Chapter 4. FlowSchema [flowcontrol.apiserver.k8s.io/v1beta3]
- Description
- FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
- Type
-
object
4.1. Specification
Property | Type | Description |
---|---|---|
|
| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
|
| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
|
| |
|
| FlowSchemaSpec describes how the FlowSchema’s specification looks like. |
|
| FlowSchemaStatus represents the current state of a FlowSchema. |
4.1.1. .spec
- Description
- FlowSchemaSpec describes how the FlowSchema’s specification looks like.
- Type
-
object
- Required
-
priorityLevelConfiguration
-
Property | Type | Description |
---|---|---|
|
| FlowDistinguisherMethod specifies the method of a flow distinguisher. |
|
|
|
|
| PriorityLevelConfigurationReference contains information that points to the "request-priority" being used. |
|
|
|
|
| PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request. |
4.1.2. .spec.distinguisherMethod
- Description
- FlowDistinguisherMethod specifies the method of a flow distinguisher.
- Type
-
object
- Required
-
type
-
Property | Type | Description |
---|---|---|
|
|
|
4.1.3. .spec.priorityLevelConfiguration
- Description
- PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
- Type
-
object
- Required
-
name
-
Property | Type | Description |
---|---|---|
|
|
|
4.1.4. .spec.rules
- Description
-
rules
describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema. - Type
-
array
4.1.5. .spec.rules[]
- Description
- PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.
- Type
-
object
- Required
-
subjects
-
Property | Type | Description |
---|---|---|
|
|
|
|
| NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request. |
|
|
|
|
|
ResourcePolicyRule is a predicate that matches some resource requests, testing the request’s verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., |
|
| subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required. |
|
| Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account. |
4.1.6. .spec.rules[].nonResourceRules
- Description
-
nonResourceRules
is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL. - Type
-
array
4.1.7. .spec.rules[].nonResourceRules[]
- Description
- NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
- Type
-
object
- Required
-
verbs
-
nonResourceURLs
-
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
4.1.8. .spec.rules[].resourceRules
- Description
-
resourceRules
is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one ofresourceRules
andnonResourceRules
has to be non-empty. - Type
-
array
4.1.9. .spec.rules[].resourceRules[]
- Description
-
ResourcePolicyRule is a predicate that matches some resource requests, testing the request’s verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e.,
Namespace==""
) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request’s namespace. - Type
-
object
- Required
-
verbs
-
apiGroups
-
resources
-
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4.1.10. .spec.rules[].subjects
- Description
- subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.
- Type
-
array
4.1.11. .spec.rules[].subjects[]
- Description
- Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.
- Type
-
object
- Required
-
kind
-
Property | Type | Description |
---|---|---|
|
| GroupSubject holds detailed information for group-kind subject. |
|
|
|
|
| ServiceAccountSubject holds detailed information for service-account-kind subject. |
|
| UserSubject holds detailed information for user-kind subject. |
4.1.12. .spec.rules[].subjects[].group
- Description
- GroupSubject holds detailed information for group-kind subject.
- Type
-
object
- Required
-
name
-
Property | Type | Description |
---|---|---|
|
| name is the user group that matches, or "*" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required. |
4.1.13. .spec.rules[].subjects[].serviceAccount
- Description
- ServiceAccountSubject holds detailed information for service-account-kind subject.
- Type
-
object
- Required
-
namespace
-
name
-
Property | Type | Description |
---|---|---|
|
|
|
|
|
|
4.1.14. .spec.rules[].subjects[].user
- Description
- UserSubject holds detailed information for user-kind subject.
- Type
-
object
- Required
-
name
-
Property | Type | Description |
---|---|---|
|
|
|
4.1.15. .status
- Description
- FlowSchemaStatus represents the current state of a FlowSchema.
- Type
-
object
Property | Type | Description |
---|---|---|
|
|
|
|
| FlowSchemaCondition describes conditions for a FlowSchema. |
4.1.16. .status.conditions
- Description
-
conditions
is a list of the current states of FlowSchema. - Type
-
array
4.1.17. .status.conditions[]
- Description
- FlowSchemaCondition describes conditions for a FlowSchema.
