287 lines
15 KiB
Go
287 lines
15 KiB
Go
/*
|
|
Copyright The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
// Code generated by applyconfiguration-gen. DO NOT EDIT.
|
|
|
|
package v1beta1
|
|
|
|
import (
|
|
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
|
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
|
v1 "k8s.io/client-go/applyconfigurations/admissionregistration/v1"
|
|
metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
|
|
)
|
|
|
|
// MutatingWebhookApplyConfiguration represents a declarative configuration of the MutatingWebhook type for use
|
|
// with apply.
|
|
//
|
|
// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
|
|
type MutatingWebhookApplyConfiguration struct {
|
|
// The name of the admission webhook.
|
|
// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
|
|
// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
|
|
// of the organization.
|
|
// Required.
|
|
Name *string `json:"name,omitempty"`
|
|
// ClientConfig defines how to communicate with the hook.
|
|
// Required
|
|
ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
|
|
// Rules describes what operations on what resources/subresources the webhook cares about.
|
|
// The webhook cares about an operation if it matches _any_ Rule.
|
|
// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
|
|
// from putting the cluster in a state which cannot be recovered from without completely
|
|
// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
|
|
// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
|
|
Rules []v1.RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
|
|
// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
|
|
// allowed values are Ignore or Fail. Defaults to Ignore.
|
|
FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
|
|
// matchPolicy defines how the "rules" list is used to match incoming requests.
|
|
// Allowed values are "Exact" or "Equivalent".
|
|
//
|
|
// - Exact: match a request only if it exactly matches a specified rule.
|
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
|
// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
|
// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
|
|
//
|
|
// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
|
|
// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
|
// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
|
// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
|
|
//
|
|
// Defaults to "Exact"
|
|
MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
|
|
// NamespaceSelector decides whether to run the webhook on an object based
|
|
// on whether the namespace for that object matches the selector. If the
|
|
// object itself is a namespace, the matching is performed on
|
|
// object.metadata.labels. If the object is another cluster scoped resource,
|
|
// it never skips the webhook.
|
|
//
|
|
// For example, to run the webhook on any objects whose namespace is not
|
|
// associated with "runlevel" of "0" or "1"; you will set the selector as
|
|
// follows:
|
|
// "namespaceSelector": {
|
|
// "matchExpressions": [
|
|
// {
|
|
// "key": "runlevel",
|
|
// "operator": "NotIn",
|
|
// "values": [
|
|
// "0",
|
|
// "1"
|
|
// ]
|
|
// }
|
|
// ]
|
|
// }
|
|
//
|
|
// If instead you want to only run the webhook on any objects whose
|
|
// namespace is associated with the "environment" of "prod" or "staging";
|
|
// you will set the selector as follows:
|
|
// "namespaceSelector": {
|
|
// "matchExpressions": [
|
|
// {
|
|
// "key": "environment",
|
|
// "operator": "In",
|
|
// "values": [
|
|
// "prod",
|
|
// "staging"
|
|
// ]
|
|
// }
|
|
// ]
|
|
// }
|
|
//
|
|
// See
|
|
// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
// for more examples of label selectors.
|
|
//
|
|
// Default to the empty LabelSelector, which matches everything.
|
|
NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
|
|
// ObjectSelector decides whether to run the webhook based on if the
|
|
// object has matching labels. objectSelector is evaluated against both
|
|
// the oldObject and newObject that would be sent to the webhook, and
|
|
// is considered to match if either object matches the selector. A null
|
|
// object (oldObject in the case of create, or newObject in the case of
|
|
// delete) or an object that cannot have labels (like a
|
|
// DeploymentRollback or a PodProxyOptions object) is not considered to
|
|
// match.
|
|
// Use the object selector only if the webhook is opt-in, because end
|
|
// users may skip the admission webhook by setting the labels.
|
|
// Default to the empty LabelSelector, which matches everything.
|
|
ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
|
|
// SideEffects states whether this webhook has side effects.
|
|
// Acceptable values are: Unknown, None, Some, NoneOnDryRun
|
|
// Webhooks with side effects MUST implement a reconciliation system, since a request may be
|
|
// rejected by a future step in the admission chain and the side effects therefore need to be undone.
|
|
// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
|
|
// sideEffects == Unknown or Some. Defaults to Unknown.
|
|
SideEffects *admissionregistrationv1beta1.SideEffectClass `json:"sideEffects,omitempty"`
|
|
// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
|
|
// the webhook call will be ignored or the API call will fail based on the
|
|
// failure policy.
|
|
// The timeout value must be between 1 and 30 seconds.
|
|
// Default to 30 seconds.
|
|
TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
|
|
// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
|
|
// versions the Webhook expects. API server will try to use first version in
|
|
// the list which it supports. If none of the versions specified in this list
|
|
// supported by API server, validation will fail for this object.
|
|
// If a persisted webhook configuration specifies allowed versions and does not
|
|
// include any versions known to the API Server, calls to the webhook will fail
|
|
// and be subject to the failure policy.
|
|
// Default to `['v1beta1']`.
|
|
AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
|
|
// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
|
|
// Allowed values are "Never" and "IfNeeded".
|
|
//
|
|
// Never: the webhook will not be called more than once in a single admission evaluation.
|
|
//
|
|
// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
|
|
// if the object being admitted is modified by other admission plugins after the initial webhook call.
|
|
// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
|
|
// Note:
|
|
// * the number of additional invocations is not guaranteed to be exactly one.
