func init() {
admission.RegisterPlugin("DenyEscalatingExec", func(client client.Interface, config io.Reader) (admission.Interface, error) {
return NewDenyEscalatingExec(client), nil
})
// This is for legacy support of the DenyExecOnPrivileged admission controller. Most
// of the time DenyEscalatingExec should be preferred.
admission.RegisterPlugin("DenyExecOnPrivileged", func(client client.Interface, config io.Reader) (admission.Interface, error) {
return NewDenyExecOnPrivileged(client), nil
})
}
func init() {
admission.RegisterPlugin("OwnerReferencesPermissionEnforcement", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
return &gcPermissionsEnforcement{
Handler: admission.NewHandler(admission.Create, admission.Update),
}, nil
})
}
func init() {
admission.RegisterPlugin(PluginName, func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
serviceAccountAdmission := NewServiceAccount(client)
serviceAccountAdmission.Run()
return serviceAccountAdmission, nil
})
}
func init() {
admission.RegisterPlugin(PluginName, func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
plugin := NewPlugin(client, psp.NewSimpleStrategyFactory(), getMatchingPolicies, false)
plugin.Run()
return plugin, nil
})
}
func init() {
admission.RegisterPlugin("PodNodeSelector", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
pluginConfig := readConfig(config)
plugin := NewPodNodeSelector(client, pluginConfig.PodNodeSelectorPluginConfig)
return plugin, nil
})
}
func init() {
admission.RegisterPlugin("openshift.io/RestrictSubjectBindings",
func(kclient kclientset.Interface, config io.Reader) (admission.Interface,
error) {
return NewRestrictUsersAdmission(kclient)
})
}
func init() {
admission.RegisterPlugin("ResourceQuota",
func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
registry := install.NewRegistry(client)
return NewResourceQuota(client, registry, 5)
})
}
func init() {
admission.RegisterPlugin("SCCExecRestrictions", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
execAdmitter := NewSCCExecRestrictions(client)
execAdmitter.constraintAdmission.Run()
return execAdmitter, nil
})
}
func registerAdmissionPlugins(t *testing.T, names ...string) {
for _, name := range names {
pluginName := name
admission.RegisterPlugin(pluginName, func(client kclientset.Interface, config io.Reader) (admission.Interface, error) {
plugin := &testAdmissionPlugin{
name: pluginName,
}
if config != nil && !reflect.ValueOf(config).IsNil() {
configData, err := ioutil.ReadAll(config)
if err != nil {
return nil, err
}
configData, err = kyaml.ToJSON(configData)
if err != nil {
return nil, err
}
configObj := &TestPluginConfig{}
err = runtime.DecodeInto(kapi.Codecs.UniversalDecoder(), configData, configObj)
if err != nil {
return nil, err
}
plugin.labelValue = configObj.Data
}
return plugin, nil
})
}
}
func init() {
admission.RegisterPlugin(PluginName, func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
plugin := newPlugin(client)
plugin.Run()
return plugin, nil
})
}
func init() {
kadmission.RegisterPlugin("SecurityContextConstraint", func(client client.Interface, config io.Reader) (kadmission.Interface, error) {
constraintAdmitter := NewConstraint(client)
constraintAdmitter.Run()
return constraintAdmitter, nil
})
}
func init() {
admission.RegisterPlugin("ResourceQuota",
func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
registry := install.NewRegistry(client)
// TODO: expose a stop channel in admission factory
return NewResourceQuota(client, registry, 5, make(chan struct{}))
})
}
// WARNING: this feature is experimental and will definitely change.
func init() {
admission.RegisterPlugin("InitialResources", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
s, err := newDataSource(*source)
if err != nil {
return nil, err
}
return newInitialResources(s, *percentile, *nsOnly), nil
})
}
func init() {
kadmission.RegisterPlugin(PluginName, func(client clientset.Interface, config io.Reader) (kadmission.Interface, error) {
plugin, err := NewImageLimitRangerPlugin(client, config)
if err != nil {
return nil, err
}
return plugin, nil
})
}
func init() {
admission.RegisterPlugin("BuildByStrategy", func(c kclient.Interface, config io.Reader) (admission.Interface, error) {
osClient, ok := c.(client.Interface)
if !ok {
return nil, errors.New("client is not an Origin client")
}
return NewBuildByStrategy(osClient), nil
})
}
func init() {
admission.RegisterPlugin("ImagePolicyWebhook", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
newImagePolicyWebhook, err := NewImagePolicyWebhook(client, config)
if err != nil {
return nil, err
}
return newImagePolicyWebhook, nil
})
}
func init() {
admission.RegisterPlugin("RunOnceDuration", func(client kclient.Interface, config io.Reader) (admission.Interface, error) {
pluginConfig, err := readConfig(config)
if err != nil {
return nil, err
}
return NewRunOnceDuration(pluginConfig), nil
})
}
func init() {
admission.RegisterPlugin("ProjectRequestLimit", func(client kclient.Interface, config io.Reader) (admission.Interface, error) {
pluginConfig, err := readConfig(config)
if err != nil {
return nil, err
}
return NewProjectRequestLimit(pluginConfig)
})
}
func init() {
admission.RegisterPlugin("PodNodeConstraints", func(c clientset.Interface, config io.Reader) (admission.Interface, error) {
pluginConfig, err := readConfig(config)
if err != nil {
return nil, err
}
return NewPodNodeConstraints(pluginConfig), nil
})
}
func init() {
admission.RegisterPlugin("ResourceQuota",
func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
// NOTE: we do not provide informers to the registry because admission level decisions
// does not require us to open watches for all items tracked by quota.
