Documentation
¶
Index ¶
- Constants
- Variables
- type FailurePolicyType
- type MatchPolicyType
- type MutatingWebhook
- type MutatingWebhookConfiguration
- type MutatingWebhookConfigurationList
- type OperationType
- type ReinvocationPolicyType
- type Rule
- type RuleWithOperations
- type ScopeType
- type ServiceReference
- type SideEffectClass
- type ValidatingWebhook
- type ValidatingWebhookConfiguration
- type ValidatingWebhookConfigurationList
- type WebhookClientConfig
Constants ¶
View Source
const GroupName = "admissionregistration.k8s.io"
Variables ¶
View Source
var ( GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"} SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) AddToScheme = SchemeBuilder.AddToScheme SchemaGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"} )
Functions ¶
This section is empty.
Types ¶
type FailurePolicyType ¶
type FailurePolicyType string
const ( FailurePolicyTypeIgnore FailurePolicyType = "Ignore" FailurePolicyTypeFail FailurePolicyType = "Fail" )
type MatchPolicyType ¶
type MatchPolicyType string
const ( MatchPolicyTypeExact MatchPolicyType = "Exact" MatchPolicyTypeEquivalent MatchPolicyType = "Equivalent" )
type MutatingWebhook ¶
type MutatingWebhook struct {
// The name of the admission webhook.
// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
// of the organization.
// Required.
Name string `json:"name"`
// ClientConfig defines how to communicate with the hook.
// Required
ClientConfig WebhookClientConfig `json:"clientConfig"`
// Rules describes what operations on what resources/subresources the webhook cares about.
// The webhook cares about an operation if it matches _any_ Rule.
// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
// from putting the cluster in a state which cannot be recovered from without completely
// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
Rules []RuleWithOperations `json:"rules"`
// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
// allowed values are Ignore or Fail. Defaults to Fail.
FailurePolicy FailurePolicyType `json:"failurePolicy,omitempty"`
// matchPolicy defines how the "rules" list is used to match incoming requests.
// Allowed values are "Exact" or "Equivalent".
// - Exact: match a request only if it exactly matches a specified rule.
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
// Defaults to "Equivalent"
MatchPolicy MatchPolicyType `json:"matchPolicy,omitempty"`
// NamespaceSelector decides whether to run the webhook on an object based
// on whether the namespace for that object matches the selector. If the
// object itself is a namespace, the matching is performed on
// object.metadata.labels. If the object is another cluster scoped resource,
// it never skips the webhook.
// For example, to run the webhook on any objects whose namespace is not
// associated with "runlevel" of "0" or "1"; you will set the selector as
// follows:
// "namespaceSelector": {
// "matchExpressions": [
// {
// "key": "runlevel",
// "operator": "NotIn",
// "values": [
// "0",
// "1"
// ]
// }
// ]
// }
// If instead you want to only run the webhook on any objects whose
// namespace is associated with the "environment" of "prod" or "staging";
// you will set the selector as follows:
// "namespaceSelector": {
// "matchExpressions": [
// {
// "key": "environment",
// "operator": "In",
// "values": [
// "prod",
// "staging"
// ]
// }
// ]
// }
// See
// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
// for more examples of label selectors.
// Default to the empty LabelSelector, which matches everything.
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
// ObjectSelector decides whether to run the webhook based on if the
// object has matching labels. objectSelector is evaluated against both
// the oldObject and newObject that would be sent to the webhook, and
// is considered to match if either object matches the selector. A null
// object (oldObject in the case of create, or newObject in the case of
// delete) or an object that cannot have labels (like a
// DeploymentRollback or a PodProxyOptions object) is not considered to
// match.
// Use the object selector only if the webhook is opt-in, because end
// users may skip the admission webhook by setting the labels.
// Default to the empty LabelSelector, which matches everything.
ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
// SideEffects states whether this webhook has side effects.
// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
// Webhooks with side effects MUST implement a reconciliation system, since a request may be
// rejected by a future step in the admission chain and the side effects therefore need to be undone.
// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
// sideEffects == Unknown or Some.
SideEffects SideEffectClass `json:"sideEffects,omitempty"`
// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
// the webhook call will be ignored or the API call will fail based on the
// failure policy.
// The timeout value must be between 1 and 30 seconds.
// Default to 10 seconds.
