webhook

package

v1.12.1 Latest Latest Go to latest Published: Feb 19, 2025 License: Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/googlecloudplatform/gcs-fuse-csi-driver

Documentation ¶

Index ¶

Constants
Variables
func ExtractImageAndDeleteContainer(podSpec *corev1.PodSpec, containerName string) (string, error)
func GetNativeSidecarContainerSpec(c *Config) corev1.Container
func GetSATokenVolume(projectID string) corev1.Volume
func GetSecurityContext() *corev1.SecurityContext
func GetSidecarContainerSpec(c *Config) corev1.Container
func GetSidecarContainerVolumeSpec(existingVolumes ...corev1.Volume) []corev1.Volume
func LogPodMutation(pod *corev1.Pod, sidecarConfig *Config)
func ParseBool(str string) (bool, error)
func ValidatePodHasSidecarContainerInjected(pod *corev1.Pod) (bool, bool)
type Config
- func FakeConfig() *Config
- func LoadConfig(...) *Config
type SidecarInjector

Constants ¶

View Source

const (
	GcsFuseVolumeEnableAnnotation        = "gke-gcsfuse/volumes"
	GcsFuseNativeSidecarEnableAnnotation = "gke-gcsfuse/enable-native-sidecar"
)

View Source

const (
	GcsFuseSidecarName                     = "gke-gcsfuse-sidecar"
	MetadataPrefetchSidecarName            = "gke-gcsfuse-metadata-prefetch"
	SidecarContainerTmpVolumeName          = "gke-gcsfuse-tmp"
	SidecarContainerTmpVolumeMountPath     = "/gcsfuse-tmp"
	SidecarContainerBufferVolumeName       = "gke-gcsfuse-buffer"
	SidecarContainerBufferVolumeMountPath  = "/gcsfuse-buffer"
	SidecarContainerCacheVolumeName        = "gke-gcsfuse-cache"
	SidecarContainerCacheVolumeMountPath   = "/gcsfuse-cache"
	SidecarContainerSATokenVolumeName      = "gcsfuse-sa-token"  // #nosec G101
	SidecarContainerSATokenVolumeMountPath = "/gcsfuse-sa-token" // #nosec G101
	K8STokenPath                           = "token"             // #nosec G101

	// See the nonroot user discussion: https://github.com/GoogleContainerTools/distroless/issues/443
	NobodyUID = 65534
	NobodyGID = 65534
)

View Source

const IstioSidecarName = "istio-proxy"

Variables ¶

View Source

var (

	// gke-gcsfuse-sidecar volumeMounts.
	TmpVolumeMount = corev1.VolumeMount{
		Name:      SidecarContainerTmpVolumeName,
		MountPath: SidecarContainerTmpVolumeMountPath,
	}
)

Functions ¶

func ExtractImageAndDeleteContainer ¶ added in v1.8.0

func ExtractImageAndDeleteContainer(podSpec *corev1.PodSpec, containerName string) (string, error)

ExtractImageAndDeleteContainer supports the injection of custom sidecar images. We iterate the container list and find a container named "containerName" If we find "containerName":

extract the container image
removes the container definition from the container list.
verifies if the image is valid
return image

We support custom sidecar images because:

Requirement for Privately Hosted Sidecar Image feature, for clusters running with limited internet access.
Allow fast testing of new sidecar image on a production environment, usually related to a new gcsfuse binary.

func GetNativeSidecarContainerSpec ¶ added in v1.2.0

func GetNativeSidecarContainerSpec(c *Config) corev1.Container

func GetSATokenVolume ¶ added in v1.11.0

func GetSATokenVolume(projectID string) corev1.Volume

func GetSecurityContext ¶ added in v1.8.0

func GetSecurityContext() *corev1.SecurityContext

GetSecurityContext ensures the sidecar that uses it follows Restricted Pod Security Standard. See https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

func GetSidecarContainerSpec ¶

func GetSidecarContainerSpec(c *Config) corev1.Container

func GetSidecarContainerVolumeSpec ¶

func GetSidecarContainerVolumeSpec(existingVolumes ...corev1.Volume) []corev1.Volume

GetSidecarContainerVolumeSpec returns volumes required by the sidecar container, skipping the existing custom volumes.

func LogPodMutation ¶ added in v1.3.0

func LogPodMutation(pod *corev1.Pod, sidecarConfig *Config)

func ParseBool ¶ added in v1.8.0

func ParseBool(str string) (bool, error)

func ValidatePodHasSidecarContainerInjected ¶

func ValidatePodHasSidecarContainerInjected(pod *corev1.Pod) (bool, bool)

ValidatePodHasSidecarContainerInjected validates the following:

One of the container or init container name matches the sidecar container name.
The container uses NobodyUID and NobodyGID.
The container uses the temp volume.
The temp volume have correct volume mount paths.
The Pod has the temp volume and the volume is an emptyDir volumes.

