Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Config ¶
// Config holds the parameters used to construct a token client.
type Config struct {
	// Mode is the operation mode for the token client. It is declared as a
	// plain string rather than as OperationMode.
	// NOTE(review): presumably expected to be "standard" or "managed" (the
	// OperationMode values) — confirm where it is validated and what happens
	// on an unknown value.
	Mode string
	// RetryAttemptsForCreated is the number of retries in NMI to find an
	// assigned identity in CREATED state (standard mode).
	RetryAttemptsForCreated int
	// RetryAttemptsForAssigned is the number of retries in NMI to find an
	// assigned identity in ASSIGNED state (standard mode).
	RetryAttemptsForAssigned int
	// FindIdentityRetryIntervalInSeconds is the interval, in seconds, between
	// retries when looking for assigned identities (standard mode).
	FindIdentityRetryIntervalInSeconds int
	// NodeName is the node on which NMI is running.
	NodeName string
	// Namespaced makes NMI look for identities in the same namespace as the pod.
	// NOTE(review): this reads as the isolation switch for identity matching;
	// with it false, identities outside the pod's namespace are presumably
	// eligible — confirm before treating namespaces as a tenant boundary.
	Namespaced bool
}
Config holds the parameters used by the token client.
type ManagedClient ¶
// ManagedClient is the token client type returned by NewManagedTokenClient.
type ManagedClient struct {
	// TokenClient is embedded, so any interface method not declared on
	// *ManagedClient is promoted from this value.
	// NOTE(review): only GetIdentities is listed for *ManagedClient; a
	// GetTokens call would then resolve to this embedded value — confirm the
	// constructor populates it, since a nil embedded interface panics on use.
	TokenClient
	// KubeClient is the Kubernetes client used by this token client.
	KubeClient k8s.Client
	// IsNamespaced is presumably copied from Config.Namespaced and restricts
	// identity matching to the pod's namespace — confirm in the constructor.
	IsNamespaced bool
}
ManagedClient implements the TokenClient interface
func NewManagedTokenClient ¶
func NewManagedTokenClient(client k8s.Client, config Config) (*ManagedClient, error)
NewManagedTokenClient creates a new managed token client.
func (*ManagedClient) GetIdentities ¶
func (mc *ManagedClient) GetIdentities(ctx context.Context, podns, podname, clientID, resourceID string) (*aadpodid.AzureIdentity, error)
GetIdentities gets the azure identity that matches the podns/podname and client id
type OperationMode ¶
// OperationMode names the mode in which NMI operates. It is a string type;
// the values declared for it in this package are StandardMode and ManagedMode.
type OperationMode string
OperationMode is the mode in which NMI is operating. Allowed values: standard, managed.
// Operation modes defined for NMI.
// NOTE(review): both values are lowercase; confirm whether Config.Mode is
// normalised before being compared with them.
const (
	// StandardMode is the name of NMI's standard mode.
	StandardMode OperationMode = "standard"
	// ManagedMode is the name of NMI's managed mode.
	ManagedMode OperationMode = "managed"
)
type StandardClient ¶
// StandardClient is the token client type returned by NewStandardTokenClient.
type StandardClient struct {
	// TokenClient is embedded, so any interface method not declared on
	// *StandardClient is promoted from this value.
	// NOTE(review): only GetIdentities is listed for *StandardClient; confirm
	// the embedded value is populated before GetTokens is called through it.
	TokenClient
	// KubeClient is the Kubernetes client used by this token client.
	KubeClient k8s.Client
	// ListPodIDsRetryAttemptsForCreated is a retry count.
	// NOTE(review): presumably set from Config.RetryAttemptsForCreated — confirm.
	ListPodIDsRetryAttemptsForCreated int
	// ListPodIDsRetryAttemptsForAssigned is a retry count.
	// NOTE(review): presumably set from Config.RetryAttemptsForAssigned — confirm.
	ListPodIDsRetryAttemptsForAssigned int
	// ListPodIDsRetryIntervalInSeconds is a retry interval in seconds.
	// NOTE(review): presumably set from
	// Config.FindIdentityRetryIntervalInSeconds — confirm.
	ListPodIDsRetryIntervalInSeconds int
	// IsNamespaced is presumably copied from Config.Namespaced and restricts
	// identity matching to the pod's namespace — confirm in the constructor.
	IsNamespaced bool
}
StandardClient implements the TokenClient interface
func NewStandardTokenClient ¶
func NewStandardTokenClient(client k8s.Client, config Config) (*StandardClient, error)
NewStandardTokenClient creates a new standard NMI client.
func (*StandardClient) GetIdentities ¶
func (sc *StandardClient) GetIdentities(ctx context.Context, podns, podname, clientID, resourceID string) (*aadpodid.AzureIdentity, error)
GetIdentities gets the azure identity that matches the podns/podname and client id
type TokenClient ¶
// TokenClient abstracts how pod identities and ADAL tokens are retrieved.
type TokenClient interface {
	// GetIdentities looks up the identity that matches the given pod and
	// returns it as an AzureIdentity. The pod is named by podns/podname;
	// clientID and resourceID are additional selectors. Although the name is
	// plural, the signature returns a single *aadpodid.AzureIdentity.
	// NOTE(review): the result decides which identity a pod may use, so
	// confirm how an empty clientID/resourceID and multiple candidate
	// identities are resolved by each implementation.
	GetIdentities(ctx context.Context, podns, podname, clientID, resourceID string) (*aadpodid.AzureIdentity, error)
	// GetTokens acquires tokens by using the AzureIdentity passed as podID.
	// The returned tokens are credentials; callers should keep them out of
	// logs and error messages.
	GetTokens(ctx context.Context, clientID, resource string, podID aadpodid.AzureIdentity) (tokens []*adal.Token, err error)
}
TokenClient is an abstraction used to retrieve pods' identities and ADAL tokens.
func GetTokenClient ¶
func GetTokenClient(client k8s.Client, config Config) (TokenClient, error)
GetTokenClient returns a token client