Add imagepolicy.v1alpha1 API

2022-05-18 14:20:20 +08:00 · 2022-05-18 14:20:20 +08:00 · c992c4c04f
parent dab4e5d146
commit c992c4c04f
3 changed files with 183 additions and 14 deletions
--- a/content/en/docs/reference/_index.md
+++ b/content/en/docs/reference/_index.md
@ -77,6 +77,7 @@ operator to use or manage a cluster.
 * [kube-apiserver configuration (v1alpha1)](/docs/reference/config-api/apiserver-config.v1alpha1/)
 * [kube-apiserver configuration (v1)](/docs/reference/config-api/apiserver-config.v1/)
 * [kube-apiserver encryption (v1)](/docs/reference/config-api/apiserver-encryption.v1/)
+* [kube-apiserver event rate limit (v1alpha1)](/docs/reference/config-api/apiserver-eventratelimit.v1/)
 * [kubelet configuration (v1alpha1)](/docs/reference/config-api/kubelet-config.v1alpha1/) and
  [kubelet configuration (v1beta1)](/docs/reference/config-api/kubelet-config.v1beta1/)
 * [kubelet credential providers (v1alpha1)](/docs/reference/config-api/kubelet-credentialprovider.v1alpha1/)
@ -88,6 +89,7 @@ operator to use or manage a cluster.
 * [Client authentication API (v1beta1)](/docs/reference/config-api/client-authentication.v1beta1/) and 
  [Client authentication API (v1)](/docs/reference/config-api/client-authentication.v1/)
 * [WebhookAdmission configuration (v1)](/docs/reference/config-api/apiserver-webhookadmission.v1/)
+* [ImagePolicy API (v1alpha1)](/docs/reference/config-api/imagepolicy.v1alpha1/)

 ## Config API for kubeadm

--- a/content/en/docs/reference/access-authn-authz/admission-controllers.md
+++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md
@ -356,19 +356,21 @@ users:
 For additional HTTP configuration, refer to the
 [kubeconfig](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) documentation.

-#### Request Payloads
+#### Request payloads

 When faced with an admission decision, the API Server POSTs a JSON serialized
 `imagepolicy.k8s.io/v1alpha1` `ImageReview` object describing the action.
 This object contains fields describing the containers being admitted, as well as
 any pod annotations that match `*.image-policy.k8s.io/*`.

-Note that webhook API objects are subject to the same versioning compatibility rules
+{{ note }}
+The webhook API objects are subject to the same versioning compatibility rules
 as other Kubernetes API objects. Implementers should be aware of looser compatibility
-promises for alpha objects and check the "apiVersion" field of the request to
+promises for alpha objects and check the `apiVersion` field of the request to
 ensure correct deserialization.
 Additionally, the API Server must enable the `imagepolicy.k8s.io/v1alpha1` API extensions
 group (`--runtime-config=imagepolicy.k8s.io/v1alpha1=true`).
+{{ /note }}

 An example request body:

@ -420,8 +422,8 @@ To disallow access, the service would return:
 }
 ```

-For further documentation refer to the `imagepolicy.v1alpha1` API objects and
-`plugin/pkg/admission/imagepolicy/admission.go`.
+For further documentation refer to the
+[`imagepolicy.v1alpha1` API](/docs/reference/config-api/imagepolicy.v1alpha1/).

 #### Extending with Annotations

@ -432,9 +434,9 @@ accept different information.

 Examples of information you might put here are:

- * request to "break glass" to override a policy, in case of emergency.
- * a ticket number from a ticket system that documents the break-glass request
- * provide a hint to the policy server as to the imageID of the image being provided, to save it a lookup
+* request to "break glass" to override a policy, in case of emergency.
+* a ticket number from a ticket system that documents the break-glass request
+* provide a hint to the policy server as to the imageID of the image being provided, to save it a lookup

 In any case, the annotations are provided by the user and are not validated by Kubernetes in any way.

@ -469,8 +471,7 @@ webhooks or validating admission controllers will permit the request to finish.

 If you disable the MutatingAdmissionWebhook, you must also disable the
 `MutatingWebhookConfiguration` object in the `admissionregistration.k8s.io/v1`
-group/version via the `--runtime-config` flag (both are on by default in
-versions >= 1.9).
+group/version via the `--runtime-config` flag, both are on by default.

 #### Use caution when authoring and installing mutating webhooks

@ -599,7 +600,7 @@ Starting from 1.11, this admission controller is disabled by default.
 This admission controller defaults and limits what node selectors may be used within a namespace
 by reading a namespace annotation and a global configuration.

-#### Configuration File Format
+#### Configuration file format

 `PodNodeSelector` uses a configuration file to set options for the behavior of the backend.
 Note that the configuration file format will move to a versioned file in a future release.
@ -649,9 +650,7 @@ This admission controller has the following behavior:
 3. Evaluate the pod's node selector against the namespace node selector for conflicts. Conflicts
   result in rejection.
 4. Evaluate the pod's node selector against the namespace-specific allowed selector defined the
-   plugin configuration file.
-
-Conflicts result in rejection.
+   plugin configuration file. Conflicts result in rejection.

 {{< note >}}
 PodNodeSelector allows forcing pods to run on specifically labeled nodes. Also see the PodTolerationRestriction
--- a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
+++ b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md
@ -0,0 +1,168 @@
+---
+title: Image Policy API (v1alpha1)
+content_type: tool-reference
+package: imagepolicy.k8s.io/v1alpha1
+auto_generated: true
+---
+
+
+## Resource Types 
+
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+  
+    
+
+## `ImageReview`     {#imagepolicy-k8s-io-v1alpha1-ImageReview}
+    
+
+
+<p>ImageReview checks if the set of images in a pod are allowed.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>imagepolicy.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>ImageReview</code></td></tr>
+    
+  
+<tr><td><code>metadata</code><br/>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a>
+</td>
+<td>
+   <p>Standard object's metadata.
+More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</p>
+Refer to the Kubernetes API documentation for the fields of the <code>metadata</code> field.</td>
+</tr>
+<tr><td><code>spec</code> <B>[Required]</B><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec"><code>ImageReviewSpec</code></a>
+</td>
+<td>
+   <p>Spec holds information about the pod being evaluated</p>
+</td>
+</tr>
+<tr><td><code>status</code><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewStatus"><code>ImageReviewStatus</code></a>
+</td>
+<td>
+   <p>Status is filled in by the backend and indicates whether the pod should be allowed.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewContainerSpec`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewContainerSpec}
+    
+
+**Appears in:**
+
+- [ImageReviewSpec](#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec)
+
+
+<p>ImageReviewContainerSpec is a description of a container within the pod creation request.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>image</code><br/>
+<code>string</code>
+</td>
+<td>
+   <p>This can be in the form image:tag or image@SHA:012345679abcdef.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewSpec`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec}
+    
+
+**Appears in:**
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+
+
+<p>ImageReviewSpec is a description of the pod creation request.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>containers</code><br/>
+<a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewContainerSpec"><code>[]ImageReviewContainerSpec</code></a>
+</td>
+<td>
+   <p>Containers is a list of a subset of the information in each container of the Pod being created.</p>
+</td>
+</tr>
+<tr><td><code>annotations</code><br/>
+<code>map[string]string</code>
+</td>
+<td>
+   <p>Annotations is a list of key-value pairs extracted from the Pod's annotations.
+It only includes keys which match the pattern <code>*.image-policy.k8s.io/*</code>.
+It is up to each webhook backend to determine how to interpret these annotations, if at all.</p>
+</td>
+</tr>
+<tr><td><code>namespace</code><br/>
+<code>string</code>
+</td>
+<td>
+   <p>Namespace is the namespace the pod is being created in.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImageReviewStatus`     {#imagepolicy-k8s-io-v1alpha1-ImageReviewStatus}
+    
+
+**Appears in:**
+
+- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview)
+
+
+<p>ImageReviewStatus is the result of the review for the pod creation request.</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>allowed</code> <B>[Required]</B><br/>
+<code>bool</code>
+</td>
+<td>
+   <p>Allowed indicates that all images were allowed to be run.</p>
+</td>
+</tr>
+<tr><td><code>reason</code><br/>
+<code>string</code>
+</td>
+<td>
+   <p>Reason should be empty unless Allowed is false in which case it
+may contain a short description of what is wrong.  Kubernetes
+may truncate excessively long errors when displaying to the user.</p>
+</td>
+</tr>
+<tr><td><code>auditAnnotations</code><br/>
+<code>map[string]string</code>
+</td>
+<td>
+   <p>AuditAnnotations will be added to the attributes object of the
+admission controller request using 'AddAnnotation'.  The keys should
+be prefix-less (i.e., the admission controller will add an
+appropriate prefix).</p>
+</td>
+</tr>
+</tbody>
+</table>
+