1 /* 2 Copyright 2017 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package admission 18 19 import ( 20 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 21 "k8s.io/apimachinery/pkg/runtime" 22 "k8s.io/apimachinery/pkg/types" 23 "k8s.io/kubernetes/pkg/apis/authentication" 24 ) 25 26 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 27 28 // AdmissionReview describes an admission review request/response. 29 type AdmissionReview struct { 30 metav1.TypeMeta 31 32 // Request describes the attributes for the admission request. 33 // +optional 34 Request *AdmissionRequest 35 36 // Response describes the attributes for the admission response. 37 // +optional 38 Response *AdmissionResponse 39 } 40 41 // AdmissionRequest describes the admission.Attributes for the admission request. 42 type AdmissionRequest struct { 43 // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are 44 // otherwise identical (parallel requests, requests when earlier requests did not modify etc) 45 // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. 46 // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. 47 UID types.UID 48 // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) 49 Kind metav1.GroupVersionKind 50 // Resource is the fully-qualified resource being requested (for example, v1.pods) 51 Resource metav1.GroupVersionResource 52 // SubResource is the subresource being requested, if any (for example, "status" or "scale") 53 // +optional 54 SubResource string 55 56 // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). 57 // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. 58 // 59 // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of 60 // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, 61 // an API request to apps/v1beta1 deployments would be converted and sent to the webhook 62 // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), 63 // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). 64 // 65 // See documentation for the "matchPolicy" field in the webhook configuration type for more details. 66 // +optional 67 RequestKind *metav1.GroupVersionKind 68 // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). 69 // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. 70 // 71 // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of 72 // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, 73 // an API request to apps/v1beta1 deployments would be converted and sent to the webhook 74 // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), 75 // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). 76 // 77 // See documentation for the "matchPolicy" field in the webhook configuration type. 78 // +optional 79 RequestResource *metav1.GroupVersionResource 80 // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") 81 // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. 82 // See documentation for the "matchPolicy" field in the webhook configuration type. 83 // +optional 84 RequestSubResource string 85 86 // Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and 87 // rely on the server to generate the name. If that is the case, this method will return the empty string. 88 // +optional 89 Name string 90 // Namespace is the namespace associated with the request (if any). 91 // +optional 92 Namespace string 93 // Operation is the operation being performed. This may be different than the operation 94 // requested. e.g. a patch can result in either a CREATE or UPDATE Operation. 95 Operation Operation 96 // UserInfo is information about the requesting user 97 UserInfo authentication.UserInfo 98 // Object is the object from the incoming request. 99 // +optional 100 Object runtime.Object 101 // OldObject is the existing object. Only populated for DELETE and UPDATE requests. 102 // +optional 103 OldObject runtime.Object 104 // DryRun indicates that modifications will definitely not be persisted for this request. 105 // Calls to webhooks must have no side effects if DryRun is true. 106 // Defaults to false. 107 // +optional 108 DryRun *bool 109 // Options is the operation option structure of the operation being performed. 110 // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be 111 // different than the options the caller provided. e.g. for a patch request the performed 112 // Operation might be a CREATE, in which case the Options will a 113 // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. 114 // +optional 115 Options runtime.Object 116 } 117 118 // AdmissionResponse describes an admission response. 119 type AdmissionResponse struct { 120 // UID is an identifier for the individual request/response. 121 // This should be copied over from the corresponding AdmissionRequest. 122 UID types.UID 123 // Allowed indicates whether or not the admission request was permitted. 124 Allowed bool 125 // Result contains extra details into why an admission request was denied. 126 // This field IS NOT consulted in any way if "Allowed" is "true". 127 // +optional 128 Result *metav1.Status 129 // Patch contains the actual patch. Currently we only support a response in the form of JSONPatch, RFC 6902. 130 // +optional 131 Patch []byte 132 // PatchType indicates the form the Patch will take. Currently we only support "JSONPatch". 133 // +optional 134 PatchType *PatchType 135 // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). 136 // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with 137 // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by 138 // the admission webhook to add additional context to the audit log for this request. 139 // +optional 140 AuditAnnotations map[string]string 141 // warnings is a list of warning messages to return to the requesting API client. 142 // Warning messages describe a problem the client making the API request should correct or be aware of. 143 // Limit warnings to 120 characters if possible. 144 // Warnings over 256 characters and large numbers of warnings may be truncated. 145 // +optional 146 Warnings []string 147 } 148 149 // PatchType is the type of patch being used to represent the mutated object 150 type PatchType string 151 152 // PatchType constants. 153 const ( 154 PatchTypeJSONPatch PatchType = "JSONPatch" 155 ) 156 157 // Operation is the type of resource operation being checked for admission control 158 type Operation string 159 160 // Operation constants 161 const ( 162 Create Operation = "CREATE" 163 Update Operation = "UPDATE" 164 Delete Operation = "DELETE" 165 Connect Operation = "CONNECT" 166 ) 167