├── .gitignore
├── image
    ├── .gitignore
    └── Dockerfile
├── go.mod
├── examples
    ├── pod-with-defaults.yaml
    ├── pod-with-override.yaml
    └── pod-with-conflict.yaml
├── Makefile
├── deployment
    ├── deployment.yaml.template
    └── generate-keys.sh
├── deploy.sh
├── README.md
├── cmd
    └── webhook-server
    │   ├── main.go
    │   └── admission_controller.go
├── LICENSE
└── go.sum


/.gitignore:
--------------------------------------------------------------------------------
1 | /.idea/
2 | 


--------------------------------------------------------------------------------
/image/.gitignore:
--------------------------------------------------------------------------------
1 | /webhook-server
2 | 


--------------------------------------------------------------------------------
/image/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM scratch
2 | 
3 | COPY ./webhook-server /
4 | ENTRYPOINT ["/webhook-server"]
5 | 


--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/stackrox/admission-controller-webhook-demo
2 | 
3 | go 1.16
4 | 
5 | require (
6 | 	k8s.io/api v0.22.0
7 | 	k8s.io/apimachinery v0.22.0
8 | )
9 | 


--------------------------------------------------------------------------------
/examples/pod-with-defaults.yaml:
--------------------------------------------------------------------------------
 1 | # A pod with no securityContext specified.
 2 | # Without the webhook, it would run as user root (0). The webhook mutates it
 3 | # to run as the non-root user with uid 1234.
 4 | apiVersion: v1
 5 | kind: Pod
 6 | metadata:
 7 |   name: pod-with-defaults
 8 |   labels:
 9 |     app: pod-with-defaults
10 | spec:
11 |   restartPolicy: OnFailure
12 |   containers:
13 |     - name: busybox
14 |       image: busybox
15 |       command: ["sh", "-c", "echo I am running as user $(id -u)"]
16 | 


--------------------------------------------------------------------------------
/examples/pod-with-override.yaml:
--------------------------------------------------------------------------------
 1 | # A pod with a securityContext explicitly allowing it to run as root.
 2 | # The effect of deploying this with and without the webhook is the same. The
 3 | # explicit setting however prevents the webhook from applying more secure
 4 | # defaults.
 5 | apiVersion: v1
 6 | kind: Pod
 7 | metadata:
 8 |   name: pod-with-override
 9 |   labels:
10 |     app: pod-with-override
11 | spec:
12 |   restartPolicy: OnFailure
13 |   securityContext:
14 |     runAsNonRoot: false
15 |   containers:
16 |     - name: busybox
17 |       image: busybox
18 |       command: ["sh", "-c", "echo I am running as user $(id -u)"]
19 | 


--------------------------------------------------------------------------------
/examples/pod-with-conflict.yaml:
--------------------------------------------------------------------------------
 1 | # A pod with a conflicting securityContext setting: it has to run as a non-root
 2 | # user, but we explicitly request a user id of 0 (root).
 3 | # Without the webhook, the pod could be created, but would be unable to launch
 4 | # due to an unenforceable security context leading to it being stuck in a
 5 | # `CreateContainerConfigError` status. With the webhook, the creation of
 6 | # the pod is outright rejected.
 7 | apiVersion: v1
 8 | kind: Pod
 9 | metadata:
10 |   name: pod-with-conflict
11 |   labels:
12 |     app: pod-with-conflict
13 | spec:
14 |   restartPolicy: OnFailure
15 |   securityContext:
16 |     runAsNonRoot: true
17 |     runAsUser: 0
18 |   containers:
19 |     - name: busybox
20 |       image: busybox
21 |       command: ["sh", "-c", "echo I am running as user $(id -u)"]
22 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | # Copyright (c) 2019 StackRox Inc.
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #    http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | # Makefile for building the Admission Controller webhook demo server + docker image.
