Documentation ¶
Overview ¶
package options is the public flags and options used by a generic api server. It takes a minimal set of dependencies and does not reference implementations, in order to ensure it may be reused by multiple components (such as CLI commands that wish to generate or validate config).
Index ¶
- Constants
- Variables
- func CreateListener(network, addr string, config net.ListenConfig) (net.Listener, int, error)
- func DefaultAuthWebhookRetryBackoff() *wait.Backoff
- func ParseWatchCacheSizes(cacheSizes []string) (map[schema.GroupResource]int, error)
- func WriteWatchCacheSizes(watchCacheSizes map[schema.GroupResource]int) ([]string, error)
- type APIEnablementOptions
- type AdmissionOptions
- type AuditBatchOptions
- type AuditDynamicOptions
- type AuditLogOptions
- type AuditOptions
- type AuditTruncateOptions
- type AuditWebhookOptions
- type CertKey
- type ClientCertAuthenticationOptions
- type CoreAPIOptions
- type DelegatingAuthenticationOptions
- func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
- func (s *DelegatingAuthenticationOptions) ApplyTo(authenticationInfo *server.AuthenticationInfo, ...) error
- func (s *DelegatingAuthenticationOptions) Validate() []error
- func (s *DelegatingAuthenticationOptions) WithClientTimeout(timeout time.Duration)
- func (s *DelegatingAuthenticationOptions) WithCustomRetryBackoff(backoff wait.Backoff)
- type DelegatingAuthorizationOptions
- func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet)
- func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.AuthorizationInfo) error
- func (s *DelegatingAuthorizationOptions) Validate() []error
- func (s *DelegatingAuthorizationOptions) WithAlwaysAllowGroups(groups ...string) *DelegatingAuthorizationOptions
- func (s *DelegatingAuthorizationOptions) WithAlwaysAllowPaths(paths ...string) *DelegatingAuthorizationOptions
- func (s *DelegatingAuthorizationOptions) WithClientTimeout(timeout time.Duration)
- func (s *DelegatingAuthorizationOptions) WithCustomRetryBackoff(backoff wait.Backoff)
- type DeprecatedInsecureServingOptions
- func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet)
- func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet)
- func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error
- func (s *DeprecatedInsecureServingOptions) Validate() []error
- func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback
- type DeprecatedInsecureServingOptionsWithLoopback
- type DynamicRequestHeaderController
- type EgressSelectorOptions
- type EtcdOptions
- type FeatureOptions
- type GeneratableKeyCert
- type GroupRegisty
- type RecommendedOptions
- type RequestHeaderAuthenticationOptions
- type SecureServingOptions
- func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet)
- func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error
- func (s *SecureServingOptions) DefaultExternalAddress() (net.IP, error)
- func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress string, alternateDNS []string, alternateIPs []net.IP) error
- func (s *SecureServingOptions) Validate() []error
- func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback
- type SecureServingOptionsWithLoopback
- type ServerRunOptions
- type SimpleRestOptionsFactory
- type StorageFactoryRestOptionsFactory
Constants ¶
const ( // ModeBatch indicates that the audit backend should buffer audit events // internally, sending batch updates either once a certain number of // events have been received or a certain amount of time has passed. ModeBatch = "batch" // ModeBlocking causes the audit backend to block on every attempt to process // a set of events. This causes requests to the API server to wait for the // flush before sending a response. ModeBlocking = "blocking" // ModeBlockingStrict is the same as ModeBlocking, except when there is // a failure during audit logging at RequestReceived stage, the whole // request to apiserver will fail. ModeBlockingStrict = "blocking-strict" )
Variables ¶
var AllowedModes = []string{ ModeBatch, ModeBlocking, ModeBlockingStrict, }
AllowedModes is the modes known for audit backends.
Functions ¶
func CreateListener ¶
func DefaultAuthWebhookRetryBackoff ¶
DefaultAuthWebhookRetryBackoff is the default backoff parameters for both authentication and authorization webhook used by the apiserver.
Types ¶
type APIEnablementOptions ¶
type APIEnablementOptions struct {
RuntimeConfig cliflag.ConfigurationMap
}
APIEnablementOptions contains the options for which resources to turn on and off. Given small aggregated API servers, this option isn't required for "normal" API servers
func NewAPIEnablementOptions ¶
func NewAPIEnablementOptions() *APIEnablementOptions
func (*APIEnablementOptions) AddFlags ¶
func (s *APIEnablementOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds flags for a specific APIServer to the specified FlagSet
func (*APIEnablementOptions) ApplyTo ¶
func (s *APIEnablementOptions) ApplyTo(c *server.Config, defaultResourceConfig *serverstore.ResourceConfig, registry resourceconfig.GroupVersionRegistry) error
ApplyTo override MergedResourceConfig with defaults and registry
func (*APIEnablementOptions) Validate ¶
func (s *APIEnablementOptions) Validate(registries ...GroupRegisty) []error
Validate validates RuntimeConfig with a list of registries. Usually this list only has one element, the apiserver registry of the process. But in the advanced (and usually not recommended) case of delegated apiservers there can be more. Validate will filter out the known groups of each registry. If anything is left over after that, an error is returned.
type AdmissionOptions ¶
type AdmissionOptions struct { // RecommendedPluginOrder holds an ordered list of plugin names we recommend to use by default RecommendedPluginOrder []string // DefaultOffPlugins is a set of plugin names that is disabled by default DefaultOffPlugins sets.String // EnablePlugins indicates plugins to be enabled passed through `--enable-admission-plugins`. EnablePlugins []string // DisablePlugins indicates plugins to be disabled passed through `--disable-admission-plugins`. DisablePlugins []string // ConfigFile is the file path with admission control configuration. ConfigFile string // Plugins contains all registered plugins. Plugins *admission.Plugins // Decorators is a list of admission decorator to wrap around the admission plugins Decorators admission.Decorators }
AdmissionOptions holds the admission options
func NewAdmissionOptions ¶
func NewAdmissionOptions() *AdmissionOptions
NewAdmissionOptions creates a new instance of AdmissionOptions Note:
In addition it calls RegisterAllAdmissionPlugins to register all generic admission plugins. Provides the list of RecommendedPluginOrder that holds sane values that can be used by servers that don't care about admission chain. Servers that do care can overwrite/append that field after creation.
func (*AdmissionOptions) AddFlags ¶
func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds flags related to admission for a specific APIServer to the specified FlagSet
func (*AdmissionOptions) ApplyTo ¶
func (a *AdmissionOptions) ApplyTo( c *server.Config, informers informers.SharedInformerFactory, kubeAPIServerClientConfig *rest.Config, features featuregate.FeatureGate, pluginInitializers ...admission.PluginInitializer, ) error
ApplyTo adds the admission chain to the server configuration. In case admission plugin names were not provided by a cluster-admin they will be prepared from the recommended/default values. In addition the method lazily initializes a generic plugin that is appended to the list of pluginInitializers note this method uses:
genericconfig.Authorizer
func (*AdmissionOptions) Validate ¶
func (a *AdmissionOptions) Validate() []error
Validate verifies flags passed to AdmissionOptions.
type AuditBatchOptions ¶
type AuditBatchOptions struct { // Should the backend asynchronous batch events to the webhook backend or // should the backend block responses? // // Defaults to asynchronous batch events. Mode string // Configuration for batching backend. Only used in batch mode. BatchConfig pluginbuffered.BatchConfig }
func (*AuditBatchOptions) AddFlags ¶
func (o *AuditBatchOptions) AddFlags(pluginName string, fs *pflag.FlagSet)
type AuditDynamicOptions ¶
type AuditDynamicOptions struct { // Enabled tells whether the dynamic audit capability is enabled. Enabled bool // Configuration for batching backend. This is currently only used as an override // for integration tests BatchConfig *pluginbuffered.BatchConfig }
AuditDynamicOptions control the configuration of dynamic backends for audit events
type AuditLogOptions ¶
type AuditLogOptions struct { Path string MaxAge int MaxBackups int MaxSize int Format string Compress bool BatchOptions AuditBatchOptions TruncateOptions AuditTruncateOptions // API group version used for serializing audit events. GroupVersionString string }
AuditLogOptions determines the output of the structured audit log by default.
func (*AuditLogOptions) AddFlags ¶
func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet)
func (*AuditLogOptions) Validate ¶
func (o *AuditLogOptions) Validate() []error
type AuditOptions ¶
type AuditOptions struct { // Policy configuration file for filtering audit events that are captured. // If unspecified, a default is provided. PolicyFile string // Plugin options LogOptions AuditLogOptions WebhookOptions AuditWebhookOptions }
func NewAuditOptions ¶
func NewAuditOptions() *AuditOptions
func (*AuditOptions) AddFlags ¶
func (o *AuditOptions) AddFlags(fs *pflag.FlagSet)
func (*AuditOptions) ApplyTo ¶
func (o *AuditOptions) ApplyTo( c *server.Config, ) error
func (*AuditOptions) Validate ¶
func (o *AuditOptions) Validate() []error
Validate checks invalid config combination
type AuditTruncateOptions ¶
type AuditTruncateOptions struct { // Whether truncating is enabled or not. Enabled bool // Truncating configuration. TruncateConfig plugintruncate.Config }
func NewAuditTruncateOptions ¶
func NewAuditTruncateOptions() AuditTruncateOptions
func (*AuditTruncateOptions) AddFlags ¶
func (o *AuditTruncateOptions) AddFlags(pluginName string, fs *pflag.FlagSet)
func (*AuditTruncateOptions) Validate ¶
func (o *AuditTruncateOptions) Validate(pluginName string) error
type AuditWebhookOptions ¶
type AuditWebhookOptions struct { ConfigFile string InitialBackoff time.Duration BatchOptions AuditBatchOptions TruncateOptions AuditTruncateOptions // API group version used for serializing audit events. GroupVersionString string }
AuditWebhookOptions control the webhook configuration for audit events.
func (*AuditWebhookOptions) AddFlags ¶
func (o *AuditWebhookOptions) AddFlags(fs *pflag.FlagSet)
func (*AuditWebhookOptions) Validate ¶
func (o *AuditWebhookOptions) Validate() []error
type CertKey ¶
type ClientCertAuthenticationOptions ¶
type ClientCertAuthenticationOptions struct { // ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates ClientCA string // CAContentProvider are the options for verifying incoming connections using mTLS and directly assigning to users. // Generally this is the CA bundle file used to authenticate client certificates // If non-nil, this takes priority over the ClientCA file. CAContentProvider dynamiccertificates.CAContentProvider }
ClientCertAuthenticationOptions provides different options for client cert auth. You should use `GetClientVerifyOptionFn` to get the verify options for your authenticator.
func (*ClientCertAuthenticationOptions) AddFlags ¶
func (s *ClientCertAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
func (*ClientCertAuthenticationOptions) GetClientCAContentProvider ¶
func (s *ClientCertAuthenticationOptions) GetClientCAContentProvider() (dynamiccertificates.CAContentProvider, error)
GetClientVerifyOptionFn provides verify options for your authenticator while respecting the preferred order of verifiers.
type CoreAPIOptions ¶
type CoreAPIOptions struct { // CoreAPIKubeconfigPath is a filename for a kubeconfig file to contact the core API server with. // If it is not set, the in cluster config is used. CoreAPIKubeconfigPath string }
CoreAPIOptions contains options to configure the connection to a core API Kubernetes apiserver.
