Documentation ¶
Overview ¶
Package options contains flags and options for initializing kube-apiserver
Index ¶
- Constants
- Variables
- func DefaultOffAdmissionPlugins() sets.String
- func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
- func RegisterAllAdmissionPlugins(plugins *admission.Plugins)
- type AdmissionOptions
- type AnonymousAuthenticationOptions
- type BootstrapTokenAuthenticationOptions
- type BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
- func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)
- func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, ...) error
- func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)
- func (o *BuiltInAuthenticationOptions) Validate() []error
- func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions
- type BuiltInAuthorizationOptions
- type EmbeddedEtcd
- type OIDCAuthenticationOptions
- type ServerRunOptions
- type ServiceAccountAuthenticationOptions
- type TokenFileAuthenticationOptions
- type WebHookAuthenticationOptions
Constants ¶
// DefaultEtcdPathPrefix is the default etcd key prefix for the API server.
// NOTE(review): presumably every stored API object, Secrets included, lives
// under this prefix; scope etcd credentials and backups accordingly — confirm.
const DefaultEtcdPathPrefix = "/registry"
DefaultEtcdPathPrefix is the default key prefix of etcd for API Server
Variables ¶
// AllOrderedPlugins is the list of all the admission plugins, in order.
// NOTE(review): only twelve plugins appear in this list. Upstream
// kube-apiserver's ordered list also carries plugins such as NodeRestriction
// and PodSecurity, which are absent here; confirm that this is intended for
// this build before relying on those controls.
var AllOrderedPlugins = []string{
	autoprovision.PluginName,
	lifecycle.PluginName,
	exists.PluginName,
	serviceaccount.PluginName,
	eventratelimit.PluginName,
	gc.PluginName,
	certapproval.PluginName,
	certsigning.PluginName,
	certsubjectrestriction.PluginName,
	// The webhook and quota plugins come last in the list.
	mutatingwebhook.PluginName,
	validatingwebhook.PluginName,
	resourcequota.PluginName,
}
AllOrderedPlugins is the list of all the plugins in order.
// DefaultServiceIPCIDR is the IP range from which service cluster IPs are
// allocated by default: address 10.0.0.0 with a 24-bit mask, i.e. 10.0.0.0/24.
var DefaultServiceIPCIDR = net.IPNet{IP: netutils.ParseIPSloppy("10.0.0.0"), Mask: net.CIDRMask(24, 32)}
DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs
// DefaultServiceNodePortRange is the default port range for NodePort services.
// NOTE(review): assuming Size counts ports starting at Base, this covers
// 30000-32767 — confirm against utilnet.PortRange. Host firewall rules for
// NodePort exposure should be written against the range actually configured.
var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}
DefaultServiceNodePortRange is the default port range for NodePort services.
Functions ¶
func DefaultOffAdmissionPlugins ¶
DefaultOffAdmissionPlugins returns the admission plugins that are off by default for kube-apiserver.
func NewSecureServingOptions ¶
func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by "normal" API servers running on the platform
func RegisterAllAdmissionPlugins ¶
RegisterAllAdmissionPlugins registers all admission plugins. The order of registration is irrelevant, see AllOrderedPlugins for execution order.
Types ¶
type AdmissionOptions ¶
// AdmissionOptions holds the admission options for kube-apiserver.
// It wraps the generic apiserver AdmissionOptions.
type AdmissionOptions struct {
	// GenericAdmission holds the generic admission options.
	GenericAdmission *genericoptions.AdmissionOptions
}
AdmissionOptions holds the admission options. It is a wrap of generic AdmissionOptions.
func NewAdmissionOptions ¶
func NewAdmissionOptions() *AdmissionOptions
NewAdmissionOptions creates a new instance of AdmissionOptions.
