options

package
v0.32.0-rc.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 27, 2024 License: Apache-2.0 Imports: 96 Imported by: 1,055

Documentation

Overview

package options is the public flags and options used by a generic api server. It takes a minimal set of dependencies and does not reference implementations, in order to ensure it may be reused by multiple components (such as CLI commands that wish to generate or validate config).

Index

Constants

View Source
const (
	// ModeBatch indicates that the audit backend should buffer audit events
	// internally, sending batch updates either once a certain number of
	// events have been received or a certain amount of time has passed.
	ModeBatch = "batch"
	// ModeBlocking causes the audit backend to block on every attempt to process
	// a set of events. This causes requests to the API server to wait for the
	// flush before sending a response.
	ModeBlocking = "blocking"
	// ModeBlockingStrict is the same as ModeBlocking, except when there is
	// a failure during audit logging at RequestReceived stage, the whole
	// request to apiserver will fail.
	ModeBlockingStrict = "blocking-strict"
)

Variables

AllowedModes is the modes known for audit backends.

Functions

func CreateListener

func CreateListener(network, addr string, config net.ListenConfig) (net.Listener, int, error)

func DefaultAuthWebhookRetryBackoff added in v0.20.0

func DefaultAuthWebhookRetryBackoff() *wait.Backoff

DefaultAuthWebhookRetryBackoff is the default backoff parameters for both authentication and authorization webhook used by the apiserver.

func ParseWatchCacheSizes

func ParseWatchCacheSizes(cacheSizes []string) (map[schema.GroupResource]int, error)

ParseWatchCacheSizes turns a list of cache size values into a map of group resources to requested sizes.

func ReadTracingConfiguration added in v0.25.0

func ReadTracingConfiguration(configFilePath string) (*tracingapi.TracingConfiguration, error)

ReadTracingConfiguration reads the tracing configuration from a file

func WriteWatchCacheSizes

func WriteWatchCacheSizes(watchCacheSizes map[schema.GroupResource]int) ([]string, error)

WriteWatchCacheSizes turns a map of cache size values into a list of string specifications.

Types

type APIEnablementOptions

type APIEnablementOptions struct {
	RuntimeConfig cliflag.ConfigurationMap
}

APIEnablementOptions contains the options for which resources to turn on and off. Given small aggregated API servers, this option isn't required for "normal" API servers

func NewAPIEnablementOptions

func NewAPIEnablementOptions() *APIEnablementOptions

func (*APIEnablementOptions) AddFlags

func (s *APIEnablementOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags for a specific APIServer to the specified FlagSet

func (*APIEnablementOptions) ApplyTo

func (s *APIEnablementOptions) ApplyTo(c *server.Config, defaultResourceConfig *serverstore.ResourceConfig, registry resourceconfig.GroupVersionRegistry) error

ApplyTo override MergedResourceConfig with defaults and registry

func (*APIEnablementOptions) Validate

func (s *APIEnablementOptions) Validate(registries ...GroupRegistry) []error

Validate validates RuntimeConfig with a list of registries. Usually this list only has one element, the apiserver registry of the process. But in the advanced (and usually not recommended) case of delegated apiservers there can be more. Validate will filter out the known groups of each registry. If anything is left over after that, an error is returned.

type AdmissionOptions

type AdmissionOptions struct {
	// RecommendedPluginOrder holds an ordered list of plugin names we recommend to use by default
	RecommendedPluginOrder []string
	// DefaultOffPlugins is a set of plugin names that is disabled by default
	DefaultOffPlugins sets.Set[string]

	// EnablePlugins indicates plugins to be enabled passed through `--enable-admission-plugins`.
	EnablePlugins []string
	// DisablePlugins indicates plugins to be disabled passed through `--disable-admission-plugins`.
	DisablePlugins []string
	// ConfigFile is the file path with admission control configuration.
	ConfigFile string
	// Plugins contains all registered plugins.
	Plugins *admission.Plugins
	// Decorators is a list of admission decorator to wrap around the admission plugins
	Decorators admission.Decorators
}

AdmissionOptions holds the admission options

func NewAdmissionOptions

func NewAdmissionOptions() *AdmissionOptions

NewAdmissionOptions creates a new instance of AdmissionOptions Note:

In addition it calls RegisterAllAdmissionPlugins to register
all generic admission plugins.

