Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddGraphEventHandlers ¶
func AddGraphEventHandlers(graph *Graph, pods coreinformers.PodInformer, pvs coreinformers.PersistentVolumeInformer)
func NewAuthorizer ¶
func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacapi.PolicyRule) authorizer.Authorizer
NewAuthorizer returns a new node authorizer
Types ¶
type Graph ¶
type Graph struct {
// contains filtered or unexported fields
}
Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:
node <- pod pod <- secret,configmap,pvc pvc <- pv pv <- secret
func (*Graph) AddPV ¶
func (g *Graph) AddPV(pv *api.PersistentVolume)
AddPV sets up edges for the following relationships:
secret -> pv pv -> pvc
type NodeAuthorizer ¶
type NodeAuthorizer struct {
// contains filtered or unexported fields
}
NodeAuthorizer authorizes requests from kubelets, with the following logic:
- If a request is not from a node (NodeIdentity() returns isNode=false), reject
- If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject
- If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node: node <- pod node <- pod <- secret node <- pod <- configmap node <- pod <- pvc node <- pod <- pvc <- pv node <- pod <- pvc <- pv <- secret
- For other resources, authorize all nodes uniformly using statically defined rules
func (*NodeAuthorizer) Authorize ¶
func (r *NodeAuthorizer) Authorize(attrs authorizer.Attributes) (bool, string, error)
Click to show internal directories.
Click to hide internal directories.