Documentation
¶
Index ¶
- Constants
- type ClusterFeaturesGetter
- type Forwarder
- type ForwarderConfig
- type GenTestKubeClientTLSCertOptions
- type KubeClusterConfig
- type KubeServiceType
- type RoleSpec
- type ServeOption
- type SpdyRoundTripper
- type TLSServer
- type TLSServerConfig
- type TestConfig
- type TestContext
- func (c *TestContext) Close() error
- func (c *TestContext) CreateUserAndRole(ctx context.Context, t *testing.T, username string, roleSpec RoleSpec) (types.User, types.Role)
- func (c *TestContext) GenTestKubeClientTLSCert(t *testing.T, userName, kubeCluster string, ...) (*kubernetes.Clientset, *rest.Config)
- func (c *TestContext) KubeProxyAddress() string
- func (c *TestContext) NewJoiningSession(cfg *rest.Config, sessionID string, mode types.SessionParticipantMode) (*streamproto.SessionStream, error)
Constants ¶
View Source
const ( // The SPDY subprotocol "v4.channel.k8s.io" is used for remote command // attachment/execution. It is the 4th version of the subprotocol and // adds support for exit codes. StreamProtocolV4Name = "v4.channel.k8s.io" // DefaultStreamCreationTimeout DefaultStreamCreationTimeout = 30 * time.Second IdleTimeout = 15 * time.Minute )
View Source
const ( // Enable stdin for remote command execution ExecStdinParam = "input" // Enable stdout for remote command execution ExecStdoutParam = "output" // Enable stderr for remote command execution ExecStderrParam = "error" // Enable TTY for remote command execution ExecTTYParam = "tty" // Command to run for remote command execution ExecCommandParam = "command" // Name of header that specifies stream type StreamType = "streamType" // Value for streamType header for stdin stream StreamTypeStdin = "stdin" // Value for streamType header for stdout stream StreamTypeStdout = "stdout" // Value for streamType header for stderr stream StreamTypeStderr = "stderr" // Value for streamType header for data stream StreamTypeData = "data" // Value for streamType header for error stream StreamTypeError = "error" // Value for streamType header for terminal resize stream StreamTypeResize = "resize" // Name of header that specifies the port being forwarded PortHeader = "port" // Name of header that specifies a request ID used to associate the error // and data streams for a single forwarded connection PortForwardRequestIDHeader = "requestID" // PortForwardProtocolV1Name is the subprotocol "portforward.k8s.io" is used for port forwarding PortForwardProtocolV1Name = "portforward.k8s.io" )
These constants are for remote command execution and port forwarding and are used by both the client side and server side components.
This is probably not the ideal place for them, but it didn't seem worth it to create pkg/exec and pkg/portforward just to contain a single file with constants in it. Suggestions for more appropriate alternatives are definitely welcome!
View Source
const ( // KubeService is a Teleport kubernetes_service. A KubeService always forwards // requests directly to a Kubernetes endpoint. KubeService = "kube_service" // ProxyService is a Teleport proxy_service with kube_listen_addr/ // kube_public_addr enabled. A ProxyService always forwards requests to a // Teleport KubeService or LegacyProxyService. ProxyService = "kube_proxy" // LegacyProxyService is a Teleport proxy_service with the kubernetes section // enabled. A LegacyProxyService can forward requests directly to a Kubernetes // endpoint, or to another Teleport LegacyProxyService or KubeService. LegacyProxyService = "legacy_proxy" )
View Source
const ( // ImpersonateHeaderPrefix is K8s impersonation prefix for impersonation feature: // https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation ImpersonateHeaderPrefix = "Impersonate-" // ImpersonateUserHeader is impersonation header for users ImpersonateUserHeader = "Impersonate-User" // ImpersonateGroupHeader is K8s impersonation header for user ImpersonateGroupHeader = "Impersonate-Group" // ImpersonationRequestDeniedMessage is access denied message for impersonation ImpersonationRequestDeniedMessage = "impersonation request has been denied" )
View Source
const ( PresenceVerifyInterval = time.Second * 15 PresenceMaxDifference = time.Minute )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ClusterFeaturesGetter ¶
ClusterFeaturesGetter is a function that returns the Teleport cluster licensed features.
type Forwarder ¶
type Forwarder struct {
// contains filtered or unexported fields
}
Forwarder intercepts kubernetes requests, acting as Kubernetes API proxy. it blindly forwards most of the requests on HTTPS protocol layer, however some requests like exec sessions it intercepts and records.
func NewForwarder ¶
func NewForwarder(cfg ForwarderConfig) (*Forwarder, error)
NewForwarder returns new instance of Kubernetes request forwarding proxy.
type ForwarderConfig ¶
type ForwarderConfig struct {
// ReverseTunnelSrv is the teleport reverse tunnel server
ReverseTunnelSrv reversetunnelclient.Server
// ClusterName is a local cluster name
ClusterName string
// Keygen points to a key generator implementation
Keygen sshca.Authority
// Authz authenticates user
Authz authz.Authorizer
// AuthClient is a auth server client.
AuthClient auth.ClientI
// CachingAuthClient is a caching auth server client for read-only access.
CachingAuthClient auth.ReadKubernetesAccessPoint
// Emitter is used to emit audit events
Emitter apievents.Emitter
// DataDir is a data dir to store logs
DataDir string
// Namespace is a namespace of the proxy server (not a K8s namespace)
Namespace string
// HostID is a unique ID of a proxy server
HostID string
// ClusterOverride if set, routes all requests
// to the cluster name, used in tests
ClusterOverride string
// Context passes the optional external context
// passing global close to all forwarder operations
Context context.Context
// KubeconfigPath is a path to kubernetes configuration
KubeconfigPath string
// KubeServiceType specifies which Teleport service type this forwarder is for
KubeServiceType KubeServiceType
// KubeClusterName is the name of the kubernetes cluster that this
// forwarder handles.
KubeClusterName string
// Clock is a server clock, could be overridden in tests
Clock clockwork.Clock
// ConnPingPeriod is a period for sending ping messages on the incoming
// connection.
ConnPingPeriod time.Duration
// Component name to include in log output.
Component string
// LockWatcher is a lock watcher.
LockWatcher *services.LockWatcher
// CheckImpersonationPermissions is an optional override of the default
// impersonation permissions check, for use in testing
CheckImpersonationPermissions servicecfg.ImpersonationPermissionsChecker
// PublicAddr is the address that can be used to reach the kube cluster
PublicAddr string
// PROXYSigner is used to sign PROXY headers for securely propagating client IP address
PROXYSigner multiplexer.PROXYHeaderSigner
// TracerProvider is used to create tracers capable
// of starting spans.
TracerProvider oteltrace.TracerProvider
// ConnTLSConfig is the TLS client configuration to use when connecting to
// the upstream Teleport proxy or Kubernetes service when forwarding requests
// using the forward identity (i.e. proxy impersonating a user) method.
ConnTLSConfig *tls.Config
// ClusterFeaturesGetter is a function that returns the Teleport cluster licensed features.
// It is used to determine if the cluster is licensed for Kubernetes usage.
ClusterFeatures ClusterFeaturesGetter
// contains filtered or unexported fields
}
ForwarderConfig specifies configuration for proxy forwarder
func (*ForwarderConfig) CheckAndSetDefaults ¶
func (f *ForwarderConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type GenTestKubeClientTLSCertOptions ¶
GenTestKubeClientTLSCertOptions is a function that can be used to modify the identity used to generate the kube client certificate.
func WithResourceAccessRequests ¶
func WithResourceAccessRequests(r ...types.ResourceID) GenTestKubeClientTLSCertOptions
WithResourceAccessRequests adds resource access requests to the identity.
type KubeClusterConfig ¶
type KubeClusterConfig struct {
// Name is the cluster name.
Name string
// APIEndpoint is the cluster API endpoint.
APIEndpoint string
}
KubeClusterConfig defines the cluster to be created
type KubeServiceType ¶
type KubeServiceType = string
KubeServiceType specifies a Teleport service type which can forward Kubernetes requests
type RoleSpec ¶
type RoleSpec struct {
Name string
KubeUsers []string
KubeGroups []string
SessionRequire []*types.SessionRequirePolicy
SessionJoin []*types.SessionJoinPolicy
SetupRoleFunc func(types.Role) // If nil all pods are allowed.
}
RoleSpec defiens the role name and kube details to be created.
type ServeOption ¶
type ServeOption func(*multiplexer.Config)
ServeOption is a functional option for the multiplexer.
func WithMultiplexerIgnoreSelfConnections ¶
func WithMultiplexerIgnoreSelfConnections() ServeOption
WithMultiplexerIgnoreSelfConnections is used for tests, it makes multiplexer ignore the fact that it's self connection (coming from same IP as the listening address) when deciding if it should drop connection with missing required PROXY header. This is needed since all connections in tests are self connections.
type SpdyRoundTripper ¶
type SpdyRoundTripper struct {
// contains filtered or unexported fields
}
SpdyRoundTripper knows how to upgrade an HTTP request to one that supports multiplexed streams. After RoundTrip() is invoked, Conn will be set and usable. SpdyRoundTripper implements the UpgradeRoundTripper interface.
func NewSpdyRoundTripperWithDialer ¶
func NewSpdyRoundTripperWithDialer(cfg roundTripperConfig) *SpdyRoundTripper
NewSpdyRoundTripperWithDialer creates a new SpdyRoundTripper that will use the specified tlsConfig. This function is mostly meant for unit tests.
func (*SpdyRoundTripper) NewConnection ¶
func (s *SpdyRoundTripper) NewConnection(resp *http.Response) (httpstream.Connection, error)
NewConnection validates the upgrade response, creating and returning a new httpstream.Connection if there were no errors.
func (*SpdyRoundTripper) RoundTrip ¶
RoundTrip executes the Request and upgrades it. After a successful upgrade, clients may call SpdyRoundTripper.Connection() to retrieve the upgraded connection.
func (*SpdyRoundTripper) TLSClientConfig ¶
func (s *SpdyRoundTripper) TLSClientConfig() *tls.Config
TLSClientConfig implements pkg/util/net.TLSClientConfigHolder for proper TLS checking during proxying with a spdy roundtripper.
type TLSServer ¶
type TLSServer struct {
*http.Server
// TLSServerConfig is TLS server configuration used for auth server
TLSServerConfig
// contains filtered or unexported fields
}
TLSServer is TLS auth server
func NewTLSServer ¶
func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)
NewTLSServer returns new unstarted TLS server
func (*TLSServer) GetConfigForClient ¶
GetConfigForClient is getting called on every connection and server's GetConfigForClient reloads the list of trusted local and remote certificate authorities
type TLSServerConfig ¶
type TLSServerConfig struct {
// ForwarderConfig is a config of a forwarder
ForwarderConfig
// TLS is a base TLS configuration
TLS *tls.Config
// LimiterConfig is limiter config
LimiterConfig limiter.Config
// AccessPoint is caching access point
AccessPoint auth.ReadKubernetesAccessPoint
// OnHeartbeat is a callback for kubernetes_service heartbeats.
OnHeartbeat func(error)
// GetRotation returns the certificate rotation state.
GetRotation services.RotationGetter
// ConnectedProxyGetter gets the proxies teleport is connected to.
ConnectedProxyGetter *reversetunnel.ConnectedProxyGetter
// Log is the logger.
Log logrus.FieldLogger
// Selectors is a list of resource monitor selectors.
ResourceMatchers []services.ResourceMatcher
// OnReconcile is called after each kube_cluster resource reconciliation.
OnReconcile func(types.KubeClusters)
// CloudClients is a set of cloud clients that Teleport supports.
CloudClients cloud.Clients
// StaticLabels is a map of static labels associated with this service.
// Each cluster advertised by this kubernetes_service will include these static labels.
// If the service and a cluster define labels with the same key,
// service labels take precedence over cluster labels.
// Used for RBAC.
StaticLabels map[string]string
// DynamicLabels define the dynamic labels associated with this service.
// Each cluster advertised by this kubernetes_service will include these dynamic labels.
// If the service and a cluster define labels with the same key,
// service labels take precedence over cluster labels.
// Used for RBAC.
DynamicLabels *labels.Dynamic
// CloudLabels is a map of static labels imported from a cloud provider associated with this
// service. Used for RBAC.
// If StaticLabels and CloudLabels define labels with the same key,
// StaticLabels take precedence over CloudLabels.
CloudLabels labels.Importer
// IngressReporter reports new and active connections.
IngressReporter *ingress.Reporter
// KubernetesServersWatcher is used by the kube proxy to watch for changes in the
// kubernetes servers of a cluster. Proxy requires it to update the kubeServersMap
// which holds the list of kubernetes_services connected to the proxy for a given
// kubernetes cluster name. Proxy uses this map to route requests to the correct
// kubernetes_service. The servers are kept in memory to avoid making unnecessary
// unmarshal calls followed by filtering and to improve memory usage.
KubernetesServersWatcher *services.KubeServerWatcher
// PROXYProtocolMode controls behavior related to unsigned PROXY protocol headers.
PROXYProtocolMode multiplexer.PROXYProtocolMode
}
TLSServerConfig is a configuration for TLS server
func (*TLSServerConfig) CheckAndSetDefaults ¶
func (c *TLSServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type TestConfig ¶
type TestConfig struct {
Clusters []KubeClusterConfig
ResourceMatchers []services.ResourceMatcher
OnReconcile func(types.KubeClusters)
OnEvent func(apievents.AuditEvent)
ClusterFeatures func() proto.Features
}
TestConfig defines the suite options.
type TestContext ¶
type TestContext struct {
HostID string
ClusterName string
TLSServer *auth.TestTLSServer
AuthServer *auth.Server
AuthClient *auth.Client
Authz authz.Authorizer
KubeServer *TLSServer
KubeProxy *TLSServer
Emitter *eventstest.ChannelEmitter
Context context.Context
// contains filtered or unexported fields
}
func SetupTestContext ¶
func SetupTestContext(ctx context.Context, t *testing.T, cfg TestConfig) *TestContext
SetupTestContext creates a kube service with clusters configured.
func (*TestContext) Close ¶
func (c *TestContext) Close() error
Close closes resources associated with the test context.
func (*TestContext) CreateUserAndRole ¶
func (c *TestContext) CreateUserAndRole(ctx context.Context, t *testing.T, username string, roleSpec RoleSpec) (types.User, types.Role)
CreateUserAndRole creates Teleport user and role with specified names
func (*TestContext) GenTestKubeClientTLSCert ¶
func (c *TestContext) GenTestKubeClientTLSCert(t *testing.T, userName, kubeCluster string, opts ...GenTestKubeClientTLSCertOptions) (*kubernetes.Clientset, *rest.Config)
GenTestKubeClientTLSCert generates a kube client to access kube service
func (*TestContext) KubeProxyAddress ¶
func (c *TestContext) KubeProxyAddress() string
KubeProxyAddress returns the address of the kube proxy.
func (*TestContext) NewJoiningSession ¶
func (c *TestContext) NewJoiningSession(cfg *rest.Config, sessionID string, mode types.SessionParticipantMode) (*streamproto.SessionStream, error)
NewJoiningSession creates a new session stream for joining an existing session.
Source Files
¶
- auth.go
- cluster_details.go
- compression.go
- constants.go
- forwarder.go
- kube_creds.go
- portforward_spdy.go
- portforward_websocket.go
- prometheus.go
- remotecommand.go
- remotecommand_websocket.go
- resource_deletecollection.go
- resource_filters.go
- resource_list.go
- response_rewriter.go
- roundtrip.go
- scheme.go
- self_subject_reviews.go
- server.go
- sess.go
- transport.go
- url.go
- utils_testing.go
- watcher.go
- websocket_client_testing.go
Directories
Click to show internal directories.
Click to hide internal directories.