func NewCoreAPIOptions ¶
func NewCoreAPIOptions() *CoreAPIOptions
func (*CoreAPIOptions) AddFlags ¶
func (o *CoreAPIOptions) AddFlags(fs *pflag.FlagSet)
func (*CoreAPIOptions) ApplyTo ¶
func (o *CoreAPIOptions) ApplyTo(config *server.RecommendedConfig) error
func (*CoreAPIOptions) Validate ¶
func (o *CoreAPIOptions) Validate() []error
type DelegatingAuthenticationOptions ¶
type DelegatingAuthenticationOptions struct { // RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the // TokenAccessReview.authentication.k8s.io endpoint for checking tokens. RemoteKubeConfigFile string // RemoteKubeConfigFileOptional is specifying whether not specifying the kubeconfig or // a missing in-cluster config will be fatal. RemoteKubeConfigFileOptional bool // CacheTTL is the length of time that a token authentication answer will be cached. CacheTTL time.Duration ClientCert ClientCertAuthenticationOptions RequestHeader RequestHeaderAuthenticationOptions // SkipInClusterLookup indicates missing authentication configuration should not be retrieved from the cluster configmap SkipInClusterLookup bool // TolerateInClusterLookupFailure indicates failures to look up authentication configuration from the cluster configmap should not be fatal. // Setting this can result in an authenticator that will reject all requests. TolerateInClusterLookupFailure bool // WebhookRetryBackoff specifies the backoff parameters for the authentication webhook retry logic. // This allows us to configure the sleep time at each iteration and the maximum number of retries allowed // before we fail the webhook call in order to limit the fan out that ensues when the system is degraded. WebhookRetryBackoff *wait.Backoff // ClientTimeout specifies a time limit for requests made by the authorization webhook client. // The default value is set to 10 seconds. ClientTimeout time.Duration }
DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to the root kube API server. The API federator will act as a front proxy and direction connections will be able to delegate to the core kube API server
func NewDelegatingAuthenticationOptions ¶
func NewDelegatingAuthenticationOptions() *DelegatingAuthenticationOptions
func (*DelegatingAuthenticationOptions) AddFlags ¶
func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
func (*DelegatingAuthenticationOptions) ApplyTo ¶
func (s *DelegatingAuthenticationOptions) ApplyTo(authenticationInfo *server.AuthenticationInfo, servingInfo *server.SecureServingInfo, openAPIConfig *openapicommon.Config) error
func (*DelegatingAuthenticationOptions) Validate ¶
func (s *DelegatingAuthenticationOptions) Validate() []error
func (*DelegatingAuthenticationOptions) WithClientTimeout ¶
func (s *DelegatingAuthenticationOptions) WithClientTimeout(timeout time.Duration)
WithClientTimeout sets the given timeout for the authentication webhook client.
func (*DelegatingAuthenticationOptions) WithCustomRetryBackoff ¶
func (s *DelegatingAuthenticationOptions) WithCustomRetryBackoff(backoff wait.Backoff)
WithCustomRetryBackoff sets the custom backoff parameters for the authentication webhook retry logic.
type DelegatingAuthorizationOptions ¶
type DelegatingAuthorizationOptions struct { // RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the // SubjectAccessReview.authorization.k8s.io endpoint for checking tokens. RemoteKubeConfigFile string // RemoteKubeConfigFileOptional is specifying whether not specifying the kubeconfig or // a missing in-cluster config will be fatal. RemoteKubeConfigFileOptional bool // AllowCacheTTL is the length of time that a successful authorization response will be cached AllowCacheTTL time.Duration // DenyCacheTTL is the length of time that an unsuccessful authorization response will be cached. // You generally want more responsive, "deny, try again" flows. DenyCacheTTL time.Duration // AlwaysAllowPaths are HTTP paths which are excluded from authorization. They can be plain // paths or end in * in which case prefix-match is applied. A leading / is optional. AlwaysAllowPaths []string // AlwaysAllowGroups are groups which are allowed to take any actions. In kube, this is system:masters. AlwaysAllowGroups []string // ClientTimeout specifies a time limit for requests made by SubjectAccessReviews client. // The default value is set to 10 seconds. ClientTimeout time.Duration // WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic. // This allows us to configure the sleep time at each iteration and the maximum number of retries allowed // before we fail the webhook call in order to limit the fan out that ensues when the system is degraded. WebhookRetryBackoff *wait.Backoff }
DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to the root kube API server. WARNING: never assume that every authenticated incoming request already does authorization.
The aggregator in the kube API server does this today, but this behaviour is not guaranteed in the future.
func NewDelegatingAuthorizationOptions ¶
func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions
func (*DelegatingAuthorizationOptions) AddFlags ¶
func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet)
func (*DelegatingAuthorizationOptions) ApplyTo ¶
func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.AuthorizationInfo) error
func (*DelegatingAuthorizationOptions) Validate ¶
func (s *DelegatingAuthorizationOptions) Validate() []error
func (*DelegatingAuthorizationOptions) WithAlwaysAllowGroups ¶
func (s *DelegatingAuthorizationOptions) WithAlwaysAllowGroups(groups ...string) *DelegatingAuthorizationOptions
WithAlwaysAllowGroups appends the list of paths to AlwaysAllowGroups
func (*DelegatingAuthorizationOptions) WithAlwaysAllowPaths ¶
func (s *DelegatingAuthorizationOptions) WithAlwaysAllowPaths(paths ...string) *DelegatingAuthorizationOptions
WithAlwaysAllowPaths appends the list of paths to AlwaysAllowPaths
func (*DelegatingAuthorizationOptions) WithClientTimeout ¶
func (s *DelegatingAuthorizationOptions) WithClientTimeout(timeout time.Duration)
WithClientTimeout sets the given timeout for SAR client used by this authorizer
func (*DelegatingAuthorizationOptions) WithCustomRetryBackoff ¶
func (s *DelegatingAuthorizationOptions) WithCustomRetryBackoff(backoff wait.Backoff)
WithCustomRetryBackoff sets the custom backoff parameters for the authorization webhook retry logic.
type DeprecatedInsecureServingOptions ¶
type DeprecatedInsecureServingOptions struct { BindAddress net.IP BindPort int // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp", // "tcp4", and "tcp6". BindNetwork string // Listener is the secure server network listener. // either Listener or BindAddress/BindPort/BindNetwork is set, // if Listener is set, use it and omit BindAddress/BindPort/BindNetwork. Listener net.Listener // ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests. // It defaults to options.CreateListener. ListenFunc func(network, addr string, config net.ListenConfig) (net.Listener, int, error) }
DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port. No one should be using these anymore. DEPRECATED: all insecure serving options are removed in a future version
func (*DeprecatedInsecureServingOptions) AddFlags ¶
func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds flags related to insecure serving to the specified FlagSet.
func (*DeprecatedInsecureServingOptions) AddUnqualifiedFlags ¶
func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet)
AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
func (*DeprecatedInsecureServingOptions) ApplyTo ¶
func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error
ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo and kube-controller manager configuration. Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
func (*DeprecatedInsecureServingOptions) Validate ¶
func (s *DeprecatedInsecureServingOptions) Validate() []error
Validate ensures that the insecure port values within the range of the port.
func (*DeprecatedInsecureServingOptions) WithLoopback ¶
func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback
WithLoopback adds loopback functionality to the serving options.
type DeprecatedInsecureServingOptionsWithLoopback ¶
type DeprecatedInsecureServingOptionsWithLoopback struct {
*DeprecatedInsecureServingOptions
}
DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions. DEPRECATED: all insecure serving options will be removed in a future version, however note that there are security concerns over how health checks can work here - see e.g. #43784
func (*DeprecatedInsecureServingOptionsWithLoopback) ApplyTo ¶
func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo **server.DeprecatedInsecureServingInfo, loopbackClientConfig **rest.Config) error
ApplyTo fills up serving information in the server configuration.
type DynamicRequestHeaderController ¶
type DynamicRequestHeaderController struct { *dynamiccertificates.ConfigMapCAController *headerrequest.RequestHeaderAuthRequestController }
DynamicRequestHeaderController combines DynamicCAFromConfigMapController and RequestHeaderAuthRequestController into one controller for dynamically filling RequestHeaderConfig struct
func (*DynamicRequestHeaderController) Run ¶
func (c *DynamicRequestHeaderController) Run(workers int, stopCh <-chan struct{})
func (*DynamicRequestHeaderController) RunOnce ¶
func (c *DynamicRequestHeaderController) RunOnce() error
type EgressSelectorOptions ¶
type EgressSelectorOptions struct { // ConfigFile is the file path with api-server egress selector configuration. ConfigFile string }
EgressSelectorOptions holds the api server egress selector options. See https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/20190226-network-proxy.md
func NewEgressSelectorOptions ¶
func NewEgressSelectorOptions() *EgressSelectorOptions
NewEgressSelectorOptions creates a new instance of EgressSelectorOptions
The option is to point to a configuration file for egress/konnectivity. This determines which types of requests use egress/konnectivity and how they use it. If empty the API Server will attempt to connect directly using the network.
func (*EgressSelectorOptions) AddFlags ¶
func (o *EgressSelectorOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds flags related to admission for a specific APIServer to the specified FlagSet
func (*EgressSelectorOptions) ApplyTo ¶
func (o *EgressSelectorOptions) ApplyTo(c *server.Config) error
ApplyTo adds the egress selector settings to the server configuration. In case egress selector settings were not provided by a cluster-admin they will be prepared from the recommended/default/no-op values.
func (*EgressSelectorOptions) Validate ¶
func (o *EgressSelectorOptions) Validate() []error
Validate verifies flags passed to EgressSelectorOptions.
type EtcdOptions ¶
type EtcdOptions struct { // The value of Paging on StorageConfig will be overridden by the // calculated feature gate value. StorageConfig storagebackend.Config EncryptionProviderConfigFilepath string EtcdServersOverrides []string // To enable protobuf as storage format, it is enough // to set it to "application/vnd.kubernetes.protobuf". DefaultStorageMediaType string DeleteCollectionWorkers int EnableGarbageCollection bool // Set EnableWatchCache to false to disable all watch caches EnableWatchCache bool // Set DefaultWatchCacheSize to zero to disable watch caches for those resources that have no explicit cache size set DefaultWatchCacheSize int // WatchCacheSizes represents override to a given resource WatchCacheSizes []string }
func NewEtcdOptions ¶
func NewEtcdOptions(backendConfig *storagebackend.Config) *EtcdOptions
func (*EtcdOptions) AddFlags ¶
func (s *EtcdOptions) AddFlags(fs *pflag.FlagSet)
AddEtcdFlags adds flags related to etcd storage for a specific APIServer to the specified FlagSet
func (*EtcdOptions) ApplyTo ¶
func (s *EtcdOptions) ApplyTo(c *server.Config) error
func (*EtcdOptions) ApplyWithStorageFactoryTo ¶
func (s *EtcdOptions) ApplyWithStorageFactoryTo(factory serverstorage.StorageFactory, c *server.Config) error
func (*EtcdOptions) Validate ¶
func (s *EtcdOptions) Validate() []error
type FeatureOptions ¶
func NewFeatureOptions ¶
func NewFeatureOptions() *FeatureOptions
func (*FeatureOptions) AddFlags ¶
func (o *FeatureOptions) AddFlags(fs *pflag.FlagSet)
func (*FeatureOptions) ApplyTo ¶
func (o *FeatureOptions) ApplyTo(c *server.Config) error
func (*FeatureOptions) Validate ¶
func (o *FeatureOptions) Validate() []error
type GeneratableKeyCert ¶
type GeneratableKeyCert struct { // CertKey allows setting an explicit cert/key file to use. CertKey CertKey // CertDirectory specifies a directory to write generated certificates to if CertFile/KeyFile aren't explicitly set. // PairName is used to determine the filenames within CertDirectory. // If CertDirectory and PairName are not set, an in-memory certificate will be generated. CertDirectory string // PairName is the name which will be used with CertDirectory to make a cert and key filenames. // It becomes CertDirectory/PairName.crt and CertDirectory/PairName.key PairName string // GeneratedCert holds an in-memory generated certificate if CertFile/KeyFile aren't explicitly set, and CertDirectory/PairName are not set. GeneratedCert dynamiccertificates.CertKeyContentProvider // FixtureDirectory is a directory that contains test fixture used to avoid regeneration of certs during tests. // The format is: // <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt // <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key FixtureDirectory string }
type GroupRegisty ¶
type GroupRegisty interface { // IsRegistered returns true if given group is registered. IsGroupRegistered(group string) bool }
GroupRegisty provides a method to check whether given group is registered.
type RecommendedOptions ¶
type RecommendedOptions struct { Etcd *EtcdOptions SecureServing *SecureServingOptionsWithLoopback Authentication *DelegatingAuthenticationOptions Authorization *DelegatingAuthorizationOptions Audit *AuditOptions Features *FeatureOptions CoreAPI *CoreAPIOptions // FeatureGate is a way to plumb feature gate through if you have them. FeatureGate featuregate.FeatureGate // ExtraAdmissionInitializers is called once after all ApplyTo from the options above, to pass the returned // admission plugin initializers to Admission.ApplyTo. ExtraAdmissionInitializers func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) Admission *AdmissionOptions // API Server Egress Selector is used to control outbound traffic from the API Server EgressSelector *EgressSelectorOptions }
RecommendedOptions contains the recommended options for running an API server. If you add something to this list, it should be in a logical grouping. Each of them can be nil to leave the feature unconfigured on ApplyTo.
func NewRecommendedOptions ¶
func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions
func (*RecommendedOptions) AddFlags ¶
func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet)
func (*RecommendedOptions) ApplyTo ¶
func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig) error
ApplyTo adds RecommendedOptions to the server configuration. pluginInitializers can be empty, it is only need for additional initializers.
func (*RecommendedOptions) Validate ¶
func (o *RecommendedOptions) Validate() []error
type RequestHeaderAuthenticationOptions ¶
type RequestHeaderAuthenticationOptions struct { // ClientCAFile is the root certificate bundle to verify client certificates on incoming requests // before trusting usernames in headers. ClientCAFile string UsernameHeaders []string GroupHeaders []string ExtraHeaderPrefixes []string AllowedNames []string }
func (*RequestHeaderAuthenticationOptions) AddFlags ¶
func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
func (*RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig ¶
func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() (*authenticatorfactory.RequestHeaderConfig, error)
ToAuthenticationRequestHeaderConfig returns a RequestHeaderConfig config object for these options if necessary, nil otherwise.
func (*RequestHeaderAuthenticationOptions) Validate ¶
func (s *RequestHeaderAuthenticationOptions) Validate() []error
type SecureServingOptions ¶
type SecureServingOptions struct { BindAddress net.IP // BindPort is ignored when Listener is set, will serve https even with 0. BindPort int // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp", // "tcp4", and "tcp6". BindNetwork string // Required set to true means that BindPort cannot be zero. Required bool // ExternalAddress is the address advertised, even if BindAddress is a loopback. By default this // is set to BindAddress if the later no loopback, or to the first host interface address. ExternalAddress net.IP // Listener is the secure server network listener. // either Listener or BindAddress/BindPort/BindNetwork is set, // if Listener is set, use it and omit BindAddress/BindPort/BindNetwork. Listener net.Listener // ServerCert is the TLS cert info for serving secure traffic ServerCert GeneratableKeyCert // SNICertKeys are named CertKeys for serving secure traffic with SNI support. SNICertKeys []cliflag.NamedCertKey // CipherSuites is the list of allowed cipher suites for the server. // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). CipherSuites []string // MinTLSVersion is the minimum TLS version supported. // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). MinTLSVersion string // HTTP2MaxStreamsPerConnection is the limit that the api server imposes on each client. // A value of zero means to use the default provided by golang's HTTP/2 support. HTTP2MaxStreamsPerConnection int // PermitPortSharing controls if SO_REUSEPORT is used when binding the port, which allows // more than one instance to bind on the same address and port. PermitPortSharing bool }
func NewSecureServingOptions ¶
func NewSecureServingOptions() *SecureServingOptions
func (*SecureServingOptions) AddFlags ¶
func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet)
func (*SecureServingOptions) ApplyTo ¶
func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error
ApplyTo fills up serving information in the server configuration.
func (*SecureServingOptions) DefaultExternalAddress ¶
func (s *SecureServingOptions) DefaultExternalAddress() (net.IP, error)
func (*SecureServingOptions) MaybeDefaultWithSelfSignedCerts ¶
func (*SecureServingOptions) Validate ¶
func (s *SecureServingOptions) Validate() []error
func (*SecureServingOptions) WithLoopback ¶
func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback
type SecureServingOptionsWithLoopback ¶
type SecureServingOptionsWithLoopback struct {
*SecureServingOptions
}
func (*SecureServingOptionsWithLoopback) ApplyTo ¶
func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.SecureServingInfo, loopbackClientConfig **rest.Config) error
ApplyTo fills up serving information in the server configuration.
type ServerRunOptions ¶
type ServerRunOptions struct { AdvertiseAddress net.IP CorsAllowedOriginList []string ExternalHost string MaxRequestsInFlight int MaxMutatingRequestsInFlight int RequestTimeout time.Duration GoawayChance float64 LivezGracePeriod time.Duration MinRequestTimeout int ShutdownDelayDuration time.Duration // We intentionally did not add a flag for this option. Users of the // apiserver library can wire it to a flag. JSONPatchMaxCopyBytes int64 // The limit on the request body size that would be accepted and // decoded in a write request. 0 means no limit. // We intentionally did not add a flag for this option. Users of the // apiserver library can wire it to a flag. MaxRequestBodyBytes int64 EnablePriorityAndFairness bool }
ServerRunOptions contains the options while running a generic api server.
func NewServerRunOptions ¶
func NewServerRunOptions() *ServerRunOptions
func (*ServerRunOptions) AddUniversalFlags ¶
func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet)
AddUniversalFlags adds flags for a specific APIServer to the specified FlagSet
func (*ServerRunOptions) ApplyTo ¶
func (s *ServerRunOptions) ApplyTo(c *server.Config) error
ApplyTo applies the run options to the method receiver and returns self
func (*ServerRunOptions) DefaultAdvertiseAddress ¶
func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions) error
DefaultAdvertiseAddress sets the field AdvertiseAddress if unset. The field will be set based on the SecureServingOptions.
func (*ServerRunOptions) Validate ¶
func (s *ServerRunOptions) Validate() []error
Validate checks validation of ServerRunOptions
type SimpleRestOptionsFactory ¶
type SimpleRestOptionsFactory struct {
Options EtcdOptions
}
func (*SimpleRestOptionsFactory) GetRESTOptions ¶
func (f *SimpleRestOptionsFactory) GetRESTOptions(resource schema.GroupResource) (generic.RESTOptions, error)
type StorageFactoryRestOptionsFactory ¶
type StorageFactoryRestOptionsFactory struct { Options EtcdOptions StorageFactory serverstorage.StorageFactory }
func (*StorageFactoryRestOptionsFactory) GetRESTOptions ¶
func (f *StorageFactoryRestOptionsFactory) GetRESTOptions(resource schema.GroupResource) (generic.RESTOptions, error)