From 7ed2f1d94d694c6c4fdb4629638c38b1cbda7288 Mon Sep 17 00:00:00 2001 From: Fangyuan Li Date: Sun, 15 Nov 2020 23:59:58 -0800 Subject: [PATCH] Implements Service Internal Traffic Policy 1. Add API definitions; 2. Add feature gate and drops the field when feature gate is not on; 3. Set default values for the field; 4. Add API Validation 5. add kube-proxy iptables and ipvs implementations 6. add tests --- api/openapi-spec/swagger.json | 2561 +++++++++++++++++ pkg/api/v1/service/util.go | 11 +- pkg/api/v1/service/util_test.go | 29 +- pkg/apis/core/types.go | 25 +- pkg/apis/core/v1/defaults.go | 5 + pkg/apis/core/v1/defaults_test.go | 64 + pkg/apis/core/v1/zz_generated.conversion.go | 2 + pkg/apis/core/validation/validation.go | 24 + pkg/apis/core/validation/validation_test.go | 27 +- pkg/apis/core/zz_generated.deepcopy.go | 5 + pkg/features/kube_features.go | 7 + pkg/proxy/iptables/proxier.go | 7 + pkg/proxy/iptables/proxier_test.go | 219 ++ pkg/proxy/ipvs/proxier.go | 19 +- pkg/proxy/ipvs/proxier_test.go | 183 ++ pkg/proxy/service.go | 60 +- pkg/proxy/topology.go | 42 +- pkg/proxy/topology_test.go | 97 + pkg/proxy/types.go | 4 + pkg/registry/core/service/strategy.go | 16 +- pkg/registry/core/service/strategy_test.go | 50 +- staging/src/k8s.io/api/core/v1/types.go | 25 +- .../core/v1/types_swagger_doc_generated.go | 1 + .../api/core/v1/zz_generated.deepcopy.go | 5 + .../api/testdata/HEAD/core.v1.Service.json | 13 +- .../api/testdata/HEAD/core.v1.Service.pb | Bin 516 -> 522 bytes .../api/testdata/HEAD/core.v1.Service.yaml | 11 +- .../core/v1/servicespec.go | 9 + 28 files changed, 3463 insertions(+), 58 deletions(-) diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index 7fb60793d54..ffa5ffd80ab 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -10382,6 +10382,10 @@ "format": "int32", "type": "integer" }, + "internalTrafficPolicy": { + "description": "InternalTrafficPolicy specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. \"Cluster\" routes internal traffic to a Service to all endpoints. \"Local\" routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. featureGate=ServiceInternalTrafficPolicy", + "type": "string" + }, "ipFamilies": { "description": "IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this service, and is gated by the \"IPv6DualStack\" feature gate. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. If this field is specified manually, the requested family is available in the cluster, and ipFamilyPolicy allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service. Valid values are \"IPv4\" and \"IPv6\". This field only applies to Services of types ClusterIP, NodePort, and LoadBalancer, and does apply to \"headless\" services. This field will be wiped when updating a Service to type ExternalName.\n\nThis field may hold a maximum of two entries (dual-stack families, in either order). These families must correspond to the values of the clusterIPs field, if specified. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field.", "items": { @@ -11791,6 +11795,552 @@ }, "type": "object" }, + "io.k8s.api.flowcontrol.v1alpha1.FlowDistinguisherMethod": { + "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", + "properties": { + "type": { + "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.FlowSchema": { + "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchemaSpec", + "description": "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + }, + "status": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchemaStatus", + "description": "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + ] + }, + "io.k8s.api.flowcontrol.v1alpha1.FlowSchemaCondition": { + "description": "FlowSchemaCondition describes conditions for a FlowSchema.", + "properties": { + "lastTransitionTime": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", + "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." + }, + "message": { + "description": "`message` is a human-readable message indicating details about last transition.", + "type": "string" + }, + "reason": { + "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", + "type": "string" + }, + "status": { + "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", + "type": "string" + }, + "type": { + "description": "`type` is the type of the condition. Required.", + "type": "string" + } + }, + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.FlowSchemaList": { + "description": "FlowSchemaList is a list of FlowSchema objects.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "`items` is a list of FlowSchemas.", + "items": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchemaList", + "version": "v1alpha1" + } + ] + }, + "io.k8s.api.flowcontrol.v1alpha1.FlowSchemaSpec": { + "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "properties": { + "distinguisherMethod": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowDistinguisherMethod", + "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." + }, + "matchingPrecedence": { + "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", + "format": "int32", + "type": "integer" + }, + "priorityLevelConfiguration": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationReference", + "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." + }, + "rules": { + "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", + "items": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PolicyRulesWithSubjects" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "priorityLevelConfiguration" + ], + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.FlowSchemaStatus": { + "description": "FlowSchemaStatus represents the current state of a FlowSchema.", + "properties": { + "conditions": { + "description": "`conditions` is a list of the current states of FlowSchema.", + "items": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchemaCondition" + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.GroupSubject": { + "description": "GroupSubject holds detailed information for group-kind subject.", + "properties": { + "name": { + "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.LimitResponse": { + "description": "LimitResponse defines how to handle requests that can not be executed right now.", + "properties": { + "queuing": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.QueuingConfiguration", + "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." + }, + "type": { + "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "queuing": "Queuing" + } + } + ] + }, + "io.k8s.api.flowcontrol.v1alpha1.LimitedPriorityLevelConfiguration": { + "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n * How are requests for this priority level limited?\n * What should be done with requests that exceed the limit?", + "properties": { + "assuredConcurrencyShares": { + "description": "`assuredConcurrencyShares` (ACS) configures the execution limit, which is a limit on the number of requests of this priority level that may be exeucting at a given time. ACS must be a positive number. The server's concurrency limit (SCL) is divided among the concurrency-controlled priority levels in proportion to their assured concurrency shares. This produces the assured concurrency value (ACV) --- the number of requests that may be executing at a time --- for each such priority level:\n\n ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) )\n\nbigger numbers of ACS mean more reserved concurrent requests (at the expense of every other PL). This field has a default value of 30.", + "format": "int32", + "type": "integer" + }, + "limitResponse": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.LimitResponse", + "description": "`limitResponse` indicates what to do with requests that can not be executed right now" + } + }, + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.NonResourcePolicyRule": { + "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", + "properties": { + "nonResourceURLs": { + "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "set" + }, + "verbs": { + "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "set" + } + }, + "required": [ + "verbs", + "nonResourceURLs" + ], + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.PolicyRulesWithSubjects": { + "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "properties": { + "nonResourceRules": { + "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", + "items": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.NonResourcePolicyRule" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resourceRules": { + "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", + "items": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.ResourcePolicyRule" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "subjects": { + "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", + "items": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.Subject" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "subjects" + ], + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration": { + "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationSpec", + "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + }, + "status": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationStatus", + "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + ] + }, + "io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationCondition": { + "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", + "properties": { + "lastTransitionTime": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", + "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." + }, + "message": { + "description": "`message` is a human-readable message indicating details about last transition.", + "type": "string" + }, + "reason": { + "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", + "type": "string" + }, + "status": { + "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", + "type": "string" + }, + "type": { + "description": "`type` is the type of the condition. Required.", + "type": "string" + } + }, + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationList": { + "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "`items` is a list of request-priorities.", + "items": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfigurationList", + "version": "v1alpha1" + } + ] + }, + "io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationReference": { + "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", + "properties": { + "name": { + "description": "`name` is the name of the priority level configuration being referenced Required.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationSpec": { + "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", + "properties": { + "limited": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.LimitedPriorityLevelConfiguration", + "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." + }, + "type": { + "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object", + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "limited": "Limited" + } + } + ] + }, + "io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationStatus": { + "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", + "properties": { + "conditions": { + "description": "`conditions` is the current state of \"request-priority\".", + "items": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationCondition" + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.QueuingConfiguration": { + "description": "QueuingConfiguration holds the configuration parameters for queuing", + "properties": { + "handSize": { + "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", + "format": "int32", + "type": "integer" + }, + "queueLengthLimit": { + "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", + "format": "int32", + "type": "integer" + }, + "queues": { + "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", + "format": "int32", + "type": "integer" + } + }, + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.ResourcePolicyRule": { + "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) least one member of namespaces matches the request.", + "properties": { + "apiGroups": { + "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "set" + }, + "clusterScope": { + "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", + "type": "boolean" + }, + "namespaces": { + "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "set" + }, + "resources": { + "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "set" + }, + "verbs": { + "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "set" + } + }, + "required": [ + "verbs", + "apiGroups", + "resources" + ], + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.ServiceAccountSubject": { + "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "properties": { + "name": { + "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "type": "string" + }, + "namespace": { + "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", + "type": "string" + } + }, + "required": [ + "namespace", + "name" + ], + "type": "object" + }, + "io.k8s.api.flowcontrol.v1alpha1.Subject": { + "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", + "properties": { + "group": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.GroupSubject" + }, + "kind": { + "description": "Required", + "type": "string" + }, + "serviceAccount": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.ServiceAccountSubject" + }, + "user": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.UserSubject" + } + }, + "required": [ + "kind" + ], + "type": "object", + "x-kubernetes-unions": [ + { + "discriminator": "kind", + "fields-to-discriminateBy": { + "group": "Group", + "serviceAccount": "ServiceAccount", + "user": "User" + } + } + ] + }, + "io.k8s.api.flowcontrol.v1alpha1.UserSubject": { + "description": "UserSubject holds detailed information for user-kind subject.", + "properties": { + "name": { + "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, "io.k8s.api.flowcontrol.v1beta1.FlowDistinguisherMethod": { "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", "properties": { @@ -72477,6 +73027,2017 @@ ] } }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/": { + "get": { + "consumes": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "description": "get available resources", + "operationId": "getFlowcontrolApiserverV1alpha1APIResources", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ] + } + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas": { + "delete": { + "consumes": [ + "*/*" + ], + "description": "delete collection of FlowSchema", + "operationId": "deleteFlowcontrolApiserverV1alpha1CollectionFlowSchema", + "parameters": [ + { + "in": "body", + "name": "body", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions" + } + }, + { + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "in": "query", + "name": "continue", + "type": "string", + "uniqueItems": true + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "in": "query", + "name": "fieldSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.", + "in": "query", + "name": "gracePeriodSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "in": "query", + "name": "labelSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "in": "query", + "name": "limit", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", + "in": "query", + "name": "orphanDependents", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", + "in": "query", + "name": "propagationPolicy", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersion", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersionMatch", + "type": "string", + "uniqueItems": true + }, + { + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "in": "query", + "name": "timeoutSeconds", + "type": "integer", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "get": { + "consumes": [ + "*/*" + ], + "description": "list or watch objects of kind FlowSchema", + "operationId": "listFlowcontrolApiserverV1alpha1FlowSchema", + "parameters": [ + { + "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.", + "in": "query", + "name": "allowWatchBookmarks", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "in": "query", + "name": "continue", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "in": "query", + "name": "fieldSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "in": "query", + "name": "labelSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "in": "query", + "name": "limit", + "type": "integer", + "uniqueItems": true + }, + { + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersion", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersionMatch", + "type": "string", + "uniqueItems": true + }, + { + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "in": "query", + "name": "timeoutSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.", + "in": "query", + "name": "watch", + "type": "boolean", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf", + "application/json;stream=watch", + "application/vnd.kubernetes.protobuf;stream=watch" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchemaList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + } + ], + "post": { + "consumes": [ + "*/*" + ], + "description": "create a FlowSchema", + "operationId": "createFlowcontrolApiserverV1alpha1FlowSchema", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + } + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/{name}": { + "delete": { + "consumes": [ + "*/*" + ], + "description": "delete a FlowSchema", + "operationId": "deleteFlowcontrolApiserverV1alpha1FlowSchema", + "parameters": [ + { + "in": "body", + "name": "body", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.", + "in": "query", + "name": "gracePeriodSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", + "in": "query", + "name": "orphanDependents", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", + "in": "query", + "name": "propagationPolicy", + "type": "string", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "get": { + "consumes": [ + "*/*" + ], + "description": "read the specified FlowSchema", + "operationId": "readFlowcontrolApiserverV1alpha1FlowSchema", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "name of the FlowSchema", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + } + ], + "patch": { + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/strategic-merge-patch+json", + "application/apply-patch+yaml" + ], + "description": "partially update the specified FlowSchema", + "operationId": "patchFlowcontrolApiserverV1alpha1FlowSchema", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + }, + { + "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.", + "in": "query", + "name": "force", + "type": "boolean", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "put": { + "consumes": [ + "*/*" + ], + "description": "replace the specified FlowSchema", + "operationId": "replaceFlowcontrolApiserverV1alpha1FlowSchema", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + } + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/{name}/status": { + "get": { + "consumes": [ + "*/*" + ], + "description": "read status of the specified FlowSchema", + "operationId": "readFlowcontrolApiserverV1alpha1FlowSchemaStatus", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "name of the FlowSchema", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + } + ], + "patch": { + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/strategic-merge-patch+json", + "application/apply-patch+yaml" + ], + "description": "partially update status of the specified FlowSchema", + "operationId": "patchFlowcontrolApiserverV1alpha1FlowSchemaStatus", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + }, + { + "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.", + "in": "query", + "name": "force", + "type": "boolean", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "put": { + "consumes": [ + "*/*" + ], + "description": "replace status of the specified FlowSchema", + "operationId": "replaceFlowcontrolApiserverV1alpha1FlowSchemaStatus", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.FlowSchema" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + } + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/prioritylevelconfigurations": { + "delete": { + "consumes": [ + "*/*" + ], + "description": "delete collection of PriorityLevelConfiguration", + "operationId": "deleteFlowcontrolApiserverV1alpha1CollectionPriorityLevelConfiguration", + "parameters": [ + { + "in": "body", + "name": "body", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions" + } + }, + { + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "in": "query", + "name": "continue", + "type": "string", + "uniqueItems": true + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "in": "query", + "name": "fieldSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.", + "in": "query", + "name": "gracePeriodSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "in": "query", + "name": "labelSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "in": "query", + "name": "limit", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", + "in": "query", + "name": "orphanDependents", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", + "in": "query", + "name": "propagationPolicy", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersion", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersionMatch", + "type": "string", + "uniqueItems": true + }, + { + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "in": "query", + "name": "timeoutSeconds", + "type": "integer", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "deletecollection", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "get": { + "consumes": [ + "*/*" + ], + "description": "list or watch objects of kind PriorityLevelConfiguration", + "operationId": "listFlowcontrolApiserverV1alpha1PriorityLevelConfiguration", + "parameters": [ + { + "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.", + "in": "query", + "name": "allowWatchBookmarks", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "in": "query", + "name": "continue", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "in": "query", + "name": "fieldSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "in": "query", + "name": "labelSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "in": "query", + "name": "limit", + "type": "integer", + "uniqueItems": true + }, + { + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersion", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersionMatch", + "type": "string", + "uniqueItems": true + }, + { + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "in": "query", + "name": "timeoutSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.", + "in": "query", + "name": "watch", + "type": "boolean", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf", + "application/json;stream=watch", + "application/vnd.kubernetes.protobuf;stream=watch" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfigurationList" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "list", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + } + ], + "post": { + "consumes": [ + "*/*" + ], + "description": "create a PriorityLevelConfiguration", + "operationId": "createFlowcontrolApiserverV1alpha1PriorityLevelConfiguration", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + } + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/prioritylevelconfigurations/{name}": { + "delete": { + "consumes": [ + "*/*" + ], + "description": "delete a PriorityLevelConfiguration", + "operationId": "deleteFlowcontrolApiserverV1alpha1PriorityLevelConfiguration", + "parameters": [ + { + "in": "body", + "name": "body", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.", + "in": "query", + "name": "gracePeriodSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", + "in": "query", + "name": "orphanDependents", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", + "in": "query", + "name": "propagationPolicy", + "type": "string", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "delete", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "get": { + "consumes": [ + "*/*" + ], + "description": "read the specified PriorityLevelConfiguration", + "operationId": "readFlowcontrolApiserverV1alpha1PriorityLevelConfiguration", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "name of the PriorityLevelConfiguration", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + } + ], + "patch": { + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/strategic-merge-patch+json", + "application/apply-patch+yaml" + ], + "description": "partially update the specified PriorityLevelConfiguration", + "operationId": "patchFlowcontrolApiserverV1alpha1PriorityLevelConfiguration", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + }, + { + "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.", + "in": "query", + "name": "force", + "type": "boolean", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "put": { + "consumes": [ + "*/*" + ], + "description": "replace the specified PriorityLevelConfiguration", + "operationId": "replaceFlowcontrolApiserverV1alpha1PriorityLevelConfiguration", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + } + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/prioritylevelconfigurations/{name}/status": { + "get": { + "consumes": [ + "*/*" + ], + "description": "read status of the specified PriorityLevelConfiguration", + "operationId": "readFlowcontrolApiserverV1alpha1PriorityLevelConfigurationStatus", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "get", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "name of the PriorityLevelConfiguration", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + } + ], + "patch": { + "consumes": [ + "application/json-patch+json", + "application/merge-patch+json", + "application/strategic-merge-patch+json", + "application/apply-patch+yaml" + ], + "description": "partially update status of the specified PriorityLevelConfiguration", + "operationId": "patchFlowcontrolApiserverV1alpha1PriorityLevelConfigurationStatus", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + }, + { + "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.", + "in": "query", + "name": "force", + "type": "boolean", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "patch", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "put": { + "consumes": [ + "*/*" + ], + "description": "replace status of the specified PriorityLevelConfiguration", + "operationId": "replaceFlowcontrolApiserverV1alpha1PriorityLevelConfigurationStatus", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.k8s.api.flowcontrol.v1alpha1.PriorityLevelConfiguration" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "put", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + } + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/watch/flowschemas": { + "get": { + "consumes": [ + "*/*" + ], + "description": "watch individual changes to a list of FlowSchema. deprecated: use the 'watch' parameter with a list operation instead.", + "operationId": "watchFlowcontrolApiserverV1alpha1FlowSchemaList", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf", + "application/json;stream=watch", + "application/vnd.kubernetes.protobuf;stream=watch" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "watchlist", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.", + "in": "query", + "name": "allowWatchBookmarks", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "in": "query", + "name": "continue", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "in": "query", + "name": "fieldSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "in": "query", + "name": "labelSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "in": "query", + "name": "limit", + "type": "integer", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersion", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersionMatch", + "type": "string", + "uniqueItems": true + }, + { + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "in": "query", + "name": "timeoutSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.", + "in": "query", + "name": "watch", + "type": "boolean", + "uniqueItems": true + } + ] + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/watch/flowschemas/{name}": { + "get": { + "consumes": [ + "*/*" + ], + "description": "watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.", + "operationId": "watchFlowcontrolApiserverV1alpha1FlowSchema", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf", + "application/json;stream=watch", + "application/vnd.kubernetes.protobuf;stream=watch" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "watch", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "FlowSchema", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.", + "in": "query", + "name": "allowWatchBookmarks", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "in": "query", + "name": "continue", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "in": "query", + "name": "fieldSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "in": "query", + "name": "labelSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "in": "query", + "name": "limit", + "type": "integer", + "uniqueItems": true + }, + { + "description": "name of the FlowSchema", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersion", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersionMatch", + "type": "string", + "uniqueItems": true + }, + { + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "in": "query", + "name": "timeoutSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.", + "in": "query", + "name": "watch", + "type": "boolean", + "uniqueItems": true + } + ] + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/watch/prioritylevelconfigurations": { + "get": { + "consumes": [ + "*/*" + ], + "description": "watch individual changes to a list of PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead.", + "operationId": "watchFlowcontrolApiserverV1alpha1PriorityLevelConfigurationList", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf", + "application/json;stream=watch", + "application/vnd.kubernetes.protobuf;stream=watch" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "watchlist", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.", + "in": "query", + "name": "allowWatchBookmarks", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "in": "query", + "name": "continue", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "in": "query", + "name": "fieldSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "in": "query", + "name": "labelSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "in": "query", + "name": "limit", + "type": "integer", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersion", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersionMatch", + "type": "string", + "uniqueItems": true + }, + { + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "in": "query", + "name": "timeoutSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.", + "in": "query", + "name": "watch", + "type": "boolean", + "uniqueItems": true + } + ] + }, + "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/watch/prioritylevelconfigurations/{name}": { + "get": { + "consumes": [ + "*/*" + ], + "description": "watch changes to an object of kind PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.", + "operationId": "watchFlowcontrolApiserverV1alpha1PriorityLevelConfiguration", + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf", + "application/json;stream=watch", + "application/vnd.kubernetes.protobuf;stream=watch" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "flowcontrolApiserver_v1alpha1" + ], + "x-kubernetes-action": "watch", + "x-kubernetes-group-version-kind": { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "PriorityLevelConfiguration", + "version": "v1alpha1" + } + }, + "parameters": [ + { + "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.", + "in": "query", + "name": "allowWatchBookmarks", + "type": "boolean", + "uniqueItems": true + }, + { + "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.", + "in": "query", + "name": "continue", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.", + "in": "query", + "name": "fieldSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.", + "in": "query", + "name": "labelSelector", + "type": "string", + "uniqueItems": true + }, + { + "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.", + "in": "query", + "name": "limit", + "type": "integer", + "uniqueItems": true + }, + { + "description": "name of the PriorityLevelConfiguration", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersion", + "type": "string", + "uniqueItems": true + }, + { + "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset", + "in": "query", + "name": "resourceVersionMatch", + "type": "string", + "uniqueItems": true + }, + { + "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.", + "in": "query", + "name": "timeoutSeconds", + "type": "integer", + "uniqueItems": true + }, + { + "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.", + "in": "query", + "name": "watch", + "type": "boolean", + "uniqueItems": true + } + ] + }, "/apis/flowcontrol.apiserver.k8s.io/v1beta1/": { "get": { "consumes": [ diff --git a/pkg/api/v1/service/util.go b/pkg/api/v1/service/util.go index d1c6713888e..68913287c13 100644 --- a/pkg/api/v1/service/util.go +++ b/pkg/api/v1/service/util.go @@ -20,7 +20,7 @@ import ( "fmt" "strings" - "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" utilnet "k8s.io/utils/net" ) @@ -76,6 +76,15 @@ func RequestsOnlyLocalTraffic(service *v1.Service) bool { return service.Spec.ExternalTrafficPolicy == v1.ServiceExternalTrafficPolicyTypeLocal } +// RequestsOnlyLocalTrafficForInternal checks if service prefers Node Local +// endpoints for internal traffic +func RequestsOnlyLocalTrafficForInternal(service *v1.Service) bool { + if service.Spec.InternalTrafficPolicy == nil { + return false + } + return *service.Spec.InternalTrafficPolicy == v1.ServiceInternalTrafficPolicyLocal +} + // NeedsHealthCheck checks if service needs health check. func NeedsHealthCheck(service *v1.Service) bool { if service.Spec.Type != v1.ServiceTypeLoadBalancer { diff --git a/pkg/api/v1/service/util_test.go b/pkg/api/v1/service/util_test.go index 9813017c491..f7a3c2dadb9 100644 --- a/pkg/api/v1/service/util_test.go +++ b/pkg/api/v1/service/util_test.go @@ -20,7 +20,7 @@ import ( "strings" "testing" - "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" utilnet "k8s.io/utils/net" ) @@ -214,3 +214,30 @@ func TestNeedsHealthCheck(t *testing.T) { }, }) } + +func TestRequestsOnlyLocalTrafficForInternal(t *testing.T) { + checkRequestsOnlyLocalTrafficForInternal := func(expected bool, service *v1.Service) { + res := RequestsOnlyLocalTrafficForInternal(service) + if res != expected { + t.Errorf("Expected internal local traffic = %v, got %v", + expected, res) + } + } + + // default InternalTrafficPolicy is nil + checkRequestsOnlyLocalTrafficForInternal(false, &v1.Service{}) + + local := v1.ServiceInternalTrafficPolicyLocal + checkRequestsOnlyLocalTrafficForInternal(true, &v1.Service{ + Spec: v1.ServiceSpec{ + InternalTrafficPolicy: &local, + }, + }) + + cluster := v1.ServiceInternalTrafficPolicyCluster + checkRequestsOnlyLocalTrafficForInternal(false, &v1.Service{ + Spec: v1.ServiceSpec{ + InternalTrafficPolicy: &cluster, + }, + }) +} diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go index f130a6c13b0..e40d798b8fb 100644 --- a/pkg/apis/core/types.go +++ b/pkg/apis/core/types.go @@ -3475,6 +3475,19 @@ const ( ServiceTypeExternalName ServiceType = "ExternalName" ) +// ServiceInternalTrafficPolicyType describes the type of traffic routing for +// internal traffic +type ServiceInternalTrafficPolicyType string + +const ( + // ServiceInternalTrafficPolicyCluster routes traffic to all endpoints + ServiceInternalTrafficPolicyCluster ServiceInternalTrafficPolicyType = "Cluster" + + // ServiceInternalTrafficPolicyLocal only routes to node-local + // endpoints, otherwise drops the traffic + ServiceInternalTrafficPolicyLocal ServiceInternalTrafficPolicyType = "Local" +) + // ServiceExternalTrafficPolicyType string type ServiceExternalTrafficPolicyType string @@ -3739,9 +3752,19 @@ type ServiceSpec struct { // implementation (e.g. cloud providers) should ignore Services that set this field. // This field can only be set when creating or updating a Service to type 'LoadBalancer'. // Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - // featureGate=LoadBalancerClass + // +featureGate=LoadBalancerClass // +optional LoadBalancerClass *string + + // InternalTrafficPolicy specifies if the cluster internal traffic + // should be routed to all endpoints or node-local endpoints only. + // "Cluster" routes internal traffic to a Service to all endpoints. + // "Local" routes traffic to node-local endpoints only, traffic is + // dropped if no node-local endpoints are ready. + // The default value is "Cluster". + // +featureGate=ServiceInternalTrafficPolicy + // +optional + InternalTrafficPolicy *ServiceInternalTrafficPolicyType } // ServicePort represents the port on which the service is exposed diff --git a/pkg/apis/core/v1/defaults.go b/pkg/apis/core/v1/defaults.go index 96c8753ca8b..3381f652c0e 100644 --- a/pkg/apis/core/v1/defaults.go +++ b/pkg/apis/core/v1/defaults.go @@ -131,6 +131,11 @@ func SetDefaults_Service(obj *v1.Service) { obj.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyTypeCluster } + if utilfeature.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy) && obj.Spec.InternalTrafficPolicy == nil { + serviceInternalTrafficPolicyCluster := v1.ServiceInternalTrafficPolicyCluster + obj.Spec.InternalTrafficPolicy = &serviceInternalTrafficPolicyCluster + } + if utilfeature.DefaultFeatureGate.Enabled(features.ServiceLBNodePortControl) { if obj.Spec.Type == v1.ServiceTypeLoadBalancer { if obj.Spec.AllocateLoadBalancerNodePorts == nil { diff --git a/pkg/apis/core/v1/defaults_test.go b/pkg/apis/core/v1/defaults_test.go index d0ea41f9af8..b167110c0a8 100644 --- a/pkg/apis/core/v1/defaults_test.go +++ b/pkg/apis/core/v1/defaults_test.go @@ -29,8 +29,11 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/intstr" + utilfeature "k8s.io/apiserver/pkg/util/feature" + featuregatetesting "k8s.io/component-base/featuregate/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" corev1 "k8s.io/kubernetes/pkg/apis/core/v1" + "k8s.io/kubernetes/pkg/features" utilpointer "k8s.io/utils/pointer" // ensure types are installed @@ -1798,3 +1801,64 @@ func TestSetDefaultEnableServiceLinks(t *testing.T) { t.Errorf("Expected enableServiceLinks value: %+v\ngot: %+v\n", v1.DefaultEnableServiceLinks, *output.Spec.EnableServiceLinks) } } + +func TestSetDefaultServiceInternalTrafficPolicy(t *testing.T) { + cluster := v1.ServiceInternalTrafficPolicyCluster + local := v1.ServiceInternalTrafficPolicyLocal + testCases := []struct { + name string + expectedInternalTrafficPolicy v1.ServiceInternalTrafficPolicyType + svc v1.Service + featureGateOn bool + }{ + { + name: "must set default internalTrafficPolicy", + expectedInternalTrafficPolicy: v1.ServiceInternalTrafficPolicyCluster, + svc: v1.Service{}, + featureGateOn: true, + }, + { + name: "must not set default internalTrafficPolicy when it's cluster", + expectedInternalTrafficPolicy: v1.ServiceInternalTrafficPolicyCluster, + svc: v1.Service{ + Spec: v1.ServiceSpec{ + InternalTrafficPolicy: &cluster, + }, + }, + featureGateOn: true, + }, + { + name: "must not set default internalTrafficPolicy when it's local", + expectedInternalTrafficPolicy: v1.ServiceInternalTrafficPolicyLocal, + svc: v1.Service{ + Spec: v1.ServiceSpec{ + InternalTrafficPolicy: &local, + }, + }, + featureGateOn: true, + }, + { + name: "must not set default internalTrafficPolicy when gate is disabled", + expectedInternalTrafficPolicy: "", + svc: v1.Service{}, + featureGateOn: false, + }, + } + for _, test := range testCases { + t.Run(test.name, func(t *testing.T) { + defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceInternalTrafficPolicy, test.featureGateOn)() + obj := roundTrip(t, runtime.Object(&test.svc)) + svc := obj.(*v1.Service) + + if test.expectedInternalTrafficPolicy == "" { + if svc.Spec.InternalTrafficPolicy != nil { + t.Fatalf("expected .spec.internalTrafficPolicy: null, got %v", *svc.Spec.InternalTrafficPolicy) + } + } else { + if *svc.Spec.InternalTrafficPolicy != test.expectedInternalTrafficPolicy { + t.Fatalf("expected .spec.internalTrafficPolicy: %v got %v", test.expectedInternalTrafficPolicy, *svc.Spec.InternalTrafficPolicy) + } + } + }) + } +} diff --git a/pkg/apis/core/v1/zz_generated.conversion.go b/pkg/apis/core/v1/zz_generated.conversion.go index 4abda6e93bc..9cceb8cd0ef 100644 --- a/pkg/apis/core/v1/zz_generated.conversion.go +++ b/pkg/apis/core/v1/zz_generated.conversion.go @@ -7636,6 +7636,7 @@ func autoConvert_v1_ServiceSpec_To_core_ServiceSpec(in *v1.ServiceSpec, out *cor out.IPFamilyPolicy = (*core.IPFamilyPolicyType)(unsafe.Pointer(in.IPFamilyPolicy)) out.AllocateLoadBalancerNodePorts = (*bool)(unsafe.Pointer(in.AllocateLoadBalancerNodePorts)) out.LoadBalancerClass = (*string)(unsafe.Pointer(in.LoadBalancerClass)) + out.InternalTrafficPolicy = (*core.ServiceInternalTrafficPolicyType)(unsafe.Pointer(in.InternalTrafficPolicy)) return nil } @@ -7664,6 +7665,7 @@ func autoConvert_core_ServiceSpec_To_v1_ServiceSpec(in *core.ServiceSpec, out *v out.TopologyKeys = *(*[]string)(unsafe.Pointer(&in.TopologyKeys)) out.AllocateLoadBalancerNodePorts = (*bool)(unsafe.Pointer(in.AllocateLoadBalancerNodePorts)) out.LoadBalancerClass = (*string)(unsafe.Pointer(in.LoadBalancerClass)) + out.InternalTrafficPolicy = (*v1.ServiceInternalTrafficPolicyType)(unsafe.Pointer(in.InternalTrafficPolicy)) return nil } diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go index f7ee68664ec..1b668083b3b 100644 --- a/pkg/apis/core/validation/validation.go +++ b/pkg/apis/core/validation/validation.go @@ -4171,6 +4171,8 @@ var supportedSessionAffinityType = sets.NewString(string(core.ServiceAffinityCli var supportedServiceType = sets.NewString(string(core.ServiceTypeClusterIP), string(core.ServiceTypeNodePort), string(core.ServiceTypeLoadBalancer), string(core.ServiceTypeExternalName)) +var supportedServiceInternalTrafficPolicy = sets.NewString(string(core.ServiceInternalTrafficPolicyCluster), string(core.ServiceExternalTrafficPolicyTypeLocal)) + var supportedServiceIPFamily = sets.NewString(string(core.IPv4Protocol), string(core.IPv6Protocol)) var supportedServiceIPFamilyPolicy = sets.NewString(string(core.IPFamilyPolicySingleStack), string(core.IPFamilyPolicyPreferDualStack), string(core.IPFamilyPolicyRequireDualStack)) @@ -4378,6 +4380,10 @@ func ValidateService(service *core.Service) field.ErrorList { // external traffic fields allErrs = append(allErrs, validateServiceExternalTrafficFieldsValue(service)...) + + // internal traffic policy field + allErrs = append(allErrs, validateServiceInternalTrafficFieldsValue(service)...) + return allErrs } @@ -4446,6 +4452,24 @@ func validateServiceExternalTrafficFieldsValue(service *core.Service) field.Erro return allErrs } +// validateServiceInternalTrafficFieldsValue validates InternalTraffic related +// spec have legal value. +func validateServiceInternalTrafficFieldsValue(service *core.Service) field.ErrorList { + allErrs := field.ErrorList{} + + if utilfeature.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy) { + if service.Spec.InternalTrafficPolicy == nil { + allErrs = append(allErrs, field.Required(field.NewPath("spec").Child("internalTrafficPolicy"), "")) + } + } + + if service.Spec.InternalTrafficPolicy != nil && !supportedServiceInternalTrafficPolicy.Has(string(*service.Spec.InternalTrafficPolicy)) { + allErrs = append(allErrs, field.NotSupported(field.NewPath("spec").Child("internalTrafficPolicy"), *service.Spec.InternalTrafficPolicy, supportedServiceInternalTrafficPolicy.List())) + } + + return allErrs +} + // ValidateServiceExternalTrafficFieldsCombination validates if ExternalTrafficPolicy, // HealthCheckNodePort and Type combination are legal. For update, it should be called // after clearing externalTraffic related fields for the ease of transitioning between diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go index c4000c27b7f..6ea9b35aa33 100644 --- a/pkg/apis/core/validation/validation_test.go +++ b/pkg/apis/core/validation/validation_test.go @@ -33,6 +33,7 @@ import ( "k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation/field" utilfeature "k8s.io/apiserver/pkg/util/feature" + "k8s.io/component-base/featuregate" featuregatetesting "k8s.io/component-base/featuregate/testing" "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/capabilities" @@ -10135,9 +10136,10 @@ func TestValidateServiceCreate(t *testing.T) { preferDualStack := core.IPFamilyPolicyPreferDualStack testCases := []struct { - name string - tweakSvc func(svc *core.Service) // given a basic valid service, each test case can customize it - numErrs int + name string + tweakSvc func(svc *core.Service) // given a basic valid service, each test case can customize it + numErrs int + featureGates []featuregate.Feature }{ { name: "missing namespace", @@ -10750,6 +10752,22 @@ func TestValidateServiceCreate(t *testing.T) { }, numErrs: 1, }, + { + name: "nil internalTraffic field when feature gate is on", + tweakSvc: func(s *core.Service) { + s.Spec.InternalTrafficPolicy = nil + }, + featureGates: []featuregate.Feature{features.ServiceInternalTrafficPolicy}, + numErrs: 1, + }, + { + name: "invalid internalTraffic field", + tweakSvc: func(s *core.Service) { + invalid := core.ServiceInternalTrafficPolicyType("invalid") + s.Spec.InternalTrafficPolicy = &invalid + }, + numErrs: 1, + }, { name: "nagative healthCheckNodePort field", tweakSvc: func(s *core.Service) { @@ -11323,6 +11341,9 @@ func TestValidateServiceCreate(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { + for i := range tc.featureGates { + defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, tc.featureGates[i], true)() + } svc := makeValidService() tc.tweakSvc(&svc) errs := ValidateServiceCreate(&svc) diff --git a/pkg/apis/core/zz_generated.deepcopy.go b/pkg/apis/core/zz_generated.deepcopy.go index c1ae7ebae42..14a77ee1248 100644 --- a/pkg/apis/core/zz_generated.deepcopy.go +++ b/pkg/apis/core/zz_generated.deepcopy.go @@ -5335,6 +5335,11 @@ func (in *ServiceSpec) DeepCopyInto(out *ServiceSpec) { *out = new(string) **out = **in } + if in.InternalTrafficPolicy != nil { + in, out := &in.InternalTrafficPolicy, &out.InternalTrafficPolicy + *out = new(ServiceInternalTrafficPolicyType) + **out = **in + } return } diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 15596c3806b..a03458b982a 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -708,6 +708,12 @@ const ( // // Enable Scope and Namespace fields on IngressClassParametersReference. IngressClassNamespacedParams featuregate.Feature = "IngressClassNamespacedParams" + + // owner: @maplain @andrewsykim + // alpha: v1.21 + // + // Enables node-local routing for Service internal traffic + ServiceInternalTrafficPolicy featuregate.Feature = "ServiceInternalTrafficPolicy" ) func init() { @@ -815,6 +821,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS ServiceLoadBalancerClass: {Default: false, PreRelease: featuregate.Alpha}, LogarithmicScaleDown: {Default: false, PreRelease: featuregate.Alpha}, IngressClassNamespacedParams: {Default: false, PreRelease: featuregate.Alpha}, + ServiceInternalTrafficPolicy: {Default: false, PreRelease: featuregate.Alpha}, // inherited features from generic apiserver, relisted here to get a conflict if it is changed // unintentionally on either side: diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go index 7464b837da7..4dafa162167 100644 --- a/pkg/proxy/iptables/proxier.go +++ b/pkg/proxy/iptables/proxier.go @@ -1029,6 +1029,13 @@ func (proxier *Proxier) syncProxyRules() { allEndpoints = proxy.FilterTopologyEndpoint(proxier.nodeLabels, svcInfo.TopologyKeys(), allEndpoints) } + // Service InternalTrafficPolicy is only enabled when all of the + // following are true: + // 1. InternalTrafficPolicy is Local + // 2. ServiceInternalTrafficPolicy feature gate is on + if utilfeature.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy) && svcInfo.OnlyNodeLocalEndpointsForInternal() { + allEndpoints = proxy.FilterLocalEndpoint(svcInfo.InternalTrafficPolicy(), allEndpoints) + } readyEndpoints := make([]proxy.Endpoint, 0, len(allEndpoints)) for _, endpoint := range allEndpoints { if !endpoint.IsReady() { diff --git a/pkg/proxy/iptables/proxier_test.go b/pkg/proxy/iptables/proxier_test.go index 6d1b8f1bf28..4df8c65efbb 100644 --- a/pkg/proxy/iptables/proxier_test.go +++ b/pkg/proxy/iptables/proxier_test.go @@ -32,8 +32,11 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" + utilfeature "k8s.io/apiserver/pkg/util/feature" + featuregatetesting "k8s.io/component-base/featuregate/testing" "k8s.io/component-base/metrics/testutil" "k8s.io/klog/v2" + "k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/proxy" "k8s.io/kubernetes/pkg/proxy/metrics" @@ -3056,3 +3059,219 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) { } // TODO(thockin): add *more* tests for syncProxyRules() or break it down further and test the pieces. + +// This test ensures that the iptables proxier supports translating Endpoints to +// iptables output when internalTrafficPolicy is specified +func TestInternalTrafficPolicyE2E(t *testing.T) { + type endpoint struct { + ip string + hostname string + } + + cluster := v1.ServiceInternalTrafficPolicyCluster + local := v1.ServiceInternalTrafficPolicyLocal + + clusterExpectedIPTables := `*filter +:KUBE-SERVICES - [0:0] +:KUBE-EXTERNAL-SERVICES - [0:0] +:KUBE-FORWARD - [0:0] +:KUBE-NODEPORTS - [0:0] +-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +COMMIT +*nat +:KUBE-SERVICES - [0:0] +:KUBE-NODEPORTS - [0:0] +:KUBE-POSTROUTING - [0:0] +:KUBE-MARK-MASQ - [0:0] +:KUBE-SVC-AQI2S6QIMU7PVVRP - [0:0] +:KUBE-SEP-3JOIVZTXZZRGORX4 - [0:0] +:KUBE-SEP-IO5XOSKPAXIFQXAJ - [0:0] +:KUBE-SEP-XGJFVO3L2O5SRFNT - [0:0] +-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN +-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000 +-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE +-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000 +-A KUBE-SERVICES -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.20.1.1/32 --dport 80 ! -s 10.0.0.0/24 -j KUBE-MARK-MASQ +-A KUBE-SERVICES -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.20.1.1/32 --dport 80 -j KUBE-SVC-AQI2S6QIMU7PVVRP +-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment ns1/svc1 -m statistic --mode random --probability 0.3333333333 -j KUBE-SEP-3JOIVZTXZZRGORX4 +-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -s 10.0.1.1/32 -j KUBE-MARK-MASQ +-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.1:80 +-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment ns1/svc1 -m statistic --mode random --probability 0.5000000000 -j KUBE-SEP-IO5XOSKPAXIFQXAJ +-A KUBE-SEP-IO5XOSKPAXIFQXAJ -m comment --comment ns1/svc1 -s 10.0.1.2/32 -j KUBE-MARK-MASQ +-A KUBE-SEP-IO5XOSKPAXIFQXAJ -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.2:80 +-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment ns1/svc1 -j KUBE-SEP-XGJFVO3L2O5SRFNT +-A KUBE-SEP-XGJFVO3L2O5SRFNT -m comment --comment ns1/svc1 -s 10.0.1.3/32 -j KUBE-MARK-MASQ +-A KUBE-SEP-XGJFVO3L2O5SRFNT -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.3:80 +-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS +COMMIT +` + + testCases := []struct { + name string + internalTrafficPolicy *v1.ServiceInternalTrafficPolicyType + featureGateOn bool + endpoints []endpoint + expectEndpointRule bool + expectedIPTablesWithSlice string + }{ + { + name: "internalTrafficPolicy is cluster", + internalTrafficPolicy: &cluster, + featureGateOn: true, + endpoints: []endpoint{ + {"10.0.1.1", testHostname}, + {"10.0.1.2", "host1"}, + {"10.0.1.3", "host2"}, + }, + expectEndpointRule: true, + expectedIPTablesWithSlice: clusterExpectedIPTables, + }, + { + name: "internalTrafficPolicy is local and there is non-zero local endpoints", + internalTrafficPolicy: &local, + featureGateOn: true, + endpoints: []endpoint{ + {"10.0.1.1", testHostname}, + {"10.0.1.2", "host1"}, + {"10.0.1.3", "host2"}, + }, + expectEndpointRule: true, + expectedIPTablesWithSlice: `*filter +:KUBE-SERVICES - [0:0] +:KUBE-EXTERNAL-SERVICES - [0:0] +:KUBE-FORWARD - [0:0] +:KUBE-NODEPORTS - [0:0] +-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +COMMIT +*nat +:KUBE-SERVICES - [0:0] +:KUBE-NODEPORTS - [0:0] +:KUBE-POSTROUTING - [0:0] +:KUBE-MARK-MASQ - [0:0] +:KUBE-SVC-AQI2S6QIMU7PVVRP - [0:0] +:KUBE-SEP-3JOIVZTXZZRGORX4 - [0:0] +-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN +-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000 +-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE +-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000 +-A KUBE-SERVICES -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.20.1.1/32 --dport 80 ! -s 10.0.0.0/24 -j KUBE-MARK-MASQ +-A KUBE-SERVICES -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.20.1.1/32 --dport 80 -j KUBE-SVC-AQI2S6QIMU7PVVRP +-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment ns1/svc1 -j KUBE-SEP-3JOIVZTXZZRGORX4 +-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -s 10.0.1.1/32 -j KUBE-MARK-MASQ +-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.1:80 +-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS +COMMIT +`, + }, + { + name: "internalTrafficPolicy is local and there is zero local endpoint", + internalTrafficPolicy: &local, + featureGateOn: true, + endpoints: []endpoint{ + {"10.0.1.1", "host0"}, + {"10.0.1.2", "host1"}, + {"10.0.1.3", "host2"}, + }, + expectEndpointRule: false, + expectedIPTablesWithSlice: `*filter +:KUBE-SERVICES - [0:0] +:KUBE-EXTERNAL-SERVICES - [0:0] +:KUBE-FORWARD - [0:0] +:KUBE-NODEPORTS - [0:0] +-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no endpoints" -m tcp -p tcp -d 172.20.1.1/32 --dport 80 -j REJECT +-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +COMMIT +*nat +:KUBE-SERVICES - [0:0] +:KUBE-NODEPORTS - [0:0] +:KUBE-POSTROUTING - [0:0] +:KUBE-MARK-MASQ - [0:0] +-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN +-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000 +-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE +-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000 +-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS +COMMIT +`, + }, + { + name: "internalTrafficPolicy is local and there is non-zero local endpoint with feature gate off", + internalTrafficPolicy: &local, + featureGateOn: false, + endpoints: []endpoint{ + {"10.0.1.1", testHostname}, + {"10.0.1.2", "host1"}, + {"10.0.1.3", "host2"}, + }, + expectEndpointRule: false, + expectedIPTablesWithSlice: clusterExpectedIPTables, + }, + } + + for _, tc := range testCases { + defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceInternalTrafficPolicy, tc.featureGateOn)() + ipt := iptablestest.NewFake() + fp := NewFakeProxier(ipt, true) + fp.OnServiceSynced() + fp.OnEndpointsSynced() + fp.OnEndpointSlicesSynced() + + serviceName := "svc1" + namespaceName := "ns1" + + svc := &v1.Service{ + ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespaceName}, + Spec: v1.ServiceSpec{ + ClusterIP: "172.20.1.1", + Selector: map[string]string{"foo": "bar"}, + Ports: []v1.ServicePort{{Name: "", Port: 80, Protocol: v1.ProtocolTCP}}, + }, + } + if tc.internalTrafficPolicy != nil { + svc.Spec.InternalTrafficPolicy = tc.internalTrafficPolicy + } + + fp.OnServiceAdd(svc) + + tcpProtocol := v1.ProtocolTCP + endpointSlice := &discovery.EndpointSlice{ + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("%s-1", serviceName), + Namespace: namespaceName, + Labels: map[string]string{discovery.LabelServiceName: serviceName}, + }, + Ports: []discovery.EndpointPort{{ + Name: utilpointer.StringPtr(""), + Port: utilpointer.Int32Ptr(80), + Protocol: &tcpProtocol, + }}, + AddressType: discovery.AddressTypeIPv4, + } + for _, ep := range