options

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 4, 2024 License: Apache-2.0 Imports: 84 Imported by: 2

Documentation

Overview

Copyright Contributors to the Open Cluster Management project

Index

Constants

This section is empty.

Variables

View Source 
var AllOrderedPlugins = []string{
	autoprovision.PluginName,
	lifecycle.PluginName,
	exists.PluginName,
	serviceaccount.PluginName,
	eventratelimit.PluginName,
	gc.PluginName,
	certapproval.PluginName,
	certsigning.PluginName,
	certsubjectrestriction.PluginName,

	managedclustermutating.PluginName,
	managedclustervalidating.PluginName,
	managedclustersetbindingvalidating.PluginName,
	manifestworkvalidating.PluginName,

	mutatingwebhook.PluginName,
	validatingadmissionpolicy.PluginName,
	validatingwebhook.PluginName,
	resourcequota.PluginName,
}

AllOrderedPlugins is the list of all the plugins in order.

Functions

func DefaultOffAdmissionPlugins 

func DefaultOffAdmissionPlugins() sets.Set[string]

DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.

func RegisterAllAdmissionPlugins 

func RegisterAllAdmissionPlugins(plugins *admission.Plugins)

RegisterAllAdmissionPlugins registers all admission plugins. The order of registration is irrelevant, see AllOrderedPlugins for execution order.

Types

type AdmissionOptions 

type AdmissionOptions struct {
	// GenericAdmission holds the generic admission options.
	GenericAdmission *genericoptions.AdmissionOptions
}

AdmissionOptions holds the admission options. It is a wrap of generic AdmissionOptions.

func NewAdmissionOptions 

func NewAdmissionOptions() *AdmissionOptions

NewAdmissionOptions creates a new instance of AdmissionOptions Note: 

In addition it calls RegisterAllAdmissionPlugins to register
all kube-apiserver admission plugins.

Provides the list of RecommendedPluginOrder that holds sane values
that can be used by servers that don't care about admission chain.
Servers that do care can overwrite/append that field after creation.

func (*AdmissionOptions) AddFlags 

func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet)

AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet

func (*AdmissionOptions) ApplyTo 

func (a *AdmissionOptions) ApplyTo(
	c *server.Config,
	informers informers.SharedInformerFactory,
	kubeClient kubernetes.Interface,
	dynamicClient dynamic.Interface,
	features featuregate.FeatureGate,
	pluginInitializers ...admission.PluginInitializer,
) error

ApplyTo adds the admission chain to the server configuration. Kube-apiserver just call generic AdmissionOptions.ApplyTo.

func (*AdmissionOptions) Validate 

func (a *AdmissionOptions) Validate() []error

Validate verifies flags passed to kube-apiserver AdmissionOptions. Kube-apiserver verifies PluginNames and then call generic AdmissionOptions.Validate.

type AnonymousAuthenticationOptions 

type AnonymousAuthenticationOptions struct {
	Allow bool
}

AnonymousAuthenticationOptions contains anonymous authentication options for API Server

type BootstrapTokenAuthenticationOptions 

type BootstrapTokenAuthenticationOptions struct {
	Enable bool
}

BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server

type BuiltInAuthenticationOptions 

type BuiltInAuthenticationOptions struct {
	APIAudiences    []string
	Anonymous       *AnonymousAuthenticationOptions
	BootstrapToken  *BootstrapTokenAuthenticationOptions
	ClientCert      *genericoptions.ClientCertAuthenticationOptions
	OIDC            *OIDCAuthenticationOptions
	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
	ServiceAccounts *ServiceAccountAuthenticationOptions
	TokenFile       *TokenFileAuthenticationOptions
	WebHook         *WebHookAuthenticationOptions

	TokenSuccessCacheTTL time.Duration
	TokenFailureCacheTTL time.Duration

	DelegatingAuthenticatorConfig *DelegatingAuthenticatorConfig
}

BuiltInAuthenticationOptions contains all build-in authentication options for API Server

func NewBuiltInAuthenticationOptions 

func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions

NewBuiltInAuthenticationOptions create a new BuiltInAuthenticationOptions, just set default token cache TTL

func (*BuiltInAuthenticationOptions) AddFlags 

func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet)

AddFlags returns flags of authentication for a API Server

func (*BuiltInAuthenticationOptions) ApplyAuthorization 

func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions)

