package admission

import "sigs.k8s.io/controller-runtime/pkg/webhook/admission"

Package admission provides implementation for admission webhook and methods to implement admission webhook handlers.

The following snippet is an example implementation of mutating handler.

type Mutator struct {
	client  client.Client
	decoder types.Decoder
}

func (m *Mutator) mutatePodsFn(ctx context.Context, pod *corev1.Pod) error {
	// your logic to mutate the passed-in pod.
}

func (m *Mutator) Handle(ctx context.Context, req types.Request) types.Response {
	pod := &corev1.Pod{}
	err := m.decoder.Decode(req, pod)
	if err != nil {
		return admission.ErrorResponse(http.StatusBadRequest, err)
	}
	// Do deepcopy before actually mutate the object.
	copy := pod.DeepCopy()
	err = m.mutatePodsFn(ctx, copy)
	if err != nil {
		return admission.ErrorResponse(http.StatusInternalServerError, err)
	}
	return admission.PatchResponse(pod, copy)
}

// InjectClient is called by the Manager and provides a client.Client to the Mutator instance.
func (m *Mutator) InjectClient(c client.Client) error {
	h.client = c
	return nil
}

// InjectDecoder is called by the Manager and provides a types.Decoder to the Mutator instance.
func (m *Mutator) InjectDecoder(d types.Decoder) error {
	h.decoder = d
	return nil
}

The following snippet is an example implementation of validating handler.

type Handler struct {
	client  client.Client
	decoder types.Decoder
}

func (v *Validator) validatePodsFn(ctx context.Context, pod *corev1.Pod) (bool, string, error) {
	// your business logic
}

func (v *Validator) Handle(ctx context.Context, req types.Request) types.Response {
	pod := &corev1.Pod{}
	err := h.decoder.Decode(req, pod)
	if err != nil {
		return admission.ErrorResponse(http.StatusBadRequest, err)
	}

	allowed, reason, err := h.validatePodsFn(ctx, pod)
	if err != nil {
		return admission.ErrorResponse(http.StatusInternalServerError, err)
	}
	return admission.ValidationResponse(allowed, reason)
}

// InjectClient is called by the Manager and provides a client.Client to the Validator instance.
func (v *Validator) InjectClient(c client.Client) error {
	h.client = c
	return nil
}

// InjectDecoder is called by the Manager and provides a types.Decoder to the Validator instance.
func (v *Validator) InjectDecoder(d types.Decoder) error {
	h.decoder = d
	return nil
}

Index ¶

• func ErrorResponse(code int32, err error) types.Response
• func NewDecoder(scheme *runtime.Scheme) (types.Decoder, error)
• func PatchResponse(original, current runtime.Object) types.Response
• func ValidationResponse(allowed bool, reason string) types.Response
• type DecodeFunc
• func (f DecodeFunc) Decode(req types.Request, obj runtime.Object) error
• type Handler
• type HandlerFunc
• func (f HandlerFunc) Handle(ctx context.Context, req atypes.Request) atypes.Response
• type Webhook
• func (w *Webhook) Add(handlers ...Handler)
• func (w *Webhook) GetName() string
• func (w *Webhook) GetPath() string
• func (w *Webhook) GetType() types.WebhookType
• func (w *Webhook) Handle(ctx context.Context, req atypes.Request) atypes.Response
• func (w *Webhook) Handler() http.Handler
• func (w *Webhook) InjectClient(c client.Client) error
• func (w *Webhook) InjectDecoder(d atypes.Decoder) error
• func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)
• func (w *Webhook) Validate() error

Package Files ¶

decode.go doc.go http.go response.go webhook.go

func ErrorResponse ¶ Uses

func ErrorResponse(code int32, err error) types.Response

ErrorResponse creates a new Response for error-handling a request.

func NewDecoder ¶ Uses

func NewDecoder(scheme *runtime.Scheme) (types.Decoder, error)

NewDecoder creates a Decoder given the runtime.Scheme

func PatchResponse ¶ Uses

func PatchResponse(original, current runtime.Object) types.Response

PatchResponse returns a new response with json patch.