tc.endpoints { + endpointSlice.Endpoints = append(endpointSlice.Endpoints, discovery.Endpoint{ + Addresses: []string{ep.ip}, + Conditions: discovery.EndpointConditions{Ready: utilpointer.BoolPtr(true)}, + Topology: map[string]string{"kubernetes.io/hostname": ep.hostname}, + }) + } + + fp.OnEndpointSliceAdd(endpointSlice) + fp.syncProxyRules() + assert.Equal(t, tc.expectedIPTablesWithSlice, fp.iptablesData.String()) + + if tc.expectEndpointRule { + fp.OnEndpointSliceDelete(endpointSlice) + fp.syncProxyRules() + assert.NotEqual(t, tc.expectedIPTablesWithSlice, fp.iptablesData.String()) + } + } +} diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go index 7bb97a303cb..e084458db2d 100644 --- a/pkg/proxy/ipvs/proxier.go +++ b/pkg/proxy/ipvs/proxier.go @@ -1236,7 +1236,7 @@ func (proxier *Proxier) syncProxyRules() { activeBindAddrs[serv.Address.String()] = true // ExternalTrafficPolicy only works for NodePort and external LB traffic, does not affect ClusterIP // So we still need clusterIP rules in onlyNodeLocalEndpoints mode. - if err := proxier.syncEndpoint(svcName, false, serv); err != nil { + if err := proxier.syncEndpoint(svcName, false, svcInfo.OnlyNodeLocalEndpointsForInternal(), serv); err != nil { klog.Errorf("Failed to sync endpoint for service: %v, err: %v", serv, err) } } else { @@ -1319,7 +1319,8 @@ func (proxier *Proxier) syncProxyRules() { activeBindAddrs[serv.Address.String()] = true onlyNodeLocalEndpoints := svcInfo.OnlyNodeLocalEndpoints() - if err := proxier.syncEndpoint(svcName, onlyNodeLocalEndpoints, serv); err != nil { + onlyNodeLocalEndpointsForInternal := svcInfo.OnlyNodeLocalEndpointsForInternal() + if err := proxier.syncEndpoint(svcName, onlyNodeLocalEndpoints, onlyNodeLocalEndpointsForInternal, serv); err != nil { klog.Errorf("Failed to sync endpoint for service: %v, err: %v", serv, err) } } else { @@ -1420,7 +1421,7 @@ func (proxier *Proxier) syncProxyRules() { if err := proxier.syncService(svcNameString, serv, true, bindedAddresses); err == nil { activeIPVSServices[serv.String()] = true activeBindAddrs[serv.Address.String()] = true - if err := proxier.syncEndpoint(svcName, svcInfo.OnlyNodeLocalEndpoints(), serv); err != nil { + if err := proxier.syncEndpoint(svcName, svcInfo.OnlyNodeLocalEndpoints(), svcInfo.OnlyNodeLocalEndpointsForInternal(), serv); err != nil { klog.Errorf("Failed to sync endpoint for service: %v, err: %v", serv, err) } } else { @@ -1579,7 +1580,7 @@ func (proxier *Proxier) syncProxyRules() { // There is no need to bind Node IP to dummy interface, so set parameter `bindAddr` to `false`. if err := proxier.syncService(svcNameString, serv, false, bindedAddresses); err == nil { activeIPVSServices[serv.String()] = true - if err := proxier.syncEndpoint(svcName, svcInfo.OnlyNodeLocalEndpoints(), serv); err != nil { + if err := proxier.syncEndpoint(svcName, svcInfo.OnlyNodeLocalEndpoints(), svcInfo.OnlyNodeLocalEndpointsForInternal(), serv); err != nil { klog.Errorf("Failed to sync endpoint for service: %v, err: %v", serv, err) } } else { @@ -2030,7 +2031,7 @@ func (proxier *Proxier) syncService(svcName string, vs *utilipvs.VirtualServer, return nil } -func (proxier *Proxier) syncEndpoint(svcPortName proxy.ServicePortName, onlyNodeLocalEndpoints bool, vs *utilipvs.VirtualServer) error { +func (proxier *Proxier) syncEndpoint(svcPortName proxy.ServicePortName, onlyNodeLocalEndpoints bool, onlyNodeLocalEndpointsForInternal bool, vs *utilipvs.VirtualServer) error { appliedVirtualServer, err := proxier.ipvs.GetVirtualServer(vs) if err != nil { klog.Errorf("Failed to get IPVS service, error: %v", err) @@ -2065,6 +2066,14 @@ func (proxier *Proxier) syncEndpoint(svcPortName proxy.ServicePortName, onlyNode endpoints = proxy.FilterTopologyEndpoint(proxier.nodeLabels, proxier.serviceMap[svcPortName].TopologyKeys(), endpoints) } + // Service InternalTrafficPolicy is only enabled when all of the + // following are true: + // 1. InternalTrafficPolicy is PreferLocal or Local + // 2. ServiceInternalTrafficPolicy feature gate is on + if utilfeature.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy) && onlyNodeLocalEndpointsForInternal { + endpoints = proxy.FilterLocalEndpoint(proxier.serviceMap[svcPortName].InternalTrafficPolicy(), endpoints) + } + for _, epInfo := range endpoints { if !epInfo.IsReady() { continue diff --git a/pkg/proxy/ipvs/proxier_test.go b/pkg/proxy/ipvs/proxier_test.go index 9912244ff2a..a60cee03c2e 100644 --- a/pkg/proxy/ipvs/proxier_test.go +++ b/pkg/proxy/ipvs/proxier_test.go @@ -33,6 +33,9 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/sets" + utilfeature "k8s.io/apiserver/pkg/util/feature" + featuregatetesting "k8s.io/component-base/featuregate/testing" + "k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/proxy" "k8s.io/kubernetes/pkg/proxy/healthcheck" netlinktest "k8s.io/kubernetes/pkg/proxy/ipvs/testing" @@ -4467,3 +4470,183 @@ func TestCreateAndLinkKubeChain(t *testing.T) { assert.Equal(t, expectedNATChains, fp.natChains.String()) assert.Equal(t, expectedFilterChains, fp.filterChains.String()) } + +// This test ensures that the iptables proxier supports translating Endpoints to +// iptables output when internalTrafficPolicy is specified +func TestTestInternalTrafficPolicyE2E(t *testing.T) { + type endpoint struct { + ip string + hostname string + } + + cluster := v1.ServiceInternalTrafficPolicyCluster + local := v1.ServiceInternalTrafficPolicyLocal + + testCases := []struct { + name string + internalTrafficPolicy *v1.ServiceInternalTrafficPolicyType + endpoints []endpoint + expectVirtualServer bool + expectLocalEntries bool + expectLocalRealServerNum int + expectLocalRealServers []string + }{ + { + name: "internalTrafficPolicy is cluster with non-zero local endpoints", + internalTrafficPolicy: &cluster, + endpoints: []endpoint{ + {"10.0.1.1", testHostname}, + {"10.0.1.2", "host1"}, + {"10.0.1.3", "host2"}, + }, + expectVirtualServer: true, + expectLocalEntries: true, + expectLocalRealServerNum: 3, + expectLocalRealServers: []string{ + "10.0.1.1:80", + "10.0.1.2:80", + "10.0.1.3:80", + }, + }, + { + name: "internalTrafficPolicy is cluster with zero local endpoints", + internalTrafficPolicy: &cluster, + endpoints: []endpoint{ + {"10.0.1.1", "host0"}, + {"10.0.1.2", "host1"}, + {"10.0.1.3", "host2"}, + }, + expectVirtualServer: false, + expectLocalEntries: false, + expectLocalRealServerNum: 3, + expectLocalRealServers: []string{ + "10.0.1.1:80", + "10.0.1.2:80", + "10.0.1.3:80", + }, + }, + { + name: "internalTrafficPolicy is local with non-zero local endpoints", + internalTrafficPolicy: &local, + endpoints: []endpoint{ + {"10.0.1.1", testHostname}, + {"10.0.1.2", "host1"}, + {"10.0.1.3", "host2"}, + }, + expectVirtualServer: true, + expectLocalEntries: true, + expectLocalRealServerNum: 1, + expectLocalRealServers: []string{ + "10.0.1.1:80", + }, + }, + { + name: "internalTrafficPolicy is local with zero local endpoints", + internalTrafficPolicy: &local, + endpoints: []endpoint{ + {"10.0.1.1", "host0"}, + {"10.0.1.2", "host1"}, + {"10.0.1.3", "host2"}, + }, + expectVirtualServer: false, + expectLocalEntries: false, + expectLocalRealServerNum: 0, + expectLocalRealServers: []string{}, + }, + } + for _, tc := range testCases { + defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceInternalTrafficPolicy, true)() + + ipt := iptablestest.NewFake() + ipvs := ipvstest.NewFake() + ipset := ipsettest.NewFake(testIPSetVersion) + fp := NewFakeProxier(ipt, ipvs, ipset, nil, nil, true, v1.IPv4Protocol) + fp.servicesSynced = true + fp.endpointsSynced = true + fp.endpointSlicesSynced = true + + // Add initial service + serviceName := "svc1" + namespaceName := "ns1" + + svc := &v1.Service{ + ObjectMeta: metav1.ObjectMeta{Name: serviceName, Namespace: namespaceName}, + Spec: v1.ServiceSpec{ + ClusterIP: "172.20.1.1", + Selector: map[string]string{"foo": "bar"}, + Ports: []v1.ServicePort{{Name: "", TargetPort: intstr.FromInt(80), Protocol: v1.ProtocolTCP}}, + }, + } + if tc.internalTrafficPolicy != nil { + svc.Spec.InternalTrafficPolicy = tc.internalTrafficPolicy + } + + fp.OnServiceAdd(svc) + + // Add initial endpoint slice + tcpProtocol := v1.ProtocolTCP + endpointSlice := &discovery.EndpointSlice{ + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("%s-1", serviceName), + Namespace: namespaceName, + Labels: map[string]string{discovery.LabelServiceName: serviceName}, + }, + Ports: []discovery.EndpointPort{{ + Name: utilpointer.StringPtr(""), + Port: utilpointer.Int32Ptr(80), + Protocol: &tcpProtocol, + }}, + AddressType: discovery.AddressTypeIPv4, + } + + for _, ep := range tc.endpoints { + endpointSlice.Endpoints = append(endpointSlice.Endpoints, discovery.Endpoint{ + Addresses: []string{ep.ip}, + Conditions: discovery.EndpointConditions{Ready: utilpointer.BoolPtr(true)}, + Topology: map[string]string{"kubernetes.io/hostname": ep.hostname}, + }) + } + + fp.OnEndpointSliceAdd(endpointSlice) + fp.syncProxyRules() + + // Ensure that Proxier updates ipvs appropriately after EndpointSlice update + assert.NotNil(t, fp.ipsetList["KUBE-LOOP-BACK"]) + + activeEntries1 := fp.ipsetList["KUBE-LOOP-BACK"].activeEntries + + if tc.expectLocalEntries { + assert.Equal(t, 1, activeEntries1.Len(), "Expected 1 active entry in KUBE-LOOP-BACK") + } else { + assert.Equal(t, 0, activeEntries1.Len(), "Expected no active entry in KUBE-LOOP-BACK") + } + + if tc.expectVirtualServer { + virtualServers1, vsErr1 := ipvs.GetVirtualServers() + assert.Nil(t, vsErr1, "Expected no error getting virtual servers") + + assert.Len(t, virtualServers1, 1, "Expected 1 virtual server") + realServers1, rsErr1 := ipvs.GetRealServers(virtualServers1[0]) + assert.Nil(t, rsErr1, "Expected no error getting real servers") + + assert.Len(t, realServers1, tc.expectLocalRealServerNum, fmt.Sprintf("Expected %d real servers", tc.expectLocalRealServerNum)) + for i := 0; i < tc.expectLocalRealServerNum; i++ { + assert.Equal(t, realServers1[i].String(), tc.expectLocalRealServers[i]) + } + } + + fp.OnEndpointSliceDelete(endpointSlice) + fp.syncProxyRules() + + // Ensure that Proxier updates ipvs appropriately after EndpointSlice delete + assert.NotNil(t, fp.ipsetList["KUBE-LOOP-BACK"]) + activeEntries3 := fp.ipsetList["KUBE-LOOP-BACK"].activeEntries + assert.Equal(t, 0, activeEntries3.Len(), "Expected 0 active entries in KUBE-LOOP-BACK") + virtualServers2, vsErr2 := ipvs.GetVirtualServers() + assert.Nil(t, vsErr2, "Expected no error getting virtual servers") + assert.Len(t, virtualServers2, 1, "Expected 1 virtual server") + realServers2, rsErr2 := ipvs.GetRealServers(virtualServers2[0]) + assert.Nil(t, rsErr2, "Expected no error getting real servers") + assert.Len(t, realServers2, 0, "Expected 0 real servers") + } +} diff --git a/pkg/proxy/service.go b/pkg/proxy/service.go index 32b1d0a74eb..a25ecc17041 100644 --- a/pkg/proxy/service.go +++ b/pkg/proxy/service.go @@ -28,8 +28,10 @@ import ( v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" + utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/client-go/tools/record" apiservice "k8s.io/kubernetes/pkg/api/v1/service" + "k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/proxy/metrics" utilproxy "k8s.io/kubernetes/pkg/proxy/util" ) @@ -39,18 +41,20 @@ import ( // or can be used for