Documentation
Index
- func NodeRestrictionEnabled(kubeConfig clientcmd.ClientConfig, clusterDb *ClusterDb, ...) bool
- type ClusterDb
- type ClusterMetadata
- type ClusterVersion
- type CollectConfig
- type CollectResult
- type NamedEntry
- type NodeEntry
- type NodeToPods
- type RbacDb
- type RoleEntry
- type RoleRef
- type ServiceAccountEntry
Constants
This section is empty.
Variables
This section is empty.
Functions
func NodeRestrictionEnabled
func NodeRestrictionEnabled(kubeConfig clientcmd.ClientConfig, clusterDb *ClusterDb, metadata *ClusterMetadata) bool
NodeRestrictionEnabled checks whether the NodeRestriction admission plugin is enabled by impersonating a node and attempting to create a non-mirror pod.
Types
type ClusterDb
type ClusterDb struct {
	Pods            []v1.Pod            // TODO: only need name, namespace, serviceaccount, and node, not full object
	Nodes           []v1.Node           // TODO: only need name, not full object
	ServiceAccounts []v1.ServiceAccount // TODO: only need name, namespace, and annotations, not full object

	Roles               []rbac.Role
	ClusterRoles        []rbac.ClusterRole
	RoleBindings        []rbac.RoleBinding
	ClusterRoleBindings []rbac.ClusterRoleBinding
}
ClusterDb holds the cluster objects relevant to RBAC.
type ClusterMetadata
type ClusterMetadata struct {
	ClusterName string         `json:"cluster"`
	Platform    string         `json:"platform"`
	Version     ClusterVersion `json:"version"`
	Features    []string       `json:"features"`
}
type ClusterVersion
type CollectConfig
type CollectConfig struct {
	AllServiceAccounts  bool
	IgnoreControlPlane  bool
	DiscoverProtections bool
	OfflineDir          string
	NodeGroups          []string
	NodeUser            string
	Namespace           string
}
CollectConfig holds the options for Collect().
type CollectResult
type CollectResult struct {
	Metadata        ClusterMetadata       `json:"metadata"`
	ServiceAccounts []ServiceAccountEntry `json:"serviceAccounts"`
	Nodes           []NodeEntry           `json:"nodes"`
	Users           []NamedEntry          `json:"users"`
	Groups          []NamedEntry          `json:"groups"`
	Roles           []RoleEntry           `json:"roles"`
}
CollectResult is the output of Collect(). It includes the cluster metadata and the RBAC data (essentially ClusterMetadata + RbacDb).
func Collect
func Collect(collectConfig CollectConfig) *CollectResult
Collect retrieves the RBAC settings of a k8s cluster.
type NamedEntry (added in v1.1.0)
NamedEntry marks an identity with roles that is denoted only by a name, such as a user or a group.
type NodeEntry
type NodeEntry struct {
	Name            string    `json:"name"`
	Roles           []RoleRef `json:"roles"`
	ServiceAccounts []string  `json:"serviceAccounts"`
}
NodeEntry holds the RBAC info of a node.
type NodeToPods
NodeToPods lists the pods on a node.
type RbacDb
type RbacDb struct {
	ServiceAccounts []ServiceAccountEntry
	Nodes           []NodeEntry
	Users           []NamedEntry
	Groups          []NamedEntry
	Roles           []RoleEntry
}
RbacDb is a database holding the RBAC permissions in the cluster.
type RoleEntry
type RoleEntry struct {
	Name      string            `json:"name"`
	Namespace string            `json:"namespace,omitempty"`
	Rules     []rbac.PolicyRule `json:"rules"`
}
RoleEntry describes a Role or a ClusterRole.
type RoleRef
type RoleRef struct {
	Name               string `json:"name"`
	Namespace          string `json:"namespace,omitempty"`
	EffectiveNamespace string `json:"effectiveNamespace,omitempty"`
}
RoleRef denotes the outcome of a RoleBinding or a ClusterRoleBinding.
type ServiceAccountEntry
type ServiceAccountEntry struct {
	Name        string            `json:"name"`
	Namespace   string            `json:"namespace"`
	Nodes       []NodeToPods      `json:"nodes,omitempty"`
	ProviderIAM map[string]string `json:"providerIAM,omitempty"`
	Roles       []RoleRef         `json:"roles"`
}
ServiceAccountEntry holds the RBAC info of a serviceAccount.
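The RoleRef, RoleEntry and ServiceAccountEntry types above only record which bindings apply to a subject; the question a reviewer of a Collect() result usually wants answered is "which service accounts can perform a given verb on a given resource in a given namespace?". The following is an added example, not code from rbac-police or its collect package: it re-declares a subset of the page's types locally (json tags dropped, rbac.PolicyRule reduced to its Resources and Verbs fields) so it builds with the standard library alone, and then resolves each service account's RoleRefs to concrete rules. The interpretation of RoleRef (EffectiveNamespace set when a ClusterRole is bound through a RoleBinding; a Role scoped to its own Namespace; neither set meaning a ClusterRoleBinding), the helper names and the sample data are all assumptions made for this example.

```go
// Added example, not code from rbac-police or its collect package: it re-declares a
// subset of the page's types so it builds with the standard library alone.
package main

import (
	"fmt"
	"sort"
)

type PolicyRule struct{ Resources, Verbs []string } // the rbac.PolicyRule fields checked here
type RoleRef struct{ Name, Namespace, EffectiveNamespace string } // as declared on the page
type RoleEntry struct {
	Name, Namespace string // Namespace is empty for a ClusterRole
	Rules           []PolicyRule
}

// ServiceAccountEntry and RbacDb keep only the fields this example uses.
type ServiceAccountEntry struct {
	Name, Namespace string
	Roles           []RoleRef
}
type RbacDb struct {
	ServiceAccounts []ServiceAccountEntry
	Roles           []RoleEntry
}

// scopeOf maps a RoleRef to the namespace it applies in, "*" meaning cluster-wide.
// Assumed semantics: EffectiveNamespace is set when a ClusterRole is bound through a
// RoleBinding, a Role is scoped to its Namespace, neither set means a ClusterRoleBinding.
func scopeOf(ref RoleRef) string {
	if ref.EffectiveNamespace != "" {
		return ref.EffectiveNamespace
	}
	if ref.Namespace != "" {
		return ref.Namespace
	}
	return "*"
}

// matches treats "*" in a rule as a wildcard, as the RBAC authorizer does.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allows reports whether refs grant verb on resource in ns; a RoleRef whose Role or
// ClusterRole is missing from the collected data (a dangling binding) grants nothing.
func Allows(db RbacDb, refs []RoleRef, verb, resource, ns string) bool {
	for _, ref := range refs {
		if s := scopeOf(ref); s != "*" && s != ns {
			continue
		}
		for _, role := range db.Roles {
			if role.Name != ref.Name || role.Namespace != ref.Namespace {
				continue
			}
			for _, r := range role.Rules {
				if matches(r.Verbs, verb) && matches(r.Resources, resource) {
					return true
				}
			}
		}
	}
	return false
}

// SubjectsAllowed lists "namespace/name" of each service account allowed to do verb
// on resource in ns, sorted so the output is stable.
func SubjectsAllowed(db RbacDb, verb, resource, ns string) []string {
	var out []string
	for _, sa := range db.ServiceAccounts {
		if Allows(db, sa.Roles, verb, resource, ns) {
			out = append(out, sa.Namespace+"/"+sa.Name)
		}
	}
	sort.Strings(out)
	return out
}

// SampleDb is constructed data standing in for a real Collect() result.
func SampleDb() RbacDb {
	return RbacDb{
		Roles: []RoleEntry{
			{Name: "cluster-admin", Rules: []PolicyRule{{[]string{"*"}, []string{"*"}}}},
			{Name: "pod-creator", Rules: []PolicyRule{{[]string{"pods"}, []string{"create", "get"}}}},
			{Name: "cm-reader", Namespace: "dev", Rules: []PolicyRule{{[]string{"configmaps"}, []string{"get", "list"}}}},
		},
		ServiceAccounts: []ServiceAccountEntry{
			{"ops", "kube-system", []RoleRef{{Name: "cluster-admin"}}},                       // ClusterRoleBinding
			{"builder", "dev", []RoleRef{{Name: "pod-creator", EffectiveNamespace: "dev"}}}, // ClusterRole via RoleBinding
			{"reader", "dev", []RoleRef{{Name: "cm-reader", Namespace: "dev"}}},             // Role via RoleBinding
			{"orphan", "prod", []RoleRef{{Name: "deleted-role", Namespace: "prod"}}},        // dangling binding
		},
	}
}

func main() {
	fmt.Println(SubjectsAllowed(SampleDb(), "create", "pods", "dev")) // [dev/builder kube-system/ops]
}
```

Note that the scope check runs before the role lookup, so a ClusterRole bound through a RoleBinding in dev (the builder account) is correctly not counted for prod, while the cluster-admin ClusterRoleBinding matches every namespace; the orphan account shows how a binding to a role that no longer exists contributes no permissions rather than an error.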