options

package
v0.0.0-...-f60eec5

This package is not in the latest version of its module.

Published: Jan 5, 2023 License: Apache-2.0 Imports: 51 Imported by: 0

Documentation

Overview

Package options contains flags and options for initializing kube-apiserver

Constants

const DefaultEtcdPathPrefix = "/registry"

DefaultEtcdPathPrefix is the default key prefix of etcd for API Server

Variables

AllOrderedPlugins is the list of all the plugins in order.

var DefaultServiceIPCIDR = net.IPNet{IP: netutils.ParseIPSloppy("10.0.0.0"), Mask: net.CIDRMask(24, 32)}

DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs

var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}

DefaultServiceNodePortRange is the default port range for NodePort services.

Functions

func DefaultOffAdmissionPlugins

func DefaultOffAdmissionPlugins() sets.String

DefaultOffAdmissionPlugins returns the admission plugins that are off by default for kube-apiserver.

func NewSecureServingOptions

func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback

NewSecureServingOptions gives default values for the kube-apiserver, which are not the options wanted by "normal" API servers running on the platform.

func RegisterAllAdmissionPlugins

func RegisterAllAdmissionPlugins(plugins *admission.Plugins)

RegisterAllAdmissionPlugins registers all admission plugins. The order of registration is irrelevant, see AllOrderedPlugins for execution order.

Types

type AdmissionOptions

type AdmissionOptions struct {
	// GenericAdmission holds the generic admission options.
	GenericAdmission *genericoptions.AdmissionOptions
}

AdmissionOptions holds the admission options. It wraps the generic AdmissionOptions.

func NewAdmissionOptions

func NewAdmissionOptions() *AdmissionOptions

NewAdmissionOptions creates a new instance of AdmissionOptions. Note:

In addition, it calls RegisterAllAdmissionPlugins to register all kube-apiserver admission plugins.

It provides the list of RecommendedPluginOrder, which holds sane values that can be used by servers that don't care about the admission chain. Servers that do care can overwrite or append to that field after creation.

func (*AdmissionOptions) AddFlags

func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet

func (*AdmissionOptions) ApplyTo

func (a *AdmissionOptions) ApplyTo(
	c *server.Config,
	informers informers.SharedInformerFactory,
	kubeAPIServerClientConfig *rest.Config,
	features featuregate.FeatureGate,
	pluginInitializers ...admission.PluginInitializer,
) error

ApplyTo adds the admission chain to the server configuration. kube-apiserver just calls the generic AdmissionOptions.ApplyTo.

func (*AdmissionOptions) Validate

func (a *AdmissionOptions) Validate() []error

Validate verifies the flags passed to kube-apiserver AdmissionOptions. kube-apiserver verifies PluginNames and then calls the generic AdmissionOptions.Validate.

type AnonymousAuthenticationOptions

type AnonymousAuthenticationOptions struct {
	Allow bool
}

AnonymousAuthenticationOptions contains anonymous authentication options for API Server

type BootstrapTokenAuthenticationOptions

type BootstrapTokenAuthenticationOptions struct {
	Enable bool
}

BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server

type BuiltInAuthenticationOptions

type BuiltInAuthenticationOptions struct {
	APIAudiences    []string
	Anonymous       *AnonymousAuthenticationOptions
	BootstrapToken  *BootstrapTokenAuthenticationOptions
	ClientCert      *genericoptions.ClientCertAuthenticationOptions
	OIDC            *OIDCAuthenticationOptions
	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
	ServiceAccounts *ServiceAccountAuthenticationOptions
	TokenFile       *TokenFileAuthenticationOptions
	WebHook         *WebHookAuthenticationOptions

	TokenSuccessCacheTTL time.Duration
	TokenFailureCacheTTL time.Duration
}

BuiltInAuthenticationOptions contains all built-in authentication options for API Server

func NewBuiltInAuthenticationOptions

func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions

NewBuiltInAuthenticationOptions creates a new BuiltInAuthenticationOptions and only sets the default token cache TTL

func (*BuiltInAuthenticationOptions) AddFlags

func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds the authentication flags for an API Server to the specified FlagSet

func (*BuiltInAuthenticationOptions) ApplyAuthorization

func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)

ApplyAuthorization will conditionally modify the authentication options based on the authorization options

func (*BuiltInAuthenticationOptions) ApplyTo

ApplyTo requires already applied OpenAPIConfig and EgressSelector if present.

func (*BuiltInAuthenticationOptions) ToAuthenticationConfig

func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)

ToAuthenticationConfig converts BuiltInAuthenticationOptions to a kubeauthenticator.Config

func (*BuiltInAuthenticationOptions) Validate

func (o *BuiltInAuthenticationOptions) Validate() []error

Validate checks for invalid config combinations

func (*BuiltInAuthenticationOptions) WithAll

WithAll sets the default value for every built-in authentication option

func (*BuiltInAuthenticationOptions) WithAnonymous

WithAnonymous sets the default value for anonymous authentication

func (*BuiltInAuthenticationOptions) WithBootstrapToken

WithBootstrapToken sets the default value for bootstrap token authentication

func (*BuiltInAuthenticationOptions) WithClientCert

WithClientCert sets the default value for client cert authentication

func (*BuiltInAuthenticationOptions) WithOIDC

WithOIDC sets the default value for OIDC authentication

func (*BuiltInAuthenticationOptions) WithRequestHeader

WithRequestHeader sets the default value for request header authentication

func (*BuiltInAuthenticationOptions) WithServiceAccounts

WithServiceAccounts sets the default value for service account authentication

func (*BuiltInAuthenticationOptions) WithTokenFile

WithTokenFile sets the default value for token file authentication

func (*BuiltInAuthenticationOptions) WithWebHook

WithWebHook sets the default value for web hook authentication

type BuiltInAuthorizationOptions

type BuiltInAuthorizationOptions struct {
	Modes                       []string
	PolicyFile                  string
	WebhookConfigFile           string
	WebhookVersion              string
	WebhookCacheAuthorizedTTL   time.Duration
	WebhookCacheUnauthorizedTTL time.Duration
	// WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff
}

BuiltInAuthorizationOptions contains all built-in authorization options for API Server

func NewBuiltInAuthorizationOptions

func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions

NewBuiltInAuthorizationOptions creates a BuiltInAuthorizationOptions with default values

func (*BuiltInAuthorizationOptions) AddFlags

func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds the authorization flags for an API Server to the specified FlagSet

func (*BuiltInAuthorizationOptions) ToAuthorizationConfig

func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config

ToAuthorizationConfig converts BuiltInAuthorizationOptions to an authorizer.Config

func (*BuiltInAuthorizationOptions) Validate

func (o *BuiltInAuthorizationOptions) Validate() []error

Validate checks for invalid config combinations

type EmbeddedEtcd

type EmbeddedEtcd struct {
	Enabled bool

	Directory    string
	PeerPort     string
	ClientPort   string
	WalSizeBytes int64
}

func NewEmbeddedEtcd

func NewEmbeddedEtcd() *EmbeddedEtcd

func (*EmbeddedEtcd) AddFlags

func (e *EmbeddedEtcd) AddFlags(fs *pflag.FlagSet)

func (*EmbeddedEtcd) Validate

func (e *EmbeddedEtcd) Validate() []error

type OIDCAuthenticationOptions

type OIDCAuthenticationOptions struct {
	CAFile         string
	ClientID       string
	IssuerURL      string
	UsernameClaim  string
	UsernamePrefix string
	GroupsClaim    string
	GroupsPrefix   string
	SigningAlgs    []string
	RequiredClaims map[string]string
}

OIDCAuthenticationOptions contains OIDC authentication options for API Server

type ServerRunOptions

type ServerRunOptions struct {
	GenericServerRunOptions *genericoptions.ServerRunOptions
	Etcd                    *genericoptions.EtcdOptions
	SecureServing           *genericoptions.SecureServingOptionsWithLoopback
	Audit                   *genericoptions.AuditOptions
	Features                *genericoptions.FeatureOptions
	Admission               *AdmissionOptions
	Authentication          *BuiltInAuthenticationOptions
	Authorization           *BuiltInAuthorizationOptions
	APIEnablement           *genericoptions.APIEnablementOptions
	EgressSelector          *genericoptions.EgressSelectorOptions
	Metrics                 *metrics.Options
	Logs                    *logs.Options
	Traces                  *genericoptions.TracingOptions

	AllowPrivileged          bool
	EventTTL                 time.Duration
	MaxConnectionBytesPerSec int64
	// ServiceClusterIPRange is mapped to input provided by user
	ServiceClusterIPRanges string
	// APIServerServiceIP is the first valid IP from PrimaryServiceClusterIPRange
	APIServerServiceIP net.IP
	// PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results
	// of parsing ServiceClusterIPRange into actual values
	PrimaryServiceClusterIPRange   net.IPNet
	SecondaryServiceClusterIPRange net.IPNet

	EnableAggregatorRouting bool

	EndpointReconcilerType string

	IdentityLeaseDurationSeconds      int
	IdentityLeaseRenewIntervalSeconds int

	ServiceAccountSigningKeyFile     string
	ServiceAccountIssuer             serviceaccount.TokenGenerator
	ServiceAccountTokenMaxExpiration time.Duration

	KubeletConfig kubeletclient.KubeletClientConfig

	ShowHiddenMetricsForVersion string

	EmbeddedEtcd  *EmbeddedEtcd
	ClientKeyFile string
}

ServerRunOptions runs a kubernetes api server.
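
How the service-range fields of ServerRunOptions relate to each other, as an added example that is not the package's own code. `serviceRanges` is a hypothetical standard-library stand-in; the comma-separated input format and the two-range limit are assumptions, and the default mirrors DefaultServiceIPCIDR above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Same value as DefaultServiceIPCIDR on this page (10.0.0.0/24).
var defaultServiceIPCIDR = net.IPNet{IP: net.IPv4(10, 0, 0, 0).To4(), Mask: net.CIDRMask(24, 32)}

// serviceRanges (hypothetical helper) parses a comma-separated range string (format
// assumed) into primary/secondary ranges and the first valid IP of the primary.
func serviceRanges(ranges string) (primary, secondary net.IPNet, first net.IP, err error) {
	primary = defaultServiceIPCIDR // used when no range is supplied
	var parts []string
	if s := strings.TrimSpace(ranges); s != "" {
		parts = strings.Split(s, ",")
	}
	if len(parts) > 2 { // assumption: one primary plus one optional secondary
		return primary, secondary, nil, fmt.Errorf("got %d ranges, want at most 2", len(parts))
	}
	for i, p := range parts {
		_, n, perr := net.ParseCIDR(strings.TrimSpace(p))
		if perr != nil {
			return primary, secondary, nil, fmt.Errorf("range %d: %w", i, perr)
		}
		if i == 0 {
			primary = *n
		} else {
			secondary = *n
		}
	}
	first = append(net.IP(nil), primary.IP.Mask(primary.Mask)...)
	for i := len(first) - 1; i >= 0; i-- { // network address + 1, carrying across bytes
		if first[i]++; first[i] != 0 {
			break
		}
	}
	if !primary.Contains(first) { // e.g. a /32 has no address after the network address
		return primary, secondary, nil, fmt.Errorf("%s has no usable service IP", primary.String())
	}
	return primary, secondary, first, nil
}

func main() {
	p, s, ip, err := serviceRanges("10.96.0.0/12,fd00::/108") // constructed sample input
	fmt.Println(p.String(), s.String(), ip, err)
}
```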

func NewServerRunOptions

func NewServerRunOptions() *ServerRunOptions

NewServerRunOptions creates a new ServerRunOptions object with default parameters

func (*ServerRunOptions) AddFlags

func (e *ServerRunOptions) AddFlags(fs *pflag.FlagSet)

func (*ServerRunOptions) Validate

func (s *ServerRunOptions) Validate(args []string) error

type ServiceAccountAuthenticationOptions

type ServiceAccountAuthenticationOptions struct {
	KeyFiles         []string
	Lookup           bool
	Issuers          []string
	JWKSURI          string
	MaxExpiration    time.Duration
	ExtendExpiration bool
}

ServiceAccountAuthenticationOptions contains service account authentication options for API Server

type TokenFileAuthenticationOptions

type TokenFileAuthenticationOptions struct {
	TokenFile string
}

TokenFileAuthenticationOptions contains token file authentication options for API Server

type WebHookAuthenticationOptions

type WebHookAuthenticationOptions struct {
	ConfigFile string
	Version    string
	CacheTTL   time.Duration

	// RetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	RetryBackoff *wait.Backoff
}

WebHookAuthenticationOptions contains web hook authentication options for API Server