Provides the list of RecommendedPluginOrder that holds sane values
that can be used by servers that don't care about admission chain.
Servers that do care can overwrite/append that field after creation.

func (*AdmissionOptions) AddFlags

func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags related to admission for a specific APIServer to the specified FlagSet

func (*AdmissionOptions) ApplyTo

func (a *AdmissionOptions) ApplyTo(
	c *server.Config,
	informers informers.SharedInformerFactory,
	kubeClient kubernetes.Interface,
	dynamicClient dynamic.Interface,
	features featuregate.FeatureGate,
	pluginInitializers ...admission.PluginInitializer,
) error

ApplyTo adds the admission chain to the server configuration. In case admission plugin names were not provided by a cluster-admin they will be prepared from the recommended/default values. In addition the method lazily initializes a generic plugin that is appended to the list of pluginInitializers note this method uses:

genericconfig.Authorizer

func (*AdmissionOptions) Validate

func (a *AdmissionOptions) Validate() []error

Validate verifies flags passed to AdmissionOptions.

type AuditBatchOptions

type AuditBatchOptions struct {
	// Should the backend asynchronous batch events to the webhook backend or
	// should the backend block responses?
	//
	// Defaults to asynchronous batch events.
	Mode string
	// Configuration for batching backend. Only used in batch mode.
	BatchConfig pluginbuffered.BatchConfig
}

func (*AuditBatchOptions) AddFlags

func (o *AuditBatchOptions) AddFlags(pluginName string, fs *pflag.FlagSet)

type AuditLogOptions

type AuditLogOptions struct {
	Path       string
	MaxAge     int
	MaxBackups int
	MaxSize    int
	Format     string
	Compress   bool

	BatchOptions    AuditBatchOptions
	TruncateOptions AuditTruncateOptions

	// API group version used for serializing audit events.
	GroupVersionString string
}

AuditLogOptions determines the output of the structured audit log by default.

func (*AuditLogOptions) AddFlags

func (o *AuditLogOptions) AddFlags(fs *pflag.FlagSet)

func (*AuditLogOptions) Validate

func (o *AuditLogOptions) Validate() []error

type AuditOptions

type AuditOptions struct {
	// Policy configuration file for filtering audit events that are captured.
	// If unspecified, a default is provided.
	PolicyFile string

	// Plugin options
	LogOptions     AuditLogOptions
	WebhookOptions AuditWebhookOptions
}

func NewAuditOptions

func NewAuditOptions() *AuditOptions

func (*AuditOptions) AddFlags

func (o *AuditOptions) AddFlags(fs *pflag.FlagSet)

func (*AuditOptions) ApplyTo

func (o *AuditOptions) ApplyTo(
	c *server.Config,
) error

func (*AuditOptions) Validate

func (o *AuditOptions) Validate() []error

Validate checks invalid config combination

type AuditTruncateOptions

type AuditTruncateOptions struct {
	// Whether truncating is enabled or not.
	Enabled bool

	// Truncating configuration.
	TruncateConfig plugintruncate.Config
}

func NewAuditTruncateOptions

func NewAuditTruncateOptions() AuditTruncateOptions

func (*AuditTruncateOptions) AddFlags

func (o *AuditTruncateOptions) AddFlags(pluginName string, fs *pflag.FlagSet)

func (*AuditTruncateOptions) Validate

func (o *AuditTruncateOptions) Validate(pluginName string) error

type AuditWebhookOptions

type AuditWebhookOptions struct {
	ConfigFile     string
	InitialBackoff time.Duration

	BatchOptions    AuditBatchOptions
	TruncateOptions AuditTruncateOptions

	// API group version used for serializing audit events.
	GroupVersionString string
}

AuditWebhookOptions control the webhook configuration for audit events.

