server

package
v0.18.16-rc.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 13, 2021 License: Apache-2.0 Imports: 78 Imported by: 3,496

Documentation

Overview

Package server contains the plumbing to create kubernetes-like API server command.

Index

Constants

View Source
const (
	// DefaultLegacyAPIPrefix is where the legacy APIs will be located.
	DefaultLegacyAPIPrefix = "/api"

	// APIGroupPrefix is where non-legacy API group will be located.
	APIGroupPrefix = "/apis"
)
View Source
const LoopbackClientServerNameOverride = "apiserver-loopback-client"

LoopbackClientServerNameOverride is passed to the apiserver from the loopback client in order to select the loopback certificate via SNI if TLS is used.

Variables

This section is empty.

Functions

func AuthorizeClientBearerToken

func AuthorizeClientBearerToken(loopback *restclient.Config, authn *AuthenticationInfo, authz *AuthorizationInfo)

AuthorizeClientBearerToken wraps the authenticator and authorizer in loopback authentication logic if the loopback client config is specified AND it has a bearer token. Note that if either authn or authz is nil, this function won't add a token authenticator or authorizer.

func DefaultBuildHandlerChain

func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler

func DefaultOpenAPIConfig

func DefaultOpenAPIConfig(getDefinitions openapicommon.GetOpenAPIDefinitions, defNamer *apiopenapi.DefinitionNamer) *openapicommon.Config

func LoopbackHostPort

func LoopbackHostPort(bindAddress string) (string, string, error)

LoopbackHostPort returns the host and port loopback REST clients should use to contact the server.

func NewRequestInfoResolver

func NewRequestInfoResolver(c *Config) *apirequest.RequestInfoFactory

func RegisterAllAdmissionPlugins

func RegisterAllAdmissionPlugins(plugins *admission.Plugins)

RegisterAllAdmissionPlugins registers all admission plugins

func RequestShutdown

func RequestShutdown() bool

RequestShutdown emulates a received event that is considered as shutdown signal (SIGTERM/SIGINT) This returns whether a handler was notified

func RunServer

func RunServer(
	server *http.Server,
	ln net.Listener,
	shutDownTimeout time.Duration,
	stopCh <-chan struct{},
) (<-chan struct{}, error)

RunServer spawns a go-routine continuously serving until the stopCh is closed. It returns a stoppedCh that is closed when all non-hijacked active requests have been processed. This function does not block TODO: make private when insecure serving is gone from the kube-apiserver

func SetupSignalHandler

func SetupSignalHandler() <-chan struct{}

SetupSignalHandler registered for SIGTERM and SIGINT. A stop channel is returned which is closed on one of these signals. If a second signal is caught, the program is terminated with exit code 1.

Types

type APIGroupInfo

type APIGroupInfo struct {
	PrioritizedVersions []schema.GroupVersion
	// Info about the resources in this group. It's a map from version to resource to the storage.
	VersionedResourcesStorageMap map[string]map[string]rest.Storage
	// OptionsExternalVersion controls the APIVersion used for common objects in the
	// schema like api.Status, api.DeleteOptions, and metav1.ListOptions. Other implementors may
	// define a version "v1beta1" but want to use the Kubernetes "v1" internal objects.
	// If nil, defaults to groupMeta.GroupVersion.
	// TODO: Remove this when https://github.com/kubernetes/kubernetes/issues/19018 is fixed.
	OptionsExternalVersion *schema.GroupVersion
	// MetaGroupVersion defaults to "meta.k8s.io/v1" and is the scheme group version used to decode
	// common API implementations like ListOptions. Future changes will allow this to vary by group
	// version (for when the inevitable meta/v2 group emerges).
	MetaGroupVersion *schema.GroupVersion

	// Scheme includes all of the types used by this group and how to convert between them (or
	// to convert objects from outside of this group that are accepted in this API).
	// TODO: replace with interfaces
	Scheme *runtime.Scheme
	// NegotiatedSerializer controls how this group encodes and decodes data
	NegotiatedSerializer runtime.NegotiatedSerializer
	// ParameterCodec performs conversions for query parameters passed to API calls
	ParameterCodec runtime.ParameterCodec

	// StaticOpenAPISpec is the spec derived from the definitions of all resources installed together.
	// It is set during InstallAPIGroups, InstallAPIGroup, and InstallLegacyAPIGroup.
	StaticOpenAPISpec *spec.Swagger
}

