Documentation
Index
- func AdmissionControlReconciler(data *resources.TemplateData) reconciling.NamedConfigMapReconcilerFactory
- func ApiserverInternalAllowReconciler() reconciling.NamedNetworkPolicyReconcilerFactory
- func AuditConfigMapReconciler(data *resources.TemplateData) reconciling.NamedConfigMapReconcilerFactory
- func CABundleReconciler(data caBundleProvider) reconciling.NamedConfigMapReconcilerFactory
- func DNSAllowReconciler(c *kubermaticv1.Cluster, data *resources.TemplateData) reconciling.NamedNetworkPolicyReconcilerFactory
- func DenyAllPolicyReconciler() reconciling.NamedNetworkPolicyReconcilerFactory
- func DeploymentReconciler(data *resources.TemplateData, enableOIDCAuthentication bool) reconciling.NamedDeploymentReconcilerFactory
- func EctdAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
- func EgressSelectorConfigReconciler() reconciling.NamedConfigMapReconcilerFactory
- func EncryptionConfigurationSecretReconciler(data encryptionData) reconciling.NamedSecretReconcilerFactory
- func EncryptionResourcesForDeletion(namespace string) []ctrlruntimeclient.Object
- func EtcdClientCertificateReconciler(data etcdClientCertificateReconcilerData) reconciling.NamedSecretReconcilerFactory
- func FluentBitSecretReconciler(data *resources.TemplateData) reconciling.NamedSecretReconcilerFactory
- func FrontProxyClientCertificateReconciler(data frontProxyClientCertificateReconcilerData) reconciling.NamedSecretReconcilerFactory
- func GetEnvVars(data kubeAPIServerEnvData) ([]corev1.EnvVar, error)
- func IsRunningWrapper(data isRunningInitContainerData, spec corev1.PodSpec, ...) (*corev1.PodSpec, error)
- func KubeletClientCertificateReconciler(data kubeletClientCertificateReconcilerData) reconciling.NamedSecretReconcilerFactory
- func MachineControllerWebhookAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
- func MetricsServerAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
- func OIDCIssuerAllowReconciler(egressIPs []net.IP) reconciling.NamedNetworkPolicyReconcilerFactory
- func OSMWebhookAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
- func OpenVPNServerAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
- func PodDisruptionBudgetReconciler() reconciling.NamedPodDisruptionBudgetReconcilerFactory
- func SeedApiServerAllowReconciler(endpoints []net.IP) reconciling.NamedNetworkPolicyReconcilerFactory
- func ServiceAccountKeyReconciler() reconciling.NamedSecretReconcilerFactory
- func ServiceReconciler(exposeStrategy kubermaticv1.ExposeStrategy, externalURL string) reconciling.NamedServiceReconcilerFactory
- func TLSServingCertificateReconciler(data tlsServingCertReconcilerData) reconciling.NamedSecretReconcilerFactory
- func TokenUsersReconciler(data *resources.TemplateData) reconciling.NamedSecretReconcilerFactory
- func TokenViewerReconciler() reconciling.NamedSecretReconcilerFactory
- func UserClusterWebhookAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
- type AdmissionConfiguration
- type AdmissionPluginConfiguration
- type EventConfiguration
- type EventLimit
Constants
This section is empty.
Variables
This section is empty.
Functions
func AdmissionControlReconciler added in v2.22.0
func AdmissionControlReconciler(data *resources.TemplateData) reconciling.NamedConfigMapReconcilerFactory
func ApiserverInternalAllowReconciler added in v2.21.10
func ApiserverInternalAllowReconciler() reconciling.NamedNetworkPolicyReconcilerFactory
ApiserverInternalAllowReconciler returns a func to create/update the apiserver-internal-allow egress policy. This policy is necessary since konnectivity-server (sidecar to kube-apiserver when konnectivity is enabled) needs to talk to the Kubernetes API to validate tokens coming from konnectivity-agent.
