086b2e1ddd
This commit adds a sub command `webhook` to Kilo. It will start a https web server that answeres request from a Kubernetes API server to validate updates and creations of Kilo peers. It also updates the "Peer Validation" docs to enable users to install the web hook server and generate the self signed certificates in the cluster by only applying a manifest. Signed-off-by: leonnicolas <leonloechner@gmx.de> Apply suggestions from code review Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
168 lines
8.0 KiB
Protocol Buffer
168 lines
8.0 KiB
Protocol Buffer
/*
|
|
Copyright The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
|
|
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
|
|
|
|
syntax = "proto2";
|
|
|
|
package k8s.io.api.admission.v1;
|
|
|
|
import "k8s.io/api/authentication/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
|
|
|
// Package-wide variables from generator "generated".
|
|
option go_package = "v1";
|
|
|
|
// AdmissionRequest describes the admission.Attributes for the admission request.
|
|
message AdmissionRequest {
|
|
// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
|
|
// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
|
|
// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
|
|
// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
|
|
optional string uid = 1;
|
|
|
|
// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;
|
|
|
|
// Resource is the fully-qualified resource being requested (for example, v1.pods)
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;
|
|
|
|
// SubResource is the subresource being requested, if any (for example, "status" or "scale")
|
|
// +optional
|
|
optional string subResource = 4;
|
|
|
|
// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
|
|
// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
|
|
//
|
|
// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
|
// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
|
// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
|
// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
|
|
// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
|
|
//
|
|
// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind requestKind = 13;
|
|
|
|
// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
|
|
// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
|
|
//
|
|
// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
|
// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
|
// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
|
// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
|
|
// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
|
|
//
|
|
// See documentation for the "matchPolicy" field in the webhook configuration type.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource requestResource = 14;
|
|
|
|
// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
|
|
// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
|
|
// See documentation for the "matchPolicy" field in the webhook configuration type.
|
|
// +optional
|
|
optional string requestSubResource = 15;
|
|
|
|
// Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
|
|
// rely on the server to generate the name. If that is the case, this field will contain an empty string.
|
|
// +optional
|
|
optional string name = 5;
|
|
|
|
// Namespace is the namespace associated with the request (if any).
|
|
// +optional
|
|
optional string namespace = 6;
|
|
|
|
// Operation is the operation being performed. This may be different than the operation
|
|
// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
|
|
optional string operation = 7;
|
|
|
|
// UserInfo is information about the requesting user
|
|
optional k8s.io.api.authentication.v1.UserInfo userInfo = 8;
|
|
|
|
// Object is the object from the incoming request.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
|
|
|
|
// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
|
|
|
|
// DryRun indicates that modifications will definitely not be persisted for this request.
|
|
// Defaults to false.
|
|
// +optional
|
|
optional bool dryRun = 11;
|
|
|
|
// Options is the operation option structure of the operation being performed.
|
|
// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
|
|
// different than the options the caller provided. e.g. for a patch request the performed
|
|
// Operation might be a CREATE, in which case the Options will a
|
|
// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.runtime.RawExtension options = 12;
|
|
}
|
|
|
|
// AdmissionResponse describes an admission response.
|
|
message AdmissionResponse {
|
|
// UID is an identifier for the individual request/response.
|
|
// This must be copied over from the corresponding AdmissionRequest.
|
|
optional string uid = 1;
|
|
|
|
// Allowed indicates whether or not the admission request was permitted.
|
|
optional bool allowed = 2;
|
|
|
|
// Result contains extra details into why an admission request was denied.
|
|
// This field IS NOT consulted in any way if "Allowed" is "true".
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
|
|
|
|
// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
|
|
// +optional
|
|
optional bytes patch = 4;
|
|
|
|
// The type of Patch. Currently we only allow "JSONPatch".
|
|
// +optional
|
|
optional string patchType = 5;
|
|
|
|
// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
|
|
// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
|
|
// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
|
|
// the admission webhook to add additional context to the audit log for this request.
|
|
// +optional
|
|
map<string, string> auditAnnotations = 6;
|
|
|
|
// warnings is a list of warning messages to return to the requesting API client.
|
|
// Warning messages describe a problem the client making the API request should correct or be aware of.
|
|
// Limit warnings to 120 characters if possible.
|
|
// Warnings over 256 characters and large numbers of warnings may be truncated.
|
|
// +optional
|
|
repeated string warnings = 7;
|
|
}
|
|
|
|
// AdmissionReview describes an admission review request/response.
|
|
message AdmissionReview {
|
|
// Request describes the attributes for the admission request.
|
|
// +optional
|
|
optional AdmissionRequest request = 1;
|
|
|
|
// Response describes the attributes for the admission response.
|
|
// +optional
|
|
optional AdmissionResponse response = 2;
|
|
}
|
|
|