Search

Chapter 4. FlowSchema [flowcontrol.apiserver.k8s.io/v1]

download PDF
Description
FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
Type
object

4.1. Specification

PropertyTypeDescription

apiVersion

string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind

string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata

ObjectMeta

metadata is the standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

spec

object

FlowSchemaSpec describes how the FlowSchema’s specification looks like.

status

object

FlowSchemaStatus represents the current state of a FlowSchema.

4.1.1. .spec

Description
FlowSchemaSpec describes how the FlowSchema’s specification looks like.
Type
object
Required
  • priorityLevelConfiguration
PropertyTypeDescription

distinguisherMethod

object

FlowDistinguisherMethod specifies the method of a flow distinguisher.

matchingPrecedence

integer

matchingPrecedence is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.

priorityLevelConfiguration

object

PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.

rules

array

rules describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.

rules[]

object

PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.

4.1.2. .spec.distinguisherMethod

Description
FlowDistinguisherMethod specifies the method of a flow distinguisher.
Type
object
Required
  • type
PropertyTypeDescription

type

string

type is the type of flow distinguisher method The supported types are "ByUser" and "ByNamespace". Required.

4.1.3. .spec.priorityLevelConfiguration

Description
PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
Type
object
Required
  • name
PropertyTypeDescription

name

string

name is the name of the priority level configuration being referenced Required.

4.1.4. .spec.rules

Description
rules describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.
Type
array

4.1.5. .spec.rules[]

Description
PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.
Type
object
Required
  • subjects
PropertyTypeDescription

nonResourceRules

array

nonResourceRules is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.

nonResourceRules[]

object

NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.

resourceRules

array

resourceRules is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of resourceRules and nonResourceRules has to be non-empty.

resourceRules[]

object

ResourcePolicyRule is a predicate that matches some resource requests, testing the request’s verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., Namespace=="") and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request’s namespace.

subjects

array

subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.

subjects[]

object

Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.

4.1.6. .spec.rules[].nonResourceRules

Description
nonResourceRules is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.
Type
array

4.1.7. .spec.rules[].nonResourceRules[]

Description
NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
Type
object
Required
  • verbs
  • nonResourceURLs
PropertyTypeDescription

nonResourceURLs

array (string)

nonResourceURLs is a set of url prefixes that a user should have access to and may not be empty. For example: - "/healthz" is legal - "/hea*" is illegal - "/hea" is legal but matches nothing - "/hea/" also matches nothing - "/healthz/" matches all per-component health checks. "*" matches all non-resource urls. if it is present, it must be the only entry. Required.

verbs

array (string)

verbs is a list of matching verbs and may not be empty. "*" matches all verbs. If it is present, it must be the only entry. Required.

4.1.8. .spec.rules[].resourceRules

Description
resourceRules is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of resourceRules and nonResourceRules has to be non-empty.
Type
array

4.1.9. .spec.rules[].resourceRules[]

Description
ResourcePolicyRule is a predicate that matches some resource requests, testing the request’s verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., Namespace=="") and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request’s namespace.
Type
object
Required
  • verbs
  • apiGroups
  • resources
PropertyTypeDescription

apiGroups

array (string)

apiGroups is a list of matching API groups and may not be empty. "*" matches all API groups and, if present, must be the only entry. Required.

clusterScope

boolean

clusterScope indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the namespaces field must contain a non-empty list.

namespaces

array (string)

namespaces is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains "". Note that "" matches any specified namespace but does not match a request that does not specify a namespace (see the clusterScope field for that). This list may be empty, but only if clusterScope is true.

resources

array (string)

resources is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ "services", "nodes/status" ]. This list may not be empty. "*" matches all resources and, if present, must be the only entry. Required.

verbs

array (string)

verbs is a list of matching verbs and may not be empty. "*" matches all verbs and, if present, must be the only entry. Required.

4.1.10. .spec.rules[].subjects

Description
subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.
Type
array

4.1.11. .spec.rules[].subjects[]

Description
Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.
Type
object
Required
  • kind
PropertyTypeDescription

group

object

GroupSubject holds detailed information for group-kind subject.

kind

string

kind indicates which one of the other fields is non-empty. Required

serviceAccount

object

ServiceAccountSubject holds detailed information for service-account-kind subject.

user

object

UserSubject holds detailed information for user-kind subject.

4.1.12. .spec.rules[].subjects[].group

Description
GroupSubject holds detailed information for group-kind subject.
Type
object
Required
  • name
PropertyTypeDescription

name

string

name is the user group that matches, or "*" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.

4.1.13. .spec.rules[].subjects[].serviceAccount

Description
ServiceAccountSubject holds detailed information for service-account-kind subject.
Type
object
Required
  • namespace
  • name
PropertyTypeDescription

name

string

name is the name of matching ServiceAccount objects, or "*" to match regardless of name. Required.

namespace

string

namespace is the namespace of matching ServiceAccount objects. Required.

4.1.14. .spec.rules[].subjects[].user

Description
UserSubject holds detailed information for user-kind subject.
Type
object
Required
  • name
PropertyTypeDescription

name

string

name is the username that matches, or "*" to match all usernames. Required.

4.1.15. .status

Description
FlowSchemaStatus represents the current state of a FlowSchema.
Type
object
PropertyTypeDescription

conditions

array

conditions is a list of the current states of FlowSchema.

conditions[]

object

FlowSchemaCondition describes conditions for a FlowSchema.

4.1.16. .status.conditions

Description
conditions is a list of the current states of FlowSchema.
Type
array

4.1.17. .status.conditions[]

Description
FlowSchemaCondition describes conditions for a FlowSchema.
Type
object
PropertyTypeDescription

lastTransitionTime

Time

lastTransitionTime is the last time the condition transitioned from one status to another.

message

string

message is a human-readable message indicating details about last transition.

reason

string

reason is a unique, one-word, CamelCase reason for the condition’s last transition.

status

string

status is the status of the condition. Can be True, False, Unknown. Required.

type

string

type is the type of the condition. Required.

4.2. API endpoints

The following API endpoints are available:

  • /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas

    • DELETE: delete collection of FlowSchema
    • GET: list or watch objects of kind FlowSchema
    • POST: create a FlowSchema
  • /apis/flowcontrol.apiserver.k8s.io/v1/watch/flowschemas

    • GET: watch individual changes to a list of FlowSchema. deprecated: use the 'watch' parameter with a list operation instead.
  • /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}

    • DELETE: delete a FlowSchema
    • GET: read the specified FlowSchema
    • PATCH: partially update the specified FlowSchema
    • PUT: replace the specified FlowSchema
  • /apis/flowcontrol.apiserver.k8s.io/v1/watch/flowschemas/{name}

    • GET: watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
  • /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}/status

    • GET: read status of the specified FlowSchema
    • PATCH: partially update status of the specified FlowSchema
    • PUT: replace status of the specified FlowSchema

4.2.1. /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas

HTTP method
DELETE
Description
delete collection of FlowSchema
Table 4.1. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

Table 4.2. HTTP responses
HTTP codeReponse body

200 - OK

Status schema

401 - Unauthorized

Empty

HTTP method
GET
Description
list or watch objects of kind FlowSchema
Table 4.3. HTTP responses
HTTP codeReponse body

200 - OK

FlowSchemaList schema

401 - Unauthorized

Empty

HTTP method
POST
Description
create a FlowSchema
Table 4.4. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 4.5. Body parameters
ParameterTypeDescription

body

FlowSchema schema

 
Table 4.6. HTTP responses
HTTP codeReponse body

200 - OK

FlowSchema schema

201 - Created

FlowSchema schema

202 - Accepted

FlowSchema schema

401 - Unauthorized

Empty

4.2.2. /apis/flowcontrol.apiserver.k8s.io/v1/watch/flowschemas

HTTP method
GET
Description
watch individual changes to a list of FlowSchema. deprecated: use the 'watch' parameter with a list operation instead.
Table 4.7. HTTP responses
HTTP codeReponse body

200 - OK

WatchEvent schema

401 - Unauthorized

Empty

4.2.3. /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}

Table 4.8. Global path parameters
ParameterTypeDescription

name

string

name of the FlowSchema

HTTP method
DELETE
Description
delete a FlowSchema
Table 4.9. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

Table 4.10. HTTP responses
HTTP codeReponse body

200 - OK

Status schema

202 - Accepted

Status schema

401 - Unauthorized

Empty

HTTP method
GET
Description
read the specified FlowSchema
Table 4.11. HTTP responses
HTTP codeReponse body

200 - OK

FlowSchema schema

401 - Unauthorized

Empty

HTTP method
PATCH
Description
partially update the specified FlowSchema
Table 4.12. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 4.13. HTTP responses
HTTP codeReponse body

200 - OK

FlowSchema schema

201 - Created

FlowSchema schema

401 - Unauthorized

Empty

HTTP method
PUT
Description
replace the specified FlowSchema
Table 4.14. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 4.15. Body parameters
ParameterTypeDescription

body

FlowSchema schema

 
Table 4.16. HTTP responses
HTTP codeReponse body

200 - OK

FlowSchema schema

201 - Created

FlowSchema schema

401 - Unauthorized

Empty

4.2.4. /apis/flowcontrol.apiserver.k8s.io/v1/watch/flowschemas/{name}

Table 4.17. Global path parameters
ParameterTypeDescription

name

string

name of the FlowSchema

HTTP method
GET
Description
watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
Table 4.18. HTTP responses
HTTP codeReponse body

200 - OK

WatchEvent schema

401 - Unauthorized

Empty

4.2.5. /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}/status

Table 4.19. Global path parameters
ParameterTypeDescription

name

string

name of the FlowSchema

HTTP method
GET
Description
read status of the specified FlowSchema
Table 4.20. HTTP responses
HTTP codeReponse body

200 - OK

FlowSchema schema

401 - Unauthorized

Empty

HTTP method
PATCH
Description
partially update status of the specified FlowSchema
Table 4.21. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 4.22. HTTP responses
HTTP codeReponse body

200 - OK

FlowSchema schema

201 - Created

FlowSchema schema

401 - Unauthorized

Empty

HTTP method
PUT
Description
replace status of the specified FlowSchema
Table 4.23. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldValidation

string

fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.

Table 4.24. Body parameters
ParameterTypeDescription

body

FlowSchema schema

 
Table 4.25. HTTP responses
HTTP codeReponse body

200 - OK

FlowSchema schema

201 - Created

FlowSchema schema

401 - Unauthorized

Empty

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.