package admissioncontrol

import ""


Package Files

admit_funcs.go handler.go request_logger.go server.go

func LoggingMiddleware

func LoggingMiddleware(logger log.Logger) func(http.Handler) http.Handler

LoggingMiddleware logs the incoming HTTP request & its duration.

type AdmissionError

type AdmissionError struct {
    Allowed bool
    Message string
    Debug   string
}

AdmissionError represents an error (rejection, serialization error, etc) from an AdmissionHandler endpoint/handler.

func (AdmissionError) Error

func (e AdmissionError) Error() string

type AdmissionHandler

type AdmissionHandler struct {
    // The AdmitFunc to invoke for this handler.
    AdmitFunc AdmitFunc
    // A kitlog.Logger compatible interface
    Logger log.Logger
    // LimitBytes limits the size of objects the webhook will handle.
    LimitBytes int64
    // contains filtered or unexported fields
}

AdmissionHandler represents the configuration & associated endpoint for a k8s ValidatingAdmissionController (or MutatingAdmissionController) webhook.

Multiple instances can be created with distinct AdmitFuncs to handle different admission requirements.

func (*AdmissionHandler) ServeHTTP

func (ah *AdmissionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type AdmissionServer

type AdmissionServer struct {
    // GracePeriod defines how long the server allows for in-flight connections
    // to complete before exiting.
    GracePeriod time.Duration
    // contains filtered or unexported fields
}

AdmissionServer represents an HTTP server configuration for serving an Admission Controller.

Use NewServer to create a new AdmissionServer.

func NewServer

func NewServer(srv *http.Server, logger log.Logger) (*AdmissionServer, error)

NewServer creates an unstarted AdmissionServer, ready to be started (via the 'Run' method).

The provided *http.Server must have its Handler field set, as well as a valid and non-nil TLSConfig. Kubernetes requires that Admission Controllers are only reachable over HTTPS (TLS), whether running in-cluster or externally.

func (*AdmissionServer) Run

func (as *AdmissionServer) Run(ctx context.Context) error

Run runs the AdmissionServer: it starts the configured *http.Server and blocks indefinitely.

Run will return under three explicit cases:

1. An interrupt (SIGINT; "Ctrl+C") or termination (SIGTERM) signal, such as the SIGTERM most process managers send, e.g. the one Kubernetes sends to a Pod.

2. When an error is returned from the listener on our server (fails to bind to a port, terminal network issue, etc.)

3. When the parent context is cancelled, e.g. by calling the CancelFunc returned from context.WithCancel(ctx).

This allows us to stop accepting connections, allow in-flight connections to finish gracefully (up to the configured grace period), and then close the server. You may also call the .Stop() method on the server to trigger a shutdown.

func (*AdmissionServer) Stop

func (as *AdmissionServer) Stop() error

Stop stops the AdmissionServer, if running, waiting for the configured grace period.

type AdmitFunc

type AdmitFunc func(reviewRequest *admission.AdmissionReview) (*admission.AdmissionResponse, error)

AdmitFunc is a type for building Kubernetes admission webhooks. An AdmitFunc should check whether an admission request is valid, and shall return an admission response that sets AdmissionResponse.Allowed to true or false as needed.

Users wishing to build their own admission handlers should satisfy the AdmitFunc type, and pass it to an AdmissionHandler for serving over HTTP.

Note: this mirrors the type in k8s source:

func DenyIngresses

func DenyIngresses(ignoredNamespaces []string) AdmitFunc

DenyIngresses denies any kind: Ingress from being deployed to the cluster, except for any explicitly allowed namespaces (e.g. istio-system).

Providing an empty/nil list of ignoredNamespaces will reject Ingress objects across all namespaces.

Kinds other than Ingress will be allowed.

func DenyPublicLoadBalancers

func DenyPublicLoadBalancers(ignoredNamespaces []string, provider CloudProvider) AdmitFunc

DenyPublicLoadBalancers denies any non-internal public cloud load balancers (kind: Service of type: LoadBalancer) by looking for their "internal" load balancer annotations. This prevents accidentally exposing Services to the Internet for Kubernetes clusters designed to be internal-facing only.

The required annotations are documented at

Services with a .spec.type other than LoadBalancer will NOT be rejected by this handler.

Providing an empty/nil list of ignoredNamespaces will reject LoadBalancers across all namespaces.

func EnforcePodAnnotations

func EnforcePodAnnotations(ignoredNamespaces []string, requiredAnnotations map[string]func(string) bool) AdmitFunc

EnforcePodAnnotations ensures that Pods have the required annotations by looking for a strict (case-sensitive) key-match, and then running the matchFunc (a func(string) bool) over the value.

This allows the caller to perform flexible matching - checking for valid DNS names or a list of accepted values - rather than having to iterate over all possible values, which may not be possible.

EnforcePodAnnotations can inspect Pods, Deployments, StatefulSets, DaemonSets & Jobs.

Unknown object kinds are rejected. You can create multiple versions of this AdmitFunc for a given ValidatingAdmissionWebhook configuration if you wish to apply different configurations per kind or namespace.
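The matching rule described above (exact key lookup, then a match function over the value, with unknown kinds rejected), as a stand-alone sketch over raw JSON manifests. It is an added example, not the package's code: violations, the struct types and the example.com/tier annotation are hypothetical, and it assumes workload kinds are checked on their Pod template's annotations.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Only the manifest fields this example reads.
type meta struct{ Annotations map[string]string `json:"annotations"` }
type object struct {
	Kind     string `json:"kind"`
	Metadata meta   `json:"metadata"`
	Spec     struct {
		Template struct{ Metadata meta `json:"metadata"` } `json:"template"`
	} `json:"spec"`
}

// violations lists unmet requirements, sorted (workload kinds: Pod template annotations).
func violations(raw []byte, required map[string]func(string) bool) ([]string, error) {
	var o object
	if err := json.Unmarshal(raw, &o); err != nil {
		return nil, err
	}
	have := o.Metadata.Annotations
	switch o.Kind {
	case "Pod":
	case "Deployment", "StatefulSet", "DaemonSet", "Job":
		have = o.Spec.Template.Metadata.Annotations
	default:
		return nil, fmt.Errorf("unsupported kind %q", o.Kind) // unknown kinds are rejected
	}
	var out []string
	for key, match := range required {
		if val, ok := have[key]; !ok { // exact, case-sensitive key lookup
			out = append(out, "missing: "+key)
		} else if !match(val) {
			out = append(out, fmt.Sprintf("invalid: %s=%q", key, val))
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed sample: the key differs from the required one only by case.
	pod := []byte(`{"kind":"Pod","metadata":{"annotations":{"Example.com/Tier":"web"}}}`)
	req := map[string]func(string) bool{"example.com/tier": func(v string) bool { return v == "web" }}
	fmt.Println(violations(pod, req))
}
```

A key that differs only in case counts as missing, so a manifest annotated with Example.com/Tier is reported as lacking example.com/tier.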

type CloudProvider

type CloudProvider int

CloudProvider represents supported cloud platforms for provider-specific configuration.

const (
    // GCP is a constant for Google Cloud Platform specific logic.
    GCP CloudProvider = iota
    // Azure is a constant for cloud-specific logic.
    Azure
    // AWS is a constant for Amazon Web Services specific logic.
    AWS
    // OpenStack is a constant for cloud-specific logic.
    OpenStack
)

Package admissioncontrol imports 21 packages. Updated 2020-09-15.