146 lines
5.6 KiB
Go
146 lines
5.6 KiB
Go
/*
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package options
|
|
|
|
import (
|
|
"github.com/spf13/pflag"
|
|
"k8s.io/apiserver/pkg/util/feature"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
"k8s.io/apiserver/pkg/admission"
|
|
"k8s.io/apiserver/pkg/server"
|
|
"k8s.io/apiserver/pkg/storage/storagebackend"
|
|
"k8s.io/component-base/featuregate"
|
|
)
|
|
|
|
// RecommendedOptions contains the recommended options for running an API server.
|
|
// If you add something to this list, it should be in a logical grouping.
|
|
// Each of them can be nil to leave the feature unconfigured on ApplyTo.
|
|
type RecommendedOptions struct {
|
|
Etcd *EtcdOptions
|
|
SecureServing *SecureServingOptionsWithLoopback
|
|
Authentication *DelegatingAuthenticationOptions
|
|
Authorization *DelegatingAuthorizationOptions
|
|
Audit *AuditOptions
|
|
Features *FeatureOptions
|
|
CoreAPI *CoreAPIOptions
|
|
|
|
// FeatureGate is a way to plumb feature gate through if you have them.
|
|
FeatureGate featuregate.FeatureGate
|
|
// ExtraAdmissionInitializers is called once after all ApplyTo from the options above, to pass the returned
|
|
// admission plugin initializers to Admission.ApplyTo.
|
|
ExtraAdmissionInitializers func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error)
|
|
Admission *AdmissionOptions
|
|
// ProcessInfo is used to identify events created by the server.
|
|
ProcessInfo *ProcessInfo
|
|
Webhook *WebhookOptions
|
|
// API Server Egress Selector is used to control outbound traffic from the API Server
|
|
EgressSelector *EgressSelectorOptions
|
|
}
|
|
|
|
func NewRecommendedOptions(prefix string, codec runtime.Codec, processInfo *ProcessInfo) *RecommendedOptions {
|
|
sso := NewSecureServingOptions()
|
|
|
|
// We are composing recommended options for an aggregated api-server,
|
|
// whose client is typically a proxy multiplexing many operations ---
|
|
// notably including long-running ones --- into one HTTP/2 connection
|
|
// into this server. So allow many concurrent operations.
|
|
sso.HTTP2MaxStreamsPerConnection = 1000
|
|
|
|
return &RecommendedOptions{
|
|
Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
|
|
SecureServing: sso.WithLoopback(),
|
|
Authentication: NewDelegatingAuthenticationOptions(),
|
|
Authorization: NewDelegatingAuthorizationOptions(),
|
|
Audit: NewAuditOptions(),
|
|
Features: NewFeatureOptions(),
|
|
CoreAPI: NewCoreAPIOptions(),
|
|
// Wired a global by default that sadly people will abuse to have different meanings in different repos.
|
|
// Please consider creating your own FeatureGate so you can have a consistent meaning for what a variable contains
|
|
// across different repos. Future you will thank you.
|
|
FeatureGate: feature.DefaultFeatureGate,
|
|
ExtraAdmissionInitializers: func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) { return nil, nil },
|
|
Admission: NewAdmissionOptions(),
|
|
ProcessInfo: processInfo,
|
|
Webhook: NewWebhookOptions(),
|
|
EgressSelector: NewEgressSelectorOptions(),
|
|
}
|
|
}
|
|
|
|
func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet) {
|
|
o.Etcd.AddFlags(fs)
|
|
o.SecureServing.AddFlags(fs)
|
|
o.Authentication.AddFlags(fs)
|
|
o.Authorization.AddFlags(fs)
|
|
o.Audit.AddFlags(fs)
|
|
o.Features.AddFlags(fs)
|
|
o.CoreAPI.AddFlags(fs)
|
|
o.Admission.AddFlags(fs)
|
|
o.EgressSelector.AddFlags(fs)
|
|
}
|
|
|
|
// ApplyTo adds RecommendedOptions to the server configuration.
|
|
// pluginInitializers can be empty, it is only need for additional initializers.
|
|
func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig) error {
|
|
if err := o.Etcd.ApplyTo(&config.Config); err != nil {
|
|
return err
|
|
}
|
|
if err := o.SecureServing.ApplyTo(&config.Config.SecureServing, &config.Config.LoopbackClientConfig); err != nil {
|
|
return err
|
|
}
|
|
if err := o.Authentication.ApplyTo(&config.Config.Authentication, config.SecureServing, config.OpenAPIConfig); err != nil {
|
|
return err
|
|
}
|
|
if err := o.Authorization.ApplyTo(&config.Config.Authorization); err != nil {
|
|
return err
|
|
}
|
|
if err := o.Audit.ApplyTo(&config.Config, config.ClientConfig, config.SharedInformerFactory, o.ProcessInfo, o.Webhook); err != nil {
|
|
return err
|
|
}
|
|
if err := o.Features.ApplyTo(&config.Config); err != nil {
|
|
return err
|
|
}
|
|
if err := o.CoreAPI.ApplyTo(config); err != nil {
|
|
return err
|
|
}
|
|
if initializers, err := o.ExtraAdmissionInitializers(config); err != nil {
|
|
return err
|
|
} else if err := o.Admission.ApplyTo(&config.Config, config.SharedInformerFactory, config.ClientConfig, o.FeatureGate, initializers...); err != nil {
|
|
return err
|
|
}
|
|
if err := o.EgressSelector.ApplyTo(&config.Config); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (o *RecommendedOptions) Validate() []error {
|
|
errors := []error{}
|
|
errors = append(errors, o.Etcd.Validate()...)
|
|
errors = append(errors, o.SecureServing.Validate()...)
|
|
errors = append(errors, o.Authentication.Validate()...)
|
|
errors = append(errors, o.Authorization.Validate()...)
|
|
errors = append(errors, o.Audit.Validate()...)
|
|
errors = append(errors, o.Features.Validate()...)
|
|
errors = append(errors, o.CoreAPI.Validate()...)
|
|
errors = append(errors, o.Admission.Validate()...)
|
|
errors = append(errors, o.EgressSelector.Validate()...)
|
|
|
|
return errors
|
|
}
|