admission

package
v0.1.11 Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 14, 2019 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package admission provides libraries for creating admission webhooks.

Example
package main

import (
	"fmt"

	"k8s.io/api/admission/v1beta1"
	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)

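// main registers a pod admission webhook on the package-level registry and
// then starts the TLS server that serves it.
func main() {
	resourceType := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
	admission.HandleFunc("/pod", resourceType, func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		pod := corev1.Pod{}
		// Decode hands back a non-nil response when deserialization fails;
		// return it as-is so an undecodable object is never admitted.
		if errResp := admission.Decode(review, &pod, resourceType); errResp != nil {
			return errResp
		}
		// Business logic for admission decision.
		// Only pod.Spec.Containers is counted here; init containers are not
		// covered by this check.
		if len(pod.Spec.Containers) != 1 {
			return admission.DenyResponse(fmt.Sprintf(
				"pod %s/%s may only have 1 container.", pod.Namespace, pod.Name))
		}
		return admission.AllowResponse()
	})
	// ListenAndServeTLS returns an error. Dropping it would let the process
	// exit quietly with no webhook being served, so fail loudly instead.
	if err := admission.ListenAndServeTLS(""); err != nil {
		panic(fmt.Sprintf("admission webhook server stopped: %v", err))
	}
}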
Output:


Constants

This section is empty.

Variables

// DefaultAdmissionFns is the package-level admission registry. Its SMux is
// http.DefaultServeMux, the process-wide mux.
// NOTE(review): any other handler registered on http.DefaultServeMux in the
// same process shares this mux; confirm nothing unintended ends up reachable
// through the admission server.
var DefaultAdmissionFns = &Manager{SMux: http.DefaultServeMux}

DefaultAdmissionFns is the default admission control functions registry

Functions

func AllowResponse

func AllowResponse() *v1beta1.AdmissionResponse

AllowResponse returns a new response for admitting a request

Example
package main

import (
	"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)

// main shows the simplest call: build a response that admits the request.
func main() {
	_ = admission.AllowResponse() // the example discards the response
}
Output:

func Decode

Decode reads the Raw data from review and deserializes it into object, returning a non-nil response if there was an error.

Example
package main

import (
	"k8s.io/api/admission/v1beta1"
	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)

// main decodes the object carried by an AdmissionReview into a Pod and
// checks whether Decode reported a failure.
func main() {
	var (
		review v1beta1.AdmissionReview
		pod    corev1.Pod
	)
	podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
	// A non-nil result is the error response to send back; a real handler
	// returns it instead of continuing with a partially decoded object.
	errResp := admission.Decode(review, &pod, podsGVR)
	if errResp != nil {
		// Send error resp
	}
}
Output:

func DenyResponse

func DenyResponse(msg string) *v1beta1.AdmissionResponse

DenyResponse returns a new response for denying a request

Example
package main

import (
	"fmt"

	"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)

// main builds a deny response carrying a human-readable explanation.
func main() {
	msg := fmt.Sprintf("some deny explanation")
	admission.DenyResponse(msg) // the example discards the response
}
Output:

func ErrorResponse

func ErrorResponse(err error) *v1beta1.AdmissionResponse

ErrorResponse creates a new AdmissionResponse for an error encountered while handling the request.

Example
package main

import (
	"fmt"

	"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)

// main wraps an error value in an AdmissionResponse.
func main() {
	err := fmt.Errorf("some error explanation")
	admission.ErrorResponse(err) // the example discards the response
}
Output:

func HandleFunc

func HandleFunc(path string, gvr metav1.GroupVersionResource, fn Func)

HandleFunc registers fn as an admission control webhook callback for the specified group, version and resource.

Example
package main

import (
	"fmt"

	"k8s.io/api/admission/v1beta1"
	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)

// main registers a pod admission callback under "/pod" on the package-level
// registry. It only registers the callback; no server is started here.
func main() {
	podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}

	// singleContainer admits a pod only when it declares exactly one container.
	singleContainer := func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		var pod corev1.Pod
		// A non-nil result from Decode is the error response to return.
		errResp := admission.Decode(review, &pod, podsGVR)
		if errResp != nil {
			return errResp
		}
		// Business logic for admission decision.
		// Only pod.Spec.Containers is counted; init containers are not
		// covered by this check.
		if len(pod.Spec.Containers) == 1 {
			return admission.AllowResponse()
		}
		reason := fmt.Sprintf("pod %s/%s may only have 1 container.", pod.Namespace, pod.Name)
		return admission.DenyResponse(reason)
	}

	admission.HandleFunc("/pod", podsGVR, singleContainer)
}
Output:

func ListenAndServeTLS

func ListenAndServeTLS(addr string) error

ListenAndServeTLS starts the admission HTTP server.

Types

type Func

Func implements an AdmissionReview operation for a GroupVersionResource

Example
package main

import (
	"fmt"

	"k8s.io/api/admission/v1beta1"
	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)

// main shows that a plain function literal with the review-in, response-out
// signature satisfies admission.Func.
func main() {
	var _ admission.Func = func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		var pod corev1.Pod
		podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
		// A non-nil result from Decode is the error response to return.
		errResp := admission.Decode(review, &pod, podsGVR)
		if errResp != nil {
			return errResp
		}
		// Business logic for admission decision.
		// Only pod.Spec.Containers is counted; init containers are not
		// covered by this check.
		if len(pod.Spec.Containers) == 1 {
			return admission.AllowResponse()
		}
		reason := fmt.Sprintf("pod %s/%s may only have 1 container.", pod.Namespace, pod.Name)
		return admission.DenyResponse(reason)
	}
}
Output:

type Manager

// Manager manages admission controllers: a map of admissionHandler entries
// and an HTTP serve mux.
type Manager struct {
	// Entries maps a string key to an admissionHandler.
	// NOTE(review): presumably keyed by the path given to HandleFunc; confirm.
	Entries map[string]admissionHandler
	// SMux is the HTTP request multiplexer. DefaultAdmissionFns sets it to
	// http.DefaultServeMux; a zero-value Manager leaves it nil.
	SMux    *http.ServeMux
}

Manager manages admission controllers

func (*Manager) HandleFunc

func (e *Manager) HandleFunc(path string, gvr metav1.GroupVersionResource, fn Func)

HandleFunc registers fn as an admission control webhook callback for the specified group, version and resource.

Example
package main

import (
	"fmt"

	"k8s.io/api/admission/v1beta1"
	corev1 "k8s.io/api/core/v1"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)

// main registers a pod admission callback under "/pod" on a Manager value
// created by the caller rather than on the package-level registry.
func main() {
	podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}

	// NOTE(review): a zero-value Manager has nil Entries and a nil SMux;
	// confirm HandleFunc tolerates that, or populate the fields first.
	mgr := admission.Manager{}

	// singleContainer admits a pod only when it declares exactly one container.
	singleContainer := func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		var pod corev1.Pod
		// A non-nil result from Decode is the error response to return.
		errResp := admission.Decode(review, &pod, podsGVR)
		if errResp != nil {
			return errResp
		}
		// Business logic for admission decision.
		// Only pod.Spec.Containers is counted; init containers are not
		// covered by this check.
		if len(pod.Spec.Containers) == 1 {
			return admission.AllowResponse()
		}
		reason := fmt.Sprintf("pod %s/%s may only have 1 container.", pod.Namespace, pod.Name)
		return admission.DenyResponse(reason)
	}

	mgr.HandleFunc("/pod", podsGVR, singleContainer)
}
Output:
