Constants ¶
const (
	// SecretNameUserKubeconfig is the name of the secret holding the user kubeconfig.
	SecretNameUserKubeconfig = "user-kubeconfig"
	// ServicePortName is the name of the port in the service.
	ServicePortName = "kube-apiserver"
	// UserNameVPNSeedClient is the user name for the HA vpn-seed-client components (used as common name in its
	// client certificate).
	UserNameVPNSeedClient = "vpn-seed-client"
)
const (
	// ContainerNameKubeAPIServer is the name of the kube-apiserver container.
	ContainerNameKubeAPIServer = "kube-apiserver"
)
// ManagedResourceName is the name of the ManagedResource containing the resource specifications.
const ManagedResourceName = "shoot-core-kube-apiserver"
ManagedResourceName is the name of the ManagedResource containing the resource specifications.
const (
	// SecretStaticTokenName is a constant for the name of the static-token secret.
	SecretStaticTokenName = "kube-apiserver-static-token"
)
Variables ¶
var (
	// IntervalWaitForDeployment is the interval used while waiting for the Deployments to become healthy
	// or deleted.
	IntervalWaitForDeployment = 5 * time.Second
	// TimeoutWaitForDeployment is the timeout used while waiting for the Deployments to become healthy
	// or deleted.
	TimeoutWaitForDeployment = 5 * time.Minute
)
Functions ¶
func CentralLoggingConfiguration ¶
func CentralLoggingConfiguration() (component.CentralLoggingConfig, error)
CentralLoggingConfiguration returns a fluent-bit parser and filter for the kube-apiserver logs.
func NewDependencyWatchdogProberConfiguration ¶
func NewDependencyWatchdogProberConfiguration() ([]proberapi.DependentResourceInfo, error)
NewDependencyWatchdogProberConfiguration returns the configuration for the dependency watchdog (probe role) ensuring that its dependant pods are scaled as soon as a prober fails.
func NewDependencyWatchdogWeederConfiguration ¶
func NewDependencyWatchdogWeederConfiguration() (map[string]weederapi.DependantSelectors, error)
NewDependencyWatchdogWeederConfiguration returns the configuration for the dependency watchdog (weeder role) ensuring that its dependant pods are restarted as soon as it recovers from a crash loop.
Types ¶
type AdmissionPluginConfig ¶
// AdmissionPluginConfig contains information about a specific admission plugin and its corresponding configuration.
type AdmissionPluginConfig struct {
	gardencorev1beta1.AdmissionPlugin
	// Kubeconfig is an optional kubeconfig for the configuration of this admission plugin. The configs for some
	// admission plugins like `ImagePolicyWebhook` or `ValidatingAdmissionWebhook` can take a reference to a kubeconfig.
	// Treat the content as sensitive: kubeconfigs commonly embed client credentials.
	Kubeconfig []byte
}
AdmissionPluginConfig contains information about a specific admission plugin and its corresponding configuration.
type AuditConfig ¶
// AuditConfig contains information for configuring audit settings for the kube-apiserver.
type AuditConfig struct {
	// Policy is the audit policy document in YAML format.
	Policy *string
	// Webhook contains configuration for the audit webhook.
	Webhook *AuditWebhook
}
AuditConfig contains information for configuring audit settings for the kube-apiserver.
type AuditWebhook ¶
// AuditWebhook contains configuration for the audit webhook.
type AuditWebhook struct {
	// Kubeconfig contains the kubeconfig formatted file that defines the audit webhook configuration.
	Kubeconfig []byte
	// BatchMaxSize is the maximum size of a batch.
	BatchMaxSize *int32
	// Version is the API group and version used for serializing audit events written to the webhook.
	Version *string
}
AuditWebhook contains configuration for the audit webhook.
type AuthenticationWebhook ¶
// AuthenticationWebhook contains configuration for the authentication webhook.
type AuthenticationWebhook struct {
	// Kubeconfig contains the webhook configuration for token authentication in kubeconfig format. The API server will
	// query the remote service to determine authentication for bearer tokens.
	Kubeconfig []byte
	// CacheTTL is the duration to cache responses from the webhook token authenticator.
	CacheTTL *time.Duration
	// Version is the API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.
	Version *string
}
AuthenticationWebhook contains configuration for the authentication webhook.
type AuthorizationWebhook ¶
// AuthorizationWebhook contains configuration for the authorization webhook.
type AuthorizationWebhook struct {
	// Kubeconfig contains the webhook configuration in kubeconfig format. The API server will query the remote service
	// to determine access on the API server's secure port.
