package ext

v0.5.6
Published: Feb 3, 2025 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	AddToScheme = schemeBuilder.AddToScheme
)

Functions

func ConvertListOptions added in v0.5.2

func ConvertListOptions(options *metainternalversion.ListOptions) (*metav1.ListOptions, error)

ConvertListOptions converts an internal ListOptions to one used by client-go.

This can be useful if wrapping Watch or List methods to client-go's equivalent.

func ConvertToTable added in v0.5.2

func ConvertToTable[T runtime.Object](ctx context.Context, object runtime.Object, tableOptions runtime.Object, groupResource schema.GroupResource, columnDefs []metav1.TableColumnDefinition, convertFn ConvertFunc[T]) (*metav1.Table, error)

ConvertToTable helps implement rest.Lister and rest.TableConvertor.

It converts an object or a list of objects to a Table, which is used by kubectl (and Rancher UI) to display a table of the items.

func ConvertToTableDefault added in v0.5.2

func ConvertToTableDefault[T runtime.Object](ctx context.Context, object runtime.Object, tableOptions runtime.Object, groupResource schema.GroupResource) (*metav1.Table, error)

ConvertToTableDefault helps implement rest.Lister and rest.TableConvertor.

This uses the default table conversion that displays the following two columns: Name and Created At.

func CreateOrUpdate added in v0.5.2

func CreateOrUpdate[T runtime.Object](
	ctx context.Context,
	name string,
	objInfo rest.UpdatedObjectInfo,
	createValidation rest.ValidateObjectFunc,
	updateValidation rest.ValidateObjectUpdateFunc,
	forceAllowCreate bool,
	options *metav1.UpdateOptions,
	getFn func(ctx context.Context, name string, opts *metav1.GetOptions) (T, error),
	createFn func(ctx context.Context, obj T, opts *metav1.CreateOptions) (T, error),
	updateFn func(ctx context.Context, obj T, opts *metav1.UpdateOptions) (T, error),
) (runtime.Object, bool, error)

CreateOrUpdate helps implement rest.Updater by handling most of the logic.

It will call getFn to find the object. If not found, then createFn will be called, which should create the object. Otherwise, the updateFn will be called, which should update the object.

createValidation is called before createFn. It will do validation such as:

updateValidation is called before updateFn. It will do validation such as:

  • running mutating/validating webhooks (though we're not using them yet)

Types

type AccessSetAuthorizer

type AccessSetAuthorizer struct {
	// contains filtered or unexported fields
}

func (*AccessSetAuthorizer) Authorize

func (a *AccessSetAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

Authorize implements authorizer.Authorizer.

type ConvertFunc added in v0.5.2

type ConvertFunc[T runtime.Object] func(obj T) []string

ConvertFunc converts an object to the list of cells of one row in a metav1.Table (think of the kubectl get table output).

type DefaultAuthenticator added in v0.5.5

type DefaultAuthenticator struct {
	// contains filtered or unexported fields
}

DefaultAuthenticator is an authenticator.Request that authenticates a user by:

  • making sure the client uses a certificate signed by the CA defined in the `extension-apiserver-authentication` configmap in the `kube-system` namespace and
  • making sure the CN of the cert is part of the allow list, also defined in the same configmap

This authentication is better explained in https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/

This authenticator is a dynamiccertificates.ControllerRunner which means it will run in the background to dynamically watch the content of the configmap.

When using the DefaultAuthenticator, it is suggested to call RunOnce() to initialize the CA state. It is also possible to watch for changes to the CA bundle with the AddListener() method. Here's an example usage:

auth, err := NewDefaultAuthenticator(client)
if err != nil {
   return err
}
auth.AddListener(myListener{auth: auth}) // myListener should react to CA bundle changes
err = auth.RunOnce(ctx)
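The two checks DefaultAuthenticator makes on the front-proxy client certificate, written stand-alone against the Go standard library as an added example (this is not code from this package): the presented certificate must chain to the trusted CA bundle with the client-auth key usage, and its CN must be on the allow list. newCert, authenticateClientCert and the CA and client certificates they build are constructed fixtures, standing in for the CA bundle and allow list the real authenticator reads from the extension-apiserver-authentication configmap.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert is a constructed fixture: with parent == nil it issues a self-signed CA, otherwise a client cert signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticateClientCert mirrors the DefaultAuthenticator checks: the cert must chain to the
// trusted CA bundle (roots) with client-auth usage, and its CN must be allow-listed. Returns the user (CN).
func authenticateClientCert(cert *x509.Certificate, roots *x509.CertPool, allowedCNs []string) (string, error) {
	if cert == nil {
		return "", fmt.Errorf("no client certificate presented")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("client cert not signed by the trusted CA: %w", err)
	}
	for _, cn := range allowedCNs {
		if cert.Subject.CommonName == cn {
			return cn, nil
		}
	}
	return "", fmt.Errorf("CN %q not in allow list", cert.Subject.CommonName)
}
```

A certificate that chains correctly but carries a CN outside the allow list is rejected just like one from an untrusted CA, which is the property that keeps any other holder of a CA-signed cert from impersonating the aggregator.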

func NewDefaultAuthenticator added in v0.5.5

func NewDefaultAuthenticator(client kubernetes.Interface) (*DefaultAuthenticator, error)

NewDefaultAuthenticator creates a DefaultAuthenticator

func (*DefaultAuthenticator) AddListener added in v0.5.5

func (b *DefaultAuthenticator) AddListener(listener dynamiccertificates.Listener)

AddListener implements dynamiccertificates.Notifier. This is part of the dynamiccertificates.CAContentProvider interface.

func (*DefaultAuthenticator) AuthenticateRequest added in v0.5.5

func (b *DefaultAuthenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)

AuthenticateRequest implements authenticator.Request

func (*DefaultAuthenticator) CurrentCABundleContent added in v0.5.5

func (b *DefaultAuthenticator) CurrentCABundleContent() []byte

CurrentCABundleContent implements dynamiccertificates.CAContentProvider.

func (*DefaultAuthenticator) Name added in v0.5.5

func (b *DefaultAuthenticator) Name() string

Name implements dynamiccertificates.CAContentProvider.

func (*DefaultAuthenticator) Run added in v0.5.5

func (b *DefaultAuthenticator) Run(ctx context.Context, workers int)

Run implements dynamiccertificates.ControllerRunner.

It will be called by the "SecureServing" when starting the extension API server.

func (*DefaultAuthenticator) RunOnce added in v0.5.5

func (b *DefaultAuthenticator) RunOnce(ctx context.Context) error

RunOnce implements dynamiccertificates.ControllerRunner.

func (*DefaultAuthenticator) VerifyOptions added in v0.5.5

func (b *DefaultAuthenticator) VerifyOptions() (x509.VerifyOptions, bool)

VerifyOptions implements dynamiccertificates.CAContentProvider.

type ExtensionAPIServer

type ExtensionAPIServer struct {
	// contains filtered or unexported fields
}

ExtensionAPIServer wraps a genericapiserver.GenericAPIServer to implement a Kubernetes extension API server.

Use NewExtensionAPIServer to create an ExtensionAPIServer.

Use ExtensionAPIServer.Install to add a new resource store onto an existing ExtensionAPIServer. Each resource will then be reachable via /apis/<group>/<version>/<resource> as defined by the Kubernetes API.

When ExtensionAPIServer.Run is called, a separate HTTPS server is started. This server is meant for the main kube-apiserver to communicate with our extension API server. We can expect the following requests from the main kube-apiserver:

<path>                 <user>                 <groups>
/openapi/v2            system:aggregator      [system:authenticated]
/openapi/v3            system:aggregator      [system:authenticated]
/apis                  system:kube-aggregator [system:masters system:authenticated]
/apis/ext.cattle.io/v1 system:kube-aggregator [system:masters system:authenticated]

func (*ExtensionAPIServer) GetAuthorizer added in v0.5.2

func (s *ExtensionAPIServer) GetAuthorizer() authorizer.Authorizer

GetAuthorizer returns the authorizer used by the extension server to authorize requests.

This can be used to inject the authorizer in stores that need them.

func (*ExtensionAPIServer) Install added in v0.5.2

func (s *ExtensionAPIServer) Install(resourceName string, gvk schema.GroupVersionKind, storage rest.Storage) error

Install adds a new store to the extension API server.

resourceName should be the plural form of the resource, the same that usually goes in a schema.GroupVersionResource. For example, for a token store, it would be tokens.

gvk is the schema.GroupVersionKind that defines the input / output for the store. The kind must be the singular name, in PascalCase. For example, for a token store, the kind would be Token.

A store implements handlers for the various operations (verbs) supported for a defined GVK / GVR. For example, a store for a (apiVersion: ext.cattle.io/v1, kind: Tokens) Custom Resource could implement create and watch verbs.

A store MUST implement the following interfaces: rest.Storage, rest.Scoper, rest.GroupVersionKindProvider and rest.SingularNameProvider.

Implementing the various verbs goes as follows:

Most of these methods have a context.Context parameter that can be used to get more information about the request. Here are some examples:

For an example store implementing these, please look at the testStore type, with the caveat that it is a dummy store written for the tests.

Note that errors returned by any operations above MUST be of type k8s.io/apimachinery/pkg/api/errors.APIStatus. These can be created with k8s.io/apimachinery/pkg/api/errors.NewNotFound, etc. If an error of unknown type is returned, the library will log an error message.

func (*ExtensionAPIServer) Run

Run prepares and runs the separate HTTPS server. It also configures the handler so that ServeHTTP can be used.

func (*ExtensionAPIServer) ServeHTTP

func (s *ExtensionAPIServer) ServeHTTP(w http.ResponseWriter, req *http.Request)

type ExtensionAPIServerOptions

type ExtensionAPIServerOptions struct {
	// GetOpenAPIDefinitions is a collection of all definitions. Required.
	GetOpenAPIDefinitions             openapicommon.GetOpenAPIDefinitions
	OpenAPIDefinitionNameReplacements map[string]string

	// Authenticator will be used to authenticate requests coming to the
	// extension API server. Required.
	//
	// If the authenticator implements [dynamiccertificates.CAContentProvider], the
	// ClientCA will be set on the underlying SecureServing struct. If the authenticator
	// implements [dynamiccertificates.ControllerRunner] too, then Run() will be called so
	// that the authenticators can run in the background. (See DefaultAuthenticator for
	// example).
	//
	// Use a UnionAuthenticator to have multiple ways of authenticating requests. See
	// [NewUnionAuthenticator] for an example.
	Authenticator authenticator.Request

	// Authorizer will be used to authorize requests based on the user,
	// operation and resources. Required.
	//
	// Use [NewAccessSetAuthorizer] for an authorizer that uses Steve's access set.
	Authorizer authorizer.Authorizer

	// Listener is the TCP listener that is used to listen to the extension API server
	// that is reached by the main kube-apiserver. Required.
	Listener net.Listener

	// EffectiveVersion determines which features and apis are supported
	// by our custom API server.
	//
	// This is a new alpha feature from Kubernetes, the details can be
	// found here: https://github.com/kubernetes/enhancements/tree/master/keps/sig-architecture/4330-compatibility-versions
	//
	// If nil, the default version is the version of the Kubernetes Go library
	// compiled in the final binary.
	EffectiveVersion utilversion.EffectiveVersion

	SNICerts []dynamiccertificates.SNICertKeyContentProvider
}

type UnionAuthenticator added in v0.5.5

type UnionAuthenticator struct {
	// contains filtered or unexported fields
}

UnionAuthenticator chains authenticators together to allow many ways of authenticating requests for the extension API server. For example, we might want to use Rancher's token authentication and fallback to the default authentication (mTLS) defined by Kubernetes.

UnionAuthenticator is both a dynamiccertificates.ControllerRunner and a dynamiccertificates.CAContentProvider.

func NewUnionAuthenticator added in v0.5.5

func NewUnionAuthenticator(authenticators ...authenticator.Request) *UnionAuthenticator

NewUnionAuthenticator creates a UnionAuthenticator.

The authenticators will be tried one by one, in the order they are given, until one succeeds or all fail.

Here's an example usage:

customAuth := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
	// inspect the request to determine who the user is; return false when it does not apply
	return nil, false, nil
})
defaultAuth, err := NewDefaultAuthenticator(client) // "default" is a Go keyword, so it cannot be used as the variable name
if err != nil {
	return err
}
auth := NewUnionAuthenticator(customAuth, defaultAuth)
err = auth.RunOnce(ctx)

func (*UnionAuthenticator) AddListener added in v0.5.5

func (u *UnionAuthenticator) AddListener(listener dynamiccertificates.Listener)

AddListener implements dynamiccertificates.Notifier. This is part of the dynamiccertificates.CAContentProvider interface.

func (*UnionAuthenticator) AuthenticateRequest added in v0.5.5

func (u *UnionAuthenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)

AuthenticateRequest implements authenticator.Request

func (*UnionAuthenticator) CurrentCABundleContent added in v0.5.5

func (u *UnionAuthenticator) CurrentCABundleContent() []byte

CurrentCABundleContent implements dynamiccertificates.CAContentProvider.

func (*UnionAuthenticator) Name added in v0.5.5

func (u *UnionAuthenticator) Name() string

Name implements dynamiccertificates.CAContentProvider.

func (*UnionAuthenticator) Run added in v0.5.5

func (u *UnionAuthenticator) Run(ctx context.Context, workers int)

Run implements dynamiccertificates.ControllerRunner.

func (*UnionAuthenticator) RunOnce added in v0.5.5

func (u *UnionAuthenticator) RunOnce(ctx context.Context) error

RunOnce implements dynamiccertificates.ControllerRunner.

func (*UnionAuthenticator) VerifyOptions added in v0.5.5

func (u *UnionAuthenticator) VerifyOptions() (x509.VerifyOptions, bool)

VerifyOptions implements dynamiccertificates.CAContentProvider.
