整体：

TODO: webhook中使用service方式时，apiserver的pod使用hostNetwork，实际是无法解析service fqdn域名的，那么，在apiserver中是如何正确地请求到webhook的。

apiExtensionsServer
apiServer -> DefaultBuildHandlerChain(增加request的filter) -> installAPI
aggregatorAPi
v1.19.0 scheduling资源

handler pkg/registry/

filter: vendor/k8s.io/apiserver/pkg/server/config.go DefaultBuildHandlerChain

apiInstaller : vendor/k8s.io/apiserver/pkg/endpoints/install.go APIInstaller.Install()

apiGroup (/apis/apps等) 逻辑 vendor/k8s.io/kube-aggregate/pkg/apiserver/handler_apis.go apiGroupHandler.ServeHTTP

k8s filter：

withPanicRecovery
withCacheControl
withWarningRecorder
withAuditAnnotations
withRequestInfo
withWaitGroup
WithTimeoutForNonLongRunningRequests 客户端请求超时机制实现
WithCORS
WithAuthentication 身份验证
WithAudit 审计
WithImpersonation
WithAuthorization 授权

认证
authentication注册： pkg/kubeapiserver/options/authentication.go BuiltInAuthenticationOptions.ApplyTo() -> authenticatorConfig.New()

授权
Authorizer注册：
cmd/kube-apiserver/app/server.go buildGenericConfig().BuildAuthorizer()
|
pkg/kubeapiserver/authorizer/config.go New()

准入控制
admissionPlugin注册： pkg/kubeapiserver/options/admissions.go NewAdmissionOptions() 先注册mutating/validating，再注册buildin
cmd/kube-apiserver/app/server.go buildGenericConfig().(Admission.ApplyTo())