package webhook
import "sigs.k8s.io/controller-runtime/pkg/webhook"
Package webhook provides methods to build and bootstrap a webhook server.
Currently, it only supports admission webhooks. It will support CRD conversion webhooks in the near future.
Example ¶
This example registers webhooks with a webhook server that is run by a controller manager.
Code:
{
	// Create a manager
	// Note: GetConfigOrDie will os.Exit(1) w/o any message if no kube-config can be found
	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{})
	if err != nil {
		panic(err)
	}

	// Create a webhook server.
	hookServer := NewServer(Options{
		Port: 8443,
	})
	if err := mgr.Add(hookServer); err != nil {
		panic(err)
	}

	// Register the webhooks in the server.
	hookServer.Register("/mutating", mutatingHook)
	hookServer.Register("/validating", validatingHook)

	// Start the server by starting a previously-set-up manager
	err = mgr.Start(ctrl.SetupSignalHandler())
	if err != nil {
		// handle error
		panic(err)
	}
}
Index ¶
- Variables
- type Admission
- type AdmissionDecoder
- type AdmissionHandler
- type AdmissionRequest
- type AdmissionResponse
- type CustomDefaulter
- type CustomValidator
- type DefaultServer
- func (*DefaultServer) NeedLeaderElection() bool
- func (s *DefaultServer) Register(path string, hook http.Handler)
- func (s *DefaultServer) Start(ctx context.Context) error
- func (s *DefaultServer) StartedChecker() healthz.Checker
- func (s *DefaultServer) WebhookMux() *http.ServeMux
- type JSONPatchOp
- type Options
- type Server
Variables ¶
var (
	// Allowed indicates that the admission request should be allowed for the given reason.
	Allowed = admission.Allowed

	// Denied indicates that the admission request should be denied for the given reason.
	Denied = admission.Denied

	// Patched indicates that the admission request should be allowed for the given reason,
	// and that the contained object should be mutated using the given patches.
	Patched = admission.Patched

	// Errored indicates that an error occurred in the admission request.
	Errored = admission.Errored
)
var DefaultPort = 9443
DefaultPort is the default port that the webhook server serves.
Types ¶
type Admission ¶
Admission is a webhook suitable for registration with the server: an admission webhook that validates API operations and potentially mutates their contents.
type AdmissionDecoder ¶
AdmissionDecoder knows how to decode objects from admission requests.
type AdmissionHandler ¶
AdmissionHandler knows how to process admission requests, validating them, and potentially mutating the objects they contain.
type AdmissionRequest ¶
AdmissionRequest defines the input for an admission handler. It contains information to identify the object in question (group, version, kind, resource, subresource, name, namespace), as well as the operation in question (e.g. Get, Create, etc), and the object itself.
type AdmissionResponse ¶
AdmissionResponse is the output of an admission handler. It contains a response indicating if a given operation is allowed, as well as a set of patches to mutate the object in the case of a mutating admission handler.
type CustomDefaulter ¶
type CustomDefaulter = admission.CustomDefaulter
CustomDefaulter defines functions for setting defaults on resources.
type CustomValidator ¶
type CustomValidator = admission.CustomValidator
CustomValidator defines functions for validating an operation.
type DefaultServer ¶
type DefaultServer struct {
	Options Options
	// contains filtered or unexported fields
}
DefaultServer is the default implementation used for Server.
func (*DefaultServer) NeedLeaderElection ¶
func (*DefaultServer) NeedLeaderElection() bool
NeedLeaderElection implements the LeaderElectionRunnable interface, which indicates the webhook server doesn't need leader election.
func (*DefaultServer) Register ¶
func (s *DefaultServer) Register(path string, hook http.Handler)
Register marks the given webhook as being served at the given path. It panics if two hooks are registered on the same path.
func (*DefaultServer) Start ¶
func (s *DefaultServer) Start(ctx context.Context) error
Start runs the server. It will install the webhook-related resources depending on the server configuration.
func (*DefaultServer) StartedChecker ¶
func (s *DefaultServer) StartedChecker() healthz.Checker
StartedChecker returns a healthz.Checker which is healthy after the server has been started.
func (*DefaultServer) WebhookMux ¶
func (s *DefaultServer) WebhookMux() *http.ServeMux
WebhookMux returns the server's WebhookMux.
type JSONPatchOp ¶
type JSONPatchOp = jsonpatch.Operation
JSONPatchOp represents a single JSONPatch patch operation.
type Options ¶
type Options struct {
	// Host is the address that the server will listen on.
	// Defaults to "" - all addresses.
	Host string

	// Port is the port number that the server will serve.
	// It will be defaulted to 9443 if unspecified.
	Port int

	// CertDir is the directory that contains the server key and certificate. Defaults to
	// <temp-dir>/k8s-webhook-server/serving-certs.
	CertDir string

	// CertName is the server certificate name. Defaults to tls.crt.
	//
	// Note: This option is only used when TLSOpts does not set GetCertificate.
	CertName string

	// KeyName is the server key name. Defaults to tls.key.
	//
	// Note: This option is only used when TLSOpts does not set GetCertificate.
	KeyName string

	// ClientCAName is the name of the CA certificate that the server uses to verify the remote (client) certificate.
	// Defaults to "", which means the server does not verify the client's certificate.
	ClientCAName string

	// TLSOpts is used to allow configuring the TLS config used for the server.
	// This also allows providing a certificate via GetCertificate.
	TLSOpts []func(*tls.Config)

	// WebhookMux is the multiplexer that handles different webhooks.
	WebhookMux *http.ServeMux
}
Options are all the available options for a webhook.Server
type Server ¶
type Server interface {
	// NeedLeaderElection implements the LeaderElectionRunnable interface, which indicates
	// the webhook server doesn't need leader election.
	NeedLeaderElection() bool

	// Register marks the given webhook as being served at the given path.
	// It panics if two hooks are registered on the same path.
	Register(path string, hook http.Handler)

	// Start runs the server.
	// It will install the webhook-related resources depending on the server configuration.
	Start(ctx context.Context) error

	// StartedChecker returns a healthz.Checker which is healthy after the
	// server has been started.
	StartedChecker() healthz.Checker

	// WebhookMux returns the server's WebhookMux.
	WebhookMux() *http.ServeMux
}
Server is an admission webhook server that can serve traffic and generates related k8s resources for deploying.
TLS is required for a webhook to be accessed by Kubernetes, so you must provide a CertName and KeyName or have a valid cert/key at the default locations (tls.crt and tls.key). If you do not want to configure TLS (e.g. for testing purposes), run an admission.StandaloneWebhook in your own server.
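The following added example (not code from controller-runtime) shows functions of the `[]func(*tls.Config)` type that Options.TLSOpts accepts, pinning TLS 1.3 and requiring verified client certificates, next to a small audit of the resulting config. `hardenedTLSOpts`, `applyOpts` and `auditTLS` are hypothetical names, the way options are applied is an assumption, and the empty pool in `main` is a constructed placeholder for a real client CA bundle.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// hardenedTLSOpts returns functions of the type Options.TLSOpts accepts.
// clientCAs is the pool that calling clients must chain to (hypothetical input).
func hardenedTLSOpts(clientCAs *x509.CertPool) []func(*tls.Config) {
	return []func(*tls.Config){
		func(c *tls.Config) { c.MinVersion = tls.VersionTLS13 },
		func(c *tls.Config) {
			c.ClientCAs = clientCAs
			c.ClientAuth = tls.RequireAndVerifyClientCert
		},
	}
}

// applyOpts runs each option against a copy of base, in order. This mimics how
// a server would consume TLSOpts; it is an assumption, not the package's code.
func applyOpts(base *tls.Config, opts []func(*tls.Config)) *tls.Config {
	cfg := base.Clone()
	for _, opt := range opts {
		opt(cfg)
	}
	return cfg
}

// auditTLS lists settings a reviewer would question on a webhook listener.
func auditTLS(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion unset or below TLS 1.2")
	}
	if cfg.ClientAuth != tls.RequireAndVerifyClientCert {
		findings = append(findings, "client certificates not required and verified")
	}
	if cfg.ClientAuth >= tls.VerifyClientCertIfGiven && cfg.ClientCAs == nil {
		findings = append(findings, "client verification has no explicit ClientCAs pool")
	}
	return findings
}

func main() {
	base := &tls.Config{} // constructed stand-in for an unconfigured listener
	fmt.Println("default: ", auditTLS(base))
	fmt.Println("hardened:", auditTLS(applyOpts(base, hardenedTLSOpts(x509.NewCertPool()))))
}
```

The slice returned by `hardenedTLSOpts` can be assigned to the TLSOpts field of Options; the third audit check matters because a nil ClientCAs pool leaves client verification to the host's root CA set.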
func NewServer ¶
NewServer constructs a new webhook.Server from the provided options.
Source Files ¶
alias.go doc.go server.go
Directories ¶
Path | Synopsis |
---|---|
pkg/webhook/admission | Package admission provides implementation for admission webhook and methods to implement admission webhook handlers. |
pkg/webhook/admission/metrics | |
pkg/webhook/authentication | Package authentication provides implementation for authentication webhook and methods to implement authentication webhook handlers. |
pkg/webhook/conversion | Package conversion provides implementation for CRD conversion webhook that implements handler for version conversion requests for types that are convertible. |
pkg/webhook/internal | |
- Version: v0.21.0 (latest)
- Published: May 20, 2025
- Platform: linux/amd64
- Imports: 18 packages