Documentation
¶
Index ¶
- func ClusterPathFromAndStrip(req *http.Request) (logicalcluster.Path, *url.URL, bool, error)
- func IdentityFromContext(ctx context.Context) string
- func IsPartialMetadataRequest(ctx context.Context) bool
- func UserAgentFrom(ctx context.Context) string
- func WithAcceptHeader(apiHandler http.Handler) http.Handler
- func WithAuditEventClusterAnnotation(handler http.Handler, ...) http.HandlerFunc
- func WithBlockInactiveLogicalClusters(handler http.Handler, ...) http.HandlerFunc
- func WithBlockMigratingLogicalClusters(handler http.Handler, isMigrating func(logicalcluster.Name) bool) http.HandlerFunc
- func WithClusterNameShapeInvariant(apiHandler http.Handler) http.Handler
- func WithClusterScope(apiHandler http.Handler) http.HandlerFunc
- func WithIdentity(ctx context.Context, identity string) context.Context
- func WithImpersonationGatekeeper(handler http.Handler) http.Handler
- func WithImpersonationScoping(handler http.Handler) http.Handler
- func WithInClusterServiceAccountRequestRewrite(handler http.Handler) http.Handler
- func WithMigrationDumpHandler(next http.Handler, dump http.Handler) http.HandlerFunc
- func WithPerClusterContext(handler http.Handler, mgr *contextmanager.Manager[logicalcluster.Path]) http.HandlerFunc
- func WithResourceIdentity(handler http.Handler) http.Handler
- func WithShardLevelPaths(handler http.Handler) http.HandlerFunc
- func WithUserAgent(handler http.Handler) http.Handler
- func WithWildcardListWatchGuard(apiHandler http.Handler) http.HandlerFunc
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ClusterPathFromAndStrip ¶ added in v0.11.0
ClusterPathFromAndStrip parses the request for a logical cluster path, returns it if found and strips it from the request URL path.
func IdentityFromContext ¶ added in v0.27.0
IdentityFromContext retrieves the APIExport identity from the context, if any.
func IsPartialMetadataRequest ¶
IsPartialMetadataRequest determines if it is PartialObjectMetadata request based on the value stored in the context.
A PartialObjectMetadata request gets only object metadata.
func UserAgentFrom ¶ added in v0.27.0
func WithAcceptHeader ¶
WithAcceptHeader makes the Accept header available for code in the handler chain. It is needed for Wildcard requests, when finding the CRD with a common schema. For PartialObjectMeta requests we cand weaken the schema requirement and allow different schemas across workspaces.
func WithAuditEventClusterAnnotation ¶
func WithAuditEventClusterAnnotation(handler http.Handler, kcpClusterClient corev1alpha1informers.LogicalClusterClusterInformer) http.HandlerFunc
WithAuditEventClusterAnnotation adds the cluster name into the annotation of an audit event. Needs initialized annotations.
func WithBlockInactiveLogicalClusters ¶ added in v0.25.0
func WithBlockInactiveLogicalClusters(handler http.Handler, kcpClusterClient corev1alpha1informers.LogicalClusterClusterInformer) http.HandlerFunc
WithBlockInactiveLogicalClusters ensures that any requests to logical clusters marked inactive are rejected.
The filter intentionally acts on the inactive annotation to deny access as early as possible, as opposed to the Inactive LC phase which is only set after the LC reconciler fires.
func WithBlockMigratingLogicalClusters ¶ added in v0.32.0
func WithBlockMigratingLogicalClusters(handler http.Handler, isMigrating func(logicalcluster.Name) bool) http.HandlerFunc
WithBlockMigratingLogicalClusters rejects requests to logical clusters that are currently being migrated.