TimeoutSeconds int `json:"timeoutSeconds,omitempty"`
// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
// versions the Webhook expects. API server will try to use first version in
// the list which it supports. If none of the versions specified in this list
// supported by API server, validation will fail for this object.
// If a persisted webhook configuration specifies allowed versions and does not
// include any versions known to the API Server, calls to the webhook will fail
// and be subject to the failure policy.
AdmissionReviewVersions []string `json:"admissionReviewVersions"`
// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
// Allowed values are "Never" and "IfNeeded".
// Never: the webhook will not be called more than once in a single admission evaluation.
// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
// if the object being admitted is modified by other admission plugins after the initial webhook call.
// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
// Note:
// * the number of additional invocations is not guaranteed to be exactly one.
// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
// * webhooks that use this option may be reordered to minimize the number of additional invocations.
// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
// Defaults to "Never".
ReinvocationPolicy ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
}
func (*MutatingWebhook) DeepCopy ¶
func (in *MutatingWebhook) DeepCopy() *MutatingWebhook
func (*MutatingWebhook) DeepCopyInto ¶
func (in *MutatingWebhook) DeepCopyInto(out *MutatingWebhook)
type MutatingWebhookConfiguration ¶
type MutatingWebhookConfiguration struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata"`
// Webhooks is a list of webhooks and the affected resources and operations.
Webhooks []MutatingWebhook `json:"webhooks"`
}
func (*MutatingWebhookConfiguration) DeepCopy ¶
func (in *MutatingWebhookConfiguration) DeepCopy() *MutatingWebhookConfiguration
func (*MutatingWebhookConfiguration) DeepCopyInto ¶
func (in *MutatingWebhookConfiguration) DeepCopyInto(out *MutatingWebhookConfiguration)
func (*MutatingWebhookConfiguration) DeepCopyObject ¶
func (in *MutatingWebhookConfiguration) DeepCopyObject() runtime.Object
type MutatingWebhookConfigurationList ¶
type MutatingWebhookConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []MutatingWebhookConfiguration `json:"items"`
}
func (*MutatingWebhookConfigurationList) DeepCopy ¶
func (in *MutatingWebhookConfigurationList) DeepCopy() *MutatingWebhookConfigurationList
func (*MutatingWebhookConfigurationList) DeepCopyInto ¶
func (in *MutatingWebhookConfigurationList) DeepCopyInto(out *MutatingWebhookConfigurationList)
func (*MutatingWebhookConfigurationList) DeepCopyObject ¶
func (in *MutatingWebhookConfigurationList) DeepCopyObject() runtime.Object
type OperationType ¶
type OperationType string
const ( OperationTypeASTERISK OperationType = "*" OperationTypeCREATE OperationType = "CREATE" OperationTypeUPDATE OperationType = "UPDATE" OperationTypeDELETE OperationType = "DELETE" OperationTypeCONNECT OperationType = "CONNECT" )
type ReinvocationPolicyType ¶
type ReinvocationPolicyType string
const ( ReinvocationPolicyTypeNever ReinvocationPolicyType = "Never" ReinvocationPolicyTypeIfNeeded ReinvocationPolicyType = "IfNeeded" )
type Rule ¶
type Rule struct {
// APIGroups is the API groups the resources belong to. '*' is all groups.
// If '*' is present, the length of the slice must be one.
// Required.
APIGroups []string `json:"apiGroups"`
// APIVersions is the API versions the resources belong to. '*' is all versions.
// If '*' is present, the length of the slice must be one.
// Required.
APIVersions []string `json:"apiVersions"`
// Resources is a list of resources this rule applies to.
// For example:
// 'pods' means pods.
// 'pods/log' means the log subresource of pods.
// '*' means all resources, but not subresources.
// 'pods/*' means all subresources of pods.
// '*/scale' means all scale subresources.
// '*/*' means all resources and their subresources.
// If wildcard is present, the validation rule will ensure resources do not
// overlap with each other.
// Depending on the enclosing object, subresources might not be allowed.
// Required.
Resources []string `json:"resources"`
// scope specifies the scope of this rule.
// Valid values are "Cluster", "Namespaced", and "*"
// "Cluster" means that only cluster-scoped resources will match this rule.
// Namespace API objects are cluster-scoped.
// "Namespaced" means that only namespaced resources will match this rule.
// "*" means that there are no scope restrictions.
// Subresources match the scope of their parent resource.
// Default is "*".
Scope ScopeType `json:"scope,omitempty"`
}
func (*Rule) DeepCopyInto ¶
type RuleWithOperations ¶
type RuleWithOperations struct {
// Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
// for all of those operations and any future admission operations that are added.
// If '*' is present, the length of the slice must be one.
// Required.
Operations []OperationType `json:"operations"`
// Rule is embedded, it describes other criteria of the rule, like
// APIGroups, APIVersions, Resources, etc.
Rule `json:",inline"`
}
func (*RuleWithOperations) DeepCopy ¶
func (in *RuleWithOperations) DeepCopy() *RuleWithOperations
func (*RuleWithOperations) DeepCopyInto ¶
func (in *RuleWithOperations) DeepCopyInto(out *RuleWithOperations)
type ServiceReference ¶
type ServiceReference struct {
// `namespace` is the namespace of the service.
// Required
Namespace string `json:"namespace"`
// `name` is the name of the service.
// Required
Name string `json:"name"`
// `path` is an optional URL path which will be sent in any request to
// this service.
Path string `json:"path,omitempty"`
// If specified, the port on the service that hosting webhook.
// Default to 443 for backward compatibility.
// `port` should be a valid port number (1-65535, inclusive).
Port int `json:"port,omitempty"`
}
func (*ServiceReference) DeepCopy ¶
func (in *ServiceReference) DeepCopy() *ServiceReference
func (*ServiceReference) DeepCopyInto ¶
func (in *ServiceReference) DeepCopyInto(out *ServiceReference)
type SideEffectClass ¶
type SideEffectClass string
const ( SideEffectClassUnknown SideEffectClass = "Unknown" SideEffectClassNone SideEffectClass = "None" SideEffectClassSome SideEffectClass = "Some" SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun" )
type ValidatingWebhook ¶
type ValidatingWebhook struct {
// The name of the admission webhook.
// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
// of the organization.
// Required.
Name string `json:"name"`
// ClientConfig defines how to communicate with the hook.
// Required
ClientConfig WebhookClientConfig `json:"clientConfig"`
// Rules describes what operations on what resources/subresources the webhook cares about.
// The webhook cares about an operation if it matches _any_ Rule.
// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
// from putting the cluster in a state which cannot be recovered from without completely
// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
Rules []RuleWithOperations `json:"rules"`
// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
// allowed values are Ignore or Fail. Defaults to Fail.
FailurePolicy FailurePolicyType `json:"failurePolicy,omitempty"`
// matchPolicy defines how the "rules" list is used to match incoming requests.
// Allowed values are "Exact" or "Equivalent".
// - Exact: match a request only if it exactly matches a specified rule.
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
// Defaults to "Equivalent"
MatchPolicy MatchPolicyType `json:"matchPolicy,omitempty"`
// NamespaceSelector decides whether to run the webhook on an object based
// on whether the namespace for that object matches the selector. If the
// object itself is a namespace, the matching is performed on
// object.metadata.labels. If the object is another cluster scoped resource,
// it never skips the webhook.
// For example, to run the webhook on any objects whose namespace is not
// associated with "runlevel" of "0" or "1"; you will set the selector as
// follows:
// "namespaceSelector": {
// "matchExpressions": [
// {
// "key": "runlevel",
// "operator": "NotIn",
// "values": [
// "0",
// "1"
// ]
// }
// ]
// }
// If instead you want to only run the webhook on any objects whose
// namespace is associated with the "environment" of "prod" or "staging";
// you will set the selector as follows:
// "namespaceSelector": {
// "matchExpressions": [
// {
// "key": "environment",
// "operator": "In",
// "values": [
// "prod",
// "staging"
// ]
// }
// ]
// }
// See
// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
// for more examples of label selectors.
// Default to the empty LabelSelector, which matches everything.
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
// ObjectSelector decides whether to run the webhook based on if the
// object has matching labels. objectSelector is evaluated against both
// the oldObject and newObject that would be sent to the webhook, and
// is considered to match if either object matches the selector. A null
// object (oldObject in the case of create, or newObject in the case of
// delete) or an object that cannot have labels (like a
// DeploymentRollback or a PodProxyOptions object) is not considered to
// match.
// Use the object selector only if the webhook is opt-in, because end
// users may skip the admission webhook by setting the labels.
// Default to the empty LabelSelector, which matches everything.
ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
// SideEffects states whether this webhook has side effects.
// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
// Webhooks with side effects MUST implement a reconciliation system, since a request may be
// rejected by a future step in the admission chain and the side effects therefore need to be undone.
// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
// sideEffects == Unknown or Some.
SideEffects SideEffectClass `json:"sideEffects,omitempty"`
// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
// the webhook call will be ignored or the API call will fail based on the
// failure policy.
// The timeout value must be between 1 and 30 seconds.
// Default to 10 seconds.
TimeoutSeconds int `json:"timeoutSeconds,omitempty"`
// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
// versions the Webhook expects. API server will try to use first version in
// the list which it supports. If none of the versions specified in this list
// supported by API server, validation will fail for this object.
// If a persisted webhook configuration specifies allowed versions and does not
// include any versions known to the API Server, calls to the webhook will fail
// and be subject to the failure policy.
AdmissionReviewVersions []string `json:"admissionReviewVersions"`
}
func (*ValidatingWebhook) DeepCopy ¶
func (in *ValidatingWebhook) DeepCopy() *ValidatingWebhook
func (*ValidatingWebhook) DeepCopyInto ¶
func (in *ValidatingWebhook) DeepCopyInto(out *ValidatingWebhook)
type ValidatingWebhookConfiguration ¶
type ValidatingWebhookConfiguration struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata"`
// Webhooks is a list of webhooks and the affected resources and operations.
Webhooks []ValidatingWebhook `json:"webhooks"`
}
func (*ValidatingWebhookConfiguration) DeepCopy ¶
func (in *ValidatingWebhookConfiguration) DeepCopy() *ValidatingWebhookConfiguration
func (*ValidatingWebhookConfiguration) DeepCopyInto ¶
func (in *ValidatingWebhookConfiguration) DeepCopyInto(out *ValidatingWebhookConfiguration)
func (*ValidatingWebhookConfiguration) DeepCopyObject ¶
func (in *ValidatingWebhookConfiguration) DeepCopyObject() runtime.Object
type ValidatingWebhookConfigurationList ¶
type ValidatingWebhookConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []ValidatingWebhookConfiguration `json:"items"`
}
func (*ValidatingWebhookConfigurationList) DeepCopy ¶
func (in *ValidatingWebhookConfigurationList) DeepCopy() *ValidatingWebhookConfigurationList
func (*ValidatingWebhookConfigurationList) DeepCopyInto ¶
func (in *ValidatingWebhookConfigurationList) DeepCopyInto(out *ValidatingWebhookConfigurationList)
func (*ValidatingWebhookConfigurationList) DeepCopyObject ¶
func (in *ValidatingWebhookConfigurationList) DeepCopyObject() runtime.Object
type WebhookClientConfig ¶
type WebhookClientConfig struct {
// `url` gives the location of the webhook, in standard URL form
// (`scheme://host:port/path`). Exactly one of `url` or `service`
// must be specified.
// The `host` should not refer to a service running in the cluster; use
// the `service` field instead. The host might be resolved via external
// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
// in-cluster DNS as that would be a layering violation). `host` may
// also be an IP address.
// Please note that using `localhost` or `127.0.0.1` as a `host` is
// risky unless you take great care to run this webhook on all hosts
// which run an apiserver which might need to make calls to this
// webhook. Such installs are likely to be non-portable, i.e., not easy
// to turn up in a new cluster.
// The scheme must be "https"; the URL must begin with "https://".
// A path is optional, and if present may be any string permissible in
// a URL. You may use the path to pass an arbitrary string to the
// webhook, for example, a cluster identifier.
// Attempting to use a user or basic auth e.g. "user:password@" is not
// allowed. Fragments ("#...") and query parameters ("?...") are not
// allowed, either.
URL string `json:"url,omitempty"`
// `service` is a reference to the service for this webhook. Either
// `service` or `url` must be specified.
// If the webhook is running within the cluster, then you should use `service`.
Service *ServiceReference `json:"service,omitempty"`
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// If unspecified, system trust roots on the apiserver are used.
CABundle []byte `json:"caBundle,omitempty"`
}
func (*WebhookClientConfig) DeepCopy ¶
func (in *WebhookClientConfig) DeepCopy() *WebhookClientConfig
func (*WebhookClientConfig) DeepCopyInto ¶
func (in *WebhookClientConfig) DeepCopyInto(out *WebhookClientConfig)
Source Files
Click to show internal directories.
Click to hide internal directories.