apiserver

package


Constants

const (
	// SecretNameUserKubeconfig is the name for the user kubeconfig.
	// The #nosec annotation suppresses gosec's hard-coded-credential rule (G101): the literal is the *name* of a
	// Secret object, not a credential value.
	SecretNameUserKubeconfig = "user-kubeconfig" // #nosec G101 -- No credential.
	// ServicePortName is the name of the port in the service.
	ServicePortName = "kube-apiserver"
	// UserNameVPNSeedClient is the user name for the HA vpn-seed-client components (used as common name in its client
	// certificate). Because the server side identifies the client by this CN, it must stay in sync with whatever the
	// peer's client-certificate checks expect.
	UserNameVPNSeedClient = "vpn-seed-client"
)
const (

	// ContainerNameKubeAPIServer is the name of the kube-apiserver container inside the kube-apiserver pods.
	ContainerNameKubeAPIServer = "kube-apiserver"
)
// ManagedResourceName is the name of the ManagedResource containing the resource specifications.
const ManagedResourceName = "shoot-core-kube-apiserver"

ManagedResourceName is the name of the ManagedResource containing the resource specifications.

const (
	// SecretStaticTokenName is a constant for the name of the static-token secret.
	// The #nosec annotation suppresses gosec's hard-coded-credential rule (G101): this is the Secret's name, not the
	// token itself.
	SecretStaticTokenName = "kube-apiserver-static-token" // #nosec G101 -- No credential.

)

Variables

var (
	// IntervalWaitForDeployment is the interval used while waiting for the Deployments to become healthy
	// or deleted.
	IntervalWaitForDeployment = 5 * time.Second
	// TimeoutWaitForDeployment is the timeout used while waiting for the Deployments to become healthy
	// or deleted.
	TimeoutWaitForDeployment = 5 * time.Minute
	// Until is an alias for retry.Until. Exposed for tests.
	// NOTE: these are package-level variables (not constants) so that tests can override them; production code
	// should treat them as read-only.
	Until = retry.Until
)

Functions

func CentralLoggingConfiguration

func CentralLoggingConfiguration() (component.CentralLoggingConfig, error)

CentralLoggingConfiguration returns a fluent-bit parser and filter for the kube-apiserver logs.

func ComputeAuthenticationConfigRawConfig added in v1.102.0

func ComputeAuthenticationConfigRawConfig(oidc *gardencorev1beta1.OIDCConfig) (string, error)

ComputeAuthenticationConfigRawConfig computes an AuthenticationConfiguration from the given OIDC configuration.

func GetLabels

func GetLabels() map[string]string

GetLabels returns the labels for the kube-apiserver.

func NewDependencyWatchdogProberConfiguration

func NewDependencyWatchdogProberConfiguration() ([]proberapi.DependentResourceInfo, error)

NewDependencyWatchdogProberConfiguration returns the configuration for the dependency watchdog (probe role) ensuring that its dependent pods are scaled as soon as a prober fails.

func NewDependencyWatchdogWeederConfiguration

func NewDependencyWatchdogWeederConfiguration() (map[string]weederapi.DependantSelectors, error)

NewDependencyWatchdogWeederConfiguration returns the configuration for the dependency watchdog (weeder role) ensuring that its dependent pods are restarted as soon as it recovers from a crash loop.

Types

type AuthenticationWebhook

// AuthenticationWebhook contains configuration for the authentication webhook.
type AuthenticationWebhook struct {
	// Kubeconfig contains the webhook configuration for token authentication in kubeconfig format. The API server will
	// query the remote service to determine authentication for bearer tokens.
	// NOTE(review): a kubeconfig may embed the client credentials used to reach the webhook, so treat the raw bytes as
	// sensitive (never log them); confirm with the caller how this value is sourced and stored.
	Kubeconfig []byte
	// CacheTTL is the duration to cache responses from the webhook token authenticator. A nil value leaves the setting
	// unset. Cached decisions stay valid until they expire, so this TTL bounds how long a revoked token is still accepted.
	CacheTTL *time.Duration
	// Version is the API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.
	// A nil value leaves the setting unset.
	Version *string
}

