Documentation ¶
Overview ¶
Package options contains flags and options for initializing kube-apiserver
Index ¶
- Constants
- Variables
- func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, ...) error
- func DefaultOffAdmissionPlugins() sets.String
- func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
- func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
- func RegisterAllAdmissionPlugins(plugins *admission.Plugins)
- type AdmissionOptions
- type AnonymousAuthenticationOptions
- type BootstrapTokenAuthenticationOptions
- type BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
- func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)
- func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, ...) error
- func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)
- func (o *BuiltInAuthenticationOptions) Validate() []error
- func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions
- type BuiltInAuthorizationOptions
- type CloudProviderOptions
- type OIDCAuthenticationOptions
- type ServiceAccountAuthenticationOptions
- type TokenFileAuthenticationOptions
- type WebHookAuthenticationOptions
Constants ¶
const DefaultEtcdPathPrefix = "/registry"
DefaultEtcdPathPrefix is the default key prefix of etcd for API Server
Variables ¶
var AllOrderedPlugins = []string{ admit.PluginName, autoprovision.PluginName, lifecycle.PluginName, exists.PluginName, scdeny.PluginName, antiaffinity.PluginName, limitranger.PluginName, serviceaccount.PluginName, noderestriction.PluginName, nodetaint.PluginName, alwayspullimages.PluginName, imagepolicy.PluginName, podsecuritypolicy.PluginName, podnodeselector.PluginName, podpriority.PluginName, defaulttolerationseconds.PluginName, podtolerationrestriction.PluginName, exec.DenyEscalatingExec, exec.DenyExecOnPrivileged, eventratelimit.PluginName, extendedresourcetoleration.PluginName, label.PluginName, setdefault.PluginName, storageobjectinuseprotection.PluginName, gc.PluginName, resize.PluginName, runtimeclass.PluginName, certapproval.PluginName, certsigning.PluginName, certsubjectrestriction.PluginName, defaultingressclass.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName, resourcequota.PluginName, deny.PluginName, }
AllOrderedPlugins is the list of all the plugins in order.
var DefaultServiceIPCIDR = net.IPNet{IP: net.ParseIP("10.0.0.0"), Mask: net.CIDRMask(24, 32)}
DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs
DefaultServiceNodePortRange is the default port range for NodePort services.
Functions ¶
func DefaultAdvertiseAddress ¶
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error
DefaultAdvertiseAddress sets the field AdvertiseAddress if unset. The field will be set based on the SecureServingOptions. If the SecureServingOptions is not present, DefaultExternalAddress will fall back to the insecure ServingOptions.
func DefaultOffAdmissionPlugins ¶
DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
func NewInsecureServingOptions ¶
func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
NewInsecureServingOptions gives default values for the kube-apiserver. TODO: switch insecure serving off by default
func NewSecureServingOptions ¶
func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by "normal" API servers running on the platform
Types ¶
type AdmissionOptions ¶
type AdmissionOptions struct { // GenericAdmission holds the generic admission options. GenericAdmission *genericoptions.AdmissionOptions // DEPRECATED flag, should use EnabledAdmissionPlugins and DisabledAdmissionPlugins. // They are mutually exclusive, specify both will lead to an error. PluginNames []string }
AdmissionOptions holds the admission options. It is a wrap of generic AdmissionOptions.
func NewAdmissionOptions ¶
func NewAdmissionOptions() *AdmissionOptions
NewAdmissionOptions creates a new instance of AdmissionOptions Note:
In addition it calls RegisterAllAdmissionPlugins to register all kube-apiserver admission plugins. Provides the list of RecommendedPluginOrder that holds sane values that can be used by servers that don't care about admission chain. Servers that do care can overwrite/append that field after creation.
func (*AdmissionOptions) AddFlags ¶
func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet
func (*AdmissionOptions) ApplyTo ¶
func (a *AdmissionOptions) ApplyTo( c *server.Config, informers informers.SharedInformerFactory, kubeAPIServerClientConfig *rest.Config, features featuregate.FeatureGate, pluginInitializers ...admission.PluginInitializer, ) error
ApplyTo adds the admission chain to the server configuration. Kube-apiserver just call generic AdmissionOptions.ApplyTo.
func (*AdmissionOptions) Validate ¶
func (a *AdmissionOptions) Validate() []error
Validate verifies flags passed to kube-apiserver AdmissionOptions. Kube-apiserver verifies PluginNames and then call generic AdmissionOptions.Validate.
type AnonymousAuthenticationOptions ¶
type AnonymousAuthenticationOptions struct {
Allow bool
}
AnonymousAuthenticationOptions contains anonymous authentication options for API Server
type BootstrapTokenAuthenticationOptions ¶
type BootstrapTokenAuthenticationOptions struct {
Enable bool
}
BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server
type BuiltInAuthenticationOptions ¶
type BuiltInAuthenticationOptions struct { APIAudiences []string Anonymous *AnonymousAuthenticationOptions BootstrapToken *BootstrapTokenAuthenticationOptions ClientCert *genericoptions.ClientCertAuthenticationOptions OIDC *OIDCAuthenticationOptions RequestHeader *genericoptions.RequestHeaderAuthenticationOptions ServiceAccounts *ServiceAccountAuthenticationOptions TokenFile *TokenFileAuthenticationOptions WebHook *WebHookAuthenticationOptions TokenSuccessCacheTTL time.Duration TokenFailureCacheTTL time.Duration }
BuiltInAuthenticationOptions contains all build-in authentication options for API Server
func NewBuiltInAuthenticationOptions ¶
func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions
NewBuiltInAuthenticationOptions create a new BuiltInAuthenticationOptions, just set default token cache TTL
func (*BuiltInAuthenticationOptions) AddFlags ¶
func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
AddFlags returns flags of authentication for a API Server
func (*BuiltInAuthenticationOptions) ApplyAuthorization ¶
func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)
ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func (*BuiltInAuthenticationOptions) ApplyTo ¶
func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error
ApplyTo requires already applied OpenAPIConfig and EgressSelector if present.
func (*BuiltInAuthenticationOptions) ToAuthenticationConfig ¶
func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)
ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config
func (*BuiltInAuthenticationOptions) Validate ¶
func (o *BuiltInAuthenticationOptions) Validate() []error
Validate checks invalid config combination
func (*BuiltInAuthenticationOptions) WithAll ¶
func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions
WithAll set default value for every build-in authentication option
func (*BuiltInAuthenticationOptions) WithAnonymous ¶
func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions
WithAnonymous set default value for anonymous authentication
func (*BuiltInAuthenticationOptions) WithBootstrapToken ¶
func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions
WithBootstrapToken set default value for bootstrap token authentication
func (*BuiltInAuthenticationOptions) WithClientCert ¶
func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions
WithClientCert set default value for client cert
func (*BuiltInAuthenticationOptions) WithOIDC ¶
func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
WithOIDC set default value for OIDC authentication
func (*BuiltInAuthenticationOptions) WithRequestHeader ¶
func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions
WithRequestHeader set default value for request header authentication
func (*BuiltInAuthenticationOptions) WithServiceAccounts ¶
func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions
WithServiceAccounts set default value for service account authentication
func (*BuiltInAuthenticationOptions) WithTokenFile ¶
func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions
WithTokenFile set default value for token file authentication
func (*BuiltInAuthenticationOptions) WithWebHook ¶
func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions
WithWebHook set default value for web hook authentication
type BuiltInAuthorizationOptions ¶
type BuiltInAuthorizationOptions struct { Modes []string PolicyFile string WebhookConfigFile string WebhookVersion string WebhookCacheAuthorizedTTL time.Duration // WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic. // This allows us to configure the sleep time at each iteration and the maximum number of retries allowed // before we fail the webhook call in order to limit the fan out that ensues when the system is degraded. WebhookRetryBackoff *wait.Backoff }
BuiltInAuthorizationOptions contains all build-in authorization options for API Server
func NewBuiltInAuthorizationOptions ¶
func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions
NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value
func (*BuiltInAuthorizationOptions) AddFlags ¶
func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)
AddFlags returns flags of authorization for a API Server
func (*BuiltInAuthorizationOptions) ToAuthorizationConfig ¶
func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config
ToAuthorizationConfig convert BuiltInAuthorizationOptions to authorizer.Config
func (*BuiltInAuthorizationOptions) Validate ¶
func (o *BuiltInAuthorizationOptions) Validate() []error
Validate checks invalid config combination
type CloudProviderOptions ¶
CloudProviderOptions contains cloud provider config
func NewCloudProviderOptions ¶
func NewCloudProviderOptions() *CloudProviderOptions
NewCloudProviderOptions creates a default CloudProviderOptions
func (*CloudProviderOptions) AddFlags ¶
func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet)
AddFlags returns flags of cloud provider for a API Server
func (*CloudProviderOptions) Validate ¶
func (s *CloudProviderOptions) Validate() []error
Validate checks invalid config
type OIDCAuthenticationOptions ¶
type OIDCAuthenticationOptions struct { CAFile string ClientID string IssuerURL string UsernameClaim string UsernamePrefix string GroupsClaim string GroupsPrefix string SigningAlgs []string RequiredClaims map[string]string }
OIDCAuthenticationOptions contains OIDC authentication options for API Server
type ServiceAccountAuthenticationOptions ¶
type ServiceAccountAuthenticationOptions struct { KeyFiles []string Lookup bool Issuer string JWKSURI string MaxExpiration time.Duration ExtendExpiration bool }
ServiceAccountAuthenticationOptions contains service account authentication options for API Server
type TokenFileAuthenticationOptions ¶
type TokenFileAuthenticationOptions struct {
TokenFile string
}
TokenFileAuthenticationOptions contains token file authentication options for API Server
type WebHookAuthenticationOptions ¶
type WebHookAuthenticationOptions struct { ConfigFile string Version string CacheTTL time.Duration // RetryBackoff specifies the backoff parameters for the authentication webhook retry logic. // This allows us to configure the sleep time at each iteration and the maximum number of retries allowed // before we fail the webhook call in order to limit the fan out that ensues when the system is degraded. RetryBackoff *wait.Backoff }
WebHookAuthenticationOptions contains web hook authentication options for API Server