Documentation
¶
Overview ¶
Package admission provides implementation for admission webhook and methods to implement admission webhook handlers.
The following snippet is an example implementation of mutating handler.
type Mutator struct {
client client.Client
decoder types.Decoder
}
func (m *Mutator) mutatePodsFn(ctx context.Context, pod *corev1.Pod) error {
// your logic to mutate the passed-in pod.
}
func (m *Mutator) Handle(ctx context.Context, req types.Request) types.Response {
pod := &corev1.Pod{}
err := m.decoder.Decode(req, pod)
if err != nil {
return admission.ErrorResponse(http.StatusBadRequest, err)
}
// Do deepcopy before actually mutate the object.
copy := pod.DeepCopy()
err = m.mutatePodsFn(ctx, copy)
if err != nil {
return admission.ErrorResponse(http.StatusInternalServerError, err)
}
return admission.PatchResponse(pod, copy)
}
// InjectClient is called by the Manager and provides a client.Client to the Mutator instance.
func (m *Mutator) InjectClient(c client.Client) error {
h.client = c
return nil
}
// InjectDecoder is called by the Manager and provides a types.Decoder to the Mutator instance.
func (m *Mutator) InjectDecoder(d types.Decoder) error {
h.decoder = d
return nil
}
The following snippet is an example implementation of validating handler.
type Handler struct {
client client.Client
decoder types.Decoder
}
func (v *Validator) validatePodsFn(ctx context.Context, pod *corev1.Pod) (bool, string, error) {
// your business logic
}
func (v *Validator) Handle(ctx context.Context, req types.Request) types.Response {
pod := &corev1.Pod{}
err := h.decoder.Decode(req, pod)
if err != nil {
return admission.ErrorResponse(http.StatusBadRequest, err)
}
allowed, reason, err := h.validatePodsFn(ctx, pod)
if err != nil {
return admission.ErrorResponse(http.StatusInternalServerError, err)
}
return admission.ValidationResponse(allowed, reason)
}
// InjectClient is called by the Manager and provides a client.Client to the Validator instance.
func (v *Validator) InjectClient(c client.Client) error {
h.client = c
return nil
}
// InjectDecoder is called by the Manager and provides a types.Decoder to the Validator instance.
func (v *Validator) InjectDecoder(d types.Decoder) error {
h.decoder = d
return nil
}
Index ¶
- func ErrorResponse(code int32, err error) types.Response
- func NewDecoder(scheme *runtime.Scheme) (types.Decoder, error)
- func PatchResponse(original, current runtime.Object) types.Response
- func ValidationResponse(allowed bool, reason string) types.Response
- type DecodeFunc
- type Handler
- type HandlerFunc
- type Webhook
- func (w *Webhook) Add(handlers ...Handler)
- func (w *Webhook) GetName() string
- func (w *Webhook) GetPath() string
- func (w *Webhook) GetType() types.WebhookType
- func (w *Webhook) Handle(ctx context.Context, req atypes.Request) atypes.Response
- func (w *Webhook) Handler() http.Handler
- func (w *Webhook) InjectClient(c client.Client) error
- func (w *Webhook) InjectDecoder(d atypes.Decoder) error
- func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)
- func (w *Webhook) Validate() error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ErrorResponse ¶
ErrorResponse creates a new Response for error-handling a request.
func NewDecoder ¶
NewDecoder creates a Decoder given the runtime.Scheme
func PatchResponse ¶
PatchResponse returns a new response with json patch.
Types ¶
type DecodeFunc ¶
DecodeFunc is a function that implements the Decoder interface.
type HandlerFunc ¶
HandlerFunc implements Handler interface using a single function.
type Webhook ¶
type Webhook struct {
// Name is the name of the webhook
Name string
// Type is the webhook type, i.e. mutating, validating
Type types.WebhookType
// Path is the path this webhook will serve.
Path string
// Rules maps to the Rules field in admissionregistrationv1beta1.Webhook
Rules []admissionregistrationv1beta1.RuleWithOperations
// FailurePolicy maps to the FailurePolicy field in admissionregistrationv1beta1.Webhook
// This optional. If not set, will be defaulted to Ignore (fail-open) by the server.
// More details: https://github.com/kubernetes/api/blob/f5c295feaba2cbc946f0bbb8b535fc5f6a0345ee/admissionregistration/v1beta1/types.go#L144-L147
FailurePolicy *admissionregistrationv1beta1.FailurePolicyType
// NamespaceSelector maps to the NamespaceSelector field in admissionregistrationv1beta1.Webhook
// This optional.
NamespaceSelector *metav1.LabelSelector
// Handlers contains a list of handlers. Each handler may only contains the business logic for its own feature.
// For example, feature foo and bar can be in the same webhook if all the other configurations are the same.
// The handler will be invoked sequentially as the order in the list.
// Note: if you are using mutating webhook with multiple handlers, it's your responsibility to
// ensure the handlers are not generating conflicting JSON patches.
Handlers []Handler
// contains filtered or unexported fields
}
Webhook represents each individual webhook.
func (*Webhook) GetType ¶
func (w *Webhook) GetType() types.WebhookType
GetType returns the type of the webhook.
func (*Webhook) Handle ¶
Handle processes AdmissionRequest. If the webhook is mutating type, it delegates the AdmissionRequest to each handler and merge the patches. If the webhook is validating type, it delegates the AdmissionRequest to each handler and deny the request if anyone denies.
func (*Webhook) InjectClient ¶
InjectClient injects the client into the handlers
func (*Webhook) InjectDecoder ¶
InjectDecoder injects the decoder into the handlers
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.