Returns two booleans:

True when either native or regular sidecar is present.
True iff the sidecar present is a native sidecar container.

Types ¶

type Config ¶

type Config struct {
	ShouldInjectSAVolume   bool   `json:"-"`
	PodHostNetworkSetting  bool   `json:"-"`
	ContainerImage         string `json:"-"`
	MetadataContainerImage string `json:"-"`
	ImagePullPolicy        string `json:"-"`
	//nolint:tagliatelle
	CPURequest resource.Quantity `json:"gke-gcsfuse/cpu-request,omitempty"`
	//nolint:tagliatelle
	CPULimit resource.Quantity `json:"gke-gcsfuse/cpu-limit,omitempty"`
	//nolint:tagliatelle
	MemoryRequest resource.Quantity `json:"gke-gcsfuse/memory-request,omitempty"`
	//nolint:tagliatelle
	MemoryLimit resource.Quantity `json:"gke-gcsfuse/memory-limit,omitempty"`
	//nolint:tagliatelle
	EphemeralStorageRequest resource.Quantity `json:"gke-gcsfuse/ephemeral-storage-request,omitempty"`
	//nolint:tagliatelle
	EphemeralStorageLimit resource.Quantity `json:"gke-gcsfuse/ephemeral-storage-limit,omitempty"`
}

func FakeConfig ¶

func FakeConfig() *Config

func LoadConfig ¶

func LoadConfig(containerImage, metadataContainerImage, imagePullPolicy, cpuRequest, cpuLimit, memoryRequest, memoryLimit, ephemeralStorageRequest, ephemeralStorageLimit string) *Config

type SidecarInjector ¶

type SidecarInjector struct {
	Client client.Client
	// default sidecar container config values, can be overwritten by the pod annotations
	Config        *Config
	Decoder       admission.Decoder
	NodeLister    listersv1.NodeLister
	PvcLister     listersv1.PersistentVolumeClaimLister
	PvLister      listersv1.PersistentVolumeLister
	ServerVersion *version.Version
}

func (*SidecarInjector) GetMetadataPrefetchSidecarContainerSpec ¶ added in v1.8.0

func (si *SidecarInjector) GetMetadataPrefetchSidecarContainerSpec(pod *corev1.Pod, image string) corev1.Container

func (*SidecarInjector) GetNativeMetadataPrefetchSidecarContainerSpec ¶ added in v1.8.0

func (si *SidecarInjector) GetNativeMetadataPrefetchSidecarContainerSpec(pod *corev1.Pod, image string) corev1.Container

func (*SidecarInjector) GetPV ¶ added in v1.8.0

func (si *SidecarInjector) GetPV(name string) (*corev1.PersistentVolume, error)

func (*SidecarInjector) GetPVC ¶ added in v1.8.0

func (si *SidecarInjector) GetPVC(namespace, name string) (*corev1.PersistentVolumeClaim, error)

func (*SidecarInjector) GetPreprovisionCSIVolume ¶ added in v1.8.0

func (si *SidecarInjector) GetPreprovisionCSIVolume(csiDriver string, pvc *corev1.PersistentVolumeClaim) (*corev1.PersistentVolume, bool, error)

GetPreprovisionCSIVolume gets the pre-provisioned persistentVolume when backed by the desired csiDriver.

func (*SidecarInjector) Handle ¶

func (si *SidecarInjector) Handle(ctx context.Context, req admission.Request) admission.Response

Handle injects a gcsfuse sidecar container and a emptyDir to incoming qualified pods.

func (*SidecarInjector) IsPreprovisionCSIVolume ¶ added in v1.8.0

func (si *SidecarInjector) IsPreprovisionCSIVolume(csiDriver string, pvc *corev1.PersistentVolumeClaim) (bool, error)

IsPreprovisionCSIVolume checks whether the volume is a pre-provisioned volume for the desired csiDriver.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL