Documentation

Overview

    Package admission provides implementation for admission webhook and methods to implement admission webhook handlers.

    The following snippet is an example implementation of mutating handler.

    type Mutator struct {
    	client  client.Client
    	decoder types.Decoder
    }
    
    func (m *Mutator) mutatePodsFn(ctx context.Context, pod *corev1.Pod) error {
    	// your logic to mutate the passed-in pod.
    }
    
    func (m *Mutator) Handle(ctx context.Context, req types.Request) types.Response {
    	pod := &corev1.Pod{}
    	err := m.decoder.Decode(req, pod)
    	if err != nil {
    		return admission.ErrorResponse(http.StatusBadRequest, err)
    	}
    	// Do deepcopy before actually mutate the object.
    	copy := pod.DeepCopy()
    	err = m.mutatePodsFn(ctx, copy)
    	if err != nil {
    		return admission.ErrorResponse(http.StatusInternalServerError, err)
    	}
    	return admission.PatchResponse(pod, copy)
    }
    
    // InjectClient is called by the Manager and provides a client.Client to the Mutator instance.
    func (m *Mutator) InjectClient(c client.Client) error {
    	h.client = c
    	return nil
    }
    
    // InjectDecoder is called by the Manager and provides a types.Decoder to the Mutator instance.
    func (m *Mutator) InjectDecoder(d types.Decoder) error {
    	h.decoder = d
    	return nil
    }
    

    The following snippet is an example implementation of validating handler.

    type Handler struct {
    	client  client.Client
    	decoder types.Decoder
    }
    
    func (v *Validator) validatePodsFn(ctx context.Context, pod *corev1.Pod) (bool, string, error) {
    	// your business logic
    }
    
    func (v *Validator) Handle(ctx context.Context, req types.Request) types.Response {
    	pod := &corev1.Pod{}
    	err := h.decoder.Decode(req, pod)
    	if err != nil {
    		return admission.ErrorResponse(http.StatusBadRequest, err)
    	}
    
    	allowed, reason, err := h.validatePodsFn(ctx, pod)
    	if err != nil {
    		return admission.ErrorResponse(http.StatusInternalServerError, err)
    	}
    	return admission.ValidationResponse(allowed, reason)
    }
    
    // InjectClient is called by the Manager and provides a client.Client to the Validator instance.
    func (v *Validator) InjectClient(c client.Client) error {
    	h.client = c
    	return nil
    }
    
    // InjectDecoder is called by the Manager and provides a types.Decoder to the Validator instance.
    func (v *Validator) InjectDecoder(d types.Decoder) error {
    	h.decoder = d
    	return nil
    }
    

    Index

    Constants

    This section is empty.

    Variables

    This section is empty.

    Functions

    func ErrorResponse

    func ErrorResponse(code int32, err error) types.Response

      ErrorResponse creates a new Response for error-handling a request.

      func NewDecoder

      func NewDecoder(scheme *runtime.Scheme) (types.Decoder, error)

        NewDecoder creates a Decoder given the runtime.Scheme

        func PatchResponse

        func PatchResponse(original, current runtime.Object) types.Response

          PatchResponse returns a new response with json patch.

          func ValidationResponse

          func ValidationResponse(allowed bool, reason string) types.Response

            ValidationResponse returns a response for admitting a request.

            Types

            type DecodeFunc

            type DecodeFunc func(types.Request, runtime.Object) error

              DecodeFunc is a function that implements the Decoder interface.

              func (DecodeFunc) Decode

              func (f DecodeFunc) Decode(req types.Request, obj runtime.Object) error

                Decode implements the Decoder interface.

                type Handler

                type Handler interface {
                	Handle(context.Context, atypes.Request) atypes.Response
                }

                  Handler can handle an AdmissionRequest.

                  type HandlerFunc

                  type HandlerFunc func(context.Context, atypes.Request) atypes.Response

                    HandlerFunc implements Handler interface using a single function.

                    func (HandlerFunc) Handle

                      Handle process the AdmissionRequest by invoking the underlying function.

                      type Webhook

                      type Webhook struct {
                      	// Name is the name of the webhook
                      	Name string
                      	// Type is the webhook type, i.e. mutating, validating
                      	Type types.WebhookType
                      	// Path is the path this webhook will serve.
                      	Path string
                      	// Rules maps to the Rules field in admissionregistrationv1beta1.Webhook
                      	Rules []admissionregistrationv1beta1.RuleWithOperations
                      	// FailurePolicy maps to the FailurePolicy field in admissionregistrationv1beta1.Webhook
                      	// This optional. If not set, will be defaulted to Ignore (fail-open) by the server.
                      	// More details: https://github.com/kubernetes/api/blob/f5c295feaba2cbc946f0bbb8b535fc5f6a0345ee/admissionregistration/v1beta1/types.go#L144-L147
                      	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType
                      	// NamespaceSelector maps to the NamespaceSelector field in admissionregistrationv1beta1.Webhook
                      	// This optional.
                      	NamespaceSelector *metav1.LabelSelector
                      	// Handlers contains a list of handlers. Each handler may only contains the business logic for its own feature.
                      	// For example, feature foo and bar can be in the same webhook if all the other configurations are the same.
                      	// The handler will be invoked sequentially as the order in the list.
                      	// Note: if you are using mutating webhook with multiple handlers, it's your responsibility to
                      	// ensure the handlers are not generating conflicting JSON patches.
                      	Handlers []Handler
                      	// contains filtered or unexported fields
                      }

                        Webhook represents each individual webhook.

                        func (*Webhook) Add

                        func (w *Webhook) Add(handlers ...Handler)

                          Add adds additional handler(s) in the webhook

                          func (*Webhook) GetName

                          func (w *Webhook) GetName() string

                            GetName returns the name of the webhook.

                            func (*Webhook) GetPath

                            func (w *Webhook) GetPath() string

                              GetPath returns the path that the webhook registered.

                              func (*Webhook) GetType

                              func (w *Webhook) GetType() types.WebhookType

                                GetType returns the type of the webhook.

                                func (*Webhook) Handle

                                func (w *Webhook) Handle(ctx context.Context, req atypes.Request) atypes.Response

                                  Handle processes AdmissionRequest. If the webhook is mutating type, it delegates the AdmissionRequest to each handler and merge the patches. If the webhook is validating type, it delegates the AdmissionRequest to each handler and deny the request if anyone denies.

                                  func (*Webhook) Handler

                                  func (w *Webhook) Handler() http.Handler

                                    Handler returns a http.Handler for the webhook

                                    func (*Webhook) InjectClient

                                    func (w *Webhook) InjectClient(c client.Client) error

                                      InjectClient injects the client into the handlers

                                      func (*Webhook) InjectDecoder

                                      func (w *Webhook) InjectDecoder(d atypes.Decoder) error

                                        InjectDecoder injects the decoder into the handlers

                                        func (*Webhook) ServeHTTP

                                        func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)

                                        func (*Webhook) Validate

                                        func (w *Webhook) Validate() error

                                          Validate validates if the webhook is valid.

                                          Directories

                                          Path Synopsis
                                          Package builder provides methods to build admission webhooks.
                                          Package builder provides methods to build admission webhooks.