LoggingMiddleware logs the incoming HTTP request and its duration.
AdmissionError represents an error (rejection, serialization error, etc.) from an AdmissionHandler endpoint/handler.
AdmissionHandler represents the configuration and associated endpoint for a Kubernetes ValidatingAdmissionController (or MutatingAdmissionController) webhook.
Multiple instances can be created with distinct AdmitFuncs to handle different admission requirements.
AdmissionServer represents an HTTP server configuration for serving an Admission Controller.
Use NewServer to create a new AdmissionServer.
NewServer creates an unstarted AdmissionServer, ready to be started (via the 'Run' method).
The provided *http.Server must have its Handler field set, as well as a valid and non-nil TLSConfig. Kubernetes requires that Admission Controllers are only reachable over HTTPS (TLS), whether running in-cluster or externally.
Run starts the AdmissionServer's configured *http.Server and blocks indefinitely.
Run returns under three explicit cases:
1. An interrupt (SIGINT; "Ctrl+C") or termination (SIGTERM) signal, such as the SIGTERM most process managers send, and which Kubernetes sends to a Pod on termination: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
2. The server's listener returns an error (failure to bind to a port, a terminal network issue, etc.)
3. The parent context is cancelled; e.g. by calling the CancelFunc returned from context.WithCancel(ctx)
In each case the server stops accepting connections, allows in-flight connections to finish gracefully (up to the configured grace period), and then closes. You may also call the .Stop() method on the server to trigger a shutdown.
Stop stops the AdmissionServer, if it is running, waiting for the configured grace period.
type AdmitFunc func(reviewRequest *admission.AdmissionReview) (*admission.AdmissionResponse, error)
AdmitFunc is a type for building Kubernetes admission webhooks. An AdmitFunc should check whether an admission request is valid, and shall return an admission response that sets AdmissionResponse.Allowed to true or false as needed.
Users wishing to build their own admission handlers should satisfy the AdmitFunc type, and pass it to an AdmissionHandler for serving over HTTP.
Note: this mirrors the type in k8s source: https://github.com/kubernetes/kubernetes/blob/v1.13.0/test/images/webhook/main.go#L43-L44
DenyIngresses denies any kind: Ingress from being deployed to the cluster, except for any explicitly allowed namespaces (e.g. istio-system).
Providing an empty/nil list of ignoredNamespaces will reject Ingress objects across all namespaces.
Kinds other than Ingress will be allowed.
DenyPublicLoadBalancers denies any non-internal public cloud load balancers (kind: Service of type: LoadBalancer) by looking for their "internal" load balancer annotations. This prevents accidentally exposing Services to the Internet for Kubernetes clusters designed to be internal-facing only.
The required annotations are documented at https://kubernetes.io/docs/concepts/services-networking/#internal-load-balancer
Services with a .spec.type other than LoadBalancer will NOT be rejected by this handler.
Providing an empty/nil list of ignoredNamespaces will reject LoadBalancers across all namespaces.
EnforcePodAnnotations ensures that Pods have the required annotations by looking for a strict (case-sensitive) key-match, and then running the matchFunc (a func(string) bool) over the value.
This allows the caller to perform flexible matching (checking for valid DNS names, or for membership in a list of accepted values) rather than having to enumerate every possible value, which may not be feasible.
EnforcePodAnnotations can inspect Pods, Deployments, StatefulSets, DaemonSets & Jobs.
Unknown object kinds are rejected. You can create multiple versions of this AdmitFunc for a given ValidatingAdmissionWebhook configuration if you wish to apply different configurations per kind or namespace.
CloudProvider represents supported cloud platforms for provider-specific configuration.
const (
	// GCP is a constant for Google Cloud Platform specific logic.
	GCP CloudProvider = iota
	// Azure is a constant for Microsoft Azure specific logic.
	Azure
	// AWS is a constant for Amazon Web Services specific logic.
	AWS
	// OpenStack is a constant for OpenStack specific logic.
	OpenStack
)
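As an added example (not the package's own code), here is how a DenyPublicLoadBalancers-style AdmitFunc can be built against the internal load-balancer annotations for the four CloudProvider values above. The AdmissionReview and AdmissionResponse types are minimal stand-ins constructed for this example rather than the k8s.io/api/admission types, the provider is passed as a string rather than the CloudProvider constant, and the ignored namespaces are a set rather than a list.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed stand-ins for the k8s admission types, reduced to the fields this check reads;
// encoding/json matches keys such as "uid" and "kind" to these names case-insensitively.
type AdmissionReview struct {
	Request struct{ UID, Namespace string; Kind struct{ Kind string }; Object json.RawMessage }
}
type AdmissionResponse struct{ UID string; Allowed bool; Reason string }

// Internal load-balancer annotation key followed by its accepted values, per provider, as
// listed on the Kubernetes docs page referenced above (AWS docs have shown both values).
var internalLB = map[string][]string{
	"GCP":       {"cloud.google.com/load-balancer-type", "Internal"},
	"AWS":       {"service.beta.kubernetes.io/aws-load-balancer-internal", "true", "0.0.0.0/0"},
	"Azure":     {"service.beta.kubernetes.io/azure-load-balancer-internal", "true"},
	"OpenStack": {"service.beta.kubernetes.io/openstack-internal-load-balancer", "true"},
}

// DenyPublicLoadBalancers returns an AdmitFunc-shaped closure: a kind: Service of type LoadBalancer
// is denied unless it carries the provider's internal annotation or its namespace is ignored; other
// kinds and Service types pass. An unknown provider has no annotation to match, so it fails closed.
func DenyPublicLoadBalancers(ignored map[string]bool, provider string) func(*AdmissionReview) (*AdmissionResponse, error) {
	ann := internalLB[provider] // nil for an unknown provider
	return func(rev *AdmissionReview) (*AdmissionResponse, error) {
		resp := &AdmissionResponse{UID: rev.Request.UID, Allowed: true}
		if ignored[rev.Request.Namespace] || rev.Request.Kind.Kind != "Service" {
			return resp, nil
		}
		var svc struct{ Metadata struct{ Annotations map[string]string }; Spec struct{ Type string } } // only the Service fields the policy reads
		if err := json.Unmarshal(rev.Request.Object, &svc); err != nil {
			return nil, fmt.Errorf("decoding Service: %w", err)
		}
		if svc.Spec.Type != "LoadBalancer" {
			return resp, nil
		}
		for i := 1; i < len(ann); i++ {
			if svc.Metadata.Annotations[ann[0]] == ann[i] {
				return resp, nil // carries the provider's internal annotation
			}
		}
		resp.Allowed = false
		resp.Reason = fmt.Sprintf("public LoadBalancer Services are denied; set the %s internal load-balancer annotation", provider)
		return resp, nil
	}
}
```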