kubernetes

package
v1.0.0-rc.1 (not the latest version of its module)
Published: Oct 11, 2024 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetRestConfig

func GetRestConfig(ctx context.Context, path string) (*rest.Config, error)

Types

type Client

type Client interface {
	libClient.Client

	// Authorize attempts to authorize the user to perform the desired operation
	// on the specified resource. If the user is not authorized, an error is
	// returned.
	Authorize(
		ctx context.Context,
		verb string,
		gvr schema.GroupVersionResource,
		subresource string,
		key libClient.ObjectKey,
	) error

	// InternalClient returns the internal controller-runtime client used by this
	// client. This is useful for cases where the API server needs to bypass
	// the extra authorization checks performed by this client.
	InternalClient() libClient.Client

	// Watch returns a suitable implementation of the watch.Interface for
	// subscribing to the resources described by the provided arguments.
	Watch(
		ctx context.Context,
		obj libClient.Object,
		namespace string,
		opts metav1.ListOptions,
	) (watch.Interface, error)
}

The Client interface combines the familiar controller-runtime Client interface with helpful Authorize and Watch functions that are absent from that interface.

func NewClient

func NewClient(
	ctx context.Context,
	restCfg *rest.Config,
	opts ClientOptions,
) (Client, error)

NewClient returns an implementation of the Client interface. The interface and implementation offer two key advantages:

  1. The Client interface combines the familiar controller-runtime Client interface with helpful Authorize and Watch functions that are absent from that interface.
  2. The implementation enforces RBAC by retrieving the context-bound user.Info and using it to conduct a SubjectAccessReview or SelfSubjectAccessReview; only if that review succeeds is the desired operation performed. This lets the client retain the benefits of a single underlying client (typically with a built-in cache) while still enforcing RBAC as if the operation had been performed with a user-specific client constructed ad hoc from the user's own credentials.

type ClientOptions

type ClientOptions struct {
	// SkipAuthorization, if true, will cause the implementation of the Client
	// interface to bypass efforts to authorize the Kargo API user's authority to
	// perform any desired operation, in which case, such operations are
	// unconditionally executed using the implementation's own internal client.
	// This does NOT bypass authorization entirely. The Kargo API server will
	// still be constrained by the permissions of the Kubernetes user from whose
	// configuration the internal client was constructed. This option is useful
	// for scenarios where the Kargo API server is executed locally on a user's
	// system and the user wishes to provide the API server with their own
	// Kubernetes client configuration. This is used, for instance, by the
	// `kargo server` command.
	SkipAuthorization bool
	// GlobalServiceAccountNamespaces is a list of namespaces in which we should
	// always look for ServiceAccounts when attempting to authorize a user.
	GlobalServiceAccountNamespaces []string
	// NewInternalClient may be used to take control of how the client's own
	// internal/underlying controller-runtime client is created. This is mainly
	// useful for tests wherein one may, for instance, wish to inject a custom
	// implementation of that interface created using fake.NewClientBuilder().
	// Ordinarily, the value of this field should be left as nil/unspecified, in
	// which case, the NewClient function to which this struct is passed will
	// supply its own default implementation.
	NewInternalClient func(
		context.Context,
		*rest.Config,
		*runtime.Scheme,
	) (libClient.Client, error)
	// NewInternalDynamicClient may be used to take control of how the client's
	// own internal/underlying client-go dynamic client is created. This is mainly
	// useful for tests wherein one may wish to inject a custom implementation of
	// that interface. Ordinarily, the value of this field should be left as
	// nil/unspecified, in which case, the NewClient function to which this struct
	// is passed will supply its own default implementation.
	NewInternalDynamicClient func(*rest.Config) (dynamic.Interface, error)
	// Scheme may be used to take control of the scheme used by the client's own
	// internal/underlying controller-runtime client. Ordinarily, the value of
	// this field should be left as nil/unspecified, in which case, the NewClient
	// function to which this struct is passed will supply a default scheme that
	// includes all Kubernetes APIs used by the Kargo API server.
	Scheme *runtime.Scheme
}

ClientOptions specifies options for customizing the client returned by the NewClient function.
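Added illustration (not this package's own code) of the pattern described under NewClient's second point and by ClientOptions.SkipAuthorization: a wrapper over one shared internal client that resolves the context-bound user, has a SubjectAccessReview-style check answered as that user, and only then proceeds. It uses only the standard library, so UserInfo, ResourceAttributes, Reviewer and AuthzClient are simplified stand-ins for the Kubernetes and package types, not the real API.

```go
package main

import (
	"context"
	"fmt"
)

// UserInfo stands in for the context-bound user.Info (assumption: name and groups only).
type UserInfo struct {
	Name   string
	Groups []string
}
type userKey struct{}

// WithUser binds the authenticated API user to the request context.
func WithUser(ctx context.Context, u UserInfo) context.Context { return context.WithValue(ctx, userKey{}, u) }

// ResourceAttributes carries what a SubjectAccessReview asks about.
type ResourceAttributes struct {
	Verb, Group, Version, Resource, Subresource, Namespace, Name string
}

// Reviewer stands in for the API server answering a SubjectAccessReview for u.
type Reviewer func(ctx context.Context, u UserInfo, ra ResourceAttributes) (allowed bool, reason string, err error)
// AuthzClient models the wrapper: one shared internal client, but a review runs as the
// request's user before each operation unless SkipAuthorization is set (which skips only
// this check; the internal client's own Kubernetes RBAC still applies server-side).
type AuthzClient struct {
	SkipAuthorization bool
	Review            Reviewer
}

// Authorize fails closed: missing identity, review error, or denial all block the operation.
func (c *AuthzClient) Authorize(ctx context.Context, ra ResourceAttributes) error {
	if c.SkipAuthorization {
		return nil
	}
	u, ok := ctx.Value(userKey{}).(UserInfo)
	if !ok {
		return fmt.Errorf("no authenticated user bound to context")
	}
	allowed, reason, err := c.Review(ctx, u, ra)
	if err != nil {
		return fmt.Errorf("subject access review failed: %w", err)
	}
	if !allowed {
		return fmt.Errorf("user %q may not %s %s/%s in %q: %s", u.Name, ra.Verb, ra.Resource, ra.Name, ra.Namespace, reason)
	}
	return nil
}
```

A request that reaches InternalClient() directly skips Authorize entirely, so that path belongs only to code acting on the server's own behalf, never to a handler forwarding a user's request.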
