filters

package
v0.32.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 15, 2026 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ClusterPathFromAndStrip added in v0.11.0

func ClusterPathFromAndStrip(req *http.Request) (logicalcluster.Path, *url.URL, bool, error)

ClusterPathFromAndStrip parses the request for a logical cluster path, returns it if found and strips it from the request URL path.

func IdentityFromContext added in v0.27.0

func IdentityFromContext(ctx context.Context) string

IdentityFromContext retrieves the APIExport identity from the context, if any.

func IsPartialMetadataRequest

func IsPartialMetadataRequest(ctx context.Context) bool

IsPartialMetadataRequest determines if it is PartialObjectMetadata request based on the value stored in the context.

A PartialObjectMetadata request gets only object metadata.

func UserAgentFrom added in v0.27.0

func UserAgentFrom(ctx context.Context) string

func WithAcceptHeader

func WithAcceptHeader(apiHandler http.Handler) http.Handler

WithAcceptHeader makes the Accept header available for code in the handler chain. It is needed for Wildcard requests, when finding the CRD with a common schema. For PartialObjectMeta requests we cand weaken the schema requirement and allow different schemas across workspaces.

func WithAuditEventClusterAnnotation

func WithAuditEventClusterAnnotation(handler http.Handler, kcpClusterClient corev1alpha1informers.LogicalClusterClusterInformer) http.HandlerFunc

WithAuditEventClusterAnnotation adds the cluster name into the annotation of an audit event. Needs initialized annotations.

func WithBlockInactiveLogicalClusters added in v0.25.0

func WithBlockInactiveLogicalClusters(handler http.Handler, kcpClusterClient corev1alpha1informers.LogicalClusterClusterInformer) http.HandlerFunc

WithBlockInactiveLogicalClusters ensures that any requests to logical clusters marked inactive are rejected.

The filter intentionally acts on the inactive annotation to deny access as early as possible, as opposed to the Inactive LC phase which is only set after the LC reconciler fires.

func WithBlockMigratingLogicalClusters added in v0.32.0

func WithBlockMigratingLogicalClusters(handler http.Handler, isMigrating func(logicalcluster.Name) bool) http.HandlerFunc

WithBlockMigratingLogicalClusters rejects requests to logical clusters that are currently being migrated.

This is very similar to WithBlockInactiveLogicalClusters, however the migration requires that no client except other shards can access the logical cluster, otherwise operators running with admin rights might modify objects after they were migrated, producing an inconsistent state.

func WithClusterNameShapeInvariant added in v0.31.0

func WithClusterNameShapeInvariant(apiHandler http.Handler) http.Handler

WithClusterNameShapeInvariant verifies that, once some upstream handler has populated the cluster on the request context, the cluster name is a bare logical-cluster name and not a workspace path. A path-shaped cluster name (e.g. "root:internal-cluster") reaching the storage layer would be concatenated verbatim into the etcd key by NoNamespaceKeyRootFunc, producing orphaned rows invisible to the normal read path but still consuming etcd space and leaking via wildcard partial-metadata lists.

This is a defense-in-depth check: upstream handlers (WithLocalProxy, WithClusterScope) are expected to either resolve the path to a logical cluster name via the index or reject the request. This filter refuses to forward a request whose invariant was violated, so any future regression fails loudly here instead of silently corrupting etcd.

The "system:" prefix is allowed: "system:..." names are legal single-name logical clusters in kcp (see logicalcluster.Path.Name).

func WithClusterScope

func WithClusterScope(apiHandler http.Handler) http.HandlerFunc

WithClusterScope reads a cluster name from the URL path and puts it into the context. It also trims "/clusters/" prefix from the URL.

func WithIdentity added in v0.27.0

func WithIdentity(ctx context.Context, identity string) context.Context

WithIdentity adds an APIExport identity to the context.

func WithImpersonationGatekeeper added in v0.27.0

func WithImpersonationGatekeeper(handler http.Handler) http.Handler

WithImpersonationGatekeeper checks the request for impersonations and validates them, if they are valid. If they are not, will return a 403. We check for impersonation in the request headers, early to avoid it being propagated to the backend services.

func WithImpersonationScoping added in v0.27.0

func WithImpersonationScoping(handler http.Handler) http.Handler

WithImpersonationScoping scopes the request to the cluster it is intended for.

func WithInClusterServiceAccountRequestRewrite added in v0.27.0

func WithInClusterServiceAccountRequestRewrite(handler http.Handler) http.Handler

WithInClusterServiceAccountRequestRewrite adds the /clusters/<clusterName> prefix to the request path if the request comes from an InCluster service account requests (InCluster clients don't support prefixes).

func WithMigrationDumpHandler added in v0.32.0

func WithMigrationDumpHandler(next http.Handler, dump http.Handler) http.HandlerFunc

WithMigrationDumpHandler intercepts POSTs to the LogicalClusterDump path before the kube REST chain rejects the unknown migration.kcp.io API group with a 503. All other requests fall through to next.

func WithPerClusterContext added in v0.32.0

func WithPerClusterContext(handler http.Handler, mgr *contextmanager.Manager[logicalcluster.Path]) http.HandlerFunc

WithPerClusterContext injects a multiple-parent context for each request that is bound by the requests' context and the cluster-specific context.

This handler must run only after the client-provided information has been normalized to a logical cluster id.

This is used e.g. to cancel active connections when a logical cluster is being migrated.

func WithResourceIdentity added in v0.27.0

func WithResourceIdentity(handler http.Handler) http.Handler

WithResourceIdentity checks list/watch requests for an APIExport identity for the resource in the path. If it finds one (e.g. /api/v1/services:identityabcd1234/default/my-service), it places the identity from the path to the context, updates the request to remove the identity from the path, and updates requestInfo.Resource to also remove the identity. Finally, it hands off to the passed in handler to handle the request.

func WithShardLevelPaths added in v0.32.0

func WithShardLevelPaths(handler http.Handler) http.HandlerFunc

WithShardLevelPaths enforces that shard-level URLs (see pkg/authorization/shardpaths) are only served at the top of the shard's HTTP path tree.

It must run AFTER WithLocalProxy so the cluster context reflects whether the request was made through a /clusters/<ws>/ prefix.

  • any workspace-scoped form, including /clusters/root/<path>, is rejected with 501 Not Implemented. The data exposed is shard-wide and has no per-workspace meaning; rejecting the /clusters/root/ form too keeps the contract simple ("only the bare URL is valid") and avoids two ways of spelling the same thing.
  • top-level requests (no cluster context) are rewritten to evaluate authorization against the root workspace. A kcp-admin can therefore grant scrape access via a ClusterRoleBinding in :root referring to the system:kcp:metrics-reader role (bootstrapped) without exposing any other root-workspace privileges.

func WithUserAgent added in v0.27.0

func WithUserAgent(handler http.Handler) http.Handler

func WithWildcardListWatchGuard added in v0.27.0

func WithWildcardListWatchGuard(apiHandler http.Handler) http.HandlerFunc

WithWildcardListWatchGuard fails wildcard requests on everything but list and watch verbs.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL