k8s-ingress-claim

command module

v0.0.0-...-ca10516 Latest Latest Go to latest Published: Jul 9, 2018 License: BSD-3-Clause Imports: 22 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/yahoo/k8s-ingress-claim

Links

Open Source Insights

README ¶

k8s-ingress-claim

Description

k8s-ingress-claim provides an admission control policy that safeguards against accidental duplicate claiming of Hosts/Domains by ingresses that have already been claimed by existing ingresses.

Implementation

This is implemented as an External Admission Webhook with the k8s-ingress-claim service running as a deployment on each cluster.

The webhook is configured to send admission review requests for CREATE and UPDATE operations on ingress resources to the k8s-ingress-claim service. The k8s-ingress-claim service listens on a HTTPS port and on receiving such requests, it resolves the ingress claim provider for the new ingress resource and the provider implementation validates that no other existing ingresses own the hosts/domains being claimed. Every ingress claim provider may implement the validation to make sure the domain claims conform to its routing policies.

This repository includes the domain claim validation check implementations for two ingress claim providers:

Apache Traffic Server
Istio

The example implementations on this repository assume that the ingresses claim domains on a FCFS basis.

The admission webhook service also provides a ValidateSemantics interface for the ingress claim provider to perform provider specific semantic validation checks to ensure the ingress resources spec conform to policy specifications.

Basic Dev Setup

Git clone to your local directory.
Build binary:
- Mac os: go build -i -o k8s-ingress-claim
- Rhel: env GOOS=linux GOARCH=386 go build -i -o k8s-ingress-claim
Run binary: ./k8s-ingress-claim.
Follow standard Go code format: gofmt -w *.go

Command Line Parameters

Usage of k8s-ingress-claim:
  -admitAll
    	True to admit all ingress without validation.
  -alsologtostderr
    	log to standard error as well as files
  -certFile string
    	The cert file for the https server. (default "/etc/ssl/certs/ingress-claim/server.crt")
  -clientAuth
    	True to verify client cert/auth during TLS handshake.
  -clientCAFile string
    	The cluster root CA that signs the apiserver cert (default "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
  -keyFile string
    	The key file for the https server. (default "/etc/ssl/certs/ingress-claim/server-key.pem")
  -logFile string
    	Log file name and full path. (default "/var/log/ingress-claim.log")
  -logLevel string
    	The log level. (default "info")
  -port string
    	HTTPS server port. (default "443")

Documentation ¶

Overview ¶

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
pkg
provider
util

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL