Documentation

Index
- Constants
- func ClusterPathFromAndStrip(req *http.Request) (logicalcluster.Path, *url.URL, bool, error)
- func IdentityFromContext(ctx context.Context) string
- func IsPartialMetadataRequest(ctx context.Context) bool
- func UserAgentFrom(ctx context.Context) string
- func WithAcceptHeader(apiHandler http.Handler) http.Handler
- func WithAuditEventClusterAnnotation(handler http.Handler, ...) http.HandlerFunc
- func WithBlockInactiveLogicalClusters(handler http.Handler, ...) http.HandlerFunc
- func WithClusterNameShapeInvariant(apiHandler http.Handler) http.Handler
- func WithClusterScope(apiHandler http.Handler) http.HandlerFunc
- func WithIdentity(ctx context.Context, identity string) context.Context
- func WithImpersonationGatekeeper(handler http.Handler) http.Handler
- func WithImpersonationScoping(handler http.Handler) http.Handler
- func WithInClusterServiceAccountRequestRewrite(handler http.Handler) http.Handler
- func WithResourceIdentity(handler http.Handler) http.Handler
- func WithUserAgent(handler http.Handler) http.Handler
- func WithWildcardListWatchGuard(apiHandler http.Handler) http.HandlerFunc
Constants

```go
const (
	// InactiveAnnotation is the annotation denoting a logical cluster should be
	// deemed unreachable.
	InactiveAnnotation = "internal.kcp.io/inactive"
)
```

Variables

This section is empty.

Functions
func ClusterPathFromAndStrip added in v0.11.0
ClusterPathFromAndStrip parses the request for a logical cluster path, returns it if one is found, and strips it from the request URL path.
func IdentityFromContext added in v0.27.0
IdentityFromContext retrieves the APIExport identity from the context, if any.
func IsPartialMetadataRequest
IsPartialMetadataRequest determines whether the request is a PartialObjectMetadata request, based on the value stored in the context.
A PartialObjectMetadata request gets only object metadata.
func UserAgentFrom added in v0.27.0
func WithAcceptHeader
WithAcceptHeader makes the Accept header available to code further down the handler chain. It is needed for wildcard requests, when finding the CRD with a common schema: for PartialObjectMetadata requests the schema requirement can be weakened and different schemas across workspaces allowed.
func WithAuditEventClusterAnnotation
func WithAuditEventClusterAnnotation(handler http.Handler, kcpClusterClient corev1alpha1informers.LogicalClusterClusterInformer) http.HandlerFunc
WithAuditEventClusterAnnotation adds the cluster name as an annotation on the audit event. It requires the audit event annotations to have been initialized already.
func WithBlockInactiveLogicalClusters added in v0.25.0
func WithBlockInactiveLogicalClusters(handler http.Handler, kcpClusterClient corev1alpha1informers.LogicalClusterClusterInformer) http.HandlerFunc
WithBlockInactiveLogicalClusters ensures that any request to a logical cluster marked inactive (see InactiveAnnotation) is rejected.
func WithClusterNameShapeInvariant added in v0.31.0
WithClusterNameShapeInvariant verifies that, once some upstream handler has populated the cluster on the request context, the cluster name is a bare logical-cluster name and not a workspace path. A path-shaped cluster name (e.g. "root:internal-cluster") reaching the storage layer would be concatenated verbatim into the etcd key by NoNamespaceKeyRootFunc, producing orphaned rows invisible to the normal read path but still consuming etcd space and leaking via wildcard partial-metadata lists.
This is a defense-in-depth check: upstream handlers (WithLocalProxy, WithClusterScope) are expected to either resolve the path to a logical cluster name via the index or reject the request. This filter refuses to forward a request whose invariant was violated, so any future regression fails loudly here instead of silently corrupting etcd.
The "system:" prefix is allowed: "system:..." names are legal single-name logical clusters in kcp (see logicalcluster.Path.Name).
func WithClusterScope
func WithClusterScope(apiHandler http.Handler) http.HandlerFunc
WithClusterScope reads the cluster name from the URL path and puts it into the context. It also trims the "/clusters/" prefix from the URL.
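The prefix handling of ClusterPathFromAndStrip and WithClusterScope together with the bare-name check of WithClusterNameShapeInvariant, as an added example that is not kcp's own code. It assumes a constructed in-memory index mapping workspace paths to logical cluster names (kcp resolves through its real index), treats a name as bare when it contains no ":" or starts with "system:", and answers a violated invariant with 500; those choices and all helper names (WithCluster, ClusterFrom, IsBareClusterName, StripClusterPrefix, ServeScoped) are this example's, not the package's.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type clusterKey struct{} // unexported key type: no other package can collide with it

// WithCluster and ClusterFrom are example context plumbing for the resolved cluster name.
func WithCluster(ctx context.Context, name string) context.Context {
	return context.WithValue(ctx, clusterKey{}, name)
}

func ClusterFrom(ctx context.Context) (string, bool) {
	name, ok := ctx.Value(clusterKey{}).(string)
	return name, ok
}

// IsBareClusterName reports whether s is a single logical cluster name rather than a
// workspace path. Assumption: paths use ":" as separator; the one legal exception is
// the "system:" prefix, which denotes a single-name cluster.
func IsBareClusterName(s string) bool {
	return s != "" && (strings.HasPrefix(s, "system:") || !strings.Contains(s, ":"))
}

// StripClusterPrefix splits "/clusters/<value>/rest" into <value> and "/rest";
// ok is false when the URL carries no "/clusters/" prefix.
func StripClusterPrefix(path string) (value, rest string, ok bool) {
	const prefix = "/clusters/"
	if !strings.HasPrefix(path, prefix) {
		return "", path, false
	}
	v, tail, _ := strings.Cut(strings.TrimPrefix(path, prefix), "/")
	return v, "/" + tail, v != ""
}

// WithClusterScope reads /clusters/<value>, resolves a path-shaped value to a bare
// name through the (constructed) index or rejects it, and forwards the rest of the
// URL with the cluster name on the context.
func WithClusterScope(index map[string]string, next http.Handler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		value, rest, ok := StripClusterPrefix(r.URL.Path)
		if !ok {
			next.ServeHTTP(w, r) // no cluster prefix: pass through untouched
			return
		}
		name := value
		if !IsBareClusterName(value) {
			resolved, found := index[value]
			if !found {
				http.Error(w, fmt.Sprintf("workspace path %q not found", value), http.StatusNotFound)
				return
			}
			name = resolved
		}
		scoped := r.Clone(WithCluster(r.Context(), name)) // Clone deep-copies r.URL
		scoped.URL.Path = rest
		next.ServeHTTP(w, scoped)
	}
}

// WithClusterNameShapeInvariant refuses to forward a request whose context still
// carries a path-shaped name. The 500 status is this example's choice: the condition
// is a bug in an upstream handler, not a client error.
func WithClusterNameShapeInvariant(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if name, ok := ClusterFrom(r.Context()); ok && !IsBareClusterName(name) {
			http.Error(w, fmt.Sprintf("invariant violated: cluster %q is a path, not a name", name), http.StatusInternalServerError)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ServeScoped drives one request through scope -> invariant -> echo and returns
// status and body, so the chain can be exercised without a listener.
func ServeScoped(ctx context.Context, index map[string]string, method, target string) (int, string) {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, _ := ClusterFrom(r.Context())
		fmt.Fprintf(w, "cluster=%s path=%s", name, r.URL.Path)
	})
	chain := WithClusterScope(index, WithClusterNameShapeInvariant(echo))
	rec := httptest.NewRecorder()
	chain.ServeHTTP(rec, httptest.NewRequest(method, target, nil).WithContext(ctx))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	index := map[string]string{"root:org": "2bq9xk1"} // constructed path -> name index
	for _, t := range []string{"/clusters/root:org/api/v1/namespaces", "/clusters/root:missing/api", "/healthz"} {
		code, body := ServeScoped(context.Background(), index, http.MethodGet, t)
		fmt.Println(code, body)
	}
}
```

The invariant handler deliberately re-derives nothing: it only inspects what the scope handler already put on the context, so a request can reach it with a path-shaped name only if an upstream handler skipped the resolve-or-reject step, which is exactly the regression the filter exists to catch.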
func WithIdentity added in v0.27.0
WithIdentity adds an APIExport identity to the context.
func WithImpersonationGatekeeper added in v0.27.0
WithImpersonationGatekeeper checks the request for impersonation headers and validates them; if they are not valid it returns a 403. The check runs on the request headers early in the chain, so that an invalid impersonation is never propagated to the backend services.
func WithImpersonationScoping added in v0.27.0
WithImpersonationScoping scopes the request to the cluster it is intended for.
func WithInClusterServiceAccountRequestRewrite added in v0.27.0
WithInClusterServiceAccountRequestRewrite adds the /clusters/<clusterName> prefix to the request path if the request comes from an in-cluster service account (in-cluster clients don't support path prefixes).
func WithResourceIdentity added in v0.27.0
WithResourceIdentity checks list/watch requests for an APIExport identity on the resource in the path. If it finds one (e.g. /api/v1/services:identityabcd1234/default/my-service), it places the identity from the path into the context, rewrites the request to remove the identity from the path, and updates requestInfo.Resource to remove the identity as well. Finally, it hands the request off to the passed-in handler.
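The identity rewrite described above, as an added example that is not kcp's own code. It assumes the cluster prefix has already been stripped upstream, locates the resource segment by the /api/<version> or /apis/<group>/<version> shape with an optional namespaces/<ns> pair in front of it, and restricts itself to GET requests (the HTTP method of list and watch) instead of resolving the apiserver verb; WithIdentity/IdentityFromContext here are stand-ins for the documented functions, requestInfo is not modelled, and the helper names (resourceIndex, SplitResourceIdentity, ServeIdentity) are this example's.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type identityKey struct{} // unexported key type: no other package can collide with it

// WithIdentity and IdentityFromContext are example context plumbing for the APIExport identity.
func WithIdentity(ctx context.Context, identity string) context.Context {
	return context.WithValue(ctx, identityKey{}, identity)
}

func IdentityFromContext(ctx context.Context) string {
	identity, _ := ctx.Value(identityKey{}).(string)
	return identity
}

// resourceIndex locates the resource segment in a split request path. Assumption: the
// path is already cluster-relative ("/clusters/..." stripped upstream) and shaped like
// /api/<version>/... or /apis/<group>/<version>/..., optionally with namespaces/<ns>
// in front of the resource.
func resourceIndex(parts []string) (int, bool) {
	var i int
	switch {
	case len(parts) > 2 && parts[0] == "api":
		i = 2
	case len(parts) > 3 && parts[0] == "apis":
		i = 3
	default:
		return 0, false
	}
	if parts[i] == "namespaces" && len(parts) > i+2 {
		i += 2
	}
	return i, true
}

// SplitResourceIdentity parses "<resource>:<identity>" out of the resource segment and
// returns the cleaned path, the bare resource name, the identity and whether one was found.
// An empty resource or identity on either side of the ":" is treated as no identity.
func SplitResourceIdentity(path string) (cleanPath, resource, identity string, found bool) {
	parts := strings.Split(strings.TrimPrefix(path, "/"), "/")
	i, ok := resourceIndex(parts)
	if !ok {
		return path, "", "", false
	}
	res, id, hasColon := strings.Cut(parts[i], ":")
	if !hasColon || res == "" || id == "" {
		return path, parts[i], "", false
	}
	parts[i] = res
	return "/" + strings.Join(parts, "/"), res, id, true
}

// WithResourceIdentity moves the identity from the path into the context for GET
// requests and rewrites the URL so downstream code sees only the bare resource.
func WithResourceIdentity(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			next.ServeHTTP(w, r)
			return
		}
		clean, _, id, found := SplitResourceIdentity(r.URL.Path)
		if !found {
			next.ServeHTTP(w, r)
			return
		}
		rewritten := r.Clone(WithIdentity(r.Context(), id)) // Clone deep-copies r.URL
		rewritten.URL.Path = clean
		rewritten.URL.RawPath = "" // drop any stale encoded form so Path is authoritative
		next.ServeHTTP(w, rewritten)
	})
}

// ServeIdentity drives one request through the filter into an echo handler and returns
// the status and body, so the rewrite can be checked without a listener.
func ServeIdentity(method, target string) (int, string) {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "identity=%s path=%s", IdentityFromContext(r.Context()), r.URL.Path)
	})
	rec := httptest.NewRecorder()
	WithResourceIdentity(echo).ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	for _, t := range []string{"/api/v1/services:identityabcd1234/default/my-service", "/apis/apps/v1/namespaces/default/deployments:abc/web", "/api/v1/pods"} {
		code, body := ServeIdentity(http.MethodGet, t)
		fmt.Println(code, body)
	}
}
```

Only the resource segment is inspected for a ":"; earlier segments such as a group name never carry one, and a cluster path like root:org would only appear here if the prefix had not been stripped, which is why the example assumes that step has already run.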
func WithWildcardListWatchGuard added in v0.27.0
func WithWildcardListWatchGuard(apiHandler http.Handler) http.HandlerFunc
WithWildcardListWatchGuard fails wildcard requests on everything but list and watch verbs.
Types

This section is empty.