// Tail of a composite literal whose opening lies outside this excerpt.
extensions.Kind("DaemonSet"),
}

// shouldCheckResource reports whether a request for resource should be
// examined, given the kind that accompanies it.
//
// It returns (false, nil) when resource is not a key of resourcesToCheck,
// (true, nil) when the resource is listed and kind equals the kind recorded
// for it, and (false, error) when the resource is listed but kind differs.
//
// Resources absent from resourcesToCheck are reported as not-to-check without
// an error, so that table is the full extent of what this function ever
// selects for checking.
// NOTE(review): how callers treat the mismatch error (reject vs. skip) is not
// visible here; confirm it results in the request being refused.
func shouldCheckResource(resource unversioned.GroupResource, kind unversioned.GroupKind) (bool, error) {
	wantKind, listed := resourcesToCheck[resource]
	switch {
	case !listed:
		return false, nil
	case wantKind != kind:
		// Pointers are passed to the formatter as in the original;
		// presumably String is declared on the pointer receivers.
		return false, fmt.Errorf("Unexpected resource kind %v for resource %v", &kind, &resource)
	default:
		return true, nil
	}
}

// Build-time assertions: these conversions stop compiling if
// *podNodeConstraints no longer satisfies oadmission.Validator or
// oadmission.WantsAuthorizer (presumably interface types).
var _ = oadmission.Validator(&podNodeConstraints{})
var _ = oadmission.WantsAuthorizer(&podNodeConstraints{})

// readConfig is cut off at the end of this excerpt; the visible part is
// reproduced unchanged.
func readConfig(reader io.Reader) (*api.PodNodeConstraintsConfig, error) {
	if reader == nil || reflect.ValueOf(reader).IsNil() {
		return nil, nil
	}
	obj, err := configlatest.ReadYAML(reader)
	if err != nil {
		return nil, err
	}
	if obj == nil {
		return nil, nil
	}
	config, ok := obj.(*api.PodNodeConstraintsConfig)
	if !ok {
		return nil, fmt.Errorf("unexpected config object: %#v", obj)
// init registers the plugin factory under RestrictedEndpointsPluginName.
//
// The factory ignores both of its arguments (the clientset and the config
// reader) and always builds the plugin with a nil list of restricted networks.
// NOTE(review): an instance produced through this registration carries no
// restricted ranges; presumably the configured instance is built elsewhere via
// NewRestrictedEndpointsAdmission. Confirm, since an instance with an empty
// list may restrict nothing.
func init() {
	factory := func(client clientset.Interface, config io.Reader) (kadmission.Interface, error) {
		return NewRestrictedEndpointsAdmission(nil), nil
	}
	kadmission.RegisterPlugin(RestrictedEndpointsPluginName, factory)
}

// restrictedEndpointsAdmission is the state of the restricted-endpoints
// admission plugin.
type restrictedEndpointsAdmission struct {
	*kadmission.Handler

	client     client.Interface
	authorizer authorizer.Authorizer // presumably supplied through the WantsAuthorizer hook; TODO confirm
	// restrictedNetworks has the element type that ParseSimpleCIDRRules
	// returns and that NewRestrictedEndpointsAdmission accepts.
	restrictedNetworks []*net.IPNet
}

// Build-time assertion that *restrictedEndpointsAdmission converts to
// oadmission.WantsAuthorizer.
var _ = oadmission.WantsAuthorizer(&restrictedEndpointsAdmission{})

// ParseSimpleCIDRRules parses every entry of rules as CIDR notation and
// returns the resulting networks in input order.
//
// Parsing stops at the first entry net.ParseCIDR rejects: that error is
// returned and the networks parsed so far are discarded, so callers never
// receive a partial list. A nil or empty rules yields a nil slice and a nil
// error.
//
// Only the network half of net.ParseCIDR's result is kept, so host bits in an
// entry are masked away: a constructed entry such as "10.1.2.3/8" becomes
// 10.0.0.0/8. A range is therefore never narrower than the prefix length
// states, whatever address was written in front of it.
func ParseSimpleCIDRRules(rules []string) (networks []*net.IPNet, err error) {
	for i := range rules {
		_, ipNet, parseErr := net.ParseCIDR(rules[i])
		if parseErr != nil {
			return nil, parseErr
		}
		networks = append(networks, ipNet)
	}
	return networks, nil
}

// NewRestrictedEndpointsAdmission creates a new endpoints admission plugin.
func NewRestrictedEndpointsAdmission(restrictedNetworks []*net.IPNet) *restrictedEndpointsAdmission {