options

package
v1.24.11 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 22, 2023 License: Apache-2.0 Imports: 64 Imported by: 176

Documentation

Overview

Package options contains flags and options for initializing kube-apiserver

Index

Constants

View Source 
const DefaultEtcdPathPrefix = "/registry"

DefaultEtcdPathPrefix is the default key prefix of etcd for API Server

Variables

View Source 
var AllOrderedPlugins = []string{
	admit.PluginName,
	autoprovision.PluginName,
	lifecycle.PluginName,
	exists.PluginName,
	scdeny.PluginName,
	antiaffinity.PluginName,
	limitranger.PluginName,
	serviceaccount.PluginName,
	noderestriction.PluginName,
	nodetaint.PluginName,
	alwayspullimages.PluginName,
	imagepolicy.PluginName,
	podsecurity.PluginName,
	podsecuritypolicy.PluginName,
	podnodeselector.PluginName,
	podpriority.PluginName,
	defaulttolerationseconds.PluginName,
	podtolerationrestriction.PluginName,
	eventratelimit.PluginName,
	extendedresourcetoleration.PluginName,
	label.PluginName,
	setdefault.PluginName,
	storageobjectinuseprotection.PluginName,
	gc.PluginName,
	resize.PluginName,
	runtimeclass.PluginName,
	certapproval.PluginName,
	certsigning.PluginName,
	certsubjectrestriction.PluginName,
	defaultingressclass.PluginName,
	denyserviceexternalips.PluginName,

	mutatingwebhook.PluginName,
	validatingwebhook.PluginName,
	resourcequota.PluginName,
	deny.PluginName,
}

AllOrderedPlugins is the list of all the plugins in order.

View Source 
var DefaultServiceIPCIDR = net.IPNet{IP: netutils.ParseIPSloppy("10.0.0.0"), Mask: net.CIDRMask(24, 32)}

DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs

View Source 
var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}

DefaultServiceNodePortRange is the default port range for NodePort services.

Functions

func DefaultOffAdmissionPlugins added in v1.10.0 

func DefaultOffAdmissionPlugins() sets.String

DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.

func NewSecureServingOptions 

func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback

NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by "normal" API servers running on the platform

func RegisterAllAdmissionPlugins added in v1.10.0 

func RegisterAllAdmissionPlugins(plugins *admission.Plugins)

RegisterAllAdmissionPlugins registers all admission plugins. The order of registration is irrelevant, see AllOrderedPlugins for execution order.

Types

type AdmissionOptions added in v1.10.0 

type AdmissionOptions struct {
	// GenericAdmission holds the generic admission options.
	GenericAdmission *genericoptions.AdmissionOptions
	// DEPRECATED flag, should use EnabledAdmissionPlugins and DisabledAdmissionPlugins.
	// They are mutually exclusive, specify both will lead to an error.
	PluginNames []string
}

AdmissionOptions holds the admission options. It is a wrap of generic AdmissionOptions.

func NewAdmissionOptions added in v1.10.0 

func NewAdmissionOptions() *AdmissionOptions

NewAdmissionOptions creates a new instance of AdmissionOptions Note: 

In addition it calls RegisterAllAdmissionPlugins to register
all kube-apiserver admission plugins.

Provides the list of RecommendedPluginOrder that holds sane values
that can be used by servers that don't care about admission chain.
Servers that do care can overwrite/append that field after creation.

func (*AdmissionOptions) AddFlags added in v1.10.0 

func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet

func (*AdmissionOptions) ApplyTo added in v1.10.0 

func (a *AdmissionOptions) ApplyTo(
	c *server.Config,
	informers informers.SharedInformerFactory,
	kubeAPIServerClientConfig *rest.Config,
	features featuregate.FeatureGate,
	pluginInitializers ...admission.PluginInitializer,
) error

ApplyTo adds the admission chain to the server configuration. Kube-apiserver just call generic AdmissionOptions.ApplyTo.

func (*AdmissionOptions) Validate added in v1.10.0 

func (a *AdmissionOptions) Validate() []error

Validate verifies flags passed to kube-apiserver AdmissionOptions. Kube-apiserver verifies PluginNames and then call generic AdmissionOptions.Validate.

type AnonymousAuthenticationOptions 

type AnonymousAuthenticationOptions struct {
	Allow bool
}

AnonymousAuthenticationOptions contains anonymous authentication options for API Server

type BootstrapTokenAuthenticationOptions 

type BootstrapTokenAuthenticationOptions struct {
	Enable bool
}

BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server

type BuiltInAuthenticationOptions 

type BuiltInAuthenticationOptions struct {
	APIAudiences    []string
	Anonymous       *AnonymousAuthenticationOptions
	BootstrapToken  *BootstrapTokenAuthenticationOptions
	ClientCert      *genericoptions.ClientCertAuthenticationOptions
	OIDC            *OIDCAuthenticationOptions
	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
	ServiceAccounts *ServiceAccountAuthenticationOptions
	TokenFile       *TokenFileAuthenticationOptions
	WebHook         *WebHookAuthenticationOptions

	TokenSuccessCacheTTL time.Duration
	TokenFailureCacheTTL time.Duration
}

BuiltInAuthenticationOptions contains all build-in authentication options for API Server

func NewBuiltInAuthenticationOptions 

func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions

NewBuiltInAuthenticationOptions create a new BuiltInAuthenticationOptions, just set default token cache TTL

func (*BuiltInAuthenticationOptions) AddFlags 

func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)

AddFlags returns flags of authentication for a API Server

func (*BuiltInAuthenticationOptions) ApplyAuthorization 

func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)

ApplyAuthorization will conditionally modify the authentication options based on the authorization options

func (*BuiltInAuthenticationOptions) ApplyTo 

func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, openAPIV3Config *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error

ApplyTo requires already applied OpenAPIConfig and EgressSelector if present.

func (*BuiltInAuthenticationOptions) ToAuthenticationConfig 

func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)

ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config

func (*BuiltInAuthenticationOptions) Validate 

func (o *BuiltInAuthenticationOptions) Validate() []error

Validate checks invalid config combination

func (*BuiltInAuthenticationOptions) WithAll 

func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions

WithAll set default value for every build-in authentication option

func (*BuiltInAuthenticationOptions) WithAnonymous added in v1.8.0 

func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions

WithAnonymous set default value for anonymous authentication

func (*BuiltInAuthenticationOptions) WithBootstrapToken 

func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions

WithBootstrapToken set default value for bootstrap token authentication

func (*BuiltInAuthenticationOptions) WithClientCert 

func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions

WithClientCert set default value for client cert

func (*BuiltInAuthenticationOptions) WithOIDC 

func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions

WithOIDC set default value for OIDC authentication

func (*BuiltInAuthenticationOptions) WithRequestHeader 

func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions

WithRequestHeader set default value for request header authentication

func (*BuiltInAuthenticationOptions) WithServiceAccounts 

func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions

WithServiceAccounts set default value for service account authentication

func (*BuiltInAuthenticationOptions) WithTokenFile 

func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions

WithTokenFile set default value for token file authentication

func (*BuiltInAuthenticationOptions) WithWebHook 

func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions

WithWebHook set default value for web hook authentication

type BuiltInAuthorizationOptions 

type BuiltInAuthorizationOptions struct {
	Modes                       []string
	PolicyFile                  string
	WebhookConfigFile           string
	WebhookVersion              string
	WebhookCacheAuthorizedTTL   time.Duration
	WebhookCacheUnauthorizedTTL time.Duration
	// WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff
}

BuiltInAuthorizationOptions contains all build-in authorization options for API Server

func NewBuiltInAuthorizationOptions 

func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions

NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value

func (*BuiltInAuthorizationOptions) AddFlags 

func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)

AddFlags returns flags of authorization for a API Server

func (*BuiltInAuthorizationOptions) ToAuthorizationConfig 

func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config

ToAuthorizationConfig convert BuiltInAuthorizationOptions to authorizer.Config

func (*BuiltInAuthorizationOptions) Validate 

func (o *BuiltInAuthorizationOptions) Validate() []error

Validate checks invalid config combination

type CloudProviderOptions 

type CloudProviderOptions struct {
	CloudConfigFile string
	CloudProvider   string
}

CloudProviderOptions contains cloud provider config

func NewCloudProviderOptions 

func NewCloudProviderOptions() *CloudProviderOptions

NewCloudProviderOptions creates a default CloudProviderOptions

func (*CloudProviderOptions) AddFlags 

func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet)

AddFlags returns flags of cloud provider for a API Server

func (*CloudProviderOptions) Validate 

func (s *CloudProviderOptions) Validate() []error

Validate checks invalid config

type OIDCAuthenticationOptions 

type OIDCAuthenticationOptions struct {
	CAFile         string
	ClientID       string
	IssuerURL      string
	UsernameClaim  string
	UsernamePrefix string
	GroupsClaim    string
	GroupsPrefix   string
	SigningAlgs    []string
	RequiredClaims map[string]string
}

OIDCAuthenticationOptions contains OIDC authentication options for API Server

type ServiceAccountAuthenticationOptions 

type ServiceAccountAuthenticationOptions struct {
	KeyFiles         []string
	Lookup           bool
	Issuers          []string
	JWKSURI          string
	MaxExpiration    time.Duration
	ExtendExpiration bool
}

ServiceAccountAuthenticationOptions contains service account authentication options for API Server

type TokenFileAuthenticationOptions 

type TokenFileAuthenticationOptions struct {
	TokenFile string
}

TokenFileAuthenticationOptions contains token file authentication options for API Server

type WebHookAuthenticationOptions 

type WebHookAuthenticationOptions struct {
	ConfigFile string
	Version    string
	CacheTTL   time.Duration

	// RetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	RetryBackoff *wait.Backoff
}

WebHookAuthenticationOptions contains web hook authentication options for API Server

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.