constructing a more specific ServiceInfo struct // defined by the proxier if needed. type BaseServiceInfo struct { - clusterIP net.IP - port int - protocol v1.Protocol - nodePort int - loadBalancerStatus v1.LoadBalancerStatus - sessionAffinityType v1.ServiceAffinity - stickyMaxAgeSeconds int - externalIPs []string - loadBalancerSourceRanges []string - healthCheckNodePort int - onlyNodeLocalEndpoints bool - topologyKeys []string + clusterIP net.IP + port int + protocol v1.Protocol + nodePort int + loadBalancerStatus v1.LoadBalancerStatus + sessionAffinityType v1.ServiceAffinity + stickyMaxAgeSeconds int + externalIPs []string + loadBalancerSourceRanges []string + healthCheckNodePort int + onlyNodeLocalEndpoints bool + onlyNodeLocalEndpointsForInternal bool + internalTrafficPolicy *v1.ServiceInternalTrafficPolicyType + topologyKeys []string } var _ ServicePort = &BaseServiceInfo{} @@ -119,6 +123,16 @@ func (info *BaseServiceInfo) OnlyNodeLocalEndpoints() bool { return info.onlyNodeLocalEndpoints } +// OnlyNodeLocalEndpointsForInternal is part of ServicePort interface +func (info *BaseServiceInfo) OnlyNodeLocalEndpointsForInternal() bool { + return info.onlyNodeLocalEndpointsForInternal +} + +// InternalTrafficPolicy is part of ServicePort interface +func (info *BaseServiceInfo) InternalTrafficPolicy() *v1.ServiceInternalTrafficPolicyType { + return info.internalTrafficPolicy +} + // TopologyKeys is part of ServicePort interface. func (info *BaseServiceInfo) TopologyKeys() []string { return info.topologyKeys @@ -129,6 +143,10 @@ func (sct *ServiceChangeTracker) newBaseServiceInfo(port *v1.ServicePort, servic if apiservice.RequestsOnlyLocalTraffic(service) { onlyNodeLocalEndpoints = true } + onlyNodeLocalEndpointsForInternal := false + if utilfeature.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy) { + onlyNodeLocalEndpointsForInternal = apiservice.RequestsOnlyLocalTrafficForInternal(service) + } var stickyMaxAgeSeconds int if service.Spec.SessionAffinity == v1.ServiceAffinityClientIP { // Kube-apiserver side guarantees SessionAffinityConfig won't be nil when session affinity type is ClientIP @@ -137,14 +155,16 @@ func (sct *ServiceChangeTracker) newBaseServiceInfo(port *v1.ServicePort, servic clusterIP := utilproxy.GetClusterIPByFamily(sct.ipFamily, service) info := &BaseServiceInfo{ - clusterIP: net.ParseIP(clusterIP), - port: int(port.Port), - protocol: port.Protocol, - nodePort: int(port.NodePort), - sessionAffinityType: service.Spec.SessionAffinity, - stickyMaxAgeSeconds: stickyMaxAgeSeconds, - onlyNodeLocalEndpoints: onlyNodeLocalEndpoints, - topologyKeys: service.Spec.TopologyKeys, + clusterIP: net.ParseIP(clusterIP), + port: int(port.Port), + protocol: port.Protocol, + nodePort: int(port.NodePort), + sessionAffinityType: service.Spec.SessionAffinity, + stickyMaxAgeSeconds: stickyMaxAgeSeconds, + onlyNodeLocalEndpoints: onlyNodeLocalEndpoints, + onlyNodeLocalEndpointsForInternal: onlyNodeLocalEndpointsForInternal, + internalTrafficPolicy: service.Spec.InternalTrafficPolicy, + topologyKeys: service.Spec.TopologyKeys, } loadBalancerSourceRanges := make([]string, len(service.Spec.LoadBalancerSourceRanges)) diff --git a/pkg/proxy/topology.go b/pkg/proxy/topology.go index 9694774e700..b272f365257 100644 --- a/pkg/proxy/topology.go +++ b/pkg/proxy/topology.go @@ -18,6 +18,8 @@ package proxy import ( v1 "k8s.io/api/core/v1" + utilfeature "k8s.io/apiserver/pkg/util/feature" + "k8s.io/kubernetes/pkg/features" ) // FilterTopologyEndpoint returns the appropriate endpoints based on the cluster @@ -44,7 +46,7 @@ func FilterTopologyEndpoint(nodeLabels map[string]string, topologyKeys []string, return endpoints } - filteredEndpoint := []Endpoint{} + filteredEndpoints := []Endpoint{} if len(nodeLabels) == 0 { if topologyKeys[len(topologyKeys)-1] == v1.TopologyKeyAny { @@ -54,7 +56,7 @@ func FilterTopologyEndpoint(nodeLabels map[string]string, topologyKeys []string, } // edge case: do not include any endpoints if topology key "Any" is // not specified when we cannot determine current node's topology. - return filteredEndpoint + return filteredEndpoints } for _, key := range topologyKeys { @@ -69,12 +71,40 @@ func FilterTopologyEndpoint(nodeLabels map[string]string, topologyKeys []string, for _, ep := range endpoints { topology := ep.GetTopology() if value, found := topology[key]; found && value == topologyValue { - filteredEndpoint = append(filteredEndpoint, ep) + filteredEndpoints = append(filteredEndpoints, ep) } } - if len(filteredEndpoint) > 0 { - return filteredEndpoint + if len(filteredEndpoints) > 0 { + return filteredEndpoints } } - return filteredEndpoint + return filteredEndpoints +} + +// FilterLocalEndpoint returns the node local endpoints based on configured +// InternalTrafficPolicy. +// +// If ServiceInternalTrafficPolicy feature gate is off, returns the original +// endpoints slice. +// Otherwise, if InternalTrafficPolicy is Local, only return the node local endpoints. +func FilterLocalEndpoint(internalTrafficPolicy *v1.ServiceInternalTrafficPolicyType, endpoints []Endpoint) []Endpoint { + if !utilfeature.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy) { + return endpoints + } + if internalTrafficPolicy == nil || *internalTrafficPolicy == v1.ServiceInternalTrafficPolicyCluster { + return endpoints + } + + var filteredEndpoints []Endpoint + + // Get all the local endpoints + for _, ep := range endpoints { + if ep.GetIsLocal() { + filteredEndpoints = append(filteredEndpoints, ep) + } + } + + // When internalTrafficPolicy is Local, only return the node local + // endpoints + return filteredEndpoints } diff --git a/pkg/proxy/topology_test.go b/pkg/proxy/topology_test.go index c874e0217c1..9f501152f3a 100644 --- a/pkg/proxy/topology_test.go +++ b/pkg/proxy/topology_test.go @@ -22,6 +22,9 @@ import ( v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" + utilfeature "k8s.io/apiserver/pkg/util/feature" + featuregatetesting "k8s.io/component-base/featuregate/testing" + "k8s.io/kubernetes/pkg/features" ) func TestFilterTopologyEndpoint(t *testing.T) { @@ -476,3 +479,97 @@ func TestFilterTopologyEndpoint(t *testing.T) { }) } } + +func TestFilterLocalEndpoint(t *testing.T) { + cluster := v1.ServiceInternalTrafficPolicyCluster + local := v1.ServiceInternalTrafficPolicyLocal + + testCases := []struct { + name string + internalTrafficPolicy *v1.ServiceInternalTrafficPolicyType + endpoints []Endpoint + expected []Endpoint + featureGateOn bool + }{ + { + name: "no internalTrafficPolicy with empty endpoints", + internalTrafficPolicy: nil, + endpoints: []Endpoint{}, + expected: []Endpoint{}, + featureGateOn: true, + }, + { + name: "no internalTrafficPolicy with non-empty endpoints", + internalTrafficPolicy: nil, + endpoints: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: true}, + &BaseEndpointInfo{Endpoint: "10.0.0.1:80", IsLocal: false}, + }, + expected: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: true}, + &BaseEndpointInfo{Endpoint: "10.0.0.1:80", IsLocal: false}, + }, + featureGateOn: true, + }, + { + name: "internalTrafficPolicy is cluster", + internalTrafficPolicy: &cluster, + endpoints: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: true}, + &BaseEndpointInfo{Endpoint: "10.0.0.1:80", IsLocal: false}, + }, + expected: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: true}, + &BaseEndpointInfo{Endpoint: "10.0.0.1:80", IsLocal: false}, + }, + featureGateOn: true, + }, + { + name: "internalTrafficPolicy is local with non-zero local endpoints", + internalTrafficPolicy: &local, + endpoints: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: true}, + &BaseEndpointInfo{Endpoint: "10.0.0.1:80", IsLocal: false}, + }, + expected: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: true}, + }, + featureGateOn: true, + }, + { + name: "internalTrafficPolicy is local with zero local endpoints", + internalTrafficPolicy: &local, + endpoints: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: false}, + &BaseEndpointInfo{Endpoint: "10.0.0.1:80", IsLocal: false}, + &BaseEndpointInfo{Endpoint: "10.0.0.2:80", IsLocal: false}, + }, + expected: nil, + featureGateOn: true, + }, + { + name: "feature gate is off, internalTrafficPolicy is local with non-empty endpoints", + internalTrafficPolicy: &local, + endpoints: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: true}, + &BaseEndpointInfo{Endpoint: "10.0.0.1:80", IsLocal: false}, + &BaseEndpointInfo{Endpoint: "10.0.0.2:80", IsLocal: false}, + }, + expected: []Endpoint{ + &BaseEndpointInfo{Endpoint: "10.0.0.0:80", IsLocal: true}, + &BaseEndpointInfo{Endpoint: "10.0.0.1:80", IsLocal: false}, + &BaseEndpointInfo{Endpoint: "10.0.0.2:80", IsLocal: false}, + }, + featureGateOn: false, + }, + } + for _, tc := range testCases { + defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceInternalTrafficPolicy, tc.featureGateOn)() + t.Run(tc.name, func(t *testing.T) { + filteredEndpoint := FilterLocalEndpoint(tc.internalTrafficPolicy, tc.endpoints) + if !reflect.DeepEqual(filteredEndpoint, tc.expected) { + t.Errorf("expected %v, got %v", tc.expected, filteredEndpoint) + } + }) + } +} diff --git a/pkg/proxy/types.go b/pkg/proxy/types.go index 96ccb403295..d88f2f826ff 100644 --- a/pkg/proxy/types.go +++ b/pkg/proxy/types.go @@ -85,6 +85,10 @@ type ServicePort interface { NodePort() int // GetOnlyNodeLocalEndpoints returns if a service has only node local endpoints OnlyNodeLocalEndpoints() bool + // OnlyNodeLocalEndpointsForInternal returns if a service prefers routing to node local endpoints for internal traffic + OnlyNodeLocalEndpointsForInternal() bool + // InternalTrafficPolicy returns service InternalTrafficPolicy + InternalTrafficPolicy() *v1.ServiceInternalTrafficPolicyType // TopologyKeys returns service TopologyKeys as a string array. TopologyKeys() []string } diff --git a/pkg/registry/core/service/strategy.go b/pkg/registry/core/service/strategy.go index 6ff69cb5a32..e3c31dee967 100644 --- a/pkg/registry/core/service/strategy.go +++ b/pkg/registry/core/service/strategy.go @@ -156,7 +156,7 @@ func dropServiceDisabledFields(newSvc *api.Service, oldSvc *api.Service) { newSvc.Spec.TopologyKeys = nil } - // Clear AllocateLoadBalancerNodePorts if ServiceLBNodePortControl if not enabled + // Clear AllocateLoadBalancerNodePorts if ServiceLBNodePortControl is not enabled if !utilfeature.DefaultFeatureGate.Enabled(features.ServiceLBNodePortControl) { if !allocateLoadBalancerNodePortsInUse(oldSvc) { newSvc.Spec.AllocateLoadBalancerNodePorts = nil @@ -180,6 +180,13 @@ func dropServiceDisabledFields(newSvc *api.Service, oldSvc *api.Service) { newSvc.Spec.LoadBalancerClass = nil } } + + // Clear InternalTrafficPolicy if not enabled + if !utilfeature.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy) { + if !serviceInternalTrafficPolicyInUse(oldSvc) { + newSvc.Spec.InternalTrafficPolicy = nil + } + } } // returns true if svc.Spec.AllocateLoadBalancerNodePorts field is in use @@ -240,6 +247,13 @@ func loadBalancerClassInUse(svc *api.Service) bool { return svc.Spec.LoadBalancerClass != nil } +func serviceInternalTrafficPolicyInUse(svc *api.Service) bool { + if svc == nil { + return false + } + return svc.Spec.InternalTrafficPolicy != nil +} + type serviceStatusStrategy struct { Strategy } diff --git a/pkg/registry/core/service/strategy_test.go b/pkg/registry/core/service/strategy_test.go index c3917210090..84c8ba2668b 100644 --- a/pkg/registry/core/service/strategy_test.go +++ b/pkg/registry/core/service/strategy_test.go @@ -257,19 +257,30 @@ func makeServiceWithLoadBalancerClass(loadBalancerClass *string) *api.Service { } } +func makeServiceWithInternalTrafficPolicy(policy *api.ServiceInternalTrafficPolicyType) *api.Service { + return &api.Service{ + Spec: api.ServiceSpec{ + InternalTrafficPolicy: policy, + }, + } +} + func TestDropDisabledField(t *testing.T) { requireDualStack := api.IPFamilyPolicyRequireDualStack preferDualStack := api.IPFamilyPolicyPreferDualStack singleStack := api.IPFamilyPolicySingleStack + localInternalTrafficPolicy := api.ServiceInternalTrafficPolicyLocal + testCases := []struct { - name string - enableDualStack bool - enableMixedProtocol bool - enableLoadBalancerClass bool - svc *api.Service - oldSvc *api.Service - compareSvc *api.Service + name string + enableDualStack bool + enableMixedProtocol bool + enableLoadBalancerClass bool + enableInternalTrafficPolicy bool + svc *api.Service + oldSvc *api.Service + compareSvc *api.Service }{ { name: "not dual stack, field not used", @@ -500,6 +511,28 @@ func TestDropDisabledField(t *testing.T) { oldSvc: makeServiceWithLoadBalancerClass(utilpointer.StringPtr("test.com/test")), compareSvc: makeServiceWithLoadBalancerClass(nil), }, + /* svc.spec.internalTrafficPolicy */ + { + name: "internal traffic policy not enabled, field used in old, not used in new", + enableInternalTrafficPolicy: false, + svc: makeServiceWithInternalTrafficPolicy(nil), + oldSvc: makeServiceWithInternalTrafficPolicy(&localInternalTrafficPolicy), + compareSvc: makeServiceWithInternalTrafficPolicy(nil), + }, + { + name: "internal traffic policy not enabled, field not used in old, used in new", + enableInternalTrafficPolicy: false, + svc: makeServiceWithInternalTrafficPolicy(&localInternalTrafficPolicy), + oldSvc: makeServiceWithInternalTrafficPolicy(nil), + compareSvc: makeServiceWithInternalTrafficPolicy(nil), + }, + { + name: "internal traffic policy enabled, field not used in old, used in new", + enableInternalTrafficPolicy: true, + svc: makeServiceWithInternalTrafficPolicy(&localInternalTrafficPolicy), + oldSvc: makeServiceWithInternalTrafficPolicy(nil), + compareSvc: makeServiceWithInternalTrafficPolicy(&localInternalTrafficPolicy), + }, /* add more tests for other dropped fields as needed */ } for _, tc := range testCases { @@ -507,12 +540,13 @@ func TestDropDisabledField(t *testing.T) { defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.IPv6DualStack, tc.enableDualStack)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MixedProtocolLBService, tc.enableMixedProtocol)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceLoadBalancerClass, tc.enableLoadBalancerClass)() + defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceInternalTrafficPolicy, tc.enableInternalTrafficPolicy)() old := tc.oldSvc.DeepCopy() // to test against user using IPFamily not set on cluster dropServiceDisabledFields(tc.svc, tc.oldSvc) - // old node should never be changed + // old node should never be changed if !reflect.DeepEqual(tc.oldSvc, old) { t.Errorf("%v: old svc changed: %v", tc.name, diff.ObjectReflectDiff(tc.oldSvc, old)) } diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go index 563217a4292..e759f00b8cd 100644 --- a/staging/src/k8s.io/api/core/v1/types.go +++ b/staging/src/k8s.io/api/core/v1/types.go @@ -3940,6 +3940,19 @@ const ( ServiceTypeExternalName ServiceType = "ExternalName" ) +// ServiceInternalTrafficPolicyType describes the type of traffic routing for +// internal traffic +type ServiceInternalTrafficPolicyType string + +const ( + // ServiceInternalTrafficPolicyCluster routes traffic to all endpoints + ServiceInternalTrafficPolicyCluster ServiceInternalTrafficPolicyType = "Cluster" + + // ServiceInternalTrafficPolicyLocal only routes to node-local + // endpoints, otherwise drops the traffic + ServiceInternalTrafficPolicyLocal ServiceInternalTrafficPolicyType = "Local" +) + // Service External Traffic Policy Type string type ServiceExternalTrafficPolicyType string @@ -4272,9 +4285,19 @@ type ServiceSpec struct { // implementation (e.g. cloud providers) should ignore Services that set this field. // This field can only be set when creating or updating a Service to type 'LoadBalancer'. // Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - // featureGate=LoadBalancerClass + // +featureGate=LoadBalancerClass // +optional LoadBalancerClass *string `json:"loadBalancerClass,omitempty" protobuf:"bytes,21,opt,name=loadBalancerClass"` + + // InternalTrafficPolicy specifies if the cluster internal traffic + // should be routed to all endpoints or node-local endpoints only. + // "Cluster" routes internal traffic to a Service to all endpoints. + // "Local" routes traffic to node-local endpoints only, traffic is + // dropped if no node-local endpoints are ready. + // The default value is "Cluster". + // +featureGate=ServiceInternalTrafficPolicy + // +optional + InternalTrafficPolicy *ServiceInternalTrafficPolicyType `json:"internalTrafficPolicy,omitempty" protobuf:"bytes,22,opt,name=internalTrafficPolicy"` } // ServicePort contains information on service's port. diff --git a/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go index 5ccdaffd0fa..9cef7c2100f 100644 --- a/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go @@ -2258,6 +2258,7 @@ var map_ServiceSpec = map[string]string{ "ipFamilyPolicy": "IPFamilyPolicy represents the dual-stack-ness requested or required by this Service, and is gated by the \"IPv6DualStack\" feature gate. If there is no value provided, then this field will be set to SingleStack. Services can be \"SingleStack\" (a single IP family), \"PreferDualStack\" (two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or \"RequireDualStack\" (two IP families on dual-stack configured clusters, otherwise fail). The ipFamilies and clusterIPs fields depend on the value of this field. This field will be wiped when updating a service to type ExternalName.", "allocateLoadBalancerNodePorts": "allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer. Default is \"true\". It may be set to \"false\" if the cluster load-balancer does not rely on NodePorts. allocateLoadBalancerNodePorts may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is alpha-level and is only honored by servers that enable the ServiceLBNodePortControl feature.", "loadBalancerClass": "loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. \"internal-vip\" or \"example.com/internal-vip\". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. featureGate=LoadBalancerClass", + "internalTrafficPolicy": "InternalTrafficPolicy specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. \"Cluster\" routes internal traffic to a Service to all endpoints. \"Local\" routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. featureGate=ServiceInternalTrafficPolicy", } func (ServiceSpec) SwaggerDoc() map[string]string { diff --git a/staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go index 79e3c7af00a..6cb291b71be 100644 --- a/staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go @@ -5350,6 +5350,11 @@ func (in *ServiceSpec) DeepCopyInto(out *ServiceSpec) { *out = new(string) **out = **in } + if in.InternalTrafficPolicy != nil { + in, out := &in.InternalTrafficPolicy, &out.InternalTrafficPolicy + *out = new(ServiceInternalTrafficPolicyType) + **out = **in + } return } diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.json b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.json index 8d1a56da22a..52ea73086ef 100644 --- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.json +++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.json @@ -84,7 +84,8 @@ ], "ipFamilyPolicy": "9ȫŚ", "allocateLoadBalancerNodePorts": true, - "loadBalancerClass": "31" + "loadBalancerClass": "31", + "internalTrafficPolicy": "" }, "status": { "loadBalancer": { @@ -94,8 +95,8 @@ "hostname": "33", "ports": [ { - "port": -907310967, - "protocol": "喂ƈ斎AO6", + "port": 684408190, + "protocol": "ƈ斎AO6ĴC浔Ű", "error": "34" } ] @@ -105,9 +106,9 @@ "conditions": [ { "type": "35", - "status": "C", - "observedGeneration": -2492120148461555858, - "lastTransitionTime": "2392-12-09T15:37:55Z", + "status": "ž(-譵", + "observedGeneration": -8651056334266075769, + "lastTransitionTime": "2404-01-10T11:35:42Z", "reason": "36", "message": "37" } diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.pb b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.pb index 9d52060f2a15dccdb989f71a325f956dbde07821..eff2532121d40eca4385ba202101ab64ebe63343 100644 GIT binary patch delta 104 zcmV-u0GI!S1d0TZ6anzD6`BECRthKzCJF*GG7$Sm_!_oMM0U`(pj{1OuGY|kO0y8!; K0y8%n03rZj%_HLg delta 98 zcmeBTXV=q$$204@zKH7+J&BOxYZVJ|M?FDj6&Q`r!^hxcs8xi z(cesp$=F0l1*pzch|yW%-M!bV?(FT|dY4g&gX8jznRg5Y7_^v-&5W3g&7~NW7yzaP BA-(_r diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.yaml b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.yaml index 3e51ddd5b70..863435cefd3 100644 --- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.yaml +++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Service.yaml @@ -39,6 +39,7 @@ spec: externalName: "29" externalTrafficPolicy: ƏS$+½H牗洝尿 healthCheckNodePort: -1965738697 + internalTrafficPolicy: "" ipFamilies: - 斬³;Ơ歿:狞夌碕ʂɭîcP$Iņɖ ipFamilyPolicy: 9ȫŚ @@ -65,11 +66,11 @@ spec: type: 鮽ort昍řČ扷5ƗǸƢ6/ʕVŚ(Ŀ status: conditions: - - lastTransitionTime: "2392-12-09T15:37:55Z" + - lastTransitionTime: "2404-01-10T11:35:42Z" message: "37" - observedGeneration: -2492120148461555858 + observedGeneration: -8651056334266075769 reason: "36" - status: C + status: ž(-譵 type: "35" loadBalancer: ingress: @@ -77,5 +78,5 @@ status: ip: "32" ports: - error: "34" - port: -907310967 - protocol: 喂ƈ斎AO6 + port: 684408190 + protocol: ƈ斎AO6ĴC浔Ű diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicespec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicespec.go index 69162286009..99361cecf06 100644 --- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicespec.go +++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicespec.go @@ -44,6 +44,7 @@ type ServiceSpecApplyConfiguration struct { IPFamilyPolicy *corev1.IPFamilyPolicyType `json:"ipFamilyPolicy,omitempty"` AllocateLoadBalancerNodePorts *bool `json:"allocateLoadBalancerNodePorts,omitempty"` LoadBalancerClass *string `json:"loadBalancerClass,omitempty"` + InternalTrafficPolicy *corev1.ServiceInternalTrafficPolicyType `json:"internalTrafficPolicy,omitempty"` } // ServiceSpecApplyConfiguration constructs an declarative configuration of the ServiceSpec type for use with @@ -224,3 +225,11 @@ func (b *ServiceSpecApplyConfiguration) WithLoadBalancerClass(value string) *Ser b.LoadBalancerClass = &value return b } + +// WithInternalTrafficPolicy sets the InternalTrafficPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the InternalTrafficPolicy field is set to the value of the last call. +func (b *ServiceSpecApplyConfiguration) WithInternalTrafficPolicy(value corev1.ServiceInternalTrafficPolicyType) *ServiceSpecApplyConfiguration { + b.InternalTrafficPolicy = &value + return b +}