AuthenticationWebhook contains configuration for the authentication webhook.

type AuthorizationWebhook

// AuthorizationWebhook contains configuration for the authorization webhook.
type AuthorizationWebhook struct {
	// Kubeconfig contains the webhook configuration in kubeconfig format. The API server will query the remote service
	// to determine access on the API server's secure port.
	// NOTE(review): a kubeconfig may embed the client credentials used to reach the webhook, so treat the raw bytes as
	// sensitive (never log them); confirm with the caller how this value is sourced and stored.
	Kubeconfig []byte
	// CacheAuthorizedTTL is the duration to cache 'authorized' responses from the webhook authorizer. A cached
	// 'authorized' decision stays valid until it expires, so this TTL bounds how long a revoked permission remains usable.
	CacheAuthorizedTTL *time.Duration
	// CacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from the webhook authorizer. Symmetrically,
	// a newly granted permission is not visible until the cached denial expires.
	CacheUnauthorizedTTL *time.Duration
	// Version is the API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the
	// webhook. A nil value leaves the setting unset.
	Version *string
}

AuthorizationWebhook contains configuration for the authorization webhook.

type Images

// Images is a set of container images used for the containers of the kube-apiserver pods.
type Images struct {
	// KubeAPIServer is the container image for the kube-apiserver.
	KubeAPIServer string
	// VPNClient is the container image for the vpn-seed-client.
	VPNClient string
}

Images is a set of container images used for the containers of the kube-apiserver pods.

type Interface

// Interface contains functions for a kube-apiserver deployer.
type Interface interface {
	// apiserver.Interface is embedded, so a kube-apiserver deployer also satisfies the generic apiserver deployer
	// contract.
	apiserver.Interface
	// GetValues returns the current configuration values of the deployer.
	GetValues() Values
	// SetExternalHostname sets the ExternalHostname field in the Values of the deployer.
	SetExternalHostname(string)
	// SetExternalServer sets the ExternalServer field in the Values of the deployer.
	SetExternalServer(string)
	// SetNodeNetworkCIDRs sets the node CIDRs of the shoot network.
	SetNodeNetworkCIDRs([]net.IPNet)
	// SetServiceNetworkCIDRs sets the service CIDRs of the shoot network.
	SetServiceNetworkCIDRs([]net.IPNet)
	// SetPodNetworkCIDRs sets the pod CIDRs of the shoot network.
	SetPodNetworkCIDRs([]net.IPNet)
	// SetServerCertificateConfig sets the ServerCertificateConfig field in the Values of the deployer.
	SetServerCertificateConfig(ServerCertificateConfig)
	// SetServiceAccountConfig sets the ServiceAccount field in the Values of the deployer.
	SetServiceAccountConfig(ServiceAccountConfig)
	// SetSNIConfig sets the SNI field in the Values of the deployer.
	SetSNIConfig(SNIConfig)
}

Interface contains functions for a kube-apiserver deployer.

func New

func New(client kubernetes.Interface, namespace string, secretsManager secretsmanager.Interface, values Values) Interface

New creates a new instance of DeployWaiter for the kube-apiserver.

type SNIConfig

// SNIConfig contains information for configuring SNI settings for the kube-apiserver.
type SNIConfig struct {
	// Enabled states whether the SNI feature is enabled.
	Enabled bool
	// AdvertiseAddress is the address which should be advertised by the kube-apiserver.
	AdvertiseAddress string
	// TLS contains information for configuring the TLS SNI settings for the kube-apiserver, one entry per
	// certificate/domain-pattern set.
	TLS []TLSSNIConfig
}

SNIConfig contains information for configuring SNI settings for the kube-apiserver.

type ServerCertificateConfig

// ServerCertificateConfig contains configuration for the server certificate.
type ServerCertificateConfig struct {
	// ExtraIPAddresses is a list of additional IP addresses to use for the SANs of the server certificate.
	// Every entry becomes an identity the certificate is valid for, so keep the list to addresses this server
	// actually serves.
	ExtraIPAddresses []net.IP
	// ExtraDNSNames is a list of additional DNS names to use for the SANs of the server certificate.
	// Every entry becomes an identity the certificate is valid for, so keep the list to names this server actually
	// serves.
	ExtraDNSNames []string
}

ServerCertificateConfig contains configuration for the server certificate.

type ServiceAccountConfig

// ServiceAccountConfig contains information for configuring the ServiceAccount settings for the kube-apiserver.
type ServiceAccountConfig struct {
	// Issuer is the issuer of service accounts.
	Issuer string
	// AcceptedIssuers is an additional set of issuers that are used to determine which service account tokens are
	// accepted. Tokens from every issuer listed here are trusted, so widen this set deliberately.
	AcceptedIssuers []string
	// JWKSURI is used to overwrite the URI for the JSON Web Key Set in the discovery document served at
	// /.well-known/openid-configuration. A nil value leaves the setting unset.
	JWKSURI *string
	// ExtendTokenExpiration states whether the service account token expirations should be extended.
	// A nil value leaves the setting unset.
	ExtendTokenExpiration *bool
	// MaxTokenExpiration states what the maximal token expiration should be. A nil value leaves the setting unset.
	MaxTokenExpiration *metav1.Duration
	// RotationPhase specifies the credentials rotation phase of the service account signing key.
	RotationPhase gardencorev1beta1.CredentialsRotationPhase
}

ServiceAccountConfig contains information for configuring the ServiceAccount settings for the kube-apiserver.

func ComputeKubeAPIServerServiceAccountConfig added in v1.91.0

func ComputeKubeAPIServerServiceAccountConfig(
	config *gardencorev1beta1.ServiceAccountConfig,
	externalHostname string,
	serviceAccountKeyRotationPhase gardencorev1beta1.CredentialsRotationPhase,
) ServiceAccountConfig

ComputeKubeAPIServerServiceAccountConfig computes the ServiceAccountConfig needed to configure a kube-apiserver.

type TLSSNIConfig

// TLSSNIConfig contains information for configuring the TLS SNI settings for the kube-apiserver.
type TLSSNIConfig struct {
	// SecretName is the name for an existing secret containing the TLS certificate and private key. Either this or both
	// Certificate and PrivateKey must be specified. If both are provided, SecretName takes precedence.
	SecretName *string
	// Certificate is the TLS certificate. Either both this and PrivateKey, or SecretName must be specified. If both are
	// provided, SecretName takes precedence.
	Certificate []byte
	// PrivateKey is the TLS private key belonging to Certificate. Either both this and Certificate, or SecretName must
	// be specified. If both are provided, SecretName takes precedence. The raw key bytes are sensitive: never log them
	// and do not copy them into non-secret resources.
	PrivateKey []byte
	// DomainPatterns is an optional list of domain patterns which are fully qualified domain names, possibly with
	// prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the
	// apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names
	// of the certificate are extracted. Non-wildcard matches take precedence over wildcard matches, and explicit domain
	// patterns take precedence over extracted names.
	DomainPatterns []string
}

TLSSNIConfig contains information for configuring the TLS SNI settings for the kube-apiserver.

type VPNConfig

// VPNConfig contains information for configuring the VPN settings for the kube-apiserver.
type VPNConfig struct {
	// Enabled states whether VPN is enabled.
	Enabled bool
	// PodNetworkCIDRs are the CIDRs of the pod network.
	PodNetworkCIDRs []net.IPNet
	// NodeNetworkCIDRs are the CIDRs of the node network.
	NodeNetworkCIDRs []net.IPNet
	// HighAvailabilityEnabled states if VPN uses HA configuration.
	HighAvailabilityEnabled bool
	// HighAvailabilityNumberOfSeedServers is the number of VPN seed servers used for HA.
	HighAvailabilityNumberOfSeedServers int
	// HighAvailabilityNumberOfShootClients is the number of VPN shoot clients used for HA.
	HighAvailabilityNumberOfShootClients int
	// DisableNewVPN disables the new VPN implementation.
	// TODO(MartinWeindel) Remove after feature gate `NewVPN` gets promoted to GA.
	DisableNewVPN bool
	// IPFamilies are the IPFamilies of the shoot.
	IPFamilies []gardencorev1beta1.IPFamily
}

VPNConfig contains information for configuring the VPN settings for the kube-apiserver.

type Values

// Values contains configuration values for the kube-apiserver resources.
type Values struct {
	// apiserver.Values is embedded and carries the generic API server values.
	apiserver.Values
	// AnonymousAuthenticationEnabled states whether anonymous authentication is enabled.
	// NOTE(review): when enabled, requests without credentials are not rejected at authentication time, so the
	// authorization configuration must be reviewed for what such requests may reach — confirm against the deployer.
	AnonymousAuthenticationEnabled bool
	// APIAudiences are identifiers of the API. The service account token authenticator will validate that tokens used
	// against the API are bound to at least one of these audiences.
	APIAudiences []string
	// AuthenticationConfiguration contains authentication configuration. A nil value leaves the setting unset.
	AuthenticationConfiguration *string
	// AuthenticationWebhook contains configuration for the authentication webhook. A nil value disables it.
	AuthenticationWebhook *AuthenticationWebhook
	// AuthorizationWebhook contains configuration for the authorization webhook. A nil value disables it.
	AuthorizationWebhook *AuthorizationWebhook
	// DefaultNotReadyTolerationSeconds indicates the tolerationSeconds of the toleration for notReady:NoExecute
	// that is added by default to every pod that does not already have such a toleration (flag `--default-not-ready-toleration-seconds`).
	DefaultNotReadyTolerationSeconds *int64
	// DefaultUnreachableTolerationSeconds indicates the tolerationSeconds of the toleration for unreachable:NoExecute
	// that is added by default to every pod that does not already have such a toleration (flag `--default-unreachable-toleration-seconds`).
	DefaultUnreachableTolerationSeconds *int64
	// EventTTL is the amount of time to retain events. A nil value leaves the setting unset.
	EventTTL *metav1.Duration
	// ExternalHostname is the external hostname which should be exposed by the kube-apiserver.
	ExternalHostname string
	// ExternalServer is the external server which should be used when generating the user kubeconfig.
	ExternalServer string
	// Images is a set of container images used for the containers of the kube-apiserver pods.
	Images Images
	// IsWorkerless states whether the cluster managed by this API server is workerless, i.e. has no worker nodes.
	IsWorkerless bool
	// NamePrefix is the prefix for the resource names.
	NamePrefix string
	// OIDC contains information for configuring OIDC settings for the kube-apiserver. A nil value leaves OIDC unconfigured.
	OIDC *gardencorev1beta1.OIDCConfig
	// PriorityClassName is the name of the priority class.
	PriorityClassName string
	// ResourcesToStoreInETCDEvents is a list of resources which should be stored in the etcd-events instead of the
	// etcd-main. The `events` resource in the `core` group is always stored in etcd-events.
	ResourcesToStoreInETCDEvents []schema.GroupResource
	// RuntimeConfig is the set of runtime configurations, keyed by API group/version with the value stating whether it
	// is enabled.
	RuntimeConfig map[string]bool
	// ServerCertificate contains configuration for the server certificate.
	ServerCertificate ServerCertificateConfig
	// ServiceAccount contains information for configuring ServiceAccount settings for the kube-apiserver.
	ServiceAccount ServiceAccountConfig
	// ServiceNetworkCIDRs are the CIDRs of the service network.
	ServiceNetworkCIDRs []net.IPNet
	// SNI contains information for configuring SNI settings for the kube-apiserver.
	SNI SNIConfig
	// StaticTokenKubeconfigEnabled indicates whether a static-token kubeconfig secret will be created for the shoot.
	// NOTE(review): a static token is a long-lived credential; prefer leaving this disabled unless it is required.
	StaticTokenKubeconfigEnabled *bool
	// Version is the Kubernetes version for the kube-apiserver.
	Version *semver.Version
	// VPN contains information for configuring the VPN settings for the kube-apiserver.
	VPN VPNConfig
}

Values contains configuration values for the kube-apiserver resources.

Directories

Path Synopsis
Package mock is a generated GoMock package.
Package mock is a generated GoMock package.
