Version: v0.10.2 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Oct 5, 2021 License: Apache-2.0 Imports: 23 Imported by: 880



Package admission provides implementation for admission webhook and methods to implement admission webhook handlers.

See examples/mutatingwebhook.go and examples/validatingwebhook.go for examples of admission webhooks.



This section is empty.


This section is empty.


func InjectDecoderInto added in v0.2.0

func InjectDecoderInto(decoder *Decoder, i interface{}) (bool, error)

InjectDecoderInto will set decoder on i and return the result if it implements Decoder. Returns false if i does not implement Decoder.

func StandaloneWebhook added in v0.9.0

func StandaloneWebhook(hook *Webhook, opts StandaloneOptions) (http.Handler, error)

StandaloneWebhook prepares a webhook for use without a webhook.Server, passing in the information normally populated by webhook.Server and instrumenting the webhook with metrics.

Use this to attach your webhook to an arbitrary HTTP server or mux.

Note that you are responsible for terminating TLS if you use StandaloneWebhook in your own server/mux. In order to be accessed by a kubernetes cluster, all webhook servers require TLS.


type CustomDefaulter added in v0.10.2

type CustomDefaulter interface {
	Default(ctx context.Context, obj runtime.Object) error

CustomDefaulter defines functions for setting defaults on resources.

type CustomValidator added in v0.10.2

type CustomValidator interface {
	ValidateCreate(ctx context.Context, obj runtime.Object) error
	ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) error
	ValidateDelete(ctx context.Context, obj runtime.Object) error

CustomValidator defines functions for validating an operation.

type Decoder added in v0.2.0

type Decoder struct {
	// contains filtered or unexported fields

Decoder knows how to decode the contents of an admission request into a concrete object.

func NewDecoder

func NewDecoder(scheme *runtime.Scheme) (*Decoder, error)

NewDecoder creates a Decoder given the runtime.Scheme.

func (*Decoder) Decode added in v0.2.0

func (d *Decoder) Decode(req Request, into runtime.Object) error

Decode decodes the inlined object in the AdmissionRequest into the passed-in runtime.Object. If you want decode the OldObject in the AdmissionRequest, use DecodeRaw. It errors out if req.Object.Raw is empty i.e. containing 0 raw bytes.

func (*Decoder) DecodeRaw added in v0.2.0

func (d *Decoder) DecodeRaw(rawObj runtime.RawExtension, into runtime.Object) error

DecodeRaw decodes a RawExtension object into the passed-in runtime.Object. It errors out if rawObj is empty i.e. containing 0 raw bytes.

type DecoderInjector added in v0.2.0

type DecoderInjector interface {
	InjectDecoder(*Decoder) error

DecoderInjector is used by the ControllerManager to inject decoder into webhook handlers.

type Defaulter added in v0.2.0

type Defaulter interface {

Defaulter defines functions for setting defaults on resources.

type Handler

type Handler interface {
	// Handle yields a response to an AdmissionRequest.
	// The supplied context is extracted from the received http.Request, allowing wrapping
	// http.Handlers to inject values into and control cancelation of downstream request processing.
	Handle(context.Context, Request) Response

Handler can handle an AdmissionRequest.

func MultiMutatingHandler added in v0.2.0

func MultiMutatingHandler(handlers ...Handler) Handler

MultiMutatingHandler combines multiple mutating webhook handlers into a single mutating webhook handler. Handlers are called in sequential order, and the first `allowed: false` response may short-circuit the rest. Users must take care to ensure patches are disjoint.

func MultiValidatingHandler added in v0.2.0

func MultiValidatingHandler(handlers ...Handler) Handler

MultiValidatingHandler combines multiple validating webhook handlers into a single validating webhook handler. Handlers are called in sequential order, and the first `allowed: false` response may short-circuit the rest.

type HandlerFunc

type HandlerFunc func(context.Context, Request) Response

HandlerFunc implements Handler interface using a single function.

func (HandlerFunc) Handle

func (f HandlerFunc) Handle(ctx context.Context, req Request) Response

Handle process the AdmissionRequest by invoking the underlying function.

type Request added in v0.2.0

type Request struct {

Request defines the input for an admission handler. It contains information to identify the object in question (group, version, kind, resource, subresource, name, namespace), as well as the operation in question (e.g. Get, Create, etc), and the object itself.

type Response added in v0.2.0

type Response struct {
	// Patches are the JSON patches for mutating webhooks.
	// Using this instead of setting Response.Patch to minimize
	// overhead of serialization and deserialization.
	// Patches set here will override any patches in the response,
	// so leave this empty if you want to set the patch response directly.
	Patches []jsonpatch.JsonPatchOperation
	// AdmissionResponse is the raw admission response.
	// The Patch field in it will be overwritten by the listed patches.

