Documentation
Overview ¶
Package admission provides libraries for creating admission webhooks.
Example ¶
package main
import (
"fmt"
"k8s.io/api/admission/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)
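// main registers a pod admission callback at "/pod" and then starts the
// admission server over TLS.
func main() {
	resourceType := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
	admission.HandleFunc("/pod", resourceType, func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		pod := corev1.Pod{}
		// Decode returns a non-nil response when the raw object cannot be
		// deserialized. Returning it here keeps an undecodable request from
		// falling through to the allow path below.
		if errResp := admission.Decode(review, &pod, resourceType); errResp != nil {
			return errResp
		}
		// Business logic for admission decision.
		// Only pod.Spec.Containers is counted; a production policy would also
		// need to consider pod.Spec.InitContainers.
		if len(pod.Spec.Containers) != 1 {
			// The namespace and name come from the decoded (submitted) object.
			return admission.DenyResponse(fmt.Sprintf(
				"pod %s/%s may only have 1 container.", pod.Namespace, pod.Name))
		}
		return admission.AllowResponse()
	})
	// ListenAndServeTLS returns an error. Dropping it would let the process
	// exit quietly while the webhook is not serving, so surface it loudly.
	// NOTE(review): this page does not say what the empty addr means or where
	// the TLS certificate and key are loaded from - confirm before deploying.
	if err := admission.ListenAndServeTLS(""); err != nil {
		panic(fmt.Errorf("admission webhook server: %v", err))
	}
}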
Index ¶
- Variables
- func AllowResponse() *v1beta1.AdmissionResponse
- func Decode(review v1beta1.AdmissionReview, object runtime.Object, ...) *v1beta1.AdmissionResponse
- func DenyResponse(msg string) *v1beta1.AdmissionResponse
- func ErrorResponse(err error) *v1beta1.AdmissionResponse
- func HandleFunc(path string, gvr metav1.GroupVersionResource, fn Func)
- func ListenAndServeTLS(addr string) error
- type Func
- type Manager
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var DefaultAdmissionFns = &Manager{ SMux: http.DefaultServeMux, }
DefaultAdmissionFns is the default admission control functions registry
Functions ¶
func AllowResponse ¶
func AllowResponse() *v1beta1.AdmissionResponse
AllowResponse returns a new response for admitting a request
Example ¶
package main
import (
"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)
// main builds the response a handler returns to admit a request.
func main() {
	// The example only constructs the response; a real handler returns it.
	_ = admission.AllowResponse()
}
func Decode ¶
func Decode(review v1beta1.AdmissionReview, object runtime.Object, resourceType metav1.GroupVersionResource) *v1beta1.AdmissionResponse
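Decode reads the Raw data from review and deserializes it into object, returning a non-nil response if there was an error. A handler should return that response to the caller rather than continue on to an allow decision.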
Example ¶
package main
import (
"k8s.io/api/admission/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)
// main demonstrates decoding the object carried by an AdmissionReview into a
// typed Pod.
func main() {
	// A zero-value review stands in for the one a webhook handler receives.
	var review v1beta1.AdmissionReview
	pod := corev1.Pod{}
	resourceType := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}

	errResp := admission.Decode(review, &pod, resourceType)
	if errResp != nil {
		// Send error resp: inside a handler, return errResp here so that a
		// request whose object could not be decoded is never allowed.
	}
}
func DenyResponse ¶
func DenyResponse(msg string) *v1beta1.AdmissionResponse
DenyResponse returns a new response for denying a request
Example ¶
package main
import (
"fmt"
"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)
// main builds the response a handler returns to deny a request.
func main() {
	// NOTE(review): msg is presumably shown to the client that made the
	// request - confirm, and keep internal details out of it.
	msg := fmt.Sprintf("some deny explanation")
	admission.DenyResponse(msg)
}
func ErrorResponse ¶
func ErrorResponse(err error) *v1beta1.AdmissionResponse
ErrorResponse creates a new AdmissionResponse for an error encountered while handling the request.
Example ¶
package main
import (
"fmt"
"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)
// main builds the response a handler returns when it fails to process a
// request.
func main() {
	// NOTE(review): the error text presumably ends up in the response sent
	// back to the caller - confirm, and avoid embedding sensitive internals.
	err := fmt.Errorf("some error explanation")
	admission.ErrorResponse(err)
}
func HandleFunc ¶
func HandleFunc(path string, gvr metav1.GroupVersionResource, fn Func)
HandleFunc registers fn as an admission control webhook callback for the specified group, version and resource.
Example ¶
package main
import (
"fmt"
"k8s.io/api/admission/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)
// main shows how to register a pod admission callback with the package-level
// HandleFunc.
func main() {
	podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}

	// checkPod decodes the reviewed object into a Pod and admits it only when
	// it declares exactly one container.
	checkPod := func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		var pod corev1.Pod
		// A decode failure is returned as-is so the request is not allowed.
		errResp := admission.Decode(review, &pod, podsGVR)
		if errResp != nil {
			return errResp
		}
		// Business logic for admission decision.
		// Only pod.Spec.Containers is counted; pod.Spec.InitContainers is not.
		if len(pod.Spec.Containers) == 1 {
			return admission.AllowResponse()
		}
		msg := fmt.Sprintf("pod %s/%s may only have 1 container.", pod.Namespace, pod.Name)
		return admission.DenyResponse(msg)
	}

	admission.HandleFunc("/pod", podsGVR, checkPod)
}
func ListenAndServeTLS ¶
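ListenAndServeTLS starts the admission HTTP server. Per the index, its signature is func ListenAndServeTLS(addr string) error; callers should check the returned error so that a webhook server that is not running does not go unnoticed.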
Types ¶
type Func ¶
type Func func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse
Func implements an AdmissionReview operation for a GroupVersionResource
Example ¶
package main
import (
"fmt"
"k8s.io/api/admission/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)
// main shows a function literal that satisfies admission.Func.
func main() {
	// The assignment to the blank identifier is a compile-time check that the
	// literal has the admission.Func signature.
	var _ admission.Func = func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
		var pod corev1.Pod
		// Return the decode error response instead of evaluating an object
		// that could not be deserialized.
		if errResp := admission.Decode(review, &pod, podsGVR); errResp != nil {
			return errResp
		}
		// Business logic for admission decision.
		// Only pod.Spec.Containers is counted; pod.Spec.InitContainers is not.
		switch len(pod.Spec.Containers) {
		case 1:
			return admission.AllowResponse()
		default:
			return admission.DenyResponse(fmt.Sprintf(
				"pod %s/%s may only have 1 container.", pod.Namespace, pod.Name))
		}
	}
}
type Manager ¶
Manager manages admission controllers
func (*Manager) HandleFunc ¶
func (e *Manager) HandleFunc(path string, gvr metav1.GroupVersionResource, fn Func)
HandleFunc registers fn as an admission control webhook callback for the specified group, version and resource.
Example ¶
package main
import (
"fmt"
"k8s.io/api/admission/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/internal/admission"
)
// main registers a pod admission callback on a Manager value rather than on
// the package-level default registry.
func main() {
	// NOTE(review): DefaultAdmissionFns is built with SMux set, while this
	// zero-value Manager leaves it unset - confirm HandleFunc tolerates that.
	var ah admission.Manager
	podsGVR := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}

	// singleContainerOnly admits a pod only when it declares exactly one
	// container.
	singleContainerOnly := func(review v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
		var pod corev1.Pod
		// A decode failure is returned as-is so the request is not allowed.
		errResp := admission.Decode(review, &pod, podsGVR)
		if errResp != nil {
			return errResp
		}
		// Business logic for admission decision.
		// Only pod.Spec.Containers is counted; pod.Spec.InitContainers is not.
		if len(pod.Spec.Containers) == 1 {
			return admission.AllowResponse()
		}
		msg := fmt.Sprintf("pod %s/%s may only have 1 container.", pod.Namespace, pod.Name)
		return admission.DenyResponse(msg)
	}

	ah.HandleFunc("/pod", podsGVR, singleContainerOnly)
}