registry := install.NewRegistry(nil, nil)
return NewResourceQuota(client, registry, 5, make(chan struct{}))
})
}
func init() {
admission.RegisterPlugin("BuildOverrides", func(c clientset.Interface, config io.Reader) (admission.Interface, error) {
overridesConfig, err := getConfig(config)
if err != nil {
return nil, err
}
glog.V(4).Infof("Initializing BuildOverrides plugin with config: %#v", overridesConfig)
return NewBuildOverrides(overridesConfig), nil
})
}
func init() {
admission.RegisterPlugin("BuildDefaults", func(c kclient.Interface, config io.Reader) (admission.Interface, error) {
defaultsConfig, err := getConfig(config)
if err != nil {
return nil, err
}
glog.V(4).Infof("Initializing BuildDefaults plugin with config: %#v", defaultsConfig)
return NewBuildDefaults(defaultsConfig), nil
})
}
func init() {
admission.RegisterPlugin("ProjectRequestLimit", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
pluginConfig, err := readConfig(config)
if err != nil {
return nil, err
}
if pluginConfig == nil {
glog.Infof("Admission plugin %q is not configured so it will be disabled.", "ProjectRequestLimit")
return nil, nil
}
return NewProjectRequestLimit(pluginConfig)
})
}
func init() {
admission.RegisterPlugin(api.PluginName, func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
pluginConfig, err := ReadConfig(config)
if err != nil {
return nil, err
}
if pluginConfig == nil {
glog.Infof("Admission plugin %q is not configured so it will be disabled.", api.PluginName)
return nil, nil
}
return newClusterResourceOverride(client, pluginConfig)
})
}
func init() {
admission.RegisterPlugin("PodNodeConstraints", func(c clientset.Interface, config io.Reader) (admission.Interface, error) {
pluginConfig, err := readConfig(config)
if err != nil {
return nil, err
}
if pluginConfig == nil {
glog.Infof("Admission plugin %q is not configured so it will be disabled.", "PodNodeConstraints")
return nil, nil
}
return NewPodNodeConstraints(pluginConfig), nil
})
}
func init() {
admission.RegisterPlugin("RunOnceDuration", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
pluginConfig, err := readConfig(config)
if err != nil {
return nil, err
}
if pluginConfig == nil {
glog.Infof("Admission plugin %q is not configured so it will be disabled.", "RunOnceDuration")
return nil, nil
}
return NewRunOnceDuration(pluginConfig), nil
})
}
func init() {
admission.RegisterPlugin(api.PluginName, func(client clientset.Interface, input io.Reader) (admission.Interface, error) {
obj, err := configlatest.ReadYAML(input)
if err != nil {
return nil, err
}
if obj == nil {
return nil, nil
}
config, ok := obj.(*api.ImagePolicyConfig)
if !ok {
return nil, fmt.Errorf("unexpected config object: %#v", obj)
}
if errs := validation.Validate(config); len(errs) > 0 {
return nil, errs.ToAggregate()
}
glog.V(5).Infof("%s admission controller loaded with config: %#v", api.PluginName, config)
return newImagePolicyPlugin(client, config)
})
}
func init() {
admission.RegisterPlugin("NamespaceExists", func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
return NewExists(client), nil
})
}
func init() {
admission.RegisterPlugin(PluginName, func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
return NewLifecycle(client, sets.NewString(api.NamespaceDefault, api.NamespaceSystem)), nil
})
}
func init() {
admission.RegisterPlugin(api.PluginName, func(client clientset.Interface, config io.Reader) (admission.Interface, error) {
return newClusterResourceOverride(client, config)
})
}