Response is the output of an admission handler. It contains a response indicating if a given operation is allowed, as well as a set of patches to mutate the object in the case of a mutating admission handler.

func Allowed added in v0.2.0

func Allowed(reason string) Response

Allowed constructs a response indicating that the given operation is allowed (without any patches).

func Denied added in v0.2.0

func Denied(reason string) Response

Denied constructs a response indicating that the given operation is not allowed.

func Errored added in v0.2.0

func Errored(code int32, err error) Response

Errored creates a new Response for error-handling a request.

func PatchResponseFromRaw added in v0.2.0

func PatchResponseFromRaw(original, current []byte) Response

PatchResponseFromRaw takes 2 byte arrays and returns a new response with json patch. The original object should be passed in as raw bytes to avoid the roundtripping problem described in

func Patched added in v0.2.0

func Patched(reason string, patches ...jsonpatch.JsonPatchOperation) Response

Patched constructs a response indicating that the given operation is allowed, and that the target object should be modified by the given JSONPatch operations.

func ValidationResponse

func ValidationResponse(allowed bool, reason string) Response

ValidationResponse returns a response for admitting a request.

func (*Response) Complete added in v0.2.0

func (r *Response) Complete(req Request) error

Complete populates any fields that are yet to be set in the underlying AdmissionResponse, It mutates the response.

func (Response) WithWarnings added in v0.7.0

func (r Response) WithWarnings(warnings ...string) Response

WithWarnings adds the given warnings to the Response. If any warnings were already given, they will not be overwritten.

type StandaloneOptions added in v0.9.0

type StandaloneOptions struct {
	// Scheme is the scheme used to resolve runtime.Objects to GroupVersionKinds / Resources
	// Defaults to the kubernetes/client-go scheme.Scheme, but it's almost always better
	// idea to pass your own scheme in.  See the documentation in pkg/scheme for more information.
	Scheme *runtime.Scheme
	// Logger to be used by the webhook.
	// If none is set, it defaults to log.Log global logger.
	Logger logr.Logger
	// MetricsPath is used for labelling prometheus metrics
	// by the path is served on.
	// If none is set, prometheus metrics will not be generated.
	MetricsPath string

StandaloneOptions let you configure a StandaloneWebhook.

type Validator added in v0.2.0

type Validator interface {
	ValidateCreate() error
	ValidateUpdate(old runtime.Object) error
	ValidateDelete() error

Validator defines functions for validating an operation.

type Webhook

type Webhook struct {
	// Handler actually processes an admission request returning whether it was allowed or denied,
	// and potentially patches to apply to the handler.
	Handler Handler

	// WithContextFunc will allow you to take the http.Request.Context() and
	// add any additional information such as passing the request path or
	// headers thus allowing you to read them from within the handler
	WithContextFunc func(context.Context, *http.Request) context.Context
	// contains filtered or unexported fields

Webhook represents each individual webhook.

It must be registered with a webhook.Server or populated by StandaloneWebhook to be ran on an arbitrary HTTP server.

func DefaultingWebhookFor added in v0.2.0

func DefaultingWebhookFor(defaulter Defaulter) *Webhook

DefaultingWebhookFor creates a new Webhook for Defaulting the provided type.

func ValidatingWebhookFor added in v0.2.0

func ValidatingWebhookFor(validator Validator) *Webhook

ValidatingWebhookFor creates a new Webhook for validating the provided type.

func WithCustomDefaulter added in v0.10.2

func WithCustomDefaulter(obj runtime.Object, defaulter CustomDefaulter) *Webhook

WithCustomDefaulter creates a new Webhook for a CustomDefaulter interface.

func WithCustomValidator added in v0.10.2

func WithCustomValidator(obj runtime.Object, validator CustomValidator) *Webhook

WithCustomValidator creates a new Webhook for validating the provided type.

func (*Webhook) GetDecoder added in v0.2.0

func (wh *Webhook) GetDecoder() *Decoder

GetDecoder returns a decoder to decode the objects embedded in admission requests. It may be nil if we haven't received a scheme to use to determine object types yet.

func (*Webhook) Handle

func (wh *Webhook) Handle(ctx context.Context, req Request) Response

Handle processes AdmissionRequest. If the webhook is mutating type, it delegates the AdmissionRequest to each handler and merge the patches. If the webhook is validating type, it delegates the AdmissionRequest to each handler and deny the request if anyone denies.

func (*Webhook) InjectFunc added in v0.2.0

func (wh *Webhook) InjectFunc(f inject.Func) error

InjectFunc injects the field setter into the webhook.

func (*Webhook) InjectLogger added in v0.2.0

func (wh *Webhook) InjectLogger(l logr.Logger) error

InjectLogger gets a handle to a logging instance, hopefully with more info about this particular webhook.

func (*Webhook) InjectScheme added in v0.2.0

func (wh *Webhook) InjectScheme(s *runtime.Scheme) error

InjectScheme injects a scheme into the webhook, in order to construct a Decoder.

func (*Webhook) ServeHTTP

func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)


Path Synopsis
Package admissiontest contains fake webhooks for validating admission webhooks
Package admissiontest contains fake webhooks for validating admission webhooks

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL