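package v1

import (
	"fmt"

	configv1 "github.com/openshift/api/config/v1"
	osinv1 "github.com/openshift/api/osin/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// KubeAPIServerConfig is the serialized configuration consumed by the kube-apiserver.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type KubeAPIServerConfig struct {
	metav1.TypeMeta `json:",inline"`

	// provides the standard apiserver configuration
	configv1.GenericAPIServerConfig `json:",inline"`

	// authConfig configures authentication options in addition to the standard
	// oauth token and client certificate authenticators
	AuthConfig MasterAuthConfig `json:"authConfig"`

	// aggregatorConfig has options for configuring the aggregator component of the API server.
	AggregatorConfig AggregatorConfig `json:"aggregatorConfig"`

	// kubeletClientInfo contains information about how to connect to kubelets
	KubeletClientInfo KubeletConnectionInfo `json:"kubeletClientInfo"`

	// servicesSubnet is the subnet to use for assigning service IPs
	ServicesSubnet string `json:"servicesSubnet"`
	// servicesNodePortRange is the range to use for assigning service public ports on a host.
	ServicesNodePortRange string `json:"servicesNodePortRange"`

	// DEPRECATED: consolePublicURL has been deprecated and setting it has no effect.
	ConsolePublicURL string `json:"consolePublicURL"`

	// UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!
	// The User-Agent header is chosen by the caller, so these rules are a client-compatibility control,
	// not an authentication or authorization boundary.
	// TODO I think we should just drop this feature.
	UserAgentMatchingConfig UserAgentMatchingConfig `json:"userAgentMatchingConfig"`

	// imagePolicyConfig feeds the image policy admission plugin
	// TODO make it an admission plugin config
	ImagePolicyConfig KubeAPIServerImagePolicyConfig `json:"imagePolicyConfig"`

	// projectConfig feeds an admission plugin
	// TODO make it an admission plugin config
	ProjectConfig KubeAPIServerProjectConfig `json:"projectConfig"`

	// serviceAccountPublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key.
	// (If any file contains a private key, the public portion of the key is used)
	// The list of public keys is used to verify presented service account tokens.
	// Each key is tried in order until the list is exhausted or verification succeeds.
	// If no keys are specified, no service account authentication will be available.
	// NOTE(review): since only the public portion is used, prefer listing public-key files here
	// rather than files that also carry private key material — confirm against the loader.
	ServiceAccountPublicKeyFiles []string `json:"serviceAccountPublicKeyFiles"`

	// oauthConfig, if present, starts the /oauth endpoint in this process.
	// MasterAuthConfig.OAuthMetadataFile is documented as mutually exclusive with this field.
	OAuthConfig *osinv1.OAuthConfig `json:"oauthConfig"`

	// apiServerArguments holds additional arguments, presumably keyed by flag name — confirm in the consumer.
	// TODO this needs to be removed.
	APIServerArguments map[string]Arguments `json:"apiServerArguments"`
}

// Arguments masks the value so protobuf can generate
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
type Arguments []string

// String renders the argument list using fmt's default slice formatting
// (e.g. []string{"a", "b"} prints as "[a b]").
func (t Arguments) String() string {
	return fmt.Sprintf("%v", []string(t))
}

// KubeAPIServerImagePolicyConfig carries the registry hostnames fed to the image policy admission plugin.
type KubeAPIServerImagePolicyConfig struct {
	// internalRegistryHostname sets the hostname for the default internal image
	// registry. The value must be in "hostname[:port]" format.
	// For backward compatibility, users can still use OPENSHIFT_DEFAULT_REGISTRY
	// environment variable but this setting overrides the environment variable.
	InternalRegistryHostname string `json:"internalRegistryHostname"`
	// externalRegistryHostnames provides the hostnames for the default external image
	// registry. The external hostname should be set only when the image registry
	// is exposed externally. The first value is used in 'publicDockerImageRepository'
	// field in ImageStreams. The value must be in "hostname[:port]" format.
	ExternalRegistryHostnames []string `json:"externalRegistryHostnames"`
}

// KubeAPIServerProjectConfig carries the project defaults fed to an admission plugin.
type KubeAPIServerProjectConfig struct {
	// defaultNodeSelector holds default project node label selector
	DefaultNodeSelector string `json:"defaultNodeSelector"`
}

// KubeletConnectionInfo holds information necessary for connecting to a kubelet
type KubeletConnectionInfo struct {
	// port is the port to connect to kubelets on
	Port uint32 `json:"port"`
	// ca is the CA for verifying TLS connections to kubelets
	// NOTE(review): what happens when ca is empty (whether kubelet server certs go unverified)
	// is not determined here — confirm in the kubelet client setup.
	CA string `json:"ca"`
	// CertInfo is the TLS client cert information for securing communication to kubelets
	// this is anonymous so that we can inline it for serialization
	configv1.CertInfo `json:",inline"`
}

// UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS!
// A caller can send any User-Agent it likes, so matching here must not be relied on for access control.
type UserAgentMatchingConfig struct {
	// requiredClients if this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed
	RequiredClients []UserAgentMatchRule `json:"requiredClients"`

	// deniedClients if this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes
	DeniedClients []UserAgentDenyRule `json:"deniedClients"`

	// defaultRejectionMessage is the message shown when rejecting a client. If it is not set, a generic message is given.
	DefaultRejectionMessage string `json:"defaultRejectionMessage"`
}

// UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb
type UserAgentMatchRule struct {
	// regex is a regex that is checked against the User-Agent.
	// Known variants of oc clients
	// 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d
	// 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f
	// 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d
	// 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f
	// 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d
	// 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f
	// 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d
	// 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f
	Regex string `json:"regex"`

	// httpVerbs specifies which HTTP verbs should be matched. An empty list means "match all verbs".
	HTTPVerbs []string `json:"httpVerbs"`
}

// UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client
type UserAgentDenyRule struct {
	UserAgentMatchRule `json:",inline"`

	// RejectionMessage is the message shown when rejecting a client. If it is not set, the default message is used.
	RejectionMessage string `json:"rejectionMessage"`
}

// MasterAuthConfig configures authentication options in addition to the standard
// oauth token and client certificate authenticators
type MasterAuthConfig struct {
	// requestHeader holds options for setting up a front proxy against the API. It is optional.
	RequestHeader *RequestHeaderAuthenticationOptions `json:"requestHeader"`
	// webhookTokenAuthenticators, if present configures remote token reviewers
	WebhookTokenAuthenticators []WebhookTokenAuthenticator `json:"webhookTokenAuthenticators"`
	// oauthMetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization
	// Server Metadata for an external OAuth server.
	// See IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
	// This option is mutually exclusive with OAuthConfig
	OAuthMetadataFile string `json:"oauthMetadataFile"`
}

// WebhookTokenAuthenticator holds the necessary configuration options for
// external token authenticators
type WebhookTokenAuthenticator struct {
	// configFile is a path to a Kubeconfig file with the webhook configuration
	ConfigFile string `json:"configFile"`
	// cacheTTL indicates how long an authentication result should be cached.
	// It takes a valid time duration string (e.g. "5m").
	// If empty, you get a default timeout of 2 minutes.
	// If zero (e.g. "0m"), caching is disabled
	// Because results are cached, a token the remote reviewer would now reject can presumably
	// still be accepted until its cached entry expires; the TTL bounds that window.
	CacheTTL string `json:"cacheTTL"`
}

// RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire
// API instead of against the /oauth endpoint.
// The identity asserted via usernameHeaders/groupHeaders/extraHeaderPrefixes is only as trustworthy as
// the proxy setting them; clientCA and clientCommonNames are required so that, presumably, only a proxy
// presenting a matching client certificate is allowed to assert identities this way — confirm in the authenticator.
type RequestHeaderAuthenticationOptions struct {
	// clientCA is a file with the trusted signer certs. It is required.
	ClientCA string `json:"clientCA"`
	// clientCommonNames is a required list of common names to require a match from.
	ClientCommonNames []string `json:"clientCommonNames"`

	// usernameHeaders is the list of headers to check for user information. First hit wins.
	UsernameHeaders []string `json:"usernameHeaders"`
	// groupHeaders is the set of headers to check for group information. All are unioned.
	GroupHeaders []string `json:"groupHeaders"`
	// extraHeaderPrefixes is the set of request header prefixes to inspect for user extra. X-Remote-Extra- is suggested.
	ExtraHeaderPrefixes []string `json:"extraHeaderPrefixes"`
}

// AggregatorConfig holds information required to make the aggregator function.
type AggregatorConfig struct {
	// proxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers
	ProxyClientInfo configv1.CertInfo `json:"proxyClientInfo"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// KubeControllerManagerConfig is the serialized configuration consumed by the kube-controller-manager.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type KubeControllerManagerConfig struct {
	metav1.TypeMeta `json:",inline"`

	// serviceServingCert provides support for the old alpha service serving cert signer CA bundle
	ServiceServingCert ServiceServingCert `json:"serviceServingCert"`

	// projectConfig is an optimization for the daemonset controller
	ProjectConfig KubeControllerManagerProjectConfig `json:"projectConfig"`

	// extendedArguments is used to configure the kube-controller-manager
	ExtendedArguments map[string]Arguments `json:"extendedArguments"`
}

// KubeControllerManagerProjectConfig carries the project defaults used by the kube-controller-manager.
type KubeControllerManagerProjectConfig struct {
	// defaultNodeSelector holds default project node label selector
	DefaultNodeSelector string `json:"defaultNodeSelector"`
}

// ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for
// pods fulfilling a service to serve with.
type ServiceServingCert struct {
	// CertFile is a file containing a PEM-encoded certificate
	CertFile string `json:"certFile"`
}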