options

package
v1.32.0-alpha.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 17, 2024 License: Apache-2.0 Imports: 84 Imported by: 179

Documentation

Overview

Package options contains flags and options for initializing kube-apiserver

Index

Constants

View Source 
const DefaultEtcdPathPrefix = "/registry"

DefaultEtcdPathPrefix is the default key prefix of etcd for API Server

Variables

View Source 
var AllOrderedPlugins = []string{
	admit.PluginName,
	autoprovision.PluginName,
	lifecycle.PluginName,
	exists.PluginName,
	antiaffinity.PluginName,
	limitranger.PluginName,
	serviceaccount.PluginName,
	noderestriction.PluginName,
	nodetaint.PluginName,
	alwayspullimages.PluginName,
	imagepolicy.PluginName,
	podsecurity.PluginName,
	podnodeselector.PluginName,
	podpriority.PluginName,
	defaulttolerationseconds.PluginName,
	podtolerationrestriction.PluginName,
	eventratelimit.PluginName,
	extendedresourcetoleration.PluginName,
	setdefault.PluginName,
	storageobjectinuseprotection.PluginName,
	gc.PluginName,
	resize.PluginName,
	runtimeclass.PluginName,
	certapproval.PluginName,
	certsigning.PluginName,
	ctbattest.PluginName,
	certsubjectrestriction.PluginName,
	defaultingressclass.PluginName,
	denyserviceexternalips.PluginName,

	mutatingwebhook.PluginName,
	validatingadmissionpolicy.PluginName,
	validatingwebhook.PluginName,
	resourcequota.PluginName,
	deny.PluginName,
}

AllOrderedPlugins is the list of all the plugins in order.

View Source 
var DefaultServiceIPCIDR = net.IPNet{IP: netutils.ParseIPSloppy("10.0.0.0"), Mask: net.CIDRMask(24, 32)}

DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs

View Source 
var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}

DefaultServiceNodePortRange is the default port range for NodePort services.

View Source 
var UpdateAuthenticationConfigTimeout = time.Minute

UpdateAuthenticationConfigTimeout controls how long we wait for calls to updateAuthenticationConfig to succeed. Exported as a variable so that it can be overridden in integration tests.

Functions

func DefaultOffAdmissionPlugins added in v1.10.0 

func DefaultOffAdmissionPlugins() sets.Set[string]

DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.

func NewSecureServingOptions 

func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback

NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by "normal" API servers running on the platform

func RegisterAllAdmissionPlugins added in v1.10.0 

func RegisterAllAdmissionPlugins(plugins *admission.Plugins)

RegisterAllAdmissionPlugins registers all admission plugins. The order of registration is irrelevant, see AllOrderedPlugins for execution order.

Types

type AdmissionOptions added in v1.10.0 

type AdmissionOptions struct {
	// GenericAdmission holds the generic admission options.
	GenericAdmission *genericoptions.AdmissionOptions
	// DEPRECATED flag, should use EnabledAdmissionPlugins and DisabledAdmissionPlugins.
	// They are mutually exclusive, specify both will lead to an error.
	PluginNames []string
}

AdmissionOptions holds the admission options. It is a wrap of generic AdmissionOptions.

func NewAdmissionOptions added in v1.10.0 

func NewAdmissionOptions() *AdmissionOptions

NewAdmissionOptions creates a new instance of AdmissionOptions Note: 

In addition it calls RegisterAllAdmissionPlugins to register
all kube-apiserver admission plugins.

