apiserver

package
v1.110.3 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jan 14, 2025 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Index

Constants

const (
	// SecretWebhookKubeconfigDataKey is a constant for a key in the data of the secret containing a kubeconfig.
	// The constant is only the name of the data entry, not a credential, which is why the gosec G101
	// (hard-coded credentials) finding is suppressed on the line below. The value stored under this key is a
	// kubeconfig, which may embed client credentials and should be treated as sensitive.
	SecretWebhookKubeconfigDataKey = "kubeconfig.yaml" // #nosec G101 -- No credential.

)

Variables

This section is empty.

Functions

func InjectAdmissionSettings

// InjectAdmissionSettings injects the admission settings into `gardener-apiserver` and `kube-apiserver` deployments.
// It takes the target deployment, the ConfigMap with the admission configs, the Secret with the admission
// kubeconfigs and the deployer Values, and returns nothing.
// NOTE(review): the body is not shown here; presumably the kubeconfigs are only referenced from the Secret and
// never copied into container args or environment variables — confirm.
func InjectAdmissionSettings(deployment *appsv1.Deployment, configMapAdmissionConfigs *corev1.ConfigMap, secretAdmissionKubeconfigs *corev1.Secret, values Values)

InjectAdmissionSettings injects the admission settings into `gardener-apiserver` and `kube-apiserver` deployments.

func InjectAuditSettings

// InjectAuditSettings injects the audit settings into `gardener-apiserver` and `kube-apiserver` deployments.
// It takes the target deployment, the audit policy ConfigMap, the webhook kubeconfig Secret and the AuditConfig.
// NOTE(review): auditConfig is a pointer and may be nil; whether a nil value leaves the deployment without any
// audit settings is not visible here — confirm.
func InjectAuditSettings(deployment *appsv1.Deployment, configMapAuditPolicy *corev1.ConfigMap, secretWebhookKubeconfig *corev1.Secret, auditConfig *AuditConfig)

InjectAuditSettings injects the audit settings into `gardener-apiserver` and `kube-apiserver` deployments.

func InjectDefaultSettings

// InjectDefaultSettings injects default settings into `gardener-apiserver` and `kube-apiserver` deployments.
// NOTE(review): judging by the parameter names only, the three Secrets hold the etcd CA, the etcd client
// credentials and the server certificate — confirm against the body, which is not shown here.
func InjectDefaultSettings(
	deployment *appsv1.Deployment,
	namePrefix string,
	values Values,
	secretCAETCD *corev1.Secret,
	secretETCDClient *corev1.Secret,
	secretServer *corev1.Secret,
)

InjectDefaultSettings injects default settings into `gardener-apiserver` and `kube-apiserver` deployments.

func InjectEncryptionSettings

// InjectEncryptionSettings injects the encryption settings into `gardener-apiserver` and `kube-apiserver` deployments.
// It takes the target deployment and the Secret holding the etcd encryption configuration.
// NOTE(review): that Secret presumably contains the encryption keys themselves; how it is exposed to the
// container is not visible here — confirm it is mounted from the Secret and not inlined.
func InjectEncryptionSettings(deployment *appsv1.Deployment, secretETCDEncryptionConfiguration *corev1.Secret)

InjectEncryptionSettings injects the encryption settings into `gardener-apiserver` and `kube-apiserver` deployments.

func ReconcileConfigMapAdmission

// ReconcileConfigMapAdmission reconciles the ConfigMap containing the configs for the admission plugins.
// It works through the given client and returns an error on failure.
// NOTE(review): ConfigMaps are not meant for confidential data; presumably plugin kubeconfigs are kept out of
// this object and handled by ReconcileSecretAdmissionKubeconfigs — confirm.
func ReconcileConfigMapAdmission(ctx context.Context, c client.Client, configMap *corev1.ConfigMap, values Values) error

ReconcileConfigMapAdmission reconciles the ConfigMap containing the configs for the admission plugins.

func ReconcileConfigMapAuditPolicy

// ReconcileConfigMapAuditPolicy reconciles the ConfigMap containing the audit policy.
// It works through the given client and returns an error on failure.
// NOTE(review): auditConfig and its Policy field are pointers; which policy is written when either is nil is
// not visible here — confirm.
func ReconcileConfigMapAuditPolicy(ctx context.Context, c client.Client, configMap *corev1.ConfigMap, auditConfig *AuditConfig) error

ReconcileConfigMapAuditPolicy reconciles the ConfigMap containing the audit policy.

func ReconcileSecretAdmissionKubeconfigs

// ReconcileSecretAdmissionKubeconfigs reconciles the secret containing the kubeconfig for admission plugins.
// It works through the given client and returns an error on failure.
// NOTE(review): the kubeconfigs presumably come from AdmissionPluginConfig.Kubeconfig in values — confirm.
func ReconcileSecretAdmissionKubeconfigs(ctx context.Context, c client.Client, secret *corev1.Secret, values Values) error

ReconcileSecretAdmissionKubeconfigs reconciles the secret containing the kubeconfig for admission plugins.

func ReconcileSecretAuditWebhookKubeconfig

// ReconcileSecretAuditWebhookKubeconfig reconciles the secret containing the kubeconfig for audit webhooks.
// It works through the given client and returns an error on failure.
// NOTE(review): the kubeconfig presumably comes from auditConfig.Webhook.Kubeconfig; both pointers may be nil
// and the handling of that case is not visible here — confirm.
func ReconcileSecretAuditWebhookKubeconfig(ctx context.Context, c client.Client, secret *corev1.Secret, auditConfig *AuditConfig) error

ReconcileSecretAuditWebhookKubeconfig reconciles the secret containing the kubeconfig for audit webhooks.

func ReconcileSecretETCDEncryptionConfiguration

// ReconcileSecretETCDEncryptionConfiguration reconciles the Secret that holds the etcd encryption configuration.
// It takes a client, a secrets manager, the ETCDEncryptionConfig, the target Secret, the name of the encryption
// key secret and a role label, and returns an error on failure.
// NOTE(review): presumably the encryption key is obtained through secretsManager under
// secretNameETCDEncryptionKey and rendered into the target Secret — confirm against the body, which is not shown.
func ReconcileSecretETCDEncryptionConfiguration(
	ctx context.Context,
	c client.Client,
	secretsManager secretsmanager.Interface,
	config ETCDEncryptionConfig,
	secretETCDEncryptionConfiguration *corev1.Secret,
	secretNameETCDEncryptionKey string,
	roleLabel string,
) error

ReconcileSecretETCDEncryptionConfiguration reconciles the secret containing the ETCD encryption configuration.

func ReconcileSecretWebhookKubeconfig

// ReconcileSecretWebhookKubeconfig reconciles the secret containing a kubeconfig for webhooks.
// It takes the kubeconfig as raw bytes and returns an error on failure.
// NOTE(review): the bytes are presumably stored under SecretWebhookKubeconfigDataKey — confirm. A kubeconfig may
// embed client credentials, so callers should avoid logging the kubeconfig argument.
func ReconcileSecretWebhookKubeconfig(ctx context.Context, c client.Client, secret *corev1.Secret, kubeconfig []byte) error

ReconcileSecretWebhookKubeconfig reconciles the secret containing a kubeconfig for webhooks.

Types

type AdmissionPluginConfig

// AdmissionPluginConfig contains information about a specific admission plugin and its corresponding configuration.
type AdmissionPluginConfig struct {
	// AdmissionPlugin is the embedded gardencorev1beta1.AdmissionPlugin definition.
	gardencorev1beta1.AdmissionPlugin
	// Kubeconfig is an optional API server connection configuration of this admission plugin. The configs for some
	// admission plugins like `ImagePolicyWebhook` or `ValidatingAdmissionWebhook` can take a reference to an API server
	// connection configuration file (a kubeconfig).
	// NOTE(review): a kubeconfig may embed client credentials; presumably these bytes are persisted through
	// ReconcileSecretAdmissionKubeconfigs and not through the admission ConfigMap — confirm, and keep the field
	// out of logs.
	Kubeconfig []byte
}

AdmissionPluginConfig contains information about a specific admission plugin and its corresponding configuration.

type AuditConfig

// AuditConfig contains information for configuring audit settings for the API server.
type AuditConfig struct {
	// Policy is the audit policy document in YAML format. The field is a pointer and may be nil.
	// NOTE(review): which policy applies when this is nil (a default policy or none) is not visible here — confirm.
	Policy *string
	// Webhook contains configuration for the audit webhook. The field is a pointer and may be nil.
	Webhook *AuditWebhook
}

AuditConfig contains information for configuring audit settings for the API server.

type AuditWebhook

// AuditWebhook contains configuration for the audit webhook.
type AuditWebhook struct {
	// Kubeconfig contains the API server file that defines the audit webhook configuration.
	// NOTE(review): a kubeconfig may embed client credentials; presumably it is persisted through
	// ReconcileSecretAuditWebhookKubeconfig — confirm, and keep the field out of logs.
	Kubeconfig []byte
	// BatchMaxSize is the maximum size of a batch.
	// NOTE(review): presumably maps to the API server's `--audit-webhook-batch-max-size` flag, with nil leaving
	// the server default in place — confirm.
	BatchMaxSize *int32
	// Version is the API group and version used for serializing audit events written to webhook.
	// NOTE(review): presumably maps to `--audit-webhook-version` — confirm.
	Version *string
}

AuditWebhook contains configuration for the audit webhook.

type AutoscalingConfig

// AutoscalingConfig contains information for configuring autoscaling settings for the API server.
type AutoscalingConfig struct {
	// APIServerResources are the resource requirements for the API server container.
	APIServerResources corev1.ResourceRequirements
	// Replicas is the number of pod replicas for the API server. The field is a pointer and may be nil.
	Replicas *int32
	// MinReplicas is the minimum number of replicas for horizontal autoscaling.
	MinReplicas int32
	// MaxReplicas is the maximum number of replicas for horizontal autoscaling.
	// NOTE(review): no validation that MinReplicas <= MaxReplicas is visible in this type — confirm where it happens.
	MaxReplicas int32
	// ScaleDownDisabled states whether scale-down shall be disabled.
	ScaleDownDisabled bool
}

AutoscalingConfig contains information for configuring autoscaling settings for the API server.

type ETCDEncryptionConfig

// ETCDEncryptionConfig contains configuration for the encryption of resources in etcd.
type ETCDEncryptionConfig struct {
	// RotationPhase specifies the credentials rotation phase of the encryption key.
	RotationPhase gardencorev1beta1.CredentialsRotationPhase
	// EncryptWithCurrentKey specifies whether the current encryption key should be used for encryption. If this is
	// false and if there are two keys then the old key will be used for encryption while the current/new key will only
	// be used for decryption.
	// NOTE(review): while this is false, new writes are still protected by the old key, so the old key presumably
	// has to stay available until the affected data has been rewritten with the current key — confirm against the
	// rotation flow.
	EncryptWithCurrentKey bool
	// ResourcesToEncrypt are the resources which should be encrypted.
	ResourcesToEncrypt []string
	// EncryptedResources are the resources which are currently encrypted.
	// NOTE(review): a resource listed in ResourcesToEncrypt but not here is presumably not yet encrypted at rest;
	// how the two lists are reconciled is not visible in this type — confirm.
	EncryptedResources []string
}

ETCDEncryptionConfig contains configuration for the encryption of resources in etcd.

type Interface

// Interface contains functions for a deployer for an API server built with k8s.io/apiserver.
type Interface interface {
	// DeployWaiter is the embedded component.DeployWaiter interface; its method set is declared outside this page.
	component.DeployWaiter
	// GetAutoscalingReplicas gets the Replicas field in the AutoscalingConfig of the Values of the deployer.
	// The result is a pointer and may be nil.
	GetAutoscalingReplicas() *int32
	// SetAutoscalingAPIServerResources sets the APIServerResources field in the AutoscalingConfig of the Values of the
	// deployer.
	SetAutoscalingAPIServerResources(corev1.ResourceRequirements)
	// SetAutoscalingReplicas sets the Replicas field in the AutoscalingConfig of the Values of the deployer.
	SetAutoscalingReplicas(*int32)
	// SetETCDEncryptionConfig sets the ETCDEncryptionConfig field in the Values of the deployer.
	// NOTE(review): this replaces the rotation phase and key-selection settings of the deployer; whether the
	// change takes effect before the next deploy is not visible here — confirm.
	SetETCDEncryptionConfig(ETCDEncryptionConfig)
}

Interface contains functions for a deployer for an API server built with k8s.io/apiserver.

type Values

// Values contains configuration values for the API server resources.
type Values struct {
	// EnabledAdmissionPlugins is the list of admission plugins that should be enabled with configuration for the API server.
	// Each entry may carry a kubeconfig (see AdmissionPluginConfig.Kubeconfig), so values of this type can hold
	// sensitive bytes.
	EnabledAdmissionPlugins []AdmissionPluginConfig
	// DisabledAdmissionPlugins is the list of admission plugins that should be disabled for the API server.
	// NOTE(review): no restriction on which plugins may be disabled is visible in this type — confirm where the
	// list is validated.
	DisabledAdmissionPlugins []gardencorev1beta1.AdmissionPlugin
	// Audit contains information for configuring audit settings for the API server. The field is a pointer and
	// may be nil.
	Audit *AuditConfig
	// Autoscaling contains information for configuring autoscaling settings for the API server.
	Autoscaling AutoscalingConfig
	// ETCDEncryption contains configuration for the encryption of resources in etcd.
	ETCDEncryption ETCDEncryptionConfig
	// FeatureGates is the set of feature gates, keyed by gate name with the enabled state as value.
	FeatureGates map[string]bool
	// Logging contains configuration settings for the log and access logging verbosity.
	Logging *gardencorev1beta1.APIServerLogging
	// Requests contains configuration for the API server requests.
	Requests *gardencorev1beta1.APIServerRequests
	// RuntimeVersion is the Kubernetes version of the runtime cluster.
	RuntimeVersion *semver.Version
	// WatchCacheSizes are the configured sizes for the watch caches.
	WatchCacheSizes *gardencorev1beta1.WatchCacheSizes
}

Values contains configuration values for the API server resources.