This is very similar to WithBlockInactiveLogicalClusters, however the migration requires that no client except other shards can access the logical cluster, otherwise operators running with admin rights might modify objects after they were migrated, producing an inconsistent state.
func WithClusterNameShapeInvariant ¶ added in v0.31.0
WithClusterNameShapeInvariant verifies that, once some upstream handler has populated the cluster on the request context, the cluster name is a bare logical-cluster name and not a workspace path. A path-shaped cluster name (e.g. "root:internal-cluster") reaching the storage layer would be concatenated verbatim into the etcd key by NoNamespaceKeyRootFunc, producing orphaned rows invisible to the normal read path but still consuming etcd space and leaking via wildcard partial-metadata lists.
This is a defense-in-depth check: upstream handlers (WithLocalProxy, WithClusterScope) are expected to either resolve the path to a logical cluster name via the index or reject the request. This filter refuses to forward a request whose invariant was violated, so any future regression fails loudly here instead of silently corrupting etcd.
The "system:" prefix is allowed: "system:..." names are legal single-name logical clusters in kcp (see logicalcluster.Path.Name).
func WithClusterScope ¶
func WithClusterScope(apiHandler http.Handler) http.HandlerFunc
WithClusterScope reads a cluster name from the URL path and puts it into the context. It also trims "/clusters/" prefix from the URL.
func WithIdentity ¶ added in v0.27.0
WithIdentity adds an APIExport identity to the context.
func WithImpersonationGatekeeper ¶ added in v0.27.0
WithImpersonationGatekeeper checks the request for impersonations and validates them, if they are valid. If they are not, will return a 403. We check for impersonation in the request headers, early to avoid it being propagated to the backend services.
func WithImpersonationScoping ¶ added in v0.27.0
WithImpersonationScoping scopes the request to the cluster it is intended for.
func WithInClusterServiceAccountRequestRewrite ¶ added in v0.27.0
WithInClusterServiceAccountRequestRewrite adds the /clusters/<clusterName> prefix to the request path if the request comes from an InCluster service account requests (InCluster clients don't support prefixes).
func WithMigrationDumpHandler ¶ added in v0.32.0
WithMigrationDumpHandler intercepts POSTs to the LogicalClusterDump path before the kube REST chain rejects the unknown migration.kcp.io API group with a 503. All other requests fall through to next.
func WithPerClusterContext ¶ added in v0.32.0
func WithPerClusterContext(handler http.Handler, mgr *contextmanager.Manager[logicalcluster.Path]) http.HandlerFunc
WithPerClusterContext injects a multiple-parent context for each request that is bound by the requests' context and the cluster-specific context.
This handler must run only after the client-provided information has been normalized to a logical cluster id.
This is used e.g. to cancel active connections when a logical cluster is being migrated.
func WithResourceIdentity ¶ added in v0.27.0
WithResourceIdentity checks list/watch requests for an APIExport identity for the resource in the path. If it finds one (e.g. /api/v1/services:identityabcd1234/default/my-service), it places the identity from the path to the context, updates the request to remove the identity from the path, and updates requestInfo.Resource to also remove the identity. Finally, it hands off to the passed in handler to handle the request.
func WithShardLevelPaths ¶ added in v0.32.0
func WithShardLevelPaths(handler http.Handler) http.HandlerFunc
WithShardLevelPaths enforces that shard-level URLs (see pkg/authorization/shardpaths) are only served at the top of the shard's HTTP path tree.
It must run AFTER WithLocalProxy so the cluster context reflects whether the request was made through a /clusters/<ws>/ prefix.
- any workspace-scoped form, including /clusters/root/<path>, is rejected with 501 Not Implemented. The data exposed is shard-wide and has no per-workspace meaning; rejecting the /clusters/root/ form too keeps the contract simple ("only the bare URL is valid") and avoids two ways of spelling the same thing.
- top-level requests (no cluster context) are rewritten to evaluate authorization against the root workspace. A kcp-admin can therefore grant scrape access via a ClusterRoleBinding in :root referring to the system:kcp:metrics-reader role (bootstrapped) without exposing any other root-workspace privileges.
func WithWildcardListWatchGuard ¶ added in v0.27.0
func WithWildcardListWatchGuard(apiHandler http.Handler) http.HandlerFunc
WithWildcardListWatchGuard fails wildcard requests on everything but list and watch verbs.
Types ¶
This section is empty.