webhook



Constants

const (
	// Pod annotations read by the webhook. Their values are written by the pod
	// author, so they are untrusted input to the webhook and must be parsed
	// and validated (see ParseBool) rather than used verbatim.
	//
	// GcsFuseVolumeEnableAnnotation marks a pod as a candidate for sidecar
	// injection (see Handle).
	GcsFuseVolumeEnableAnnotation        = "gke-gcsfuse/volumes"
	// GcsFuseNativeSidecarEnableAnnotation requests the native sidecar form;
	// presumably this is the init-container variant that
	// ValidatePodHasSidecarContainerInjected reports in its second result —
	// confirm in Handle.
	GcsFuseNativeSidecarEnableAnnotation = "gke-gcsfuse/enable-native-sidecar"

	// GCPWorkloadIdentityCredentialConfigMapAnnotation names the ConfigMap
	// holding the workload identity credential configuration (see
	// CredentialConfig). NOTE(review): how the named ConfigMap is resolved and
	// which namespace it is read from is not shown in this listing.
	GCPWorkloadIdentityCredentialConfigMapAnnotation = "gke-gcsfuse/workload-identity-credential-configmap"
)
const (
	// Names of the containers the webhook injects.
	// ValidatePodHasSidecarContainerInjected matches on GcsFuseSidecarName.
	GcsFuseSidecarName                                   = "gke-gcsfuse-sidecar"
	MetadataPrefetchSidecarName                          = "gke-gcsfuse-metadata-prefetch"
	// Scratch volumes mounted into the sidecar. The tmp volume (mounted at
	// SidecarContainerTmpVolumeMountPath, see TmpVolumeMount) is the one that
	// ValidatePodHasSidecarContainerInjected requires to be an emptyDir.
	SidecarContainerTmpVolumeMountPath                   = "/gcsfuse-tmp"
	SidecarContainerBufferVolumeName                     = "gke-gcsfuse-buffer"
	SidecarContainerBufferVolumeMountPath                = "/gcsfuse-buffer"
	SidecarContainerCacheVolumeName                      = "gke-gcsfuse-cache"
	SidecarContainerCacheVolumeMountPath                 = "/gcsfuse-cache"
	// The three constants below are volume names and mount paths, not secret
	// material; gosec rule G101 (hard-coded credentials) flags them only
	// because they contain "token", hence the #nosec suppressions. The token
	// itself is supplied at runtime by the volume GetSATokenVolume returns.
	SidecarContainerSATokenVolumeName                    = "gcsfuse-sa-token"            // #nosec G101
	SidecarContainerSATokenVolumeMountPath               = "/gcsfuse-sa-token"           // #nosec G101
	K8STokenPath                                         = "token"                       // #nosec G101
	// Workload identity: the token volume has no fixed mount path here; the
	// path is read from the credential configuration ConfigMap (see
	// CredentialConfig.CredentialSource.File), which is itself mounted at
	// SidecarContainerWICredentialConfigMapVolumeMountPath.
	SidecarContainerWITokenVolumeName                    = "gke-workload-identity-token" // Mount path for this volume should be read from the workload identity credential configuration configmap. Typically the mount path is /var/run/service-account.
	SidecarContainerWICredentialConfigMapVolumeName      = "gke-workload-identity-credential-configmap"
	SidecarContainerWICredentialConfigMapVolumeMountPath = "/etc/workload-identity"

	// gcsfuse profiles constants (see ModifyPodSpecForGCSFuseProfiles, which
	// adds the label, the scheduling gate and the placeholder cache volumes).
	GcsfuseProfilesManagedLabel                           = "gke-gcsfuse/profile-managed"
	GcsfuseCacheCreatedByUserLabel                        = "gke-gcsfuse/cache-created-by-user"
	BucketScanPendingSchedulingGate                       = "gke-gcsfuse/bucket-scan-pending"
	SidecarContainerFileCacheEphemeralDiskVolumeName      = "gcsfuse-file-cache-ephemeral-disk"
	SidecarContainerFileCacheEphemeralDiskVolumeMountPath = "/gcsfuse-file-cache-ephemeral-disk"
	SidecarContainerFileCacheRamDiskVolumeName            = "gcsfuse-file-cache-ram-disk"
	SidecarContainerFileCacheRamDiskVolumeMountPath       = "/gcsfuse-file-cache-ram-disk"