ApplyAuthorization will conditionally modify the authentication options based on the authorization options

func (*BuiltInAuthenticationOptions) ApplyTo 

func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, openAPIV3Config *openapicommon.OpenAPIV3Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error

ApplyTo requires already applied OpenAPIConfig and EgressSelector if present.

func (*BuiltInAuthenticationOptions) ToAuthenticationConfig 

func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error)

ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config

func (*BuiltInAuthenticationOptions) Validate 

func (o *BuiltInAuthenticationOptions) Validate() []error

Validate checks invalid config combination

func (*BuiltInAuthenticationOptions) WithAll 

func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions

WithAll set default value for every build-in authentication option

func (*BuiltInAuthenticationOptions) WithAnonymous 

func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions

WithAnonymous set default value for anonymous authentication

func (*BuiltInAuthenticationOptions) WithBootstrapToken 

func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions

WithBootstrapToken set default value for bootstrap token authentication

func (*BuiltInAuthenticationOptions) WithClientCert 

func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions

WithClientCert set default value for client cert

func (*BuiltInAuthenticationOptions) WithOIDC 

func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions

WithOIDC set default value for OIDC authentication

func (*BuiltInAuthenticationOptions) WithRequestHeader 

func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions

WithRequestHeader set default value for request header authentication

func (*BuiltInAuthenticationOptions) WithServiceAccounts 

func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions

WithServiceAccounts set default value for service account authentication

func (*BuiltInAuthenticationOptions) WithTokenFile 

func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions

WithTokenFile set default value for token file authentication

func (*BuiltInAuthenticationOptions) WithWebHook 

func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions

WithWebHook set default value for web hook authentication

type BuiltInAuthorizationOptions 

type BuiltInAuthorizationOptions struct {
	Modes                       []string
	PolicyFile                  string
	WebhookConfigFile           string
	WebhookVersion              string
	WebhookCacheAuthorizedTTL   time.Duration
	WebhookCacheUnauthorizedTTL time.Duration
	// WebhookRetryBackoff specifies the backoff parameters for the authorization webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff
}

BuiltInAuthorizationOptions contains all build-in authorization options for API Server

func NewBuiltInAuthorizationOptions 

func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions

NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value

func (*BuiltInAuthorizationOptions) AddFlags 

func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet)

AddFlags returns flags of authorization for a API Server

func (*BuiltInAuthorizationOptions) ToAuthorizationConfig 

func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config

ToAuthorizationConfig convert BuiltInAuthorizationOptions to authorizer.Config

func (*BuiltInAuthorizationOptions) Validate 

func (o *BuiltInAuthorizationOptions) Validate() []error

Validate checks invalid config combination

type DelegatingAuthenticatorConfig 

type DelegatingAuthenticatorConfig struct {
	// TokenAccessReviewTimeout specifies a time limit for requests made by the authorization webhook client.
	TokenAccessReviewTimeout time.Duration

	// WebhookRetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff

	// CacheTTL is the length of time that a token authentication answer will be cached.
	CacheTTL time.Duration

	APIAudiences authenticator.Audiences
	// contains filtered or unexported fields
}

func (*DelegatingAuthenticatorConfig) New 

func (d *DelegatingAuthenticatorConfig) New() (authenticator.Request, error)

func (*DelegatingAuthenticatorConfig) Start 

func (d *DelegatingAuthenticatorConfig) Start(ctx context.Context)

type EmbeddedEtcd 

type EmbeddedEtcd struct {
	Enabled bool

	Directory    string
	PeerPort     string
	ClientPort   string
	WalSizeBytes int64
}

func NewEmbeddedEtcd 

func NewEmbeddedEtcd() *EmbeddedEtcd

func (*EmbeddedEtcd) AddFlags 

func (e *EmbeddedEtcd) AddFlags(fs *pflag.FlagSet)

func (*EmbeddedEtcd) Validate 

func (e *EmbeddedEtcd) Validate() []error

type ExtraOptions 

type ExtraOptions struct {
	EmbeddedEtcd  *EmbeddedEtcd
	ClientKeyFile string
}

type OIDCAuthenticationOptions 

type OIDCAuthenticationOptions struct {
	CAFile         string
	ClientID       string
	IssuerURL      string
	UsernameClaim  string
	UsernamePrefix string
	GroupsClaim    string
	GroupsPrefix   string
	SigningAlgs    []string
	RequiredClaims map[string]string
}

