1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
#[derive(Clone, Debug, Default, PartialEq)]
pub struct ValidatingWebhook {
pub admission_review_versions: Vec<String>,
pub client_config: crate::api::admissionregistration::v1::WebhookClientConfig,
pub failure_policy: Option<String>,
pub match_policy: Option<String>,
pub name: String,
pub namespace_selector: Option<crate::apimachinery::pkg::apis::meta::v1::LabelSelector>,
pub object_selector: Option<crate::apimachinery::pkg::apis::meta::v1::LabelSelector>,
pub rules: Option<Vec<crate::api::admissionregistration::v1::RuleWithOperations>>,
pub side_effects: String,
pub timeout_seconds: Option<i32>,
}
impl crate::DeepMerge for ValidatingWebhook {
fn merge_from(&mut self, other: Self) {
crate::merge_strategies::list::atomic(&mut self.admission_review_versions, other.admission_review_versions);
crate::DeepMerge::merge_from(&mut self.client_config, other.client_config);
crate::DeepMerge::merge_from(&mut self.failure_policy, other.failure_policy);
crate::DeepMerge::merge_from(&mut self.match_policy, other.match_policy);
crate::DeepMerge::merge_from(&mut self.name, other.name);
crate::DeepMerge::merge_from(&mut self.namespace_selector, other.namespace_selector);
crate::DeepMerge::merge_from(&mut self.object_selector, other.object_selector);
crate::merge_strategies::list::atomic(&mut self.rules, other.rules);
crate::DeepMerge::merge_from(&mut self.side_effects, other.side_effects);
crate::DeepMerge::merge_from(&mut self.timeout_seconds, other.timeout_seconds);
}
}
impl<'de> crate::serde::Deserialize<'de> for ValidatingWebhook {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error> where D: crate::serde::Deserializer<'de> {
#[allow(non_camel_case_types)]
enum Field {
Key_admission_review_versions,
Key_client_config,
Key_failure_policy,
Key_match_policy,
Key_name,
Key_namespace_selector,
Key_object_selector,
Key_rules,
Key_side_effects,
Key_timeout_seconds,
Other,
}
impl<'de> crate::serde::Deserialize<'de> for Field {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error> where D: crate::serde::Deserializer<'de> {
struct Visitor;
impl<'de> crate::serde::de::Visitor<'de> for Visitor {
type Value = Field;
fn expecting(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.write_str("field identifier")
}
fn visit_str<E>(self, v: &str) -> Result<Self::Value, E> where E: crate::serde::de::Error {
Ok(match v {
"admissionReviewVersions" => Field::Key_admission_review_versions,
"clientConfig" => Field::Key_client_config,
"failurePolicy" => Field::Key_failure_policy,
"matchPolicy" => Field::Key_match_policy,
"name" => Field::Key_name,
"namespaceSelector" => Field::Key_namespace_selector,
"objectSelector" => Field::Key_object_selector,
"rules" => Field::Key_rules,
"sideEffects" => Field::Key_side_effects,
"timeoutSeconds" => Field::Key_timeout_seconds,
_ => Field::Other,
})
}
}
deserializer.deserialize_identifier(Visitor)
}
}
struct Visitor;
impl<'de> crate::serde::de::Visitor<'de> for Visitor {
type Value = ValidatingWebhook;
fn expecting(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.write_str("ValidatingWebhook")
}
fn visit_map<A>(self, mut map: A) -> Result<Self::Value, A::Error> where A: crate::serde::de::MapAccess<'de> {
let mut value_admission_review_versions: Option<Vec<String>> = None;
let mut value_client_config: Option<crate::api::admissionregistration::v1::WebhookClientConfig> = None;
let mut value_failure_policy: Option<String> = None;
let mut value_match_policy: Option<String> = None;
let mut value_name: Option<String> = None;
let mut value_namespace_selector: Option<crate::apimachinery::pkg::apis::meta::v1::LabelSelector> = None;
let mut value_object_selector: Option<crate::apimachinery::pkg::apis::meta::v1::LabelSelector> = None;
let mut value_rules: Option<Vec<crate::api::admissionregistration::v1::RuleWithOperations>> = None;
let mut value_side_effects: Option<String> = None;
let mut value_timeout_seconds: Option<i32> = None;
while let Some(key) = crate::serde::de::MapAccess::next_key::<Field>(&mut map)? {
match key {
Field::Key_admission_review_versions => value_admission_review_versions = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_client_config => value_client_config = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_failure_policy => value_failure_policy = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_match_policy => value_match_policy = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_name => value_name = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_namespace_selector => value_namespace_selector = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_object_selector => value_object_selector = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_rules => value_rules = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_side_effects => value_side_effects = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Key_timeout_seconds => value_timeout_seconds = crate::serde::de::MapAccess::next_value(&mut map)?,
Field::Other => { let _: crate::serde::de::IgnoredAny = crate::serde::de::MapAccess::next_value(&mut map)?; },
}
}
Ok(ValidatingWebhook {
admission_review_versions: value_admission_review_versions.unwrap_or_default(),
client_config: value_client_config.unwrap_or_default(),
failure_policy: value_failure_policy,
match_policy: value_match_policy,
name: value_name.unwrap_or_default(),
namespace_selector: value_namespace_selector,
object_selector: value_object_selector,
rules: value_rules,
side_effects: value_side_effects.unwrap_or_default(),
timeout_seconds: value_timeout_seconds,
})
}
}
deserializer.deserialize_struct(
"ValidatingWebhook",
&[
"admissionReviewVersions",
"clientConfig",
"failurePolicy",
"matchPolicy",
"name",
"namespaceSelector",
"objectSelector",
"rules",
"sideEffects",
"timeoutSeconds",
],
Visitor,
)
}
}
impl crate::serde::Serialize for ValidatingWebhook {
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error> where S: crate::serde::Serializer {
let mut state = serializer.serialize_struct(
"ValidatingWebhook",
4 +
self.failure_policy.as_ref().map_or(0, |_| 1) +
self.match_policy.as_ref().map_or(0, |_| 1) +
self.namespace_selector.as_ref().map_or(0, |_| 1) +
self.object_selector.as_ref().map_or(0, |_| 1) +
self.rules.as_ref().map_or(0, |_| 1) +
self.timeout_seconds.as_ref().map_or(0, |_| 1),
)?;
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "admissionReviewVersions", &self.admission_review_versions)?;
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "clientConfig", &self.client_config)?;
if let Some(value) = &self.failure_policy {
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "failurePolicy", value)?;
}
if let Some(value) = &self.match_policy {
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "matchPolicy", value)?;
}
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "name", &self.name)?;
if let Some(value) = &self.namespace_selector {
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "namespaceSelector", value)?;
}
if let Some(value) = &self.object_selector {
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "objectSelector", value)?;
}
if let Some(value) = &self.rules {
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "rules", value)?;
}
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "sideEffects", &self.side_effects)?;
if let Some(value) = &self.timeout_seconds {
crate::serde::ser::SerializeStruct::serialize_field(&mut state, "timeoutSeconds", value)?;
}
crate::serde::ser::SerializeStruct::end(state)
}
}
#[cfg(feature = "schemars")]
impl crate::schemars::JsonSchema for ValidatingWebhook {
fn schema_name() -> String {
"io.k8s.api.admissionregistration.v1.ValidatingWebhook".to_owned()
}
fn json_schema(__gen: &mut crate::schemars::gen::SchemaGenerator) -> crate::schemars::schema::Schema {
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
metadata: Some(Box::new(crate::schemars::schema::Metadata {
description: Some("ValidatingWebhook describes an admission webhook and the resources and operations it applies to.".to_owned()),
..Default::default()
})),
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::Object))),
object: Some(Box::new(crate::schemars::schema::ObjectValidation {
properties: [
(
"admissionReviewVersions".to_owned(),
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
metadata: Some(Box::new(crate::schemars::schema::Metadata {
description: Some("AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.".to_owned()),
..Default::default()
})),
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::Array))),
array: Some(Box::new(crate::schemars::schema::ArrayValidation {
items: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::String))),
..Default::default()
})
))),
..Default::default()
})),
..Default::default()
}),
),
(
"clientConfig".to_owned(),
{
let mut schema_obj = __gen.subschema_for::<crate::api::admissionregistration::v1::WebhookClientConfig>().into_object();
schema_obj.metadata = Some(Box::new(crate::schemars::schema::Metadata {
description: Some("ClientConfig defines how to communicate with the hook. Required".to_owned()),
..Default::default()
}));
crate::schemars::schema::Schema::Object(schema_obj)
},
),
(
"failurePolicy".to_owned(),
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
metadata: Some(Box::new(crate::schemars::schema::Metadata {
description: Some("FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.".to_owned()),
..Default::default()
})),
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::String))),
..Default::default()
}),
),
(
"matchPolicy".to_owned(),
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
metadata: Some(Box::new(crate::schemars::schema::Metadata {
description: Some("matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"".to_owned()),
..Default::default()
})),
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::String))),
..Default::default()
}),
),
(
"name".to_owned(),
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
metadata: Some(Box::new(crate::schemars::schema::Metadata {
description: Some("The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.".to_owned()),
..Default::default()
})),
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::String))),
..Default::default()
}),
),
(
"namespaceSelector".to_owned(),
{
let mut schema_obj = __gen.subschema_for::<crate::apimachinery::pkg::apis::meta::v1::LabelSelector>().into_object();
schema_obj.metadata = Some(Box::new(crate::schemars::schema::Metadata {
description: Some("NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.".to_owned()),
..Default::default()
}));
crate::schemars::schema::Schema::Object(schema_obj)
},
),
(
"objectSelector".to_owned(),
{
let mut schema_obj = __gen.subschema_for::<crate::apimachinery::pkg::apis::meta::v1::LabelSelector>().into_object();
schema_obj.metadata = Some(Box::new(crate::schemars::schema::Metadata {
description: Some("ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.".to_owned()),
..Default::default()
}));
crate::schemars::schema::Schema::Object(schema_obj)
},
),
(
"rules".to_owned(),
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
metadata: Some(Box::new(crate::schemars::schema::Metadata {
description: Some("Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.".to_owned()),
..Default::default()
})),
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::Array))),
array: Some(Box::new(crate::schemars::schema::ArrayValidation {
items: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(__gen.subschema_for::<crate::api::admissionregistration::v1::RuleWithOperations>()))),
..Default::default()
})),
..Default::default()
}),
),
(
"sideEffects".to_owned(),
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
metadata: Some(Box::new(crate::schemars::schema::Metadata {
description: Some("SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.".to_owned()),
..Default::default()
})),
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::String))),
..Default::default()
}),
),
(
"timeoutSeconds".to_owned(),
crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
metadata: Some(Box::new(crate::schemars::schema::Metadata {
description: Some("TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.".to_owned()),
..Default::default()
})),
instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::Integer))),
format: Some("int32".to_owned()),
..Default::default()
}),
),
].into(),
required: [
"admissionReviewVersions".to_owned(),
"clientConfig".to_owned(),
"name".to_owned(),
"sideEffects".to_owned(),
].into(),
..Default::default()
})),
..Default::default()
})
}
}