admission

package
v1.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Sep 11, 2018 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

The admission package provides libraries for creating admission webhooks.

Example
package main

import (
	"fmt"

	"github.com/kubernetes-sigs/kubebuilder/pkg/internal/admission"
	"k8s.io/api/admission/v1beta1"

	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

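// main registers a pod admission handler on the package's default registry
// and then serves it over TLS.
func main() {
	// Core-group ("") v1 pods: the resource this handler is registered for.
	resourceType := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
	admission.HandleFunc("/pod", resourceType, func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		pod := corev1.Pod{}
		// Decode hands back a non-nil response when the raw object cannot be
		// deserialized. Return it as-is so an object that was never inspected
		// is not admitted by falling through to AllowResponse.
		if errResp := admission.Decode(review, &pod, resourceType); errResp != nil {
			return errResp
		}
		// Business logic for admission decision
		if len(pod.Spec.Containers) != 1 {
			return admission.DenyResponse(fmt.Sprintf(
				"pod %s/%s may only have 1 container.", pod.Namespace, pod.Name))
		}
		return admission.AllowResponse()
	})
	// ListenAndServeTLS returns an error; the original example dropped it, so a
	// server that failed to start would exit silently and the policy above
	// would not be enforced by this process. Fail loudly instead.
	// NOTE(review): this page does not document how an empty addr is
	// interpreted or where the serving certificate comes from; confirm both
	// before deploying.
	if err := admission.ListenAndServeTLS(""); err != nil {
		panic(err)
	}
}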
Output:

Index

Examples

Constants

This section is empty.

Variables

// DefaultAdmissionFns is the package-level AdmissionManager. Only SMux is set
// here, so Entries starts out as a nil map.
//
// SMux is http.DefaultServeMux, the process-wide mux that http.Handle and
// http.HandleFunc register on. Handlers added by any other package in the
// same binary (for example through a blank import of net/http/pprof) live on
// that same mux.
// NOTE(review): whether ListenAndServeTLS serves this mux is not shown on this
// page; confirm, and if it does, consider an AdmissionManager built around a
// dedicated http.NewServeMux() so only admission paths are exposed.
var DefaultAdmissionFns = &AdmissionManager{
	SMux: http.DefaultServeMux,
}

DefaultAdmissionFns is the default admission control functions registry

Functions

func AllowResponse

func AllowResponse() *v1beta1.AdmissionResponse

AllowResponse returns a new response for admitting a request

Example
package main

import (
	"github.com/kubernetes-sigs/kubebuilder/pkg/internal/admission"
)

// main shows how an "admit" response is constructed.
func main() {
	// The example has no caller to hand the response to, so it is discarded;
	// an AdmissionFunc would return it.
	_ = admission.AllowResponse()
}
Output:

func Decode

Decode reads the Raw data from review and deserializes it into object, returning a non-nil response if there was an error.

Example
package main

import (
	"github.com/kubernetes-sigs/kubebuilder/pkg/internal/admission"
	"k8s.io/api/admission/v1beta1"

	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// main shows the Decode call pattern: deserialize the reviewed object into a
// typed value and check the returned response before using that value.
func main() {
	var (
		review v1beta1.AdmissionReview
		pod    corev1.Pod
	)
	podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}

	// A non-nil result means decoding failed. Inside an AdmissionFunc the
	// handler should return it instead of going on to inspect pod.
	errResp := admission.Decode(review, &pod, podsGVR)
	if errResp != nil {
		// Send error resp
	}
}
Output:

func DenyResponse

func DenyResponse(msg string) *v1beta1.AdmissionResponse

DenyResponse returns a new response for denying a request

Example
package main

import (
	"fmt"
	"github.com/kubernetes-sigs/kubebuilder/pkg/internal/admission"
)

// main shows how a "deny" response is constructed from an explanation string.
func main() {
	// NOTE(review): the explanation is presumably surfaced to the client whose
	// request was denied; keep it free of internal detail. Confirm against the
	// DenyResponse implementation.
	reason := fmt.Sprintf("some deny explanation")
	_ = admission.DenyResponse(reason)
}
Output:

func ErrorResponse

func ErrorResponse(err error) *v1beta1.AdmissionResponse

ErrorResponse creates a new AdmissionResponse for an error handling the request

Example
package main

import (
	"fmt"
	"github.com/kubernetes-sigs/kubebuilder/pkg/internal/admission"
)

// main shows how an error is wrapped into an AdmissionResponse.
func main() {
	// NOTE(review): how much of the error text reaches the requesting client
	// is not shown on this page; confirm before passing errors that carry
	// internal detail.
	cause := fmt.Errorf("some error explanation")
	_ = admission.ErrorResponse(cause)
}
Output:

func HandleFunc

func HandleFunc(path string, gvr metav1.GroupVersionResource, fn AdmissionFunc)

HandleFunc registers fn as an admission control webhook callback for the specified group, version, and resource.

Example
package main

import (
	"fmt"

	"github.com/kubernetes-sigs/kubebuilder/pkg/internal/admission"
	"k8s.io/api/admission/v1beta1"

	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// main registers a pod admission callback under the "/pod" path.
func main() {
	podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}

	// reviewPod admits a pod only when it declares exactly one container.
	reviewPod := func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		var pod corev1.Pod
		// A non-nil response from Decode is returned unchanged, so an object
		// that could not be deserialized never reaches the allow path.
		errResp := admission.Decode(review, &pod, podsGVR)
		if errResp != nil {
			return errResp
		}
		// Business logic for admission decision
		if len(pod.Spec.Containers) == 1 {
			return admission.AllowResponse()
		}
		msg := fmt.Sprintf("pod %s/%s may only have 1 container.", pod.Namespace, pod.Name)
		return admission.DenyResponse(msg)
	}

	admission.HandleFunc("/pod", podsGVR, reviewPod)
}
Output:

func ListenAndServeTLS

func ListenAndServeTLS(addr string) error

Types

type AdmissionFunc

type AdmissionFunc func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse

AdmissionFunc implements an AdmissionReview operation for a GroupVersionResource

Example
package main

import (
	"fmt"

	"github.com/kubernetes-sigs/kubebuilder/pkg/internal/admission"
	"k8s.io/api/admission/v1beta1"

	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// main checks at compile time that a function literal with this signature is
// assignable to admission.AdmissionFunc.
func main() {
	var _ admission.AdmissionFunc = func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
		var pod corev1.Pod
		// Decoding failures are returned to the caller as-is; the pod is only
		// inspected once Decode has reported success with a nil response.
		errResp := admission.Decode(review, &pod, podsGVR)
		if errResp != nil {
			return errResp
		}
		// Business logic for admission decision
		if len(pod.Spec.Containers) == 1 {
			return admission.AllowResponse()
		}
		msg := fmt.Sprintf("pod %s/%s may only have 1 container.", pod.Namespace, pod.Name)
		return admission.DenyResponse(msg)
	}
}
Output:

type AdmissionManager

// AdmissionManager groups a map of admission handlers with an HTTP mux.
type AdmissionManager struct {
	// Entries holds handlers keyed by string.
	// NOTE(review): presumably the key is the path passed to HandleFunc; confirm.
	// DefaultAdmissionFns does not set this field, so it is nil there until
	// something initializes it.
	Entries map[string]admissionHandler
	// SMux is the HTTP request multiplexer associated with this manager.
	// DefaultAdmissionFns sets it to http.DefaultServeMux, which is shared
	// process-wide.
	SMux    *http.ServeMux
}

AdmissionManager manages admission controllers

func (*AdmissionManager) HandleFunc

func (e *AdmissionManager) HandleFunc(path string, gvr metav1.GroupVersionResource, fn AdmissionFunc)

HandleFunc registers fn as an admission control webhook callback for the specified group, version, and resource.
