Documentation ¶
Overview ¶
Package options contains flags and options for initializing kube-apiserver
Index ¶
- Constants
- Variables
- func DefaultOffAdmissionPlugins() sets.String
- func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
- func RegisterAllAdmissionPlugins(plugins *admission.Plugins)
- type AdmissionOptions
- type AnonymousAuthenticationOptions
- type BootstrapTokenAuthenticationOptions
- type BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
- func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)
- func (o *BuiltInAuthenticationOptions) ApplyTo(ctx context.Context, authInfo *genericapiserver.AuthenticationInfo, ...) error
- func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)
- func (o *BuiltInAuthenticationOptions) Validate() []error
- func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions
- func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions
- type BuiltInAuthorizationOptions
- func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)
- func (o *BuiltInAuthorizationOptions) Complete() []error
- func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) (*authorizer.Config, error)
- func (o *BuiltInAuthorizationOptions) Validate() []error
- type CloudProviderOptions
- type OIDCAuthenticationOptions
- type ServiceAccountAuthenticationOptions
- type TokenFileAuthenticationOptions
- type WebHookAuthenticationOptions
Constants ¶
const DefaultEtcdPathPrefix = "/registry"
DefaultEtcdPathPrefix is the default key prefix of etcd for API Server
Variables ¶
var AllOrderedPlugins = []string{ admit.PluginName, autoprovision.PluginName, lifecycle.PluginName, exists.PluginName, antiaffinity.PluginName, limitranger.PluginName, serviceaccount.PluginName, noderestriction.PluginName, nodetaint.PluginName, alwayspullimages.PluginName, imagepolicy.PluginName, podsecurity.PluginName, podnodeselector.PluginName, podpriority.PluginName, defaulttolerationseconds.PluginName, podtolerationrestriction.PluginName, eventratelimit.PluginName, extendedresourcetoleration.PluginName, label.PluginName, setdefault.PluginName, storageobjectinuseprotection.PluginName, gc.PluginName, resize.PluginName, runtimeclass.PluginName, certapproval.PluginName, certsigning.PluginName, ctbattest.PluginName, certsubjectrestriction.PluginName, defaultingressclass.PluginName, denyserviceexternalips.PluginName, mutatingwebhook.PluginName, validatingadmissionpolicy.PluginName, validatingwebhook.PluginName, resourcequota.PluginName, deny.PluginName, }
AllOrderedPlugins is the list of all the plugins in order.
var DefaultServiceIPCIDR = net.IPNet{IP: netutils.ParseIPSloppy("10.0.0.0"), Mask: net.CIDRMask(24, 32)}
DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs
var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}
DefaultServiceNodePortRange is the default port range for NodePort services.
var UpdateAuthenticationConfigTimeout = time.Minute
UpdateAuthenticationConfigTimeout controls how long we wait for calls to updateAuthenticationConfig to succeed. Exported as a variable so that it can be overridden in integration tests.
Functions ¶
func DefaultOffAdmissionPlugins ¶ added in v1.10.0
DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
func NewSecureServingOptions ¶
func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by "normal" API servers running on the platform
func RegisterAllAdmissionPlugins ¶ added in v1.10.0
RegisterAllAdmissionPlugins registers all admission plugins. The order of registration is irrelevant, see AllOrderedPlugins for execution order.
Types ¶
type AdmissionOptions ¶ added in v1.10.0
type AdmissionOptions struct { // GenericAdmission holds the generic admission options. GenericAdmission *genericoptions.AdmissionOptions // DEPRECATED flag, should use EnabledAdmissionPlugins and DisabledAdmissionPlugins. // They are mutually exclusive, specify both will lead to an error. PluginNames []string }
AdmissionOptions holds the admission options. It is a wrap of generic AdmissionOptions.
func NewAdmissionOptions ¶ added in v1.10.0
func NewAdmissionOptions() *AdmissionOptions
NewAdmissionOptions creates a new instance of AdmissionOptions Note:
In addition it calls RegisterAllAdmissionPlugins to register all kube-apiserver admission plugins. Provides the list of RecommendedPluginOrder that holds sane values that can be used by servers that don't care about admission chain. Servers that do care can overwrite/append that field after creation.
func (*AdmissionOptions) AddFlags ¶ added in v1.10.0
func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)
AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet
func (*AdmissionOptions) ApplyTo ¶ added in v1.10.0
func (a *AdmissionOptions) ApplyTo( c *server.Config, informers informers.SharedInformerFactory, kubeClient kubernetes.Interface, dynamicClient dynamic.Interface, features featuregate.FeatureGate, pluginInitializers ...admission.PluginInitializer, ) error
ApplyTo adds the admission chain to the server configuration. Kube-apiserver just call generic AdmissionOptions.ApplyTo.
func (*AdmissionOptions) Validate ¶ added in v1.10.0
func (a *AdmissionOptions) Validate() []error
Validate verifies flags passed to kube-apiserver AdmissionOptions. Kube-apiserver verifies PluginNames and then call generic AdmissionOptions.Validate.
type AnonymousAuthenticationOptions ¶
type AnonymousAuthenticationOptions struct {
Allow bool
}
AnonymousAuthenticationOptions contains anonymous authentication options for API Server
type BootstrapTokenAuthenticationOptions ¶
type BootstrapTokenAuthenticationOptions struct {
Enable bool
}
BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server
type BuiltInAuthenticationOptions ¶
type BuiltInAuthenticationOptions struct { APIAudiences []string Anonymous *AnonymousAuthenticationOptions BootstrapToken *BootstrapTokenAuthenticationOptions ClientCert *genericoptions.ClientCertAuthenticationOptions OIDC *OIDCAuthenticationOptions RequestHeader *genericoptions.RequestHeaderAuthenticationOptions ServiceAccounts *ServiceAccountAuthenticationOptions TokenFile *TokenFileAuthenticationOptions WebHook *WebHookAuthenticationOptions AuthenticationConfigFile string TokenSuccessCacheTTL time.Duration TokenFailureCacheTTL time.Duration }
BuiltInAuthenticationOptions contains all build-in authentication options for API Server
func NewBuiltInAuthenticationOptions ¶
func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions
NewBuiltInAuthenticationOptions create a new BuiltInAuthenticationOptions, just set default token cache TTL
func (*BuiltInAuthenticationOptions) AddFlags ¶
func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)
AddFlags returns flags of authentication for a API Server
func (*BuiltInAuthenticationOptions) ApplyAuthorization ¶
func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)
ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func (*BuiltInAuthenticationOptions) ApplyTo ¶
func (o *BuiltInAuthenticationOptions) ApplyTo( ctx context.Context, authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, openAPIV3Config *openapicommon.OpenAPIV3Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory, apiServerID string) error
ApplyTo requires already applied OpenAPIConfig and EgressSelector if present. The input context controls the lifecycle of background goroutines started to reload the authentication config file.
func (*BuiltInAuthenticationOptions) ToAuthenticationConfig ¶
func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)
ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config. Returns an empty config if o is nil.
func (*BuiltInAuthenticationOptions) Validate ¶
func (o *BuiltInAuthenticationOptions) Validate() []error
Validate checks invalid config combination
func (*BuiltInAuthenticationOptions) WithAll ¶
func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions
WithAll set default value for every build-in authentication option
func (*BuiltInAuthenticationOptions) WithAnonymous ¶ added in v1.8.0
func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions
WithAnonymous set default value for anonymous authentication
func (*BuiltInAuthenticationOptions) WithBootstrapToken ¶
func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions
WithBootstrapToken set default value for bootstrap token authentication
func (*BuiltInAuthenticationOptions) WithClientCert ¶
func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions
WithClientCert set default value for client cert
func (*BuiltInAuthenticationOptions) WithOIDC ¶
func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
WithOIDC set default value for OIDC authentication
func (*BuiltInAuthenticationOptions) WithRequestHeader ¶
func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions
WithRequestHeader set default value for request header authentication
func (*BuiltInAuthenticationOptions) WithServiceAccounts ¶
func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions
WithServiceAccounts set default value for service account authentication
func (*BuiltInAuthenticationOptions) WithTokenFile ¶
func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions
WithTokenFile set default value for token file authentication
func (*BuiltInAuthenticationOptions) WithWebHook ¶
func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions
WithWebHook set default value for web hook authentication
type BuiltInAuthorizationOptions ¶
type BuiltInAuthorizationOptions struct { Modes []string PolicyFile string WebhookConfigFile string WebhookVersion string WebhookCacheAuthorizedTTL time.Duration // WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic. // This allows us to configure the sleep time at each iteration and the maximum number of retries allowed // before we fail the webhook call in order to limit the fan out that ensues when the system is degraded. WebhookRetryBackoff *wait.Backoff // AuthorizationConfigurationFile is mutually exclusive with all of: // - Modes // - WebhookConfigFile // - WebHookVersion // - WebhookCacheAuthorizedTTL // - WebhookCacheUnauthorizedTTL AuthorizationConfigurationFile string AreLegacyFlagsSet func() bool }
BuiltInAuthorizationOptions contains all build-in authorization options for API Server
func NewBuiltInAuthorizationOptions ¶
func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions
NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value
func (*BuiltInAuthorizationOptions) AddFlags ¶
func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)
AddFlags returns flags of authorization for a API Server
func (*BuiltInAuthorizationOptions) Complete ¶ added in v1.29.0
func (o *BuiltInAuthorizationOptions) Complete() []error
Complete modifies authorization options
func (*BuiltInAuthorizationOptions) ToAuthorizationConfig ¶
func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) (*authorizer.Config, error)
ToAuthorizationConfig convert BuiltInAuthorizationOptions to authorizer.Config
func (*BuiltInAuthorizationOptions) Validate ¶
func (o *BuiltInAuthorizationOptions) Validate() []error
Validate checks invalid config combination
type CloudProviderOptions ¶
CloudProviderOptions contains cloud provider config
func NewCloudProviderOptions ¶
func NewCloudProviderOptions() *CloudProviderOptions
NewCloudProviderOptions creates a default CloudProviderOptions
func (*CloudProviderOptions) AddFlags ¶
func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet)
AddFlags returns flags of cloud provider for a API Server
func (*CloudProviderOptions) Validate ¶
func (opts *CloudProviderOptions) Validate() []error
Validate checks invalid config
type OIDCAuthenticationOptions ¶
type OIDCAuthenticationOptions struct { CAFile string ClientID string IssuerURL string UsernameClaim string UsernamePrefix string GroupsClaim string GroupsPrefix string SigningAlgs []string RequiredClaims map[string]string // contains filtered or unexported fields }
OIDCAuthenticationOptions contains OIDC authentication options for API Server
type ServiceAccountAuthenticationOptions ¶
type ServiceAccountAuthenticationOptions struct { KeyFiles []string Lookup bool Issuers []string JWKSURI string MaxExpiration time.Duration ExtendExpiration bool }
ServiceAccountAuthenticationOptions contains service account authentication options for API Server
type TokenFileAuthenticationOptions ¶
type TokenFileAuthenticationOptions struct {
TokenFile string
}
TokenFileAuthenticationOptions contains token file authentication options for API Server
type WebHookAuthenticationOptions ¶
type WebHookAuthenticationOptions struct { ConfigFile string Version string CacheTTL time.Duration // RetryBackoff specifies the backoff parameters for the authentication webhook retry logic. // This allows us to configure the sleep time at each iteration and the maximum number of retries allowed // before we fail the webhook call in order to limit the fan out that ensues when the system is degraded. RetryBackoff *wait.Backoff }
WebHookAuthenticationOptions contains web hook authentication options for API Server