Matthias Andreas Benkard | 832a54e | 2019-01-29 09:27:38 +0100 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2017 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package v1beta1 |
| 18 | |
| 19 | import ( |
| 20 | authenticationv1 "k8s.io/api/authentication/v1" |
| 21 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 22 | "k8s.io/apimachinery/pkg/runtime" |
| 23 | "k8s.io/apimachinery/pkg/types" |
| 24 | ) |
| 25 | |
| 26 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 27 | |
// AdmissionReview describes an admission review request/response.
// The same type is used for both directions of the exchange. Request and
// Response are optional pointers, so either one can be nil after decoding and
// must be checked before it is dereferenced.
type AdmissionReview struct {
	metav1.TypeMeta `json:",inline"`
	// Request describes the attributes for the admission request.
	// +optional
	Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
	// Response describes the attributes for the admission response.
	// +optional
	Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
}
| 38 | |
// AdmissionRequest describes the admission.Attributes for the admission request.
type AdmissionRequest struct {
	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
	// otherwise identical (parallel requests, requests when earlier requests did not modify, etc.).
	// The UID is meant to track the round trip (request/response) between the KAS (kube-apiserver) and the WebHook,
	// not the user request.
	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
	// Kind is the type of object being manipulated. For example: Pod
	Kind metav1.GroupVersionKind `json:"kind" protobuf:"bytes,2,opt,name=kind"`
	// Resource is the name of the resource being requested. This is not the kind. For example: pods
	Resource metav1.GroupVersionResource `json:"resource" protobuf:"bytes,3,opt,name=resource"`
	// SubResource is the name of the subresource being requested. This is a different resource, scoped to the parent
	// resource, but it may have a different kind. For instance, /pods has the resource "pods" and the kind "Pod", while
	// /pods/foo/status has the resource "pods", the sub resource "status", and the kind "Pod" (because status operates on
	// pods). The binding resource for a pod though may be /pods/foo/binding, which has resource "pods", subresource
	// "binding", and kind "Binding".
	// A policy that matches on Resource alone therefore does not distinguish /pods from /pods/foo/status or
	// /pods/foo/binding; compare SubResource as well when that difference matters.
	// +optional
	SubResource string `json:"subResource,omitempty" protobuf:"bytes,4,opt,name=subResource"`
	// Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
	// rely on the server to generate the name. If that is the case, this field is the empty string, so a check keyed
	// on Name has to handle the empty value explicitly.
	// +optional
	Name string `json:"name,omitempty" protobuf:"bytes,5,opt,name=name"`
	// Namespace is the namespace associated with the request (if any).
	// +optional
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
	// Operation is the operation being performed
	Operation Operation `json:"operation" protobuf:"bytes,7,opt,name=operation"`
	// UserInfo is information about the requesting user
	// NOTE(review): presumably filled in by the apiserver from the authenticated request rather than taken from the
	// object body — confirm before basing policy decisions on it.
	UserInfo authenticationv1.UserInfo `json:"userInfo" protobuf:"bytes,8,opt,name=userInfo"`
	// Object is the object from the incoming request prior to default values being applied.
	// It is carried as a runtime.RawExtension, i.e. not yet decoded into a typed object.
	// NOTE(review): the content comes from the client's request, so a webhook should decode and validate it as
	// untrusted input; fields that defaulting would fill in are not set yet.
	// +optional
	Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,9,opt,name=object"`
	// OldObject is the existing object. Only populated for UPDATE requests, so it has to be treated as absent for
	// every other Operation.
	// +optional
	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
}
| 75 | |
// AdmissionResponse describes an admission response.
type AdmissionResponse struct {
	// UID is an identifier for the individual request/response.
	// This should be copied over from the corresponding AdmissionRequest.
	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`

	// Allowed indicates whether or not the admission request was permitted.
	// The JSON tag has no omitempty and the zero value of bool is false, so a response that never sets this field
	// is serialized as "allowed": false, i.e. a denial.
	Allowed bool `json:"allowed" protobuf:"varint,2,opt,name=allowed"`

	// Result contains extra details into why an admission request was denied.
	// This field IS NOT consulted in any way if "Allowed" is "true".
	// Note that the Go field is named Result but its JSON key is "status".
	// +optional
	Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`

	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
	// As a []byte it is base64-encoded when the response is marshalled with encoding/json.
	// NOTE(review): the patch changes the object that ends up admitted, so it deserves the same review and logging
	// as the allow/deny decision itself.
	// +optional
	Patch []byte `json:"patch,omitempty" protobuf:"bytes,4,opt,name=patch"`

	// The type of Patch. Currently we only allow "JSONPatch" (the PatchTypeJSONPatch constant).
	// NOTE(review): presumably has to be set whenever Patch is non-empty — confirm against the consumer.
	// +optional
	PatchType *PatchType `json:"patchType,omitempty" protobuf:"bytes,5,opt,name=patchType"`
}
| 98 | |
// PatchType is the type of patch being used to represent the mutated object
type PatchType string

// PatchType constants.
// PatchTypeJSONPatch is the only value defined in this file. Because PatchType is a plain string type, a decoded
// value is not restricted to it and has to be compared explicitly.
const (
	PatchTypeJSONPatch PatchType = "JSONPatch"
)
| 106 | |
// Operation is the type of resource operation being checked for admission control
type Operation string

// Operation constants
// The values are upper-case strings and Operation is a plain string type, so a decoded request may carry a value
// that matches none of these constants. A switch over Operation should have an explicit default branch rather than
// assuming one of the four cases always applies.
const (
	Create  Operation = "CREATE"
	Update  Operation = "UPDATE"
	Delete  Operation = "DELETE"
	Connect Operation = "CONNECT"
)