Provides the list of RecommendedPluginOrder that holds sane values
that can be used by servers that don't care about admission chain.
Servers that do care can overwrite/append that field after creation.

func (*AdmissionOptions) AddFlags added in v1.10.0 

func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet

func (*AdmissionOptions) ApplyTo added in v1.10.0 

func (a *AdmissionOptions) ApplyTo(
	c *server.Config,
	informers informers.SharedInformerFactory,
	kubeClient kubernetes.Interface,
	dynamicClient dynamic.Interface,
	features featuregate.FeatureGate,
	pluginInitializers ...admission.PluginInitializer,
) error

ApplyTo adds the admission chain to the server configuration. Kube-apiserver just call generic AdmissionOptions.ApplyTo.

func (*AdmissionOptions) Validate added in v1.10.0 

func (a *AdmissionOptions) Validate() []error

Validate verifies flags passed to kube-apiserver AdmissionOptions. Kube-apiserver verifies PluginNames and then call generic AdmissionOptions.Validate.

type AnonymousAuthenticationOptions 

type AnonymousAuthenticationOptions struct {
	Allow bool
	// contains filtered or unexported fields
}

AnonymousAuthenticationOptions contains anonymous authentication options for API Server

type BootstrapTokenAuthenticationOptions 

type BootstrapTokenAuthenticationOptions struct {
	Enable bool
}

BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server

type BuiltInAuthenticationOptions 

type BuiltInAuthenticationOptions struct {
	APIAudiences    []string
	Anonymous       *AnonymousAuthenticationOptions
	BootstrapToken  *BootstrapTokenAuthenticationOptions
	ClientCert      *genericoptions.ClientCertAuthenticationOptions
	OIDC            *OIDCAuthenticationOptions
	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
	ServiceAccounts *ServiceAccountAuthenticationOptions
	TokenFile       *TokenFileAuthenticationOptions
	WebHook         *WebHookAuthenticationOptions

	AuthenticationConfigFile string

	TokenSuccessCacheTTL time.Duration
	TokenFailureCacheTTL time.Duration
}

BuiltInAuthenticationOptions contains all build-in authentication options for API Server

func NewBuiltInAuthenticationOptions 

func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions

NewBuiltInAuthenticationOptions create a new BuiltInAuthenticationOptions, just set default token cache TTL

func (*BuiltInAuthenticationOptions) AddFlags 

func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)

AddFlags returns flags of authentication for a API Server

func (*BuiltInAuthenticationOptions) ApplyAuthorization 

func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)

ApplyAuthorization will conditionally modify the authentication options based on the authorization options

func (*BuiltInAuthenticationOptions) ApplyTo 

func (o *BuiltInAuthenticationOptions) ApplyTo(
	ctx context.Context,
	authInfo *genericapiserver.AuthenticationInfo,
	secureServing *genericapiserver.SecureServingInfo,
	egressSelector *egressselector.EgressSelector,
	openAPIConfig *openapicommon.Config,
	openAPIV3Config *openapicommon.OpenAPIV3Config,
	extclient kubernetes.Interface,
	versionedInformer informers.SharedInformerFactory,
	apiServerID string) error

ApplyTo requires already applied OpenAPIConfig and EgressSelector if present. The input context controls the lifecycle of background goroutines started to reload the authentication config file.

func (*BuiltInAuthenticationOptions) ToAuthenticationConfig 

func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)

ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config. Returns an empty config if o is nil.