16 | 
17 | .DEFAULT_GOAL := docker-image
18 | 
19 | IMAGE ?= stackrox/admission-controller-webhook-demo:latest
20 | 
21 | image/webhook-server: $(shell find . -name '*.go')
22 | 	CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o $@ ./cmd/webhook-server
23 | 
24 | .PHONY: docker-image
25 | docker-image: image/webhook-server
26 | 	docker build -t $(IMAGE) image/
27 | 
28 | .PHONY: push-image
29 | push-image: docker-image
30 | 	docker push $(IMAGE)
31 | 


--------------------------------------------------------------------------------
/deployment/deployment.yaml.template:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: webhook-server
 5 |   namespace: webhook-demo
 6 |   labels:
 7 |     app: webhook-server
 8 | spec:
 9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: webhook-server
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: webhook-server
17 |     spec:
18 |       securityContext:
19 |         runAsNonRoot: true
20 |         runAsUser: 1234
21 |       containers:
22 |       - name: server
23 |         image: stackrox/admission-controller-webhook-demo:latest
24 |         imagePullPolicy: Always
25 |         ports:
26 |         - containerPort: 8443
27 |           name: webhook-api
28 |         volumeMounts:
29 |         - name: webhook-tls-certs
30 |           mountPath: /run/secrets/tls
31 |           readOnly: true
32 |       volumes:
33 |       - name: webhook-tls-certs
34 |         secret:
35 |           secretName: webhook-server-tls
36 | ---
37 | apiVersion: v1
38 | kind: Service
39 | metadata:
40 |   name: webhook-server
41 |   namespace: webhook-demo
42 | spec:
43 |   selector:
44 |     app: webhook-server
45 |   ports:
46 |     - port: 443
47 |       targetPort: webhook-api
48 | ---
49 | apiVersion: admissionregistration.k8s.io/v1beta1
50 | kind: MutatingWebhookConfiguration
51 | metadata:
52 |   name: demo-webhook
53 | webhooks:
54 |   - name: webhook-server.webhook-demo.svc
55 |     sideEffects: None
56 |     admissionReviewVersions: ["v1", "v1beta1"]
57 |     clientConfig:
58 |       service:
59 |         name: webhook-server
60 |         namespace: webhook-demo
61 |         path: "/mutate"
62 |       caBundle: ${CA_PEM_B64}
63 |     rules:
64 |       - operations: [ "CREATE" ]
65 |         apiGroups: [""]
66 |         apiVersions: ["v1"]
67 |         resources: ["pods"]
68 | 


--------------------------------------------------------------------------------
/deploy.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Copyright (c) 2019 StackRox Inc.
 4 | #
 5 | # Licensed under the Apache License, Version 2.0 (the "License");
 6 | # you may not use this file except in compliance with the License.
 7 | # You may obtain a copy of the License at
 8 | #
 9 | #    http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 | 
17 | # deploy.sh
18 | #
19 | # Sets up the environment for the admission controller webhook demo in the active cluster.
20 | 
21 | set -euo pipefail
22 | 
23 | basedir="$(dirname "$0")/deployment"
24 | keydir="$(mktemp -d)"
25 | 
26 | # Generate keys into a temporary directory.
27 | echo "Generating TLS keys ..."
28 | "${basedir}/generate-keys.sh" "$keydir"
29 | 
30 | # Create the `webhook-demo` namespace. This cannot be part of the YAML file as we first need to create the TLS secret,
31 | # which would fail otherwise.
32 | echo "Creating Kubernetes objects ..."
33 | kubectl create namespace webhook-demo
34 | 
35 | # Create the TLS secret for the generated keys.
36 | kubectl -n webhook-demo create secret tls webhook-server-tls \
37 |     --cert "${keydir}/webhook-server-tls.crt" \
38 |     --key "${keydir}/webhook-server-tls.key"
39 | 
40 | # Read the PEM-encoded CA certificate, base64 encode it, and replace the `${CA_PEM_B64}` placeholder in the YAML
41 | # template with it. Then, create the Kubernetes resources.
42 | ca_pem_b64="$(openssl base64 -A <"${keydir}/ca.crt")"
43 | sed -e 's@${CA_PEM_B64}@'"$ca_pem_b64"'@g' <"${basedir}/deployment.yaml.template" \
44 |     | kubectl create -f -
45 | 
46 | # Delete the key directory to prevent abuse (DO NOT USE THESE KEYS ANYWHERE ELSE).
47 | rm -rf "$keydir"
48 | 
49 | echo "The webhook server has been deployed and configured!"
50 | 


--------------------------------------------------------------------------------
/deployment/generate-keys.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | # Copyright (c) 2019 StackRox Inc.
 4 | #
 5 | # Licensed under the Apache License, Version 2.0 (the "License");
 6 | # you may not use this file except in compliance with the License.
 7 | # You may obtain a copy of the License at
 8 | #
 9 | #    http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 | 
17 | # generate-keys.sh
18 | #
19 | # Generate a (self-signed) CA certificate and a certificate and private key to be used by the webhook demo server.
20 | # The certificate will be issued for the Common Name (CN) of `webhook-server.webhook-demo.svc`, which is the
21 | # cluster-internal DNS name for the service.
22 | #
23 | # NOTE: THIS SCRIPT EXISTS FOR DEMO PURPOSES ONLY. DO NOT USE IT FOR YOUR PRODUCTION WORKLOADS.
24 | 
25 | : ${1?'missing key directory'}
26 | 
27 | key_dir="$1"
28 | 
29 | chmod 0700 "$key_dir"
30 | cd "$key_dir"
31 | 
32 | cat >server.conf <<EOF
33 | [req]
34 | req_extensions = v3_req
35 | distinguished_name = req_distinguished_name
36 | prompt = no
37 | [req_distinguished_name]
38 | CN = webhook-server.webhook-demo.svc
39 | [ v3_req ]
40 | basicConstraints = CA:FALSE
41 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment
42 | extendedKeyUsage = clientAuth, serverAuth
43 | subjectAltName = @alt_names
44 | [alt_names]
45 | DNS.1 = webhook-server.webhook-demo.svc
46 | EOF
47 | 
48 | 
49 | # Generate the CA cert and private key
50 | openssl req -nodes -new -x509 -keyout ca.key -out ca.crt -subj "/CN=Admission Controller Webhook Demo CA"
51 | # Generate the private key for the webhook server
52 | openssl genrsa -out webhook-server-tls.key 2048
53 | # Generate a Certificate Signing Request (CSR) for the private key, and sign it with the private key of the CA.
54 | openssl req -new -key webhook-server-tls.key -subj "/CN=webhook-server.webhook-demo.svc" -config server.conf \
55 |     | openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out webhook-server-tls.crt -extensions v3_req -extfile server.conf
56 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Kubernetes Admission Controller Webhook Demo
 2 | 
 3 | This repository contains a small HTTP server that can be used as a Kubernetes
 4 | [MutatingAdmissionWebhook](https://kubernetes.io/docs/admin/admission-controllers/#mutatingadmissionwebhook-beta-in-19).
 5 | 
 6 | The logic of this demo webhook is fairly simple: it enforces more secure defaults for running
 7 | containers as non-root user. While it is still possible to run containers as root, the webhook
 8 | ensures that this is only possible if the setting `runAsNonRoot` is *explicitly* set to `false`
 9 | in the `securityContext` of the Pod. If no value is set for `runAsNonRoot`, a default of `true`
10 | is applied, and the user ID defaults to `1234`.
11 | 
12 | ## Prerequisites
13 | 
14 | A cluster on which this example can be tested must be running Kubernetes 1.9.0 or above,
15 | with the `admissionregistration.k8s.io/v1beta1` API enabled. You can verify that by observing that the
16 | following command produces a non-empty output:
17 | ```
18 | kubectl api-versions | grep admissionregistration.k8s.io/v1beta1
19 | ```
20 | In addition, the `MutatingAdmissionWebhook` admission controller should be added and listed in the admission-control
21 | flag of `kube-apiserver`.
22 | 
23 | For building the image, [GNU make](https://www.gnu.org/software/make/) and [Go](https://golang.org) are required.
24 | 
25 | ## Deploying the Webhook Server
26 | 
27 | 1. Bring up a Kubernetes cluster satisfying the above prerequisites, and make
28 | sure it is active (i.e., either via the configuration in the default location, or by setting
29 | the `KUBECONFIG` environment variable).
30 | 2. Run `./deploy.sh`. This will create a CA, a certificate and private key for the webhook server,
31 | and deploy the resources in the newly created `webhook-demo` namespace in your Kubernetes cluster.
32 | 
33 | 
34 | ## Verify
35 | 
36 | 1. The `webhook-server` pod in the `webhook-demo` namespace should be running:
37 | ```
38 | $ kubectl -n webhook-demo get pods
39 | NAME                             READY     STATUS    RESTARTS   AGE
40 | webhook-server-6f976f7bf-hssc9   1/1       Running   0          35m
41 | ```
42 | 
43 | 2. A `MutatingWebhookConfiguration` named `demo-webhook` should exist:
44 | ```
45 | $ kubectl get mutatingwebhookconfigurations
46 | NAME           AGE
47 | demo-webhook   36m
48 | ```
49 | 
50 | 3. Deploy [a pod](examples/pod-with-defaults.yaml) that neither sets `runAsNonRoot` nor `runAsUser`:
51 | ```
52 | $ kubectl create -f examples/pod-with-defaults.yaml
53 | ```
54 | Verify that the pod has default values in its security context filled in:
55 | ```
56 | $ kubectl get pod/pod-with-defaults -o yaml
57 | ...
58 |   securityContext:
59 |     runAsNonRoot: true
60 |     runAsUser: 1234
61 | ...
62 | ```
63 | Also, check the logs that the pod had in fact been running as a non-root user:
64 | ```
65 | $ kubectl logs pod-with-defaults
66 | I am running as user 1234
67 | ```
68 | 
69 | 4. Deploy [a pod](examples/pod-with-override.yaml) that explicitly sets `runAsNonRoot` to `false`, allowing it to run as the
70 | `root` user:
71 | ```
72 | $ kubectl create -f examples/pod-with-override.yaml
73 | $ kubectl get pod/pod-with-override -o yaml
74 | ...
75 |   securityContext:
76 |     runAsNonRoot: false
77 | ...
78 | $ kubectl logs pod-with-override
79 | I am running as user 0
80 | ```
81 | 
82 | 5. Attempt to deploy [a pod](examples/pod-with-conflict.yaml) that has a conflicting setting: `runAsNonRoot` set to `true`, but `runAsUser` set to 0 (root).
83 | The admission controller should block the creation of that pod.
84 | ```
85 | $ kubectl create -f examples/pod-with-conflict.yaml 
86 | Error from server (InternalError): error when creating "examples/pod-with-conflict.yaml": Internal error
87 | occurred: admission webhook "webhook-server.webhook-demo.svc" denied the request: runAsNonRoot specified,
88 | but runAsUser set to 0 (the root user)
89 | ```
90 | 
91 | ## Build the Image from Sources (optional)
92 | 
93 | An image can be built by running `make`.
94 | If you want to modify the webhook server for testing purposes, be sure to set and export
95 | the shell environment variable `IMAGE` to an image tag for which you have push access. You can then
96 | build and push the image by running `make push-image`. Also make sure to change the image tag
97 | in `deployment/deployment.yaml.template`, and if necessary, add image pull secrets.
98 | 
99 | 


--------------------------------------------------------------------------------
/cmd/webhook-server/main.go:
--------------------------------------------------------------------------------
  1 | /*
  2 | Copyright (c) 2019 StackRox Inc.
  3 | 
  4 | Licensed under the Apache License, Version 2.0 (the "License");
  5 | you may not use this file except in compliance with the License.
  6 | You may obtain a copy of the License at
  7 | 
  8 |    http://www.apache.org/licenses/LICENSE-2.0
  9 | 
 10 | Unless required by applicable law or agreed to in writing, software
 11 | distributed under the License is distributed on an "AS IS" BASIS,
 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 | See the License for the specific language governing permissions and
 14 | limitations under the License.
 15 | */
 16 | 
 17 | package main
 18 | 
 19 | import (
 20 | 	"errors"
 21 | 	"fmt"
 22 | 	"log"
 23 | 	"net/http"
 24 | 	"path/filepath"
 25 | 
 26 | 	admission "k8s.io/api/admission/v1beta1"
 27 | 	corev1 "k8s.io/api/core/v1"
 28 | 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 29 | )
 30 | 
 31 | const (
 32 | 	tlsDir      = `/run/secrets/tls`
 33 | 	tlsCertFile = `tls.crt`
 34 | 	tlsKeyFile  = `tls.key`
 35 | )
 36 | 
 37 | var (
 38 | 	podResource = metav1.GroupVersionResource{Version: "v1", Resource: "pods"}
 39 | )
 40 | 
 41 | // applySecurityDefaults implements the logic of our example admission controller webhook. For every pod that is created
 42 | // (outside of Kubernetes namespaces), it first checks if `runAsNonRoot` is set. If it is not, it is set to a default
 43 | // value of `false`. Furthermore, if `runAsUser` is not set (and `runAsNonRoot` was not initially set), it defaults
 44 | // `runAsUser` to a value of 1234.
 45 | //
 46 | // To demonstrate how requests can be rejected, this webhook further validates that the `runAsNonRoot` setting does
 47 | // not conflict with the `runAsUser` setting - i.e., if the former is set to `true`, the latter must not be `0`.
 48 | // Note that we combine both the setting of defaults and the check for potential conflicts in one webhook; ideally,
 49 | // the latter would be performed in a validating webhook admission controller.
 50 | func applySecurityDefaults(req *admission.AdmissionRequest) ([]patchOperation, error) {
 51 | 	// This handler should only get called on Pod objects as per the MutatingWebhookConfiguration in the YAML file.
 52 | 	// However, if (for whatever reason) this gets invoked on an object of a different kind, issue a log message but
 53 | 	// let the object request pass through otherwise.
 54 | 	if req.Resource != podResource {
 55 | 		log.Printf("expect resource to be %s", podResource)
 56 | 		return nil, nil
 57 | 	}
 58 | 
 59 | 	// Parse the Pod object.
 60 | 	raw := req.Object.Raw
 61 | 	pod := corev1.Pod{}
 62 | 	if _, _, err := universalDeserializer.Decode(raw, nil, &pod); err != nil {
 63 | 		return nil, fmt.Errorf("could not deserialize pod object: %v", err)
 64 | 	}
 65 | 
 66 | 	// Retrieve the `runAsNonRoot` and `runAsUser` values.
 67 | 	var runAsNonRoot *bool
 68 | 	var runAsUser *int64
 69 | 	if pod.Spec.SecurityContext != nil {
 70 | 		runAsNonRoot = pod.Spec.SecurityContext.RunAsNonRoot
 71 | 		runAsUser = pod.Spec.SecurityContext.RunAsUser
 72 | 	}
 73 | 
 74 | 	// Create patch operations to apply sensible defaults, if those options are not set explicitly.
 75 | 	var patches []patchOperation
 76 | 	if runAsNonRoot == nil {
 77 | 		patches = append(patches, patchOperation{
 78 | 			Op:   "add",
 79 | 			Path: "/spec/securityContext/runAsNonRoot",
 80 | 			// The value must not be true if runAsUser is set to 0, as otherwise we would create a conflicting
 81 | 			// configuration ourselves.
 82 | 			Value: runAsUser == nil || *runAsUser != 0,
 83 | 		})
 84 | 
 85 | 		if runAsUser == nil {
 86 | 			patches = append(patches, patchOperation{
 87 | 				Op:    "add",
 88 | 				Path:  "/spec/securityContext/runAsUser",
 89 | 				Value: 1234,
 90 | 			})
 91 | 		}
 92 | 	} else if *runAsNonRoot == true && (runAsUser != nil && *runAsUser == 0) {
 93 | 		// Make sure that the settings are not contradictory, and fail the object creation if they are.
 94 | 		return nil, errors.New("runAsNonRoot specified, but runAsUser set to 0 (the root user)")
 95 | 	}
 96 | 
 97 | 	return patches, nil
 98 | }
 99 | 
100 | func main() {
101 | 	certPath := filepath.Join(tlsDir, tlsCertFile)
102 | 	keyPath := filepath.Join(tlsDir, tlsKeyFile)
103 | 
104 | 	mux := http.NewServeMux()
105 | 	mux.Handle("/mutate", admitFuncHandler(applySecurityDefaults))
106 | 	server := &http.Server{
107 | 		// We listen on port 8443 such that we do not need root privileges or extra capabilities for this server.
108 | 		// The Service object will take care of mapping this port to the HTTPS port 443.
109 | 		Addr:    ":8443",
110 | 		Handler: mux,
111 | 	}
112 | 	log.Fatal(server.ListenAndServeTLS(certPath, keyPath))
113 | }
114 | 


--------------------------------------------------------------------------------
/cmd/webhook-server/admission_controller.go:
--------------------------------------------------------------------------------
  1 | /*
  2 | Copyright (c) 2019 StackRox Inc.
  3 | 
  4 | Licensed under the Apache License, Version 2.0 (the "License");
  5 | you may not use this file except in compliance with the License.
  6 | You may obtain a copy of the License at
  7 | 
  8 |    http://www.apache.org/licenses/LICENSE-2.0
  9 | 
 10 | Unless required by applicable law or agreed to in writing, software
 11 | distributed under the License is distributed on an "AS IS" BASIS,
 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 | See the License for the specific language governing permissions and
 14 | limitations under the License.
 15 | */
 16 | 
 17 | package main
 18 | 
 19 | import (
 20 | 	"encoding/json"
 21 | 	"errors"
 22 | 	"fmt"
 23 | 	"io/ioutil"
 24 | 	"log"
 25 | 	"net/http"
 26 | 
 27 | 	admission "k8s.io/api/admission/v1beta1"
 28 | 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 29 | 	"k8s.io/apimachinery/pkg/runtime"
 30 | 	"k8s.io/apimachinery/pkg/runtime/serializer"
 31 | )
 32 | 
 33 | const (
 34 | 	jsonContentType = `application/json`
 35 | )
 36 | 
 37 | var (
 38 | 	universalDeserializer = serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer()
 39 | )
 40 | 
 41 | // patchOperation is an operation of a JSON patch, see https://tools.ietf.org/html/rfc6902 .
 42 | type patchOperation struct {
 43 | 	Op    string      `json:"op"`
 44 | 	Path  string      `json:"path"`
 45 | 	Value interface{} `json:"value,omitempty"`
 46 | }
 47 | 
 48 | // admitFunc is a callback for admission controller logic. Given an AdmissionRequest, it returns the sequence of patch
 49 | // operations to be applied in case of success, or the error that will be shown when the operation is rejected.
 50 | type admitFunc func(*admission.AdmissionRequest) ([]patchOperation, error)
 51 | 
 52 | // isKubeNamespace checks if the given namespace is a Kubernetes-owned namespace.
 53 | func isKubeNamespace(ns string) bool {
 54 | 	return ns == metav1.NamespacePublic || ns == metav1.NamespaceSystem
 55 | }
 56 | 
 57 | // doServeAdmitFunc parses the HTTP request for an admission controller webhook, and -- in case of a well-formed
 58 | // request -- delegates the admission control logic to the given admitFunc. The response body is then returned as raw
 59 | // bytes.
 60 | func doServeAdmitFunc(w http.ResponseWriter, r *http.Request, admit admitFunc) ([]byte, error) {
 61 | 	// Step 1: Request validation. Only handle POST requests with a body and json content type.
 62 | 
 63 | 	if r.Method != http.MethodPost {
 64 | 		w.WriteHeader(http.StatusMethodNotAllowed)
 65 | 		return nil, fmt.Errorf("invalid method %s, only POST requests are allowed", r.Method)
 66 | 	}
 67 | 
 68 | 	body, err := ioutil.ReadAll(r.Body)
 69 | 	if err != nil {
 70 | 		w.WriteHeader(http.StatusBadRequest)
 71 | 		return nil, fmt.Errorf("could not read request body: %v", err)
 72 | 	}
 73 | 
 74 | 	if contentType := r.Header.Get("Content-Type"); contentType != jsonContentType {
 75 | 		w.WriteHeader(http.StatusBadRequest)
 76 | 		return nil, fmt.Errorf("unsupported content type %s, only %s is supported", contentType, jsonContentType)
 77 | 	}
 78 | 
 79 | 	// Step 2: Parse the AdmissionReview request.
 80 | 
 81 | 	var admissionReviewReq admission.AdmissionReview
 82 | 
 83 | 	if _, _, err := universalDeserializer.Decode(body, nil, &admissionReviewReq); err != nil {
 84 | 		w.WriteHeader(http.StatusBadRequest)
 85 | 		return nil, fmt.Errorf("could not deserialize request: %v", err)
 86 | 	} else if admissionReviewReq.Request == nil {
 87 | 		w.WriteHeader(http.StatusBadRequest)
 88 | 		return nil, errors.New("malformed admission review: request is nil")
 89 | 	}
 90 | 
 91 | 	// Step 3: Construct the AdmissionReview response.
 92 | 
 93 | 	admissionReviewResponse := admission.AdmissionReview{
 94 | 		// Since the admission webhook now supports multiple API versions, we need
 95 | 		// to explicitly include the API version in the response.
 96 | 		// This API version needs to match the version from the request exactly, otherwise
 97 | 		// the API server will be unable to process the response.
 98 | 		// Note: a v1beta1 AdmissionReview is JSON-compatible with the v1 version, that's why
 99 | 		// we do not need to differentiate during unmarshaling or in the actual logic.
100 | 		TypeMeta: admissionReviewReq.TypeMeta,
101 | 		Response: &admission.AdmissionResponse{
102 | 			UID: admissionReviewReq.Request.UID,
103 | 		},
104 | 	}
105 | 
106 | 	var patchOps []patchOperation
107 | 	// Apply the admit() function only for non-Kubernetes namespaces. For objects in Kubernetes namespaces, return
108 | 	// an empty set of patch operations.
109 | 	if !isKubeNamespace(admissionReviewReq.Request.Namespace) {
110 | 		patchOps, err = admit(admissionReviewReq.Request)
111 | 	}
112 | 
113 | 	if err != nil {
114 | 		// If the handler returned an error, incorporate the error message into the response and deny the object
115 | 		// creation.
116 | 		admissionReviewResponse.Response.Allowed = false
117 | 		admissionReviewResponse.Response.Result = &metav1.Status{
118 | 			Message: err.Error(),
119 | 		}
120 | 	} else {
121 | 		// Otherwise, encode the patch operations to JSON and return a positive response.
122 | 		patchBytes, err := json.Marshal(patchOps)
123 | 		if err != nil {
124 | 			w.WriteHeader(http.StatusInternalServerError)
125 | 			return nil, fmt.Errorf("could not marshal JSON patch: %v", err)
126 | 		}
127 | 		admissionReviewResponse.Response.Allowed = true
128 | 		admissionReviewResponse.Response.Patch = patchBytes
129 | 
130 | 		// Announce that we are returning a JSON patch (note: this is the only
131 | 		// patch type currently supported, but we have to explicitly announce
132 | 		// it nonetheless).
133 | 		admissionReviewResponse.Response.PatchType = new(admission.PatchType)
134 | 		*admissionReviewResponse.Response.PatchType = admission.PatchTypeJSONPatch
135 | 	}
136 | 
137 | 	// Return the AdmissionReview with a response as JSON.
138 | 	bytes, err := json.Marshal(&admissionReviewResponse)
139 | 	if err != nil {
140 | 		return nil, fmt.Errorf("marshaling response: %v", err)
141 | 	}
142 | 	return bytes, nil
143 | }
144 | 
145 | // serveAdmitFunc is a wrapper around doServeAdmitFunc that adds error handling and logging.
146 | func serveAdmitFunc(w http.ResponseWriter, r *http.Request, admit admitFunc) {
147 | 	log.Print("Handling webhook request ...")
