Package admission provides implementation for admission webhook and methods to implement admission webhook handlers.

    See examples/mutatingwebhook.go and examples/validatingwebhook.go for examples of admission webhooks.



    This section is empty.


    This section is empty.


    func InjectDecoderInto

    func InjectDecoderInto(decoder *Decoder, i interface{}) (bool, error)

      InjectDecoderInto will set decoder on i and return the result if it implements Decoder. Returns false if i does not implement Decoder.


      type Decoder

      type Decoder struct {
      	// contains filtered or unexported fields

        Decoder knows how to decode the contents of an admission request into a concrete object.

        func NewDecoder

        func NewDecoder(scheme *runtime.Scheme) (*Decoder, error)

          NewDecoder creates a Decoder given the runtime.Scheme

          func (*Decoder) Decode

          func (d *Decoder) Decode(req Request, into runtime.Object) error

            Decode decodes the inlined object in the AdmissionRequest into the passed-in runtime.Object. If you want decode the OldObject in the AdmissionRequest, use DecodeRaw. It errors out if req.Object.Raw is empty i.e. containing 0 raw bytes.

            func (*Decoder) DecodeRaw

            func (d *Decoder) DecodeRaw(rawObj runtime.RawExtension, into runtime.Object) error

              DecodeRaw decodes a RawExtension object into the passed-in runtime.Object. It errors out if rawObj is empty i.e. containing 0 raw bytes.

              type DecoderInjector

              type DecoderInjector interface {
              	InjectDecoder(*Decoder) error

                DecoderInjector is used by the ControllerManager to inject decoder into webhook handlers.

                type Defaulter

                type Defaulter interface {

                  Defaulter defines functions for setting defaults on resources

                  type Handler

                  type Handler interface {
                  	// Handle yields a response to an AdmissionRequest.
                  	// The supplied context is extracted from the received http.Request, allowing wrapping
                  	// http.Handlers to inject values into and control cancelation of downstream request processing.
                  	Handle(context.Context, Request) Response

                    Handler can handle an AdmissionRequest.

                    func MultiMutatingHandler

                    func MultiMutatingHandler(handlers ...Handler) Handler

                      MultiMutatingHandler combines multiple mutating webhook handlers into a single mutating webhook handler. Handlers are called in sequential order, and the first `allowed: false` response may short-circuit the rest. Users must take care to ensure patches are disjoint.

                      func MultiValidatingHandler

                      func MultiValidatingHandler(handlers ...Handler) Handler

                        MultiValidatingHandler combines multiple validating webhook handlers into a single validating webhook handler. Handlers are called in sequential order, and the first `allowed: false` response may short-circuit the rest.

                        type HandlerFunc

                        type HandlerFunc func(context.Context, Request) Response

                          HandlerFunc implements Handler interface using a single function.

                          func (HandlerFunc) Handle

                          func (f HandlerFunc) Handle(ctx context.Context, req Request) Response

                            Handle process the AdmissionRequest by invoking the underlying function.

                            type Request

                            type Request struct {

                              Request defines the input for an admission handler. It contains information to identify the object in question (group, version, kind, resource, subresource, name, namespace), as well as the operation in question (e.g. Get, Create, etc), and the object itself.

                              type Response

                              type Response struct {
                              	// Patches are the JSON patches for mutating webhooks.
                              	// Using this instead of setting Response.Patch to minimize
                              	// overhead of serialization and deserialization.
                              	// Patches set here will override any patches in the response,
                              	// so leave this empty if you want to set the patch response directly.
                              	Patches []jsonpatch.JsonPatchOperation
                              	// AdmissionResponse is the raw admission response.
                              	// The Patch field in it will be overwritten by the listed patches.

                                Response is the output of an admission handler. It contains a response indicating if a given operation is allowed, as well as a set of patches to mutate the object in the case of a mutating admission handler.

                                func Allowed

                                func Allowed(reason string) Response

                                  Allowed constructs a response indicating that the given operation is allowed (without any patches).

                                  func Denied

                                  func Denied(reason string) Response

                                    Denied constructs a response indicating that the given operation is not allowed.

                                    func Errored

                                    func Errored(code int32, err error) Response

                                      Errored creates a new Response for error-handling a request.

                                      func PatchResponseFromRaw

                                      func PatchResponseFromRaw(original, current []byte) Response

                                        PatchResponseFromRaw takes 2 byte arrays and returns a new response with json patch. The original object should be passed in as raw bytes to avoid the roundtripping problem described in

                                        func Patched

                                        func Patched(reason string, patches ...jsonpatch.JsonPatchOperation) Response

                                          Patched constructs a response indicating that the given operation is allowed, and that the target object should be modified by the given JSONPatch operations.

                                          func ValidationResponse

                                          func ValidationResponse(allowed bool, reason string) Response

                                            ValidationResponse returns a response for admitting a request.

                                            func (*Response) Complete

                                            func (r *Response) Complete(req Request) error

                                              Complete populates any fields that are yet to be set in the underlying AdmissionResponse, It mutates the response.

                                              func (Response) WithWarnings

                                              func (r Response) WithWarnings(warnings ...string) Response

                                                WithWarnings adds the given warnings to the Response. If any warnings were already given, they will not be overwritten.

                                                type Validator

                                                type Validator interface {
                                                	ValidateCreate() error
                                                	ValidateUpdate(old runtime.Object) error
                                                	ValidateDelete() error

                                                  Validator defines functions for validating an operation

                                                  type Webhook

                                                  type Webhook struct {
                                                  	// Handler actually processes an admission request returning whether it was allowed or denied,
                                                  	// and potentially patches to apply to the handler.
                                                  	Handler Handler
                                                  	// WithContextFunc will allow you to take the http.Request.Context() and
                                                  	// add any additional information such as passing the request path or
                                                  	// headers thus allowing you to read them from within the handler
                                                  	WithContextFunc func(context.Context, *http.Request) context.Context
                                                  	// contains filtered or unexported fields

                                                    Webhook represents each individual webhook.

                                                    func DefaultingWebhookFor

                                                    func DefaultingWebhookFor(defaulter Defaulter) *Webhook

                                                      DefaultingWebhookFor creates a new Webhook for Defaulting the provided type.

                                                      func ValidatingWebhookFor

                                                      func ValidatingWebhookFor(validator Validator) *Webhook

                                                        ValidatingWebhookFor creates a new Webhook for validating the provided type.

                                                        func (*Webhook) GetDecoder

                                                        func (w *Webhook) GetDecoder() *Decoder

                                                          GetDecoder returns a decoder to decode the objects embedded in admission requests. It may be nil if we haven't received a scheme to use to determine object types yet.

                                                          func (*Webhook) Handle

                                                          func (w *Webhook) Handle(ctx context.Context, req Request) Response

                                                            Handle processes AdmissionRequest. If the webhook is mutating type, it delegates the AdmissionRequest to each handler and merge the patches. If the webhook is validating type, it delegates the AdmissionRequest to each handler and deny the request if anyone denies.

                                                            func (*Webhook) InjectFunc

                                                            func (w *Webhook) InjectFunc(f inject.Func) error

                                                              InjectFunc injects the field setter into the webhook.

                                                              func (*Webhook) InjectLogger

                                                              func (w *Webhook) InjectLogger(l logr.Logger) error

                                                                InjectLogger gets a handle to a logging instance, hopefully with more info about this particular webhook.

                                                                func (*Webhook) InjectScheme

                                                                func (w *Webhook) InjectScheme(s *runtime.Scheme) error

                                                                  InjectScheme injects a scheme into the webhook, in order to construct a Decoder.

                                                                  func (*Webhook) ServeHTTP

                                                                  func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)