func ValidationResponse ¶ Uses

func ValidationResponse(allowed bool, reason string) types.Response

ValidationResponse returns a response for admitting a request.

type DecodeFunc ¶ Uses

type DecodeFunc func(types.Request, runtime.Object) error

DecodeFunc is a function that implements the Decoder interface.

func (DecodeFunc) Decode ¶ Uses

func (f DecodeFunc) Decode(req types.Request, obj runtime.Object) error

Decode implements the Decoder interface.

type Handler ¶ Uses

type Handler interface {
    Handle(context.Context, atypes.Request) atypes.Response
}

Handler can handle an AdmissionRequest.

type HandlerFunc ¶ Uses

type HandlerFunc func(context.Context, atypes.Request) atypes.Response

HandlerFunc implements Handler interface using a single function.

func (HandlerFunc) Handle ¶ Uses

func (f HandlerFunc) Handle(ctx context.Context, req atypes.Request) atypes.Response

Handle process the AdmissionRequest by invoking the underlying function.

type Webhook ¶ Uses

type Webhook struct {
    // Name is the name of the webhook
    Name string
    // Type is the webhook type, i.e. mutating, validating
    Type types.WebhookType
    // Path is the path this webhook will serve.
    Path string
    // Rules maps to the Rules field in admissionregistrationv1beta1.Webhook
    Rules []admissionregistrationv1beta1.RuleWithOperations
    // FailurePolicy maps to the FailurePolicy field in admissionregistrationv1beta1.Webhook
    // This optional. If not set, will be defaulted to Ignore (fail-open) by the server.
    // More details: https://github.com/kubernetes/api/blob/f5c295feaba2cbc946f0bbb8b535fc5f6a0345ee/admissionregistration/v1beta1/types.go#L144-L147
    FailurePolicy *admissionregistrationv1beta1.FailurePolicyType
    // NamespaceSelector maps to the NamespaceSelector field in admissionregistrationv1beta1.Webhook
    // This optional.
    NamespaceSelector *metav1.LabelSelector
    // Handlers contains a list of handlers. Each handler may only contains the business logic for its own feature.
    // For example, feature foo and bar can be in the same webhook if all the other configurations are the same.
    // The handler will be invoked sequentially as the order in the list.
    // Note: if you are using mutating webhook with multiple handlers, it's your responsibility to
    // ensure the handlers are not generating conflicting JSON patches.
    Handlers []Handler
    // contains filtered or unexported fields
}

Webhook represents each individual webhook.

func (*Webhook) Add ¶ Uses

func (w *Webhook) Add(handlers ...Handler)

Add adds additional handler(s) in the webhook

func (*Webhook) GetName ¶ Uses

func (w *Webhook) GetName() string

GetName returns the name of the webhook.

func (*Webhook) GetPath ¶ Uses

func (w *Webhook) GetPath() string

GetPath returns the path that the webhook registered.

func (*Webhook) GetType ¶ Uses

func (w *Webhook) GetType() types.WebhookType

GetType returns the type of the webhook.

func (*Webhook) Handle ¶ Uses

func (w *Webhook) Handle(ctx context.Context, req atypes.Request) atypes.Response

Handle processes AdmissionRequest. If the webhook is mutating type, it delegates the AdmissionRequest to each handler and merge the patches. If the webhook is validating type, it delegates the AdmissionRequest to each handler and deny the request if anyone denies.

func (*Webhook) Handler ¶ Uses

func (w *Webhook) Handler() http.Handler

Handler returns a http.Handler for the webhook

func (*Webhook) InjectClient ¶ Uses

func (w *Webhook) InjectClient(c client.Client) error

InjectClient injects the client into the handlers

func (*Webhook) InjectDecoder ¶ Uses

func (w *Webhook) InjectDecoder(d atypes.Decoder) error

InjectDecoder injects the decoder into the handlers

func (*Webhook) ServeHTTP ¶ Uses

func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)

func (*Webhook) Validate ¶ Uses

func (w *Webhook) Validate() error

Validate validates if the webhook is valid.

Directories ¶