	// The sidecar runs as the unprivileged "nobody" user rather than root;
	// ValidatePodHasSidecarContainerInjected requires the container to use
	// exactly these IDs. See the nonroot user discussion:
	// https://github.com/GoogleContainerTools/distroless/issues/443
	NobodyUID = 65534
	NobodyGID = 65534
)
// IstioSidecarName is the container name under which the Istio proxy sidecar
// is injected; it lets the webhook recognise an Istio-injected pod.
// NOTE(review): how the webhook reacts to its presence is not shown in this
// listing.
const IstioSidecarName = "istio-proxy"

Variables

var (

	// gke-gcsfuse-sidecar volumeMounts.
	//
	// TmpVolumeMount mounts the sidecar's tmp volume
	// (util.SidecarContainerTmpVolumeName) at SidecarContainerTmpVolumeMountPath.
	// ValidatePodHasSidecarContainerInjected checks both that this mount path is
	// present and that the backing pod volume is an emptyDir.
	TmpVolumeMount = corev1.VolumeMount{
		Name:      util.SidecarContainerTmpVolumeName,
		MountPath: SidecarContainerTmpVolumeMountPath,
	}
)

Functions

func ExtractImageAndDeleteContainer added in v1.8.0

func ExtractImageAndDeleteContainer(podSpec *corev1.PodSpec, containerName string) (string, error)

ExtractImageAndDeleteContainer supports the injection of custom sidecar images. It iterates the pod's container list looking for a container named containerName. If one is found, it:

  • extracts the container's image reference
  • removes the container definition from the container list
  • verifies that the image reference is valid
  • returns the image

Custom sidecar images are supported because:

  • They are required by the Privately Hosted Sidecar Image feature, for clusters running with limited internet access.
  • They allow fast testing of a new sidecar image (usually one carrying a new gcsfuse binary) in a production environment.

Note that only the image reference is taken from the user-supplied container; the sidecar that is actually injected is presumably still built by GetSidecarContainerSpec, so a custom image runs with the same security context and volume mounts as the default one — including the service account token and credential mounts when those are configured. Custom images should therefore come only from registries the cluster operator trusts.

func GetNativeSidecarContainerSpec added in v1.2.0

func GetNativeSidecarContainerSpec(c *Config, credentialConfig *SidecarContainerCredentialConfiguration) corev1.Container

func GetSATokenVolume added in v1.11.0

func GetSATokenVolume(audience string) corev1.Volume

func GetSecurityContext added in v1.8.0

func GetSecurityContext() *corev1.SecurityContext

GetSecurityContext returns the SecurityContext for the sidecar; a sidecar that uses it follows the Restricted Pod Security Standard. See https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

func GetSidecarContainerSpec

func GetSidecarContainerSpec(c *Config, credentialConfig *SidecarContainerCredentialConfiguration) corev1.Container

func GetSidecarContainerVolumeSpec

func GetSidecarContainerVolumeSpec(existingVolumes ...corev1.Volume) []corev1.Volume

GetSidecarContainerVolumeSpec returns volumes required by the sidecar container, skipping the existing custom volumes.

func LogPodMutation added in v1.3.0

func LogPodMutation(pod *corev1.Pod, sidecarConfig *Config)

func ModifyPodSpecForGCSFuseProfiles added in v1.18.0

func ModifyPodSpecForGCSFuseProfiles(pod *corev1.Pod, cacheCreatedByUser bool) error

ModifyPodSpecForGCSFuseProfiles modifies the pod spec to add the gcsfuse-profile related features: it adds a label, a scheduling gate, and placeholder file cache volumes.

func ParseBool added in v1.8.0

func ParseBool(str string) (bool, error)

func ValidatePodHasSidecarContainerInjected

func ValidatePodHasSidecarContainerInjected(pod *corev1.Pod) (bool, bool)

ValidatePodHasSidecarContainerInjected validates the following:

  1. One of the containers or init containers has the sidecar container name.
  2. The container runs as NobodyUID and NobodyGID.
  3. The container mounts the temp volume.
  4. The temp volume mount has the correct mount path.
  5. The Pod has the temp volume and the volume is an emptyDir volume.

