kube-apiserver Configuration (v1)

Package v1 is the v1 version of the API.

Resource Types

AdmissionConfiguration

AdmissionConfiguration provides versioned configuration for admission controllers.

FieldDescription
apiVersion
string		apiserver.config.k8s.io/v1
kind
string		AdmissionConfiguration
plugins
[]AdmissionPluginConfiguration

Plugins allows specifying a configuration per admission control plugin.

AuthorizationConfiguration

FieldDescription
apiVersion
string		apiserver.config.k8s.io/v1
kind
string		AuthorizationConfiguration
authorizers [Required]
[]AuthorizerConfiguration

Authorizers is an ordered list of authorizers to authorize requests against. This is similar to the —authorization-modes kube-apiserver flag Must be at least one.

EncryptionConfiguration

EncryptionConfiguration stores the complete configuration for encryption providers. It also allows the use of wildcards to specify the resources that should be encrypted. Use ‘.’ to encrypt all resources within a group or ‘.‘ to encrypt all resources. ‘.’ can be used to encrypt all resource in the core group. ‘.‘ will encrypt all resources, even custom resources that are added after API server start. Use of wildcards that overlap within the same resource list or across multiple entries are not allowed since part of the configuration would be ineffective. Resource lists are processed in order, with earlier lists taking precedence.

Example:

  1. kind: EncryptionConfiguration
  2. apiVersion: apiserver.config.k8s.io/v1
  3. resources:
  4. - resources:
  5.   - events
  6.   providers:
  7.   - identity: {}  # do not encrypt events even though *.* is specified below
  8. - resources:
  9.   - secrets
  10.   - configmaps
  11.   - pandas.awesome.bears.example
  12.   providers:
  13.   - aescbc:
  14.       keys:
  15.       - name: key1
  16.         secret: c2VjcmV0IGlzIHNlY3VyZQ==
  17. - resources:
  18.   - '*.apps'
  19.   providers:
  20.   - aescbc:
  21.       keys:
  22.       - name: key2
  23.         secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg==
  24. - resources:
  25.   - '*.*'
  26.   providers:
  27.   - aescbc:
  28.       keys:
  29.       - name: key3
  30.         secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw==
FieldDescription
apiVersion
string		apiserver.config.k8s.io/v1
kind
string		EncryptionConfiguration
resources [Required]
[]ResourceConfiguration

resources is a list containing resources, and their corresponding encryption providers.

AESConfiguration

Appears in:

AESConfiguration contains the API configuration for an AES transformer.

FieldDescription
keys [Required]
[]Key

keys is a list of keys to be used for creating the AES transformer. Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.

AdmissionPluginConfiguration

Appears in:

AdmissionPluginConfiguration provides the configuration for a single plug-in.

FieldDescription
name [Required]
string

Name is the name of the admission controller. It must match the registered admission plugin name.

path
string

Path is the path to a configuration file that contains the plugin’s configuration

configuration
k8s.io/apimachinery/pkg/runtime.Unknown

Configuration is an embedded configuration object to be used as the plugin’s configuration. If present, it will be used instead of the path to the configuration file.

AuthorizerConfiguration

Appears in:

FieldDescription
type [Required]
string

Type refers to the type of the authorizer “Webhook” is supported in the generic API server Other API servers may support additional authorizer types like Node, RBAC, ABAC, etc.

name [Required]
string

Name used to describe the webhook This is explicitly used in monitoring machinery for metrics Note: Names must be DNS1123 labels like myauthorizername or subdomains like myauthorizer.example.domain Required, with no default

webhook [Required]
WebhookConfiguration

Webhook defines the configuration for a Webhook authorizer Must be defined when Type=Webhook Must not be defined when Type!=Webhook

IdentityConfiguration

Appears in:

IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.

KMSConfiguration

Appears in:

KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.

FieldDescription
apiVersion
string

apiVersion of KeyManagementService

name [Required]
string

name is the name of the KMS plugin to be used.

cachesize
int32

cachesize is the maximum number of secrets which are cached in memory. The default value is 1000. Set to a negative value to disable caching. This field is only allowed for KMS v1 providers.

endpoint [Required]
string

endpoint is the gRPC server listening address, for example “unix:///var/run/kms-provider.sock”.

timeout
meta/v1.Duration

timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.

Key

Appears in:

Key contains name and secret of the provided key for a transformer.

FieldDescription
name [Required]
string

name is the name of the key to be used while storing data to disk.

secret [Required]
string

secret is the actual key, encoded in base64.

ProviderConfiguration

Appears in:

ProviderConfiguration stores the provided configuration for an encryption provider.

FieldDescription
aesgcm [Required]
AESConfiguration

aesgcm is the configuration for the AES-GCM transformer.

aescbc [Required]
AESConfiguration

aescbc is the configuration for the AES-CBC transformer.

secretbox [Required]
SecretboxConfiguration

secretbox is the configuration for the Secretbox based transformer.

identity [Required]
IdentityConfiguration

identity is the (empty) configuration for the identity transformer.

kms [Required]
KMSConfiguration

kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.

ResourceConfiguration

Appears in:

ResourceConfiguration stores per resource configuration.

FieldDescription
resources [Required]
[]string

resources is a list of kubernetes resources which have to be encrypted. The resource names are derived from resource or resource.group of the group/version/resource. eg: pandas.awesome.bears.example is a custom resource with ‘group’: awesome.bears.example, ‘resource’: pandas. Use ‘.‘ to encrypt all resources and ‘.’ to encrypt all resources in a specific group. eg: ‘.awesome.bears.example’ will encrypt all resources in the group ‘awesome.bears.example’. eg: ‘*.’ will encrypt all resources in the core group (such as pods, configmaps, etc).

providers [Required]
[]ProviderConfiguration

providers is a list of transformers to be used for reading and writing the resources to disk. eg: aesgcm, aescbc, secretbox, identity, kms.

SecretboxConfiguration

Appears in:

SecretboxConfiguration contains the API configuration for an Secretbox transformer.

FieldDescription
keys [Required]
[]Key

keys is a list of keys to be used for creating the Secretbox transformer. Each key has to be 32 bytes long.

WebhookConfiguration

Appears in:

FieldDescription
authorizedTTL [Required]
meta/v1.Duration

The duration to cache ‘authorized’ responses from the webhook authorizer. Same as setting —authorization-webhook-cache-authorized-ttl flag Default: 5m0s

unauthorizedTTL [Required]
meta/v1.Duration

The duration to cache ‘unauthorized’ responses from the webhook authorizer. Same as setting —authorization-webhook-cache-unauthorized-ttl flag Default: 30s

timeout [Required]
meta/v1.Duration

Timeout for the webhook request Maximum allowed value is 30s. Required, no default value.

subjectAccessReviewVersion [Required]
string

The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook. Same as setting —authorization-webhook-version flag Valid values: v1beta1, v1 Required, no default value

matchConditionSubjectAccessReviewVersion [Required]
string

MatchConditionSubjectAccessReviewVersion specifies the SubjectAccessReview version the CEL expressions are evaluated against Valid values: v1 Required, no default value

failurePolicy [Required]
string

Controls the authorization decision when a webhook request fails to complete or returns a malformed response or errors evaluating matchConditions. Valid values:

  • NoOpinion: continue to subsequent authorizers to see if one of them allows the request
  • Deny: reject the request without consulting subsequent authorizers Required, with no default.
connectionInfo [Required]
WebhookConnectionInfo

ConnectionInfo defines how we talk to the webhook

matchConditions [Required]
[]WebhookMatchCondition

matchConditions is a list of conditions that must be met for a request to be sent to this webhook. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

The exact matching logic is (in order):

  1. If at least one matchCondition evaluates to FALSE, then the webhook is skipped.
  2. If ALL matchConditions evaluate to TRUE, then the webhook is called.
  3. If at least one matchCondition evaluates to an error (but none are FALSE):
    • If failurePolicy=Deny, then the webhook rejects the request
    • If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped

WebhookConnectionInfo

Appears in:

FieldDescription
type [Required]
string

Controls how the webhook should communicate with the server. Valid values:

  • KubeConfigFile: use the file specified in kubeConfigFile to locate the server.
  • InClusterConfig: use the in-cluster configuration to call the SubjectAccessReview API hosted by kube-apiserver. This mode is not allowed for kube-apiserver.
kubeConfigFile [Required]
string

Path to KubeConfigFile for connection info Required, if connectionInfo.Type is KubeConfig

WebhookMatchCondition

Appears in:

FieldDescription
expression [Required]
string

expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the SubjectAccessReview in v1 version. If version specified by subjectAccessReviewVersion in the request variable is v1beta1, the contents would be converted to the v1 version before evaluating the CEL expression.

  • ‘resourceAttributes’ describes information for a resource access request and is unset for non-resource requests. e.g. has(request.resourceAttributes) && request.resourceAttributes.namespace == ‘default’
  • ‘nonResourceAttributes’ describes information for a non-resource access request and is unset for resource requests. e.g. has(request.nonResourceAttributes) && request.nonResourceAttributes.path == ‘/healthz’.
  • ‘user’ is the user to test for. e.g. request.user == ‘alice’
  • ‘groups’ is the groups to test for. e.g. (‘group1’ in request.groups)
  • ‘extra’ corresponds to the user.Info.GetExtra() method from the authenticator.
  • ‘uid’ is the information about the requesting user. e.g. request.uid == ‘1’

Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/