func (*AuditWebhookOptions) AddFlags

func (o *AuditWebhookOptions) AddFlags(fs *pflag.FlagSet)

func (*AuditWebhookOptions) Validate

func (o *AuditWebhookOptions) Validate() []error

type CertKey

type CertKey struct {
	// CertFile is a file containing a PEM-encoded certificate, and possibly the complete certificate chain
	CertFile string
	// KeyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile
	KeyFile string
}

type ClientCertAuthenticationOptions

type ClientCertAuthenticationOptions struct {
	// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
	ClientCA string

	// CAContentProvider are the options for verifying incoming connections using mTLS and directly assigning to users.
	// Generally this is the CA bundle file used to authenticate client certificates
	// If non-nil, this takes priority over the ClientCA file.
	CAContentProvider dynamiccertificates.CAContentProvider
}

ClientCertAuthenticationOptions provides different options for client cert auth. You should use `GetClientVerifyOptionFn` to get the verify options for your authenticator.

func (*ClientCertAuthenticationOptions) AddFlags

func (*ClientCertAuthenticationOptions) GetClientCAContentProvider added in v0.17.0

GetClientVerifyOptionFn provides verify options for your authenticator while respecting the preferred order of verifiers.

type CoreAPIOptions

type CoreAPIOptions struct {
	// CoreAPIKubeconfigPath is a filename for a kubeconfig file to contact the core API server with.
	// If it is not set, the in cluster config is used.
	CoreAPIKubeconfigPath string
}

CoreAPIOptions contains options to configure the connection to a core API Kubernetes apiserver.

func NewCoreAPIOptions

func NewCoreAPIOptions() *CoreAPIOptions

func (*CoreAPIOptions) AddFlags

func (o *CoreAPIOptions) AddFlags(fs *pflag.FlagSet)

func (*CoreAPIOptions) ApplyTo

func (o *CoreAPIOptions) ApplyTo(config *server.RecommendedConfig) error

func (*CoreAPIOptions) Validate

func (o *CoreAPIOptions) Validate() []error

type DelegatingAuthenticationOptions

type DelegatingAuthenticationOptions struct {
	// RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the
	// TokenAccessReview.authentication.k8s.io endpoint for checking tokens.
	RemoteKubeConfigFile string
	// RemoteKubeConfigFileOptional is specifying whether not specifying the kubeconfig or
	// a missing in-cluster config will be fatal.
	RemoteKubeConfigFileOptional bool

	// CacheTTL is the length of time that a token authentication answer will be cached.
	CacheTTL time.Duration

	ClientCert    ClientCertAuthenticationOptions
	RequestHeader RequestHeaderAuthenticationOptions

	// SkipInClusterLookup indicates missing authentication configuration should not be retrieved from the cluster configmap
	SkipInClusterLookup bool

	// TolerateInClusterLookupFailure indicates failures to look up authentication configuration from the cluster configmap should not be fatal.
	// Setting this can result in an authenticator that will reject all requests.
	TolerateInClusterLookupFailure bool

	// WebhookRetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff

	// TokenRequestTimeout specifies a time limit for requests made by the authorization webhook client.
	// The default value is set to 10 seconds.
	TokenRequestTimeout time.Duration

	// CustomRoundTripperFn allows for specifying a middleware function for custom HTTP behaviour for the authentication webhook client.
	CustomRoundTripperFn transport.WrapperFunc

	// Anonymous gives user an option to enable/disable Anonymous authentication.
	Anonymous *apiserver.AnonymousAuthConfig
}

DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to the root kube API server. The API federator will act as a front proxy and direction connections will be able to delegate to the core kube API server

func NewDelegatingAuthenticationOptions

func NewDelegatingAuthenticationOptions() *DelegatingAuthenticationOptions

func (*DelegatingAuthenticationOptions) AddFlags

func (*DelegatingAuthenticationOptions) ApplyTo

func (s *DelegatingAuthenticationOptions) ApplyTo(authenticationInfo *server.AuthenticationInfo, servingInfo *server.SecureServingInfo, openAPIConfig *openapicommon.Config) error

func (*DelegatingAuthenticationOptions) Validate

func (s *DelegatingAuthenticationOptions) Validate() []error

func (*DelegatingAuthenticationOptions) WithCustomRetryBackoff added in v0.20.0

func (s *DelegatingAuthenticationOptions) WithCustomRetryBackoff(backoff wait.Backoff)

WithCustomRetryBackoff sets the custom backoff parameters for the authentication webhook retry logic.

func (*DelegatingAuthenticationOptions) WithCustomRoundTripper added in v0.22.0

func (s *DelegatingAuthenticationOptions) WithCustomRoundTripper(rt transport.WrapperFunc)

WithCustomRoundTripper allows for specifying a middleware function for custom HTTP behaviour for the authentication webhook client.

func (*DelegatingAuthenticationOptions) WithRequestTimeout added in v0.20.7

func (s *DelegatingAuthenticationOptions) WithRequestTimeout(timeout time.Duration)

WithRequestTimeout sets the given timeout for requests made by the authentication webhook client.

type DelegatingAuthorizationOptions

type DelegatingAuthorizationOptions struct {
	// RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the
	// SubjectAccessReview.authorization.k8s.io endpoint for checking tokens.
	RemoteKubeConfigFile string
	// RemoteKubeConfigFileOptional is specifying whether not specifying the kubeconfig or
	// a missing in-cluster config will be fatal.
	RemoteKubeConfigFileOptional bool

	// AllowCacheTTL is the length of time that a successful authorization response will be cached
	AllowCacheTTL time.Duration

	// DenyCacheTTL is the length of time that an unsuccessful authorization response will be cached.
	// You generally want more responsive, "deny, try again" flows.
	DenyCacheTTL time.Duration

	// AlwaysAllowPaths are HTTP paths which are excluded from authorization. They can be plain
	// paths or end in * in which case prefix-match is applied. A leading / is optional.
	AlwaysAllowPaths []string

	// AlwaysAllowGroups are groups which are allowed to take any actions.  In kube, this is system:masters.
	AlwaysAllowGroups []string

	// ClientTimeout specifies a time limit for requests made by SubjectAccessReviews client.
	// The default value is set to 10 seconds.
	ClientTimeout time.Duration

	// WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff

	// CustomRoundTripperFn allows for specifying a middleware function for custom HTTP behaviour for the authorization webhook client.
	CustomRoundTripperFn transport.WrapperFunc
}

DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to the root kube API server. WARNING: never assume that every authenticated incoming request already does authorization. The aggregator in the kube API server does this today, but this behaviour is not guaranteed in the future.

func NewDelegatingAuthorizationOptions

func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions

func (*DelegatingAuthorizationOptions) AddFlags

func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet)

func (*DelegatingAuthorizationOptions) ApplyTo

func (*DelegatingAuthorizationOptions) Validate

func (s *DelegatingAuthorizationOptions) Validate() []error

func (*DelegatingAuthorizationOptions) WithAlwaysAllowGroups

func (s *DelegatingAuthorizationOptions) WithAlwaysAllowGroups(groups ...string) *DelegatingAuthorizationOptions

WithAlwaysAllowGroups appends the list of paths to AlwaysAllowGroups

func (*DelegatingAuthorizationOptions) WithAlwaysAllowPaths

func (s *DelegatingAuthorizationOptions) WithAlwaysAllowPaths(paths ...string) *DelegatingAuthorizationOptions

WithAlwaysAllowPaths appends the list of paths to AlwaysAllowPaths

func (*DelegatingAuthorizationOptions) WithClientTimeout added in v0.17.15

func (s *DelegatingAuthorizationOptions) WithClientTimeout(timeout time.Duration)

WithClientTimeout sets the given timeout for SAR client used by this authorizer

func (*DelegatingAuthorizationOptions) WithCustomRetryBackoff added in v0.20.0

func (s *DelegatingAuthorizationOptions) WithCustomRetryBackoff(backoff wait.Backoff)

WithCustomRetryBackoff sets the custom backoff parameters for the authorization webhook retry logic.

func (*DelegatingAuthorizationOptions) WithCustomRoundTripper added in v0.22.0

func (s *DelegatingAuthorizationOptions) WithCustomRoundTripper(rt transport.WrapperFunc)

WithCustomRoundTripper allows for specifying a middleware function for custom HTTP behaviour for the authorization webhook client.

type DynamicRequestHeaderController added in v0.19.0

DynamicRequestHeaderController combines DynamicCAFromConfigMapController and RequestHeaderAuthRequestController into one controller for dynamically filling RequestHeaderConfig struct

func (*DynamicRequestHeaderController) Run added in v0.19.0

func (c *DynamicRequestHeaderController) Run(ctx context.Context, workers int)

func (*DynamicRequestHeaderController) RunOnce added in v0.19.0

type EgressSelectorOptions added in v0.16.4

type EgressSelectorOptions struct {
	// ConfigFile is the file path with api-server egress selector configuration.
	ConfigFile string
}

EgressSelectorOptions holds the api server egress selector options. See https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/1281-network-proxy/README.md

func NewEgressSelectorOptions added in v0.16.4

func NewEgressSelectorOptions() *EgressSelectorOptions

NewEgressSelectorOptions creates a new instance of EgressSelectorOptions

The option is to point to a configuration file for egress/konnectivity. This determines which types of requests use egress/konnectivity and how they use it. If empty the API Server will attempt to connect directly using the network.

func (*EgressSelectorOptions) AddFlags added in v0.16.4

func (o *EgressSelectorOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags related to admission for a specific APIServer to the specified FlagSet

func (*EgressSelectorOptions) ApplyTo added in v0.16.4

func (o *EgressSelectorOptions) ApplyTo(c *server.Config) error

ApplyTo adds the egress selector settings to the server configuration. In case egress selector settings were not provided by a cluster-admin they will be prepared from the recommended/default/no-op values.

func (*EgressSelectorOptions) Validate added in v0.16.4

func (o *EgressSelectorOptions) Validate() []error

Validate verifies flags passed to EgressSelectorOptions.

type EtcdOptions

type EtcdOptions struct {
	StorageConfig                           storagebackend.Config
	EncryptionProviderConfigFilepath        string
	EncryptionProviderConfigAutomaticReload bool

	EtcdServersOverrides []string

	// To enable protobuf as storage format, it is enough
	// to set it to "application/vnd.kubernetes.protobuf".
	DefaultStorageMediaType string
	DeleteCollectionWorkers int
	EnableGarbageCollection bool

	// Set EnableWatchCache to false to disable all watch caches
	EnableWatchCache bool
	// Set DefaultWatchCacheSize to zero to disable watch caches for those resources that have no explicit cache size set
	DefaultWatchCacheSize int
	// WatchCacheSizes represents override to a given resource
	WatchCacheSizes []string

	// SkipHealthEndpoints, when true, causes the Apply methods to not set up health endpoints.
	// This allows multiple invocations of the Apply methods without duplication of said endpoints.
	SkipHealthEndpoints bool
}

func NewEtcdOptions

func NewEtcdOptions(backendConfig *storagebackend.Config) *EtcdOptions

func (*EtcdOptions) AddFlags

func (s *EtcdOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags related to etcd storage for a specific APIServer to the specified FlagSet

func (*EtcdOptions) ApplyTo

func (s *EtcdOptions) ApplyTo(c *server.Config) error

ApplyTo mutates the provided server.Config. It must never mutate the receiver (EtcdOptions).

func (*EtcdOptions) ApplyWithStorageFactoryTo

func (s *EtcdOptions) ApplyWithStorageFactoryTo(factory serverstorage.StorageFactory, c *server.Config) error

ApplyWithStorageFactoryTo mutates the provided server.Config. It must never mutate the receiver (EtcdOptions).

func (*EtcdOptions) CreateRESTOptionsGetter added in v0.28.0

func (s *EtcdOptions) CreateRESTOptionsGetter(factory serverstorage.StorageFactory, resourceTransformers storagevalue.ResourceTransformers) generic.RESTOptionsGetter

func (*EtcdOptions) Validate

func (s *EtcdOptions) Validate() []error

type FeatureOptions

type FeatureOptions struct {
	EnableProfiling           bool
	DebugSocketPath           string
	EnableContentionProfiling bool
	EnablePriorityAndFairness bool
}

func NewFeatureOptions

func NewFeatureOptions() *FeatureOptions

func (*FeatureOptions) AddFlags

func (o *FeatureOptions) AddFlags(fs *pflag.FlagSet)

func (*FeatureOptions) ApplyTo

func (*FeatureOptions) Validate

func (o *FeatureOptions) Validate() []error

type GeneratableKeyCert

type GeneratableKeyCert struct {
	// CertKey allows setting an explicit cert/key file to use.
	CertKey CertKey

	// CertDirectory specifies a directory to write generated certificates to if CertFile/KeyFile aren't explicitly set.
	// PairName is used to determine the filenames within CertDirectory.
	// If CertDirectory and PairName are not set, an in-memory certificate will be generated.
	CertDirectory string
	// PairName is the name which will be used with CertDirectory to make a cert and key filenames.
	// It becomes CertDirectory/PairName.crt and CertDirectory/PairName.key
	PairName string

	// GeneratedCert holds an in-memory generated certificate if CertFile/KeyFile aren't explicitly set, and CertDirectory/PairName are not set.
	GeneratedCert dynamiccertificates.CertKeyContentProvider

	// FixtureDirectory is a directory that contains test fixture used to avoid regeneration of certs during tests.
	// The format is:
	// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
	// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
	FixtureDirectory string
}

type GroupRegistry added in v0.23.0

type GroupRegistry interface {
	// IsRegistered returns true if given group is registered.
	IsGroupRegistered(group string) bool
}

GroupRegistry provides a method to check whether given group is registered.

type RecommendedOptions

type RecommendedOptions struct {
	Etcd           *EtcdOptions
	SecureServing  *SecureServingOptionsWithLoopback
	Authentication *DelegatingAuthenticationOptions
	Authorization  *DelegatingAuthorizationOptions
	Audit          *AuditOptions
	Features       *FeatureOptions
	CoreAPI        *CoreAPIOptions

	// FeatureGate is a way to plumb feature gate through if you have them.
	FeatureGate featuregate.FeatureGate
	// ExtraAdmissionInitializers is called once after all ApplyTo from the options above, to pass the returned
	// admission plugin initializers to Admission.ApplyTo.
	ExtraAdmissionInitializers func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error)
	Admission                  *AdmissionOptions
	// API Server Egress Selector is used to control outbound traffic from the API Server
	EgressSelector *EgressSelectorOptions
	// Traces contains options to control distributed request tracing.
	Traces *TracingOptions
}

RecommendedOptions contains the recommended options for running an API server. If you add something to this list, it should be in a logical grouping. Each of them can be nil to leave the feature unconfigured on ApplyTo.

func NewRecommendedOptions

func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions

func (*RecommendedOptions) AddFlags

func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet)

func (*RecommendedOptions) ApplyTo

func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig) error

ApplyTo adds RecommendedOptions to the server configuration. pluginInitializers can be empty, it is only need for additional initializers.

func (*RecommendedOptions) Validate

func (o *RecommendedOptions) Validate() []error

type RequestHeaderAuthenticationOptions

type RequestHeaderAuthenticationOptions struct {
	// ClientCAFile is the root certificate bundle to verify client certificates on incoming requests
	// before trusting usernames in headers.
	ClientCAFile string

	UsernameHeaders     []string
	UIDHeaders          []string
	GroupHeaders        []string
	ExtraHeaderPrefixes []string
	AllowedNames        []string
}

func (*RequestHeaderAuthenticationOptions) AddFlags

func (*RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig

func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() (*authenticatorfactory.RequestHeaderConfig, error)

ToAuthenticationRequestHeaderConfig returns a RequestHeaderConfig config object for these options if necessary, nil otherwise.

