apiserver – k8s.io/apiserver Index | Files | Directories

package apiserver

import "k8s.io/apiserver"

Package apiserver provides the machinery for building Kubernetes-style API servers.

This library is the foundation for the Kubernetes API server (`kube-apiserver`), and is also the primary framework for developers building custom API servers to extend the Kubernetes API.

An extension API server is a user-provided, standalone web server that registers itself with the main kube-apiserver to handle specific API groups. This allows developers to extend Kubernetes with their own APIs that behave like core Kubernetes APIs, complete with typed clients, authentication, authorization, and discovery.

Key Packages

The `apiserver` library is composed of several key packages:

Instantiating a GenericAPIServer

The `GenericAPIServer` struct is the heart of any extension server. It is responsible for assembling and running the HTTP serving stack. See the runnable example for a demonstration of how to instantiate a `GenericAPIServer`.

Building an Extension API Server (API Aggregation)

The mechanism that enables extension API servers is API aggregation. The primary apiserver (typically the kube-apiserver) acts as a proxy, forwarding requests for a specific API group (e.g., /apis/myextension.io/v1) to a registered extension server. The apiserver is configured using APIService objects.

For most use cases, custom resources (CustomResourceDefinitions) are the preferred way to extend the Kubernetes API.

Building an Admission Plugin

The `pkg/admission` package provides a way to add admission policies directly into an apiserver. Admission plugins can be used to validate or mutate objects during write operations. The kube-apiserver uses admission plugins to provide a variety of core system capabilities.

For most extension use cases dynamic admission control using policies (ValidatingAdmissionPolicies or MutatingAdmissionPolicies) or webhooks (ValidatingWebhookConfiguration and MutatingWebhookConfiguration) are the preferred way to extend admission control.

Index

Source Files

doc.go

Directories

PathSynopsis
pkg
pkg/admission
pkg/admission/configuration
pkg/admission/initializer
pkg/admission/metrics
pkg/admission/plugin
pkg/admission/plugin/authorizer
pkg/admission/plugin/cel
pkg/admission/plugin/manifestPackage manifest provides shared utilities for loading admission configurations from static manifest files.
pkg/admission/plugin/manifest/metricsPackage metrics provides metrics for manifest-based admission configuration.
pkg/admission/plugin/namespace
pkg/admission/plugin/namespace/lifecycle
pkg/admission/plugin/policy
pkg/admission/plugin/policy/config
pkg/admission/plugin/policy/config/apis
pkg/admission/plugin/policy/config/apis/policyconfigPackage policyconfig defines the configuration for the validating and mutating admission policy plugins.
pkg/admission/plugin/policy/config/apis/policyconfig/installPackage install installs the policyconfig API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/admission/plugin/policy/config/apis/policyconfig/v1Package v1 is the v1 version of the API.
pkg/admission/plugin/policy/generic
pkg/admission/plugin/policy/internal
pkg/admission/plugin/policy/manifest
pkg/admission/plugin/policy/manifest/loaderPackage loader provides generic functionality to load policy and binding configurations from manifest files.
pkg/admission/plugin/policy/manifest/sourcePackage source provides a Source implementation that loads policy configurations from manifest files.
pkg/admission/plugin/policy/matching
pkg/admission/plugin/policy/mutating
pkg/admission/plugin/policy/mutating/metrics
pkg/admission/plugin/policy/mutating/patch
pkg/admission/plugin/policy/validating
pkg/admission/plugin/policy/validating/metrics
pkg/admission/plugin/resourcequotaPackage resourcequota enforces all incoming requests against any applied quota in the namespace context of the request
pkg/admission/plugin/resourcequota/apis
pkg/admission/plugin/resourcequota/apis/resourcequota
pkg/admission/plugin/resourcequota/apis/resourcequota/installPackage install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/admission/plugin/resourcequota/apis/resourcequota/v1Package v1 is the v1 version of the API.
pkg/admission/plugin/resourcequota/apis/resourcequota/v1alpha1Package v1alpha1 is the v1alpha1 version of the API.
pkg/admission/plugin/resourcequota/apis/resourcequota/v1beta1Package v1beta1 is the v1beta1 version of the API.
pkg/admission/plugin/resourcequota/apis/resourcequota/validation
pkg/admission/plugin/webhook
pkg/admission/plugin/webhook/config
pkg/admission/plugin/webhook/config/apis
pkg/admission/plugin/webhook/config/apis/webhookadmission
pkg/admission/plugin/webhook/config/apis/webhookadmission/installPackage install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/admission/plugin/webhook/config/apis/webhookadmission/v1Package v1 is the v1 version of the API.
pkg/admission/plugin/webhook/errorsPackage errors contains utilities for admission webhook specific errors
pkg/admission/plugin/webhook/generic
pkg/admission/plugin/webhook/initializer
pkg/admission/plugin/webhook/manifest
pkg/admission/plugin/webhook/manifest/loaderPackage loader provides generic functionality to load webhook configurations from manifest files.
pkg/admission/plugin/webhook/manifest/sourcePackage source provides a Source implementation that loads webhook configurations from manifest files.
pkg/admission/plugin/webhook/matchconditions
pkg/admission/plugin/webhook/mutatingPackage mutating delegates admission checks to dynamically configured mutating webhooks.
pkg/admission/plugin/webhook/predicates
pkg/admission/plugin/webhook/predicates/namespacePackage namespace defines the utilities that are used by the webhook plugin to decide if a webhook should be applied to an object based on its namespace.
pkg/admission/plugin/webhook/predicates/objectPackage object defines the utilities that are used by the webhook plugin to decide if a webhook should run, as long as either the old object or the new object has labels matching the webhook config's objectSelector.
pkg/admission/plugin/webhook/predicates/rules
pkg/admission/plugin/webhook/requestPackage request creates admissionReview request based on admission attributes.
pkg/admission/plugin/webhook/testcertsPackage testcerts contains generated key pairs used by the unit tests of mutating and validating webhooks.
pkg/admission/plugin/webhook/testing
pkg/admission/plugin/webhook/testing/main
pkg/admission/plugin/webhook/util
pkg/admission/plugin/webhook/validatingPackage validating makes calls to validating (i.e., non-mutating) webhooks during the admission process.
pkg/admission/testing
pkg/apis
pkg/apis/apidiscovery
pkg/apis/apidiscovery/v2Once the v2beta1 types are removed (intended for Kubernetes v1.33), this file will be removed.
pkg/apis/apidiscovery/v2beta1
pkg/apis/apiserverPackage apiserver is the internal version of the API.
pkg/apis/apiserver/install
pkg/apis/apiserver/load
pkg/apis/apiserver/v1Package v1 is the v1 version of the API.
pkg/apis/apiserver/v1alpha1Package v1alpha1 is the v1alpha1 version of the API.
pkg/apis/apiserver/v1beta1Package v1beta1 is the v1beta1 version of the API.
pkg/apis/apiserver/validationPackage validation validates EncryptionConfiguration.
pkg/apis/audit
pkg/apis/audit/fuzzer
pkg/apis/audit/installPackage install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/apis/audit/v1
pkg/apis/audit/validation
pkg/apis/cel
pkg/apis/examplepackage example contains an example API used to demonstrate how to create api groups.
pkg/apis/example2+k8s:deepcopy-gen=package +groupName=example2.k8s.io
pkg/apis/example2/installPackage install installs the example2 API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/apis/example2/v1
pkg/apis/example/fuzzer
pkg/apis/example/installPackage install installs the example API group, making it available as an option to all of the API encoding/decoding machinery.
pkg/apis/example/v1
pkg/apis/flowcontrol
pkg/apis/flowcontrol/bootstrap
pkg/auditTODO: Delete this file if we generate a clientset.
pkg/audit/policy
pkg/authentication
pkg/authentication/authenticator
pkg/authentication/authenticatorfactory
pkg/authentication/celPackage cel contains the CEL related interfaces and structs for authentication.
pkg/authentication/group
pkg/authentication/request
pkg/authentication/request/anonymous
pkg/authentication/request/bearertoken
pkg/authentication/request/headerrequest
pkg/authentication/request/union
pkg/authentication/request/websocket
pkg/authentication/request/x509Package x509 provides a request authenticator that validates and extracts user information from client certificates
pkg/authentication/serviceaccount
pkg/authentication/token
pkg/authentication/token/cache
pkg/authentication/token/jwt
pkg/authentication/token/tokenfile
pkg/authentication/token/union
pkg/authentication/userPackage user contains utilities for dealing with simple user exchange in the auth packages.
pkg/authorization
pkg/authorization/authorizer
pkg/authorization/authorizerfactory
pkg/authorization/cel
pkg/authorization/metrics
pkg/authorization/pathPackage path contains an authorizer that allows certain paths and path prefixes.
pkg/authorization/unionPackage union implements an authorizer that combines multiple subauthorizer.
pkg/cel
pkg/cel/common
pkg/cel/environment
pkg/cel/lazy
pkg/cel/library
pkg/cel/metrics
pkg/cel/mutation
pkg/cel/mutation/dynamic
pkg/cel/openapi
pkg/cel/openapi/resolver
pkg/endpointsPackage endpoints contains the generic code that provides a RESTful Kubernetes-style API service.
pkg/endpoints/deprecation
pkg/endpoints/discovery
pkg/endpoints/discovery/aggregated
pkg/endpoints/filterlatency
pkg/endpoints/filtersPackage filters contains all the http handler chain filters which _are_ api related, i.e.
pkg/endpoints/filters/impersonation
pkg/endpoints/filters/impersonation/metrics
pkg/endpoints/handlersPackage handlers contains HTTP handlers to implement the apiserver APIs.
pkg/endpoints/handlers/fieldmanager
pkg/endpoints/handlers/finisher
pkg/endpoints/handlers/metrics
pkg/endpoints/handlers/negotiationPackage negotiation contains media type negotiation logic.
pkg/endpoints/handlers/responsewritersPackage responsewriters containers helpers to write responses in HTTP handlers.
pkg/endpoints/metrics
pkg/endpoints/openapi
pkg/endpoints/openapi/testing
pkg/endpoints/requestPackage request contains everything around extracting info from a http request object.
pkg/endpoints/responsewriter
pkg/endpoints/testing
pkg/endpoints/warning
pkg/features
pkg/quota
pkg/quota/v1
pkg/quota/v1/generic
pkg/reconcilers
pkg/registryPackage registry contains the generic implementation of the storage and system logic.
pkg/registry/genericPackage generic provides a generic object store interface and a generic label/field matching type.
pkg/registry/generic/registryPackage etcd has a generic implementation of a registry that stores things in etcd.
pkg/registry/generic/restPackage rest has generic implementations of resources used for REST responses
pkg/registry/generic/testing
pkg/registry/restPackage rest defines common logic around changes to Kubernetes-style resources.
pkg/registry/rest/resttest
pkg/serverPackage server contains the plumbing to create kubernetes-like API server command.
pkg/server/dynamiccertificates
pkg/server/egressselector
pkg/server/egressselector/metrics
pkg/server/filtersPackage filters contains all the http handler chain filters which are not api related.
pkg/server/flagz
pkg/server/flagz/api
pkg/server/flagz/api/v1alpha1Package v1alpha1 contains API Schema definitions for the flagz v1alpha1 API group
pkg/server/flagz/api/v1beta1Package v1beta1 contains API Schema definitions for the flagz v1beta1 API group
pkg/server/flagz/negotiate
pkg/server/flagz/testing
pkg/server/healthzPackage healthz implements basic http server health checking.
pkg/server/httplogPackage httplog contains a helper object and functions to maintain a log along with an http response.
pkg/server/muxPackage mux contains abstractions for http multiplexing of APIs.
pkg/server/optionspackage options is the public flags and options used by a generic api server.
pkg/server/options/authenticationconfig
pkg/server/options/authenticationconfig/metrics
pkg/server/options/authorizationconfig
pkg/server/options/authorizationconfig/metrics
pkg/server/options/encryptionconfig
pkg/server/options/encryptionconfig/controller
pkg/server/options/encryptionconfig/metrics
pkg/server/resourceconfigPackage resourceconfig contains the resource config related helper functions.
pkg/server/routesPackage routes holds a collection of optional genericapiserver http handlers.
pkg/server/routine
pkg/server/statusz
pkg/server/statusz/api
pkg/server/statusz/api/v1alpha1Package v1alpha1 contains API Schema definitions for the statusz v1alpha1 API group
pkg/server/statusz/api/v1beta1Package v1beta1 contains API Schema definitions for the statusz v1beta1 API group
pkg/server/statusz/negotiate
pkg/server/statusz/testing
pkg/server/storagePackage storage contains the plumbing to setup the etcd storage of the apiserver.
pkg/sharding
pkg/storageInterfaces for database-related operations.
pkg/storage/cacher
pkg/storage/cacher/delegator
pkg/storage/cacher/metrics
pkg/storage/cacher/progress
pkg/storage/cacher/store
pkg/storage/cacher/testing
pkg/storage/errorsPackage storage provides conversion of storage errors to API errors.
pkg/storage/etcd3
pkg/storage/etcd3/metrics
pkg/storage/etcd3/preflight
pkg/storage/etcd3/testing
pkg/storage/etcd3/testing/testingcert
pkg/storage/etcd3/testserver
pkg/storage/feature
pkg/storage/names
pkg/storage/storagebackend
pkg/storage/storagebackend/factory
pkg/storage/testing
pkg/storage/testresource
pkg/storage/valuePackage value contains methods for assisting with transformation of values in storage.
pkg/storage/value/encrypt
pkg/storage/value/encrypt/aesPackage aes transforms values for storage at rest using AES-GCM.
pkg/storage/value/encrypt/envelopePackage envelope transforms values for storage at rest using a Envelope provider
pkg/storage/value/encrypt/envelope/kmsv2Package kmsv2 transforms values for storage at rest using a Envelope v2 provider
pkg/storage/value/encrypt/envelope/kmsv2/v2Package v2 contains definition of kms-plugin's serialized types.
pkg/storage/value/encrypt/envelope/metrics
pkg/storage/value/encrypt/envelope/testing
pkg/storage/value/encrypt/envelope/testing/v1beta1
pkg/storage/value/encrypt/envelope/testing/v2
pkg/storage/value/encrypt/identity
pkg/storage/value/encrypt/secretboxPackage secretbox transforms values for storage at rest using XSalsa20 and Poly1305.
pkg/storageversion
pkg/util
pkg/util/apihelpers
pkg/util/compatibility
pkg/util/configmetrics
pkg/util/dryrun
pkg/util/feature
pkg/util/filesystem
pkg/util/flowcontrol
pkg/util/flowcontrol/counter
pkg/util/flowcontrol/debug
pkg/util/flowcontrol/fairqueuing
pkg/util/flowcontrol/fairqueuing/eventclock
pkg/util/flowcontrol/fairqueuing/promise
pkg/util/flowcontrol/fairqueuing/queuesetPackage queueset implements a technique called "fair queuing for server requests".
pkg/util/flowcontrol/fairqueuing/testing
pkg/util/flowcontrol/fairqueuing/testing/eventclock
pkg/util/flowcontrol/fairqueuing/testing/promise
pkg/util/flowcontrol/format
pkg/util/flowcontrol/metrics
pkg/util/flowcontrol/request
pkg/util/flushwriterPackage flushwriter implements a wrapper for a writer that flushes on every write if that writer implements the io.Flusher interface
pkg/util/notfoundhandler
pkg/util/openapi
pkg/util/peerproxy
pkg/util/peerproxy/metrics
pkg/util/proxyAmong other files, this directory contains functionality for two stream proxies: streamtranslator.go and streamtunnel.go.
pkg/util/proxy/metrics
pkg/util/responsewriter
pkg/util/shufflesharding
pkg/util/webhookPackage webhook implements a generic HTTP webhook plugin.
pkg/util/x509metrics
pkg/validation
pkg/warning
plugin
plugin/pkg
plugin/pkg/auditPackage audit contains implementations for pkg/audit/AuditBackend interface
plugin/pkg/audit/bufferedPackage buffered provides an implementation for the audit.Backend interface that batches incoming audit events and sends batches to the delegate audit.Backend.
plugin/pkg/audit/fakePackage fake provides a fake audit.Backend interface implementation for testing.
plugin/pkg/audit/log
plugin/pkg/audit/truncatePackage truncate provides an implementation for the audit.Backend interface that truncates audit events and sends them to the delegate audit.Backend.
plugin/pkg/audit/webhookPackage webhook implements the audit.Backend interface using HTTP webhooks.
plugin/pkg/authenticatorPackage authenticator contains implementations for pkg/auth/authenticator interfaces
plugin/pkg/authenticator/token
plugin/pkg/authenticator/token/oidcoidc implements the authenticator.Token interface using the OpenID Connect protocol.
plugin/pkg/authenticator/token/tokentest
plugin/pkg/authenticator/token/webhookPackage webhook implements the authenticator.Token interface using HTTP webhooks.
plugin/pkg/authorizer
plugin/pkg/authorizer/webhookPackage webhook implements the authorizer.Authorizer interface using HTTP webhooks.
plugin/pkg/authorizer/webhook/metrics
Version
v0.36.0 (latest)
Published
Apr 22, 2026
Platform
linux/amd64
Last checked
4 days ago

Tools for package owners.