Documentation

Overview

Package admission provides implementation for admission webhook and methods to implement admission webhook handlers.

The following snippet is an example implementation of mutating handler.

type Mutator struct {
	client  client.Client
	decoder types.Decoder
}

func (m *Mutator) mutatePodsFn(ctx context.Context, pod *corev1.Pod) error {
	// your logic to mutate the passed-in pod.
}

func (m *Mutator) Handle(ctx context.Context, req types.Request) types.Response {
	pod := &corev1.Pod{}
	err := m.decoder.Decode(req, pod)
	if err != nil {
		return admission.ErrorResponse(http.StatusBadRequest, err)
	}
	// Do deepcopy before actually mutate the object.
	copy := pod.DeepCopy()
	err = m.mutatePodsFn(ctx, copy)
	if err != nil {
		return admission.ErrorResponse(http.StatusInternalServerError, err)
	}
	return admission.PatchResponse(pod, copy)
}

// InjectClient is called by the Manager and provides a client.Client to the Mutator instance.
func (m *Mutator) InjectClient(c client.Client) error {
	h.client = c
	return nil
}

// InjectDecoder is called by the Manager and provides a types.Decoder to the Mutator instance.
func (m *Mutator) InjectDecoder(d types.Decoder) error {
	h.decoder = d
	return nil
}

The following snippet is an example implementation of validating handler.

type Handler struct {
	client  client.Client
	decoder types.Decoder
}

func (v *Validator) validatePodsFn(ctx context.Context, pod *corev1.Pod) (bool, string, error) {
	// your business logic
}

func (v *Validator) Handle(ctx context.Context, req types.Request) types.Response {
	pod := &corev1.Pod{}
	err := h.decoder.Decode(req, pod)
	if err != nil {
		return admission.ErrorResponse(http.StatusBadRequest, err)
	}

	allowed, reason, err := h.validatePodsFn(ctx, pod)
	if err != nil {
		return admission.ErrorResponse(http.StatusInternalServerError, err)
	}
	return admission.ValidationResponse(allowed, reason)
}

// InjectClient is called by the Manager and provides a client.Client to the Validator instance.
func (v *Validator) InjectClient(c client.Client) error {
	h.client = c
	return nil
}

// InjectDecoder is called by the Manager and provides a types.Decoder to the Validator instance.
func (v *Validator) InjectDecoder(d types.Decoder) error {
	h.decoder = d
	return nil
}

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ErrorResponse

func ErrorResponse(code int32, err error) types.Response

ErrorResponse creates a new Response for error-handling a request.

func NewDecoder

func NewDecoder(scheme *runtime.Scheme) (types.Decoder, error)

NewDecoder creates a Decoder given the runtime.Scheme

func PatchResponse

func PatchResponse(original, current runtime.Object) types.Response

PatchResponse returns a new response with json patch.

func ValidationResponse

func ValidationResponse(allowed bool, reason string) types.Response

ValidationResponse returns a response for admitting a request.

Types

type DecodeFunc

type DecodeFunc func(types.Request, runtime.Object) error

DecodeFunc is a function that implements the Decoder interface.

func (DecodeFunc) Decode

func (f DecodeFunc) Decode(req types.Request, obj runtime.Object) error

Decode implements the Decoder interface.

type Handler

type Handler interface {
	Handle(context.Context, atypes.Request) atypes.Response
}

Handler can handle an AdmissionRequest.

type HandlerFunc

type HandlerFunc func(context.Context, atypes.Request) atypes.Response

HandlerFunc implements Handler interface using a single function.

func (HandlerFunc) Handle

Handle process the AdmissionRequest by invoking the underlying function.

type Webhook

type Webhook struct {
	// Name is the name of the webhook
	Name string
	// Type is the webhook type, i.e. mutating, validating
	Type types.WebhookType
	// Path is the path this webhook will serve.
	Path string
	// Rules maps to the Rules field in admissionregistrationv1beta1.Webhook
	Rules []admissionregistrationv1beta1.RuleWithOperations
	// FailurePolicy maps to the FailurePolicy field in admissionregistrationv1beta1.Webhook
	// This optional. If not set, will be defaulted to Ignore (fail-open) by the server.
	// More details: https://github.com/kubernetes/api/blob/f5c295feaba2cbc946f0bbb8b535fc5f6a0345ee/admissionregistration/v1beta1/types.go#L144-L147
	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType
	// NamespaceSelector maps to the NamespaceSelector field in admissionregistrationv1beta1.Webhook
	// This optional.
	NamespaceSelector *metav1.LabelSelector
	// Handlers contains a list of handlers. Each handler may only contains the business logic for its own feature.
	// For example, feature foo and bar can be in the same webhook if all the other configurations are the same.
	// The handler will be invoked sequentially as the order in the list.
	// Note: if you are using mutating webhook with multiple handlers, it's your responsibility to
	// ensure the handlers are not generating conflicting JSON patches.
	Handlers []Handler
	// contains filtered or unexported fields
}

Webhook represents each individual webhook.

func (*Webhook) Add

func (w *Webhook) Add(handlers ...Handler)

Add adds additional handler(s) in the webhook

func (*Webhook) GetName

func (w *Webhook) GetName() string

GetName returns the name of the webhook.

func (*Webhook) GetPath

func (w *Webhook) GetPath() string

GetPath returns the path that the webhook registered.

func (*Webhook) GetType

func (w *Webhook) GetType() types.WebhookType

GetType returns the type of the webhook.

func (*Webhook) Handle

func (w *Webhook) Handle(ctx context.Context, req atypes.Request) atypes.Response

Handle processes AdmissionRequest. If the webhook is mutating type, it delegates the AdmissionRequest to each handler and merge the patches. If the webhook is validating type, it delegates the AdmissionRequest to each handler and deny the request if anyone denies.

func (*Webhook) Handler

func (w *Webhook) Handler() http.Handler

Handler returns a http.Handler for the webhook

func (*Webhook) InjectClient

func (w *Webhook) InjectClient(c client.Client) error

InjectClient injects the client into the handlers

func (*Webhook) InjectDecoder

func (w *Webhook) InjectDecoder(d atypes.Decoder) error

InjectDecoder injects the decoder into the handlers

func (*Webhook) ServeHTTP

func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)

func (*Webhook) Validate

func (w *Webhook) Validate() error

Validate validates if the webhook is valid.

Directories

Path Synopsis
Package builder provides methods to build admission webhooks.
Package builder provides methods to build admission webhooks.