configuration

package
v1.20.1-rc.1
Published: Jan 8, 2025 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Constants

const CacheSyncTimeout = 2 * time.Minute

CacheSyncTimeout is the default timeout to wait for the webhook controller informers to synchronize when starting to watch cluster resources. After this timeout, if not synchronized, the watch will be cancelled, causing the process to error and exit.

const CertDir = "/certs"

CertDir matches the mountPath specified in admission-webhook.yaml.

const ContainerPort = 10250

ContainerPort is the port the webhook serves on.

To communicate with a webhook, the API Server sends requests directly to the webhook pod(s) (i.e., the target port of the webhook Service) instead of the service port of the Service.

By default, the firewall rules on a private GKE cluster restrict your cluster control plane to only initiate TCP connections to your nodes and Pods on ports 443 (HTTPS) and 10250 (kubelet). See https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules.

Setting ContainerPort to a value other than 443 or 10250 would require our customers to add a firewall rule allowing the API Server to initiate TCP connections to the webhook Pods on the port.

Setting ContainerPort to 443 requires elevated permissions, and should be avoided.

const GracefulShutdownTimeout = 10 * time.Second

GracefulShutdownTimeout is the default timeout to wait for the webhook controller to exit after receiving an exit signal (SIGTERM or SIGINT). After this timeout, the controller manager will exit anyway.

const HealthProbePort = 10258

HealthProbePort is used by the kubelet to probe the health & readiness of the webhook containers.

This port is only accessed on the same node, so it doesn't need to be allowlisted in any firewall.

const InvalidWebhookWarningCode = "2014"

InvalidWebhookWarningCode signals that the webhook was illegally modified. These issues are resolved automatically: there is no point in breaking ourselves when we encounter them, so we fix them immediately.

const Name = ShortName + "." + configsync.GroupName

Name is both: 1) The metadata.name of the ValidatingWebhookConfiguration, and 2) The .name of every ValidatingWebhook in the ValidatingWebhookConfiguration.

const ServicePort = 443

ServicePort matches the service port in the admission-webhook Service object. Use 443 here to be consistent with the settings of other webhooks in ACM.

const ServingPath = "/" + ShortName

ServingPath is the path at which the webhook is served.

const ShortName = "admission-webhook"

ShortName is the short name of the ValidatingWebhookConfiguration for the Admission Controller.

Variables

This section is empty.

Functions

func InvalidWebhookWarning

func InvalidWebhookWarning(msg string) status.Error

InvalidWebhookWarning lets the user know we removed an invalid webhook when merging.

func Merge

Merge merges two sets of ValidatingWebhookConfigurations so that the resulting Configuration matches the union of the initial two.

The intent is that left is the Configuration currently on the server and right is the Configuration generated from the declared configuration in a repository. (The logic should be symmetric, so this shouldn't have to be the case.)

The resulting merged Configuration meets the following criteria:

  1. All Webhooks contain exactly one rule, matching all resources of a given GroupVersion.
  2. Webhooks are sorted by the GroupVersion they match.
  3. All invalid webhooks are removed.

Cannot return error or panic as we never want this to get stuck.

Modifies left.
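
A simplified model of the three criteria above, added here as an illustration and not the package's own Merge implementation. Rule, Webhook, gvKey and mergeWebhooks are hypothetical names, plain structs stand in for the Kubernetes admissionregistration types, GroupVersions are ordered as plain strings, and the result is returned as a new slice instead of modifying left.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rule and Webhook are simplified stand-ins (assumptions) for the Kubernetes
// admissionregistration types: a Webhook is just its list of rules.
type Rule struct {
	Group, Version string
	Resources      []string
}
type Webhook []Rule

// gvKey returns the GroupVersion a webhook covers, or "" when the webhook is
// invalid: it must hold exactly one rule matching all resources ("*").
func gvKey(w Webhook) string {
	if len(w) != 1 || w[0].Version == "" || len(w[0].Resources) != 1 || w[0].Resources[0] != "*" {
		return ""
	}
	return strings.TrimPrefix(w[0].Group+"/"+w[0].Version, "/") // core group: "v1"
}

// mergeWebhooks returns the union of left and right, one webhook per
// GroupVersion and sorted by it, plus the count of invalid webhooks dropped.
func mergeWebhooks(left, right []Webhook) (merged []Webhook, dropped int) {
	seen := map[string]bool{}
	for _, w := range append(append([]Webhook{}, left...), right...) {
		gv := gvKey(w)
		if gv == "" {
			dropped++ // tampered or malformed entry: removed, never fatal
		} else if !seen[gv] {
			seen[gv] = true
			merged = append(merged, w)
		}
	}
	sort.Slice(merged, func(i, j int) bool { return gvKey(merged[i]) < gvKey(merged[j]) })
	return merged, dropped
}

func main() {
	all := []string{"*"}
	// Constructed sample: left (on the server) carries a tampered two-rule webhook.
	left := []Webhook{{{"rbac.authorization.k8s.io", "v1", all}}, {{"apps", "v1", all}, {"batch", "v1", all}}}
	right := []Webhook{{{"", "v1", all}}, {{"apps", "v1", all}}}
	fmt.Println(mergeWebhooks(left, right))
}
```

Because an invalid entry is dropped and counted instead of returned as an error, a tampered configuration on the server cannot wedge the merge; swapping the two arguments yields the same result.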

func Update

Update modifies the ValidatingWebhookConfiguration on the cluster to match all types declared in objs.

Returns an error if the API Server returns invalid API Resource lists or there is a problem updating the Configuration.

Types

This section is empty.