- Type
-
object
Property | Type | Description |
---|---|---|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
4.2. API endpoints
The following API endpoints are available:
/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas
-
DELETE
: delete collection of FlowSchema -
GET
: list or watch objects of kind FlowSchema -
POST
: create a FlowSchema
-
/apis/flowcontrol.apiserver.k8s.io/v1beta3/watch/flowschemas
-
GET
: watch individual changes to a list of FlowSchema. deprecated: use the 'watch' parameter with a list operation instead.
-
/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas/{name}
-
DELETE
: delete a FlowSchema -
GET
: read the specified FlowSchema -
PATCH
: partially update the specified FlowSchema -
PUT
: replace the specified FlowSchema
-
/apis/flowcontrol.apiserver.k8s.io/v1beta3/watch/flowschemas/{name}
-
GET
: watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
-
/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas/{name}/status
-
GET
: read status of the specified FlowSchema -
PATCH
: partially update status of the specified FlowSchema -
PUT
: replace status of the specified FlowSchema
-
4.2.1. /apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas
- HTTP method
-
DELETE
- Description
- delete collection of FlowSchema
Parameter | Type | Description |
---|---|---|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Reponse body |
---|---|
200 - OK |
|
401 - Unauthorized | Empty |
- HTTP method
-
GET
- Description
- list or watch objects of kind FlowSchema
HTTP code | Reponse body |
---|---|
200 - OK |
|
401 - Unauthorized | Empty |
- HTTP method
-
POST
- Description
- create a FlowSchema
Parameter | Type | Description |
---|---|---|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
|
|
HTTP code | Reponse body |
---|---|
200 - OK |
|
201 - Created |
|
202 - Accepted |
|
401 - Unauthorized | Empty |
4.2.2. /apis/flowcontrol.apiserver.k8s.io/v1beta3/watch/flowschemas
- HTTP method
-
GET
- Description
- watch individual changes to a list of FlowSchema. deprecated: use the 'watch' parameter with a list operation instead.
HTTP code | Reponse body |
---|---|
200 - OK |
|
401 - Unauthorized | Empty |
4.2.3. /apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas/{name}
Parameter | Type | Description |
---|---|---|
|
| name of the FlowSchema |
- HTTP method
-
DELETE
- Description
- delete a FlowSchema
Parameter | Type | Description |
---|---|---|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Reponse body |
---|---|
200 - OK |
|
202 - Accepted |
|
401 - Unauthorized | Empty |
- HTTP method
-
GET
- Description
- read the specified FlowSchema
HTTP code | Reponse body |
---|---|
200 - OK |
|
401 - Unauthorized | Empty |
- HTTP method
-
PATCH
- Description
- partially update the specified FlowSchema
Parameter | Type | Description |
---|---|---|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Reponse body |
---|---|
200 - OK |
|
201 - Created |
|
401 - Unauthorized | Empty |
- HTTP method
-
PUT
- Description
- replace the specified FlowSchema
Parameter | Type | Description |
---|---|---|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
|
|
HTTP code | Reponse body |
---|---|
200 - OK |
|
201 - Created |
|
401 - Unauthorized | Empty |
4.2.4. /apis/flowcontrol.apiserver.k8s.io/v1beta3/watch/flowschemas/{name}
Parameter | Type | Description |
---|---|---|
|
| name of the FlowSchema |
- HTTP method
-
GET
- Description
- watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
HTTP code | Reponse body |
---|---|
200 - OK |
|
401 - Unauthorized | Empty |
4.2.5. /apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas/{name}/status
Parameter | Type | Description |
---|---|---|
|
| name of the FlowSchema |
- HTTP method
-
GET
- Description
- read status of the specified FlowSchema
HTTP code | Reponse body |
---|---|
200 - OK |
|
401 - Unauthorized | Empty |
- HTTP method
-
PATCH
- Description
- partially update status of the specified FlowSchema
Parameter | Type | Description |
---|---|---|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Reponse body |
---|---|
200 - OK |
|
201 - Created |
|
401 - Unauthorized | Empty |
- HTTP method
-
PUT
- Description
- replace status of the specified FlowSchema
Parameter | Type | Description |
---|---|---|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
|
|
HTTP code | Reponse body |
---|---|
200 - OK |
|
201 - Created |
|
401 - Unauthorized | Empty |