Info about an API group.

func NewDefaultAPIGroupInfo

func NewDefaultAPIGroupInfo(group string, scheme *runtime.Scheme, parameterCodec runtime.ParameterCodec, codecs serializer.CodecFactory) APIGroupInfo

NewDefaultAPIGroupInfo returns an APIGroupInfo stubbed with "normal" values exposed for easier composition from other packages

type APIServerHandler

type APIServerHandler struct {
	// FullHandlerChain is the one that is eventually served with.  It should include the full filter
	// chain and then call the Director.
	FullHandlerChain http.Handler
	// The registered APIs.  InstallAPIs uses this.  Other servers probably shouldn't access this directly.
	GoRestfulContainer *restful.Container
	// NonGoRestfulMux is the final HTTP handler in the chain.
	// It comes after all filters and the API handling
	// This is where other servers can attach handler to various parts of the chain.
	NonGoRestfulMux *mux.PathRecorderMux

	// Director is here so that we can properly handle fall through and proxy cases.
	// This looks a bit bonkers, but here's what's happening.  We need to have /apis handling registered in gorestful in order to have
	// swagger generated for compatibility.  Doing that with `/apis` as a webservice, means that it forcibly 404s (no defaulting allowed)
	// all requests which are not /apis or /apis/.  We need those calls to fall through behind goresful for proper delegation.  Trying to
	// register for a pattern which includes everything behind it doesn't work because gorestful negotiates for verbs and content encoding
	// and all those things go crazy when gorestful really just needs to pass through.  In addition, openapi enforces unique verb constraints
	// which we don't fit into and it still muddies up swagger.  Trying to switch the webservices into a route doesn't work because the
	//  containing webservice faces all the same problems listed above.
	// This leads to the crazy thing done here.  Our mux does what we need, so we'll place it in front of gorestful.  It will introspect to
	// decide if the route is likely to be handled by goresful and route there if needed.  Otherwise, it goes to PostGoRestful mux in
	// order to handle "normal" paths and delegation. Hopefully no API consumers will ever have to deal with this level of detail.  I think
	// we should consider completely removing gorestful.
	// Other servers should only use this opaquely to delegate to an API server.
	Director http.Handler
}

APIServerHandlers holds the different http.Handlers used by the API server. This includes the full handler chain, the director (which chooses between gorestful and nonGoRestful, the gorestful handler (used for the API) which falls through to the nonGoRestful handler on unregistered paths, and the nonGoRestful handler (which can contain a fallthrough of its own) FullHandlerChain -> Director -> {GoRestfulContainer,NonGoRestfulMux} based on inspection of registered web services

func NewAPIServerHandler

func NewAPIServerHandler(name string, s runtime.NegotiatedSerializer, handlerChainBuilder HandlerChainBuilderFn, notFoundHandler http.Handler) *APIServerHandler

func (*APIServerHandler) ListedPaths

func (a *APIServerHandler) ListedPaths() []string

ListedPaths returns the paths that should be shown under /

func (*APIServerHandler) ServeHTTP

func (a *APIServerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP makes it an http.Handler

type AuthenticationInfo

type AuthenticationInfo struct {
	// APIAudiences is a list of identifier that the API identifies as. This is
	// used by some authenticators to validate audience bound credentials.
	APIAudiences authenticator.Audiences
	// Authenticator determines which subject is making the request
	Authenticator authenticator.Request
	// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
	// If this is true, a basic auth challenge is returned on authentication failure
	// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
	SupportsBasicAuth bool
}

func (*AuthenticationInfo) ApplyClientCert

func (c *AuthenticationInfo) ApplyClientCert(clientCA dynamiccertificates.CAContentProvider, servingInfo *SecureServingInfo) error

type AuthorizationInfo

type AuthorizationInfo struct {
	// Authorizer determines whether the subject is allowed to make the request based only
	// on the RequestURI
	Authorizer authorizer.Authorizer
}

type CompletedConfig

type CompletedConfig struct {
	// contains filtered or unexported fields
}

func (CompletedConfig) New

func (c CompletedConfig) New(name string, delegationTarget DelegationTarget) (*GenericAPIServer, error)

New creates a new server which logically combines the handling chain with the passed server. name is used to differentiate for logging. The handler chain in particular can be difficult as it starts delgating. delegationTarget may not be nil.

type Config

type Config struct {
	// SecureServing is required to serve https
	SecureServing *SecureServingInfo

	// Authentication is the configuration for authentication
	Authentication AuthenticationInfo

	// Authorization is the configuration for authorization
	Authorization AuthorizationInfo

	// LoopbackClientConfig is a config for a privileged loopback connection to the API server
	// This is required for proper functioning of the PostStartHooks on a GenericAPIServer
	// TODO: move into SecureServing(WithLoopback) as soon as insecure serving is gone
	LoopbackClientConfig *restclient.Config

	// EgressSelector provides a lookup mechanism for dialing outbound connections.
	// It does so based on a EgressSelectorConfiguration which was read at startup.
	EgressSelector *egressselector.EgressSelector

	// RuleResolver is required to get the list of rules that apply to a given user
	// in a given namespace
	RuleResolver authorizer.RuleResolver
	// AdmissionControl performs deep inspection of a given request (including content)
	// to set values and determine whether its allowed
	AdmissionControl      admission.Interface
	CorsAllowedOriginList []string

	// FlowControl, if not nil, gives priority and fairness to request handling
	FlowControl utilflowcontrol.Interface

	EnableIndex     bool
	EnableProfiling bool
	EnableDiscovery bool
	// Requires generic profiling enabled
	EnableContentionProfiling bool
	EnableMetrics             bool

	DisabledPostStartHooks sets.String
	// done values in this values for this map are ignored.
	PostStartHooks map[string]PostStartHookConfigEntry

	// Version will enable the /version endpoint if non-nil
	Version *version.Info
	// AuditBackend is where audit events are sent to.
	AuditBackend audit.Backend
	// AuditPolicyChecker makes the decision of whether and how to audit log a request.
	AuditPolicyChecker auditpolicy.Checker
	// ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger)
	// Will default to a value based on secure serving info and available ipv4 IPs.
	ExternalAddress string

	// BuildHandlerChainFunc allows you to build custom handler chains by decorating the apiHandler.
	BuildHandlerChainFunc func(apiHandler http.Handler, c *Config) (secure http.Handler)
	// HandlerChainWaitGroup allows you to wait for all chain handlers exit after the server shutdown.
	HandlerChainWaitGroup *utilwaitgroup.SafeWaitGroup
	// DiscoveryAddresses is used to build the IPs pass to discovery. If nil, the ExternalAddress is
	// always reported
	DiscoveryAddresses discovery.Addresses
	// The default set of healthz checks. There might be more added via AddHealthChecks dynamically.
	HealthzChecks []healthz.HealthChecker
	// The default set of livez checks. There might be more added via AddHealthChecks dynamically.
	LivezChecks []healthz.HealthChecker
	// The default set of readyz-only checks. There might be more added via AddReadyzChecks dynamically.
	ReadyzChecks []healthz.HealthChecker
	// LegacyAPIGroupPrefixes is used to set up URL parsing for authorization and for validating requests
	// to InstallLegacyAPIGroup. New API servers don't generally have legacy groups at all.
	LegacyAPIGroupPrefixes sets.String
	// RequestInfoResolver is used to assign attributes (used by admission and authorization) based on a request URL.
	// Use-cases that are like kubelets may need to customize this.
	RequestInfoResolver apirequest.RequestInfoResolver
	// Serializer is required and provides the interface for serializing and converting objects to and from the wire
	// The default (api.Codecs) usually works fine.
	Serializer runtime.NegotiatedSerializer
	// OpenAPIConfig will be used in generating OpenAPI spec. This is nil by default. Use DefaultOpenAPIConfig for "working" defaults.
	OpenAPIConfig *openapicommon.Config

	// RESTOptionsGetter is used to construct RESTStorage types via the generic registry.
	RESTOptionsGetter genericregistry.RESTOptionsGetter

	// If specified, all requests except those which match the LongRunningFunc predicate will timeout
	// after this duration.
	RequestTimeout time.Duration
	// If specified, long running requests such as watch will be allocated a random timeout between this value, and
	// twice this value.  Note that it is up to the request handlers to ignore or honor this timeout. In seconds.
	MinRequestTimeout int

	// This represents the maximum amount of time it should take for apiserver to complete its startup
	// sequence and become healthy. From apiserver's start time to when this amount of time has
	// elapsed, /livez will assume that unfinished post-start hooks will complete successfully and
	// therefore return true.
	LivezGracePeriod time.Duration
	// ShutdownDelayDuration allows to block shutdown for some time, e.g. until endpoints pointing to this API server
	// have converged on all node. During this time, the API server keeps serving, /healthz will return 200,
	// but /readyz will return failure.
	ShutdownDelayDuration time.Duration

	// The limit on the total size increase all "copy" operations in a json
	// patch may cause.
	// This affects all places that applies json patch in the binary.
	JSONPatchMaxCopyBytes int64
	// The limit on the request size that would be accepted and decoded in a write request
	// 0 means no limit.
	MaxRequestBodyBytes int64
	// MaxRequestsInFlight is the maximum number of parallel non-long-running requests. Every further
	// request has to wait. Applies only to non-mutating requests.
	MaxRequestsInFlight int
	// MaxMutatingRequestsInFlight is the maximum number of parallel mutating requests. Every further
	// request has to wait.
	MaxMutatingRequestsInFlight int
	// Predicate which is true for paths of long-running http requests
	LongRunningFunc apirequest.LongRunningRequestCheck

	// GoawayChance is the probability that send a GOAWAY to HTTP/2 clients. When client received
	// GOAWAY, the in-flight requests will not be affected and new requests will use
	// a new TCP connection to triggering re-balancing to another server behind the load balance.
	// Default to 0, means never send GOAWAY. Max is 0.02 to prevent break the apiserver.
	GoawayChance float64

	// MergedResourceConfig indicates which groupVersion enabled and its resources enabled/disabled.
	// This is composed of genericapiserver defaultAPIResourceConfig and those parsed from flags.
	// If not specify any in flags, then genericapiserver will only enable defaultAPIResourceConfig.
	MergedResourceConfig *serverstore.ResourceConfig

	// PublicAddress is the IP address where members of the cluster (kubelet,
	// kube-proxy, services, etc.) can reach the GenericAPIServer.
	// If nil or 0.0.0.0, the host's default interface will be used.
	PublicAddress net.IP

	// EquivalentResourceRegistry provides information about resources equivalent to a given resource,
	// and the kind associated with a given resource. As resources are installed, they are registered here.
	EquivalentResourceRegistry runtime.EquivalentResourceRegistry
}

Config is a structure used to configure a GenericAPIServer. Its members are sorted roughly in order of importance for composers.

func NewConfig

func NewConfig(codecs serializer.CodecFactory) *Config

NewConfig returns a Config struct with the default values

func (*Config) AddHealthChecks added in v0.16.4

func (c *Config) AddHealthChecks(healthChecks ...healthz.HealthChecker)

AddHealthChecks adds a health check to our config to be exposed by the health endpoints of our configured apiserver. We should prefer this to adding healthChecks directly to the config unless we explicitly want to add a healthcheck only to a specific health endpoint.

func (*Config) AddPostStartHook added in v0.17.0

func (c *Config) AddPostStartHook(name string, hook PostStartHookFunc) error

AddPostStartHook allows you to add a PostStartHook that will later be added to the server itself in a New call. Name conflicts will cause an error.

func (*Config) AddPostStartHookOrDie added in v0.17.0

func (c *Config) AddPostStartHookOrDie(name string, hook PostStartHookFunc)

AddPostStartHookOrDie allows you to add a PostStartHook, but dies on failure.

func (*Config) Complete

func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedConfig

Complete fills in any fields not set that are required to have valid data and can be derived from other fields. If you're going to `ApplyOptions`, do that first. It's mutating the receiver.

type DelegationTarget

type DelegationTarget interface {
	// UnprotectedHandler returns a handler that is NOT protected by a normal chain
	UnprotectedHandler() http.Handler

	// PostStartHooks returns the post-start hooks that need to be combined
	PostStartHooks() map[string]postStartHookEntry

	// PreShutdownHooks returns the pre-stop hooks that need to be combined
	PreShutdownHooks() map[string]preShutdownHookEntry

	// HealthzChecks returns the healthz checks that need to be combined
	HealthzChecks() []healthz.HealthChecker

	// ListedPaths returns the paths for supporting an index
	ListedPaths() []string

	// NextDelegate returns the next delegationTarget in the chain of delegations
	NextDelegate() DelegationTarget

	// PrepareRun does post API installation setup steps. It calls recursively the same function of the delegates.
	PrepareRun() preparedGenericAPIServer
}

DelegationTarget is an interface which allows for composition of API servers with top level handling that works as expected.

func NewEmptyDelegate

func NewEmptyDelegate() DelegationTarget

type DeprecatedInsecureServingInfo

type DeprecatedInsecureServingInfo struct {
	// Listener is the secure server network listener.
	Listener net.Listener
	// optional server name for log messages
	Name string
}

DeprecatedInsecureServingInfo is the main context object for the insecure http server. HTTP does NOT include authentication or authorization. You shouldn't be using this. It makes sig-auth sad.

func (*DeprecatedInsecureServingInfo) NewLoopbackClientConfig

func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error)

func (*DeprecatedInsecureServingInfo) Serve

func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error

Serve starts an insecure http server with the given handler. It fails only if the initial listen call fails. It does not block.

type GenericAPIServer

type GenericAPIServer struct {

	// LoopbackClientConfig is a config for a privileged loopback connection to the API server
	LoopbackClientConfig *restclient.Config

	// ShutdownTimeout is the timeout used for server shutdown. This specifies the timeout before server
	// gracefully shutdown returns.
	ShutdownTimeout time.Duration

	// SecureServingInfo holds configuration of the TLS server.
	SecureServingInfo *SecureServingInfo

	// ExternalAddress is the address (hostname or IP and port) that should be used in
	// external (public internet) URLs for this GenericAPIServer.
	ExternalAddress string

	// Serializer controls how common API objects not in a group/version prefix are serialized for this server.
	// Individual APIGroups may define their own serializers.
	Serializer runtime.NegotiatedSerializer

	// "Outputs"
	// Handler holds the handlers being used by this API server
	Handler *APIServerHandler

	// DiscoveryGroupManager serves /apis
	DiscoveryGroupManager discovery.GroupManager

	// OpenAPIVersionedService controls the /openapi/v2 endpoint, and can be used to update the served spec.
	// It is set during PrepareRun.
	OpenAPIVersionedService *handler.OpenAPIService

	// StaticOpenAPISpec is the spec derived from the restful container endpoints.
	// It is set during PrepareRun.
	StaticOpenAPISpec *spec.Swagger

	// auditing. The backend is started after the server starts listening.
	AuditBackend audit.Backend

	// Authorizer determines whether a user is allowed to make a certain request. The Handler does a preliminary
	// authorization check using the request URI but it may be necessary to make additional checks, such as in
	// the create-on-update case
	Authorizer authorizer.Authorizer

	// EquivalentResourceRegistry provides information about resources equivalent to a given resource,
	// and the kind associated with a given resource. As resources are installed, they are registered here.
	EquivalentResourceRegistry runtime.EquivalentResourceRegistry

	// HandlerChainWaitGroup allows you to wait for all chain handlers finish after the server shutdown.
	HandlerChainWaitGroup *utilwaitgroup.SafeWaitGroup

	// ShutdownDelayDuration allows to block shutdown for some time, e.g. until endpoints pointing to this API server
	// have converged on all node. During this time, the API server keeps serving, /healthz will return 200,
	// but /readyz will return failure.
	ShutdownDelayDuration time.Duration
	// contains filtered or unexported fields
}

GenericAPIServer contains state for a Kubernetes cluster api server.

func (*GenericAPIServer) AddBootSequenceHealthChecks added in v0.16.4

func (s *GenericAPIServer) AddBootSequenceHealthChecks(checks ...healthz.HealthChecker) error

AddBootSequenceHealthChecks adds health checks to the old healthz endpoint (for backwards compatibility reasons) as well as livez and readyz. The livez grace period is defined by the value of the command-line flag --livez-grace-period; before the grace period elapses, the livez health checks will default to healthy. One may want to set a grace period in order to prevent the kubelet from restarting the kube-apiserver due to long-ish boot sequences. Readyz health checks, on the other hand, have no grace period, since readyz should fail until boot fully completes.

func (*GenericAPIServer) AddHealthChecks added in v0.16.4

func (s *GenericAPIServer) AddHealthChecks(checks ...healthz.HealthChecker) error

AddHealthChecks adds HealthCheck(s) to health endpoints (healthz, livez, readyz) but configures the liveness grace period to be zero, which means we expect this health check to immediately indicate that the apiserver is unhealthy.

func (*GenericAPIServer) AddPostStartHook

func (s *GenericAPIServer) AddPostStartHook(name string, hook PostStartHookFunc) error

AddPostStartHook allows you to add a PostStartHook.

func (*GenericAPIServer) AddPostStartHookOrDie

func (s *GenericAPIServer) AddPostStartHookOrDie(name string, hook PostStartHookFunc)

AddPostStartHookOrDie allows you to add a PostStartHook, but dies on failure

func (*GenericAPIServer) AddPreShutdownHook

func (s *GenericAPIServer) AddPreShutdownHook(name string, hook PreShutdownHookFunc) error

AddPreShutdownHook allows you to add a PreShutdownHook.

func (*GenericAPIServer) AddPreShutdownHookOrDie

func (s *GenericAPIServer) AddPreShutdownHookOrDie(name string, hook PreShutdownHookFunc)

AddPreShutdownHookOrDie allows you to add a PostStartHook, but dies on failure

func (*GenericAPIServer) HealthzChecks

func (s *GenericAPIServer) HealthzChecks() []healthz.HealthChecker

func (*GenericAPIServer) InstallAPIGroup

func (s *GenericAPIServer) InstallAPIGroup(apiGroupInfo *APIGroupInfo) error

Exposes the given api group in the API.

func (*GenericAPIServer) InstallAPIGroups

func (s *GenericAPIServer) InstallAPIGroups(apiGroupInfos ...*APIGroupInfo) error

Exposes given api groups in the API.

func (*GenericAPIServer) InstallLegacyAPIGroup

func (s *GenericAPIServer) InstallLegacyAPIGroup(apiPrefix string, apiGroupInfo *APIGroupInfo) error

func (*GenericAPIServer) ListedPaths

func (s *GenericAPIServer) ListedPaths() []string

func (*GenericAPIServer) NextDelegate

func (s *GenericAPIServer) NextDelegate() DelegationTarget

func (*GenericAPIServer) PostStartHooks

func (s *GenericAPIServer) PostStartHooks() map[string]postStartHookEntry

func (*GenericAPIServer) PreShutdownHooks

func (s *GenericAPIServer) PreShutdownHooks() map[string]preShutdownHookEntry

func (*GenericAPIServer) PrepareRun

func (s *GenericAPIServer) PrepareRun() preparedGenericAPIServer

PrepareRun does post API installation setup steps. It calls recursively the same function of the delegates.

func (*GenericAPIServer) RunPostStartHooks

func (s *GenericAPIServer) RunPostStartHooks(stopCh <-chan struct{})

RunPostStartHooks runs the PostStartHooks for the server

func (*GenericAPIServer) RunPreShutdownHooks

func (s *GenericAPIServer) RunPreShutdownHooks() error

RunPreShutdownHooks runs the PreShutdownHooks for the server

func (*GenericAPIServer) UnprotectedHandler

func (s *GenericAPIServer) UnprotectedHandler() http.Handler

type HandlerChainBuilderFn

type HandlerChainBuilderFn func(apiHandler http.Handler) http.Handler

HandlerChainBuilderFn is used to wrap the GoRestfulContainer handler using the provided handler chain. It is normally used to apply filtering like authentication and authorization

type InsecureSuperuser

type InsecureSuperuser struct{}

InsecureSuperuser implements authenticator.Request to always return a superuser. This is functionally equivalent to skipping authentication and authorization, but allows apiserver code to stop special-casing a nil user to skip authorization checks.

func (InsecureSuperuser) AuthenticateRequest

func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)

type PostStartHookConfigEntry added in v0.17.0

type PostStartHookConfigEntry struct {
	// contains filtered or unexported fields
}

type PostStartHookContext

type PostStartHookContext struct {
	// LoopbackClientConfig is a config for a privileged loopback connection to the API server
	LoopbackClientConfig *restclient.Config
	// StopCh is the channel that will be closed when the server stops
	StopCh <-chan struct{}
}

PostStartHookContext provides information about this API server to a PostStartHookFunc

type PostStartHookFunc

type PostStartHookFunc func(context PostStartHookContext) error

PostStartHookFunc is a function that is called after the server has started. It must properly handle cases like:

  1. asynchronous start in multiple API server processes
  2. conflicts between the different processes all trying to perform the same action
  3. partially complete work (API server crashes while running your hook)
  4. API server access **BEFORE** your hook has completed

Think of it like a mini-controller that is super privileged and gets to run in-process If you use this feature, tag @deads2k on github who has promised to review code for anyone's PostStartHook until it becomes easier to use.

type PostStartHookProvider

type PostStartHookProvider interface {
	PostStartHook() (string, PostStartHookFunc, error)
}

PostStartHookProvider is an interface in addition to provide a post start hook for the api server

type PreShutdownHookFunc

type PreShutdownHookFunc func() error

PreShutdownHookFunc is a function that can be added to the shutdown logic.

type RecommendedConfig

type RecommendedConfig struct {
	Config

	// SharedInformerFactory provides shared informers for Kubernetes resources. This value is set by
	// RecommendedOptions.CoreAPI.ApplyTo called by RecommendedOptions.ApplyTo. It uses an in-cluster client config
	// by default, or the kubeconfig given with kubeconfig command line flag.
	SharedInformerFactory informers.SharedInformerFactory

	// ClientConfig holds the kubernetes client configuration.
	// This value is set by RecommendedOptions.CoreAPI.ApplyTo called by RecommendedOptions.ApplyTo.
	// By default in-cluster client config is used.
	ClientConfig *restclient.Config
}

func NewRecommendedConfig

func NewRecommendedConfig(codecs serializer.CodecFactory) *RecommendedConfig

NewRecommendedConfig returns a RecommendedConfig struct with the default values

func (*RecommendedConfig) Complete

func (c *RecommendedConfig) Complete() CompletedConfig

Complete fills in any fields not set that are required to have valid data and can be derived from other fields. If you're going to `ApplyOptions`, do that first. It's mutating the receiver.

type SecureServingInfo

type SecureServingInfo struct {
	// Listener is the secure server network listener.
	Listener net.Listener

	// Cert is the main server cert which is used if SNI does not match. Cert must be non-nil and is
	// allowed to be in SNICerts.
	Cert dynamiccertificates.CertKeyContentProvider

	// SNICerts are the TLS certificates used for SNI.
	SNICerts []dynamiccertificates.SNICertKeyContentProvider

	// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
	ClientCA dynamiccertificates.CAContentProvider

	// MinTLSVersion optionally overrides the minimum TLS version supported.
	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
	MinTLSVersion uint16

	// CipherSuites optionally overrides the list of allowed cipher suites for the server.
	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
	CipherSuites []uint16

	// HTTP2MaxStreamsPerConnection is the limit that the api server imposes on each client.
	// A value of zero means to use the default provided by golang's HTTP/2 support.
	HTTP2MaxStreamsPerConnection int

	// DisableHTTP2 indicates that http2 should not be enabled.
	DisableHTTP2 bool
}

func (*SecureServingInfo) HostPort

func (s *SecureServingInfo) HostPort() (string, int, error)

func (*SecureServingInfo) NewClientConfig

func (s *SecureServingInfo) NewClientConfig(caCert []byte) (*restclient.Config, error)

func (*SecureServingInfo) NewLoopbackClientConfig

func (s *SecureServingInfo) NewLoopbackClientConfig(token string, loopbackCert []byte) (*restclient.Config, error)

func (*SecureServingInfo) Serve

func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) (<-chan struct{}, error)

Serve runs the secure http server. It fails only if certificates cannot be loaded or the initial listen call fails. The actual server loop (stoppable by closing stopCh) runs in a go routine, i.e. Serve does not block. It returns a stoppedCh that is closed when all non-hijacked active requests have been processed.

Directories

Path Synopsis
Package filters contains all the http handler chain filters which are not api related.
Package filters contains all the http handler chain filters which are not api related.
Package healthz implements basic http server health checking.
Package healthz implements basic http server health checking.
Package httplog contains a helper object and functions to maintain a log along with an http response.
Package httplog contains a helper object and functions to maintain a log along with an http response.
Package mux contains abstractions for http multiplexing of APIs.
Package mux contains abstractions for http multiplexing of APIs.
package options is the public flags and options used by a generic api server.
package options is the public flags and options used by a generic api server.
Package resourceconfig contains the resource config related helper functions.
Package resourceconfig contains the resource config related helper functions.
Package routes holds a collection of optional genericapiserver http handlers.
Package routes holds a collection of optional genericapiserver http handlers.
Package storage contains the plumbing to setup the etcd storage of the apiserver.
Package storage contains the plumbing to setup the etcd storage of the apiserver.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL