v1beta1

package
v0.31.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 23, 2024 License: Apache-2.0 Imports: 8 Imported by: 18

Documentation

Overview

Package v1beta1 is the v1beta1 version of the API.

Index

Constants

View Source
const (
	TypeWebhook                                          AuthorizerType = "Webhook"
	FailurePolicyNoOpinion                               string         = "NoOpinion"
	FailurePolicyDeny                                    string         = "Deny"
	AuthorizationWebhookConnectionInfoTypeKubeConfigFile string         = "KubeConfigFile"
	AuthorizationWebhookConnectionInfoTypeInCluster      string         = "InClusterConfig"
)
View Source
const ConfigGroupName = "apiserver.config.k8s.io"
View Source
const GroupName = "apiserver.k8s.io"

Variables

View Source
var (
	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder runtime.SchemeBuilder

	AddToScheme = localSchemeBuilder.AddToScheme
)
View Source
var ConfigSchemeGroupVersion = schema.GroupVersion{Group: ConfigGroupName, Version: "v1beta1"}

ConfigSchemeGroupVersion is group version used to register these objects

View Source
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}

SchemeGroupVersion is group version used to register these objects

Functions

func Convert_apiserver_AnonymousAuthCondition_To_v1beta1_AnonymousAuthCondition added in v0.31.0

func Convert_apiserver_AnonymousAuthCondition_To_v1beta1_AnonymousAuthCondition(in *apiserver.AnonymousAuthCondition, out *AnonymousAuthCondition, s conversion.Scope) error

Convert_apiserver_AnonymousAuthCondition_To_v1beta1_AnonymousAuthCondition is an autogenerated conversion function.

func Convert_apiserver_AnonymousAuthConfig_To_v1beta1_AnonymousAuthConfig added in v0.31.0

func Convert_apiserver_AnonymousAuthConfig_To_v1beta1_AnonymousAuthConfig(in *apiserver.AnonymousAuthConfig, out *AnonymousAuthConfig, s conversion.Scope) error

Convert_apiserver_AnonymousAuthConfig_To_v1beta1_AnonymousAuthConfig is an autogenerated conversion function.

func Convert_apiserver_AuthenticationConfiguration_To_v1beta1_AuthenticationConfiguration added in v0.30.0

func Convert_apiserver_AuthenticationConfiguration_To_v1beta1_AuthenticationConfiguration(in *apiserver.AuthenticationConfiguration, out *AuthenticationConfiguration, s conversion.Scope) error

Convert_apiserver_AuthenticationConfiguration_To_v1beta1_AuthenticationConfiguration is an autogenerated conversion function.

func Convert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfiguration added in v0.30.0

func Convert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfiguration(in *apiserver.AuthorizationConfiguration, out *AuthorizationConfiguration, s conversion.Scope) error

Convert_apiserver_AuthorizationConfiguration_To_v1beta1_AuthorizationConfiguration is an autogenerated conversion function.

func Convert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration added in v0.30.0

func Convert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error

Convert_apiserver_AuthorizerConfiguration_To_v1beta1_AuthorizerConfiguration is an autogenerated conversion function.

func Convert_apiserver_ClaimMappings_To_v1beta1_ClaimMappings added in v0.30.0

func Convert_apiserver_ClaimMappings_To_v1beta1_ClaimMappings(in *apiserver.ClaimMappings, out *ClaimMappings, s conversion.Scope) error

Convert_apiserver_ClaimMappings_To_v1beta1_ClaimMappings is an autogenerated conversion function.

func Convert_apiserver_ClaimOrExpression_To_v1beta1_ClaimOrExpression added in v0.30.0

func Convert_apiserver_ClaimOrExpression_To_v1beta1_ClaimOrExpression(in *apiserver.ClaimOrExpression, out *ClaimOrExpression, s conversion.Scope) error

Convert_apiserver_ClaimOrExpression_To_v1beta1_ClaimOrExpression is an autogenerated conversion function.

func Convert_apiserver_ClaimValidationRule_To_v1beta1_ClaimValidationRule added in v0.30.0

func Convert_apiserver_ClaimValidationRule_To_v1beta1_ClaimValidationRule(in *apiserver.ClaimValidationRule, out *ClaimValidationRule, s conversion.Scope) error

Convert_apiserver_ClaimValidationRule_To_v1beta1_ClaimValidationRule is an autogenerated conversion function.

func Convert_apiserver_Connection_To_v1beta1_Connection

func Convert_apiserver_Connection_To_v1beta1_Connection(in *apiserver.Connection, out *Connection, s conversion.Scope) error

Convert_apiserver_Connection_To_v1beta1_Connection is an autogenerated conversion function.

func Convert_apiserver_EgressSelection_To_v1beta1_EgressSelection

func Convert_apiserver_EgressSelection_To_v1beta1_EgressSelection(in *apiserver.EgressSelection, out *EgressSelection, s conversion.Scope) error

Convert_apiserver_EgressSelection_To_v1beta1_EgressSelection is an autogenerated conversion function.

func Convert_apiserver_EgressSelectorConfiguration_To_v1beta1_EgressSelectorConfiguration

func Convert_apiserver_EgressSelectorConfiguration_To_v1beta1_EgressSelectorConfiguration(in *apiserver.EgressSelectorConfiguration, out *EgressSelectorConfiguration, s conversion.Scope) error

Convert_apiserver_EgressSelectorConfiguration_To_v1beta1_EgressSelectorConfiguration is an autogenerated conversion function.

func Convert_apiserver_ExtraMapping_To_v1beta1_ExtraMapping added in v0.30.0

func Convert_apiserver_ExtraMapping_To_v1beta1_ExtraMapping(in *apiserver.ExtraMapping, out *ExtraMapping, s conversion.Scope) error

Convert_apiserver_ExtraMapping_To_v1beta1_ExtraMapping is an autogenerated conversion function.

func Convert_apiserver_Issuer_To_v1beta1_Issuer added in v0.30.0

func Convert_apiserver_Issuer_To_v1beta1_Issuer(in *apiserver.Issuer, out *Issuer, s conversion.Scope) error

Convert_apiserver_Issuer_To_v1beta1_Issuer is an autogenerated conversion function.

func Convert_apiserver_JWTAuthenticator_To_v1beta1_JWTAuthenticator added in v0.30.0

func Convert_apiserver_JWTAuthenticator_To_v1beta1_JWTAuthenticator(in *apiserver.JWTAuthenticator, out *JWTAuthenticator, s conversion.Scope) error

Convert_apiserver_JWTAuthenticator_To_v1beta1_JWTAuthenticator is an autogenerated conversion function.

func Convert_apiserver_PrefixedClaimOrExpression_To_v1beta1_PrefixedClaimOrExpression added in v0.30.0

func Convert_apiserver_PrefixedClaimOrExpression_To_v1beta1_PrefixedClaimOrExpression(in *apiserver.PrefixedClaimOrExpression, out *PrefixedClaimOrExpression, s conversion.Scope) error

Convert_apiserver_PrefixedClaimOrExpression_To_v1beta1_PrefixedClaimOrExpression is an autogenerated conversion function.

func Convert_apiserver_TCPTransport_To_v1beta1_TCPTransport

func Convert_apiserver_TCPTransport_To_v1beta1_TCPTransport(in *apiserver.TCPTransport, out *TCPTransport, s conversion.Scope) error

Convert_apiserver_TCPTransport_To_v1beta1_TCPTransport is an autogenerated conversion function.

func Convert_apiserver_TLSConfig_To_v1beta1_TLSConfig

func Convert_apiserver_TLSConfig_To_v1beta1_TLSConfig(in *apiserver.TLSConfig, out *TLSConfig, s conversion.Scope) error

Convert_apiserver_TLSConfig_To_v1beta1_TLSConfig is an autogenerated conversion function.

func Convert_apiserver_TracingConfiguration_To_v1beta1_TracingConfiguration added in v0.27.0

func Convert_apiserver_TracingConfiguration_To_v1beta1_TracingConfiguration(in *apiserver.TracingConfiguration, out *TracingConfiguration, s conversion.Scope) error

Convert_apiserver_TracingConfiguration_To_v1beta1_TracingConfiguration is an autogenerated conversion function.

func Convert_apiserver_Transport_To_v1beta1_Transport

func Convert_apiserver_Transport_To_v1beta1_Transport(in *apiserver.Transport, out *Transport, s conversion.Scope) error

Convert_apiserver_Transport_To_v1beta1_Transport is an autogenerated conversion function.

func Convert_apiserver_UDSTransport_To_v1beta1_UDSTransport

func Convert_apiserver_UDSTransport_To_v1beta1_UDSTransport(in *apiserver.UDSTransport, out *UDSTransport, s conversion.Scope) error

Convert_apiserver_UDSTransport_To_v1beta1_UDSTransport is an autogenerated conversion function.

func Convert_apiserver_UserValidationRule_To_v1beta1_UserValidationRule added in v0.30.0

func Convert_apiserver_UserValidationRule_To_v1beta1_UserValidationRule(in *apiserver.UserValidationRule, out *UserValidationRule, s conversion.Scope) error

Convert_apiserver_UserValidationRule_To_v1beta1_UserValidationRule is an autogenerated conversion function.

func Convert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration added in v0.30.0

func Convert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error

Convert_apiserver_WebhookConfiguration_To_v1beta1_WebhookConfiguration is an autogenerated conversion function.

func Convert_apiserver_WebhookConnectionInfo_To_v1beta1_WebhookConnectionInfo added in v0.30.0

func Convert_apiserver_WebhookConnectionInfo_To_v1beta1_WebhookConnectionInfo(in *apiserver.WebhookConnectionInfo, out *WebhookConnectionInfo, s conversion.Scope) error

Convert_apiserver_WebhookConnectionInfo_To_v1beta1_WebhookConnectionInfo is an autogenerated conversion function.

func Convert_apiserver_WebhookMatchCondition_To_v1beta1_WebhookMatchCondition added in v0.30.0

func Convert_apiserver_WebhookMatchCondition_To_v1beta1_WebhookMatchCondition(in *apiserver.WebhookMatchCondition, out *WebhookMatchCondition, s conversion.Scope) error

Convert_apiserver_WebhookMatchCondition_To_v1beta1_WebhookMatchCondition is an autogenerated conversion function.

func Convert_v1beta1_AnonymousAuthCondition_To_apiserver_AnonymousAuthCondition added in v0.31.0

func Convert_v1beta1_AnonymousAuthCondition_To_apiserver_AnonymousAuthCondition(in *AnonymousAuthCondition, out *apiserver.AnonymousAuthCondition, s conversion.Scope) error

Convert_v1beta1_AnonymousAuthCondition_To_apiserver_AnonymousAuthCondition is an autogenerated conversion function.

func Convert_v1beta1_AnonymousAuthConfig_To_apiserver_AnonymousAuthConfig added in v0.31.0

func Convert_v1beta1_AnonymousAuthConfig_To_apiserver_AnonymousAuthConfig(in *AnonymousAuthConfig, out *apiserver.AnonymousAuthConfig, s conversion.Scope) error

Convert_v1beta1_AnonymousAuthConfig_To_apiserver_AnonymousAuthConfig is an autogenerated conversion function.

