Documentation ¶
Index ¶
- func AddGraphEventHandlers(graph *Graph, nodes corev1informers.NodeInformer, ...)
- type Graph
- func (g *Graph) AddPV(pv *corev1.PersistentVolume)
- func (g *Graph) AddPod(pod *corev1.Pod)
- func (g *Graph) AddVolumeAttachment(attachmentName, nodeName string)
- func (g *Graph) DeletePV(name string)
- func (g *Graph) DeletePod(name, namespace string)
- func (g *Graph) DeleteVolumeAttachment(name string)
- func (g *Graph) SetNodeConfigMap(nodeName, configMapName, configMapNamespace string)
- type NodeAuthorizer
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddGraphEventHandlers ¶
func AddGraphEventHandlers(
	graph *Graph,
	nodes corev1informers.NodeInformer,
	pods corev1informers.PodInformer,
	pvs corev1informers.PersistentVolumeInformer,
	attachments storageinformers.VolumeAttachmentInformer,
)
Types ¶
type Graph ¶
type Graph struct {
// contains filtered or unexported fields
}
Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:
node <- pod
pod <- secret,configmap,pvc
pvc <- pv
pv <- secret
func (*Graph) AddPV ¶
func (g *Graph) AddPV(pv *corev1.PersistentVolume)
AddPV sets up edges for the following relationships:
secret -> pv
pv -> pvc
func (*Graph) AddPod ¶
func (g *Graph) AddPod(pod *corev1.Pod)
AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once bound to a node):
pod -> node
secret -> pod
configmap -> pod
pvc -> pod
svcacct -> pod
func (*Graph) AddVolumeAttachment ¶
func (g *Graph) AddVolumeAttachment(attachmentName, nodeName string)
AddVolumeAttachment sets up edges for the following relationships:
volume attachment -> node
type NodeAuthorizer ¶
type NodeAuthorizer struct {
// contains filtered or unexported fields
}
NodeAuthorizer authorizes requests from kubelets, with the following logic:
- If a request is not from a node (NodeIdentity() returns isNode=false), reject
- If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject
- If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node:
  node <- configmap
  node <- pod
  node <- pod <- secret
  node <- pod <- configmap
  node <- pod <- pvc
  node <- pod <- pvc <- pv
  node <- pod <- pvc <- pv <- secret
- For other resources, authorize all nodes uniformly using statically defined rules
func NewAuthorizer ¶
func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) *NodeAuthorizer
NewAuthorizer returns a new node authorizer
func (*NodeAuthorizer) Authorize ¶
func (r *NodeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error)
func (*NodeAuthorizer) RulesFor ¶
func (r *NodeAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
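An added example, written for this page and not code from the node authorizer package: a self-contained Go model of the Graph described above and of the four-step decision in the NodeAuthorizer doc comment. It imports nothing from Kubernetes. The Vertex, Graph, Attributes, Decision and Authorizer types, the AddPod/AddPV/DeletePod signatures (plain strings instead of API objects), the "verb resource" rule map standing in for the static PolicyRule list, and the sample objects named in the usage note are all assumptions of this model. It covers the pod-mediated edges (node <- pod <- secret/configmap/pvc, pvc <- pv <- secret) and the default system:node:<name> identity; the direct node <- configmap edge, the service-account edge and VolumeAttachment edges are left out.

```go
package main

import "strings"

// Vertex identifies one API object; cluster-scoped kinds (node, pv) use "" as Namespace.
type Vertex struct{ Kind, Namespace, Name string }
const Node, Pod, Secret, ConfigMap, PVC, PV = "node", "pod", "secret", "configmap", "pvc", "pv"

// Graph keeps directed edges that all point toward node vertices (assumed model of the page's graph).
type Graph struct{ out map[Vertex]map[Vertex]bool }
func NewGraph() *Graph { return &Graph{out: map[Vertex]map[Vertex]bool{}} }
func (g *Graph) addEdge(from, to Vertex) {
	if g.out[from] == nil {
		g.out[from] = map[Vertex]bool{}
	}
	g.out[from][to] = true
}
// AddPod records pod -> node and secret/configmap/pvc -> pod for a pod already bound to nodeName.
func (g *Graph) AddPod(ns, name, nodeName string, secrets, configMaps, pvcs []string) {
	pod := Vertex{Pod, ns, name}
	g.addEdge(pod, Vertex{Node, "", nodeName})
	for kind, names := range map[string][]string{Secret: secrets, ConfigMap: configMaps, PVC: pvcs} {
		for _, n := range names {
			g.addEdge(Vertex{kind, ns, n}, pod)
		}
	}
}
// AddPV records pv -> pvc for the bound claim and secret -> pv when the volume references a secret.
func (g *Graph) AddPV(name, claimNS, claimName, secretNS, secretName string) {
	g.addEdge(Vertex{PV, "", name}, Vertex{PVC, claimNS, claimName})
	if secretName != "" {
		g.addEdge(Vertex{Secret, secretNS, secretName}, Vertex{PV, "", name})
	}
}
// DeletePod drops the pod vertex and every edge touching it; objects related to the node only via this pod become unreadable.
func (g *Graph) DeletePod(ns, name string) {
	pod := Vertex{Pod, ns, name}
	delete(g.out, pod)
	for _, dsts := range g.out {
		delete(dsts, pod)
	}
}
// hasPathTo reports whether following edges from v reaches the vertex for nodeName.
func (g *Graph) hasPathTo(v Vertex, nodeName string, seen map[Vertex]bool) bool {
	if v == (Vertex{Node, "", nodeName}) {
		return true
	}
	seen[v] = true
	for next := range g.out[v] {
		if !seen[next] && g.hasPathTo(next, nodeName, seen) {
			return true
		}
	}
	return false
}

// Decision: a "reject" is NoOpinion, never Deny, so the request falls through to the next
// authorizer in the chain (typically RBAC), which is also how the real package behaves.
type Decision bool
const NoOpinion, Allow Decision = false, true

// Rules are the static node-wide rules of step 4, keyed "verb resource" (stand-in for PolicyRules).
type Attributes struct{ User, Verb, Resource, Namespace, Name string; Groups []string }
type Authorizer struct{ Graph *Graph; Rules map[string]bool }
var graphed = map[string]string{"secrets": Secret, "configmaps": ConfigMap, "persistentvolumeclaims": PVC, "persistentvolumes": PV}

// nodeIdentity mirrors the default identifier: user "system:node:<name>" in group "system:nodes".
func nodeIdentity(a Attributes) (nodeName string, isNode bool) {
	for _, g := range a.Groups {
		if g == "system:nodes" && strings.HasPrefix(a.User, "system:node:") {
			return strings.TrimPrefix(a.User, "system:node:"), true
		}
	}
	return "", false
}
// Authorize applies the four steps from the doc comment.
func (r *Authorizer) Authorize(a Attributes) (Decision, string) {
	nodeName, isNode := nodeIdentity(a)
	if !isNode {
		return NoOpinion, "not a node"
	}
	if nodeName == "" {
		return NoOpinion, "unknown node for user " + a.User
	}
	if kind, ok := graphed[a.Resource]; ok {
		if a.Verb != "get" || a.Name == "" {
			return NoOpinion, "can only get individually named resources of this type"
		}
		if !r.Graph.hasPathTo(Vertex{kind, a.Namespace, a.Name}, nodeName, map[Vertex]bool{}) {
			return NoOpinion, "no relationship found between node and this object"
		}
		return Allow, ""
	}
	if r.Rules[a.Verb+" "+a.Resource] {
		return Allow, ""
	}
	return NoOpinion, "no static node rule allows this request"
}
```

Run it with go test and a test that builds a graph and calls Authorize. With a constructed pod default/web bound to node-a that references secret tls and claim data, and a pv-1 bound to that claim with a node-publish secret kube-system/csi-creds, Authorize allows a get of default/tls and of kube-system/csi-creds from system:node:node-a (the second via node <- pod <- pvc <- pv <- secret), returns NoOpinion with "no relationship found" for the same requests from system:node:node-b or for the secret requested in another namespace, NoOpinion for a list, and NoOpinion again for node-a once DeletePod has removed the pod. The caveat worth keeping in mind: because a reject is NoOpinion rather than Deny, the request continues to the next authorizer, so an RBAC binding that grants system:nodes read access to secrets would let every kubelet read every secret regardless of the graph.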