Documentation ¶
Constants ¶
const MaxRequestBodyBytes = int64(6 * 1024 * 1024)
MaxRequestBodyBytes represents the max size of Kubernetes objects we read. Kubernetes allows a 2x buffer on the max etcd size (https://github.com/kubernetes/kubernetes/blob/0afa569499d480df4977568454a50790891860f5/staging/src/k8s.io/apiserver/pkg/server/config.go#L362). We allow an additional 2x buffer, as it is still fairly cheap (6 MB). Taken from https://github.com/istio/istio/commit/6ca5055a4db6695ef5504eabdfde3799f2ea91fd
Variables ¶
This section is empty.
Functions ¶
func HandlerFor ¶
func HandlerFor(config HandlerConfig) (http.Handler, error)
HandlerFor returns a new http.Handler ready to handle admission reviews using a webhook.
Example (ServeMultipleWebhooks) ¶
ServeMultipleWebhooks shows how to serve multiple webhooks in the same server.
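package main

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"time"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	whhttp "github.com/slok/kubewebhook/v2/pkg/http"
	"github.com/slok/kubewebhook/v2/pkg/model"
	"github.com/slok/kubewebhook/v2/pkg/webhook/mutating"
	"github.com/slok/kubewebhook/v2/pkg/webhook/validating"
)

// main serves a validating webhook and a mutating webhook from one TLS
// server, each on its own path. Every constructor error is checked: a
// discarded error would leave a nil webhook or handler to be registered,
// and the failure would only surface later and far from its cause.
func main() {
	// Create (in)validator: it denies every pod it is given.
	v := validating.ValidatorFunc(func(_ context.Context, _ *model.AdmissionReview, obj metav1.Object) (*validating.ValidatorResult, error) {
		// Check the type assertion so an unexpected object cannot panic.
		// Note that this branch fails open (non-pod objects are allowed).
		// The webhook below is registered for *corev1.Pod, so it should not
		// normally be hit; a real policy should decide on purpose whether an
		// unexpected type is allowed or denied.
		pod, ok := obj.(*corev1.Pod)
		if !ok {
			return &validating.ValidatorResult{Valid: true}, nil
		}

		return &validating.ValidatorResult{
			Valid:   false,
			Message: fmt.Sprintf("%s/%s denied because all pods will be denied", pod.Namespace, pod.Name),
		}, nil
	})

	// Create a stub mutator that changes nothing.
	m := mutating.MutatorFunc(func(_ context.Context, _ *model.AdmissionReview, obj metav1.Object) (*mutating.MutatorResult, error) {
		return &mutating.MutatorResult{}, nil
	})

	// Create the validating webhook and its HTTP handler.
	vcfg := validating.WebhookConfig{
		ID:        "validatingServeWebhook",
		Obj:       &corev1.Pod{},
		Validator: v,
	}
	vwh, err := validating.NewWebhook(vcfg)
	if err != nil {
		log.Fatalf("creating validating webhook: %v", err)
	}
	vwhHandler, err := whhttp.HandlerFor(whhttp.HandlerConfig{Webhook: vwh})
	if err != nil {
		log.Fatalf("creating validating webhook handler: %v", err)
	}

	// Create the mutating webhook and its HTTP handler.
	mcfg := mutating.WebhookConfig{
		ID:      "mutatingServeWebhook",
		Obj:     &corev1.Pod{},
		Mutator: m,
	}
	mwh, err := mutating.NewWebhook(mcfg)
	if err != nil {
		log.Fatalf("creating mutating webhook: %v", err)
	}
	mwhHandler, err := whhttp.HandlerFor(whhttp.HandlerConfig{Webhook: mwh})
	if err != nil {
		log.Fatalf("creating mutating webhook handler: %v", err)
	}

	// Create a muxer and handle different webhooks in different paths of the server.
	mux := http.NewServeMux()
	mux.Handle("/validate-pod", vwhHandler)
	mux.Handle("/mutate-pod", mwhHandler)

	// Use an explicit http.Server: the package-level http.ListenAndServeTLS
	// runs a server without timeouts, so a slow or stalled client could hold
	// a connection open indefinitely. The durations are sample values.
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}

	// Webhooks need to be served with TLS. Report why the server stopped
	// instead of exiting silently.
	if err := srv.ListenAndServeTLS("file.cert", "file.key"); err != nil {
		log.Fatalf("serving webhooks: %v", err)
	}
}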
Output:
Example (ServeWebhook) ¶
ServeWebhook shows how to serve a validating webhook that denies all pods.
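package main

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"time"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	whhttp "github.com/slok/kubewebhook/v2/pkg/http"
	"github.com/slok/kubewebhook/v2/pkg/model"
	"github.com/slok/kubewebhook/v2/pkg/webhook/validating"
)

// main serves a single validating webhook that denies all pods. Constructor
// errors are checked: discarding them would leave a nil webhook or handler
// to be served, and the failure would surface far from its cause.
func main() {
	// Create (in)validator: it denies every pod it is given.
	v := validating.ValidatorFunc(func(_ context.Context, _ *model.AdmissionReview, obj metav1.Object) (*validating.ValidatorResult, error) {
		// This branch fails open (objects that are not pods are allowed).
		// The webhook below is registered for *corev1.Pod, so it should not
		// normally be hit; a real policy should decide on purpose whether an
		// unexpected type is allowed or denied.
		pod, ok := obj.(*corev1.Pod)
		if !ok {
			return &validating.ValidatorResult{Valid: true}, nil
		}

		return &validating.ValidatorResult{
			Valid:   false,
			Message: fmt.Sprintf("%s/%s denied because all pods will be denied", pod.Namespace, pod.Name),
		}, nil
	})

	// Create the webhook.
	cfg := validating.WebhookConfig{
		ID:        "serveWebhook",
		Obj:       &corev1.Pod{},
		Validator: v,
	}
	wh, err := validating.NewWebhook(cfg)
	if err != nil {
		log.Fatalf("creating validating webhook: %v", err)
	}

	// Get the webhook handler.
	whHandler, err := whhttp.HandlerFor(whhttp.HandlerConfig{Webhook: wh})
	if err != nil {
		log.Fatalf("creating webhook handler: %v", err)
	}

	// Use an explicit http.Server: the package-level http.ListenAndServeTLS
	// runs a server without timeouts, so a slow or stalled client could hold
	// a connection open indefinitely. The durations are sample values.
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           whHandler,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}

	// Webhooks need to be served with TLS. Report why the server stopped
	// instead of exiting silently.
	if err := srv.ListenAndServeTLS("file.cert", "file.key"); err != nil {
		log.Fatalf("serving webhook: %v", err)
	}
}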
Output:
func MustHandlerFor ¶
func MustHandlerFor(config HandlerConfig) http.Handler
MustHandlerFor is the same as HandlerFor but will panic instead of returning an error.