Documentation ¶
Overview ¶
Package options contains flags and options for initializing kube-apiserver
Index ¶
- Constants
- Variables
- func DefaultOffAdmissionPlugins() sets.String
- func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
- func RegisterAllAdmissionPlugins(plugins *admission.Plugins)
- type AdmissionOptions
- type AnonymousAuthenticationOptions
- type BootstrapTokenAuthenticationOptions
- type BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
- func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)
- func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, ...) error
- func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)
- func (o *BuiltInAuthenticationOptions) Validate() []error
- func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions
- type BuiltInAuthorizationOptions
- type CloudProviderOptions
- type OIDCAuthenticationOptions
- type ServiceAccountAuthenticationOptions
- type TokenFileAuthenticationOptions
- type WebHookAuthenticationOptions
Constants ¶
// DefaultEtcdPathPrefix is the default etcd key prefix for the API server.
// NOTE(review): every API object key presumably lives under this prefix, so
// etcd-level access control and backups would be scoped to it; confirm where
// the constant is consumed.
const DefaultEtcdPathPrefix = "/registry"
DefaultEtcdPathPrefix is the default key prefix of etcd for API Server
Variables ¶
// AllOrderedPlugins is the list of all the plugins in order.
//
// RegisterAllAdmissionPlugins documents this slice as the reference for
// execution order (registration order is irrelevant), so the position of an
// entry here is significant: moving or inserting an entry changes when that
// plugin sees a request relative to the others.
var AllOrderedPlugins = []string{
	admit.PluginName,
	autoprovision.PluginName,
	lifecycle.PluginName,
	exists.PluginName,
	scdeny.PluginName,
	antiaffinity.PluginName,
	limitranger.PluginName,
	serviceaccount.PluginName,
	noderestriction.PluginName,
	nodetaint.PluginName,
	alwayspullimages.PluginName,
	imagepolicy.PluginName,
	podsecurity.PluginName,
	podsecuritypolicy.PluginName,
	podnodeselector.PluginName,
	podpriority.PluginName,
	defaulttolerationseconds.PluginName,
	podtolerationrestriction.PluginName,
	eventratelimit.PluginName,
	extendedresourcetoleration.PluginName,
	label.PluginName,
	setdefault.PluginName,
	storageobjectinuseprotection.PluginName,
	gc.PluginName,
	resize.PluginName,
	runtimeclass.PluginName,
	certapproval.PluginName,
	certsigning.PluginName,
	certsubjectrestriction.PluginName,
	defaultingressclass.PluginName,
	denyserviceexternalips.PluginName,
	// NOTE(review): the webhook, resourcequota and deny entries are the last
	// four in the list. That placement looks deliberate (they run after the
	// in-tree plugins above); keep new entries above this point unless the
	// intended execution order has been confirmed.
	mutatingwebhook.PluginName,
	validatingwebhook.PluginName,
	resourcequota.PluginName,
	deny.PluginName,
}
AllOrderedPlugins is the list of all the plugins in order.
// DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate
// service cluster IPs. The literal is 10.0.0.0 with a 24-bit mask out of 32
// bits, i.e. 10.0.0.0/24.
var DefaultServiceIPCIDR = net.IPNet{IP: netutils.ParseIPSloppy("10.0.0.0"), Mask: net.CIDRMask(24, 32)}
DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs
// DefaultServiceNodePortRange is the default port range for NodePort services.
// Base is 30000 and Size is 2768; presumably that means ports 30000 through
// 32767 if Size counts ports starting at Base — confirm against
// utilnet.PortRange. Host firewall rules for NodePort traffic should match
// whatever range is actually configured.
var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}
DefaultServiceNodePortRange is the default port range for NodePort services.
Functions ¶
func DefaultOffAdmissionPlugins ¶ added in v1.10.0
DefaultOffAdmissionPlugins returns the admission plugins that are off by default for kube-apiserver.
func NewSecureServingOptions ¶
func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
NewSecureServingOptions gives default values for the kube-apiserver, which are not the options wanted by "normal" API servers running on the platform.
func RegisterAllAdmissionPlugins ¶ added in v1.10.0
RegisterAllAdmissionPlugins registers all admission plugins. The order of registration is irrelevant, see AllOrderedPlugins for execution order.
Types ¶
type AdmissionOptions ¶ added in v1.10.0
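// AdmissionOptions holds the admission options.
// It wraps the generic AdmissionOptions.
//
// The declaration is laid out one field per line: when it is collapsed onto a
// single line, the first line comment swallows every field after it and the
// closing brace.
type AdmissionOptions struct {
	// GenericAdmission holds the generic admission options.
	GenericAdmission *genericoptions.AdmissionOptions
	// PluginNames backs a DEPRECATED flag; use EnabledAdmissionPlugins and
	// DisabledAdmissionPlugins instead. The deprecated and the replacement
	// settings are mutually exclusive: specifying both leads to an error.
	PluginNames []string
}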
AdmissionOptions holds the admission options. It wraps the generic AdmissionOptions.
func NewAdmissionOptions ¶ added in v1.10.0
func NewAdmissionOptions() *AdmissionOptions
NewAdmissionOptions creates a new instance of AdmissionOptions.
Note: in addition, it calls RegisterAllAdmissionPlugins to register all kube-apiserver admission plugins. It provides the list of RecommendedPluginOrder, which holds sane values that can be used by servers that don't care about the admission chain. Servers that do care can overwrite or append to that field after creation.
func (*AdmissionOptions) AddFlags ¶ added in v1.10.0
func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet
func (*AdmissionOptions) ApplyTo ¶ added in v1.10.0
func (a *AdmissionOptions) ApplyTo( c *server.Config, informers informers.SharedInformerFactory, kubeAPIServerClientConfig *rest.Config, features featuregate.FeatureGate, pluginInitializers ...admission.PluginInitializer, ) error
ApplyTo adds the admission chain to the server configuration. Kube-apiserver simply calls the generic AdmissionOptions.ApplyTo.
func (*AdmissionOptions) Validate ¶ added in v1.10.0
func (a *AdmissionOptions) Validate() []error
Validate verifies the flags passed to kube-apiserver AdmissionOptions. Kube-apiserver verifies PluginNames and then calls the generic AdmissionOptions.Validate.
type AnonymousAuthenticationOptions ¶
// AnonymousAuthenticationOptions contains anonymous authentication options for
// the API server.
type AnonymousAuthenticationOptions struct {
	// Allow presumably controls whether requests that present no credentials
	// are accepted under an anonymous identity — confirm in AddFlags and
	// ToAuthenticationConfig (not shown). When it is true, what such callers
	// can reach is decided entirely by the authorization configuration, so the
	// two should be reviewed together.
	Allow bool
}
AnonymousAuthenticationOptions contains anonymous authentication options for API Server
type BootstrapTokenAuthenticationOptions ¶
// BootstrapTokenAuthenticationOptions contains bootstrap token authentication
// options for the API server.
type BootstrapTokenAuthenticationOptions struct {
	// Enable presumably turns the bootstrap token authenticator on or off —
	// confirm in ToAuthenticationConfig (not shown). NOTE(review): if the
	// authenticator is only needed while nodes join, leaving it enabled
	// afterwards keeps one more credential type accepted by the server.
	Enable bool
}
BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server
type BuiltInAuthenticationOptions ¶
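// BuiltInAuthenticationOptions contains all built-in authentication options for
// the API server.
//
// The declaration is laid out one field per line; collapsed onto a single line
// the fields have no separators and the struct does not parse.
//
// Each authenticator has its own pointer-typed options field. NOTE(review):
// the With* methods are documented as setting defaults per authenticator, so a
// nil field presumably means that authenticator is not configured — confirm in
// ToAuthenticationConfig (not shown).
type BuiltInAuthenticationOptions struct {
	// APIAudiences presumably lists the audiences the API server accepts in
	// tokens — TODO confirm against ToAuthenticationConfig.
	APIAudiences    []string
	Anonymous       *AnonymousAuthenticationOptions
	BootstrapToken  *BootstrapTokenAuthenticationOptions
	ClientCert      *genericoptions.ClientCertAuthenticationOptions
	OIDC            *OIDCAuthenticationOptions
	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
	ServiceAccounts *ServiceAccountAuthenticationOptions
	TokenFile       *TokenFileAuthenticationOptions
	WebHook         *WebHookAuthenticationOptions

	// Token cache lifetimes; NewBuiltInAuthenticationOptions is documented as
	// setting their defaults. NOTE(review): a cached success presumably keeps
	// a token accepted until the TTL lapses even if it has been revoked in the
	// meantime, so the success TTL bounds revocation latency — confirm where
	// these values are consumed.
	TokenSuccessCacheTTL time.Duration
	TokenFailureCacheTTL time.Duration
}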
BuiltInAuthenticationOptions contains all built-in authentication options for API Server
func NewBuiltInAuthenticationOptions ¶
func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions
NewBuiltInAuthenticationOptions creates a new BuiltInAuthenticationOptions and sets only the default token cache TTL.
func (*BuiltInAuthenticationOptions) AddFlags ¶
func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds the authentication flags for an API Server to the given FlagSet.
func (*BuiltInAuthenticationOptions) ApplyAuthorization ¶
func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)
ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func (*BuiltInAuthenticationOptions) ApplyTo ¶
func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error
ApplyTo requires that OpenAPIConfig and EgressSelector, if present, have already been applied.
func (*BuiltInAuthenticationOptions) ToAuthenticationConfig ¶
func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)
ToAuthenticationConfig converts BuiltInAuthenticationOptions to kubeauthenticator.Config.
func (*BuiltInAuthenticationOptions) Validate ¶
func (o *BuiltInAuthenticationOptions) Validate() []error
Validate checks for invalid configuration combinations.
func (*BuiltInAuthenticationOptions) WithAll ¶
func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions
WithAll sets the default value for every built-in authentication option.
func (*BuiltInAuthenticationOptions) WithAnonymous ¶ added in v1.8.0
func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions
WithAnonymous sets the default value for anonymous authentication.
func (*BuiltInAuthenticationOptions) WithBootstrapToken ¶
func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions
WithBootstrapToken sets the default value for bootstrap token authentication.
func (*BuiltInAuthenticationOptions) WithClientCert ¶
func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions
WithClientCert sets the default value for client certificate authentication.
func (*BuiltInAuthenticationOptions) WithOIDC ¶
func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
WithOIDC sets the default value for OIDC authentication.
func (*BuiltInAuthenticationOptions) WithRequestHeader ¶
func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions
WithRequestHeader sets the default value for request header authentication.
func (*BuiltInAuthenticationOptions) WithServiceAccounts ¶
func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions
WithServiceAccounts sets the default value for service account authentication.
func (*BuiltInAuthenticationOptions) WithTokenFile ¶
func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions
WithTokenFile sets the default value for token file authentication.
func (*BuiltInAuthenticationOptions) WithWebHook ¶
func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions
WithWebHook sets the default value for webhook authentication.
type BuiltInAuthorizationOptions ¶
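// BuiltInAuthorizationOptions contains all built-in authorization options for
// the API server.
//
// The declaration is laid out one field per line: when it is collapsed onto a
// single line, the first line comment swallows the WebhookRetryBackoff field
// and the closing brace.
type BuiltInAuthorizationOptions struct {
	// Modes presumably names the enabled authorizers — TODO confirm in
	// ToAuthorizationConfig. Validate is documented as rejecting invalid
	// combinations; which combinations it rejects is not visible here.
	Modes []string
	// PolicyFile, WebhookConfigFile and WebhookVersion are plain strings here;
	// presumably file paths and an API version consumed by the matching
	// authorizer modes — confirm against AddFlags.
	PolicyFile        string
	WebhookConfigFile string
	WebhookVersion    string
	// WebhookCacheAuthorizedTTL presumably bounds how long an "authorized"
	// webhook decision is cached. NOTE(review): if so, a longer TTL delays the
	// effect of a permission being revoked at the webhook backend.
	WebhookCacheAuthorizedTTL time.Duration
	// WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff
}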
BuiltInAuthorizationOptions contains all built-in authorization options for API Server
func NewBuiltInAuthorizationOptions ¶
func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions
NewBuiltInAuthorizationOptions creates a BuiltInAuthorizationOptions with default values.
func (*BuiltInAuthorizationOptions) AddFlags ¶
func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds the authorization flags for an API Server to the given FlagSet.
func (*BuiltInAuthorizationOptions) ToAuthorizationConfig ¶
func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config
ToAuthorizationConfig converts BuiltInAuthorizationOptions to authorizer.Config.
func (*BuiltInAuthorizationOptions) Validate ¶
func (o *BuiltInAuthorizationOptions) Validate() []error
Validate checks for invalid configuration combinations.
type CloudProviderOptions ¶
CloudProviderOptions contains cloud provider config
func NewCloudProviderOptions ¶
func NewCloudProviderOptions() *CloudProviderOptions
NewCloudProviderOptions creates a default CloudProviderOptions
func (*CloudProviderOptions) AddFlags ¶
func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds the cloud provider flags for an API Server to the given FlagSet.
func (*CloudProviderOptions) Validate ¶
func (s *CloudProviderOptions) Validate() []error
Validate checks for invalid configuration.
type OIDCAuthenticationOptions ¶
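// OIDCAuthenticationOptions contains OIDC authentication options for the API
// server.
//
// The declaration is laid out one field per line; collapsed onto a single line
// the fields have no separators and the struct does not parse. Field order is
// unchanged.
type OIDCAuthenticationOptions struct {
	// CAFile is presumably the CA bundle used to verify the issuer's TLS
	// certificate — TODO confirm how an empty value is treated.
	CAFile string
	// ClientID and IssuerURL presumably pin which tokens are accepted (the
	// expected audience and the issuer) — confirm in ToAuthenticationConfig.
	ClientID  string
	IssuerURL string
	// UsernameClaim/GroupsClaim presumably select the token claims mapped to
	// the user name and groups; the *Prefix fields are presumably prepended to
	// those values. NOTE(review): prefixes are the usual way to keep
	// externally issued identities from colliding with names the cluster
	// already trusts, so empty prefixes deserve a second look.
	UsernameClaim  string
	UsernamePrefix string
	GroupsClaim    string
	GroupsPrefix   string
	// SigningAlgs presumably restricts the accepted token signature
	// algorithms — TODO confirm the default set.
	SigningAlgs []string
	// RequiredClaims presumably lists claim name/value pairs a token must
	// carry to be accepted.
	RequiredClaims map[string]string
}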
OIDCAuthenticationOptions contains OIDC authentication options for API Server
type ServiceAccountAuthenticationOptions ¶
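// ServiceAccountAuthenticationOptions contains service account authentication
// options for the API server.
//
// The declaration is laid out one field per line; collapsed onto a single line
// the fields have no separators and the struct does not parse. Field order is
// unchanged.
type ServiceAccountAuthenticationOptions struct {
	// KeyFiles presumably lists the key files used to verify service account
	// tokens — TODO confirm; treat the files themselves as sensitive.
	KeyFiles []string
	// Lookup presumably makes token validation also check that the token
	// still exists server-side. NOTE(review): if so, disabling it would let a
	// deleted token keep validating until it expires — confirm in
	// ToAuthenticationConfig.
	Lookup bool
	// Issuers and JWKSURI presumably describe the token issuer identifiers and
	// where the public key set is published.
	Issuers []string
	JWKSURI string
	// MaxExpiration presumably caps the lifetime of issued tokens;
	// ExtendExpiration presumably allows a longer lifetime than requested.
	// Both widen or narrow the window in which a leaked token is usable, so
	// confirm their exact semantics before changing defaults.
	MaxExpiration    time.Duration
	ExtendExpiration bool
}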
ServiceAccountAuthenticationOptions contains service account authentication options for API Server
type TokenFileAuthenticationOptions ¶
// TokenFileAuthenticationOptions contains token file authentication options
// for the API server.
type TokenFileAuthenticationOptions struct {
	// TokenFile is presumably the path of a file holding static bearer tokens
	// — confirm in AddFlags (not shown). NOTE(review): a file like that
	// carries long-lived credentials in clear text, so its filesystem
	// permissions and presence in backups should be reviewed wherever this
	// option is set.
	TokenFile string
}
TokenFileAuthenticationOptions contains token file authentication options for API Server
type WebHookAuthenticationOptions ¶
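// WebHookAuthenticationOptions contains webhook authentication options for the
// API server.
//
// The declaration is laid out one field per line: when it is collapsed onto a
// single line, the first line comment swallows the RetryBackoff field and the
// closing brace.
type WebHookAuthenticationOptions struct {
	// ConfigFile and Version are plain strings here; presumably the path of
	// the webhook client configuration and the API version spoken to the
	// webhook — confirm against AddFlags.
	ConfigFile string
	Version    string
	// CacheTTL presumably bounds how long a webhook authentication result is
	// cached. NOTE(review): if so, it also bounds how long a token revoked at
	// the webhook backend keeps being accepted.
	CacheTTL time.Duration
	// RetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	RetryBackoff *wait.Backoff
}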
WebHookAuthenticationOptions contains web hook authentication options for API Server