Documentation ¶
Overview ¶
Package app does all of the work necessary to create a Kubernetes APIServer by binding together the API, master and APIServer infrastructure. It can be configured and called directly or via the hyperkube framework.
Package origin provides objects for creating an OpenShift Origin server
Index ¶
- Variables
- func LegacyStorage(storage map[schema.GroupVersion]map[string]rest.Storage) map[string]rest.Storage
- func NewAssetServerConfigFromMasterConfig(masterConfigOptions configapi.MasterConfig) (*assetapiserver.AssetServerConfig, error)
- func NewLeaderElection(options configapi.MasterConfig, ...) (plug.Plug, func(), error)
- func NewOAuthServerConfigFromMasterConfig(masterConfig *MasterConfig) (*oauthapiserver.OAuthServerConfig, error)
- func WithPatternPrefixHandler(handler http.Handler, patternHandler http.Handler, prefixes ...string) http.Handler
- type InformerAccess
- type MasterConfig
- func (c *MasterConfig) KubeClientsetExternal() kclientsetexternal.Interface
- func (c *MasterConfig) KubeClientsetInternal() kclientsetinternal.Interface
- func (c *MasterConfig) RouteAllocator() *routeallocationcontroller.RouteAllocationController
- func (c *MasterConfig) Run(kubeAPIServerConfig *kubeapiserver.Config, controllerPlug plug.Plug, ...) error
- func (c *MasterConfig) RunDNSServer()
- func (c *MasterConfig) WebConsoleEnabled() bool
- func (c *MasterConfig) WebConsoleStandalone() bool
- type OpenshiftAPIConfig
- type OpenshiftAPIServer
- type OpenshiftNonAPIConfig
- type OpenshiftNonAPIServer
- type SecurityAllocationController
Constants ¶
This section is empty.
Variables ¶
var ( // OriginLegacyKinds lists all kinds that are locked to the legacy Origin API schema. // This list should not grow and adding a new types to the locked Origin API schema will // cause a unit test failure. OriginLegacyKinds = sets.NewString( "AppliedClusterResourceQuota", "AppliedClusterResourceQuotaList", "BinaryBuildRequestOptions", "Build", "BuildConfig", "BuildConfigList", "BuildList", "BuildLog", "BuildLogOptions", "BuildRequest", "ClusterNetwork", "ClusterNetworkList", "ClusterPolicy", "ClusterPolicyBinding", "ClusterPolicyBindingList", "ClusterPolicyList", "ClusterResourceQuota", "ClusterResourceQuotaList", "ClusterRole", "ClusterRoleBinding", "ClusterRoleBindingList", "ClusterRoleList", "DeploymentConfig", "DeploymentConfigList", "DeploymentConfigRollback", "DeploymentLog", "DeploymentLogOptions", "DeploymentRequest", "EgressNetworkPolicy", "EgressNetworkPolicyList", "Group", "GroupList", "HostSubnet", "HostSubnetList", "Identity", "IdentityList", "Image", "ImageList", "ImageSignature", "ImageStream", "ImageStreamImage", "ImageStreamImport", "ImageStreamList", "ImageStreamMapping", "ImageStreamTag", "ImageStreamTagList", "IsPersonalSubjectAccessReview", "LocalResourceAccessReview", "LocalSubjectAccessReview", "NetNamespace", "NetNamespaceList", "OAuthAccessToken", "OAuthAccessTokenList", "OAuthAuthorizeToken", "OAuthAuthorizeTokenList", "OAuthClient", "OAuthClientAuthorization", "OAuthClientAuthorizationList", "OAuthClientList", "OAuthRedirectReference", "PodSecurityPolicyReview", "PodSecurityPolicySelfSubjectReview", "PodSecurityPolicySubjectReview", "Policy", "PolicyBinding", "PolicyBindingList", "PolicyList", "ProcessedTemplate", "Project", "ProjectList", "ProjectRequest", "ResourceAccessReview", "ResourceAccessReviewResponse", "Role", "RoleBinding", "RoleBindingList", "RoleBindingRestriction", "RoleBindingRestrictionList", "RoleList", "Route", "RouteList", "SelfSubjectRulesReview", "SubjectAccessReview", "SubjectAccessReviewResponse", "SubjectRulesReview", "Template", "TemplateConfig", "TemplateList", "User", "UserIdentityMapping", "UserList", ) // OriginLegacyResources lists all Origin resources that are locked for the legacy v1 // Origin API. This list should not grow. OriginLegacyResources = sets.NewString( "appliedClusterResourceQuotas", "buildConfigs", "builds", "clusterNetworks", "clusterPolicies", "clusterPolicyBindings", "clusterResourceQuotas", "clusterRoleBindings", "clusterRoles", "deploymentConfigRollbacks", "deploymentConfigs", "egressNetworkPolicies", "groups", "hostSubnets", "identities", "imageStreamImages", "imageStreamImports", "imageStreamMappings", "imageStreamTags", "imageStreams", "images", "imagesignatures", "localResourceAccessReviews", "localSubjectAccessReviews", "netNamespaces", "oAuthAccessTokens", "oAuthAuthorizeTokens", "oAuthClientAuthorizations", "oAuthClients", "podSecurityPolicyReviews", "podSecurityPolicySelfSubjectReviews", "podSecurityPolicySubjectReviews", "policies", "policyBindings", "processedTemplates", "projectRequests", "projects", "resourceAccessReviews", "roleBindingRestrictions", "roleBindings", "roles", "routes", "selfSubjectRulesReviews", "subjectAccessReviews", "subjectRulesReviews", "templates", "userIdentityMappings", "users", ) // OriginLegacySubresources lists all Origin sub-resources that are locked for the // legacy v1 Origin API. This list should not grow. OriginLegacySubresources = sets.NewString( "clusterResourceQuotas/status", "processedTemplates", "imageStreams/status", "imageStreams/secrets", "generateDeploymentConfigs", "deploymentConfigs/log", "deploymentConfigs/instantiate", "deploymentConfigs/scale", "deploymentConfigs/status", "deploymentConfigs/rollback", "routes/status", "builds/clone", "builds/log", "builds/details", "buildConfigs/webhooks", "buildConfigs/instantiate", "buildConfigs/instantiatebinary", ) )
var ( // KubeAdmissionPlugins gives the in-order default admission chain for kube resources. KubeAdmissionPlugins = []string{ lifecycle.PluginName, "RunOnceDuration", "PodNodeConstraints", "OriginPodNodeEnvironment", "PodNodeSelector", overrideapi.PluginName, serviceadmit.ExternalIPPluginName, serviceadmit.RestrictedEndpointsPluginName, imagepolicy.PluginName, "ImagePolicyWebhook", "PodPreset", "LimitRanger", "ServiceAccount", noderestriction.PluginName, "SecurityContextConstraint", storageclassdefaultadmission.PluginName, "AlwaysPullImages", "LimitPodHardAntiAffinityTopology", "SCCExecRestrictions", "PersistentVolumeLabel", "OwnerReferencesPermissionEnforcement", ingressadmission.IngressAdmission, "DefaultTolerationSeconds", "Initializers", "GenericAdmissionWebhook", "PodTolerationRestriction", "ResourceQuota", "openshift.io/ClusterResourceQuota", } // CombinedAdmissionControlPlugins gives the in-order default admission chain for all resources resources. // When possible, this list is used. The set of openshift+kube chains must exactly match this set. In addition, // the order specified in the openshift and kube chains must match the order here. CombinedAdmissionControlPlugins = []string{ lifecycle.PluginName, "ProjectRequestLimit", "OriginNamespaceLifecycle", "openshift.io/RestrictSubjectBindings", "PodNodeConstraints", "openshift.io/JenkinsBootstrapper", "openshift.io/BuildConfigSecretInjector", "BuildByStrategy", imageadmission.PluginName, "RunOnceDuration", "PodNodeConstraints", "OriginPodNodeEnvironment", "PodNodeSelector", overrideapi.PluginName, serviceadmit.ExternalIPPluginName, serviceadmit.RestrictedEndpointsPluginName, imagepolicy.PluginName, "ImagePolicyWebhook", "PodPreset", "LimitRanger", "ServiceAccount", noderestriction.PluginName, "SecurityContextConstraint", storageclassdefaultadmission.PluginName, "AlwaysPullImages", "LimitPodHardAntiAffinityTopology", "SCCExecRestrictions", "PersistentVolumeLabel", "OwnerReferencesPermissionEnforcement", ingressadmission.IngressAdmission, "DefaultTolerationSeconds", "Initializers", "GenericAdmissionWebhook", "PodTolerationRestriction", "ResourceQuota", "openshift.io/ClusterResourceQuota", } )
Functions ¶
func LegacyStorage ¶
LegacyStorage returns a storage for locked legacy types.
func NewAssetServerConfigFromMasterConfig ¶
func NewAssetServerConfigFromMasterConfig(masterConfigOptions configapi.MasterConfig) (*assetapiserver.AssetServerConfig, error)
TODO this is taking a very large config for a small piece of it. The information must be broken up at some point so that we can run this in a pod. This is an indication of leaky abstraction because it spent too much time in openshift start
func NewLeaderElection ¶
func NewLeaderElection(options configapi.MasterConfig, leader componentconfig.LeaderElectionConfiguration, kc kclientsetexternal.Interface, eventClient v1core.EventInterface) (plug.Plug, func(), error)
NewLeaderElection returns a plug that blocks controller startup until the lease is acquired and a function that will start the process to attain the lease. There are two modes for lease operation - a legacy mode that directly connects to etcd, and the preferred mode which coordinates on a service endpoints object in the kube-system namespace. Because legacy mode and the new mode do not coordinate on the same key, an upgrade must stop all controllers before changing the configuration and starting controllers with the new config.
func NewOAuthServerConfigFromMasterConfig ¶
func NewOAuthServerConfigFromMasterConfig(masterConfig *MasterConfig) (*oauthapiserver.OAuthServerConfig, error)
TODO this is taking a very large config for a small piece of it. The information must be broken up at some point so that we can run this in a pod. This is an indication of leaky abstraction because it spent too much time in openshift start
Types ¶
type InformerAccess ¶
type InformerAccess interface { GetInternalKubeInformers() kinternalinformers.SharedInformerFactory GetExternalKubeInformers() kinformers.SharedInformerFactory GetClientGoKubeInformers() kubeclientgoinformers.SharedInformerFactory GetAuthorizationInformers() authorizationinformer.SharedInformerFactory GetImageInformers() imageinformer.SharedInformerFactory GetQuotaInformers() quotainformer.SharedInformerFactory GetSecurityInformers() securityinformer.SharedInformerFactory GetUserInformers() userinformer.SharedInformerFactory }
type MasterConfig ¶
type MasterConfig struct { Options configapi.MasterConfig RESTMapper *discovery.DeferredDiscoveryRESTMapper // RESTOptionsGetter provides access to storage and RESTOptions for a particular resource RESTOptionsGetter restoptions.Getter RuleResolver rbacregistryvalidation.AuthorizationRuleResolver Authenticator authenticator.Request Authorizer kauthorizer.Authorizer SubjectLocator authorizer.SubjectLocator ProjectAuthorizationCache *projectauth.AuthorizationCache ProjectCache *projectcache.ProjectCache ClusterQuotaMappingController *clusterquotamapping.ClusterQuotaMappingController LimitVerifier imageadmission.LimitVerifier // RequestContextMapper maps requests to contexts RequestContextMapper apirequest.RequestContextMapper AdmissionControl admission.Interface // KubeAdmissionControl holds the kube admission chain. Because of the way the plugin initializer is built // you'll be passing information in this direction either way. Knowing how to build this chain requires knowledge // of both the origin config AND the kube config, so this spot makes more sense. KubeAdmissionControl admission.Interface // RegistryHostnameRetriever retrieves the name of the integrated registry, or false if no such registry // is available. RegistryHostnameRetriever imageapi.RegistryHostnameRetriever KubeletClientConfig *kubeletclient.KubeletClientConfig // PrivilegedLoopbackClientConfig is the client configuration used to call OpenShift APIs from system components // To apply different access control to a system component, create a client config specifically for that component. PrivilegedLoopbackClientConfig restclient.Config // PrivilegedLoopbackKubernetesClientsetInternal is the client used to call Kubernetes APIs from system components, // built from KubeClientConfig. It should only be accessed via the *TestingClient() helper methods. To apply // different access control to a system component, create a separate client/config specifically for // that component. PrivilegedLoopbackKubernetesClientsetInternal kclientsetinternal.Interface // PrivilegedLoopbackKubernetesClientsetExternal is the client used to call Kubernetes APIs from system components, // built from KubeClientConfig. It should only be accessed via the *TestingClient() helper methods. To apply // different access control to a system component, create a separate client/config specifically for // that component. PrivilegedLoopbackKubernetesClientsetExternal kclientsetexternal.Interface AuditBackend audit.Backend // TODO inspect uses to eliminate them InternalKubeInformers kinternalinformers.SharedInformerFactory ClientGoKubeInformers kubeclientgoinformers.SharedInformerFactory AuthorizationInformers authorizationinformer.SharedInformerFactory QuotaInformers quotainformer.SharedInformerFactory SecurityInformers securityinformer.SharedInformerFactory UserInformers userinformer.SharedInformerFactory }
MasterConfig defines the required parameters for starting the OpenShift master
func BuildMasterConfig ¶ added in v0.3.3
func BuildMasterConfig(options configapi.MasterConfig, informers InformerAccess) (*MasterConfig, error)
BuildMasterConfig builds and returns the OpenShift master configuration based on the provided options
func (*MasterConfig) KubeClientsetExternal ¶
func (c *MasterConfig) KubeClientsetExternal() kclientsetexternal.Interface
KubeClientsetInternal returns the kubernetes client object
func (*MasterConfig) KubeClientsetInternal ¶
func (c *MasterConfig) KubeClientsetInternal() kclientsetinternal.Interface
KubeClientsetInternal returns the kubernetes client object
func (*MasterConfig) RouteAllocator ¶ added in v0.4.2
func (c *MasterConfig) RouteAllocator() *routeallocationcontroller.RouteAllocationController
RouteAllocator returns a route allocation controller.
func (*MasterConfig) Run ¶ added in v0.2.1
func (c *MasterConfig) Run(kubeAPIServerConfig *kubeapiserver.Config, controllerPlug plug.Plug, stopCh <-chan struct{}) error
Run launches the OpenShift master by creating a kubernetes master, installing OpenShift APIs into it and then running it.
func (*MasterConfig) RunDNSServer ¶ added in v0.4.2
func (c *MasterConfig) RunDNSServer()
RunDNSServer starts the DNS server
func (*MasterConfig) WebConsoleEnabled ¶ added in v1.0.5
func (c *MasterConfig) WebConsoleEnabled() bool
WebConsoleEnabled says whether web ui is not a disabled feature and asset service is configured.
func (*MasterConfig) WebConsoleStandalone ¶
func (c *MasterConfig) WebConsoleStandalone() bool
type OpenshiftAPIConfig ¶
type OpenshiftAPIConfig struct { GenericConfig *genericapiserver.Config KubeClientInternal kclientsetinternal.Interface KubeletClientConfig *kubeletclient.KubeletClientConfig KubeInternalInformers kinternalinformers.SharedInformerFactory QuotaInformers quotainformer.SharedInformerFactory SecurityInformers securityinformer.SharedInformerFactory // these are all required to build our storage RuleResolver rbacregistryvalidation.AuthorizationRuleResolver SubjectLocator authorizer.SubjectLocator // for Images LimitVerifier imageadmission.LimitVerifier // RegistryHostnameRetriever retrieves the internal and external hostname of // the integrated registry, or false if no such registry is available. RegistryHostnameRetriever imageapi.RegistryHostnameRetriever AllowedRegistriesForImport *configapi.AllowedRegistries MaxImagesBulkImportedPerRepository int RouteAllocator *routeallocationcontroller.RouteAllocationController ProjectAuthorizationCache *projectauth.AuthorizationCache ProjectCache *projectcache.ProjectCache ProjectRequestTemplate string ProjectRequestMessage string EnableBuilds bool // oauth API server ServiceAccountMethod configapi.GrantHandlerType ClusterQuotaMappingController *clusterquotamapping.ClusterQuotaMappingController // SCCStorage is actually created with a kubernetes restmapper options to have the correct prefix, // so we have to have it special cased here to point to the right spot. SCCStorage *sccstorage.REST }
func (*OpenshiftAPIConfig) Complete ¶
func (c *OpenshiftAPIConfig) Complete() completedConfig
Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
func (*OpenshiftAPIConfig) SkipComplete ¶
func (c *OpenshiftAPIConfig) SkipComplete() completedConfig
SkipComplete provides a way to construct a server instance without config completion.
func (*OpenshiftAPIConfig) Validate ¶
func (c *OpenshiftAPIConfig) Validate() error
Validate helps ensure that we build this config correctly, because there are lots of bits to remember for now
type OpenshiftAPIServer ¶
type OpenshiftAPIServer struct {
GenericAPIServer *genericapiserver.GenericAPIServer
}
OpenshiftAPIServer is only responsible for serving the APIs for Openshift It does NOT expose oauth, related oauth endpoints, or any kube APIs.
type OpenshiftNonAPIConfig ¶
type OpenshiftNonAPIConfig struct { GenericConfig *genericapiserver.Config // these are only needed for the controller endpoint which should be moved out and made an optional // add-on in the chain (as the final delegate) when running an all-in-one ControllerPlug plug.Plug MasterPublicURL string EnableOAuth bool }
func (*OpenshiftNonAPIConfig) Complete ¶
func (c *OpenshiftNonAPIConfig) Complete() completedOpenshiftNonAPIConfig
Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
func (*OpenshiftNonAPIConfig) SkipComplete ¶
func (c *OpenshiftNonAPIConfig) SkipComplete() completedOpenshiftNonAPIConfig
SkipComplete provides a way to construct a server instance without config completion.
type OpenshiftNonAPIServer ¶
type OpenshiftNonAPIServer struct {
GenericAPIServer *genericapiserver.GenericAPIServer
}
OpenshiftNonAPIServer serves non-API endpoints for openshift.
type SecurityAllocationController ¶
type SecurityAllocationController struct { SecurityAllocator *configapi.SecurityAllocator OpenshiftRESTOptionsGetter restoptions.Getter ExternalKubeInformers kexternalinformers.SharedInformerFactory KubeExternalClient kclientsetexternal.Interface }
func (SecurityAllocationController) RunSecurityAllocationController ¶
func (c SecurityAllocationController) RunSecurityAllocationController()
RunSecurityAllocationController starts the security allocation controller process.