/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package apiserver holds the configuration types consumed by the generic
// API server: admission plugin configuration, egress (konnectivity) selection,
// tracing, and structured authentication / authorization configuration.
//
// These are declarations only; the validation rules mentioned in the field
// comments below are enforced elsewhere (the validation package and the
// individual authenticators/authorizers), not by this file.
package apiserver

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	tracingapi "k8s.io/component-base/tracing/api/v1"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AdmissionConfiguration provides versioned configuration for admission controllers.
type AdmissionConfiguration struct {
	metav1.TypeMeta

	// Plugins allows specifying a configuration per admission control plugin.
	// Each entry is matched to a registered plugin by AdmissionPluginConfiguration.Name.
	// +optional
	Plugins []AdmissionPluginConfiguration
}

// AdmissionPluginConfiguration provides the configuration for a single plug-in.
//
// Exactly how the plugin's configuration is supplied is decided by the two
// mutually-overriding fields Path and Configuration: an embedded
// Configuration takes precedence over a Path when both are present.
type AdmissionPluginConfiguration struct {
	// Name is the name of the admission controller.
	// It must match the registered admission plugin name.
	Name string

	// Path is the path to a configuration file that contains the plugin's
	// configuration. The file is read by the API server process, so it should
	// be protected like any other server-side configuration (plugins may
	// embed credentials or webhook targets in it).
	// +optional
	Path string

	// Configuration is an embedded configuration object to be used as the plugin's
	// configuration. If present, it will be used instead of the path to the configuration file.
	// +optional
	Configuration *runtime.Unknown
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// EgressSelectorConfiguration provides versioned configuration for egress selector clients.
type EgressSelectorConfiguration struct {
	metav1.TypeMeta

	// EgressSelections contains a list of egress selection client configurations,
	// one per egress selection name (see EgressSelection.Name).
	EgressSelections []EgressSelection
}

// EgressSelection provides the configuration for a single egress selection client.
type EgressSelection struct {
	// Name is the name of the egress selection.
	// Currently supported values are "controlplane", "etcd" and "cluster"
	Name string

	// Connection is the exact information used to configure the egress selection
	Connection Connection
}

// Connection provides the configuration for a single egress selection client.
type Connection struct {
	// ProxyProtocol is the protocol used to connect from client to the konnectivity server.
	// See ProtocolType for the valid values; ProtocolDirect bypasses the
	// konnectivity server entirely.
	ProxyProtocol ProtocolType

	// Transport defines the transport configurations we use to dial to the konnectivity server.
	// This is required if ProxyProtocol is HTTPConnect or GRPC.
	// +optional
	Transport *Transport
}

// ProtocolType is a set of valid values for Connection.ProxyProtocol
type ProtocolType string

// Valid types for ProtocolType for konnectivity server
const (
	// Use HTTPConnect to connect to konnectivity server
	ProtocolHTTPConnect ProtocolType = "HTTPConnect"
	// Use grpc to connect to konnectivity server
	ProtocolGRPC ProtocolType = "GRPC"
	// Connect directly (skip konnectivity server).
	// Traffic for an egress selection configured with Direct is not tunneled
	// through the proxy; the Transport field is not needed in that case.
	ProtocolDirect ProtocolType = "Direct"
)

// Transport defines the transport configurations we use to dial to the konnectivity server
type Transport struct {
	// TCP is the TCP configuration for communicating with the konnectivity server via TCP
	// ProxyProtocol of GRPC is not supported with TCP transport at the moment
	// Requires at least one of TCP or UDS to be set
	// +optional
	TCP *TCPTransport

	// UDS is the UDS configuration for communicating with the konnectivity server via UDS
	// Requires at least one of TCP or UDS to be set
	// +optional
	UDS *UDSTransport
}

// TCPTransport provides the information to connect to konnectivity server via TCP
type TCPTransport struct {
	// URL is the location of the konnectivity server to connect to.
	// As an example it might be "https://127.0.0.1:8131"
	// The scheme decides whether TLS is used: per the TLSConfig rules below,
	// an http:// URL means a plaintext, unauthenticated connection to the
	// konnectivity server and TLSConfig must then be empty.
	URL string

	// TLSConfig is the config needed to use TLS when connecting to konnectivity server
	// +optional
	TLSConfig *TLSConfig
}

// UDSTransport provides the information to connect to konnectivity server via UDS
type UDSTransport struct {
	// UDSName is the name of the unix domain socket to connect to konnectivity server
	// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket)
	UDSName string
}

// TLSConfig provides the authentication information to connect to konnectivity server
// Only used with TCPTransport
//
// All three fields are file locations, not inline PEM data.
type TLSConfig struct {
	// caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
	// Must be absent/empty if TCPTransport.URL is prefixed with http://
	// If absent while TCPTransport.URL is prefixed with https://, default to system trust roots.
	// NOTE(review): with the system-roots default, any server certificate chaining to a
	// public CA is accepted; set caBundle explicitly when the konnectivity server uses a
	// private CA so that trust is pinned to it.
	// +optional
	CABundle string

	// clientKey is the file location of the client key to authenticate with the konnectivity server
	// Must be absent/empty if TCPTransport.URL is prefixed with http://
	// Must be configured if TCPTransport.URL is prefixed with https://
	// +optional
	ClientKey string

	// clientCert is the file location of the client certificate to authenticate with the konnectivity server
	// Must be absent/empty if TCPTransport.URL is prefixed with http://
	// Must be configured if TCPTransport.URL is prefixed with https://
	// +optional
	ClientCert string
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// TracingConfiguration provides versioned configuration for tracing clients.
type TracingConfiguration struct {
	metav1.TypeMeta

	// Embed the component config tracing configuration struct
	tracingapi.TracingConfiguration
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuthenticationConfiguration provides versioned configuration for authentication.
type AuthenticationConfiguration struct {
	metav1.TypeMeta

	// JWT is the list of JWT authenticators. Each entry configures one issuer;
	// Issuer.URL (and DiscoveryURL, when set) must be unique across the list.
	JWT []JWTAuthenticator

	// Anonymous configures the anonymous authenticator.
	// If present --anonymous-auth must not be set
	Anonymous *AnonymousAuthConfig
}

// AnonymousAuthConfig provides the configuration for the anonymous authenticator.
type AnonymousAuthConfig struct {
	// Enabled turns the anonymous authenticator on or off.
	Enabled bool

	// If set, anonymous auth is only allowed if the request meets one of the
	// conditions. The converse follows: with Enabled=true and no Conditions,
	// anonymous authentication is not restricted by path at all.
	Conditions []AnonymousAuthCondition
}

// AnonymousAuthCondition describes the condition under which anonymous auth
// should be enabled.
type AnonymousAuthCondition struct {
	// Path for which anonymous auth is enabled.
	// NOTE(review): whether Path is matched exactly or as a prefix is not stated
	// here — confirm against the anonymous authenticator before relying on it to
	// scope anonymous access to e.g. health endpoints only.
	Path string
}

// JWTAuthenticator provides the configuration for a single JWT authenticator.
type JWTAuthenticator struct {
	// Issuer identifies the token issuer and how to reach its discovery/JWKS endpoints.
	Issuer Issuer
	// ClaimValidationRules are additional checks applied to the token's claims.
	ClaimValidationRules []ClaimValidationRule
	// ClaimMappings describe how claims become the user's name, groups, UID and extras.
	ClaimMappings ClaimMappings
	// UserValidationRules are additional checks applied to the mapped user info.
	UserValidationRules []UserValidationRule
}

// Issuer provides the configuration for an external provider's specific settings.
type Issuer struct {
	// url points to the issuer URL in a format https://url or https://url/path.
	// This must match the "iss" claim in the presented JWT, and the issuer returned from discovery.
	// Same value as the --oidc-issuer-url flag.
	// Discovery information is fetched from "{url}/.well-known/openid-configuration" unless overridden by discoveryURL.
	// Required to be unique across all JWT authenticators.
	// Note that egress selection configuration is not used for this network connection.
	// +required
	URL string
	// discoveryURL, if specified, overrides the URL used to fetch discovery
	// information instead of using "{url}/.well-known/openid-configuration".
	// The exact value specified is used, so "/.well-known/openid-configuration"
	// must be included in discoveryURL if needed.
	//
	// The "issuer" field in the fetched discovery information must match the "issuer.url" field
	// in the AuthenticationConfiguration and will be used to validate the "iss" claim in the presented JWT.
	// This is for scenarios where the well-known and jwks endpoints are hosted at a different
	// location than the issuer (such as locally in the cluster).
	//
	// Example:
	// A discovery url that is exposed using kubernetes service 'oidc' in namespace 'oidc-namespace'
	// and discovery information is available at '/.well-known/openid-configuration'.
	// discoveryURL: "https://oidc.oidc-namespace/.well-known/openid-configuration"
	// certificateAuthority is used to verify the TLS connection and the hostname on the leaf certificate
	// must be set to 'oidc.oidc-namespace'.
	//
	// curl https://oidc.oidc-namespace/.well-known/openid-configuration (.discoveryURL field)
	// {
	//     issuer: "https://oidc.example.com" (.url field)
	// }
	//
	// discoveryURL must be different from url.
	// Required to be unique across all JWT authenticators.
	// Note that egress selection configuration is not used for this network connection.
	// +optional
	DiscoveryURL string
	// CertificateAuthority is used to verify the TLS connection to the discovery
	// (and JWKS) endpoint; the hostname in the leaf certificate must match the
	// host of the URL being fetched (see the discoveryURL example above).
	// NOTE(review): the value is presumably PEM content rather than a file path —
	// confirm against the versioned type before documenting it for users.
	CertificateAuthority string
	// Audiences is the set of acceptable audiences for presented tokens; how a
	// token's "aud" claim is compared against this set is governed by
	// AudienceMatchPolicy. Presumably at least one entry is required — confirm
	// in validation.
	Audiences []string
	// AudienceMatchPolicy selects how Audiences is matched; MatchAny is the only
	// policy defined in this file.
	AudienceMatchPolicy AudienceMatchPolicyType
}

// AudienceMatchPolicyType is a set of valid values for Issuer.AudienceMatchPolicy
type AudienceMatchPolicyType string

// Valid types for AudienceMatchPolicyType
const (
	// AudienceMatchPolicyMatchAny accepts a token when any configured audience matches.
	AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny"
)

// ClaimValidationRule provides the configuration for a single claim validation rule.
//
// Two forms are carried by the same struct: a simple (Claim, RequiredValue)
// equality check, or a CEL Expression with an optional Message. Which
// combinations are allowed together is enforced by validation, not here.
type ClaimValidationRule struct {
	// Claim is the name of the claim to check.
	Claim string
	// RequiredValue is the value Claim must have for the rule to pass.
	RequiredValue string

	// Expression is a CEL expression evaluated against the claims; the rule
	// passes when it evaluates to true.
	Expression string
	// Message is the human-readable reason reported when Expression fails.
	Message string
}

// ClaimMappings provides the configuration for claim mapping
type ClaimMappings struct {
	// Username maps a claim (or expression) to the authenticated user name.
	Username PrefixedClaimOrExpression
	// Groups maps a claim (or expression) to the user's group memberships.
	Groups PrefixedClaimOrExpression
	// UID maps a claim (or expression) to the user's UID.
	UID ClaimOrExpression
	// Extra produces additional user-info key/value pairs from expressions.
	Extra []ExtraMapping
}

// PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.
type PrefixedClaimOrExpression struct {
	// Claim is the name of the claim to take the value from.
	Claim string
	// Prefix is prepended to the claim value. It is a pointer so that "no prefix
	// specified" (nil) can be distinguished from an explicit empty prefix (""),
	// which matters because a prefix is what keeps externally-issued names from
	// colliding with other Kubernetes identities; the exact defaulting rule
	// lives in validation/defaulting, not here.
	Prefix *string

	// Expression is a CEL expression used instead of Claim/Prefix.
	Expression string
}

// ClaimOrExpression provides the configuration for a single claim or expression.
type ClaimOrExpression struct {
	// Claim is the name of the claim to take the value from.
	Claim string
	// Expression is a CEL expression used instead of Claim.
	Expression string
}

// ExtraMapping provides the configuration for a single extra mapping.
type ExtraMapping struct {
	// Key is the user-info extra key being populated.
	Key string
	// ValueExpression is the CEL expression producing the value(s) for Key.
	ValueExpression string
}

// UserValidationRule provides the configuration for a single user validation rule.
type UserValidationRule struct {
	// Expression is a CEL expression evaluated against the mapped user info;
	// the rule passes when it evaluates to true.
	Expression string
	// Message is the human-readable reason reported when Expression fails.
	Message string
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuthorizationConfiguration provides versioned configuration for authorization.
type AuthorizationConfiguration struct {
	metav1.TypeMeta

	// Authorizers is an ordered list of authorizers to
	// authorize requests against.
	// This is similar to the --authorization-modes kube-apiserver flag
	// Must be at least one.
	// NOTE(review): this is the only field in the file carrying a json tag;
	// it is kept as-is because struct tags are part of the reflected interface.
	Authorizers []AuthorizerConfiguration `json:"authorizers"`
}

// Well-known values for AuthorizerConfiguration.Type, WebhookConfiguration.FailurePolicy
// and WebhookConnectionInfo.Type.
const (
	// TypeWebhook is the authorizer type handled by the generic API server.
	TypeWebhook AuthorizerType = "Webhook"
	// FailurePolicyNoOpinion: on webhook failure, fall through to the next authorizer (fail open at this stage).
	FailurePolicyNoOpinion string = "NoOpinion"
	// FailurePolicyDeny: on webhook failure, reject the request (fail closed).
	FailurePolicyDeny string = "Deny"
	// AuthorizationWebhookConnectionInfoTypeKubeConfigFile locates the webhook via a kubeconfig file.
	AuthorizationWebhookConnectionInfoTypeKubeConfigFile string = "KubeConfigFile"
	// AuthorizationWebhookConnectionInfoTypeInCluster uses the in-cluster config (not allowed for kube-apiserver).
	AuthorizationWebhookConnectionInfoTypeInCluster string = "InClusterConfig"
)

// AuthorizerType names the kind of authorizer an AuthorizerConfiguration describes.
type AuthorizerType string

// AuthorizerConfiguration configures a single entry in AuthorizationConfiguration.Authorizers.
type AuthorizerConfiguration struct {
	// Type refers to the type of the authorizer
	// "Webhook" is supported in the generic API server
	// Other API servers may support additional authorizer
	// types like Node, RBAC, ABAC, etc.
	Type AuthorizerType

	// Name used to describe the webhook
	// This is explicitly used in monitoring machinery for metrics
	// Note: Names must be DNS1123 labels like `myauthorizername` or
	// subdomains like `myauthorizer.example.domain`
	// Required, with no default
	Name string

	// Webhook defines the configuration for a Webhook authorizer
	// Must be defined when Type=Webhook
	Webhook *WebhookConfiguration
}

// WebhookConfiguration configures how a Webhook authorizer is called, how its
// answers are cached, and what happens when it cannot be reached.
type WebhookConfiguration struct {
	// The duration to cache 'authorized' responses from the webhook
	// authorizer.
	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
	// Default: 5m0s
	// Because an 'authorized' answer is reused for this long, a permission
	// revoked at the webhook keeps working until the cached entry expires;
	// size this window accordingly.
	AuthorizedTTL metav1.Duration
	// The duration to cache 'unauthorized' responses from the webhook
	// authorizer.
	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
	// Default: 30s
	UnauthorizedTTL metav1.Duration
	// Timeout for the webhook request
	// Maximum allowed value is 30s.
	// Required, no default value.
	// A timed-out request is handled according to FailurePolicy.
	Timeout metav1.Duration
	// The API version of the authorization.k8s.io SubjectAccessReview to
	// send to and expect from the webhook.
	// Same as setting `--authorization-webhook-version` flag
	// Valid values: v1beta1, v1
	// Required, no default value
	SubjectAccessReviewVersion string
	// MatchConditionSubjectAccessReviewVersion specifies the SubjectAccessReview
	// version the CEL expressions are evaluated against
	// Valid values: v1
	// Required, no default value
	MatchConditionSubjectAccessReviewVersion string
	// Controls the authorization decision when a webhook request fails to
	// complete or returns a malformed response or errors evaluating
	// matchConditions.
	// Valid values:
	//   - NoOpinion: continue to subsequent authorizers to see if one of
	//     them allows the request
	//   - Deny: reject the request without consulting subsequent authorizers
	// Required, with no default.
	// NoOpinion effectively fails open for this authorizer (a later authorizer
	// may still allow the request); Deny fails closed.
	FailurePolicy string

	// ConnectionInfo defines how we talk to the webhook
	ConnectionInfo WebhookConnectionInfo

	// matchConditions is a list of conditions that must be met for a request to be sent to this
	// webhook. An empty list of matchConditions matches all requests.
	// There are a maximum of 64 match conditions allowed.
	//
	// The exact matching logic is (in order):
	//   1. If at least one matchCondition evaluates to FALSE, then the webhook is skipped.
	//   2. If ALL matchConditions evaluate to TRUE, then the webhook is called.
	//   3. If at least one matchCondition evaluates to an error (but none are FALSE):
	//      - If failurePolicy=Deny, then the webhook rejects the request
	//      - If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
	MatchConditions []WebhookMatchCondition
}

// WebhookConnectionInfo describes where the authorization webhook lives and how to reach it.
type WebhookConnectionInfo struct {
	// Controls how the webhook should communicate with the server.
	// Valid values:
	//   - KubeConfigFile: use the file specified in kubeConfigFile to locate the
	//     server.
	//   - InClusterConfig: use the in-cluster configuration to call the
	//     SubjectAccessReview API hosted by kube-apiserver. This mode is not
	//     allowed for kube-apiserver.
	Type string

	// Path to KubeConfigFile for connection info
	// Required, if connectionInfo.Type is KubeConfigFile
	// The kubeconfig carries the credentials (and CA) used to talk to the webhook,
	// so the file should be readable only by the API server process.
	KubeConfigFile *string
}

// WebhookMatchCondition is a single CEL predicate in WebhookConfiguration.MatchConditions.
type WebhookMatchCondition struct {
	// expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
	// CEL expressions have access to the contents of the SubjectAccessReview in v1 version.
	// If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
	// the contents would be converted to the v1 version before evaluating the CEL expression.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	Expression string
}