validators

package
v0.0.0-...-44dad58
Warning

This package is not in the latest version of its module.

Published: Dec 20, 2021 License: Apache-2.0 Imports: 29 Imported by: 0

Documentation

Constants

const (
	AnchorServingPath = "/validate-hnc-x-k8s-io-v1alpha2-subnamespaceanchors"
)

AnchorServingPath is where the validator will run. Must be kept in sync with the kubebuilder markers below.

const (
	ConfigServingPath = "/validate-hnc-x-k8s-io-v1alpha2-hncconfigurations"
)

ConfigServingPath is where the validator will run. Must be kept in sync with the kubebuilder markers below.

const (
	// HierarchyServingPath is where the validator will run. Must be kept in sync with the
	// kubebuilder marker below.
	HierarchyServingPath = "/validate-hnc-x-k8s-io-v1alpha2-hierarchyconfigurations"
)
const (
	NamespaceServingPath = "/validate-v1-namespace"
)

NamespaceServingPath is where the validator will run. Must be kept in sync with the kubebuilder markers below.

const (
	ObjectsServingPath = "/validate-objects"
)

ObjectsServingPath is where the validator will run. Must be kept in sync with the kubebuilder markers below.

Variables

This section is empty.

Functions

func Create

func Create(mgr ctrl.Manager, f *forest.Forest)

Create creates all validators. This function is called from main.go.

func CreateCertsIfNeeded

func CreateCertsIfNeeded(mgr ctrl.Manager, novalidation, internalCert, restartOnSecretRefresh bool) (chan struct{}, error)

CreateCertsIfNeeded creates all certs for webhooks. This function is called from main.go.

Types

type Anchor

type Anchor struct {
	Log    logr.Logger
	Forest *forest.Forest
	// contains filtered or unexported fields
}

func (*Anchor) Handle

Handle implements the validation webhook.

func (*Anchor) InjectDecoder

func (v *Anchor) InjectDecoder(d *admission.Decoder) error

type HNCConfig

type HNCConfig struct {
	Log    logr.Logger
	Forest *forest.Forest
	// contains filtered or unexported fields
}

func (*HNCConfig) Handle

func (*HNCConfig) InjectConfig

func (c *HNCConfig) InjectConfig(cf *rest.Config) error

func (*HNCConfig) InjectDecoder

func (c *HNCConfig) InjectDecoder(d *admission.Decoder) error

type Hierarchy

type Hierarchy struct {
	Log    logr.Logger
	Forest *forest.Forest
	// contains filtered or unexported fields
}

func (*Hierarchy) Handle

Handle implements the validation webhook.

During updates, the validator currently ignores the existing state of the object (`oldObject`). The reason is that most of the checks being performed are on the state of the entire forest, not on any one object, so having the _very_ latest information on _one_ object doesn't really help us. That is, we're basically forced to assume that the in-memory forest is fully up-to-date.

Obviously, there are times when this assumption will be incorrect - for example, when the HNC is just starting up, or perhaps if there have been a lot of changes made very quickly that the reconciler hasn't caught up with yet. In such cases, this validator can produce both false negatives (legal changes are incorrectly rejected) and false positives (illegal changes are mistakenly allowed). False negatives can easily be retried and so are not a significant problem, since (by definition) we expect the problem to be transient.

False positives are a more serious concern, and fall into two categories: structural failures and authz failures. Regarding structural failures, the reconciler has been designed to assume that the validator is _never_ running, and any illegal configuration that makes it into K8s will simply be reported via HierarchyConfiguration.Status.Conditions. It is the admins' responsibility to monitor these conditions and ensure that, transient exceptions aside, all namespaces are condition-free. Note that even if the validator is working perfectly, it's still possible to introduce structural failures, as described in the user docs.

Authz false positives are prevented as described by the comments to `getServerChecks`.
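
The stale-forest false positive described above, and the reconciler catching it afterwards, shown as an added example that is not HNC's own code. `Forest`, `Validate`, `Reconcile` and the condition name are hypothetical simplifications, and a parent cycle stands in for a structural failure.

```go
package main

import "fmt"

// Forest is a hypothetical stand-in for HNC's in-memory forest:
// namespace -> parent ("" means root).
type Forest map[string]string

// hasCycle reports whether the ancestor chain starting at ns ever repeats.
func hasCycle(f Forest, ns string) bool {
	seen := map[string]bool{}
	for cur := ns; cur != ""; cur = f[cur] {
		if seen[cur] {
			return true
		}
		seen[cur] = true
	}
	return false
}

// Validate mimics the webhook: it judges a proposed parent change only
// against the cached forest, never against oldObject or live state.
func Validate(cached Forest, ns, newParent string) bool {
	trial := Forest{}
	for k, v := range cached {
		trial[k] = v
	}
	trial[ns] = newParent
	return !hasCycle(trial, ns)
}

// Reconcile mimics the reconciler: it assumes the validator never ran and
// flags every namespace whose ancestry contains a cycle.
func Reconcile(actual Forest) map[string]string {
	conds := map[string]string{}
	for ns := range actual {
		if hasCycle(actual, ns) {
			conds[ns] = "ExampleInCycle" // constructed condition name
		}
	}
	return conds
}

func main() {
	// Constructed race: "a" just got parent "b", but the cache is stale.
	actual, stale := Forest{"a": "b", "b": ""}, Forest{"a": "", "b": ""}
	fmt.Println("stale allows b->a:", Validate(stale, "b", "a"), "fresh allows:", Validate(actual, "b", "a"))
	actual["b"] = "a" // the mistakenly admitted write lands
	fmt.Println("conditions:", Reconcile(actual))
}
```

The stale cache admits the change that the up-to-date cache rejects, and the reconciler then reports a condition on both namespaces, which is the signal admins are expected to monitor.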

func (*Hierarchy) InjectClient

func (v *Hierarchy) InjectClient(c client.Client) error

func (*Hierarchy) InjectDecoder

func (v *Hierarchy) InjectDecoder(d *admission.Decoder) error

type Namespace

type Namespace struct {
	Log    logr.Logger
	Forest *forest.Forest
	// contains filtered or unexported fields
}

func (*Namespace) Handle

Handle implements the validation webhook.

func (*Namespace) InjectDecoder

func (v *Namespace) InjectDecoder(d *admission.Decoder) error

type Object

type Object struct {
	Log    logr.Logger
	Forest *forest.Forest
	// contains filtered or unexported fields
}

func (*Object) Handle

func (*Object) InjectClient

func (o *Object) InjectClient(c client.Client) error

func (*Object) InjectDecoder

func (o *Object) InjectDecoder(d *admission.Decoder) error