OIDCAuthenticationOptions contains OIDC authentication options for API Server

type ServerRunOptions 

type ServerRunOptions struct {
	GenericServerRunOptions *genericoptions.ServerRunOptions
	Etcd                    *genericoptions.EtcdOptions
	SecureServing           *genericoptions.SecureServingOptionsWithLoopback
	Audit                   *genericoptions.AuditOptions
	Features                *genericoptions.FeatureOptions
	Traces                  *genericoptions.TracingOptions
	APIEnablement           *genericoptions.APIEnablementOptions
	EgressSelector          *genericoptions.EgressSelectorOptions

	Admission      *AdmissionOptions
	Authentication *BuiltInAuthenticationOptions
	Authorization  *BuiltInAuthorizationOptions

	ServiceClusterIPRanges string // ServiceClusterIPRange is mapped to input provided by user
	// PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results
	// of parsing ServiceClusterIPRange into actual values
	PrimaryServiceClusterIPRange   net.IPNet
	APIServerServiceIP             net.IP // APIServerServiceIP is the first valid IP from PrimaryServiceClusterIPRange
	SecondaryServiceClusterIPRange net.IPNet

	Metrics                           *metrics.Options
	Logs                              *logs.Options
	EventTTL                          time.Duration
	IdentityLeaseDurationSeconds      int
	IdentityLeaseRenewIntervalSeconds int
	EndpointReconcilerType            string

	EnableAggregatorRouting  bool
	AllowPrivileged          bool
	MaxConnectionBytesPerSec int64

	ServiceAccountSigningKeyFile     string
	ServiceAccountIssuer             serviceaccount.TokenGenerator
	ServiceAccountTokenMaxExpiration time.Duration

	KubeletConfig kubeletclient.KubeletClientConfig
	ExtraOptions  *ExtraOptions

	KubeControllerManagerOptions *kubectrmgroptions.KubeControllerManagerOptions

	// ControlplaneConfigDir contains minimum requried configurations for server
	ControlplaneConfigDir string
	// ControlplaneDataDir is used for saving controlplane data
	ControlplaneDataDir string

	// EnableSelfManagement register the current cluster self as a managed cluster
	EnableSelfManagement bool
	// SelfManagementClusterName is the name of self management cluster, by default, it's local-cluster
	SelfManagementClusterName string

	// options for registration hub controller
	RegistrationOpts *registrationhub.HubManagerOptions

	// EnableDelegatingAuthentication delegate the authentication with controlplane hosing cluster
	EnableDelegatingAuthentication bool

	ProxyClientCertFile string
	ProxyClientKeyFile  string
}

ServerRunOptions runs a kubernetes api server.

func NewServerRunOptions 

func NewServerRunOptions() *ServerRunOptions

NewOptions creates a new Options with default parameters

func (*ServerRunOptions) AddFlags 

func (options *ServerRunOptions) AddFlags(fs *pflag.FlagSet)

func (*ServerRunOptions) Complete 

func (s *ServerRunOptions) Complete(stopCh <-chan struct{}) error

Complete set default Options. Should be called after kube-apiserver flags parsed.

func (*ServerRunOptions) InitServerRunOptions 

func (o *ServerRunOptions) InitServerRunOptions(cfg *configs.ControlplaneRunConfig) error

func (*ServerRunOptions) Validate 

func (s *ServerRunOptions) Validate() error

type ServiceAccountAuthenticationOptions 

type ServiceAccountAuthenticationOptions struct {
	KeyFiles         []string
	Lookup           bool
	Issuers          []string
	JWKSURI          string
	MaxExpiration    time.Duration
	ExtendExpiration bool
}

ServiceAccountAuthenticationOptions contains service account authentication options for API Server

type TokenFileAuthenticationOptions 

type TokenFileAuthenticationOptions struct {
	TokenFile string
}

TokenFileAuthenticationOptions contains token file authentication options for API Server

type WebHookAuthenticationOptions 

type WebHookAuthenticationOptions struct {
	ConfigFile string
	Version    string
	CacheTTL   time.Duration

	// RetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	RetryBackoff *wait.Backoff
}

WebHookAuthenticationOptions contains web hook authentication options for API Server

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.