Update API docs that are shared between VAP and MAP
Co-authored-by: Tim Bannister <tim@scalefactory.com>
parent
c9024e7ae6
commit
93d66a216f
@ -92,9 +92,9 @@ const (
|
|||||||
type FailurePolicyType string
|
type FailurePolicyType string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// Ignore means that an error calling the webhook is ignored.
|
// Ignore means that an error calling the admission webhook or admission policy is ignored.
|
||||||
Ignore FailurePolicyType = "Ignore"
|
Ignore FailurePolicyType = "Ignore"
|
||||||
// Fail means that an error calling the webhook causes the admission to fail.
|
// Fail means that an error calling the admission webhook or admission policy causes resource admission to fail.
|
||||||
Fail FailurePolicyType = "Fail"
|
Fail FailurePolicyType = "Fail"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -102,9 +102,10 @@ const (
|
|||||||
type MatchPolicyType string
|
type MatchPolicyType string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// Exact means requests should only be sent to the webhook if they exactly match a given rule
|
// Exact means requests should only be sent to the admission webhook or admission policy if they exactly match a given rule.
|
||||||
Exact MatchPolicyType = "Exact"
|
Exact MatchPolicyType = "Exact"
|
||||||
// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
|
// Equivalent means requests should be sent to the admission webhook or admission policy if they modify a resource listed
|
||||||
|
// in rules via another API group or version.
|
||||||
Equivalent MatchPolicyType = "Equivalent"
|
Equivalent MatchPolicyType = "Equivalent"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -617,9 +618,9 @@ type MatchResources struct {
|
|||||||
// Default to the empty LabelSelector, which matches everything.
|
// Default to the empty LabelSelector, which matches everything.
|
||||||
// +optional
|
// +optional
|
||||||
NamespaceSelector *metav1.LabelSelector
|
NamespaceSelector *metav1.LabelSelector
|
||||||
// ObjectSelector decides whether to run the validation based on if the
|
// ObjectSelector decides whether to run the policy based on if the
|
||||||
// object has matching labels. objectSelector is evaluated against both
|
// object has matching labels. objectSelector is evaluated against both
|
||||||
// the oldObject and newObject that would be sent to the cel validation, and
|
// the oldObject and newObject that would be sent to the cel policy, and
|
||||||
// is considered to match if either object matches the selector. A null
|
// is considered to match if either object matches the selector. A null
|
||||||
// object (oldObject in the case of create, or newObject in the case of
|
// object (oldObject in the case of create, or newObject in the case of
|
||||||
// delete) or an object that cannot have labels (like a
|
// delete) or an object that cannot have labels (like a
|
||||||
@ -630,12 +631,14 @@ type MatchResources struct {
|
|||||||
// Default to the empty LabelSelector, which matches everything.
|
// Default to the empty LabelSelector, which matches everything.
|
||||||
// +optional
|
// +optional
|
||||||
ObjectSelector *metav1.LabelSelector
|
ObjectSelector *metav1.LabelSelector
|
||||||
// ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
|
// ResourceRules describes what operations on what resources/subresources the policy matches.
|
||||||
// The policy cares about an operation if it matches _any_ Rule.
|
// The policy cares about an operation if it matches _any_ Rule.
|
||||||
|
// +listType=atomic
|
||||||
// +optional
|
// +optional
|
||||||
ResourceRules []NamedRuleWithOperations
|
ResourceRules []NamedRuleWithOperations
|
||||||
// ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
|
// ExcludeResourceRules describes what operations on what resources/subresources the policy should not care about.
|
||||||
// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
|
// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
|
||||||
|
// +listType=atomic
|
||||||
// +optional
|
// +optional
|
||||||
ExcludeResourceRules []NamedRuleWithOperations
|
ExcludeResourceRules []NamedRuleWithOperations
|
||||||
// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
|
// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
|
||||||
@ -644,12 +647,12 @@ type MatchResources struct {
|
|||||||
// - Exact: match a request only if it exactly matches a specified rule.
|
// - Exact: match a request only if it exactly matches a specified rule.
|
||||||
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
||||||
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
||||||
// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
|
// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the policy.
|
||||||
//
|
//
|
||||||
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
|
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
|
||||||
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
||||||
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
||||||
// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
|
// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the policy.
|
||||||
//
|
//
|
||||||
// Defaults to "Equivalent"
|
// Defaults to "Equivalent"
|
||||||
// +optional
|
// +optional
|
||||||
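Review bot: The rewritten `Ignore` comment in the FailurePolicyType hunk still does not say what happens to the request. With this value an error in the webhook or policy is skipped and the API request is allowed to continue, which is the fail-open behaviour an operator choosing between `Ignore` and `Fail` most needs to see. I would write `// Ignore means that an error calling the admission webhook or admission policy is ignored and the request is allowed to continue.` The identical sentence in the FailurePolicyType hunk of the second file section on this page should get the same wording.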
|
@ -56,9 +56,9 @@ const (
|
|||||||
type FailurePolicyType string
|
type FailurePolicyType string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// Ignore means that an error calling the webhook is ignored.
|
// Ignore means that an error calling the admission webhook or admission policy is ignored.
|
||||||
Ignore FailurePolicyType = "Ignore"
|
Ignore FailurePolicyType = "Ignore"
|
||||||
// Fail means that an error calling the webhook causes the admission to fail.
|
// Fail means that an error calling the admission webhook or admission policy causes resource admission to fail.
|
||||||
Fail FailurePolicyType = "Fail"
|
Fail FailurePolicyType = "Fail"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -67,9 +67,11 @@ const (
|
|||||||
type MatchPolicyType string
|
type MatchPolicyType string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// Exact means requests should only be sent to the webhook if they exactly match a given rule.
|
// Exact means requests should only be sent to the admission webhook or admission policy if they exactly match a given rule.
|
||||||
Exact MatchPolicyType = "Exact"
|
Exact MatchPolicyType = "Exact"
|
||||||
// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
|
// Equivalent means requests should be sent to the admission webhook or admission policy if they modify a resource listed
|
||||||
|
// in rules via an equivalent API group or version. For example, `autoscaling/v1` and `autoscaling/v2`
|
||||||
|
// HorizontalPodAutoscalers are equivalent: the same set of resources appear via both APIs.
|
||||||
Equivalent MatchPolicyType = "Equivalent"
|
Equivalent MatchPolicyType = "Equivalent"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -577,9 +579,9 @@ type MatchResources struct {
|
|||||||
// Default to the empty LabelSelector, which matches everything.
|
// Default to the empty LabelSelector, which matches everything.
|
||||||
// +optional
|
// +optional
|
||||||
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,1,opt,name=namespaceSelector"`
|
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,1,opt,name=namespaceSelector"`
|
||||||
// ObjectSelector decides whether to run the validation based on if the
|
// ObjectSelector decides whether to run the policy based on if the
|
||||||
// object has matching labels. objectSelector is evaluated against both
|
// object has matching labels. objectSelector is evaluated against both
|
||||||
// the oldObject and newObject that would be sent to the cel validation, and
|
// the oldObject and newObject that would be sent to the policy's expression (CEL), and
|
||||||
// is considered to match if either object matches the selector. A null
|
// is considered to match if either object matches the selector. A null
|
||||||
// object (oldObject in the case of create, or newObject in the case of
|
// object (oldObject in the case of create, or newObject in the case of
|
||||||
// delete) or an object that cannot have labels (like a
|
// delete) or an object that cannot have labels (like a
|
||||||
@ -590,12 +592,12 @@ type MatchResources struct {
|
|||||||
// Default to the empty LabelSelector, which matches everything.
|
// Default to the empty LabelSelector, which matches everything.
|
||||||
// +optional
|
// +optional
|
||||||
ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,2,opt,name=objectSelector"`
|
ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,2,opt,name=objectSelector"`
|
||||||
// ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
|
// ResourceRules describes what operations on what resources/subresources the admission policy matches.
|
||||||
// The policy cares about an operation if it matches _any_ Rule.
|
// The policy cares about an operation if it matches _any_ Rule.
|
||||||
// +listType=atomic
|
// +listType=atomic
|
||||||
// +optional
|
// +optional
|
||||||
ResourceRules []NamedRuleWithOperations `json:"resourceRules,omitempty" protobuf:"bytes,3,rep,name=resourceRules"`
|
ResourceRules []NamedRuleWithOperations `json:"resourceRules,omitempty" protobuf:"bytes,3,rep,name=resourceRules"`
|
||||||
// ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
|
// ExcludeResourceRules describes what operations on what resources/subresources the policy should not care about.
|
||||||
// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
|
// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
|
||||||
// +listType=atomic
|
// +listType=atomic
|
||||||
// +optional
|
// +optional
|
||||||
@ -606,12 +608,13 @@ type MatchResources struct {
|
|||||||
// - Exact: match a request only if it exactly matches a specified rule.
|
// - Exact: match a request only if it exactly matches a specified rule.
|
||||||
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
||||||
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
||||||
// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
|
// the admission policy does not consider requests to apps/v1beta1 or extensions/v1beta1 API groups.
|
||||||
//
|
//
|
||||||
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
|
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
|
||||||
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
||||||
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
||||||
// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
|
// the admission policy **does** consider requests made to apps/v1beta1 or extensions/v1beta1
|
||||||
|
// API groups. The API server translates the request to a matched resource API if necessary.
|
||||||
//
|
//
|
||||||
// Defaults to "Equivalent"
|
// Defaults to "Equivalent"
|
||||||
// +optional
|
// +optional
|
||||||
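Review bot: In the last matchPolicy hunk the rewritten Exact example calls `apps/v1beta1` and `extensions/v1beta1` "API groups", but both are group/version pairs (the groups are `apps` and `extensions`). "Does not consider" also hides the consequence that such requests proceed without the policy being evaluated. I would word the Exact line as `// requests to apps/v1beta1 or extensions/v1beta1 are not evaluated by the admission policy.` and drop "API groups" from the Equivalent example too. The first file section on this page keeps the older "would not be sent to the policy" and "would be converted to apps/v1" wording for the same field, and its `Equivalent` constant comment lacks the autoscaling example added here, so the two copies of this documentation now differ. The struct field these comments describe lies past the end of the hunk.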
|