	Kubeconfig []byte
	// CacheAuthorizedTTL is the duration to cache 'authorized' responses from the webhook authorizer.
	CacheAuthorizedTTL *time.Duration
	// CacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from the webhook authorizer.
	CacheUnauthorizedTTL *time.Duration
	// Version is the API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the
	// webhook.
	Version *string
}
AuthorizationWebhook contains configuration for the authorization webhook.
type AutoscalingConfig ¶
// AutoscalingConfig contains information for configuring autoscaling settings for the kube-apiserver.
type AutoscalingConfig struct {
	// APIServerResources are the resource requirements for the kube-apiserver container.
	APIServerResources corev1.ResourceRequirements
	// HVPAEnabled states whether an HVPA object shall be deployed. If false, HPA and VPA will be used.
	HVPAEnabled bool
	// Replicas is the number of pod replicas for the kube-apiserver.
	Replicas *int32
	// MinReplicas are the minimum Replicas for horizontal autoscaling.
	MinReplicas int32
	// MaxReplicas are the maximum Replicas for horizontal autoscaling.
	MaxReplicas int32
	// UseMemoryMetricForHvpaHPA states whether the memory metric shall be used when the HPA is configured in an HVPA
	// resource.
	UseMemoryMetricForHvpaHPA bool
	// ScaleDownDisabledForHvpa states whether scale-down shall be disabled when HPA or VPA are configured in an HVPA
	// resource.
	ScaleDownDisabledForHvpa bool
}
AutoscalingConfig contains information for configuring autoscaling settings for the kube-apiserver.
type ETCDEncryptionConfig ¶
// ETCDEncryptionConfig contains configuration for the encryption of resources in etcd.
type ETCDEncryptionConfig struct {
	// RotationPhase specifies the credentials rotation phase of the encryption key.
	RotationPhase gardencorev1beta1.CredentialsRotationPhase
	// EncryptWithCurrentKey specifies whether the current encryption key should be used for encryption. If this is
	// false and if there are two keys then the old key will be used for encryption while the current/new key will only
	// be used for decryption.
	EncryptWithCurrentKey bool
}
ETCDEncryptionConfig contains configuration for the encryption of resources in etcd.
type Images ¶
// Images is a set of container images used for the containers of the kube-apiserver pods.
type Images struct {
	// APIServerProxyPodWebhook is the container image for the apiserver-proxy-pod-webhook.
	APIServerProxyPodWebhook string
	// KubeAPIServer is the container image for the kube-apiserver.
	KubeAPIServer string
	// VPNClient is the container image for the vpn-seed-client.
	VPNClient string
	// Watchdog is the container image for the termination-handler.
	Watchdog string
}
Images is a set of container images used for the containers of the kube-apiserver pods.
type Interface ¶
// Interface contains functions for a kube-apiserver deployer.
type Interface interface {
	component.DeployWaiter
	component.MonitoringComponent
	// GetAutoscalingReplicas gets the Replicas field in the AutoscalingConfig of the Values of the deployer.
	GetAutoscalingReplicas() *int32
	// GetValues returns the current configuration values of the deployer.
	GetValues() Values
	// SetAutoscalingAPIServerResources sets the APIServerResources field in the AutoscalingConfig of the Values of the
	// deployer.
	SetAutoscalingAPIServerResources(corev1.ResourceRequirements)
	// SetAutoscalingReplicas sets the Replicas field in the AutoscalingConfig of the Values of the deployer.
	SetAutoscalingReplicas(*int32)
	// SetETCDEncryptionConfig sets the ETCDEncryptionConfig field in the Values of the deployer.
	SetETCDEncryptionConfig(ETCDEncryptionConfig)
	// SetExternalHostname sets the ExternalHostname field in the Values of the deployer.
	SetExternalHostname(string)
	// SetExternalServer sets the ExternalServer field in the Values of the deployer.
	SetExternalServer(string)
	// SetServerCertificateConfig sets the ServerCertificateConfig field in the Values of the deployer.
	SetServerCertificateConfig(ServerCertificateConfig)
	// SetServiceAccountConfig sets the ServiceAccount field in the Values of the deployer.
	SetServiceAccountConfig(ServiceAccountConfig)
	// SetSNIConfig sets the SNI field in the Values of the deployer.
