[zh-cn]sync extend-resources/mutating-webhook-configuration-v1.md (#41121)
Signed-off-by: xin.li <xin.li@daocloud.io>
This commit is contained in:
my-git9
GitHub
parent
c018463d50
commit
8d4d81eaa9
|
|
@ -234,6 +234,115 @@ MutatingWebhookConfiguration 描述准入 Webhook 的配置,该 Webhook 可接
|
|||
|
||||
failurePolicy 定义如何处理来自准入端点的无法识别的错误 - 允许的值是 Ignore 或 Fail。默认为 Fail。
|
||||
|
||||
<!--
|
||||
- **webhooks.matchConditions** ([]MatchCondition)
|
||||
|
||||
*Patch strategy: merge on key `name`*
|
||||
|
||||
*Map: unique values on key name will be kept during a merge*
|
||||
-->
|
||||
|
||||
- **webhooks.matchConditions** ([]MatchCondition)
|
||||
|
||||
**补丁策略:根据 `name` 键执行合并操作**
|
||||
|
||||
**映射:键 `name` 的唯一值将在合并过程中保留**
|
||||
|
||||
<!--
|
||||
MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
|
||||
-->
|
||||
|
||||
matchConditions 是将请求发送到此 webhook 之前必须满足的条件列表。
|
||||
匹配条件过滤已经被 rules、namespaceSelector、objectSelector 匹配的请求。
|
||||
matchConditions 取值为空列表时匹配所有请求。最多允许 64 个匹配条件。
|
||||
|
||||
<!--
|
||||
The exact matching logic is (in order):
|
||||
1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
|
||||
2. If ALL matchConditions evaluate to TRUE, the webhook is called.
|
||||
3. If any matchCondition evaluates to an error (but none are FALSE):
|
||||
- If failurePolicy=Fail, reject the request
|
||||
- If failurePolicy=Ignore, the error is ignored and the webhook is skipped
|
||||
-->
|
||||
|
||||
精确匹配逻辑是(按顺序):
|
||||
1. 如果任一 matchCondition 的计算结果为 FALSE,则跳过该 webhook。
|
||||
2. 如果所有 matchConditions 的计算结果为 TRUE,则调用该 webhook。
|
||||
3. 如果任一 matchCondition 的计算结果为错误(但都不是 FALSE):
|
||||
- 如果 failurePolicy=Fail,拒绝该请求;
|
||||
- 如果 failurePolicy=Ignore,忽略错误并跳过该 webhook。
|
||||
|
||||
<!--
|
||||
This is an alpha feature and managed by the AdmissionWebhookMatchConditions feature gate.
|
||||
|
||||
<a name="MatchCondition"></a>
|
||||
*MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.*
|
||||
-->
|
||||
|
||||
这是一个 Alpha 功能特性,由 AdmissionWebhookMatchConditions 特性门控管理。
|
||||
|
||||
<a name="MatchCondition"></a>
|
||||
**MatchCondition 表示将请求发送到 Webhook 之前必须满足的条件。**
|
||||
|
||||
<!--
|
||||
- **webhooks.matchConditions.expression** (string), required
|
||||
|
||||
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
||||
-->
|
||||
|
||||
- **webhooks.matchConditions.expression** (string), 必需
|
||||
|
||||
expression 表示将由 CEL 求值的表达式。求值结果必须是 bool 值。CEL 表达式可以访问
|
||||
以 CEL 变量的形式给出的 AdmissionRequest 和 Authorizer 的内容:
|
||||
|
||||
<!--
|
||||
'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
||||
-->
|
||||
|
||||
- 'object' - 来自传入请求的对象。对于 DELETE 请求,该值为 null。
|
||||
- 'oldObject' - 现有对象。对于 CREATE 请求,该值为 null。
|
||||
- 'request' - 准入请求的属性(/pkg/apis/admission/types.go#AdmissionRequest)。
|
||||
- 'authorizer' - CEL 授权者。可用于对请求的主体(用户或服务帐户)执行授权检查。
|
||||
|
||||
<!--
|
||||
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
-->
|
||||
|
||||
参阅: https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
||||
<!--
|
||||
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
||||
request resource.
|
||||
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||
|
||||
Required.
|
||||
-->
|
||||
|
||||
- 'authorizer.requestResource' - CEL ResourceCheck 从"授权方"构建并配置请求资源。
|
||||
|
||||
CEL 文档: https://kubernetes.io/zh-cn/docs/reference/using-api/cel/
|
||||
|
||||
此字段为必需字段。
|
||||
|
||||
<!--
|
||||
- **webhooks.matchConditions.name** (string), required
|
||||
|
||||
Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||
|
||||
Required.
|
||||
-->
|
||||
|
||||
- **webhooks.matchConditions.name** (string), 必需
|
||||
|
||||
name 是此匹配条件的标识符,用于 MatchConditions 的策略性合并,
|
||||
以及提供用于日志目的的标识符。一个好的 name 应该是对相关表达式的描述。
|
||||
name 必须是由字母数字字符 `-`、`_` 或 `.` 组成的限定名称,
|
||||
并且必须以字母、数字字符开头和结尾(例如 `MyName`、`my.name` 或 `123-abc`,
|
||||
用于验证 name 的正则表达式是 `([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]`)。
|
||||
带有可选的 DNS 子域前缀和 `/`(例如 `example.com/MyName`)
|
||||
|
||||
此字段为必需字段。
|
||||
|
||||
<!--
|
||||
- **webhooks.matchPolicy** (string)
|
||||
|
||||
|
|
@ -661,6 +770,15 @@ GET /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations
|
|||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
|
||||
|
||||
<!--
|
||||
- **sendInitialEvents** (*in query*): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
-->
|
||||
- **sendInitialEvents** (**查询参数**): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
|
||||
<!--
|
||||
- **timeoutSeconds** (*in query*): integer
|
||||
|
||||
|
|
@ -1131,6 +1249,15 @@ DELETE /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations
|
|||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
|
||||
|
||||
<!--
|
||||
- **sendInitialEvents** (*in query*): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
-->
|
||||
- **sendInitialEvents** (**查询参数**): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
|
||||
<!--
|
||||
- **timeoutSeconds** (*in query*): integer
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue