// Listing of k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/pkg/kubeapiserver/admission/exclusion/resources.go

/*
Copyright 2024 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package exclusion

import (
	"slices"

	"k8s.io/apimachinery/pkg/runtime/schema"
)

var (
	// included lists the resources that the expression-based admission
	// controllers (such as ValidatingAdmissionPolicy) should intercept.
	//
	// Entries carry no version: every version of a GroupResource is treated
	// the same way.
	//
	// A transient resource, i.e. one that is not persisted in storage, must
	// appear in either the included or the excluded list. The entries below are
	// such non-persisted requests (exec/attach/portforward sessions, bindings,
	// evictions, service account token requests) that policies are allowed to
	// match even though nothing is written to storage.
	//
	// NOTE(review): nothing in this file enforces the "one list or the other"
	// rule; presumably a test elsewhere checks it. Confirm before relying on it.
	included = []schema.GroupResource{
		{Group: "", Resource: "bindings"},
		{Group: "", Resource: "pods/attach"},
		{Group: "", Resource: "pods/binding"},
		{Group: "", Resource: "pods/eviction"},
		{Group: "", Resource: "pods/exec"},
		{Group: "", Resource: "pods/portforward"},

		// ref: https://github.com/kubernetes/kubernetes/issues/122205#issuecomment-1927390823
		{Group: "", Resource: "serviceaccounts/token"},
	}

	// excluded lists the resources that the expression-based admission
	// controllers should ignore.
	//
	// Entries carry no version: every version of a GroupResource is treated
	// the same way.
	//
	// Practical consequence for policy authors: a policy that names one of
	// these resources is not expected to be evaluated for it, so access to the
	// review APIs below has to be constrained by other means such as RBAC.
	excluded = []schema.GroupResource{
		// BEGIN interception of these non-persisted resources may break the cluster
		{Group: "authentication.k8s.io", Resource: "selfsubjectreviews"},
		{Group: "authentication.k8s.io", Resource: "tokenreviews"},
		{Group: "authorization.k8s.io", Resource: "localsubjectaccessreviews"},
		{Group: "authorization.k8s.io", Resource: "selfsubjectaccessreviews"},
		{Group: "authorization.k8s.io", Resource: "selfsubjectrulesreviews"},
		{Group: "authorization.k8s.io", Resource: "subjectaccessreviews"},
		// END interception of these non-persisted resources may break the cluster
	}
)

// Included returns a copy of the list of resources that the expression-based
// admission controllers should intercept.
//
// A fresh slice is handed out on every call, so a caller that appends to or
// overwrites the result cannot alter the package-level list.
func Included() []schema.GroupResource {
	out := slices.Clone(included)
	return out
}

// Excluded returns a copy of the list of resources that the expression-based
// admission controllers should ignore.
//
// A fresh slice is handed out on every call, so a caller that appends to or
// overwrites the result cannot alter the package-level list.
func Excluded() []schema.GroupResource {
	out := slices.Clone(excluded)
	return out
}