This was previously handled with a policy called cluster-external-addr-allow that allowed connections to the external endpoint, but no reasoning for this design choice could be found in code comments or PR descriptions. Upstream itself uses localhost in an example (see https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/a38752dc9884a1fc1c32652eacb38aed21e4ab25/examples/kubernetes/kubeconfig#L11), so the strong assumption here is that this was never necessary.
func AuditConfigMapReconciler added in v2.22.0
func AuditConfigMapReconciler(data *resources.TemplateData) reconciling.NamedConfigMapReconcilerFactory
func CABundleReconciler added in v2.22.0
func CABundleReconciler(data caBundleProvider) reconciling.NamedConfigMapReconcilerFactory
func DNSAllowReconciler added in v2.22.0
func DNSAllowReconciler(c *kubermaticv1.Cluster, data *resources.TemplateData) reconciling.NamedNetworkPolicyReconcilerFactory
DNSAllowReconciler returns a func to create/update the apiserver DNS allow egress policy.
func DenyAllPolicyReconciler added in v2.22.0
func DenyAllPolicyReconciler() reconciling.NamedNetworkPolicyReconcilerFactory
DenyAllPolicyReconciler returns a func to create/update the apiserver deny-all egress policy.
func DeploymentReconciler added in v2.22.0
func DeploymentReconciler(data *resources.TemplateData, enableOIDCAuthentication bool) reconciling.NamedDeploymentReconcilerFactory
DeploymentReconciler returns the function to create and update the API server deployment.
func EctdAllowReconciler added in v2.22.0
func EctdAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
EctdAllowReconciler returns a func to create/update the apiserver etcd allow egress policy.
func EgressSelectorConfigReconciler added in v2.22.0
func EgressSelectorConfigReconciler() reconciling.NamedConfigMapReconcilerFactory
EgressSelectorConfigReconciler returns a function to create the ConfigMap that contains the egress selection configuration the apiserver needs to work with the konnectivity proxy.
func EncryptionConfigurationSecretReconciler added in v2.22.0
func EncryptionConfigurationSecretReconciler(data encryptionData) reconciling.NamedSecretReconcilerFactory
func EncryptionResourcesForDeletion added in v2.21.0
func EncryptionResourcesForDeletion(namespace string) []ctrlruntimeclient.Object
func EtcdClientCertificateReconciler added in v2.22.0
func EtcdClientCertificateReconciler(data etcdClientCertificateReconcilerData) reconciling.NamedSecretReconcilerFactory
EtcdClientCertificateReconciler returns a function to create/update the secret with the client certificate for authenticating against etcd.
func FluentBitSecretReconciler added in v2.22.0
func FluentBitSecretReconciler(data *resources.TemplateData) reconciling.NamedSecretReconcilerFactory
FluentBitSecretReconciler returns a reconciling.NamedSecretReconcilerFactory for a secret that contains the fluent-bit configuration for the audit-logs sidecar.
func FrontProxyClientCertificateReconciler added in v2.22.0
func FrontProxyClientCertificateReconciler(data frontProxyClientCertificateReconcilerData) reconciling.NamedSecretReconcilerFactory
FrontProxyClientCertificateReconciler returns a function to create/update the secret with the client certificate for authenticating against the extension apiserver.
func GetEnvVars
func GetEnvVars(data kubeAPIServerEnvData) ([]corev1.EnvVar, error)
func IsRunningWrapper
func IsRunningWrapper(data isRunningInitContainerData, spec corev1.PodSpec, containersToWrap sets.Set[string], crdsToWaitFor ...string) (*corev1.PodSpec, error)
IsRunningWrapper wraps the named containers in the pod with a check that the API server is reachable. This is achieved by copying an `http-prober` binary via an init container into an emptyDir volume, then mounting that volume into all named containers and replacing their command with a call to the `http-prober` binary. The http-prober binary receives the original command as a serialized string and does a syscall.Exec onto it once the apiserver has become reachable.
func KubeletClientCertificateReconciler added in v2.22.0
func KubeletClientCertificateReconciler(data kubeletClientCertificateReconcilerData) reconciling.NamedSecretReconcilerFactory
KubeletClientCertificateReconciler returns a function to create/update a secret with the client certificate for the apiserver -> kubelet connection.
