestSubResource,omitempty" protobuf:"bytes,15,opt,name=requestSubResource"`
|
||||
|
||||
// Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
|
||||
// rely on the server to generate the name. If that is the case, this field will contain an empty string.
|
||||
// +optional
|
||||
Name string `json:"name,omitempty" protobuf:"bytes,5,opt,name=name"`
|
||||
// Namespace is the namespace associated with the request (if any).
|
||||
// +optional
|
||||
Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
|
||||
// Operation is the operation being performed. This may be different than the operation
|
||||
// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
|
||||
Operation Operation `json:"operation" protobuf:"bytes,7,opt,name=operation"`
|
||||
// UserInfo is information about the requesting user
|
||||
UserInfo authenticationv1.UserInfo `json:"userInfo" protobuf:"bytes,8,opt,name=userInfo"`
|
||||
// Object is the object from the incoming request.
|
||||
// +optional
|
||||
Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,9,opt,name=object"`
|
||||
// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
|
||||
// +optional
|
||||
OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
|
||||
// DryRun indicates that modifications will definitely not be persisted for this request.
|
||||
// Defaults to false.
|
||||
// +optional
|
||||
DryRun *bool `json:"dryRun,omitempty" protobuf:"varint,11,opt,name=dryRun"`
|
||||
// Options is the operation option structure of the operation being performed.
|
||||
// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
|
||||
// different than the options the caller provided. e.g. for a patch request the performed
|
||||
// Operation might be a CREATE, in which case the Options will a
|
||||
// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
|
||||
// +optional
|
||||
Options runtime.RawExtension `json:"options,omitempty" protobuf:"bytes,12,opt,name=options"`
|
||||
}
|
||||
|
||||
// AdmissionResponse describes an admission response.
|
||||
type AdmissionResponse struct {
|
||||
// UID is an identifier for the individual request/response.
|
||||
// This must be copied over from the corresponding AdmissionRequest.
|
||||
UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
|
||||
|
||||
// Allowed indicates whether or not the admission request was permitted.
|
||||
Allowed bool `json:"allowed" protobuf:"varint,2,opt,name=allowed"`
|
||||
|
||||
// Result contains extra details into why an admission request was denied.
|
||||
// This field IS NOT consulted in any way if "Allowed" is "true".
|
||||
// +optional
|
||||
Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
||||
|
||||
// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
|
||||
// +optional
|
||||
Patch []byte `json:"patch,omitempty" protobuf:"bytes,4,opt,name=patch"`
|
||||
|
||||
// The type of Patch. Currently we only allow "JSONPatch".
|
||||
// +optional
|
||||
PatchType *PatchType `json:"patchType,omitempty" protobuf:"bytes,5,opt,name=patchType"`
|
||||
|
||||
// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
|
||||
// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
|
||||
// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
|
||||
// the admission webhook to add additional context to the audit log for this request.
|
||||
// +optional
|
||||
AuditAnnotations map[string]string `json:"auditAnnotations,omitempty" protobuf:"bytes,6,opt,name=auditAnnotations"`
|
||||
|
||||
// warnings is a list of warning messages to return to the requesting API client.
|
||||
// Warning messages describe a problem the client making the API request should correct or be aware of.
|
||||
// Limit warnings to 120 characters if possible.
|
||||
// Warnings over 256 characters and large numbers of warnings may be truncated.
|
||||
// +optional
|
||||
Warnings []string `json:"warnings,omitempty" protobuf:"bytes,7,rep,name=warnings"`
|
||||
}
|
||||
|
||||
// PatchType is the type of patch being used to represent the mutated object
|
||||
type PatchType string
|
||||
|
||||
// PatchType constants.