148 | 
149 | 	var writeErr error
150 | 	if bytes, err := doServeAdmitFunc(w, r, admit); err != nil {
151 | 		log.Printf("Error handling webhook request: %v", err)
152 | 		w.WriteHeader(http.StatusInternalServerError)
153 | 		_, writeErr = w.Write([]byte(err.Error()))
154 | 	} else {
155 | 		log.Print("Webhook request handled successfully")
156 | 		_, writeErr = w.Write(bytes)
157 | 	}
158 | 
159 | 	if writeErr != nil {
160 | 		log.Printf("Could not write response: %v", writeErr)
161 | 	}
162 | }
163 | 
164 | // admitFuncHandler takes an admitFunc and wraps it into a http.Handler by means of calling serveAdmitFunc.
165 | func admitFuncHandler(admit admitFunc) http.Handler {
166 | 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
167 | 		serveAdmitFunc(w, r, admit)
168 | 	})
169 | }
170 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
  1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
  2 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
  3 | github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
  4 | github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
  5 | github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
  6 | github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
  7 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
  8 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
  9 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 10 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 11 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 12 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 13 | github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 14 | github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 15 | github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 16 | github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 17 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 18 | github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 19 | github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 20 | github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 21 | github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 22 | github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
 23 | github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 24 | github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 25 | github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
 26 | github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 27 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 28 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 29 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 30 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 31 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 32 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 33 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 34 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 35 | github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 36 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 37 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 38 | github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 39 | github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 40 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 41 | github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 42 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 43 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 44 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 45 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 46 | github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 47 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 48 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 49 | github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 50 | github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 51 | github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 52 | github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 53 | github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 54 | github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
 55 | github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 56 | github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 57 | github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 58 | github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
 59 | github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 60 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 61 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 62 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 63 | github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 64 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 65 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 66 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 67 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 68 | github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 69 | github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 70 | github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 71 | github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 72 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 73 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 74 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 75 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 76 | github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 77 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 78 | github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 79 | github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 80 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 81 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 82 | github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 83 | github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 84 | github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 85 | github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 86 | github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 87 | github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 88 | github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 89 | github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 90 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 91 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 92 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 93 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 94 | github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 95 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 96 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 97 | github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 98 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 99 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
100 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
101 | github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
102 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
103 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
104 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
105 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
106 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
107 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
108 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
109 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
110 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
111 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
112 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
113 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
114 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
115 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
116 | golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
117 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
118 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
119 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
120 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
121 | golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
122 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
123 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
124 | golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
125 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
126 | golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE=
127 | golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
128 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
129 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
130 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
131 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
132 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
133 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
134 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
135 | golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
136 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
137 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
138 | golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
139 | golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
140 | golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
141 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
142 | golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
143 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
144 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
145 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
146 | golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
147 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
148 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
149 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
150 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
151 | golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
152 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
153 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
154 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
155 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
156 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
157 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
158 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
159 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
160 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
161 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
162 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
163 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
164 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
165 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
166 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
167 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
168 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
169 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
170 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
171 | google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
172 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
173 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
174 | google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
175 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
176 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
177 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
178 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
179 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
180 | google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
181 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
182 | google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
183 | google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
184 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
185 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
186 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
187 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
188 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
189 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
190 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
191 | gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
192 | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
193 | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
194 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
195 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
196 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
197 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
198 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
199 | gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
200 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
201 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
202 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
203 | gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
204 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
205 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
206 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
207 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
208 | k8s.io/api v0.22.0 h1:elCpMZ9UE8dLdYxr55E06TmSeji9I3KH494qH70/y+c=
209 | k8s.io/api v0.22.0/go.mod h1:0AoXXqst47OI/L0oGKq9DG61dvGRPXs7X4/B7KyjBCU=
210 | k8s.io/apimachinery v0.22.0 h1:CqH/BdNAzZl+sr3tc0D3VsK3u6ARVSo3GWyLmfIjbP0=
211 | k8s.io/apimachinery v0.22.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
212 | k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
213 | k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
214 | k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
215 | k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
216 | k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
217 | sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
218 | sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
219 | sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
220 | sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
221 | sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
222 | 


--------------------------------------------------------------------------------