|
|
// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
|
|
// * webhooks that use this option may be reordered to minimize the number of additional invocations.
|
|
// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
|
|
//
|
|
// Defaults to "Never".
|
|
ReinvocationPolicy *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
|
|
// MatchConditions is a list of conditions that must be met for a request to be sent to this
|
|
// webhook. Match conditions filter requests that have already been matched by the rules,
|
|
// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
|
|
// There are a maximum of 64 match conditions allowed.
|
|
//
|
|
// The exact matching logic is (in order):
|
|
// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
|
|
// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
|
|
// 3. If any matchCondition evaluates to an error (but none are FALSE):
|
|
// - If failurePolicy=Fail, reject the request
|
|
// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
|
|
MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
|
|
}
|
|
|
|
// MutatingWebhookApplyConfiguration constructs a declarative configuration of the MutatingWebhook type for use with
|
|
// apply.
|
|
func MutatingWebhook() *MutatingWebhookApplyConfiguration {
|
|
return &MutatingWebhookApplyConfiguration{}
|
|
}
|
|
|
|
// WithName sets the Name field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the Name field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithName(value string) *MutatingWebhookApplyConfiguration {
|
|
b.Name = &value
|
|
return b
|
|
}
|
|
|
|
// WithClientConfig sets the ClientConfig field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the ClientConfig field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithClientConfig(value *WebhookClientConfigApplyConfiguration) *MutatingWebhookApplyConfiguration {
|
|
b.ClientConfig = value
|
|
return b
|
|
}
|
|
|
|
// WithRules adds the given value to the Rules field in the declarative configuration
|
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
|
// If called multiple times, values provided by each call will be appended to the Rules field.
|
|
func (b *MutatingWebhookApplyConfiguration) WithRules(values ...*v1.RuleWithOperationsApplyConfiguration) *MutatingWebhookApplyConfiguration {
|
|
for i := range values {
|
|
if values[i] == nil {
|
|
panic("nil value passed to WithRules")
|
|
}
|
|
b.Rules = append(b.Rules, *values[i])
|
|
}
|
|
return b
|
|
}
|
|
|
|
// WithFailurePolicy sets the FailurePolicy field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the FailurePolicy field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithFailurePolicy(value admissionregistrationv1beta1.FailurePolicyType) *MutatingWebhookApplyConfiguration {
|
|
b.FailurePolicy = &value
|
|
return b
|
|
}
|
|
|
|
// WithMatchPolicy sets the MatchPolicy field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the MatchPolicy field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithMatchPolicy(value admissionregistrationv1beta1.MatchPolicyType) *MutatingWebhookApplyConfiguration {
|
|
b.MatchPolicy = &value
|
|
return b
|
|
}
|
|
|
|
// WithNamespaceSelector sets the NamespaceSelector field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the NamespaceSelector field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithNamespaceSelector(value *metav1.LabelSelectorApplyConfiguration) *MutatingWebhookApplyConfiguration {
|
|
b.NamespaceSelector = value
|
|
return b
|
|
}
|
|
|
|
// WithObjectSelector sets the ObjectSelector field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the ObjectSelector field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithObjectSelector(value *metav1.LabelSelectorApplyConfiguration) *MutatingWebhookApplyConfiguration {
|
|
b.ObjectSelector = value
|
|
return b
|
|
}
|
|
|
|
// WithSideEffects sets the SideEffects field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the SideEffects field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithSideEffects(value admissionregistrationv1beta1.SideEffectClass) *MutatingWebhookApplyConfiguration {
|
|
b.SideEffects = &value
|
|
return b
|
|
}
|
|
|
|
// WithTimeoutSeconds sets the TimeoutSeconds field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the TimeoutSeconds field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithTimeoutSeconds(value int32) *MutatingWebhookApplyConfiguration {
|
|
b.TimeoutSeconds = &value
|
|
return b
|
|
}
|
|
|
|
// WithAdmissionReviewVersions adds the given value to the AdmissionReviewVersions field in the declarative configuration
|
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
|
// If called multiple times, values provided by each call will be appended to the AdmissionReviewVersions field.
|
|
func (b *MutatingWebhookApplyConfiguration) WithAdmissionReviewVersions(values ...string) *MutatingWebhookApplyConfiguration {
|
|
for i := range values {
|
|
b.AdmissionReviewVersions = append(b.AdmissionReviewVersions, values[i])
|
|
}
|
|
return b
|
|
}
|
|
|
|
// WithReinvocationPolicy sets the ReinvocationPolicy field in the declarative configuration to the given value
|
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
|
// If called multiple times, the ReinvocationPolicy field is set to the value of the last call.
|
|
func (b *MutatingWebhookApplyConfiguration) WithReinvocationPolicy(value admissionregistrationv1.ReinvocationPolicyType) *MutatingWebhookApplyConfiguration {
|
|
b.ReinvocationPolicy = &value
|
|
return b
|
|
}
|
|
|
|
// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
|
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
|
// If called multiple times, values provided by each call will be appended to the MatchConditions field.
|
|
func (b *MutatingWebhookApplyConfiguration) WithMatchConditions(values ...*MatchConditionApplyConfiguration) *MutatingWebhookApplyConfiguration {
|
|
for i := range values {
|
|
if values[i] == nil {
|
|
panic("nil value passed to WithMatchConditions")
|
|
}
|
|
b.MatchConditions = append(b.MatchConditions, *values[i])
|
|
}
|
|
return b
|
|
}
|