Documentation ¶
Index ¶
- Constants
- Variables
- func AdmissionReviewAdapterToKube(ar *AdmissionReview, apiVersion string) runtime.Object
- func AllSynced[T Syncer](syncers []T) bool
- func BuildClientCmd(kubeconfig, context string, overrides ...func(*clientcmd.ConfigOverrides)) clientcmd.ClientConfig
- func BuildClientConfig(kubeconfig, context string) (*rest.Config, error)
- func CheckPodReady(pod *corev1.Pod) error
- func CheckPodReadyOrComplete(pod *corev1.Pod) error
- func CheckPodTerminal(pod *corev1.Pod) bool
- func ConfigLoadingRules(kubeconfig string) *clientcmd.ClientConfigLoadingRules
- func DefaultRestConfig(kubeconfig, configContext string, fns ...func(*rest.Config)) (*rest.Config, error)
- func FindIstiodMonitoringPort(pod *v1.Pod) int
- func GetDeployMetaFromPod(pod *corev1.Pod) (types.NamespacedName, metav1.TypeMeta)
- func GetVersionAsInt(client Client) int
- func GetWorkloadMetaFromPod(pod *corev1.Pod) (types.NamespacedName, metav1.TypeMeta)
- func HTTPConfigReader(req *http.Request) ([]byte, error)
- func InClusterConfig(fns ...func(*rest.Config)) (*rest.Config, error)
- func IsAtLeastVersion(client Client, minorVersion uint) bool
- func IsKubeAtLeastOrLessThanVersion(clusterVersion *kubeVersion.Info, minorVersion uint, atLeast bool) bool
- func IsLessThanVersion(client Client, minorVersion uint) bool
- func IstioUserAgent() string
- func NewClientConfigForRestConfig(restConfig *rest.Config) clientcmd.ClientConfig
- func NewRPCCredentials(kubeClient Client, tokenNamespace, tokenSA string, tokenAudiences []string, ...) (credentials.PerRPCCredentials, error)
- func NewUntrustedRestConfig(kubeConfig []byte, configOverrides ...func(*rest.Config)) (*rest.Config, error)
- func SetRestDefaults(config *rest.Config) *rest.Config
- func SlowConvertKindsToRuntimeObjects(in []crd.IstioKind) ([]runtime.Object, error)
- func SlowConvertToRuntimeObject(in *crd.IstioKind) (runtime.Object, error)
- func StripNodeUnusedFields(obj any) (any, error)
- func StripPodUnusedFields(obj any) (any, error)
- func WaitForCacheSync(name string, stop <-chan struct{}, cacheSyncs ...cache.InformerSynced) (r bool)
- type AdmissionRequest
- type AdmissionResponse
- type AdmissionReview
- type CLIClient
- type Client
- type ClientOption
- type PartialFactory
- type PortForwarder
- type PortManager
- type Syncer
Constants ¶
const ( // Operation constants Create string = "CREATE" Update string = "UPDATE" Delete string = "DELETE" Connect string = "CONNECT" )
const MaxRequestBodyBytes = int64(6 * 1024 * 1024)
MaxRequestBodyBytes represents the max size of Kubernetes objects we read. Kubernetes allows a 2x buffer on the max etcd size (https://github.com/kubernetes/kubernetes/blob/0afa569499d480df4977568454a50790891860f5/staging/src/k8s.io/apiserver/pkg/server/config.go#L362). We allow an additional 2x buffer, as it is still fairly cheap (6mb)
const (
RunningStatus = "status.phase=Running"
)
Variables ¶
var ( IstioScheme = istioScheme() IstioCodec = serializer.NewCodecFactory(IstioScheme) )
IstioScheme returns a scheme will all known Istio-related types added
var FakeIstioScheme = func() *runtime.Scheme { s := istioScheme() s.AddKnownTypeWithName(schema.GroupVersionKind{Group: "fake-metadata-client-group", Version: "v1", Kind: "List"}, &metav1.List{}) return s }()
FakeIstioScheme is an IstioScheme that has List type registered.
var NewCrdWatcher func(Client) kubetypes.CrdWatcher
Functions ¶
func AdmissionReviewAdapterToKube ¶
func AdmissionReviewAdapterToKube(ar *AdmissionReview, apiVersion string) runtime.Object
func BuildClientCmd ¶
func BuildClientCmd(kubeconfig, context string, overrides ...func(*clientcmd.ConfigOverrides)) clientcmd.ClientConfig
BuildClientCmd builds a client cmd config from a kubeconfig filepath and context. It overrides the current context with the one provided (empty to use default).
