Documentation

Constants

// GroupName is the API group name used in this package; SchemeGroupVersion
// is built from it.
const GroupName = "admission.k8s.io"

GroupName is the group name used in this package.


Variables

var (
	// SchemeBuilder is the scheme builder for this API group. It is created
	// with addKnownTypes as its registration function (addKnownTypes is not
	// exported, so it does not appear in this documentation).
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme is SchemeBuilder.AddToScheme, exposed as a package-level
	// handle for adding this group's items to a scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

// SchemeGroupVersion is the group version used to register these objects.
// Its version is runtime.APIVersionInternal, so this package holds the
// internal form of the admission.k8s.io types rather than a versioned one.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is the group version used to register these objects.


Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns a Group qualified GroupKind

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type AdmissionRequest

// AdmissionRequest describes the admission.Attributes for the admission request.
// It carries what is being requested (Kind, Resource, SubResource, Operation),
// on whose behalf (UserInfo), and the objects involved (Object, OldObject, Options).
type AdmissionRequest struct {
	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
	// otherwise identical (parallel requests, requests when earlier requests did not modify, etc.).
	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
	UID types.UID
	// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
	Kind metav1.GroupVersionKind
	// Resource is the fully-qualified resource being requested (for example, v1.pods)
	Resource metav1.GroupVersionResource
	// SubResource is the subresource being requested, if any (for example, "status" or "scale")
	// +optional
	SubResource string

	// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
	//
	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
	// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
	// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
	//
	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
	// +optional
	RequestKind *metav1.GroupVersionKind
	// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
	//
	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
	// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
	// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
	//
	// See documentation for the "matchPolicy" field in the webhook configuration type.
	// +optional
	RequestResource *metav1.GroupVersionResource
	// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale").
	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
	// See documentation for the "matchPolicy" field in the webhook configuration type.
	// +optional
	RequestSubResource string

	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
	// rely on the server to generate the name.  If that is the case, this field will be the empty string, so
	// a check keyed on Name must handle the empty value.
	// +optional
	Name string
	// Namespace is the namespace associated with the request (if any).
	// +optional
	Namespace string
	// Operation is the operation being performed. This may be different than the operation
	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
	// The values defined in this package are Create, Update, Delete and Connect.
	Operation Operation
	// UserInfo is information about the requesting user.
	// NOTE(review): this is only as trustworthy as the sender of the enclosing
	// AdmissionReview; presumably a webhook that bases decisions on it should
	// authenticate its caller — confirm against the webhook's deployment.
	UserInfo authentication.UserInfo
	// Object is the object from the incoming request.
	// It is optional, so it may be nil; check before use.
	// +optional
	Object runtime.Object
	// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
	// +optional
	OldObject runtime.Object
	// DryRun indicates that modifications will definitely not be persisted for this request.
	// Calls to webhooks must have no side effects if DryRun is true.
	// Defaults to false.
	// NOTE(review): the field is a pointer; presumably nil is read as the default (false) — confirm where it is consumed.
	// +optional
	DryRun *bool
	// Options is the operation option structure of the operation being performed.
	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
	// different than the options the caller provided. e.g. for a patch request the performed
	// Operation might be a CREATE, in which case the Options will be a
	// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
	// +optional
	Options runtime.Object
}

AdmissionRequest describes the admission.Attributes for the admission request.

func (*AdmissionRequest) DeepCopy

func (in *AdmissionRequest) DeepCopy() *AdmissionRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequest.

func (*AdmissionRequest) DeepCopyInto

func (in *AdmissionRequest) DeepCopyInto(out *AdmissionRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AdmissionResponse

// AdmissionResponse describes an admission response.
// Allowed is a plain bool, so a response that never sets it carries the zero
// value false, i.e. the request is reported as not permitted.
type AdmissionResponse struct {
	// UID is an identifier for the individual request/response.
	// This should be copied over from the corresponding AdmissionRequest.
	UID types.UID
	// Allowed indicates whether or not the admission request was permitted.
	Allowed bool
	// Result contains extra details into why an admission request was denied.
	// This field IS NOT consulted in any way if "Allowed" is "true".
	// +optional
	Result *metav1.Status
	// Patch contains the actual patch. Currently we only support a response in the form of JSONPatch, RFC 6902.
	// +optional
	Patch []byte
	// PatchType indicates the form the Patch will take. Currently we only support "JSONPatch".
	// PatchTypeJSONPatch is the only PatchType constant defined in this package.
	// +optional
	PatchType *PatchType
	// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
	// the admission webhook to add additional context to the audit log for this request.
	// Because the values are written to the audit log, they should not carry secrets or other sensitive data.
	// +optional
	AuditAnnotations map[string]string
	// Warnings is a list of warning messages to return to the requesting API client.
	// Warning messages describe a problem the client making the API request should correct or be aware of.
	// Limit warnings to 120 characters if possible.
	// Warnings over 256 characters and large numbers of warnings may be truncated.
	// These messages go back to the requesting client, so keep internal details out of them.
	// +optional
	Warnings []string
}

AdmissionResponse describes an admission response.

func (*AdmissionResponse) DeepCopy

func (in *AdmissionResponse) DeepCopy() *AdmissionResponse

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionResponse.

func (*AdmissionResponse) DeepCopyInto

func (in *AdmissionResponse) DeepCopyInto(out *AdmissionResponse)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AdmissionReview

// AdmissionReview describes an admission review request/response.
// Request and Response are both optional pointers, so either may be nil;
// check before dereferencing.
type AdmissionReview struct {
	metav1.TypeMeta

	// Request describes the attributes for the admission request.
	// +optional
	Request *AdmissionRequest

	// Response describes the attributes for the admission response.
	// AdmissionResponse.UID is documented as copied from the corresponding
	// AdmissionRequest, which ties a Response to the Request it answers.
	// +optional
	Response *AdmissionResponse
}

AdmissionReview describes an admission review request/response.

func (*AdmissionReview) DeepCopy

func (in *AdmissionReview) DeepCopy() *AdmissionReview

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReview.

func (*AdmissionReview) DeepCopyInto

func (in *AdmissionReview) DeepCopyInto(out *AdmissionReview)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AdmissionReview) DeepCopyObject

func (in *AdmissionReview) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type Operation

// Operation is the type of resource operation being checked for admission control.
// It is a string type; the values defined in this package are the Create,
// Update, Delete and Connect constants.
type Operation string

Operation is the type of resource operation being checked for admission control

// Operation constants: the Operation values defined in this package.
// AdmissionRequest.Operation reports the operation being performed, which may
// differ from the one requested (a patch can result in either Create or Update);
// AdmissionRequest.OldObject is populated only for Delete and Update.
const (
	Create  Operation = "CREATE"
	Update  Operation = "UPDATE"
	Delete  Operation = "DELETE"
	Connect Operation = "CONNECT"
)

Operation constants

type PatchType

// PatchType is the type of patch being used to represent the mutated object.
// It is a string type; AdmissionResponse.PatchType points to a value of it.
type PatchType string

PatchType is the type of patch being used to represent the mutated object

// PatchType constants.
const (
	// PatchTypeJSONPatch is the only PatchType defined in this package; the
	// AdmissionResponse.Patch field is documented as JSONPatch, RFC 6902.
	PatchTypeJSONPatch PatchType = "JSONPatch"
)

PatchType constants.

Directories

Path Synopsis
fuzzer
install Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
v1
v1beta1