func (*RequestHeaderAuthenticationOptions) Validate added in v0.17.0

func (s *RequestHeaderAuthenticationOptions) Validate() []error

type SecureServingOptions

type SecureServingOptions struct {
	BindAddress net.IP
	// BindPort is ignored when Listener is set, will serve https even with 0.
	BindPort int
	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
	// "tcp4", and "tcp6".
	BindNetwork string
	// DisableHTTP2Serving indicates that http2 serving should not be enabled.
	DisableHTTP2Serving bool
	// Required set to true means that BindPort cannot be zero.
	Required bool
	// ExternalAddress is the address advertised, even if BindAddress is a loopback. By default this
	// is set to BindAddress if the later no loopback, or to the first host interface address.
	ExternalAddress net.IP

	// Listener is the secure server network listener.
	// either Listener or BindAddress/BindPort/BindNetwork is set,
	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
	Listener net.Listener

	// ServerCert is the TLS cert info for serving secure traffic
	ServerCert GeneratableKeyCert
	// SNICertKeys are named CertKeys for serving secure traffic with SNI support.
	SNICertKeys []cliflag.NamedCertKey
	// CipherSuites is the list of allowed cipher suites for the server.
	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
	CipherSuites []string
	// MinTLSVersion is the minimum TLS version supported.
	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
	MinTLSVersion string

	// HTTP2MaxStreamsPerConnection is the limit that the api server imposes on each client.
	// A value of zero means to use the default provided by golang's HTTP/2 support.
	HTTP2MaxStreamsPerConnection int

	// PermitPortSharing controls if SO_REUSEPORT is used when binding the port, which allows
	// more than one instance to bind on the same address and port.
	PermitPortSharing bool

	// PermitAddressSharing controls if SO_REUSEADDR is used when binding the port.
	PermitAddressSharing bool
}

func NewSecureServingOptions

func NewSecureServingOptions() *SecureServingOptions

func (*SecureServingOptions) AddFlags

func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet)

func (*SecureServingOptions) ApplyTo

func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error

ApplyTo fills up serving information in the server configuration.

func (*SecureServingOptions) DefaultExternalAddress

func (s *SecureServingOptions) DefaultExternalAddress() (net.IP, error)

func (*SecureServingOptions) MaybeDefaultWithSelfSignedCerts

func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress string, alternateDNS []string, alternateIPs []net.IP) error

func (*SecureServingOptions) Validate

func (s *SecureServingOptions) Validate() []error

func (*SecureServingOptions) WithLoopback

type SecureServingOptionsWithLoopback

type SecureServingOptionsWithLoopback struct {
	*SecureServingOptions
}

func (*SecureServingOptionsWithLoopback) ApplyTo

func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.SecureServingInfo, loopbackClientConfig **rest.Config) error

ApplyTo fills up serving information in the server configuration.

type ServerRunOptions

type ServerRunOptions struct {
	AdvertiseAddress net.IP

	CorsAllowedOriginList        []string
	HSTSDirectives               []string
	ExternalHost                 string
	MaxRequestsInFlight          int
	MaxMutatingRequestsInFlight  int
	RequestTimeout               time.Duration
	GoawayChance                 float64
	LivezGracePeriod             time.Duration
	MinRequestTimeout            int
	StorageInitializationTimeout time.Duration
	ShutdownDelayDuration        time.Duration
	// We intentionally did not add a flag for this option. Users of the
	// apiserver library can wire it to a flag.
	JSONPatchMaxCopyBytes int64
	// The limit on the request body size that would be accepted and
	// decoded in a write request. 0 means no limit.
	// We intentionally did not add a flag for this option. Users of the
	// apiserver library can wire it to a flag.
	MaxRequestBodyBytes int64

	// ShutdownSendRetryAfter dictates when to initiate shutdown of the HTTP
	// Server during the graceful termination of the apiserver. If true, we wait
	// for non longrunning requests in flight to be drained and then initiate a
	// shutdown of the HTTP Server. If false, we initiate a shutdown of the HTTP
	// Server as soon as ShutdownDelayDuration has elapsed.
	// If enabled, after ShutdownDelayDuration elapses, any incoming request is
	// rejected with a 429 status code and a 'Retry-After' response.
	ShutdownSendRetryAfter bool

