admission.go

Documentation: k8s.io/kubernetes/pkg/kubeapiserver/options

     1  /*
     2  Copyright 2018 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package options
    18  
    19  import (
    20  	"fmt"
    21  	"strings"
    22  
    23  	"github.com/spf13/pflag"
    24  	"k8s.io/client-go/dynamic"
    25  	"k8s.io/client-go/kubernetes"
    26  
    27  	"k8s.io/apimachinery/pkg/util/sets"
    28  	"k8s.io/apiserver/pkg/admission"
    29  	"k8s.io/apiserver/pkg/server"
    30  	genericoptions "k8s.io/apiserver/pkg/server/options"
    31  	"k8s.io/client-go/informers"
    32  	"k8s.io/component-base/featuregate"
    33  )
    34  
    35  // AdmissionOptions holds the admission options.
    36  // It is a wrap of generic AdmissionOptions.
    37  type AdmissionOptions struct {
    38  	// GenericAdmission holds the generic admission options.
    39  	GenericAdmission *genericoptions.AdmissionOptions
    40  	// DEPRECATED flag, should use EnabledAdmissionPlugins and DisabledAdmissionPlugins.
    41  	// They are mutually exclusive, specify both will lead to an error.
    42  	PluginNames []string
    43  }
    44  
    45  // NewAdmissionOptions creates a new instance of AdmissionOptions
    46  // Note:
    47  //
    48  //	In addition it calls RegisterAllAdmissionPlugins to register
    49  //	all kube-apiserver admission plugins.
    50  //
    51  //	Provides the list of RecommendedPluginOrder that holds sane values
    52  //	that can be used by servers that don't care about admission chain.
    53  //	Servers that do care can overwrite/append that field after creation.
    54  func NewAdmissionOptions() *AdmissionOptions {
    55  	options := genericoptions.NewAdmissionOptions()
    56  	// register all admission plugins
    57  	RegisterAllAdmissionPlugins(options.Plugins)
    58  	// set RecommendedPluginOrder
    59  	options.RecommendedPluginOrder = AllOrderedPlugins
    60  	// set DefaultOffPlugins
    61  	options.DefaultOffPlugins = DefaultOffAdmissionPlugins()
    62  
    63  	return &AdmissionOptions{
    64  		GenericAdmission: options,
    65  	}
    66  }
    67  
    68  // AddFlags adds flags related to admission for kube-apiserver to the specified FlagSet
    69  func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet) {
    70  	if a == nil {
    71  		return
    72  	}
    73  	fs.StringSliceVar(&a.PluginNames, "admission-control", a.PluginNames, ""+
    74  		"Admission is divided into two phases. "+
    75  		"In the first phase, only mutating admission plugins run. "+
    76  		"In the second phase, only validating admission plugins run. "+
    77  		"The names in the below list may represent a validating plugin, a mutating plugin, or both. "+
    78  		"The order of plugins in which they are passed to this flag does not matter. "+
    79  		"Comma-delimited list of: "+strings.Join(a.GenericAdmission.Plugins.Registered(), ", ")+".")
    80  	fs.MarkDeprecated("admission-control", "Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.")
    81  	fs.Lookup("admission-control").Hidden = false
    82  
    83  	a.GenericAdmission.AddFlags(fs)
    84  }
    85  
    86  // Validate verifies flags passed to kube-apiserver AdmissionOptions.
    87  // Kube-apiserver verifies PluginNames and then call generic AdmissionOptions.Validate.
    88  func (a *AdmissionOptions) Validate() []error {
    89  	if a == nil {
    90  		return nil
    91  	}
    92  	var errs []error
    93  	if a.PluginNames != nil &&
    94  		(a.GenericAdmission.EnablePlugins != nil || a.GenericAdmission.DisablePlugins != nil) {
    95  		errs = append(errs, fmt.Errorf("admission-control and enable-admission-plugins/disable-admission-plugins flags are mutually exclusive"))
    96  	}
    97  
    98  	registeredPlugins := sets.NewString(a.GenericAdmission.Plugins.Registered()...)
    99  	for _, name := range a.PluginNames {
   100  		if !registeredPlugins.Has(name) {
   101  			errs = append(errs, fmt.Errorf("admission-control plugin %q is unknown", name))
   102  		}
   103  	}
   104  
   105  	errs = append(errs, a.GenericAdmission.Validate()...)
   106  
   107  	return errs
   108  }
   109  
   110  // ApplyTo adds the admission chain to the server configuration.
   111  // Kube-apiserver just call generic AdmissionOptions.ApplyTo.
   112  func (a *AdmissionOptions) ApplyTo(
   113  	c *server.Config,
   114  	informers informers.SharedInformerFactory,
   115  	kubeClient kubernetes.Interface,
   116  	dynamicClient dynamic.Interface,
   117  	features featuregate.FeatureGate,
   118  	pluginInitializers ...admission.PluginInitializer,
   119  ) error {
   120  	if a == nil {
   121  		return nil
   122  	}
   123  
   124  	if a.PluginNames != nil {
   125  		// pass PluginNames to generic AdmissionOptions
   126  		a.GenericAdmission.EnablePlugins, a.GenericAdmission.DisablePlugins = computePluginNames(a.PluginNames, a.GenericAdmission.RecommendedPluginOrder)
   127  	}
   128  
   129  	return a.GenericAdmission.ApplyTo(c, informers, kubeClient, dynamicClient, features, pluginInitializers...)
   130  }
   131  
   132  // explicitly disable all plugins that are not in the enabled list
   133  func computePluginNames(explicitlyEnabled []string, all []string) (enabled []string, disabled []string) {
   134  	return explicitlyEnabled, sets.NewString(all...).Difference(sets.NewString(explicitlyEnabled...)).List()
   135  }
   136
View as plain text