func MachineControllerWebhookAllowReconciler added in v2.22.0
func MachineControllerWebhookAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
func MetricsServerAllowReconciler added in v2.22.0
func MetricsServerAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
func OIDCIssuerAllowReconciler added in v2.22.0
func OIDCIssuerAllowReconciler(egressIPs []net.IP) reconciling.NamedNetworkPolicyReconcilerFactory
OIDCIssuerAllowReconciler returns a func to create/update the apiserver oidc-issuer-allow egress policy.
func OSMWebhookAllowReconciler added in v2.22.0
func OSMWebhookAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
func OpenVPNServerAllowReconciler added in v2.22.0
func OpenVPNServerAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
OpenVPNServerAllowReconciler returns a func to create/update the apiserver OpenVPN allow egress policy.
func PodDisruptionBudgetReconciler added in v2.22.0
func PodDisruptionBudgetReconciler() reconciling.NamedPodDisruptionBudgetReconcilerFactory
PodDisruptionBudgetReconciler returns a func to create/update the apiserver PodDisruptionBudget.
func SeedApiServerAllowReconciler added in v2.24.0
func SeedApiServerAllowReconciler(endpoints []net.IP) reconciling.NamedNetworkPolicyReconcilerFactory
func ServiceAccountKeyReconciler added in v2.22.0
func ServiceAccountKeyReconciler() reconciling.NamedSecretReconcilerFactory
ServiceAccountKeyReconciler returns a function to create/update a secret with the ServiceAccount key.
func ServiceReconciler added in v2.22.0
func ServiceReconciler(exposeStrategy kubermaticv1.ExposeStrategy, externalURL string) reconciling.NamedServiceReconcilerFactory
ServiceReconciler returns the function to reconcile the external API server service.
func TLSServingCertificateReconciler added in v2.22.0
func TLSServingCertificateReconciler(data tlsServingCertReconcilerData) reconciling.NamedSecretReconcilerFactory
TLSServingCertificateReconciler returns a function to create/update the secret with the apiserver TLS certificate used to serve HTTPS.
func TokenUsersReconciler added in v2.22.0
func TokenUsersReconciler(data *resources.TemplateData) reconciling.NamedSecretReconcilerFactory
TokenUsersReconciler returns a function to create/update a secret containing the tokens CSV.
func TokenViewerReconciler added in v2.22.0
func TokenViewerReconciler() reconciling.NamedSecretReconcilerFactory
TokenViewerReconciler returns a function to create/update a secret containing the viewer token.
func UserClusterWebhookAllowReconciler added in v2.22.0
func UserClusterWebhookAllowReconciler(c *kubermaticv1.Cluster) reconciling.NamedNetworkPolicyReconcilerFactory
Types
type AdmissionConfiguration
type AdmissionConfiguration struct {
	Kind       string `yaml:"kind,omitempty"`
	APIVersion string `yaml:"apiVersion,omitempty"`
	// Plugins allows specifying a configuration per admission control plugin.
	Plugins []AdmissionPluginConfiguration `yaml:"plugins,omitempty"`
}
AdmissionConfiguration provides versioned configuration for admission controllers.
type AdmissionPluginConfiguration
type AdmissionPluginConfiguration struct {
	// Name is the name of the admission controller.
	// It must match the registered admission plugin name.
	Name string `yaml:"name"`
	// Path is the path to a configuration file that contains the plugin's
	// configuration
	Path string `yaml:"path"`
}
AdmissionPluginConfiguration provides the configuration for a single plug-in.
type EventConfiguration added in v2.19.0
type EventConfiguration struct {
	Kind       string       `yaml:"kind"`
	APIVersion string       `yaml:"apiVersion"`
	Limits     []EventLimit `yaml:"limits"`
}
Source Files
- admission-control.go
- audit.go
- cabundle.go
- deployment.go
- egressselectorconfigmap.go
- encryption.go
- etcd-client-certificate.go
- frontproxy-client-certificate.go
- is-running.go
- kubelet-client-certificate.go
- networkpolicy.go
- pdb.go
- service-account-key.go
- service.go
- tls-serving-certificate.go
- token-users.go