Documentation
Overview
Package injector implements FSM's automatic sidecar injection facility. The sidecar injector's mutating webhook admission controller intercepts pod creation requests to mutate the pod spec to inject the sidecar proxy.
Index
- Constants
- func ConfigurePodInit(cfg configurator.Configurator, podOS string, pod *corev1.Pod, ...) error
- func GenerateIptablesCommands(proxyMode configv1alpha3.LocalProxyMode, outboundIPRangeExclusionList []string, ...) string
- func GetInitContainerSpec(containerName string, cfg configurator.Configurator, ...) corev1.Container
- func GetOutboundIPRangeListForPod(pod *corev1.Pod, annotation string) ([]string, error)
- func GetPortExclusionListForPod(pod *corev1.Pod, annotation string) ([]int, error)
- func GetProxyUUID(pod *corev1.Pod) (string, bool)
- func GetVolumeSpec(sidecarBootstrapConfigName string) corev1.Volume
- func IsMetricsEnabled(kubeController k8s.Controller, namespace string) (enabled bool, err error)
- func MergeIPRangeLists(podSpecific, global []string) []string
- func MergePortExclusionLists(podSpecificPortExclusionList, globalPortExclusionList []int) []int
- func NewMutatingWebhook(ctx context.Context, kubeClient kubernetes.Interface, ...) error
- func RewriteHealthProbes(pod *corev1.Pod) models.HealthProbes
- type Config
Constants
const (
// OutboundPortExclusionListAnnotation is the annotation used for outbound port exclusions
OutboundPortExclusionListAnnotation = "flomesh.io/outbound-port-exclusion-list"
// InboundPortExclusionListAnnotation is the annotation used for inbound port exclusions
InboundPortExclusionListAnnotation = "flomesh.io/inbound-port-exclusion-list"
// OutboundIPRangeExclusionListAnnotation is the annotation used for outbound IP range exclusions
OutboundIPRangeExclusionListAnnotation = "flomesh.io/outbound-ip-range-exclusion-list"
// OutboundIPRangeInclusionListAnnotation is the annotation used for outbound IP range inclusions
OutboundIPRangeInclusionListAnnotation = "flomesh.io/outbound-ip-range-inclusion-list"
)
const (
// MutatingWebhookName is the name of the mutating webhook used for sidecar injection
MutatingWebhookName = "fsm-inject.k8s.io"
// BootstrapSecretPrefix is the prefix of bootstrap Secret.
BootstrapSecretPrefix = "sidecar-bootstrap-config-"
)
const (
// SidecarBootstrapConfigVolume defines sidecar bootstrap config volume.
SidecarBootstrapConfigVolume = "sidecar-bootstrap-config-volume"
)
Functions
func ConfigurePodInit (added in v1.0.0)
func ConfigurePodInit(cfg configurator.Configurator, podOS string, pod *corev1.Pod, fsmContainerPullPolicy corev1.PullPolicy) error
ConfigurePodInit patches the init container into the pod.
func GenerateIptablesCommands (added in v1.0.0)
func GenerateIptablesCommands(proxyMode configv1alpha3.LocalProxyMode, outboundIPRangeExclusionList []string, outboundIPRangeInclusionList []string, outboundPortExclusionList []int, inboundPortExclusionList []int, networkInterfaceExclusionList []string) string
GenerateIptablesCommands generates a list of iptables commands to set up sidecar interception and redirection.
func GetInitContainerSpec (added in v1.0.0)
func GetInitContainerSpec(containerName string, cfg configurator.Configurator, outboundIPRangeExclusionList []string, outboundIPRangeInclusionList []string, outboundPortExclusionList []int, inboundPortExclusionList []int, enablePrivilegedInitContainer bool, pullPolicy corev1.PullPolicy, networkInterfaceExclusionList []string) corev1.Container
GetInitContainerSpec returns the spec of the init container.
func GetOutboundIPRangeListForPod (added in v1.0.0)
GetOutboundIPRangeListForPod returns a list of IP ranges to include/exclude from sidecar traffic interception for the given pod and annotation kind.
IP ranges are included/excluded from sidecar interception when the pod is explicitly annotated with a single IP CIDR range or a comma-separated list of IP CIDR ranges.
Whether the list is an inclusion or an exclusion list is determined by the specified annotation.
The function returns an error when it is unable to determine whether IP ranges need to be excluded from outbound sidecar interception.
func GetPortExclusionListForPod (added in v1.0.0)
GetPortExclusionListForPod gets a list of ports to exclude from sidecar traffic interception for the given pod and annotation kind.
Ports are excluded from sidecar interception when the pod is explicitly annotated with a single port or a comma-separated list of ports.
The kind of exclusion (inbound vs outbound) is determined by the specified annotation.
The function returns an error when it is unable to determine whether ports need to be excluded from outbound sidecar interception.
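The annotation formats that GetOutboundIPRangeListForPod and GetPortExclusionListForPod read can be checked with the following added example, which is not FSM's own code. ParseList, validPort and validCIDR are hypothetical helpers, and treating an empty or out-of-range entry as an error is this example's choice, since every accepted entry is traffic that will not pass through the sidecar.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Annotation keys copied from the constants on this page.
const (
	portKey = "flomesh.io/outbound-port-exclusion-list"
	cidrKey = "flomesh.io/outbound-ip-range-exclusion-list"
)

// validPort accepts a decimal TCP/UDP port in 1-65535.
func validPort(s string) bool {
	p, err := strconv.Atoi(s)
	return err == nil && p >= 1 && p <= 65535
}

// validCIDR accepts an IPv4 or IPv6 range in CIDR notation.
func validCIDR(s string) bool {
	_, _, err := net.ParseCIDR(s)
	return err == nil
}

// ParseList (hypothetical, not FSM's code) returns the entries of a single-value
// or comma-separated annotation, nil when absent, or an error on a bad entry.
func ParseList(ann map[string]string, key string, valid func(string) bool) ([]string, error) {
	raw, ok := ann[key]
	if !ok {
		return nil, nil
	}
	var out []string
	for _, f := range strings.Split(raw, ",") {
		f = strings.TrimSpace(f)
		if !valid(f) {
			return nil, fmt.Errorf("%s: invalid entry %q", key, f)
		}
		out = append(out, f)
	}
	return out, nil
}

func main() {
	pod := map[string]string{portKey: "6379, 5432", cidrKey: "10.0.0.0/8"} // constructed sample
	ports, _ := ParseList(pod, portKey, validPort)
	cidrs, _ := ParseList(pod, cidrKey, validCIDR)
	fmt.Println(ports, cidrs)
}
```

Running a check like this over pod annotations in a namespace gives a reviewable list of which workloads have opted ports or ranges out of interception.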
func GetProxyUUID (added in v1.0.0)
GetProxyUUID returns the proxy UUID retrieved from the sidecar bootstrap config volume.
func GetVolumeSpec (added in v1.0.0)
GetVolumeSpec returns a volume to add to the pod.
func IsMetricsEnabled (added in v1.0.0)
func IsMetricsEnabled(kubeController k8s.Controller, namespace string) (enabled bool, err error)
IsMetricsEnabled returns whether metrics are enabled.
func MergeIPRangeLists (added in v1.0.0)
MergeIPRangeLists merges the pod-specific and global IP range (exclusion/inclusion) lists.
func MergePortExclusionLists (added in v1.0.0)
MergePortExclusionLists merges the pod-specific and global port exclusion lists.
func NewMutatingWebhook (added in v1.0.0)
func NewMutatingWebhook(ctx context.Context, kubeClient kubernetes.Interface, certManager *certificate.Manager, kubeController k8s.Controller, meshName, fsmNamespace, webhookConfigName, fsmVersion string, webhookTimeout int32, enableReconciler bool, cfg configurator.Configurator, fsmContainerPullPolicy corev1.PullPolicy) error
NewMutatingWebhook starts a new web server handling requests from the injector MutatingWebhookConfiguration.
func RewriteHealthProbes (added in v1.0.0)
func RewriteHealthProbes(pod *corev1.Pod) models.HealthProbes
RewriteHealthProbes rewrites health probes.