func (*BuiltInAuthenticationOptions) Validate 

func (o *BuiltInAuthenticationOptions) Validate() []error

Validate checks invalid config combination

func (*BuiltInAuthenticationOptions) WithAll 

func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions

WithAll set default value for every build-in authentication option

func (*BuiltInAuthenticationOptions) WithAnonymous added in v1.8.0 

func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions

WithAnonymous set default value for anonymous authentication

func (*BuiltInAuthenticationOptions) WithBootstrapToken 

func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions

WithBootstrapToken set default value for bootstrap token authentication

func (*BuiltInAuthenticationOptions) WithClientCert 

func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions

WithClientCert set default value for client cert

func (*BuiltInAuthenticationOptions) WithOIDC 

func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions

WithOIDC set default value for OIDC authentication

func (*BuiltInAuthenticationOptions) WithRequestHeader 

func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions

WithRequestHeader set default value for request header authentication

func (*BuiltInAuthenticationOptions) WithServiceAccounts 

func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions

WithServiceAccounts set default value for service account authentication

func (*BuiltInAuthenticationOptions) WithTokenFile 

func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions

WithTokenFile set default value for token file authentication

func (*BuiltInAuthenticationOptions) WithWebHook 

func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions

WithWebHook set default value for web hook authentication

type BuiltInAuthorizationOptions 

type BuiltInAuthorizationOptions struct {
	Modes                       []string
	PolicyFile                  string
	WebhookConfigFile           string
	WebhookVersion              string
	WebhookCacheAuthorizedTTL   time.Duration
	WebhookCacheUnauthorizedTTL time.Duration
	// WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff

	// AuthorizationConfigurationFile is mutually exclusive with all of:
	//	- Modes
	//	- WebhookConfigFile
	//	- WebHookVersion
	//	- WebhookCacheAuthorizedTTL
	//	- WebhookCacheUnauthorizedTTL
	AuthorizationConfigurationFile string

	AreLegacyFlagsSet func() bool
}

BuiltInAuthorizationOptions contains all build-in authorization options for API Server

func NewBuiltInAuthorizationOptions 

func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions

NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value

func (*BuiltInAuthorizationOptions) AddFlags 

func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)

AddFlags returns flags of authorization for a API Server

func (*BuiltInAuthorizationOptions) Complete added in v1.29.0 

func (o *BuiltInAuthorizationOptions) Complete() []error

Complete modifies authorization options

func (*BuiltInAuthorizationOptions) ToAuthorizationConfig 

func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) (*authorizer.Config, error)

ToAuthorizationConfig convert BuiltInAuthorizationOptions to authorizer.Config

func (*BuiltInAuthorizationOptions) Validate 

func (o *BuiltInAuthorizationOptions) Validate() []error

Validate checks invalid config combination

type CloudProviderOptions 

type CloudProviderOptions struct {
	CloudConfigFile string
	CloudProvider   string
}

CloudProviderOptions contains cloud provider config

func NewCloudProviderOptions 

func NewCloudProviderOptions() *CloudProviderOptions

NewCloudProviderOptions creates a default CloudProviderOptions

func (*CloudProviderOptions) AddFlags 

func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet)

AddFlags returns flags of cloud provider for a API Server

func (*CloudProviderOptions) Validate 

func (opts *CloudProviderOptions) Validate() []error

Validate checks invalid config

type OIDCAuthenticationOptions 

type OIDCAuthenticationOptions struct {
	CAFile         string
	ClientID       string
	IssuerURL      string
	UsernameClaim  string
	UsernamePrefix string
	GroupsClaim    string
	GroupsPrefix   string
	SigningAlgs    []string
	RequiredClaims map[string]string
	// contains filtered or unexported fields
}

OIDCAuthenticationOptions contains OIDC authentication options for API Server

type ServiceAccountAuthenticationOptions 

type ServiceAccountAuthenticationOptions struct {
	KeyFiles         []string
	Lookup           bool
	Issuers          []string
	JWKSURI          string
	MaxExpiration    time.Duration
	ExtendExpiration bool
	// OptionalTokenGetter is a function that returns a service account token getter.
	// If not set, the default token getter will be used.
	OptionalTokenGetter func(factory informers.SharedInformerFactory) serviceaccount.ServiceAccountTokenGetter
}

ServiceAccountAuthenticationOptions contains service account authentication options for API Server

type TokenFileAuthenticationOptions 

type TokenFileAuthenticationOptions struct {
	TokenFile string
}

TokenFileAuthenticationOptions contains token file authentication options for API Server

type WebHookAuthenticationOptions 

type WebHookAuthenticationOptions struct {
	ConfigFile string
	Version    string
	CacheTTL   time.Duration

	// RetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	RetryBackoff *wait.Backoff
}

WebHookAuthenticationOptions contains web hook authentication options for API Server

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.