	// ShutdownWatchTerminationGracePeriod, if set to a positive value,
	// is the maximum duration the apiserver will wait for all active
	// watch request(s) to drain.
	// Once this grace period elapses, the apiserver will no longer
	// wait for any active watch request(s) in flight to drain, it will
	// proceed to the next step in the graceful server shutdown process.
	// If set to a positive value, the apiserver will keep track of the
	// number of active watch request(s) in flight and during shutdown
	// it will wait, at most, for the specified duration and allow these
	// active watch requests to drain with some rate limiting in effect.
	// The default is zero, which implies the apiserver will not keep
	// track of active watch request(s) in flight and will not wait
	// for them to drain, this maintains backward compatibility.
	// This grace period is orthogonal to other grace periods, and
	// it is not overridden by any other grace period.
	ShutdownWatchTerminationGracePeriod time.Duration

	// ComponentGlobalsRegistry is the registry where the effective versions and feature gates for all components are stored.
	ComponentGlobalsRegistry featuregate.ComponentGlobalsRegistry
	// ComponentName is name under which the server's global variabled are registered in the ComponentGlobalsRegistry.
	ComponentName string
}

ServerRunOptions contains the options while running a generic api server.

func NewServerRunOptions

func NewServerRunOptions() *ServerRunOptions

func NewServerRunOptionsForComponent added in v0.31.0

func NewServerRunOptionsForComponent(componentName string, componentGlobalsRegistry featuregate.ComponentGlobalsRegistry) *ServerRunOptions

func (*ServerRunOptions) AddUniversalFlags

func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet)

AddUniversalFlags adds flags for a specific APIServer to the specified FlagSet

func (*ServerRunOptions) ApplyTo

func (s *ServerRunOptions) ApplyTo(c *server.Config) error

ApplyTo applies the run options to the method receiver and returns self

func (*ServerRunOptions) Complete added in v0.31.0

func (s *ServerRunOptions) Complete() error

Complete fills missing fields with defaults.

func (*ServerRunOptions) DefaultAdvertiseAddress

func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions) error

DefaultAdvertiseAddress sets the field AdvertiseAddress if unset. The field will be set based on the SecureServingOptions.

func (*ServerRunOptions) Validate

func (s *ServerRunOptions) Validate() []error

Validate checks validation of ServerRunOptions

type SimpleStorageFactory added in v0.26.0

type SimpleStorageFactory struct {
	StorageConfig storagebackend.Config
}

SimpleStorageFactory provides a StorageFactory implementation that should be used when different resources essentially share the same storage config (as defined by the given storagebackend.Config). It assumes the resources are stored at a path that is purely based on the schema.GroupResource. Users that need flexibility and per resource overrides should use DefaultStorageFactory instead.

func (*SimpleStorageFactory) Backends added in v0.26.0

func (s *SimpleStorageFactory) Backends() []serverstorage.Backend

func (*SimpleStorageFactory) Configs added in v0.26.7

func (*SimpleStorageFactory) NewConfig added in v0.26.0

func (*SimpleStorageFactory) ResourcePrefix added in v0.26.0

func (s *SimpleStorageFactory) ResourcePrefix(resource schema.GroupResource) string

type StorageFactoryRestOptionsFactory

type StorageFactoryRestOptionsFactory struct {
	Options        EtcdOptions
	StorageFactory serverstorage.StorageFactory
}

func (*StorageFactoryRestOptionsFactory) GetRESTOptions

type TracingOptions added in v0.22.0

type TracingOptions struct {
	// ConfigFile is the file path with api-server tracing configuration.
	ConfigFile string
}

TracingOptions contain configuration options for tracing exporters

func NewTracingOptions added in v0.22.0

func NewTracingOptions() *TracingOptions

NewTracingOptions creates a new instance of TracingOptions

func (*TracingOptions) AddFlags added in v0.22.0

func (o *TracingOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags related to tracing to the specified FlagSet

func (*TracingOptions) ApplyTo added in v0.22.0

ApplyTo fills up Tracing config with options.

func (*TracingOptions) Validate added in v0.22.0

func (o *TracingOptions) Validate() (errs []error)

Validate verifies flags passed to TracingOptions.

Directories

Path Synopsis
authenticationconfig
authorizationconfig

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL