Documentation ¶
Index ¶
- Variables
- func ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig(in map[string]*configapi.AdmissionPluginConfig) (*apiserver.AdmissionConfiguration, error)
- func IsAdmissionPluginActivated(name string, config io.Reader) bool
- func NewAdmissionChains(admissionConfigFiles []string, ...) (admission.Interface, error)
- func NewPluginInitializer(externalImageRegistryHostname string, internalImageRegistryHostname string, ...) (admission.PluginInitializer, error)
- func RegisterAllAdmissionPlugins(plugins *admission.Plugins)
- func RegisterOpenshiftAdmissionPlugins(plugins *admission.Plugins)
- type InformerAccess
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // these are admission plugins that cannot be applied until after the kubeapiserver starts. // TODO if nothing comes to mind in 3.10, kill this SkipRunLevelZeroPlugins = sets.NewString() // these are admission plugins that cannot be applied until after the openshiftapiserver apiserver starts. SkipRunLevelOnePlugins = sets.NewString( "ProjectRequestLimit", "openshift.io/RestrictSubjectBindings", "openshift.io/ClusterResourceQuota", imagepolicy.PluginName, overrideapi.PluginName, "OriginPodNodeEnvironment", "RunOnceDuration", sccadmission.PluginName, "SCCExecRestrictions", ) // KubeAdmissionPlugins gives the in-order default admission chain for kube resources. KubeAdmissionPlugins = []string{ "AlwaysAdmit", "NamespaceAutoProvision", "NamespaceExists", lifecycle.PluginName, "EventRateLimit", "RunOnceDuration", "PodNodeConstraints", "OriginPodNodeEnvironment", "PodNodeSelector", overrideapi.PluginName, externalipranger.ExternalIPPluginName, restrictedendpoints.RestrictedEndpointsPluginName, imagepolicy.PluginName, "ImagePolicyWebhook", "PodPreset", "LimitRanger", "ServiceAccount", noderestriction.PluginName, "SecurityContextDeny", sccadmission.PluginName, "PodSecurityPolicy", "DenyEscalatingExec", "DenyExecOnPrivileged", storageclassdefaultadmission.PluginName, expandpvcadmission.PluginName, "AlwaysPullImages", "LimitPodHardAntiAffinityTopology", "SCCExecRestrictions", "PersistentVolumeLabel", "OwnerReferencesPermissionEnforcement", ingressadmission.IngressAdmission, "Priority", "ExtendedResourceToleration", "DefaultTolerationSeconds", "StorageObjectInUseProtection", "Initializers", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook", "PodTolerationRestriction", "AlwaysDeny", "ResourceQuota", "openshift.io/ClusterResourceQuota", } // combinedAdmissionControlPlugins gives the in-order default admission chain for all resources resources. // When possible, this list is used. The set of openshift+kube chains must exactly match this set. In addition, // the order specified in the openshift and kube chains must match the order here. CombinedAdmissionControlPlugins = []string{ "AlwaysAdmit", "NamespaceAutoProvision", "NamespaceExists", lifecycle.PluginName, "EventRateLimit", "ProjectRequestLimit", "openshift.io/RestrictSubjectBindings", "openshift.io/JenkinsBootstrapper", "openshift.io/BuildConfigSecretInjector", "BuildByStrategy", imageadmission.PluginName, "RunOnceDuration", "PodNodeConstraints", "OriginPodNodeEnvironment", "PodNodeSelector", overrideapi.PluginName, externalipranger.ExternalIPPluginName, restrictedendpoints.RestrictedEndpointsPluginName, imagepolicy.PluginName, "ImagePolicyWebhook", "PodPreset", "LimitRanger", "ServiceAccount", noderestriction.PluginName, "SecurityContextDeny", sccadmission.PluginName, "PodSecurityPolicy", "DenyEscalatingExec", "DenyExecOnPrivileged", storageclassdefaultadmission.PluginName, expandpvcadmission.PluginName, "AlwaysPullImages", "LimitPodHardAntiAffinityTopology", "SCCExecRestrictions", "PersistentVolumeLabel", "OwnerReferencesPermissionEnforcement", ingressadmission.IngressAdmission, "Priority", "ExtendedResourceToleration", "DefaultTolerationSeconds", "StorageObjectInUseProtection", "Initializers", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook", "PodTolerationRestriction", "AlwaysDeny", "ResourceQuota", "openshift.io/ClusterResourceQuota", } )
View Source
var ( DefaultOnPlugins = sets.NewString( "openshift.io/JenkinsBootstrapper", "openshift.io/BuildConfigSecretInjector", "BuildByStrategy", storageclassdefaultadmission.PluginName, imageadmission.PluginName, lifecycle.PluginName, "OriginPodNodeEnvironment", "PodNodeSelector", "Priority", externalipranger.ExternalIPPluginName, restrictedendpoints.RestrictedEndpointsPluginName, "LimitRanger", "ServiceAccount", noderestriction.PluginName, securityadmission.PluginName, "StorageObjectInUseProtection", "SCCExecRestrictions", "PersistentVolumeLabel", "DefaultStorageClass", "OwnerReferencesPermissionEnforcement", "PodTolerationRestriction", "ResourceQuota", "openshift.io/ClusterResourceQuota", "openshift.io/IngressAdmission", ) // DefaultOffPlugins includes plugins which require explicit configuration to run // if you wire them incorrectly, they may prevent the server from starting DefaultOffPlugins = sets.NewString( "ProjectRequestLimit", "RunOnceDuration", "PodNodeConstraints", overrideapi.PluginName, imagepolicyapi.PluginName, "AlwaysPullImages", "ImagePolicyWebhook", "openshift.io/RestrictSubjectBindings", "LimitPodHardAntiAffinityTopology", "DefaultTolerationSeconds", "PodPreset", "EventRateLimit", "PodSecurityPolicy", "Initializers", "ValidatingAdmissionWebhook", "MutatingAdmissionWebhook", "ExtendedResourceToleration", expandpvcadmission.PluginName, "AlwaysAdmit", "AlwaysDeny", "DenyEscalatingExec", "DenyExecOnPrivileged", "NamespaceAutoProvision", "NamespaceExists", "SecurityContextDeny", ) )
View Source
var OriginAdmissionPlugins = admission.NewPlugins()
TODO register this per apiserver or at least per process
Functions ¶
func ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig ¶
func ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig(in map[string]*configapi.AdmissionPluginConfig) (*apiserver.AdmissionConfiguration, error)
func NewAdmissionChains ¶
func NewPluginInitializer ¶
func NewPluginInitializer( externalImageRegistryHostname string, internalImageRegistryHostname string, cloudConfigFile string, jenkinsConfig configapi.JenkinsPipelineConfig, privilegedLoopbackConfig *rest.Config, informers InformerAccess, authorizer authorizer.Authorizer, projectCache *projectcache.ProjectCache, restMapper meta.RESTMapper, clusterQuotaMappingController *clusterquotamapping.ClusterQuotaMappingController, ) (admission.PluginInitializer, error)
func RegisterAllAdmissionPlugins ¶
RegisterAllAdmissionPlugins registers all admission plugins
Types ¶
type InformerAccess ¶
type InformerAccess interface { GetInternalKubernetesInformers() kinternalinformers.SharedInformerFactory GetKubernetesInformers() kexternalinformers.SharedInformerFactory GetOpenshiftImageInformers() imagev1informer.SharedInformerFactory GetInternalOpenshiftQuotaInformers() quotainformer.SharedInformerFactory GetInternalOpenshiftSecurityInformers() securityinformer.SharedInformerFactory GetOpenshiftUserInformers() userv1informer.SharedInformerFactory }
Click to show internal directories.
Click to hide internal directories.