Returns two booleans:

  1. True when either native or regular sidecar is present.
  2. True iff the sidecar present is a native sidecar container.

Types

type Config

type Config struct {
	// The fields tagged `json:"-"` are never read from or written to JSON, so
	// they cannot be set through a JSON-encoded override; only the
	// resource-quantity fields below carry JSON keys. Presumably these are
	// therefore the only values a pod annotation can override (see the
	// SidecarInjector.Config comment) — confirm in Handle.

	// ShouldInjectSAVolume controls whether the service account token volume
	// (see GetSATokenVolume) is injected — TODO confirm.
	ShouldInjectSAVolume  bool   `json:"-"`
	// EnableGcsfuseProfiles enables the gcsfuse profiles feature
	// (see ModifyPodSpecForGCSFuseProfiles).
	EnableGcsfuseProfiles bool   `json:"-"`
	// PodHostNetworkSetting presumably records whether the pod uses
	// hostNetwork — TODO confirm.
	PodHostNetworkSetting bool   `json:"-"`
	// ContainerImage and ImagePullPolicy are the sidecar image reference and
	// pull policy (see LoadConfig and ExtractImageAndDeleteContainer).
	ContainerImage        string `json:"-"`
	ImagePullPolicy       string `json:"-"`
	// Sidecar resource requests and limits.
	//nolint:tagliatelle
	CPURequest resource.Quantity `json:"cpu-request,omitempty"`
	//nolint:tagliatelle
	CPULimit resource.Quantity `json:"cpu-limit,omitempty"`
	//nolint:tagliatelle
	MemoryRequest resource.Quantity `json:"memory-request,omitempty"`
	//nolint:tagliatelle
	MemoryLimit resource.Quantity `json:"memory-limit,omitempty"`
	//nolint:tagliatelle
	EphemeralStorageRequest resource.Quantity `json:"ephemeral-storage-request,omitempty"`
	//nolint:tagliatelle
	EphemeralStorageLimit resource.Quantity `json:"ephemeral-storage-limit,omitempty"`
}

func FakeConfig

func FakeConfig() *Config

func FakePrefetchConfig added in v1.13.0

func FakePrefetchConfig() *Config

func LoadConfig

func LoadConfig(containerImage, imagePullPolicy, cpuRequest, cpuLimit, memoryRequest, memoryLimit, ephemeralStorageRequest, ephemeralStorageLimit string) *Config

type CredentialConfig added in v1.20.0

// CredentialConfig is the credential configuration read from the ConfigMap
// named by GCPWorkloadIdentityCredentialConfigMapAnnotation. Its JSON keys
// match those of a GCP external-account credential file; only the fields the
// webhook needs are modelled.
type CredentialConfig struct {
	// Audience is the token audience.
	Audience         string `json:"audience"`
	// CredentialSource.File is the path at which the workload identity token
	// is expected inside the sidecar; this is the mount path to use for
	// SidecarContainerWITokenVolumeName (typically /var/run/service-account).
	// It originates from a user-supplied ConfigMap, so it should be validated
	// as a mount path before use — NOTE(review): validation not shown here.
	CredentialSource struct {
		File string `json:"file"`
	} `json:"credential_source"`
}

