Documentation
Constants
const (
CloudscaleLoadbalancerUUIDAnnotation = "k8s.cloudscale.ch/loadbalancer-uuid"
)
const OpenShiftProjectRequesterAnnotation = "openshift.io/requester"
Variables
This section is empty.
Functions
This section is empty.
Types
type NamespaceMetadataValidator added in v0.16.0
type NamespaceMetadataValidator struct {
Decoder admission.Decoder
Skipper skipper.Skipper
// ReservedNamespaces is a list of namespaces that are reserved and do not count towards the quota.
// Supports '*' and '?' wildcards.
ReservedNamespaces []string
// AllowedAnnotations is a list of annotations that are allowed on the namespace.
// Supports '*' and '?' wildcards.
AllowedAnnotations []string
// AllowedLabels is a list of labels that are allowed on the namespace.
// Supports '*' and '?' wildcards.
AllowedLabels []string
}
NamespaceMetadataValidator validates the metadata of a namespace.
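As an added illustration (not code from this package), the allow-list check that the AllowedLabels and AllowedAnnotations fields describe, with a small matcher for the '*' and '?' wildcards; the wildcard semantics and the function names are this example's assumptions:

```go
package main

import "sort"

// matchGlob reports whether s matches pattern, where '*' matches any run of characters
// (including '/') and '?' matches exactly one character. This is the assumed meaning of
// the "Supports '*' and '?' wildcards" field docs, not the project's own matcher.
func matchGlob(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	switch pattern[0] {
	case '*': // try every possible length for the run consumed by '*'
		for i := 0; i <= len(s); i++ {
			if matchGlob(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	case '?':
		return s != "" && matchGlob(pattern[1:], s[1:])
	default:
		return s != "" && s[0] == pattern[0] && matchGlob(pattern[1:], s[1:])
	}
}

// disallowedKeys returns the keys of meta (labels or annotations) that match none of the
// allowed patterns; an empty result means the object passes. Keys are sorted so the
// denial message is deterministic.
func disallowedKeys(allowed []string, meta map[string]string) []string {
	var bad []string
	for key := range meta {
		ok := false
		for _, p := range allowed {
			if matchGlob(p, key) {
				ok = true
				break
			}
		}
		if !ok {
			bad = append(bad, key)
		}
	}
	sort.Strings(bad)
	return bad
}
```

Run it once with AllowedLabels over the namespace's labels and once with AllowedAnnotations over its annotations; a non-empty result is the list of keys to name in the denial.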
type NamespaceProjectOrganizationMutator added in v0.16.0
type NamespaceProjectOrganizationMutator struct {
Decoder admission.Decoder
Client client.Reader
Skipper skipper.Skipper
// OrganizationLabel is the label used to mark namespaces to belong to an organization
OrganizationLabel string
// UserDefaultOrganizationAnnotation is the annotation the default organization setting for a user is stored in.
UserDefaultOrganizationAnnotation string
}
NamespaceProjectOrganizationMutator adds the OrganizationLabel to namespace and project create requests.
func (*NamespaceProjectOrganizationMutator) Handle added in v0.16.0
func (m *NamespaceProjectOrganizationMutator) Handle(ctx context.Context, req admission.Request) admission.Response
Handle handles the admission requests.
If the requestor is a service account:
- Project requests are denied.
- Namespace requests are checked against the organization of the service account's namespace.
- If the organization is not set in the request, the organization of the service account's namespace is added.
- If the service account's namespace has no organization set, the request is denied.
If the requestor is an OpenShift user:
- If there is no OrganizationLabel set on the object, the default organization of the user is used; if there is no default organization set for the user, the request is denied.
- Namespace requests use the username of the request's user info.
- Project requests use the annotation `openshift.io/requester` on the project object. If the annotation is not set, the request is allowed.
- If the user is not a member of the organization, the request is denied; this is done by checking for an OpenShift group with the same name as the organization.
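An added example, not the package's Handle implementation, that walks the rules above as a pure decision function over constructed inputs; the type names, the example.com/organization label and the treatment of a service account request whose label disagrees with its namespace's organization (denied here) are assumptions:

```go
package main
import (
	"fmt"
	"strings"
)

type orgRequest struct { // constructed stand-in for what Handle reads from the request
	Kind        string            // "Namespace" or "Project"
	Username    string            // admission UserInfo.Username
	Labels      map[string]string // object labels
	Annotations map[string]string // object annotations
}
type cluster struct { // constructed stand-in for what Handle reads via its Client
	orgOfNamespace   map[string]string          // namespace -> OrganizationLabel value
	defaultOrgOfUser map[string]string          // user -> UserDefaultOrganizationAnnotation value
	groupMembers     map[string]map[string]bool // OpenShift group name -> member set
}
const orgLabel, saPrefix = "example.com/organization", "system:serviceaccount:" // orgLabel: placeholder for OrganizationLabel

// decideOrganization returns the organization to set on the object, or the denial reason.
func decideOrganization(c cluster, r orgRequest) (string, error) {
	if strings.HasPrefix(r.Username, saPrefix) {
		if r.Kind == "Project" {
			return "", fmt.Errorf("%s requests from service accounts are denied", r.Kind)
		}
		// Username is system:serviceaccount:<namespace>:<name>; look up that namespace's organization.
		saOrg := c.orgOfNamespace[strings.SplitN(strings.TrimPrefix(r.Username, saPrefix), ":", 2)[0]]
		if saOrg == "" {
			return "", fmt.Errorf("namespace of service account %q has no organization", r.Username)
		}
		if org := r.Labels[orgLabel]; org != "" && org != saOrg { // assumption: a mismatch is denied
			return "", fmt.Errorf("organization %q does not match service account organization %q", org, saOrg)
		}
		return saOrg, nil
	}
	user := r.Username
	if r.Kind == "Project" { // projects carry the requesting user in an annotation
		if user = r.Annotations["openshift.io/requester"]; user == "" {
			return r.Labels[orgLabel], nil // no requester annotation: allowed as-is
		}
	}
	org := r.Labels[orgLabel]
	if org == "" {
		if org = c.defaultOrgOfUser[user]; org == "" {
			return "", fmt.Errorf("no organization given and no default organization for user %q", user)
		}
	}
	if !c.groupMembers[org][user] { // membership: an OpenShift group named after the organization
		return "", fmt.Errorf("user %q is not a member of organization %q", user, org)
	}
	return org, nil
}
```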
type NamespaceQuotaValidator added in v0.10.0
type NamespaceQuotaValidator struct {
Decoder admission.Decoder
// Client is used to fetch namespace counts
Client client.Reader
Skipper skipper.Skipper
// SkipValidateQuota allows skipping the quota validation.
// If the validation is skipped, only the organization label is checked.
SkipValidateQuota bool
OrganizationLabel string
UserDefaultOrganizationAnnotation string
// SelectedProfile is the name of the ZoneUsageProfile to use for the quota
// An empty string means that the legacy namespace quota is used if set.
SelectedProfile string
// QuotaOverrideNamespace is the namespace in which the quota overrides are stored
QuotaOverrideNamespace string
// EnableLegacyNamespaceQuota enables the legacy namespace quota.
EnableLegacyNamespaceQuota bool
// LegacyNamespaceQuota is the namespace quota for legacy mode.
// It is used if no ZoneUsageProfile is selected.
LegacyNamespaceQuota int
}
NamespaceQuotaValidator checks if a user is allowed to create a namespace. The user or the namespace must have a label with the organization name. The organization name is used to count the number of namespaces for the organization.
type PodNodeSelectorMutator added in v0.6.0
type PodNodeSelectorMutator struct {
Decoder admission.Decoder
// Client is used to fetch namespace metadata
Client client.Reader
// DefaultNodeSelector is the default node selector to apply to pods
DefaultNodeSelector map[string]string
// DefaultNamespaceNodeSelectorAnnotation is the annotation to use for the default node selector
DefaultNamespaceNodeSelectorAnnotation string
Skipper skipper.Skipper
}
PodNodeSelectorMutator checks namespaces for allowed node selectors.
type PodRunOnceActiveDeadlineSecondsMutator added in v0.18.0
type PodRunOnceActiveDeadlineSecondsMutator struct {
Decoder admission.Decoder
// Client is used to fetch namespace metadata for the override annotation
Client client.Reader
// OverrideAnnotation is the namespace annotation used to override DefaultActiveDeadlineSeconds
OverrideAnnotation string
// DefaultActiveDeadlineSeconds is the default activeDeadlineSeconds to apply to pods
DefaultActiveDeadlineSeconds int
Skipper skipper.Skipper
}
PodRunOnceActiveDeadlineSecondsMutator adds .spec.activeDeadlineSeconds to pods with the restartPolicy set to "OnFailure" or "Never".
type RatioValidator
type RatioValidator struct {
Decoder admission.Decoder
Client client.Client
Ratio ratioFetcher
RatioLimits limits.Limits
RatioWarnThreshold *inf.Dec
// DefaultNodeSelector is the default node selector to apply to pods
DefaultNodeSelector map[string]string
// DefaultNamespaceNodeSelectorAnnotation is the annotation to use for the default node selector
DefaultNamespaceNodeSelectorAnnotation string
}
RatioValidator checks for every action in a namespace whether the Memory to CPU ratio limit is exceeded and will return a warning if it is.
type ReservedResourceQuotaLimitRangeValidator added in v0.19.0
type ReservedResourceQuotaLimitRangeValidator struct {
Decoder admission.Decoder
Skipper skipper.Skipper
ReservedResourceQuotaNames []string
ReservedLimitRangeNames []string
}
ReservedResourceQuotaLimitRangeValidator denies changes to reserved resourcequota and limitrange objects.
type ServiceCloudscaleLBValidator added in v0.14.0
ServiceCloudscaleLBValidator denies changes to the k8s.cloudscale.ch/loadbalancer-uuid annotation.