func Convert_v1beta1_AuthenticationConfiguration_To_apiserver_AuthenticationConfiguration added in v0.30.0

func Convert_v1beta1_AuthenticationConfiguration_To_apiserver_AuthenticationConfiguration(in *AuthenticationConfiguration, out *apiserver.AuthenticationConfiguration, s conversion.Scope) error

Convert_v1beta1_AuthenticationConfiguration_To_apiserver_AuthenticationConfiguration is an autogenerated conversion function.

func Convert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration added in v0.30.0

func Convert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration(in *AuthorizationConfiguration, out *apiserver.AuthorizationConfiguration, s conversion.Scope) error

Convert_v1beta1_AuthorizationConfiguration_To_apiserver_AuthorizationConfiguration is an autogenerated conversion function.

func Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration added in v0.30.0

func Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error

Convert_v1beta1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration is an autogenerated conversion function.

func Convert_v1beta1_ClaimMappings_To_apiserver_ClaimMappings added in v0.30.0

func Convert_v1beta1_ClaimMappings_To_apiserver_ClaimMappings(in *ClaimMappings, out *apiserver.ClaimMappings, s conversion.Scope) error

Convert_v1beta1_ClaimMappings_To_apiserver_ClaimMappings is an autogenerated conversion function.

func Convert_v1beta1_ClaimOrExpression_To_apiserver_ClaimOrExpression added in v0.30.0

func Convert_v1beta1_ClaimOrExpression_To_apiserver_ClaimOrExpression(in *ClaimOrExpression, out *apiserver.ClaimOrExpression, s conversion.Scope) error

Convert_v1beta1_ClaimOrExpression_To_apiserver_ClaimOrExpression is an autogenerated conversion function.

func Convert_v1beta1_ClaimValidationRule_To_apiserver_ClaimValidationRule added in v0.30.0

func Convert_v1beta1_ClaimValidationRule_To_apiserver_ClaimValidationRule(in *ClaimValidationRule, out *apiserver.ClaimValidationRule, s conversion.Scope) error

Convert_v1beta1_ClaimValidationRule_To_apiserver_ClaimValidationRule is an autogenerated conversion function.

func Convert_v1beta1_Connection_To_apiserver_Connection

func Convert_v1beta1_Connection_To_apiserver_Connection(in *Connection, out *apiserver.Connection, s conversion.Scope) error

Convert_v1beta1_Connection_To_apiserver_Connection is an autogenerated conversion function.

func Convert_v1beta1_EgressSelection_To_apiserver_EgressSelection

func Convert_v1beta1_EgressSelection_To_apiserver_EgressSelection(in *EgressSelection, out *apiserver.EgressSelection, s conversion.Scope) error

func Convert_v1beta1_EgressSelectorConfiguration_To_apiserver_EgressSelectorConfiguration

func Convert_v1beta1_EgressSelectorConfiguration_To_apiserver_EgressSelectorConfiguration(in *EgressSelectorConfiguration, out *apiserver.EgressSelectorConfiguration, s conversion.Scope) error

Convert_v1beta1_EgressSelectorConfiguration_To_apiserver_EgressSelectorConfiguration is an autogenerated conversion function.

func Convert_v1beta1_ExtraMapping_To_apiserver_ExtraMapping added in v0.30.0

func Convert_v1beta1_ExtraMapping_To_apiserver_ExtraMapping(in *ExtraMapping, out *apiserver.ExtraMapping, s conversion.Scope) error

Convert_v1beta1_ExtraMapping_To_apiserver_ExtraMapping is an autogenerated conversion function.

func Convert_v1beta1_Issuer_To_apiserver_Issuer added in v0.30.0

func Convert_v1beta1_Issuer_To_apiserver_Issuer(in *Issuer, out *apiserver.Issuer, s conversion.Scope) error

Convert_v1beta1_Issuer_To_apiserver_Issuer is an autogenerated conversion function.

func Convert_v1beta1_JWTAuthenticator_To_apiserver_JWTAuthenticator added in v0.30.0

func Convert_v1beta1_JWTAuthenticator_To_apiserver_JWTAuthenticator(in *JWTAuthenticator, out *apiserver.JWTAuthenticator, s conversion.Scope) error

Convert_v1beta1_JWTAuthenticator_To_apiserver_JWTAuthenticator is an autogenerated conversion function.

func Convert_v1beta1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression added in v0.30.0

func Convert_v1beta1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression(in *PrefixedClaimOrExpression, out *apiserver.PrefixedClaimOrExpression, s conversion.Scope) error

Convert_v1beta1_PrefixedClaimOrExpression_To_apiserver_PrefixedClaimOrExpression is an autogenerated conversion function.

func Convert_v1beta1_TCPTransport_To_apiserver_TCPTransport

func Convert_v1beta1_TCPTransport_To_apiserver_TCPTransport(in *TCPTransport, out *apiserver.TCPTransport, s conversion.Scope) error

Convert_v1beta1_TCPTransport_To_apiserver_TCPTransport is an autogenerated conversion function.

func Convert_v1beta1_TLSConfig_To_apiserver_TLSConfig

func Convert_v1beta1_TLSConfig_To_apiserver_TLSConfig(in *TLSConfig, out *apiserver.TLSConfig, s conversion.Scope) error

Convert_v1beta1_TLSConfig_To_apiserver_TLSConfig is an autogenerated conversion function.

func Convert_v1beta1_TracingConfiguration_To_apiserver_TracingConfiguration added in v0.27.0

func Convert_v1beta1_TracingConfiguration_To_apiserver_TracingConfiguration(in *TracingConfiguration, out *apiserver.TracingConfiguration, s conversion.Scope) error

Convert_v1beta1_TracingConfiguration_To_apiserver_TracingConfiguration is an autogenerated conversion function.

func Convert_v1beta1_Transport_To_apiserver_Transport

func Convert_v1beta1_Transport_To_apiserver_Transport(in *Transport, out *apiserver.Transport, s conversion.Scope) error

Convert_v1beta1_Transport_To_apiserver_Transport is an autogenerated conversion function.

func Convert_v1beta1_UDSTransport_To_apiserver_UDSTransport

func Convert_v1beta1_UDSTransport_To_apiserver_UDSTransport(in *UDSTransport, out *apiserver.UDSTransport, s conversion.Scope) error

Convert_v1beta1_UDSTransport_To_apiserver_UDSTransport is an autogenerated conversion function.

func Convert_v1beta1_UserValidationRule_To_apiserver_UserValidationRule added in v0.30.0

func Convert_v1beta1_UserValidationRule_To_apiserver_UserValidationRule(in *UserValidationRule, out *apiserver.UserValidationRule, s conversion.Scope) error

Convert_v1beta1_UserValidationRule_To_apiserver_UserValidationRule is an autogenerated conversion function.

func Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration added in v0.30.0

func Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error

Convert_v1beta1_WebhookConfiguration_To_apiserver_WebhookConfiguration is an autogenerated conversion function.

func Convert_v1beta1_WebhookConnectionInfo_To_apiserver_WebhookConnectionInfo added in v0.30.0

func Convert_v1beta1_WebhookConnectionInfo_To_apiserver_WebhookConnectionInfo(in *WebhookConnectionInfo, out *apiserver.WebhookConnectionInfo, s conversion.Scope) error

Convert_v1beta1_WebhookConnectionInfo_To_apiserver_WebhookConnectionInfo is an autogenerated conversion function.

func Convert_v1beta1_WebhookMatchCondition_To_apiserver_WebhookMatchCondition added in v0.30.0

func Convert_v1beta1_WebhookMatchCondition_To_apiserver_WebhookMatchCondition(in *WebhookMatchCondition, out *apiserver.WebhookMatchCondition, s conversion.Scope) error

Convert_v1beta1_WebhookMatchCondition_To_apiserver_WebhookMatchCondition is an autogenerated conversion function.

func RegisterConversions

func RegisterConversions(s *runtime.Scheme) error

RegisterConversions adds conversion functions to the given scheme. Public to allow building arbitrary schemes.

func RegisterDefaults

func RegisterDefaults(scheme *runtime.Scheme) error

RegisterDefaults adds defaulters functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering - they call all nested defaulters.

func SetDefaults_WebhookConfiguration added in v0.30.0

func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration)

func SetObjectDefaults_AuthorizationConfiguration added in v0.30.0

func SetObjectDefaults_AuthorizationConfiguration(in *AuthorizationConfiguration)

Types

type AnonymousAuthCondition added in v0.31.0

type AnonymousAuthCondition struct {
	// Path for which anonymous auth is enabled.
	Path string `json:"path"`
}

AnonymousAuthCondition describes the condition under which anonymous auth should be enabled.

func (*AnonymousAuthCondition) DeepCopy added in v0.31.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnonymousAuthCondition.

func (*AnonymousAuthCondition) DeepCopyInto added in v0.31.0

func (in *AnonymousAuthCondition) DeepCopyInto(out *AnonymousAuthCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AnonymousAuthConfig added in v0.31.0

type AnonymousAuthConfig struct {
	Enabled bool `json:"enabled"`

	// If set, anonymous auth is only allowed if the request meets one of the
	// conditions.
	Conditions []AnonymousAuthCondition `json:"conditions,omitempty"`
}

AnonymousAuthConfig provides the configuration for the anonymous authenticator.

func (*AnonymousAuthConfig) DeepCopy added in v0.31.0

func (in *AnonymousAuthConfig) DeepCopy() *AnonymousAuthConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnonymousAuthConfig.

func (*AnonymousAuthConfig) DeepCopyInto added in v0.31.0

func (in *AnonymousAuthConfig) DeepCopyInto(out *AnonymousAuthConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AudienceMatchPolicyType added in v0.30.0

type AudienceMatchPolicyType string

AudienceMatchPolicyType is a set of valid values for issuer.audienceMatchPolicy

const (
	// MatchAny means the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field.
	AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny"
)

Valid types for AudienceMatchPolicyType

type AuthenticationConfiguration added in v0.30.0

type AuthenticationConfiguration struct {
	metav1.TypeMeta

	// jwt is a list of authenticator to authenticate Kubernetes users using
	// JWT compliant tokens. The authenticator will attempt to parse a raw ID token,
	// verify it's been signed by the configured issuer. The public key to verify the
	// signature is discovered from the issuer's public endpoint using OIDC discovery.
	// For an incoming token, each JWT authenticator will be attempted in
	// the order in which it is specified in this list.  Note however that
	// other authenticators may run before or after the JWT authenticators.
	// The specific position of JWT authenticators in relation to other
	// authenticators is neither defined nor stable across releases.  Since
	// each JWT authenticator must have a unique issuer URL, at most one
	// JWT authenticator will attempt to cryptographically validate the token.
	//
	// The minimum valid JWT payload must contain the following claims:
	// {
	//		"iss": "https://issuer.example.com",
	//		"aud": ["audience"],
	//		"exp": 1234567890,
	//		"<username claim>": "username"
	// }
	JWT []JWTAuthenticator `json:"jwt"`

	// If present --anonymous-auth must not be set
	Anonymous *AnonymousAuthConfig `json:"anonymous,omitempty"`
}

AuthenticationConfiguration provides versioned configuration for authentication.

func (*AuthenticationConfiguration) DeepCopy added in v0.30.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationConfiguration.

func (*AuthenticationConfiguration) DeepCopyInto added in v0.30.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthenticationConfiguration) DeepCopyObject added in v0.30.0

func (in *AuthenticationConfiguration) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AuthorizationConfiguration added in v0.30.0

type AuthorizationConfiguration struct {
	metav1.TypeMeta

	// Authorizers is an ordered list of authorizers to
	// authorize requests against.
	// This is similar to the --authorization-modes kube-apiserver flag
	// Must be at least one.
	Authorizers []AuthorizerConfiguration `json:"authorizers"`
}

func (*AuthorizationConfiguration) DeepCopy added in v0.30.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationConfiguration.

func (*AuthorizationConfiguration) DeepCopyInto added in v0.30.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthorizationConfiguration) DeepCopyObject added in v0.30.0

func (in *AuthorizationConfiguration) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AuthorizerConfiguration added in v0.30.0

type AuthorizerConfiguration struct {
	// Type refers to the type of the authorizer
	// "Webhook" is supported in the generic API server
	// Other API servers may support additional authorizer
	// types like Node, RBAC, ABAC, etc.
	Type string `json:"type"`

	// Name used to describe the webhook
	// This is explicitly used in monitoring machinery for metrics
	// Note: Names must be DNS1123 labels like `myauthorizername` or
	//		 subdomains like `myauthorizer.example.domain`
	// Required, with no default
	Name string `json:"name"`

	// Webhook defines the configuration for a Webhook authorizer
	// Must be defined when Type=Webhook
	// Must not be defined when Type!=Webhook
	Webhook *WebhookConfiguration `json:"webhook,omitempty"`
}

func (*AuthorizerConfiguration) DeepCopy added in v0.30.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizerConfiguration.

func (*AuthorizerConfiguration) DeepCopyInto added in v0.30.0

func (in *AuthorizerConfiguration) DeepCopyInto(out *AuthorizerConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthorizerType added in v0.30.0

type AuthorizerType string

type ClaimMappings added in v0.30.0

type ClaimMappings struct {
	// username represents an option for the username attribute.
	// The claim's value must be a singular string.
	// Same as the --oidc-username-claim and --oidc-username-prefix flags.
	// If username.expression is set, the expression must produce a string value.
	// If username.expression uses 'claims.email', then 'claims.email_verified' must be used in
	// username.expression or extra[*].valueExpression or claimValidationRules[*].expression.
	// An example claim validation rule expression that matches the validation automatically
	// applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true)'.
	//
	// In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set,
	// the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly.
	// For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config.
	// For prefix:
	//     (1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config,
	//         set username.prefix=""
	//     (2) --oidc-username-prefix="" and  --oidc-username-claim != "email", prefix was "<value of --oidc-issuer-url>#". For the same
	//         behavior using authentication config, set username.prefix="<value of issuer.url>#"
	//     (3) --oidc-username-prefix="<value>". For the same behavior using authentication config, set username.prefix="<value>"
	// +required
	Username PrefixedClaimOrExpression `json:"username"`
	// groups represents an option for the groups attribute.
	// The claim's value must be a string or string array claim.
	// If groups.claim is set, the prefix must be specified (and can be the empty string).
	// If groups.expression is set, the expression must produce a string or string array value.
	//  "", [], and null values are treated as the group mapping not being present.
	// +optional
	Groups PrefixedClaimOrExpression `json:"groups,omitempty"`

	// uid represents an option for the uid attribute.
	// Claim must be a singular string claim.
	// If uid.expression is set, the expression must produce a string value.
	// +optional
	UID ClaimOrExpression `json:"uid"`

	// extra represents an option for the extra attribute.
	// expression must produce a string or string array value.
	// If the value is empty, the extra mapping will not be present.
	//
	// hard-coded extra key/value
	// - key: "foo"
	//   valueExpression: "'bar'"
	// This will result in an extra attribute - foo: ["bar"]
	//
	// hard-coded key, value copying claim value
	// - key: "foo"
	//   valueExpression: "claims.some_claim"
	// This will result in an extra attribute - foo: [value of some_claim]
	//
	// hard-coded key, value derived from claim value
	// - key: "admin"
	//   valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
	// This will result in:
	//  - if is_admin claim is present and true, extra attribute - admin: ["true"]
	//  - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
	//
	// +optional
	Extra []ExtraMapping `json:"extra,omitempty"`
}

ClaimMappings provides the configuration for claim mapping

func (*ClaimMappings) DeepCopy added in v0.30.0

func (in *ClaimMappings) DeepCopy() *ClaimMappings

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimMappings.

func (*ClaimMappings) DeepCopyInto added in v0.30.0

func (in *ClaimMappings) DeepCopyInto(out *ClaimMappings)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClaimOrExpression added in v0.30.0

type ClaimOrExpression struct {
	// claim is the JWT claim to use.
	// Either claim or expression must be set.
	// Mutually exclusive with expression.
	// +optional
	Claim string `json:"claim,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim.
	// +optional
	Expression string `json:"expression,omitempty"`
}

ClaimOrExpression provides the configuration for a single claim or expression.

func (*ClaimOrExpression) DeepCopy added in v0.30.0

func (in *ClaimOrExpression) DeepCopy() *ClaimOrExpression

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimOrExpression.

func (*ClaimOrExpression) DeepCopyInto added in v0.30.0

func (in *ClaimOrExpression) DeepCopyInto(out *ClaimOrExpression)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClaimValidationRule added in v0.30.0

type ClaimValidationRule struct {
	// claim is the name of a required claim.
	// Same as --oidc-required-claim flag.
	// Only string claim keys are supported.
	// Mutually exclusive with expression and message.
	// +optional
	Claim string `json:"claim,omitempty"`
	// requiredValue is the value of a required claim.
	// Same as --oidc-required-claim flag.
	// Only string claim values are supported.
	// If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
	// Mutually exclusive with expression and message.
	// +optional
	RequiredValue string `json:"requiredValue,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	// Must produce a boolean.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
	// Must return true for the validation to pass.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim and requiredValue.
	// +optional
	Expression string `json:"expression,omitempty"`
	// message customizes the returned error message when expression returns false.
	// message is a literal string.
	// Mutually exclusive with claim and requiredValue.
	// +optional
	Message string `json:"message,omitempty"`
}

ClaimValidationRule provides the configuration for a single claim validation rule.

func (*ClaimValidationRule) DeepCopy added in v0.30.0

func (in *ClaimValidationRule) DeepCopy() *ClaimValidationRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimValidationRule.

func (*ClaimValidationRule) DeepCopyInto added in v0.30.0

func (in *ClaimValidationRule) DeepCopyInto(out *ClaimValidationRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Connection

type Connection struct {
	// Protocol is the protocol used to connect from client to the konnectivity server.
	ProxyProtocol ProtocolType `json:"proxyProtocol,omitempty"`

	// Transport defines the transport configurations we use to dial to the konnectivity server.
	// This is required if ProxyProtocol is HTTPConnect or GRPC.
	// +optional
	Transport *Transport `json:"transport,omitempty"`
}

Connection provides the configuration for a single egress selection client.

func (*Connection) DeepCopy

func (in *Connection) DeepCopy() *Connection

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Connection.

func (*Connection) DeepCopyInto

func (in *Connection) DeepCopyInto(out *Connection)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EgressSelection

type EgressSelection struct {
	// name is the name of the egress selection.
	// Currently supported values are "controlplane", "master", "etcd" and "cluster"
	// The "master" egress selector is deprecated in favor of "controlplane"
	Name string `json:"name"`

	// connection is the exact information used to configure the egress selection
	Connection Connection `json:"connection"`
}

EgressSelection provides the configuration for a single egress selection client.

func (*EgressSelection) DeepCopy

func (in *EgressSelection) DeepCopy() *EgressSelection

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressSelection.

func (*EgressSelection) DeepCopyInto

func (in *EgressSelection) DeepCopyInto(out *EgressSelection)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EgressSelectorConfiguration

type EgressSelectorConfiguration struct {
	metav1.TypeMeta `json:",inline"`

	// connectionServices contains a list of egress selection client configurations
	EgressSelections []EgressSelection `json:"egressSelections"`
}

EgressSelectorConfiguration provides versioned configuration for egress selector clients.

func (*EgressSelectorConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressSelectorConfiguration.

func (*EgressSelectorConfiguration) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*EgressSelectorConfiguration) DeepCopyObject

func (in *EgressSelectorConfiguration) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ExtraMapping added in v0.30.0

type ExtraMapping struct {
	// key is a string to use as the extra attribute key.
	// key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
	// subdomain as defined by RFC 1123. All characters trailing the first "/" must
	// be valid HTTP Path characters as defined by RFC 3986.
	// key must be lowercase.
	// Required to be unique.
	// +required
	Key string `json:"key"`

	// valueExpression is a CEL expression to extract extra attribute value.
	// valueExpression must produce a string or string array value.
	// "", [], and null values are treated as the extra mapping not being present.
	// Empty string values contained within a string array are filtered out.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// +required
	ValueExpression string `json:"valueExpression"`
}

ExtraMapping provides the configuration for a single extra mapping.

func (*ExtraMapping) DeepCopy added in v0.30.0

func (in *ExtraMapping) DeepCopy() *ExtraMapping

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraMapping.

func (*ExtraMapping) DeepCopyInto added in v0.30.0

func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Issuer added in v0.30.0

type Issuer struct {
	// url points to the issuer URL in a format https://url or https://url/path.
	// This must match the "iss" claim in the presented JWT, and the issuer returned from discovery.
	// Same value as the --oidc-issuer-url flag.
	// Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL.
	// Required to be unique across all JWT authenticators.
	// Note that egress selection configuration is not used for this network connection.
	// +required
	URL string `json:"url"`

	// discoveryURL, if specified, overrides the URL used to fetch discovery
	// information instead of using "{url}/.well-known/openid-configuration".
	// The exact value specified is used, so "/.well-known/openid-configuration"
	// must be included in discoveryURL if needed.
	//
	// The "issuer" field in the fetched discovery information must match the "issuer.url" field
	// in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT.
	// This is for scenarios where the well-known and jwks endpoints are hosted at a different
	// location than the issuer (such as locally in the cluster).
	//
	// Example:
	// A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace'
	// and discovery information is available at '/.well-known/openid-configuration'.
	// discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration"
	// certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate
	// must be set to 'oidc.oidc-namespace'.
	//
	// curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field)
	// {
	//     issuer: "https://oidc.example.com" (.url field)
	// }
	//
	// discoveryURL must be different from url.
	// Required to be unique across all JWT authenticators.
	// Note that egress selection configuration is not used for this network connection.
	// +optional
	DiscoveryURL *string `json:"discoveryURL,omitempty"`

	// certificateAuthority contains PEM-encoded certificate authority certificates
	// used to validate the connection when fetching discovery information.
	// If unset, the system verifier is used.
	// Same value as the content of the file referenced by the --oidc-ca-file flag.
	// +optional
	CertificateAuthority string `json:"certificateAuthority,omitempty"`

	// audiences is the set of acceptable audiences the JWT must be issued to.
	// At least one of the entries must match the "aud" claim in presented JWTs.
	// Same value as the --oidc-client-id flag (though this field supports an array).
	// Required to be non-empty.
	// +required
	Audiences []string `json:"audiences"`

	// audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT.
	// Allowed values are:
	// 1. "MatchAny" when multiple audiences are specified and
	// 2. empty (or unset) or "MatchAny" when a single audience is specified.
	//
	// - MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field.
	// For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both).
	//
	// - "": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others).
	//
	// For more nuanced audience validation, use claimValidationRules.
	//   example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match.
	// +optional
	AudienceMatchPolicy AudienceMatchPolicyType `json:"audienceMatchPolicy,omitempty"`
}

Issuer provides the configuration for an external provider's specific settings.

func (*Issuer) DeepCopy added in v0.30.0

func (in *Issuer) DeepCopy() *Issuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.

func (*Issuer) DeepCopyInto added in v0.30.0

func (in *Issuer) DeepCopyInto(out *Issuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JWTAuthenticator added in v0.30.0

type JWTAuthenticator struct {
	// issuer contains the basic OIDC provider connection options.
	// +required
	Issuer Issuer `json:"issuer"`

	// claimValidationRules are rules that are applied to validate token claims to authenticate users.
	// +optional
	ClaimValidationRules []ClaimValidationRule `json:"claimValidationRules,omitempty"`

	// claimMappings points claims of a token to be treated as user attributes.
	// +required
	ClaimMappings ClaimMappings `json:"claimMappings"`

	// userValidationRules are rules that are applied to final user before completing authentication.
	// These allow invariants to be applied to incoming identities such as preventing the
	// use of the system: prefix that is commonly used by Kubernetes components.
	// The validation rules are logically ANDed together and must all return true for the validation to pass.
	// +optional
	UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"`
}

JWTAuthenticator provides the configuration for a single JWT authenticator.

func (*JWTAuthenticator) DeepCopy added in v0.30.0

func (in *JWTAuthenticator) DeepCopy() *JWTAuthenticator

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticator.

func (*JWTAuthenticator) DeepCopyInto added in v0.30.0

func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PrefixedClaimOrExpression added in v0.30.0

type PrefixedClaimOrExpression struct {
	// claim is the JWT claim to use.
	// Mutually exclusive with expression.
	// +optional
	Claim string `json:"claim,omitempty"`
	// prefix is prepended to claim's value to prevent clashes with existing names.
	// prefix needs to be set if claim is set and can be the empty string.
	// Mutually exclusive with expression.
	// +optional
	Prefix *string `json:"prefix,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim and prefix.
	// +optional
	Expression string `json:"expression,omitempty"`
}

PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.

func (*PrefixedClaimOrExpression) DeepCopy added in v0.30.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixedClaimOrExpression.

func (*PrefixedClaimOrExpression) DeepCopyInto added in v0.30.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ProtocolType

type ProtocolType string

ProtocolType is a set of valid values for Connection.ProtocolType

const (
	// Use HTTPConnect to connect to konnectivity server
	ProtocolHTTPConnect ProtocolType = "HTTPConnect"
	// Use grpc to connect to konnectivity server
	ProtocolGRPC ProtocolType = "GRPC"
	// Connect directly (skip konnectivity server)
	ProtocolDirect ProtocolType = "Direct"
)

Valid types for ProtocolType for konnectivity server

type TCPTransport

type TCPTransport struct {
	// URL is the location of the konnectivity server to connect to.
	// As an example it might be "https://127.0.0.1:8131"
	URL string `json:"url,omitempty"`

	// TLSConfig is the config needed to use TLS when connecting to konnectivity server
	// +optional
	TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
}

TCPTransport provides the information to connect to konnectivity server via TCP

func (*TCPTransport) DeepCopy

func (in *TCPTransport) DeepCopy() *TCPTransport

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPTransport.

func (*TCPTransport) DeepCopyInto

func (in *TCPTransport) DeepCopyInto(out *TCPTransport)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TLSConfig

type TLSConfig struct {
	// caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
	// Must be absent/empty if TCPTransport.URL is prefixed with http://
	// If absent while TCPTransport.URL is prefixed with https://, default to system trust roots.
	// +optional
	CABundle string `json:"caBundle,omitempty"`

	// clientKey is the file location of the client key to be used in mtls handshakes with the konnectivity server.
	// Must be absent/empty if TCPTransport.URL is prefixed with http://
	// Must be configured if TCPTransport.URL is prefixed with https://
	// +optional
	ClientKey string `json:"clientKey,omitempty"`

	// clientCert is the file location of the client certificate to be used in mtls handshakes with the konnectivity server.
	// Must be absent/empty if TCPTransport.URL is prefixed with http://
	// Must be configured if TCPTransport.URL is prefixed with https://
	// +optional
	ClientCert string `json:"clientCert,omitempty"`
}

TLSConfig provides the authentication information to connect to konnectivity server Only used with TCPTransport

func (*TLSConfig) DeepCopy

func (in *TLSConfig) DeepCopy() *TLSConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.

func (*TLSConfig) DeepCopyInto

func (in *TLSConfig) DeepCopyInto(out *TLSConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TracingConfiguration added in v0.27.0

type TracingConfiguration struct {
	metav1.TypeMeta `json:",inline"`

	// Embed the component config tracing configuration struct
	tracingapi.TracingConfiguration `json:",inline"`
}

TracingConfiguration provides versioned configuration for tracing clients.

func (*TracingConfiguration) DeepCopy added in v0.27.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TracingConfiguration.

func (*TracingConfiguration) DeepCopyInto added in v0.27.0

func (in *TracingConfiguration) DeepCopyInto(out *TracingConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*TracingConfiguration) DeepCopyObject added in v0.27.0

func (in *TracingConfiguration) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type Transport

type Transport struct {
	// TCP is the TCP configuration for communicating with the konnectivity server via TCP
	// ProxyProtocol of GRPC is not supported with TCP transport at the moment
	// Requires at least one of TCP or UDS to be set
	// +optional
	TCP *TCPTransport `json:"tcp,omitempty"`

	// UDS is the UDS configuration for communicating with the konnectivity server via UDS
	// Requires at least one of TCP or UDS to be set
	// +optional
	UDS *UDSTransport `json:"uds,omitempty"`
}

Transport defines the transport configurations we use to dial to the konnectivity server

func (*Transport) DeepCopy

func (in *Transport) DeepCopy() *Transport

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Transport.

func (*Transport) DeepCopyInto

func (in *Transport) DeepCopyInto(out *Transport)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type UDSTransport

type UDSTransport struct {
	// UDSName is the name of the unix domain socket to connect to konnectivity server
	// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket)
	UDSName string `json:"udsName,omitempty"`
}

UDSTransport provides the information to connect to konnectivity server via UDS

func (*UDSTransport) DeepCopy

func (in *UDSTransport) DeepCopy() *UDSTransport

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDSTransport.

func (*UDSTransport) DeepCopyInto

func (in *UDSTransport) DeepCopyInto(out *UDSTransport)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type UserValidationRule added in v0.30.0

type UserValidationRule struct {
	// expression represents the expression which will be evaluated by CEL.
	// Must return true for the validation to pass.
	//
	// CEL expressions have access to the contents of UserInfo, organized into CEL variable:
	// - 'user' - authentication.k8s.io/v1, Kind=UserInfo object
	//    Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
	//    API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// +required
	Expression string `json:"expression"`

	// message customizes the returned error message when rule returns false.
	// message is a literal string.
	// +optional
	Message string `json:"message,omitempty"`
}

UserValidationRule provides the configuration for a single user info validation rule.

func (*UserValidationRule) DeepCopy added in v0.30.0

func (in *UserValidationRule) DeepCopy() *UserValidationRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserValidationRule.

func (*UserValidationRule) DeepCopyInto added in v0.30.0

func (in *UserValidationRule) DeepCopyInto(out *UserValidationRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WebhookConfiguration added in v0.30.0

type WebhookConfiguration struct {
	// The duration to cache 'authorized' responses from the webhook
	// authorizer.
	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
	// Default: 5m0s
	AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
	// The duration to cache 'unauthorized' responses from the webhook
	// authorizer.
	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
	// Default: 30s
	UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
	// Timeout for the webhook request
	// Maximum allowed value is 30s.
	// Required, no default value.
	Timeout metav1.Duration `json:"timeout"`
	// The API version of the authorization.k8s.io SubjectAccessReview to
	// send to and expect from the webhook.
	// Same as setting `--authorization-webhook-version` flag
	// Valid values: v1beta1, v1
	// Required, no default value
	SubjectAccessReviewVersion string `json:"subjectAccessReviewVersion"`
	// MatchConditionSubjectAccessReviewVersion specifies the SubjectAccessReview
	// version the CEL expressions are evaluated against
	// Valid values: v1
	// Required, no default value
	MatchConditionSubjectAccessReviewVersion string `json:"matchConditionSubjectAccessReviewVersion"`
	// Controls the authorization decision when a webhook request fails to
	// complete or returns a malformed response or errors evaluating
	// matchConditions.
	// Valid values:
	//   - NoOpinion: continue to subsequent authorizers to see if one of
	//     them allows the request
	//   - Deny: reject the request without consulting subsequent authorizers
	// Required, with no default.
	FailurePolicy string `json:"failurePolicy"`

	// ConnectionInfo defines how we talk to the webhook
	ConnectionInfo WebhookConnectionInfo `json:"connectionInfo"`

	// matchConditions is a list of conditions that must be met for a request to be sent to this
	// webhook. An empty list of matchConditions matches all requests.
	// There are a maximum of 64 match conditions allowed.
	//
	// The exact matching logic is (in order):
	//   1. If at least one matchCondition evaluates to FALSE, then the webhook is skipped.
	//   2. If ALL matchConditions evaluate to TRUE, then the webhook is called.
	//   3. If at least one matchCondition evaluates to an error (but none are FALSE):
	//      - If failurePolicy=Deny, then the webhook rejects the request
	//      - If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
	MatchConditions []WebhookMatchCondition `json:"matchConditions"`
}

func (*WebhookConfiguration) DeepCopy added in v0.30.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration.

func (*WebhookConfiguration) DeepCopyInto added in v0.30.0

func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WebhookConnectionInfo added in v0.30.0

type WebhookConnectionInfo struct {
	// Controls how the webhook should communicate with the server.
	// Valid values:
	// - KubeConfigFile: use the file specified in kubeConfigFile to locate the
	//   server.
	// - InClusterConfig: use the in-cluster configuration to call the
	//   SubjectAccessReview API hosted by kube-apiserver. This mode is not
	//   allowed for kube-apiserver.
	Type string `json:"type"`

	// Path to KubeConfigFile for connection info
	// Required, if connectionInfo.Type is KubeConfig
	KubeConfigFile *string `json:"kubeConfigFile"`
}

func (*WebhookConnectionInfo) DeepCopy added in v0.30.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConnectionInfo.

func (*WebhookConnectionInfo) DeepCopyInto added in v0.30.0

func (in *WebhookConnectionInfo) DeepCopyInto(out *WebhookConnectionInfo)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WebhookMatchCondition added in v0.30.0

type WebhookMatchCondition struct {
	// expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
	// CEL expressions have access to the contents of the SubjectAccessReview in v1 version.
	// If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
	// the contents would be converted to the v1 version before evaluating the CEL expression.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	Expression string `json:"expression"`
}

func (*WebhookMatchCondition) DeepCopy added in v0.30.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookMatchCondition.

func (*WebhookMatchCondition) DeepCopyInto added in v0.30.0

func (in *WebhookMatchCondition) DeepCopyInto(out *WebhookMatchCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL