package admission

import "sigs.k8s.io/controller-runtime/pkg/webhook/admission"

Package admission provides implementation for admission webhook and methods to implement admission webhook handlers.

See examples/mutatingwebhook.go and examples/validatingwebhook.go for examples of admission webhooks.

Index ¶

• func InjectDecoderInto(decoder *Decoder, i interface{}) (bool, error)
• type Decoder
• func NewDecoder(scheme *runtime.Scheme) (*Decoder, error)
• func (d *Decoder) Decode(req Request, into runtime.Object) error
• func (d *Decoder) DecodeRaw(rawObj runtime.RawExtension, into runtime.Object) error
• type DecoderInjector
• type Defaulter
• type Handler
• func MultiMutatingHandler(handlers ...Handler) Handler
• func MultiValidatingHandler(handlers ...Handler) Handler
• type HandlerFunc
• func (f HandlerFunc) Handle(ctx context.Context, req Request) Response
• type Request
• type Response
• func Allowed(reason string) Response
• func Denied(reason string) Response
• func Errored(code int32, err error) Response
• func PatchResponseFromRaw(original, current []byte) Response
• func Patched(reason string, patches ...jsonpatch.JsonPatchOperation) Response
• func ValidationResponse(allowed bool, reason string) Response
• func (r *Response) Complete(req Request) error
• func (r Response) WithWarnings(warnings ...string) Response
• type Validator
• type Webhook
• func DefaultingWebhookFor(defaulter Defaulter) *Webhook
• func ValidatingWebhookFor(validator Validator) *Webhook
• func (w *Webhook) GetDecoder() *Decoder
• func (w *Webhook) Handle(ctx context.Context, req Request) Response
• func (w *Webhook) InjectFunc(f inject.Func) error
• func (w *Webhook) InjectLogger(l logr.Logger) error
• func (w *Webhook) InjectScheme(s *runtime.Scheme) error
• func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)

Package Files ¶

decode.go defaulter.go doc.go http.go inject.go multi.go response.go validator.go webhook.go

func InjectDecoderInto ¶ Uses

func InjectDecoderInto(decoder *Decoder, i interface{}) (bool, error)

InjectDecoderInto will set decoder on i and return the result if it implements Decoder. Returns false if i does not implement Decoder.

type Decoder ¶ Uses

type Decoder struct {
    // contains filtered or unexported fields
}

Decoder knows how to decode the contents of an admission request into a concrete object.

func NewDecoder ¶ Uses

func NewDecoder(scheme *runtime.Scheme) (*Decoder, error)

NewDecoder creates a Decoder given the runtime.Scheme

func (*Decoder) Decode ¶ Uses

func (d *Decoder) Decode(req Request, into runtime.Object) error

Decode decodes the inlined object in the AdmissionRequest into the passed-in runtime.Object. If you want decode the OldObject in the AdmissionRequest, use DecodeRaw. It errors out if req.Object.Raw is empty i.e. containing 0 raw bytes.

func (*Decoder) DecodeRaw ¶ Uses

func (d *Decoder) DecodeRaw(rawObj runtime.RawExtension, into runtime.Object) error

DecodeRaw decodes a RawExtension object into the passed-in runtime.Object. It errors out if rawObj is empty i.e. containing 0 raw bytes.

type DecoderInjector ¶ Uses

type DecoderInjector interface {
    InjectDecoder(*Decoder) error
}

DecoderInjector is used by the ControllerManager to inject decoder into webhook handlers.

type Defaulter ¶ Uses

type Defaulter interface {
    runtime.Object
    Default()
}

Defaulter defines functions for setting defaults on resources

type Handler ¶ Uses

type Handler interface {
    // Handle yields a response to an AdmissionRequest.
    //
    // The supplied context is extracted from the received http.Request, allowing wrapping
    // http.Handlers to inject values into and control cancelation of downstream request processing.
    Handle(context.Context, Request) Response
}

Handler can handle an AdmissionRequest.

func MultiMutatingHandler ¶ Uses

func MultiMutatingHandler(handlers ...Handler) Handler

MultiMutatingHandler combines multiple mutating webhook handlers into a single mutating webhook handler. Handlers are called in sequential order, and the first `allowed: false` response may short-circuit the rest. Users must take care to ensure patches are disjoint.

func MultiValidatingHandler ¶ Uses

func MultiValidatingHandler(handlers ...Handler) Handler

MultiValidatingHandler combines multiple validating webhook handlers into a single validating webhook handler. Handlers are called in sequential order, and the first `allowed: false` response may short-circuit the rest.

type HandlerFunc ¶ Uses

type HandlerFunc func(context.Context, Request) Response

HandlerFunc implements Handler interface using a single function.

func (HandlerFunc) Handle ¶ Uses

func (f HandlerFunc) Handle(ctx context.Context, req Request) Response

Handle process the AdmissionRequest by invoking the underlying function.

type Request ¶ Uses

type Request struct {
    admissionv1beta1.AdmissionRequest
}

Request defines the input for an admission handler. It contains information to identify the object in question (group, version, kind, resource, subresource, name, namespace), as well as the operation in question (e.g. Get, Create, etc), and the object itself.

type Response ¶ Uses

type Response struct {
    // Patches are the JSON patches for mutating webhooks.
    // Using this instead of setting Response.Patch to minimize
    // overhead of serialization and deserialization.
    // Patches set here will override any patches in the response,
    // so leave this empty if you want to set the patch response directly.
    Patches []jsonpatch.JsonPatchOperation
    // AdmissionResponse is the raw admission response.
    // The Patch field in it will be overwritten by the listed patches.
    admissionv1beta1.AdmissionResponse
}

Response is the output of an admission handler. It contains a response indicating if a given operation is allowed, as well as a set of patches to mutate the object in the case of a mutating admission handler.

func Allowed ¶ Uses

func Allowed(reason string) Response

Allowed constructs a response indicating that the given operation is allowed (without any patches).

func Denied ¶ Uses

func Denied(reason string) Response

Denied constructs a response indicating that the given operation is not allowed.

func Errored ¶ Uses

func Errored(code int32, err error) Response

Errored creates a new Response for error-handling a request.

func PatchResponseFromRaw ¶ Uses

func PatchResponseFromRaw(original, current []byte) Response

PatchResponseFromRaw takes 2 byte arrays and returns a new response with json patch. The original object should be passed in as raw bytes to avoid the roundtripping problem described in https://github.com/kubernetes-sigs/kubebuilder/issues/510.

func Patched ¶ Uses

func Patched(reason string, patches ...jsonpatch.JsonPatchOperation) Response

Patched constructs a response indicating that the given operation is allowed, and that the target object should be modified by the given JSONPatch operations.

func ValidationResponse ¶ Uses

func ValidationResponse(allowed bool, reason string) Response

ValidationResponse returns a response for admitting a request.

func (*Response) Complete ¶ Uses

func (r *Response) Complete(req Request) error

Complete populates any fields that are yet to be set in the underlying AdmissionResponse, It mutates the response.

func (Response) WithWarnings ¶ Uses

func (r Response) WithWarnings(warnings ...string) Response

WithWarnings adds the given warnings to the Response. If any warnings were already given, they will not be overwritten.

type Validator ¶ Uses

type Validator interface {
    runtime.Object
    ValidateCreate() error
    ValidateUpdate(old runtime.Object) error
    ValidateDelete() error
}

Validator defines functions for validating an operation

type Webhook ¶ Uses

type Webhook struct {
    // Handler actually processes an admission request returning whether it was allowed or denied,
    // and potentially patches to apply to the handler.
    Handler Handler
    // contains filtered or unexported fields
}

Webhook represents each individual webhook.

func DefaultingWebhookFor ¶ Uses

func DefaultingWebhookFor(defaulter Defaulter) *Webhook

DefaultingWebhookFor creates a new Webhook for Defaulting the provided type.

func ValidatingWebhookFor ¶ Uses

func ValidatingWebhookFor(validator Validator) *Webhook

ValidatingWebhookFor creates a new Webhook for validating the provided type.

func (*Webhook) GetDecoder ¶ Uses

func (w *Webhook) GetDecoder() *Decoder

GetDecoder returns a decoder to decode the objects embedded in admission requests. It may be nil if we haven't received a scheme to use to determine object types yet.

func (*Webhook) Handle ¶ Uses

func (w *Webhook) Handle(ctx context.Context, req Request) Response

Handle processes AdmissionRequest. If the webhook is mutating type, it delegates the AdmissionRequest to each handler and merge the patches. If the webhook is validating type, it delegates the AdmissionRequest to each handler and deny the request if anyone denies.

func (*Webhook) InjectFunc ¶ Uses

func (w *Webhook) InjectFunc(f inject.Func) error

InjectFunc injects the field setter into the webhook.

func (*Webhook) InjectLogger ¶ Uses

func (w *Webhook) InjectLogger(l logr.Logger) error

InjectLogger gets a handle to a logging instance, hopefully with more info about this particular webhook.

func (*Webhook) InjectScheme ¶ Uses

func (w *Webhook) InjectScheme(s *runtime.Scheme) error

InjectScheme injects a scheme into the webhook, in order to construct a Decoder.

func (*Webhook) ServeHTTP ¶ Uses

func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)