	SetSNIConfig(SNIConfig)
}
Interface contains functions for a kube-apiserver deployer.
func New ¶
func New(client kubernetes.Interface, namespace string, secretsManager secretsmanager.Interface, values Values) Interface
New creates a new instance of DeployWaiter for the kube-apiserver.
type SNIConfig ¶
// SNIConfig contains information for configuring SNI settings for the kube-apiserver.
type SNIConfig struct {
	// Enabled states whether the SNI feature is enabled.
	Enabled bool
	// PodMutatorEnabled states whether the pod mutator is enabled.
	PodMutatorEnabled bool
	// APIServerFQDN is the fully qualified domain name for the kube-apiserver.
	APIServerFQDN string
	// AdvertiseAddress is the address which should be advertised by the kube-apiserver.
	AdvertiseAddress string
	// TLS contains information for configuring the TLS SNI settings for the kube-apiserver.
	TLS []TLSSNIConfig
}
SNIConfig contains information for configuring SNI settings for the kube-apiserver.
type ServerCertificateConfig ¶
// ServerCertificateConfig contains configuration for the server certificate.
type ServerCertificateConfig struct {
	// ExtraIPAddresses is a list of additional IP addresses to use for the SANs of the server certificate.
	ExtraIPAddresses []net.IP
	// ExtraDNSNames is a list of additional DNS names to use for the SANs of the server certificate.
	ExtraDNSNames []string
}
ServerCertificateConfig contains configuration for the server certificate.
type ServiceAccountConfig ¶
// ServiceAccountConfig contains information for configuring ServiceAccount settings for the kube-apiserver.
type ServiceAccountConfig struct {
	// Issuer is the issuer of service accounts.
	Issuer string
	// AcceptedIssuers is an additional set of issuers that are used to determine which service account tokens are
	// accepted.
	AcceptedIssuers []string
	// ExtendTokenExpiration states whether the service account token expirations should be extended.
	ExtendTokenExpiration *bool
	// MaxTokenExpiration states what the maximal token expiration should be.
	MaxTokenExpiration *metav1.Duration
	// RotationPhase specifies the credentials rotation phase of the service account signing key.
	RotationPhase gardencorev1beta1.CredentialsRotationPhase
}
ServiceAccountConfig contains information for configuring ServiceAccount settings for the kube-apiserver.
type TLSSNIConfig ¶
// TLSSNIConfig contains information for configuring the TLS SNI settings for the kube-apiserver.
type TLSSNIConfig struct {
	// SecretName is the name for an existing secret containing the TLS certificate and private key. Either this or both
	// Certificate and PrivateKey must be specified. If both are provided, SecretName takes precedence.
	SecretName *string
	// Certificate is the TLS certificate. Either both this and PrivateKey, or SecretName must be specified. If both are
	// provided, SecretName takes precedence.
	Certificate []byte
	// PrivateKey is the TLS private key belonging to Certificate. Either both this and Certificate, or SecretName must
	// be specified. If both are provided, SecretName takes precedence.
	PrivateKey []byte
	// DomainPatterns is an optional list of domain patterns which are fully qualified domain names, possibly with
	// prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the
	// apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names
	// of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns
	// trump over extracted names.
	DomainPatterns []string
}
TLSSNIConfig contains information for configuring the TLS SNI settings for the kube-apiserver.
type VPNConfig ¶
// VPNConfig contains information for configuring the VPN settings for the kube-apiserver.
type VPNConfig struct {
	// Enabled states whether VPN is enabled.
	Enabled bool
	// PodNetworkCIDR is the CIDR of the pod network.
	PodNetworkCIDR string
	// NodeNetworkCIDR is the CIDR of the node network.
	NodeNetworkCIDR *string
	// HighAvailabilityEnabled states if VPN uses HA configuration.
	HighAvailabilityEnabled bool
	// HighAvailabilityNumberOfSeedServers is the number of VPN seed servers used for HA.
	HighAvailabilityNumberOfSeedServers int
	// HighAvailabilityNumberOfShootClients is the number of VPN shoot clients used for HA.
	HighAvailabilityNumberOfShootClients int
}
VPNConfig contains information for configuring the VPN settings for the kube-apiserver.
type Values ¶
// Values contains configuration values for the kube-apiserver resources.
type Values struct {
	// EnabledAdmissionPlugins is the list of admission plugins that should be enabled with configuration for the
	// kube-apiserver.
	EnabledAdmissionPlugins []AdmissionPluginConfig
	// DisabledAdmissionPlugins is the list of admission plugins that should be disabled for the kube-apiserver.
	DisabledAdmissionPlugins []gardencorev1beta1.AdmissionPlugin
	// AnonymousAuthenticationEnabled states whether anonymous authentication is enabled (kube-apiserver
	// `--anonymous-auth`); when enabled, requests without credentials are not rejected at authentication but reach
	// authorization as the anonymous user.
	AnonymousAuthenticationEnabled bool
	// APIAudiences are identifiers of the API. The service account token authenticator will validate that tokens used
	// against the API are bound to at least one of these audiences.
	APIAudiences []string
	// Audit contains information for configuring audit settings for the kube-apiserver.
	Audit *AuditConfig
	// AuthenticationWebhook contains configuration for the authentication webhook.
	AuthenticationWebhook *AuthenticationWebhook
	// AuthorizationWebhook contains configuration for the authorization webhook.
	AuthorizationWebhook *AuthorizationWebhook
	// Autoscaling contains information for configuring autoscaling settings for the kube-apiserver.
	Autoscaling AutoscalingConfig
	// DefaultNotReadyTolerationSeconds indicates the tolerationSeconds of the toleration for notReady:NoExecute
	// that is added by default to every pod that does not already have such a toleration (flag
	// `--default-not-ready-toleration-seconds`).
	DefaultNotReadyTolerationSeconds *int64
	// DefaultUnreachableTolerationSeconds indicates the tolerationSeconds of the toleration for unreachable:NoExecute
	// that is added by default to every pod that does not already have such a toleration (flag
	// `--default-unreachable-toleration-seconds`).
	DefaultUnreachableTolerationSeconds *int64
	// ETCDEncryption contains configuration for the encryption of resources in etcd.
	ETCDEncryption ETCDEncryptionConfig
	// EventTTL is the amount of time to retain events.
	EventTTL *metav1.Duration
	// ExternalHostname is the external hostname which should be exposed by the kube-apiserver.
	ExternalHostname string
	// ExternalServer is the external server which should be used when generating the user kubeconfig.
	ExternalServer string
	// FeatureGates is the set of feature gates.
	FeatureGates map[string]bool
	// Images is a set of container images used for the containers of the kube-apiserver pods.
	Images Images
	// IsWorkerless specifies whether the cluster managed by this API server is workerless, i.e. has no worker nodes.
	IsWorkerless bool
	// Logging contains configuration settings for the log and access logging verbosity.
	Logging *gardencorev1beta1.KubeAPIServerLogging
	// NamePrefix is the prefix for the resource names.
	NamePrefix string
	// OIDC contains information for configuring OIDC settings for the kube-apiserver.
	OIDC *gardencorev1beta1.OIDCConfig
	// PriorityClassName is the name of the priority class.
	PriorityClassName string
	// Requests contains configuration for the kube-apiserver requests.
	Requests *gardencorev1beta1.KubeAPIServerRequests
	// ResourcesToStoreInETCDEvents is a list of resources which should be stored in the etcd-events instead of the
	// etcd-main. The `events` resource in the `core` group is always stored in etcd-events.
	ResourcesToStoreInETCDEvents []schema.GroupResource
	// RuntimeConfig is the set of runtime configurations.
	RuntimeConfig map[string]bool
	// RuntimeVersion is the Kubernetes version of the runtime cluster.
	RuntimeVersion *semver.Version
	// ServerCertificate contains configuration for the server certificate.
	ServerCertificate ServerCertificateConfig
	// ServiceAccount contains information for configuring ServiceAccount settings for the kube-apiserver.
	ServiceAccount ServiceAccountConfig
	// ServiceNetworkCIDR is the CIDR of the service network.
	ServiceNetworkCIDR string
	// SNI contains information for configuring SNI settings for the kube-apiserver.
	SNI SNIConfig
	// StaticTokenKubeconfigEnabled indicates whether a static token kubeconfig secret will be created for the shoot.
	StaticTokenKubeconfigEnabled *bool
	// Version is the Kubernetes version for the kube-apiserver.
	Version *semver.Version
	// VPN contains information for configuring the VPN settings for the kube-apiserver.
	VPN VPNConfig
	// WatchCacheSizes are the configured sizes for the watch caches.
	WatchCacheSizes *gardencorev1beta1.WatchCacheSizes
}
Values contains configuration values for the kube-apiserver resources.