webhook

package
v0.1.0 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 23, 2026 License: MIT Imports: 30 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateClientAuthCertificateForTest

func GenerateClientAuthCertificateForTest(commonName string) ([]byte, []byte, []byte, error)

GenerateClientAuthCertificateForTest generates a client auth certificate signed by a self-signed CA for use in tests outside the webhook package.

Types

type CIDRAllocator

type CIDRAllocator interface {
	// TryAllocateForNode attempts to allocate pod CIDRs for a node.
	// Returns (podCIDR, podCIDRs, siteName, true) on success or
	// ("", nil, "", false) if allocation is not possible.
	TryAllocateForNode(nodeName string, internalIPs []string) (string, []string, string, bool)
}

CIDRAllocator provides pod CIDR allocation for the mutating webhook.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is a handler registrar for validating and mutating admission webhooks plus aggregated API discovery endpoints. It does not own an HTTP server or manage TLS certificates -- callers register its handlers on an externally-managed mux and serve it with their own TLS configuration.

func NewServer

func NewServer(clientset kubernetes.Interface, restConfig *rest.Config, namespace string) (*Server, error)

NewServer creates a webhook handler registrar. It does not start any HTTP server; call RegisterHandlers to wire routes onto the internal mux and then serve the mux externally.

func NewTestServer

func NewTestServer(clientset kubernetes.Interface, namespace string) *Server

NewTestServer creates a minimal Server for use in tests outside the webhook package. It does not require a rest.Config and wires no validator.

func (*Server) GetClientCAs

func (s *Server) GetClientCAs() *x509.CertPool

GetClientCAs returns the front-proxy client CA pool so callers can set it on the unified TLS server's ClientCAs. The returned pool may be nil if the extension-apiserver-authentication ConfigMap has not been loaded yet.

func (*Server) IsTrustedAggregatedRequest

func (s *Server) IsTrustedAggregatedRequest(r *http.Request) bool

IsTrustedAggregatedRequest validates that aggregated API requests arrive with a verified client certificate signed by the cluster front-proxy CA.

func (*Server) Mux

func (s *Server) Mux() *http.ServeMux

Mux returns the HTTP mux so external code can register handlers on the webhook TLS server before it starts.

func (*Server) RefreshAggregatedClientCAs

func (s *Server) RefreshAggregatedClientCAs(ctx context.Context)

RefreshAggregatedClientCAs reloads the front-proxy client CA bundle from the extension-apiserver-authentication ConfigMap in kube-system.

func (*Server) RegisterHandlers

func (s *Server) RegisterHandlers(ctx context.Context)

RegisterHandlers registers the webhook and aggregated discovery handlers on the internal mux and starts a background goroutine that periodically refreshes the front-proxy client CA bundle. It does not start an HTTP server.
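One way a caller might build the TLS configuration around GetClientCAs, given that the pool may be nil and is refreshed in the background. This is an added example, not code from this package: serverTLSConfig, caSource and staticCAs are hypothetical names, and the VerifyClientCertIfGiven policy is an assumption.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// caSource is the one *Server method used here, with the signature documented above.
type caSource interface{ GetClientCAs() *x509.CertPool }

// serverTLSConfig (hypothetical helper) re-reads the CA pool on every handshake,
// so a bundle loaded by the periodic refresh takes effect without a restart.
func serverTLSConfig(s caSource, cert tls.Certificate) *tls.Config {
	base := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{cert},
		// Assumption: webhook callers may connect without a client certificate,
		// so one is verified only when presented.
		ClientAuth: tls.VerifyClientCertIfGiven,
	}
	base.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		cfg.GetConfigForClient = nil
		if cfg.ClientCAs = s.GetClientCAs(); cfg.ClientCAs == nil {
			// ConfigMap not loaded yet. crypto/tls hands ClientCAs to x509 as Roots, and
			// nil Roots means the system roots; an empty pool rejects every client cert.
			cfg.ClientCAs = x509.NewCertPool()
		}
		return cfg, nil
	}
	return base
}

// staticCAs is a constructed stand-in for *Server so the example runs offline.
type staticCAs struct{ pool *x509.CertPool }

func (s *staticCAs) GetClientCAs() *x509.CertPool { return s.pool }

func main() {
	src := &staticCAs{} // pool still nil, as before the first ConfigMap load
	cfg, _ := serverTLSConfig(src, tls.Certificate{}).GetConfigForClient(nil)
	fmt.Println("fail-closed empty pool:", cfg.ClientCAs.Equal(x509.NewCertPool()))
	src.pool = x509.NewCertPool() // stands in for a refreshed front-proxy bundle
	cfg, _ = serverTLSConfig(src, tls.Certificate{}).GetConfigForClient(nil)
	fmt.Println("refreshed pool picked up:", cfg.ClientCAs == src.pool)
}
```

The TLS layer only decides which CAs a presented certificate may chain to; aggregated API handlers still need the per-request check that IsTrustedAggregatedRequest provides.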

func (*Server) SetCIDRAllocator

func (s *Server) SetCIDRAllocator(a CIDRAllocator)

SetCIDRAllocator sets the CIDR allocator used by the mutating webhook.

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

Validator validates admission requests for unbounded CNI custom resources.
