From 359c6e262371d6699b45c6b5c37378035e4a683b Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Tue, 10 Nov 2020 13:44:06 -0500 Subject: [PATCH] kubelet: add CredentialProviderConfig API Signed-off-by: Andrew Sy Kim --- api/api-rules/violation_exceptions.list | 4 + build/kazel_generated.bzl | 2 + pkg/kubelet/apis/config/BUILD | 1 + pkg/kubelet/apis/config/register.go | 1 + pkg/kubelet/apis/config/types.go | 75 +++++++++ pkg/kubelet/apis/config/v1alpha1/BUILD | 36 +++++ pkg/kubelet/apis/config/v1alpha1/doc.go | 24 +++ pkg/kubelet/apis/config/v1alpha1/register.go | 36 +++++ .../v1alpha1/zz_generated.conversion.go | 143 ++++++++++++++++++ .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++ .../config/v1alpha1/zz_generated.defaults.go | 32 ++++ .../apis/config/zz_generated.deepcopy.go | 85 +++++++++++ staging/src/k8s.io/kubelet/BUILD | 1 + .../src/k8s.io/kubelet/config/v1alpha1/BUILD | 33 ++++ .../src/k8s.io/kubelet/config/v1alpha1/doc.go | 21 +++ .../kubelet/config/v1alpha1/register.go | 43 ++++++ .../k8s.io/kubelet/config/v1alpha1/types.go | 96 ++++++++++++ .../config/v1alpha1/zz_generated.deepcopy.go | 110 ++++++++++++++ vendor/modules.txt | 1 + 19 files changed, 765 insertions(+) create mode 100644 pkg/kubelet/apis/config/v1alpha1/BUILD create mode 100644 pkg/kubelet/apis/config/v1alpha1/doc.go create mode 100644 pkg/kubelet/apis/config/v1alpha1/register.go create mode 100644 pkg/kubelet/apis/config/v1alpha1/zz_generated.conversion.go create mode 100644 pkg/kubelet/apis/config/v1alpha1/zz_generated.deepcopy.go create mode 100644 pkg/kubelet/apis/config/v1alpha1/zz_generated.defaults.go create mode 100644 staging/src/k8s.io/kubelet/config/v1alpha1/BUILD create mode 100644 staging/src/k8s.io/kubelet/config/v1alpha1/doc.go create mode 100644 staging/src/k8s.io/kubelet/config/v1alpha1/register.go create mode 100644 staging/src/k8s.io/kubelet/config/v1alpha1/types.go create mode 100644 staging/src/k8s.io/kubelet/config/v1alpha1/zz_generated.deepcopy.go 
diff --git a/api/api-rules/violation_exceptions.list b/api/api-rules/violation_exceptions.list index 2a66aff049d..e8711528271 100644 --- a/api/api-rules/violation_exceptions.list +++ b/api/api-rules/violation_exceptions.list @@ -385,6 +385,10 @@ API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1,Policy,Pri API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1,RequestedToCapacityRatioArguments,Resources API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1,RequestedToCapacityRatioArguments,Shape API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1,ServiceAffinity,Labels +API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,Args +API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,Env +API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,MatchImages +API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProviderConfig,Providers API rule violation: list_type_missing,k8s.io/kubelet/config/v1beta1,KubeletConfiguration,AllowedUnsafeSysctls API rule violation: list_type_missing,k8s.io/kubelet/config/v1beta1,KubeletConfiguration,ClusterDNS API rule violation: list_type_missing,k8s.io/kubelet/config/v1beta1,KubeletConfiguration,EnforceNodeAllocatable diff --git a/build/kazel_generated.bzl b/build/kazel_generated.bzl index 2414ce7c651..504ec608ea8 100644 --- a/build/kazel_generated.bzl +++ b/build/kazel_generated.bzl @@ -101,6 +101,7 @@ tags_values_pkgs = {"openapi-gen": { "staging/src/k8s.io/kube-proxy/config/v1alpha1", "staging/src/k8s.io/kube-scheduler/config/v1", "staging/src/k8s.io/kube-scheduler/config/v1beta1", + "staging/src/k8s.io/kubelet/config/v1alpha1", "staging/src/k8s.io/kubelet/config/v1beta1", "staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1", "staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2", 
@@ -188,6 +189,7 @@ tags_pkgs_values = {"openapi-gen": { "staging/src/k8s.io/kube-proxy/config/v1alpha1": ["true"], "staging/src/k8s.io/kube-scheduler/config/v1": ["true"], "staging/src/k8s.io/kube-scheduler/config/v1beta1": ["true"], + "staging/src/k8s.io/kubelet/config/v1alpha1": ["true"], "staging/src/k8s.io/kubelet/config/v1beta1": ["true"], "staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1": ["true"], "staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2": ["true"], diff --git a/pkg/kubelet/apis/config/BUILD b/pkg/kubelet/apis/config/BUILD index 53d67a8ee21..6ad87d3a15b 100644 --- a/pkg/kubelet/apis/config/BUILD +++ b/pkg/kubelet/apis/config/BUILD @@ -38,6 +38,7 @@ filegroup( ":package-srcs", "//pkg/kubelet/apis/config/fuzzer:all-srcs", "//pkg/kubelet/apis/config/scheme:all-srcs", + "//pkg/kubelet/apis/config/v1alpha1:all-srcs", "//pkg/kubelet/apis/config/v1beta1:all-srcs", "//pkg/kubelet/apis/config/validation:all-srcs", ], diff --git a/pkg/kubelet/apis/config/register.go b/pkg/kubelet/apis/config/register.go index cbebd990ab9..d13cc6bdb63 100644 --- a/pkg/kubelet/apis/config/register.go +++ b/pkg/kubelet/apis/config/register.go @@ -39,6 +39,7 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &KubeletConfiguration{}, &SerializedNodeConfigSource{}, + &CredentialProviderConfig{}, ) return nil } diff --git a/pkg/kubelet/apis/config/types.go b/pkg/kubelet/apis/config/types.go index a7e2d5e1b23..c7e5057257e 100644 --- a/pkg/kubelet/apis/config/types.go +++ b/pkg/kubelet/apis/config/types.go 
@@ -440,3 +440,78 @@ type SerializedNodeConfigSource struct { // +optional Source v1.NodeConfigSource } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CredentialProviderConfig is the configuration containing information about +// each exec credential provider. Kubelet reads this configuration from disk and enables +// each provider as specified by the CredentialProvider type. +type CredentialProviderConfig struct { + metav1.TypeMeta + + // providers is a list of credential provider plugins that will be enabled by the kubelet. + // Multiple providers may match against a single image, in which case credentials + // from all providers will be returned to the kubelet. If multiple providers are called + // for a single image, the results are combined. If providers return overlapping + // auth keys, the value from the provider earlier in this list is used. + Providers []CredentialProvider +} + +// CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only +// invoked when an image being pulled matches the images handled by the plugin (see matchImages). +type CredentialProvider struct { + // name is the required name of the credential provider. It must match the name of the + // provider executable as seen by the kubelet. The executable must be in the kubelet's + // bin directory (set by the --credential-provider-bin-dir flag). + Name string + + // matchImages is a required list of strings used to match against images in order to + // determine if this provider should be invoked. If one of the strings matches the + // requested image from the kubelet, the plugin will be invoked and given a chance + // to provide credentials. Images are expected to contain the registry domain + // and URL path. + // + // Each entry in matchImages is a pattern which can optionally contain a port and a path. + // Globs can be used in the domain, but not in the port or the path. 
Globs are supported + // as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. + // Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match + // a single subdomain segment, so *.io does not match *.k8s.io. + // + // A match exists between an image and a matchImage when all of the below are true: + // - Both contain the same number of domain parts and each part matches. + // - The URL path of an imageMatch must be a prefix of the target image URL path. + // - If the imageMatch contains a port, then the port must match in the image as well. + // + // Example values of matchImages: + // - 123456789.dkr.ecr.us-east-1.amazonaws.com + // - *.azurecr.io + // - gcr.io + // - *.*.registry.io + // - registry.io:8080/path + MatchImages []string + + // defaultCacheDuration is the default duration the plugin will cache credentials in-memory + // if a cache duration is not provided in the plugin response. This field is required. + DefaultCacheDuration *metav1.Duration + + // Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse + // MUST use the same encoding version as the input. + APIVersion string + + // Arguments to pass to the command when executing it. + // +optional + Args []string + + // Env defines additional environment variables to expose to the process. These + // are unioned with the host's environment, as well as variables client-go uses + // to pass argument to the plugin. + // +optional + Env []ExecEnvVar +} + +// ExecEnvVar is used for setting environment variables when executing an exec-based +// credential plugin. +type ExecEnvVar struct { + Name string + Value string +} diff --git a/pkg/kubelet/apis/config/v1alpha1/BUILD b/pkg/kubelet/apis/config/v1alpha1/BUILD new file mode 100644 index 00000000000..aa8a4973438 --- /dev/null +++ b/pkg/kubelet/apis/config/v1alpha1/BUILD 
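Review bot: The field comment for `Name` in the internal `CredentialProvider` names the flag as `--credential-provider-bin-dir`, while the same comment on the external `k8s.io/kubelet/config/v1alpha1` type (the staging types.go hunk of this patch) says `--image-credential-provider-bin-dir`; one of the two is stale and the internal copy should match whichever flag the kubelet actually registers, e.g. `// bin directory (set by the --image-credential-provider-bin-dir flag).`. The `Env` comment also says the variables are unioned with those "client-go uses to pass argument to the plugin", which reads as copied from client-go's exec credential config; here the kubelet is the invoker, so presumably the sentence should name the kubelet (verify against the plugin runner, which is not in this patch). `DefaultCacheDuration` is documented as "required" but is a pointer with nothing in this patch enforcing it, so the comment should say where that requirement is checked, or a validation change should follow.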
@@ -0,0 +1,36 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "go_default_library", + srcs = [ + "doc.go", + "register.go", + "zz_generated.conversion.go", + "zz_generated.deepcopy.go", + "zz_generated.defaults.go", + ], + importpath = "k8s.io/kubernetes/pkg/kubelet/apis/config/v1alpha1", + visibility = ["//visibility:public"], + deps = [ + "//pkg/kubelet/apis/config:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/conversion:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", + "//staging/src/k8s.io/kubelet/config/v1alpha1:go_default_library", + ], +) + +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [":package-srcs"], + tags = ["automanaged"], + visibility = ["//visibility:public"], +) diff --git a/pkg/kubelet/apis/config/v1alpha1/doc.go b/pkg/kubelet/apis/config/v1alpha1/doc.go new file mode 100644 index 00000000000..84ed2ea1220 --- /dev/null +++ b/pkg/kubelet/apis/config/v1alpha1/doc.go 
@@ -0,0 +1,24 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=k8s.io/kubernetes/pkg/kubelet/apis/config +// +k8s:conversion-gen-external-types=k8s.io/kubelet/config/v1alpha1 +// +k8s:defaulter-gen=TypeMeta +// +k8s:defaulter-gen-input=../../../../../vendor/k8s.io/kubelet/config/v1alpha1 +// +groupName=kubelet.config.k8s.io + +package v1alpha1 // import "k8s.io/kubernetes/pkg/kubelet/apis/config/v1alpha1" diff --git a/pkg/kubelet/apis/config/v1alpha1/register.go b/pkg/kubelet/apis/config/v1alpha1/register.go new file mode 100644 index 00000000000..c673b524511 --- /dev/null +++ b/pkg/kubelet/apis/config/v1alpha1/register.go 
@@ -0,0 +1,36 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ kubeletconfigv1alpha1 "k8s.io/kubelet/config/v1alpha1"
+)
+
+// GroupName is the group name used in this package
+const GroupName = "kubelet.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ // localSchemeBuilder extends the SchemeBuilder instance with the external types. In this package,
+ // defaulting and conversion init funcs are registered as well.
+ localSchemeBuilder = &kubeletconfigv1alpha1.SchemeBuilder
+ // AddToScheme is a global function that registers this API group & version to a scheme
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
diff --git a/pkg/kubelet/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/kubelet/apis/config/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 00000000000..b1be1643e13
--- /dev/null
+++ b/pkg/kubelet/apis/config/v1alpha1/zz_generated.conversion.go
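Review bot: The comment on `localSchemeBuilder` says defaulting and conversion init funcs are registered in this package, but only the conversion side is: `zz_generated.conversion.go` registers `RegisterConversions` from its `init()`, whereas `RegisterDefaults` in `zz_generated.defaults.go` is never registered and this file has no `init()` at all. It is harmless today because `RegisterDefaults` is a no-op, but the first real defaulter added to the external types would silently never run when this scheme is built. Either register it here, `func init() { localSchemeBuilder.Register(RegisterDefaults) }`, or trim the comment to `// In this package, conversion init funcs are registered as well.` so it does not promise defaulting that is not wired up.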
@@ -0,0 +1,143 @@ +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + unsafe "unsafe" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" + v1alpha1 "k8s.io/kubelet/config/v1alpha1" + config "k8s.io/kubernetes/pkg/kubelet/apis/config" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. 
+func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*v1alpha1.CredentialProvider)(nil), (*config.CredentialProvider)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_CredentialProvider_To_config_CredentialProvider(a.(*v1alpha1.CredentialProvider), b.(*config.CredentialProvider), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.CredentialProvider)(nil), (*v1alpha1.CredentialProvider)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_CredentialProvider_To_v1alpha1_CredentialProvider(a.(*config.CredentialProvider), b.(*v1alpha1.CredentialProvider), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1alpha1.CredentialProviderConfig)(nil), (*config.CredentialProviderConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_CredentialProviderConfig_To_config_CredentialProviderConfig(a.(*v1alpha1.CredentialProviderConfig), b.(*config.CredentialProviderConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.CredentialProviderConfig)(nil), (*v1alpha1.CredentialProviderConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_CredentialProviderConfig_To_v1alpha1_CredentialProviderConfig(a.(*config.CredentialProviderConfig), b.(*v1alpha1.CredentialProviderConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1alpha1.ExecEnvVar)(nil), (*config.ExecEnvVar)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_ExecEnvVar_To_config_ExecEnvVar(a.(*v1alpha1.ExecEnvVar), b.(*config.ExecEnvVar), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.ExecEnvVar)(nil), (*v1alpha1.ExecEnvVar)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_config_ExecEnvVar_To_v1alpha1_ExecEnvVar(a.(*config.ExecEnvVar), b.(*v1alpha1.ExecEnvVar), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_CredentialProvider_To_config_CredentialProvider(in *v1alpha1.CredentialProvider, out *config.CredentialProvider, s conversion.Scope) error { + out.Name = in.Name + out.MatchImages = *(*[]string)(unsafe.Pointer(&in.MatchImages)) + out.DefaultCacheDuration = (*v1.Duration)(unsafe.Pointer(in.DefaultCacheDuration)) + out.APIVersion = in.APIVersion + out.Args = *(*[]string)(unsafe.Pointer(&in.Args)) + out.Env = *(*[]config.ExecEnvVar)(unsafe.Pointer(&in.Env)) + return nil +} + +// Convert_v1alpha1_CredentialProvider_To_config_CredentialProvider is an autogenerated conversion function. +func Convert_v1alpha1_CredentialProvider_To_config_CredentialProvider(in *v1alpha1.CredentialProvider, out *config.CredentialProvider, s conversion.Scope) error { + return autoConvert_v1alpha1_CredentialProvider_To_config_CredentialProvider(in, out, s) +} + +func autoConvert_config_CredentialProvider_To_v1alpha1_CredentialProvider(in *config.CredentialProvider, out *v1alpha1.CredentialProvider, s conversion.Scope) error { + out.Name = in.Name + out.MatchImages = *(*[]string)(unsafe.Pointer(&in.MatchImages)) + out.DefaultCacheDuration = (*v1.Duration)(unsafe.Pointer(in.DefaultCacheDuration)) + out.APIVersion = in.APIVersion + out.Args = *(*[]string)(unsafe.Pointer(&in.Args)) + out.Env = *(*[]v1alpha1.ExecEnvVar)(unsafe.Pointer(&in.Env)) + return nil +} + +// Convert_config_CredentialProvider_To_v1alpha1_CredentialProvider is an autogenerated conversion function. 
+func Convert_config_CredentialProvider_To_v1alpha1_CredentialProvider(in *config.CredentialProvider, out *v1alpha1.CredentialProvider, s conversion.Scope) error { + return autoConvert_config_CredentialProvider_To_v1alpha1_CredentialProvider(in, out, s) +} + +func autoConvert_v1alpha1_CredentialProviderConfig_To_config_CredentialProviderConfig(in *v1alpha1.CredentialProviderConfig, out *config.CredentialProviderConfig, s conversion.Scope) error { + out.Providers = *(*[]config.CredentialProvider)(unsafe.Pointer(&in.Providers)) + return nil +} + +// Convert_v1alpha1_CredentialProviderConfig_To_config_CredentialProviderConfig is an autogenerated conversion function. +func Convert_v1alpha1_CredentialProviderConfig_To_config_CredentialProviderConfig(in *v1alpha1.CredentialProviderConfig, out *config.CredentialProviderConfig, s conversion.Scope) error { + return autoConvert_v1alpha1_CredentialProviderConfig_To_config_CredentialProviderConfig(in, out, s) +} + +func autoConvert_config_CredentialProviderConfig_To_v1alpha1_CredentialProviderConfig(in *config.CredentialProviderConfig, out *v1alpha1.CredentialProviderConfig, s conversion.Scope) error { + out.Providers = *(*[]v1alpha1.CredentialProvider)(unsafe.Pointer(&in.Providers)) + return nil +} + +// Convert_config_CredentialProviderConfig_To_v1alpha1_CredentialProviderConfig is an autogenerated conversion function. +func Convert_config_CredentialProviderConfig_To_v1alpha1_CredentialProviderConfig(in *config.CredentialProviderConfig, out *v1alpha1.CredentialProviderConfig, s conversion.Scope) error { + return autoConvert_config_CredentialProviderConfig_To_v1alpha1_CredentialProviderConfig(in, out, s) +} + +func autoConvert_v1alpha1_ExecEnvVar_To_config_ExecEnvVar(in *v1alpha1.ExecEnvVar, out *config.ExecEnvVar, s conversion.Scope) error { + out.Name = in.Name + out.Value = in.Value + return nil +} + +// Convert_v1alpha1_ExecEnvVar_To_config_ExecEnvVar is an autogenerated conversion function. 
+func Convert_v1alpha1_ExecEnvVar_To_config_ExecEnvVar(in *v1alpha1.ExecEnvVar, out *config.ExecEnvVar, s conversion.Scope) error { + return autoConvert_v1alpha1_ExecEnvVar_To_config_ExecEnvVar(in, out, s) +} + +func autoConvert_config_ExecEnvVar_To_v1alpha1_ExecEnvVar(in *config.ExecEnvVar, out *v1alpha1.ExecEnvVar, s conversion.Scope) error { + out.Name = in.Name + out.Value = in.Value + return nil +} + +// Convert_config_ExecEnvVar_To_v1alpha1_ExecEnvVar is an autogenerated conversion function. +func Convert_config_ExecEnvVar_To_v1alpha1_ExecEnvVar(in *config.ExecEnvVar, out *v1alpha1.ExecEnvVar, s conversion.Scope) error { + return autoConvert_config_ExecEnvVar_To_v1alpha1_ExecEnvVar(in, out, s) +} diff --git a/pkg/kubelet/apis/config/v1alpha1/zz_generated.deepcopy.go b/pkg/kubelet/apis/config/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000000..0ec19467c40 --- /dev/null +++ b/pkg/kubelet/apis/config/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,21 @@ +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 diff --git a/pkg/kubelet/apis/config/v1alpha1/zz_generated.defaults.go b/pkg/kubelet/apis/config/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000000..dd621a3acda --- /dev/null +++ b/pkg/kubelet/apis/config/v1alpha1/zz_generated.defaults.go 
@@ -0,0 +1,32 @@ +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/pkg/kubelet/apis/config/zz_generated.deepcopy.go b/pkg/kubelet/apis/config/zz_generated.deepcopy.go index 87b3969325c..b54cad7e5e3 100644 --- a/pkg/kubelet/apis/config/zz_generated.deepcopy.go +++ b/pkg/kubelet/apis/config/zz_generated.deepcopy.go 
@@ -21,9 +21,94 @@ limitations under the License. package config import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProvider) DeepCopyInto(out *CredentialProvider) { + *out = *in + if in.MatchImages != nil { + in, out := &in.MatchImages, &out.MatchImages + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DefaultCacheDuration != nil { + in, out := &in.DefaultCacheDuration, &out.DefaultCacheDuration + *out = new(v1.Duration) + **out = **in + } + if in.Args != nil { + in, out := &in.Args, &out.Args + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Env != nil { + in, out := &in.Env, &out.Env + *out = make([]ExecEnvVar, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProvider. +func (in *CredentialProvider) DeepCopy() *CredentialProvider { + if in == nil { + return nil + } + out := new(CredentialProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProviderConfig) DeepCopyInto(out *CredentialProviderConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.Providers != nil { + in, out := &in.Providers, &out.Providers + *out = make([]CredentialProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderConfig. 
+func (in *CredentialProviderConfig) DeepCopy() *CredentialProviderConfig { + if in == nil { + return nil + } + out := new(CredentialProviderConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CredentialProviderConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExecEnvVar) DeepCopyInto(out *ExecEnvVar) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecEnvVar. +func (in *ExecEnvVar) DeepCopy() *ExecEnvVar { + if in == nil { + return nil + } + out := new(ExecEnvVar) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeletAnonymousAuthentication) DeepCopyInto(out *KubeletAnonymousAuthentication) { *out = *in diff --git a/staging/src/k8s.io/kubelet/BUILD b/staging/src/k8s.io/kubelet/BUILD index 3cabbc615f7..e84c3d6bac7 100644 --- a/staging/src/k8s.io/kubelet/BUILD +++ b/staging/src/k8s.io/kubelet/BUILD @@ -9,6 +9,7 @@ filegroup( name = "all-srcs", srcs = [ ":package-srcs", + "//staging/src/k8s.io/kubelet/config/v1alpha1:all-srcs", "//staging/src/k8s.io/kubelet/config/v1beta1:all-srcs", "//staging/src/k8s.io/kubelet/pkg/apis/deviceplugin/v1alpha:all-srcs", "//staging/src/k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1:all-srcs", diff --git a/staging/src/k8s.io/kubelet/config/v1alpha1/BUILD b/staging/src/k8s.io/kubelet/config/v1alpha1/BUILD new file mode 100644 index 00000000000..8a0db88e5a8 --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1alpha1/BUILD 
@@ -0,0 +1,33 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "go_default_library", + srcs = [ + "doc.go", + "register.go", + "types.go", + "zz_generated.deepcopy.go", + ], + importmap = "k8s.io/kubernetes/vendor/k8s.io/kubelet/config/v1alpha1", + importpath = "k8s.io/kubelet/config/v1alpha1", + visibility = ["//visibility:public"], + deps = [ + "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", + ], +) + +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [":package-srcs"], + tags = ["automanaged"], + visibility = ["//visibility:public"], +) diff --git a/staging/src/k8s.io/kubelet/config/v1alpha1/doc.go b/staging/src/k8s.io/kubelet/config/v1alpha1/doc.go new file mode 100644 index 00000000000..0c2d9f1a247 --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1alpha1/doc.go @@ -0,0 +1,21 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +k8s:openapi-gen=true +// +groupName=kubelet.config.k8s.io + +package v1alpha1 // import "k8s.io/kubelet/config/v1alpha1" 
diff --git a/staging/src/k8s.io/kubelet/config/v1alpha1/register.go b/staging/src/k8s.io/kubelet/config/v1alpha1/register.go
new file mode 100644
index 00000000000..b12ce03ec03
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/config/v1alpha1/register.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name used in this package
+const GroupName = "kubelet.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+var (
+ // SchemeBuilder is the scheme builder with scheme init functions to run for this API package
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ // AddToScheme is a global function that registers this API group & version to a scheme
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// addKnownTypes registers known types to the given scheme
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &CredentialProviderConfig{},
+ )
+ return nil
+}
diff --git a/staging/src/k8s.io/kubelet/config/v1alpha1/types.go b/staging/src/k8s.io/kubelet/config/v1alpha1/types.go
new file mode 100644
index 00000000000..d9b2f67efc1
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/config/v1alpha1/types.go
@@ -0,0 +1,96 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CredentialProviderConfig is the configuration containing information about
+// each exec credential provider. Kubelet reads this configuration from disk and enables
+// each provider as specified by the CredentialProvider type.
+type CredentialProviderConfig struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // providers is a list of credential provider plugins that will be enabled by the kubelet.
+ // Multiple providers may match against a single image, in which case credentials
+ // from all providers will be returned to the kubelet. If multiple providers are called
+ // for a single image, the results are combined. If providers return overlapping
+ // auth keys, the value from the provider earlier in this list is used.
+ Providers []CredentialProvider `json:"providers"`
+}
+
+// CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only
+// invoked when an image being pulled matches the images handled by the plugin (see matchImages).
+type CredentialProvider struct {
+ // name is the required name of the credential provider. It must match the name of the
+ // provider executable as seen by the kubelet. The executable must be in the kubelet's
+ // bin directory (set by the --image-credential-provider-bin-dir flag).
+ Name string `json:"name"`
+
+ // matchImages is a required list of strings used to match against images in order to
+ // determine if this provider should be invoked. If one of the strings matches the
+ // requested image from the kubelet, the plugin will be invoked and given a chance
+ // to provide credentials. Images are expected to contain the registry domain
+ // and URL path.
+ //
+ // Each entry in matchImages is a pattern which can optionally contain a port and a path.
+ // Globs can be used in the domain, but not in the port or the path. Globs are supported
+ // as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
+ // Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match
+ // a single subdomain segment, so *.io does not match *.k8s.io.
+ //
+ // A match exists between an image and a matchImage when all of the below are true:
+ // - Both contain the same number of domain parts and each part matches.
+ // - The URL path of an imageMatch must be a prefix of the target image URL path.
+ // - If the imageMatch contains a port, then the port must match in the image as well.
+ //
+ // Example values of matchImages:
+ // - 123456789.dkr.ecr.us-east-1.amazonaws.com
+ // - *.azurecr.io
+ // - gcr.io
+ // - *.*.registry.io
+ // - registry.io:8080/path
+ MatchImages []string `json:"matchImages"`
+
+ // defaultCacheDuration is the default duration the plugin will cache credentials in-memory
+ // if a cache duration is not provided in the plugin response. This field is required.
+ DefaultCacheDuration *metav1.Duration `json:"defaultCacheDuration"`
+
+ // Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse
+ // MUST use the same encoding version as the input.
+ APIVersion string `json:"apiVersion"`
+
+ // Arguments to pass to the command when executing it.
+ // +optional
+ Args []string `json:"args,omitempty"`
+
+ // Env defines additional environment variables to expose to the process. These
+ // are unioned with the host's environment, as well as variables client-go uses
+ // to pass argument to the plugin.
+ // +optional
+ Env []ExecEnvVar `json:"env,omitempty"`
+}
+
+// ExecEnvVar is used for setting environment variables when executing an exec-based
+// credential plugin.
+type ExecEnvVar struct {
+ Name string `json:"name"`
+ Value string `json:"value"`
+}
diff --git a/staging/src/k8s.io/kubelet/config/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/config/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000000..43642020247
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/config/v1alpha1/zz_generated.deepcopy.go
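Review bot: The `name` doc on CredentialProvider says the value must match an executable in the kubelet's bin directory but does not say whether path separators are allowed; since the kubelet resolves the executable from this field, the API contract should state that it is a bare file name and that validation (not part of this commit) rejects `/`, `\` and `..`, e.g. `// name must be a plain file name with no path separators; it is joined to the bin directory by the kubelet.`. The field docs are also inconsistent in style: `name`, `matchImages` and `defaultCacheDuration` open with the JSON field name, while `APIVersion`, `Args` and `Env` open with `// Required input version ...`, `// Arguments to pass ...` and `// Env defines ...`. The `Env` comment's mention of "variables client-go uses to pass argument to the plugin" looks carried over from client-go's exec plugin types; the caller here is the kubelet, so that sentence should name the kubelet or be dropped so operators are not misled about which variables are injected. Because this file names the executables, arguments and environment of processes the kubelet runs, the `CredentialProviderConfig` doc should add that the config is read from disk as trusted input and its path must be writable only by the kubelet's owner.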
@@ -0,0 +1,110 @@ +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProvider) DeepCopyInto(out *CredentialProvider) { + *out = *in + if in.MatchImages != nil { + in, out := &in.MatchImages, &out.MatchImages + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DefaultCacheDuration != nil { + in, out := &in.DefaultCacheDuration, &out.DefaultCacheDuration + *out = new(v1.Duration) + **out = **in + } + if in.Args != nil { + in, out := &in.Args, &out.Args + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Env != nil { + in, out := &in.Env, &out.Env + *out = make([]ExecEnvVar, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProvider. +func (in *CredentialProvider) DeepCopy() *CredentialProvider { + if in == nil { + return nil + } + out := new(CredentialProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *CredentialProviderConfig) DeepCopyInto(out *CredentialProviderConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.Providers != nil { + in, out := &in.Providers, &out.Providers + *out = make([]CredentialProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderConfig. +func (in *CredentialProviderConfig) DeepCopy() *CredentialProviderConfig { + if in == nil { + return nil + } + out := new(CredentialProviderConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CredentialProviderConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExecEnvVar) DeepCopyInto(out *ExecEnvVar) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecEnvVar. +func (in *ExecEnvVar) DeepCopy() *ExecEnvVar { + if in == nil { + return nil + } + out := new(ExecEnvVar) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/modules.txt b/vendor/modules.txt index c596c25ba89..4cd47a1552e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -2426,6 +2426,7 @@ k8s.io/kubectl/pkg/validation # k8s.io/kubelet v0.0.0 => ./staging/src/k8s.io/kubelet ## explicit # k8s.io/kubelet => ./staging/src/k8s.io/kubelet +k8s.io/kubelet/config/v1alpha1 k8s.io/kubelet/config/v1beta1 k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1 k8s.io/kubelet/pkg/apis/pluginregistration/v1