|
||||
const (
|
||||
PatchTypeJSONPatch PatchType = "JSONPatch"
|
||||
)
|
||||
|
||||
// Operation is the type of resource operation being checked for admission control
|
||||
type Operation string
|
||||
|
||||
// Operation constants
|
||||
const (
|
||||
Create Operation = "CREATE"
|
||||
Update Operation = "UPDATE"
|
||||
Delete Operation = "DELETE"
|
||||
Connect Operation = "CONNECT"
|
||||
)
|
78
vendor/k8s.io/api/admission/v1/types_swagger_doc_generated.go
generated
vendored
Normal file
78
vendor/k8s.io/api/admission/v1/types_swagger_doc_generated.go
generated
vendored
Normal file
@ -0,0 +1,78 @@
|
||||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1
|
||||
|
||||
// This file contains a collection of methods that can be used from go-restful to
|
||||
// generate Swagger API documentation for its models. Please read this PR for more
|
||||
// information on the implementation: https://github.com/emicklei/go-restful/pull/215
|
||||
//
|
||||
// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
|
||||
// they are on one line! For multiple line or blocks that you want to ignore use ---.
|
||||
// Any context after a --- is ignored.
|
||||
//
|
||||
// Those methods can be generated by using hack/update-generated-swagger-docs.sh
|
||||
|
||||
// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
|
||||
var map_AdmissionRequest = map[string]string{
|
||||
"": "AdmissionRequest describes the admission.Attributes for the admission request.",
|
||||
"uid": "UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.",
|
||||
"kind": "Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)",
|
||||
"resource": "Resource is the fully-qualified resource being requested (for example, v1.pods)",
|
||||
"subResource": "SubResource is the subresource being requested, if any (for example, \"status\" or \"scale\")",
|
||||
"requestKind": "RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.",
|
||||
"requestResource": "RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.",
|
||||
"requestSubResource": "RequestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\") If this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed. See documentation for the \"matchPolicy\" field in the webhook configuration type.",
|
||||
"name": "Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and rely on the server to generate the name. If that is the case, this field will contain an empty string.",
|
||||
"namespace": "Namespace is the namespace associated with the request (if any).",
|
||||
"operation": "Operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.",
|
||||
"userInfo": "UserInfo is information about the requesting user",
|
||||
"object": "Object is the object from the incoming request.",
|
||||
"oldObject": "OldObject is the existing object. Only populated for DELETE and UPDATE requests.",
|
||||
"dryRun": "DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
|
||||
"options": "Options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.",
|
||||
}
|
||||
|
||||
func (AdmissionRequest) SwaggerDoc() map[string]string {
|
||||
return map_AdmissionRequest
|
||||
}
|
||||
|
||||
var map_AdmissionResponse = map[string]string{
|
||||
"": "AdmissionResponse describes an admission response.",
|
||||
"uid": "UID is an identifier for the individual request/response. This must be copied over from the corresponding AdmissionRequest.",
|
||||
"allowed": "Allowed indicates whether or not the admission request was permitted.",
|
||||
"status": "Result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
|
||||
"patch": "The patch body. Currently we only support \"JSONPatch\" which implements RFC 6902.",
|
||||
"patchType": "The type of Patch. Currently we only allow \"JSONPatch\".",
|
||||
"auditAnnotations": "AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by the admission webhook to add additional context to the audit log for this request.",
|
||||
"warnings": "warnings is a list of warning messages to return to the requesting API client. Warning messages describe a problem the client making the API request should correct or be aware of. Limit warnings to 120 characters if possible. Warnings over 256 characters and large numbers of warnings may be truncated.",
|
||||
}
|
||||
|
||||
func (AdmissionResponse) SwaggerDoc() map[string]string {
|
||||
return map_AdmissionResponse
|
||||
}
|
||||
|
||||
var map_AdmissionReview = map[string]string{
|
||||
"": "AdmissionReview describes an admission review request/response.",
|
||||
"request": "Request describes the attributes for the admission request.",
|
||||
"response": "Response describes the attributes for the admission response.",
|
||||
}
|
||||
|
||||
func (AdmissionReview) SwaggerDoc() map[string]string {
|
||||
return map_AdmissionReview
|
||||
}
|
||||
|
||||
// AUTO-GENERATED FUNCTIONS END HERE
|
141
vendor/k8s.io/api/admission/v1/zz_generated.deepcopy.go
generated
vendored
Normal file
141
vendor/k8s.io/api/admission/v1/zz_generated.deepcopy.go
generated
vendored
Normal file
@ -0,0 +1,141 @@
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by deepcopy-gen. DO NOT EDIT.
|
||||
|
||||
package v1
|
||||
|
||||
import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest) {
|
||||
*out = *in
|
||||
out.Kind = in.Kind
|
||||
out.Resource = in.Resource
|
||||
if in.RequestKind != nil {
|
||||
in, out := &in.RequestKind, &out.RequestKind
|
||||
*out = new(metav1.GroupVersionKind)
|
||||
**out = **in
|
||||
}
|
||||
if in.RequestResource != nil {
|
||||
in, out := &in.RequestResource, &out.RequestResource
|
||||
*out = new(metav1.GroupVersionResource)
|
||||
**out = **in
|
||||
}
|
||||
in.UserInfo.DeepCopyInto(&out.UserInfo)
|
||||
in.Object.DeepCopyInto(&out.Object)
|
||||
in.OldObject.DeepCopyInto(&out.OldObject)
|
||||
if in.DryRun != nil {
|
||||
in, out := &in.DryRun, &out.DryRun
|
||||
*out = new(bool)
|
||||
**out = **in
|
||||
}
|
||||
in.Options.DeepCopyInto(&out.Options)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequest.
|
||||
func (in *AdmissionRequest) DeepCopy() *AdmissionRequest {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(AdmissionRequest)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *AdmissionResponse) DeepCopyInto(out *AdmissionResponse) {
|
||||
*out = *in
|
||||
if in.Result != nil {
|
||||
in, out := &in.Result, &out.Result
|
||||
*out = new(metav1.Status)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.Patch != nil {
|
||||
in, out := &in.Patch, &out.Patch
|
||||
*out = make([]byte, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.PatchType != nil {
|
||||
in, out := &in.PatchType, &out.PatchType
|
||||
*out = new(PatchType)
|
||||
**out = **in
|
||||
}
|
||||
if in.AuditAnnotations != nil {
|
||||
in, out := &in.AuditAnnotations, &out.AuditAnnotations
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
if in.Warnings != nil {
|
||||
in, out := &in.Warnings, &out.Warnings
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionResponse.
|
||||
func (in *AdmissionResponse) DeepCopy() *AdmissionResponse {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(AdmissionResponse)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *AdmissionReview) DeepCopyInto(out *AdmissionReview) {
|
||||
*out = *in
|
||||
out.TypeMeta = in.TypeMeta
|
||||
if in.Request != nil {
|
||||
in, out := &in.Request, &out.Request
|
||||
*out = new(AdmissionRequest)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.Response != nil {
|
||||
in, out := &in.Response, &out.Response
|
||||
*out = new(AdmissionResponse)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReview.
|
||||
func (in *AdmissionReview) DeepCopy() *AdmissionReview {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(AdmissionReview)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
||||
func (in *AdmissionReview) DeepCopyObject() runtime.Object {
|
||||
if c := in.DeepCopy(); c != nil {
|
||||
return c
|
||||
}
|
||||
return nil
|
||||
}
|
4
vendor/modules.txt
vendored
4
vendor/modules.txt
vendored
@ -95,7 +95,7 @@ github.com/matttproud/golang_protobuf_extensions/pbutil
|
||||
github.com/modern-go/concurrent
|
||||
# github.com/modern-go/reflect2 v1.0.1
|
||||
github.com/modern-go/reflect2
|
||||
# github.com/oklog/run v1.0.0
|
||||
# github.com/oklog/run v1.1.0
|
||||
## explicit
|
||||
github.com/oklog/run
|
||||
# github.com/pkg/errors v0.9.1
|
||||
@ -121,7 +121,6 @@ github.com/prometheus/procfs/internal/util
|
||||
## explicit
|
||||
github.com/spf13/cobra
|
||||
# github.com/spf13/pflag v1.0.5
|
||||
## explicit
|
||||
github.com/spf13/pflag
|
||||
# github.com/vishvananda/netlink v1.0.0
|
||||
## explicit
|
||||
@ -230,6 +229,7 @@ gopkg.in/yaml.v2
|
||||
gopkg.in/yaml.v3
|
||||
# k8s.io/api v0.21.1
|
||||
## explicit
|
||||
k8s.io/api/admission/v1
|
||||
k8s.io/api/admissionregistration/v1
|
||||
k8s.io/api/admissionregistration/v1beta1
|
||||
k8s.io/api/apiserverinternal/v1alpha1
|
||||
|
Loading…
Reference in New Issue
Block a user