type SidecarContainerCredentialConfiguration added in v1.20.0

// SidecarContainerCredentialConfiguration carries the credential-related
// pieces that GetSidecarContainerSpec and GetNativeSidecarContainerSpec inject
// into the sidecar container.
type SidecarContainerCredentialConfiguration struct {
	GacEnv                 *corev1.EnvVar       // GOOGLE_APPLICATION_CREDENTIALS environment variable injected into the sidecar container; nil when not used.
	CredentialVolumeMounts []corev1.VolumeMount // Volume mounts for the credential files injected into the sidecar container.
}

type SidecarInjector

// SidecarInjector is the mutating admission webhook handler (see Handle) that
// injects the gcsfuse sidecar into qualifying pods.
type SidecarInjector struct {
	// Client is the controller-runtime client used for API access.
	Client client.Client
	// Config holds the default sidecar container config values; they can be
	// overwritten by the pod annotations. Because annotations are written by
	// the pod author, overrides are untrusted input and should be validated
	// and bounded — NOTE(review): that validation is not shown in this listing.
	Config                 *Config
	// MetadataPrefetchConfig holds the defaults for the metadata prefetch
	// sidecar (see GetMetadataPrefetchSidecarContainerSpec).
	MetadataPrefetchConfig *Config
	// Decoder decodes the incoming admission request.
	Decoder                admission.Decoder
	// Listers used to resolve the pod's volumes: PvcLister, PvLister and
	// ScLister back GetPVC, GetPV and GetVolumesStorageClass. NodeLister's use
	// is not shown in this listing.
	NodeLister             listersv1.NodeLister
	PvcLister              listersv1.PersistentVolumeClaimLister
	PvLister               listersv1.PersistentVolumeLister
	ScLister               listerstoragev1.StorageClassLister
	// ServerVersion is the cluster's Kubernetes version; presumably used to
	// decide whether native sidecars are supported — TODO confirm in Handle.
	ServerVersion          *version.Version
	// K8SClient is the client-go clientset.
	K8SClient              kubernetes.Interface
}

func (*SidecarInjector) GetMetadataPrefetchSidecarContainerSpec added in v1.8.0

func (si *SidecarInjector) GetMetadataPrefetchSidecarContainerSpec(pod *corev1.Pod, c *Config) corev1.Container

func (*SidecarInjector) GetPV added in v1.8.0

func (si *SidecarInjector) GetPV(name string) (*corev1.PersistentVolume, error)

func (*SidecarInjector) GetPVC added in v1.8.0

func (si *SidecarInjector) GetPVC(namespace, name string) (*corev1.PersistentVolumeClaim, error)

func (*SidecarInjector) GetPreprovisionCSIVolume added in v1.8.0

func (si *SidecarInjector) GetPreprovisionCSIVolume(csiDriver string, pvc *corev1.PersistentVolumeClaim) (*corev1.PersistentVolume, bool, error)

GetPreprovisionCSIVolume gets the pre-provisioned persistentVolume when backed by the desired csiDriver.

func (*SidecarInjector) GetVolumesStorageClass added in v1.20.0

func (si *SidecarInjector) GetVolumesStorageClass(volume *corev1.PersistentVolume) (*storagev1.StorageClass, error)

GetVolumesStorageClass returns nil when the PV has no StorageClass, an error when the StorageClass cannot be retrieved, and otherwise the PV's StorageClass.

func (*SidecarInjector) Handle

Handle injects a gcsfuse sidecar container and an emptyDir volume into incoming qualified pods.

func (*SidecarInjector) IsGCSFuseProfilesEnabled added in v1.21.11

func (si *SidecarInjector) IsGCSFuseProfilesEnabled(pod *corev1.Pod) (bool, error)

IsGCSFuseProfilesEnabled reports whether any volume of the pod uses the gcsfuse profiles feature. It returns an error when the check itself fails.

func (*SidecarInjector) IsPreprovisionCSIVolume added in v1.8.0

func (si *SidecarInjector) IsPreprovisionCSIVolume(csiDriver string, pvc *corev1.PersistentVolumeClaim) (bool, error)

IsPreprovisionCSIVolume checks whether the volume is a pre-provisioned volume for the desired csiDriver.
