Documentation
¶
Overview ¶
Package filters contains all the http handler chain filters which _are_ api related, i.e. which are prerequisite for the API services to work (in contrast to the filters in the server package which are not part of the API contract).
Index ¶
- func GetAuthorizerAttributes(ctx context.Context) (authorizer.Attributes, error)
- func NoMuxAndDiscoveryIncompleteKey(ctx context.Context) bool
- func Unauthorized(s runtime.NegotiatedSerializer) http.Handler
- func WithAudit(handler http.Handler, sink audit.Sink, policy audit.PolicyRuleEvaluator, ...) http.Handler
- func WithAuditInit(handler http.Handler) http.Handler
- func WithAuthentication(handler http.Handler, auth authenticator.Request, failed http.Handler, ...) http.Handler
- func WithAuthorization(hhandler http.Handler, auth authorizer.Authorizer, ...) http.Handler
- func WithCacheControl(handler http.Handler) http.Handler
- func WithFailedAuthenticationAudit(failedHandler http.Handler, sink audit.Sink, policy audit.PolicyRuleEvaluator) http.Handler
- func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.NegotiatedSerializer) http.Handler
- func WithLatencyTrackers(handler http.Handler) http.Handler
- func WithMuxAndDiscoveryComplete(handler http.Handler, muxAndDiscoveryCompleteSignal <-chan struct{}) http.Handler
- func WithRequestDeadline(handler http.Handler, sink audit.Sink, policy audit.PolicyRuleEvaluator, ...) http.Handler
- func WithRequestInfo(handler http.Handler, resolver request.RequestInfoResolver) http.Handler
- func WithRequestReceivedTimestamp(handler http.Handler) http.Handler
- func WithStorageVersionPrecondition(handler http.Handler, svm storageversion.Manager, ...) http.Handler
- func WithTracing(handler http.Handler, tp trace.TracerProvider) http.Handler
- func WithWarningRecorder(handler http.Handler) http.Handler
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetAuthorizerAttributes ¶
func GetAuthorizerAttributes(ctx context.Context) (authorizer.Attributes, error)
func NoMuxAndDiscoveryIncompleteKey ¶ added in v0.23.0
NoMuxAndDiscoveryIncompleteKey checks if the context contains muxAndDiscoveryIncompleteKey. The presence of the key indicates the request has been made when the HTTP paths weren't installed.
func Unauthorized ¶
func Unauthorized(s runtime.NegotiatedSerializer) http.Handler
func WithAudit ¶
func WithAudit(handler http.Handler, sink audit.Sink, policy audit.PolicyRuleEvaluator, longRunningCheck request.LongRunningRequestCheck) http.Handler
WithAudit decorates a http.Handler with audit logging information for all the requests coming to the server. Audit level is decided according to requests' attributes and audit policy. Logs are emitted to the audit sink to process events. If sink or audit policy is nil, no decoration takes place.
func WithAuditInit ¶ added in v0.26.0
WithAuditInit initializes the audit context and attaches the Audit-ID associated with a request.
a. If the caller does not specify a value for Audit-ID in the request header, we generate a new audit ID b. We echo the Audit-ID value to the caller via the response Header 'Audit-ID'.
func WithAuthentication ¶
func WithAuthentication(handler http.Handler, auth authenticator.Request, failed http.Handler, apiAuds authenticator.Audiences, requestHeaderConfig *authenticatorfactory.RequestHeaderConfig) http.Handler
WithAuthentication creates an http handler that tries to authenticate the given request as a user, and then stores any such user found onto the provided context for the request. If authentication fails or returns an error the failed handler is used. On success, "Authorization" header is removed from the request and handler is invoked to serve the request.
func WithAuthorization ¶
func WithAuthorization(hhandler http.Handler, auth authorizer.Authorizer, s runtime.NegotiatedSerializer) http.Handler
WithAuthorization passes all authorized requests on to handler, and returns a forbidden error otherwise.
func WithCacheControl ¶ added in v0.16.4
WithCacheControl sets the Cache-Control header to "no-cache, private" because all servers are protected by authn/authz. see https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching#defining_optimal_cache-control_policy
func WithFailedAuthenticationAudit ¶
func WithFailedAuthenticationAudit(failedHandler http.Handler, sink audit.Sink, policy audit.PolicyRuleEvaluator) http.Handler
WithFailedAuthenticationAudit decorates a failed http.Handler used in WithAuthentication handler. It is meant to log only failed authentication requests.
func WithImpersonation ¶
func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.NegotiatedSerializer) http.Handler
WithImpersonation is a filter that will inspect and check requests that attempt to change the user.Info for their requests
func WithLatencyTrackers ¶ added in v0.24.0
WithLatencyTrackers adds a LatencyTrackers instance to the context associated with a request so that we can measure latency incurred in various components within the apiserver.
func WithMuxAndDiscoveryComplete ¶ added in v0.23.0
func WithMuxAndDiscoveryComplete(handler http.Handler, muxAndDiscoveryCompleteSignal <-chan struct{}) http.Handler
WithMuxAndDiscoveryComplete puts the muxAndDiscoveryIncompleteKey in the context if a request has been made before muxAndDiscoveryCompleteSignal has been ready. Putting the key protect us from returning a 404 response instead of a 503. It is especially important for controllers like GC and NS since they act on 404s.
The presence of the key is checked in the NotFoundHandler (staging/src/k8s.io/apiserver/pkg/util/notfoundhandler/not_found_handler.go)
The primary reason this filter exists is to protect from a potential race between the client's requests reaching the NotFoundHandler and the server becoming ready. Without the protection key a request could still get a 404 response when the registered signals changed their status just slightly before reaching the new handler. In that case, the presence of the key will make the handler return a 503 instead of a 404.
func WithRequestDeadline ¶ added in v0.21.0
func WithRequestDeadline(handler http.Handler, sink audit.Sink, policy audit.PolicyRuleEvaluator, longRunning request.LongRunningRequestCheck, negotiatedSerializer runtime.NegotiatedSerializer, requestTimeoutMaximum time.Duration) http.Handler
WithRequestDeadline determines the timeout duration applicable to the given request and sets a new context with the appropriate deadline. auditWrapper provides an http.Handler that audits a failed request. longRunning returns true if he given request is a long running request. requestTimeoutMaximum specifies the default request timeout value.
func WithRequestInfo ¶
WithRequestInfo attaches a RequestInfo to the context.
func WithRequestReceivedTimestamp ¶ added in v0.20.0
WithRequestReceivedTimestamp attaches the ReceivedTimestamp (the time the request reached the apiserver) to the context.
func WithStorageVersionPrecondition ¶ added in v0.20.0
func WithStorageVersionPrecondition(handler http.Handler, svm storageversion.Manager, s runtime.NegotiatedSerializer) http.Handler
WithStorageVersionPrecondition checks if the storage version barrier has completed, if not, it only passes the following API requests: 1. non-resource requests, 2. read requests, 3. write requests to the storageversion API, 4. create requests to the namespace API sent by apiserver itself, 5. write requests to the lease API in kube-system namespace, 6. resources whose StorageVersion is not pending update, including non-persisted resources.
func WithTracing ¶ added in v0.22.0
WithTracing adds tracing to requests if the incoming request is sampled
Types ¶
This section is empty.
Source Files