Note: In addition, it calls RegisterAllAdmissionPlugins to register all kube-apiserver admission plugins. It provides the RecommendedPluginOrder list, which holds sane values that can be used by servers that don't care about the admission chain. Servers that do care can overwrite or append to that field after creation.
func (*AdmissionOptions) AddFlags ¶
func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet
func (*AdmissionOptions) ApplyTo ¶
func (a *AdmissionOptions) ApplyTo( c *server.Config, informers informers.SharedInformerFactory, kubeAPIServerClientConfig *rest.Config, features featuregate.FeatureGate, pluginInitializers ...admission.PluginInitializer, ) error
ApplyTo adds the admission chain to the server configuration. Kube-apiserver just calls the generic AdmissionOptions.ApplyTo.
func (*AdmissionOptions) Validate ¶
func (a *AdmissionOptions) Validate() []error
Validate verifies the flags passed to kube-apiserver AdmissionOptions. Kube-apiserver verifies PluginNames and then calls the generic AdmissionOptions.Validate.
type AnonymousAuthenticationOptions ¶
// AnonymousAuthenticationOptions contains the anonymous authentication
// options for the API server.
type AnonymousAuthenticationOptions struct {
	// Allow controls whether anonymous requests are accepted.
	// NOTE(review): in upstream kube-apiserver this is set by --anonymous-auth,
	// and an accepted anonymous request is treated as user system:anonymous in
	// group system:unauthenticated — confirm for this build. When true, what
	// unauthenticated callers can reach is decided entirely by authorization,
	// so audit every binding granted to those two identities.
	Allow bool
}
AnonymousAuthenticationOptions contains anonymous authentication options for API Server
type BootstrapTokenAuthenticationOptions ¶
// BootstrapTokenAuthenticationOptions contains the bootstrap token
// authentication options for the API server.
type BootstrapTokenAuthenticationOptions struct {
	// Enable turns bootstrap token authentication on.
	// NOTE(review): upstream sets this with --enable-bootstrap-token-auth and
	// reads the tokens from Secrets in kube-system; they are intended for
	// joining nodes, so keep them short-lived and narrowly bound — confirm the
	// behaviour for this build.
	Enable bool
}
BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server
type BuiltInAuthenticationOptions ¶
// BuiltInAuthenticationOptions contains all built-in authentication options
// for the API server.
//
// NOTE(review): each pointer field below is presumably left nil until the
// matching With* method is called, with nil meaning that authenticator is not
// configured — confirm against the With* implementations.
type BuiltInAuthenticationOptions struct {
	// APIAudiences lists the audience identifiers of the API server.
	// NOTE(review): upstream rejects service account tokens that are not bound
	// to one of these audiences; an over-broad list widens which tokens are
	// accepted — confirm.
	APIAudiences []string
	// Anonymous holds the anonymous authentication options.
	Anonymous *AnonymousAuthenticationOptions
	// BootstrapToken holds the bootstrap token authentication options.
	BootstrapToken *BootstrapTokenAuthenticationOptions
	// ClientCert holds the x509 client certificate authentication options.
	ClientCert *genericoptions.ClientCertAuthenticationOptions
	// OIDC holds the OpenID Connect authentication options.
	OIDC *OIDCAuthenticationOptions
	// RequestHeader holds the request header (front proxy) authentication
	// options.
	RequestHeader *genericoptions.RequestHeaderAuthenticationOptions
	// ServiceAccounts holds the service account token authentication options.
	ServiceAccounts *ServiceAccountAuthenticationOptions
	// TokenFile holds the static token file authentication options.
	TokenFile *TokenFileAuthenticationOptions
	// WebHook holds the token webhook authentication options.
	WebHook *WebHookAuthenticationOptions

	// TokenSuccessCacheTTL and TokenFailureCacheTTL are the token cache TTLs;
	// NewBuiltInAuthenticationOptions is documented as setting their defaults.
	// NOTE(review): presumably a cached success keeps a token usable until the
	// entry expires even if it was revoked in the meantime, so treat the
	// success TTL as the upper bound on revocation delay — confirm.
	TokenSuccessCacheTTL time.Duration
	TokenFailureCacheTTL time.Duration
}
BuiltInAuthenticationOptions contains all built-in authentication options for the API Server
func NewBuiltInAuthenticationOptions ¶
func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions
NewBuiltInAuthenticationOptions creates a new BuiltInAuthenticationOptions with only the default token cache TTLs set
func (*BuiltInAuthenticationOptions) AddFlags ¶
func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds the authentication flags for an API Server to the specified FlagSet
func (*BuiltInAuthenticationOptions) ApplyAuthorization ¶
func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)
ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func (*BuiltInAuthenticationOptions) ApplyTo ¶
func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, openAPIV3Config *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error
ApplyTo requires already applied OpenAPIConfig and EgressSelector if present.
func (*BuiltInAuthenticationOptions) ToAuthenticationConfig ¶
func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)
ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config
func (*BuiltInAuthenticationOptions) Validate ¶
func (o *BuiltInAuthenticationOptions) Validate() []error
Validate checks invalid config combination
func (*BuiltInAuthenticationOptions) WithAll ¶
func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions
WithAll set default value for every build-in authentication option
func (*BuiltInAuthenticationOptions) WithAnonymous ¶
func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions
WithAnonymous set default value for anonymous authentication
func (*BuiltInAuthenticationOptions) WithBootstrapToken ¶
func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions
WithBootstrapToken set default value for bootstrap token authentication
func (*BuiltInAuthenticationOptions) WithClientCert ¶
func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions
WithClientCert set default value for client cert
func (*BuiltInAuthenticationOptions) WithOIDC ¶
func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
WithOIDC set default value for OIDC authentication
func (*BuiltInAuthenticationOptions) WithRequestHeader ¶
func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions
WithRequestHeader set default value for request header authentication
func (*BuiltInAuthenticationOptions) WithServiceAccounts ¶
func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions
WithServiceAccounts set default value for service account authentication
func (*BuiltInAuthenticationOptions) WithTokenFile ¶
func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions
WithTokenFile set default value for token file authentication
func (*BuiltInAuthenticationOptions) WithWebHook ¶
func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions
WithWebHook set default value for web hook authentication
type BuiltInAuthorizationOptions ¶
// BuiltInAuthorizationOptions contains all built-in authorization options for
// the API server.
type BuiltInAuthorizationOptions struct {
	// Modes lists the authorization modes to enable.
	// NOTE(review): upstream sets this with --authorization-mode and consults
	// the modes in order; a list containing AlwaysAllow authorizes every
	// request, so it should not appear outside of tests — confirm the accepted
	// values for this build.
	Modes []string
	// PolicyFile is the path to the policy file.
	// NOTE(review): presumably the ABAC policy file; it should be writable only
	// by the account that administers the API server — confirm.
	PolicyFile string
	// WebhookConfigFile is the path to the authorization webhook configuration.
	// NOTE(review): upstream expects kubeconfig format here, which can carry
	// client credentials for the webhook; restrict read access — confirm.
	WebhookConfigFile string
	// WebhookVersion is the API version used when calling the webhook.
	WebhookVersion string
	// WebhookCacheAuthorizedTTL is how long "authorized" webhook responses are
	// cached.
	// NOTE(review): presumably a permission revoked at the webhook backend
	// stays effective until the cached entry expires — confirm, and keep this
	// short where fast revocation matters.
	WebhookCacheAuthorizedTTL time.Duration
	// WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff
}
BuiltInAuthorizationOptions contains all built-in authorization options for the API Server
func NewBuiltInAuthorizationOptions ¶
func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions
NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value
func (*BuiltInAuthorizationOptions) AddFlags ¶
func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds the authorization flags for an API Server to the specified FlagSet
func (*BuiltInAuthorizationOptions) ToAuthorizationConfig ¶
func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config
ToAuthorizationConfig convert BuiltInAuthorizationOptions to authorizer.Config
func (*BuiltInAuthorizationOptions) Validate ¶
func (o *BuiltInAuthorizationOptions) Validate() []error
Validate checks invalid config combination
type EmbeddedEtcd ¶
// EmbeddedEtcd holds the options for an etcd instance embedded in the API
// server process. The page carries no documentation for this type, so the
// field notes below are reviewer assumptions to be confirmed.
type EmbeddedEtcd struct {
	// Enabled presumably switches the embedded etcd on — confirm.
	Enabled bool
	// Directory is presumably the etcd data directory.
	// NOTE(review): etcd data holds the full cluster state, Secrets included;
	// confirm the directory is created with owner-only permissions.
	Directory string
	// PeerPort and ClientPort are presumably the etcd peer and client listener
	// ports, kept as strings.
	// NOTE(review): nothing visible here says which address the listeners bind
	// to or whether TLS and client certificates are required — confirm before
	// exposing the host on a shared network.
	PeerPort   string
	ClientPort string
	// WalSizeBytes is presumably the write-ahead-log segment size in bytes —
	// confirm.
	WalSizeBytes int64
}
func NewEmbeddedEtcd ¶
func NewEmbeddedEtcd() *EmbeddedEtcd
func (*EmbeddedEtcd) AddFlags ¶
func (e *EmbeddedEtcd) AddFlags(fs *pflag.FlagSet)
func (*EmbeddedEtcd) Validate ¶
func (e *EmbeddedEtcd) Validate() []error
type OIDCAuthenticationOptions ¶
// OIDCAuthenticationOptions contains the OpenID Connect authentication options
// for the API server.
//
// NOTE(review): the per-field notes describe upstream kube-apiserver OIDC
// behaviour; confirm them for this build.
type OIDCAuthenticationOptions struct {
	// CAFile is the CA bundle used to verify the issuer's TLS certificate.
	CAFile string
	// ClientID is the client ID that tokens must have been issued for.
	ClientID string
	// IssuerURL is the URL of the token issuer; upstream accepts only the
	// https scheme.
	IssuerURL string
	// UsernameClaim is the token claim used as the user name.
	UsernameClaim string
	// UsernamePrefix is prepended to user names taken from the token, which
	// keeps externally asserted names from colliding with built-in identities
	// such as the system: users.
	UsernamePrefix string
	// GroupsClaim is the token claim used as the user's groups.
	GroupsClaim string
	// GroupsPrefix is prepended to group names taken from the token, for the
	// same collision reason as UsernamePrefix.
	GroupsPrefix string
	// SigningAlgs lists the accepted token signing algorithms; keep it to the
	// algorithms the issuer actually uses.
	SigningAlgs []string
	// RequiredClaims maps claim names to the values a token must carry to be
	// accepted.
	RequiredClaims map[string]string
}
OIDCAuthenticationOptions contains OIDC authentication options for API Server
type ServerRunOptions ¶
// ServerRunOptions holds the options used to run a Kubernetes API server.
type ServerRunOptions struct {
	// Option groups, most of them delegated to the generic apiserver option
	// types.
	GenericServerRunOptions *genericoptions.ServerRunOptions
	Etcd                    *genericoptions.EtcdOptions
	SecureServing           *genericoptions.SecureServingOptionsWithLoopback
	Audit                   *genericoptions.AuditOptions
	Features                *genericoptions.FeatureOptions
	Admission               *AdmissionOptions
	Authentication          *BuiltInAuthenticationOptions
	Authorization           *BuiltInAuthorizationOptions
	APIEnablement           *genericoptions.APIEnablementOptions
	EgressSelector          *genericoptions.EgressSelectorOptions
	Metrics                 *metrics.Options
	Logs                    *logs.Options
	Traces                  *genericoptions.TracingOptions

	// NOTE(review): upstream sets AllowPrivileged with --allow-privileged, and
	// true permits privileged containers; when it is on, restricting who may
	// create such pods falls to admission policy — confirm for this build.
	AllowPrivileged          bool
	EventTTL                 time.Duration
	MaxConnectionBytesPerSec int64
	// ServiceClusterIPRanges is mapped to input provided by user
	ServiceClusterIPRanges string
	// APIServerServiceIP is the first valid IP from PrimaryServiceClusterIPRange
	APIServerServiceIP net.IP
	// PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results
	// of parsing ServiceClusterIPRanges into actual values
	PrimaryServiceClusterIPRange   net.IPNet
	SecondaryServiceClusterIPRange net.IPNet

	EnableAggregatorRouting           bool
	EndpointReconcilerType            string
	IdentityLeaseDurationSeconds      int
	IdentityLeaseRenewIntervalSeconds int

	// NOTE(review): ServiceAccountSigningKeyFile presumably points at the
	// private key that signs service account tokens; anyone who can read it
	// can mint tokens, so keep it owner-readable only — confirm.
	ServiceAccountSigningKeyFile     string
	ServiceAccountIssuer             serviceaccount.TokenGenerator
	ServiceAccountTokenMaxExpiration time.Duration

	KubeletConfig               kubeletclient.KubeletClientConfig
	ShowHiddenMetricsForVersion string

	// EmbeddedEtcd holds the embedded etcd options.
	EmbeddedEtcd *EmbeddedEtcd
	// NOTE(review): the purpose of ClientKeyFile is not documented on this
	// page; by its name it is a path to private key material — confirm its use
	// and its file permissions.
	ClientKeyFile string
}
ServerRunOptions holds the options for running a Kubernetes API server.
func NewServerRunOptions ¶
func NewServerRunOptions() *ServerRunOptions
NewServerRunOptions creates a new ServerRunOptions object with default parameters
func (*ServerRunOptions) AddFlags ¶
func (e *ServerRunOptions) AddFlags(fs *pflag.FlagSet)
func (*ServerRunOptions) Validate ¶
func (s *ServerRunOptions) Validate(args []string) error
type ServiceAccountAuthenticationOptions ¶
// ServiceAccountAuthenticationOptions contains the service account
// authentication options for the API server.
//
// NOTE(review): the per-field notes describe upstream kube-apiserver
// behaviour; confirm them for this build.
type ServiceAccountAuthenticationOptions struct {
	// KeyFiles lists the key files used to verify service account tokens.
	KeyFiles []string
	// Lookup makes authentication also check that the token still exists in
	// the backing store; with it off, a deleted token can keep validating
	// until it expires.
	Lookup bool
	// Issuers lists the accepted token issuer identifiers.
	Issuers []string
	// JWKSURI overrides the JWKS URI published in the discovery document.
	JWKSURI string
	// MaxExpiration caps the validity duration of issued tokens.
	MaxExpiration time.Duration
	// ExtendExpiration lets issued tokens live longer than the lifetime that
	// was requested; account for that when reasoning about how long a leaked
	// token stays usable.
	ExtendExpiration bool
}
ServiceAccountAuthenticationOptions contains service account authentication options for API Server
type TokenFileAuthenticationOptions ¶
// TokenFileAuthenticationOptions contains the token file authentication
// options for the API server.
type TokenFileAuthenticationOptions struct {
	// TokenFile is the path to the static token file.
	// NOTE(review): upstream sets this with --token-auth-file and reads
	// plaintext bearer tokens from it that never expire and cannot be changed
	// without restarting the API server; keep the file owner-readable only and
	// prefer an authenticator with expiring credentials — confirm for this
	// build.
	TokenFile string
}
TokenFileAuthenticationOptions contains token file authentication options for API Server
type WebHookAuthenticationOptions ¶
// WebHookAuthenticationOptions contains the webhook token authentication
// options for the API server.
type WebHookAuthenticationOptions struct {
	// ConfigFile is the path to the authentication webhook configuration.
	// NOTE(review): upstream expects kubeconfig format here, which can carry
	// client credentials for the webhook; restrict read access — confirm.
	ConfigFile string
	// Version is the API version used when calling the webhook.
	Version string
	// CacheTTL is how long webhook responses are cached.
	// NOTE(review): presumably a token revoked at the webhook backend keeps
	// authenticating until its cached entry expires — confirm.
	CacheTTL time.Duration
	// RetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	RetryBackoff *wait.Backoff
}
WebHookAuthenticationOptions contains web hook authentication options for API Server