Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type AdmissionError
AdmissionError represents an error (a rejection, a serialization error, etc.) returned from an AdmissionHandler endpoint/handler.
func (AdmissionError) Error
func (e AdmissionError) Error() string
type AdmissionHandler
type AdmissionHandler struct {
	// The AdmitFunc to invoke for this handler.
	AdmitFunc AdmitFunc
	// A kitlog.Logger compatible interface
	Logger logkit.Logger
	// LimitBytes limits the size of objects the webhook will handle.
	LimitBytes int64
	// contains filtered or unexported fields
}
AdmissionHandler represents the configuration and associated HTTP endpoint for a Kubernetes validating (or mutating) admission webhook. Set LimitBytes so that an oversized request body cannot exhaust the webhook's memory.
Multiple instances can be created with distinct AdmitFuncs to handle different admission requirements.
func (*AdmissionHandler) ServeHTTP
func (ah *AdmissionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP implements http.Handler: it reads the AdmissionReview from the request, invokes the configured AdmitFunc and writes its AdmissionResponse.
type AdmissionServer
type AdmissionServer struct {
	// GracePeriod defines how long the server allows for in-flight connections
	// to complete before exiting.
	GracePeriod time.Duration
	// contains filtered or unexported fields
}
AdmissionServer represents an HTTP server configuration for serving an admission controller webhook.
Use NewServer to create a new AdmissionServer.
func NewServer
NewServer creates an unstarted AdmissionServer, ready to be started via the Run method.
The provided *http.Server must have its Handler field set, as well as a valid, non-nil TLSConfig. Kubernetes requires that admission webhooks are reachable only over HTTPS (TLS), whether running in-cluster or externally; the API server will not call a plain-HTTP endpoint.
func (*AdmissionServer) Run
func (as *AdmissionServer) Run(ctx context.Context) error
Run starts the configured *http.Server and blocks until the server stops.
Run returns in three explicit cases:
1. An interrupt (SIGINT; "Ctrl+C") or termination (SIGTERM) signal is received, such as the SIGTERM most process managers send and which Kubernetes sends to a Pod on termination: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
2. The listener on the server returns an error (failure to bind to a port, a terminal network issue, etc.).
3. The parent context is cancelled, e.g. by calling the CancelFunc returned by context.WithCancel(ctx).
This lets the server stop accepting connections, allow in-flight connections to finish gracefully (up to the configured GracePeriod), and then close. You may also call the Stop method on the server to trigger the same shutdown.
func (*AdmissionServer) Stop
func (as *AdmissionServer) Stop() error
Stop stops the AdmissionServer if it is running, waiting up to the configured GracePeriod for in-flight connections to complete.
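The lifecycle that Run and Stop describe, written out as an added example against the standard library only (this is not the package's own code): runUntilStopped returns on SIGINT/SIGTERM, on a listener error, or on cancellation of the parent context, drains in-flight requests for up to a grace period, and refuses to start without a TLSConfig. The in-memory listeners, the 100 ms cancel in main, and the names runUntilStopped, idleListener and brokenListener are constructions for this example.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"os/signal"
	"sync"
	"syscall"
	"time"
)

// runUntilStopped serves srv on ln and blocks until one of the three events
// described above: SIGINT/SIGTERM, a listener error, or cancellation of ctx.
// On a signal or cancellation it stops accepting connections and waits up to
// grace for in-flight requests. It refuses to run without a TLSConfig, since
// the API server only calls webhooks over HTTPS.
func runUntilStopped(ctx context.Context, srv *http.Server, ln net.Listener, grace time.Duration) error {
	if srv.Handler == nil {
		return errors.New("http.Server.Handler must be set")
	}
	if srv.TLSConfig == nil {
		return errors.New("refusing to serve an admission webhook without TLS: http.Server.TLSConfig is nil")
	}
	ctx, stop := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
	defer stop()

	serveErr := make(chan error, 1)
	// In production TLSConfig carries the webhook certificate; tls.NewListener
	// wraps the plain listener so every accepted connection is TLS.
	go func() { serveErr <- srv.Serve(tls.NewListener(ln, srv.TLSConfig)) }()

	select {
	case err := <-serveErr:
		return err // case 2: the listener failed before anyone asked us to stop
	case <-ctx.Done(): // case 1 or 3
	}
	shutdownCtx, cancel := context.WithTimeout(context.Background(), grace)
	defer cancel()
	err := srv.Shutdown(shutdownCtx) // stop accepting; drain in-flight requests for up to grace
	<-serveErr                       // Serve returns http.ErrServerClosed once Shutdown has begun
	return err
}

// idleListener (constructed for this example) never yields a connection and
// unblocks Accept only when closed, so the example runs without binding a port.
type idleListener struct {
	done chan struct{}
	once sync.Once
}

func newIdleListener() *idleListener { return &idleListener{done: make(chan struct{})} }

func (l *idleListener) Accept() (net.Conn, error) {
	<-l.done
	return nil, net.ErrClosed
}

func (l *idleListener) Close() error {
	l.once.Do(func() { close(l.done) })
	return nil
}

func (l *idleListener) Addr() net.Addr { return &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 8443} }

// brokenListener fails on its first Accept, modelling a listener that cannot bind.
type brokenListener struct{}

func (brokenListener) Accept() (net.Conn, error) { return nil, errors.New("accept: network is down") }
func (brokenListener) Close() error               { return nil }
func (brokenListener) Addr() net.Addr             { return &net.TCPAddr{} }

func main() {
	srv := &http.Server{Handler: http.NotFoundHandler(), TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
	ctx, cancel := context.WithCancel(context.Background())
	go func() { // stands in for Stop() or a SIGTERM from the kubelet
		time.Sleep(100 * time.Millisecond)
		cancel()
	}()
	fmt.Println("shut down cleanly:", runUntilStopped(ctx, srv, newIdleListener(), 5*time.Second) == nil)
}
```

The grace period is bounded by the context passed to Shutdown; if it expires with requests still in flight, Shutdown returns that context's error and the caller decides whether to log or exit non-zero.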
type AdmitFunc
type AdmitFunc func(reviewRequest *admission.AdmissionReview) (*admission.AdmissionResponse, error)
AdmitFunc is the type for building Kubernetes admission webhooks. An AdmitFunc checks whether the object in an admission request is acceptable and returns an AdmissionResponse with Allowed set to true or false accordingly.
Users wishing to build their own admission handlers should satisfy the AdmitFunc type and pass it to an AdmissionHandler for serving over HTTP.
Note: this mirrors the type in the k8s source: https://github.com/kubernetes/kubernetes/blob/v1.13.0/test/images/webhook/main.go#L43-L44
func DenyIngresses
DenyIngresses denies any kind: Ingress from being deployed to the cluster, except in the explicitly ignored namespaces (e.g. istio-system).
Providing an empty or nil list of ignoredNamespaces rejects Ingress objects across all namespaces.
Kinds other than Ingress are allowed.
func DenyPublicLoadBalancers
func DenyPublicLoadBalancers(ignoredNamespaces []string, provider CloudProvider) AdmitFunc
DenyPublicLoadBalancers denies public cloud load balancers (kind: Service with .spec.type: LoadBalancer) that do not carry the provider-specific "internal" load balancer annotation. This prevents accidentally exposing Services to the Internet on Kubernetes clusters designed to be internal-facing only.
The required annotations are documented at https://kubernetes.io/docs/concepts/services-networking/#internal-load-balancer
Services with a .spec.type other than LoadBalancer will NOT be rejected by this handler. The webhook only sees the operations its ValidatingWebhookConfiguration rules match, so register it for both CREATE and UPDATE of services; otherwise an update that removes the annotation would not be checked.
Providing an empty or nil list of ignoredNamespaces rejects public LoadBalancers across all namespaces.
func EnforcePodAnnotations
func EnforcePodAnnotations(ignoredNamespaces []string, requiredAnnotations map[string]func(string) bool) AdmitFunc
EnforcePodAnnotations ensures that Pods carry the required annotations: each key in requiredAnnotations must be present (strict, case-sensitive key match), and its match function (a func(string) bool) must return true for the annotation's value.
This lets the caller perform flexible matching, such as checking for a valid DNS name or membership in a list of accepted values, rather than enumerating every possible value, which may not be possible.
EnforcePodAnnotations can inspect Pods, Deployments, StatefulSets, DaemonSets and Jobs.
Unknown object kinds are rejected (the check fails closed), so register this AdmitFunc only for the kinds listed above. You can create multiple instances of this AdmitFunc for a given ValidatingAdmissionWebhook configuration if you wish to apply different configurations per kind or namespace.
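The decision logic of DenyPublicLoadBalancers and EnforcePodAnnotations, and the AdmitFunc shape they share, as an added example that is not the package's code. It stands in for the Kubernetes types with minimal structs carrying the same JSON field names, takes the cloud provider as a string rather than the CloudProvider constants, takes the provider annotations from the Kubernetes page linked above, and assumes that for Deployments, StatefulSets, DaemonSets and Jobs the annotations to check are those of the pod template. The names denyPublicLoadBalancers, enforcePodAnnotations, admissionReview and object are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Stand-ins for the admission/v1beta1 types (assumption: same JSON field names
// as the Kubernetes types, trimmed to the fields the two policies read).
type (
	admissionReview struct {
		Request *struct {
			UID       string                            `json:"uid"`
			Kind      struct{ Kind string `json:"kind"` } `json:"kind"`
			Namespace string                            `json:"namespace"`
			Object    json.RawMessage                   `json:"object"`
		} `json:"request"`
	}
	admissionResponse struct {
		UID     string `json:"uid"`
		Allowed bool   `json:"allowed"`
		Message string `json:"message,omitempty"`
	}
	admitFunc func(*admissionReview) (*admissionResponse, error)
	// object holds what both policies read: a Service's type, plus the
	// annotations of a Pod or of a controller's pod template.
	object struct {
		Metadata struct{ Annotations map[string]string `json:"annotations"` } `json:"metadata"`
		Spec     struct {
			Type     string `json:"type"`
			Template struct {
				Metadata struct{ Annotations map[string]string `json:"annotations"` } `json:"metadata"`
			} `json:"template"`
		} `json:"spec"`
	}
)

// Annotation (key, value) that marks a LoadBalancer Service as internal, from the
// Kubernetes docs page linked above (keyed by name here; the library uses CloudProvider).
var internalLBAnnotation = map[string][2]string{
	"gcp":       {"cloud.google.com/load-balancer-type", "Internal"},
	"azure":     {"service.beta.kubernetes.io/azure-load-balancer-internal", "true"},
	"aws":       {"service.beta.kubernetes.io/aws-load-balancer-internal", "true"},
	"openstack": {"service.beta.kubernetes.io/openstack-internal-load-balancer", "true"},
}

func verdict(rev *admissionReview, allowed bool, msg string) *admissionResponse {
	return &admissionResponse{UID: rev.Request.UID, Allowed: allowed, Message: msg}
}

// denyPublicLoadBalancers rejects Services of type LoadBalancer that lack the
// provider's internal annotation; anything else passes. rev.Request is assumed non-nil.
func denyPublicLoadBalancers(ignoredNamespaces []string, provider string) admitFunc {
	ann, known := internalLBAnnotation[provider]
	return func(rev *admissionReview) (*admissionResponse, error) {
		if !known { // a typo in the provider must not turn into an allow-all
			return nil, fmt.Errorf("no internal load balancer annotation known for provider %q", provider)
		}
		if rev.Request.Kind.Kind != "Service" || slices.Contains(ignoredNamespaces, rev.Request.Namespace) {
			return verdict(rev, true, ""), nil
		}
		var svc object
		if err := json.Unmarshal(rev.Request.Object, &svc); err != nil {
			return nil, err
		}
		if svc.Spec.Type != "LoadBalancer" || strings.EqualFold(svc.Metadata.Annotations[ann[0]], ann[1]) {
			return verdict(rev, true, ""), nil
		}
		return verdict(rev, false, fmt.Sprintf("public LoadBalancer Services are not allowed; set %s=%q for an internal one", ann[0], ann[1])), nil
	}
}

// enforcePodAnnotations checks required annotations on a Pod, or on the pod template
// of a Deployment/StatefulSet/DaemonSet/Job (assumption: that is where the library looks).
func enforcePodAnnotations(ignoredNamespaces []string, required map[string]func(string) bool) admitFunc {
	return func(rev *admissionReview) (*admissionResponse, error) {
		if slices.Contains(ignoredNamespaces, rev.Request.Namespace) {
			return verdict(rev, true, ""), nil
		}
		var obj object
		if err := json.Unmarshal(rev.Request.Object, &obj); err != nil {
			return nil, err
		}
		var annotations map[string]string
		switch rev.Request.Kind.Kind {
		case "Pod":
			annotations = obj.Metadata.Annotations
		case "Deployment", "StatefulSet", "DaemonSet", "Job":
			annotations = obj.Spec.Template.Metadata.Annotations
		default: // fail closed: never admit what the policy cannot inspect
			return verdict(rev, false, fmt.Sprintf("kind %q is not supported by this policy", rev.Request.Kind.Kind)), nil
		}
		for key, match := range required {
			if val, ok := annotations[key]; !ok || !match(val) { // exact, case-sensitive key
				return verdict(rev, false, fmt.Sprintf("annotation %q is missing or has an unacceptable value", key)), nil
			}
		}
		return verdict(rev, true, ""), nil
	}
}
```

Two fail-closed choices are deliberate: a kind the annotation policy cannot decode is denied rather than silently admitted, and an unrecognised provider produces an error rather than an empty annotation match that would allow every LoadBalancer through.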
type CloudProvider
type CloudProvider int
CloudProvider represents the supported cloud platforms for provider-specific configuration.
const (
	// GCP is a constant for Google Cloud Platform specific logic.
	GCP CloudProvider = iota
	// Azure is a constant for Microsoft Azure specific logic.
	Azure
	// AWS is a constant for Amazon Web Services specific logic.
	AWS
	// OpenStack is a constant for OpenStack specific logic.
	OpenStack
)