apiserver

package
v2.21.12 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 22, 2023 License: Apache-2.0 Imports: 44 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AdmissionControlCreator 

func AdmissionControlCreator(data *resources.TemplateData) reconciling.NamedConfigMapCreatorGetter

func ApiserverInternalAllowReconciler added in v2.21.10 

func ApiserverInternalAllowReconciler() reconciling.NamedNetworkPolicyCreatorGetter

ApiserverInternalAllowReconciler returns a func to create/update the apiserver-internal-allow egress policy. This policy is necessary since konnectivity-server (sidecar to kube-apiserver when konnectivity is enabled) needs to talk to the Kubernetes API to validate tokens coming from konnectivity-agent.

This was previously handled with a policy called cluster-external-addr-allow that allowed connection to the the external endpoint, but no reasoning for this design choice could be found in code comments or PR descriptions. Upstream itself uses localhost in an example (see https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/a38752dc9884a1fc1c32652eacb38aed21e4ab25/examples/kubernetes/kubeconfig#L11), so the strong assumption here is that this was never necessary.

func AuditConfigMapCreator 

func AuditConfigMapCreator(data *resources.TemplateData) reconciling.NamedConfigMapCreatorGetter

func CABundleCreator added in v2.17.0 

func CABundleCreator(data caBundleProvider) reconciling.NamedConfigMapCreatorGetter

func DNSAllowCreator added in v2.17.4 

func DNSAllowCreator(c *kubermaticv1.Cluster, data *resources.TemplateData) reconciling.NamedNetworkPolicyCreatorGetter

DNSAllowCreator returns a func to create/update the apiserver DNS allow egress policy.

func DenyAllPolicyCreator added in v2.17.4 

func DenyAllPolicyCreator() reconciling.NamedNetworkPolicyCreatorGetter

DenyAllPolicyCreator returns a func to create/update the apiserver deny all egress policy.

func DeploymentCreator 

func DeploymentCreator(data *resources.TemplateData, enableOIDCAuthentication bool) reconciling.NamedDeploymentCreatorGetter

DeploymentCreator returns the function to create and update the API server deployment.

func EctdAllowCreator added in v2.17.4 

func EctdAllowCreator(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyCreatorGetter

EctdAllowCreator returns a func to create/update the apiserver ETCD allow egress policy.

func EgressSelectorConfigCreator added in v2.18.0 

func EgressSelectorConfigCreator() reconciling.NamedConfigMapCreatorGetter

EgressSelectorConfigCreator returns function to create cm that contains egress selection configuration for apiserver to work with konnectivity proxy.

func EncryptionConfigurationSecretCreator added in v2.21.0 

func EncryptionConfigurationSecretCreator(data encryptionData) reconciling.NamedSecretCreatorGetter

func EncryptionResourcesForDeletion added in v2.21.0 

func EncryptionResourcesForDeletion(namespace string) []ctrlruntimeclient.Object

func EtcdClientCertificateCreator 

func EtcdClientCertificateCreator(data etcdClientCertificateCreatorData) reconciling.NamedSecretCreatorGetter

EtcdClientCertificateCreator returns a function to create/update the secret with the client certificate for authenticating against etcd.

func FluentBitSecretCreator added in v2.21.0 

func FluentBitSecretCreator(data *resources.TemplateData) reconciling.NamedSecretCreatorGetter

FluentBitSecretCreator returns a reconciling.NamedSecretCreatorGetter for a secret that contains fluent-bit configuration for the audit-logs sidecar.

func FrontProxyClientCertificateCreator 

func FrontProxyClientCertificateCreator(data frontProxyClientCertificateCreatorData) reconciling.NamedSecretCreatorGetter

FrontProxyClientCertificateCreator returns a function to create/update the secret with the client certificate for authenticating against extension apiserver.

func GetEnvVars 

func GetEnvVars(data kubeAPIServerEnvData) ([]corev1.EnvVar, error)

func IsRunningWrapper 

func IsRunningWrapper(data isRunningInitContainerData, spec corev1.PodSpec, containersToWrap sets.String, crdsToWaitFor ...string) (*corev1.PodSpec, error)

IsRunningWrapper wraps the named containers in the pod with a check if the API server is reachable. This is achieved by copying a `http-prober` binary via an init container into an emptyDir volume, then mounting that volume onto all named containers and replacing the command with a call to the `http-prober` binary. The http prober binary gets the original command as serialized string and does an syscall.Exec onto it once the apiserver became reachable.

func KubeletClientCertificateCreator 

func KubeletClientCertificateCreator(data kubeletClientCertificateCreatorData) reconciling.NamedSecretCreatorGetter

KubeletClientCertificateCreator returns a function to create/update a secret with the client certificate for the apiserver -> kubelet connection.

func MachineControllerWebhookCreator added in v2.17.4 

func MachineControllerWebhookCreator(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyCreatorGetter

func MetricsServerAllowCreator added in v2.17.4 

func MetricsServerAllowCreator(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyCreatorGetter

func OIDCIssuerAllowCreator added in v2.18.3 

func OIDCIssuerAllowCreator(egressIPs []net.IP) reconciling.NamedNetworkPolicyCreatorGetter

OIDCIssuerAllowCreator returns a func to create/update the apiserver oidc-issuer-allow egress policy.

func OpenVPNServerAllowCreator added in v2.17.4 

func OpenVPNServerAllowCreator(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyCreatorGetter

OpenVPNServerAllowCreator returns a func to create/update the apiserver OpenVPN allow egress policy.

func PodDisruptionBudgetCreator 

func PodDisruptionBudgetCreator() reconciling.NamedPodDisruptionBudgetCreatorGetter

PodDisruptionBudgetCreator returns a func to create/update the apiserver PodDisruptionBudget.

func ServiceAccountKeyCreator 

func ServiceAccountKeyCreator() reconciling.NamedSecretCreatorGetter

ServiceAccountKeyCreator returns a function to create/update a secret with the ServiceAccount key.

func ServiceCreator 

func ServiceCreator(exposeStrategy kubermaticv1.ExposeStrategy, externalURL string) reconciling.NamedServiceCreatorGetter

ServiceCreator returns the function to reconcile the external API server service.

func TLSServingCertificateCreator 

func TLSServingCertificateCreator(data tlsServingCertCreatorData) reconciling.NamedSecretCreatorGetter

TLSServingCertificateCreator returns a function to create/update the secret with the apiserver tls certificate used to serve https.

func TokenUsersCreator 

func TokenUsersCreator(data *resources.TemplateData) reconciling.NamedSecretCreatorGetter

TokenUsers returns a secret containing the tokens csv.

func TokenViewerCreator 

func TokenViewerCreator() reconciling.NamedSecretCreatorGetter

TokenViewerCreator returns a secret containing the viewer token.

func UserClusterWebhookCreator added in v2.21.0 

func UserClusterWebhookCreator(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyCreatorGetter

Types

type AdmissionConfiguration 

type AdmissionConfiguration struct {
	Kind string `yaml:"kind,omitempty"`

	APIVersion string `yaml:"apiVersion,omitempty"`

	// Plugins allows specifying a configuration per admission control plugin.
	Plugins []AdmissionPluginConfiguration `yaml:"plugins,omitempty"`
}

AdmissionConfiguration provides versioned configuration for admission controllers.

type AdmissionPluginConfiguration 

type AdmissionPluginConfiguration struct {
	// Name is the name of the admission controller.
	// It must match the registered admission plugin name.
	Name string `yaml:"name"`

	// Path is the path to a configuration file that contains the plugin's
	// configuration
	Path string `yaml:"path"`
}

AdmissionPluginConfiguration provides the configuration for a single plug-in.

type EventConfiguration added in v2.19.0 

type EventConfiguration struct {
	Kind       string       `yaml:"kind"`
	APIVersion string       `yaml:"apiVersion"`
	Limits     []EventLimit `yaml:"limits"`
}

type EventLimit added in v2.19.0 

type EventLimit struct {
	Type      string `yaml:"type"`
	QPS       int32  `yaml:"qps"`
	Burst     int32  `yaml:"burst"`
	CacheSize int32  `yaml:"cacheSize,omitempty"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.