This is a modified version of k8s.io/client-go/tools/clientcmd/BuildConfigFromFlags with the difference that it loads default configs if not running in-cluster.
func BuildClientConfig ¶
BuildClientConfig builds a client rest config from a kubeconfig filepath and context. It overrides the current context with the one provided (empty to use default).
This is a modified version of k8s.io/client-go/tools/clientcmd/BuildConfigFromFlags with the difference that it loads default configs if not running in-cluster.
func CheckPodReady ¶
CheckPodReady returns nil if the given pod and all of its containers are ready.
func CheckPodReadyOrComplete ¶
CheckPodReadyOrComplete returns nil if the given pod and all of its containers are ready or terminated successfully.
func CheckPodTerminal ¶
CheckPodTerminal returns true if the pod's phase is terminal (succeeded || failed) usually used to filter cron jobs.
func ConfigLoadingRules ¶
func ConfigLoadingRules(kubeconfig string) *clientcmd.ClientConfigLoadingRules
func DefaultRestConfig ¶
func DefaultRestConfig(kubeconfig, configContext string, fns ...func(*rest.Config)) (*rest.Config, error)
DefaultRestConfig returns the rest.Config for the given kube config file and context.
func GetDeployMetaFromPod ¶
GetDeployMetaFromPod heuristically derives deployment metadata from the pod spec.
func GetVersionAsInt ¶
GetVersionAsInt returns the the kubernetes version as an integer. For example, on Kubernetes v1.15.2, GetVersionAsInt returns 115
func GetWorkloadMetaFromPod ¶
GetWorkloadMetaFromPod heuristically derives workload name and type metadata from the pod spec. This respects the workload-name override; to just use heuristics only use GetDeployMetaFromPod.
func HTTPConfigReader ¶
HTTPConfigReader is reads an HTTP request, imposing size restrictions aligned with Kubernetes limits
func InClusterConfig ¶
InClusterConfig returns the rest.Config for in cluster usage. Typically, DefaultRestConfig is used and this is auto detected; usage directly allows explicitly overriding to use in-cluster.
func IsAtLeastVersion ¶
IsAtLeastVersion returns true if the client is at least the specified version. For example, on Kubernetes v1.15.2, IsAtLeastVersion(13) == true, IsAtLeastVersion(17) == false
func IsKubeAtLeastOrLessThanVersion ¶
func IsKubeAtLeastOrLessThanVersion(clusterVersion *kubeVersion.Info, minorVersion uint, atLeast bool) bool
IsKubeAtLeastOrLessThanVersion returns if the kubernetes version is at least or less than the specified version.
func IsLessThanVersion ¶
IsLessThanVersion returns true if the client version is less than the specified version. For example, on Kubernetes v1.15.2, IsLessThanVersion(13) == false, IsLessThanVersion(17) == true
func IstioUserAgent ¶
func IstioUserAgent() string
IstioUserAgent returns the user agent string based on the command being used. example: pilot-discovery/1.9.5 or istioctl/1.10.0 This is a specialized version of rest.DefaultKubernetesUserAgent()
func NewClientConfigForRestConfig ¶
func NewClientConfigForRestConfig(restConfig *rest.Config) clientcmd.ClientConfig
NewClientConfigForRestConfig creates a new k8s clientcmd.ClientConfig from the given rest.Config.
func NewRPCCredentials ¶
func NewRPCCredentials(kubeClient Client, tokenNamespace, tokenSA string, tokenAudiences []string, expirationSeconds, sunsetPeriodSeconds int64, ) (credentials.PerRPCCredentials, error)
NewRPCCredentials creates a PerRPCCredentials capable of getting tokens from Istio and tracking their expiration
func NewUntrustedRestConfig ¶
func NewUntrustedRestConfig(kubeConfig []byte, configOverrides ...func(*rest.Config)) (*rest.Config, error)
NewUntrustedRestConfig returns the rest.Config for the given kube config context. This is suitable for access to remote clusters from untrusted kubeConfig inputs. The kubeconfig is sanitized and unsafe auth methods are denied.
func SetRestDefaults ¶
SetRestDefaults is a helper function that sets default values for the given rest.Config. This function is idempotent.
func SlowConvertToRuntimeObject ¶
SlowConvertToRuntimeObject converts an IstioKind to a runtime.Object. As the name implies, it is not efficient.
func StripNodeUnusedFields ¶
StripNodeUnusedFields is the transform function for shared node informers, it removes unused fields from objects before they are stored in the cache to save memory.
func StripPodUnusedFields ¶
StripPodUnusedFields is the transform function for shared pod informers, it removes unused fields from objects before they are stored in the cache to save memory.
func WaitForCacheSync ¶
func WaitForCacheSync(name string, stop <-chan struct{}, cacheSyncs ...cache.InformerSynced) (r bool)
WaitForCacheSync waits until all caches are synced. This will return true only if things synced successfully before the stop channel is closed. This function also lives in the Kubernetes cache library. However, that library will poll with 100ms fixed interval. Often the cache syncs in a few ms, but we are delayed a full 100ms. This is especially apparent in tests, which previously spent most of their time just in the 100ms wait interval.
To optimize this, this function performs exponential backoff. This is generally safe because cache.InformerSynced functions are ~always quick to run. However, if the sync functions do perform expensive checks this function may not be suitable.
Types ¶
type AdmissionRequest ¶
type AdmissionRequest struct { // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are // otherwise identical (parallel requests, requests when earlier requests did not modify etc) // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. UID types.UID `json:"uid"` // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) Kind metav1.GroupVersionKind `json:"kind"` // Resource is the fully-qualified resource being requested (for example, v1.pods) Resource metav1.GroupVersionResource `json:"resource"` // SubResource is the subresource being requested, if any (for example, "status" or "scale") SubResource string `json:"subResource,omitempty"` // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. // // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, // an API request to apps/v1beta1 deployments would be converted and sent to the webhook // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). // RequestKind *metav1.GroupVersionKind `json:"requestKind,omitempty"` // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. // // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, // an API request to apps/v1beta1 deployments would be converted and sent to the webhook // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). // RequestResource *metav1.GroupVersionResource `json:"requestResource,omitempty"` // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. RequestSubResource string `json:"requestSubResource,omitempty"` // UserInfo is information about the requesting user UserInfo authenticationv1.UserInfo `json:"userInfo"` // Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and // rely on the server to generate the name. If that is the case, this field will contain an empty string. Name string `json:"name,omitempty"` // Namespace is the namespace associated with the request (if any). Namespace string `json:"namespace,omitempty"` // Operation is the operation being performed. This may be different than the operation // requested. e.g. a patch can result in either a CREATE or UPDATE Operation. Operation string `json:"operation"` // Object is the object from the incoming request. Object runtime.RawExtension `json:"object,omitempty"` // OldObject is the existing object. Only populated for DELETE and UPDATE requests. OldObject runtime.RawExtension `json:"oldObject,omitempty"` // DryRun indicates that modifications will definitely not be persisted for this request. // Defaults to false. DryRun *bool `json:"dryRun,omitempty"` // Options is the operation option structure of the operation being performed. // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be // different than the options the caller provided. e.g. for a patch request the performed // Operation might be a CREATE, in which case the Options will a // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. Options runtime.RawExtension `json:"options,omitempty"` }
AdmissionRequest describes the admission.Attributes for the admission request.
type AdmissionResponse ¶
type AdmissionResponse struct { // UID is an identifier for the individual request/response. // This should be copied over from the corresponding AdmissionRequest. UID types.UID `json:"uid"` // Allowed indicates whether or not the admission request was permitted. Allowed bool `json:"allowed"` // Result contains extra details into why an admission request was denied. // This field IS NOT consulted in any way if "Allowed" is "true". Result *metav1.Status `json:"status,omitempty"` // The patch body. Currently we only support "JSONPatch" which implements RFC 6902. Patch []byte `json:"patch,omitempty"` // The type of Patch. Currently we only allow "JSONPatch". PatchType *string `json:"patchType,omitempty"` // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by // the admission webhook to add additional context to the audit log for this request. AuditAnnotations map[string]string `json:"auditAnnotations,omitempty"` // warnings is a list of warning messages to return to the requesting API client. // Warning messages describe a problem the client making the API request should correct or be aware of. // Limit warnings to 120 characters if possible. // Warnings over 256 characters and large numbers of warnings may be truncated. Warnings []string `json:"warnings,omitempty"` }
AdmissionResponse describes an admission response.
type AdmissionReview ¶
type AdmissionReview struct { // TypeMeta describes an individual object in an API response or request // with strings representing the type of the object and its API schema version. // Structures that are versioned or persisted should inline TypeMeta. metav1.TypeMeta // Request describes the attributes for the admission request. Request *AdmissionRequest `json:"request,omitempty"` // Response describes the attributes for the admission response. Response *AdmissionResponse `json:"response,omitempty"` }
AdmissionReview describes an admission review request/response.
func AdmissionReviewKubeToAdapter ¶
func AdmissionReviewKubeToAdapter(object runtime.Object) (*AdmissionReview, error)
type CLIClient ¶
type CLIClient interface { Client // Revision of the Istio control plane. Revision() string // EnvoyDo makes a http request to the Envoy in the specified pod. EnvoyDo(ctx context.Context, podName, podNamespace, method, path string) ([]byte, error) // EnvoyDoWithPort makes a http request to the Envoy in the specified pod and port. EnvoyDoWithPort(ctx context.Context, podName, podNamespace, method, path string, port int) ([]byte, error) // AllDiscoveryDo makes a http request to each Istio discovery instance. AllDiscoveryDo(ctx context.Context, namespace, path string) (map[string][]byte, error) // GetIstioVersions gets the version for each Istio control plane component. GetIstioVersions(ctx context.Context, namespace string) (*version.MeshInfo, error) // PodsForSelector finds pods matching selector. PodsForSelector(ctx context.Context, namespace string, labelSelectors ...string) (*v1.PodList, error) // GetIstioPods retrieves the pod objects for Istio deployments GetIstioPods(ctx context.Context, namespace string, opts metav1.ListOptions) ([]v1.Pod, error) // GetProxyPods retrieves all the proxy pod objects: sidecar injected pods and gateway pods. GetProxyPods(ctx context.Context, limit int64, token string) (*v1.PodList, error) // PodExecCommands takes a list of commands and the pod data to run the commands in the specified pod. PodExecCommands(podName, podNamespace, container string, commands []string) (stdout string, stderr string, err error) // PodExec takes a command and the pod data to run the command in the specified pod. PodExec(podName, podNamespace, container string, command string) (stdout string, stderr string, err error) // PodLogs retrieves the logs for the given pod. PodLogs(ctx context.Context, podName string, podNamespace string, container string, previousLog bool) (string, error) // PodLogsFollow retrieves the logs for the given pod, following until the pod log stream is interrupted PodLogsFollow(ctx context.Context, podName string, podNamespace string, container string) (string, error) // ServicesForSelector finds services matching selector. ServicesForSelector(ctx context.Context, namespace string, labelSelectors ...string) (*v1.ServiceList, error) // NewPortForwarder creates a new PortForwarder configured for the given pod. If localPort=0, a port will be // dynamically selected. If localAddress is empty, "localhost" is used. NewPortForwarder(podName string, ns string, localAddress string, localPort int, podPort int) (PortForwarder, error) // ApplyYAMLFiles applies the resources in the given YAML files. ApplyYAMLFiles(namespace string, yamlFiles ...string) error // ApplyYAMLContents applies the resources in the given YAML strings. ApplyYAMLContents(namespace string, yamls ...string) error // ApplyYAMLFilesDryRun performs a dry run for applying the resource in the given YAML files ApplyYAMLFilesDryRun(namespace string, yamlFiles ...string) error // DeleteYAMLFiles deletes the resources in the given YAML files. DeleteYAMLFiles(namespace string, yamlFiles ...string) error // DeleteYAMLFilesDryRun performs a dry run for deleting the resources in the given YAML files. DeleteYAMLFilesDryRun(namespace string, yamlFiles ...string) error // CreatePerRPCCredentials creates a gRPC bearer token provider that can create (and renew!) Istio tokens CreatePerRPCCredentials(ctx context.Context, tokenNamespace, tokenServiceAccount string, audiences []string, expirationSeconds int64) (credentials.PerRPCCredentials, error) // UtilFactory returns a kubectl factory UtilFactory() PartialFactory // InvalidateDiscovery invalidates the discovery client, useful after manually changing CRD's InvalidateDiscovery() // DynamicClientFor builds a dynamic client to a resource DynamicClientFor(gvk schema.GroupVersionKind, obj *unstructured.Unstructured, namespace string) (dynamic.ResourceInterface, error) }
CLIClient is an extended client with additional helpers/functionality for Istioctl and testing. CLIClient is not appropriate for controllers, as it does a number of highly privileged or highly risky operations such as `exec`, `port-forward`, etc.
func NewCLIClient ¶
func NewCLIClient(clientConfig clientcmd.ClientConfig, opts ...ClientOption) (CLIClient, error)
NewCLIClient creates a Kubernetes client from the given ClientConfig. The "revision" parameter controls the behavior of GetIstioPods, by selecting a specific revision of the control plane. This is appropriate for use in CLI libraries because it exposes functionality unsafe for in-cluster controllers, and uses standard CLI (kubectl) caching.
func NewFakeClient ¶
NewFakeClient creates a new, fake, client
func SetRevisionForTest ¶
type Client ¶
type Client interface { // RESTConfig returns the Kubernetes rest.Config used to configure the clients. RESTConfig() *rest.Config // Ext returns the API extensions client. Ext() kubeExtClient.Interface // Kube returns the core kube client Kube() kubernetes.Interface // Dynamic client. Dynamic() dynamic.Interface // Metadata returns the Metadata kube client. Metadata() metadata.Interface // Istio returns the Istio kube client. Istio() istioclient.Interface // GatewayAPI returns the gateway-api kube client. GatewayAPI() gatewayapiclient.Interface // Informers returns an informer factory Informers() informerfactory.InformerFactory // CrdWatcher returns the CRD watcher for this client CrdWatcher() kubetypes.CrdWatcher // ObjectFilter returns an object filter that can be used to filter out unwanted objects based on configuration. // This must be set on a client with SetObjectFilter. ObjectFilter() kubetypes.DynamicObjectFilter // RunAndWait starts all informers and waits for their caches to sync. // Warning: this must be called AFTER .Informer() is called, which will register the informer. // "false" is returned if this prematurely exited without syncing. RunAndWait(stop <-chan struct{}) bool // WaitForCacheSync waits for all cache functions to sync, as well as all informers started by the *fake* client. WaitForCacheSync(name string, stop <-chan struct{}, cacheSyncs ...cache.InformerSynced) bool // GetKubernetesVersion returns the Kubernetes server version GetKubernetesVersion() (*kubeVersion.Info, error) // Shutdown closes all informers and waits for them to terminate Shutdown() // ClusterID returns the cluster this client is connected to ClusterID() cluster.ID }
Client is a helper for common Kubernetes client operations. This contains various different kubernetes clients using a shared config. It is expected that all of Istiod can share the same set of clients and informers. Sharing informers is especially important for load on the API server/Istiod itself.
func EnableCrdWatcher ¶
EnableCrdWatcher enables the CRD watcher on the client.
func SetObjectFilter ¶
func SetObjectFilter(c Client, filter kubetypes.DynamicObjectFilter) Client
SetObjectFilter adds an object filter to the client, which can later be returned with client.ObjectFilter()
type ClientOption ¶
ClientOption defines an option for configuring the CLIClient.
func WithCluster ¶
func WithCluster(id cluster.ID) ClientOption
WithCluster creates a ClientOption to set the cluster ID on the CLIClient.
func WithRevision ¶
func WithRevision(revision string) ClientOption
WithRevision creates a ClientOption to set the revision on the CLIClient.
type PartialFactory ¶
type PartialFactory interface { // DynamicClient returns a dynamic client ready for use DynamicClient() (dynamic.Interface, error) // KubernetesClientSet gives you back an external clientset KubernetesClientSet() (*kubernetes.Clientset, error) // Returns a RESTClient for accessing Kubernetes resources or an error. RESTClient() (*rest.RESTClient, error) // contains filtered or unexported methods }
type PortForwarder ¶
type PortForwarder interface { // Start runs this forwarder. Start() error // Address returns the local forwarded address. Only valid while the forwarder is running. Address() string // Close this forwarder and release an resources. Close() // ErrChan returns a channel that returns an error when one is encountered. While Start() may return an initial error, // the port-forward connection may be lost at anytime. The ErrChan can be read to determine if/when the port-forwarding terminates. // This can return nil if the port forwarding stops gracefully. ErrChan() <-chan error // WaitForStop blocks until connection closed (e.g. control-C interrupt) WaitForStop() }
PortForwarder manages the forwarding of a single port.
type PortManager ¶
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package apimirror contains copies of Kubernetes APIs.
|
Package apimirror contains copies of Kubernetes APIs. |
Package informerfactory provides a "factory" to generate informers.
|
Package informerfactory provides a "factory" to generate informers. |
Package inject implements kube-inject or webhoook autoinject feature to inject sidecar.
|
Package inject implements kube-inject or webhoook autoinject feature to inject sidecar. |
Package labels provides utility methods for retrieving Istio-specific labels from Kubernetes resources.
|
Package labels provides utility methods for retrieving Istio-specific labels from Kubernetes resources. |
watcher
|
|