Documentation ¶
Index ¶
- func ClusterRolesDiffer(current, desired runtime.Object) bool
- func RenderClusterRoles(pr *v1.ProviderRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole
- func Setup(mgr ctrl.Manager, log logging.Logger, allowClusterRole string) error
- func SystemClusterRoleName(revisionName string) string
- type ClusterRoleBackedValidator
- type ClusterRoleRenderFn
- type ClusterRoleRenderer
- type EnqueueRequestForAllRevisionsWithRequests
- func (e *EnqueueRequestForAllRevisionsWithRequests) Create(evt event.CreateEvent, q workqueue.RateLimitingInterface)
- func (e *EnqueueRequestForAllRevisionsWithRequests) Delete(evt event.DeleteEvent, q workqueue.RateLimitingInterface)
- func (e *EnqueueRequestForAllRevisionsWithRequests) Generic(evt event.GenericEvent, q workqueue.RateLimitingInterface)
- func (e *EnqueueRequestForAllRevisionsWithRequests) Update(evt event.UpdateEvent, q workqueue.RateLimitingInterface)
- type PermissionRequestsValidator
- type PermissionRequestsValidatorFn
- type Reconciler
- type ReconcilerOption
- func WithClientApplicator(ca resource.ClientApplicator) ReconcilerOption
- func WithClusterRoleRenderer(rr ClusterRoleRenderer) ReconcilerOption
- func WithLogger(log logging.Logger) ReconcilerOption
- func WithPermissionRequestsValidator(rv PermissionRequestsValidator) ReconcilerOption
- func WithRecorder(er event.Recorder) ReconcilerOption
- type Rule
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ClusterRolesDiffer ¶
func ClusterRolesDiffer(current, desired runtime.Object) bool
ClusterRolesDiffer returns true if the supplied objects are different ClusterRoles. Two ClusterRoles are considered different if either their labels or their rules do not match.
func RenderClusterRoles ¶
func RenderClusterRoles(pr *v1.ProviderRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole
RenderClusterRoles returns ClusterRoles for the supplied ProviderRevision.
func Setup ¶
func Setup(mgr ctrl.Manager, log logging.Logger, allowClusterRole string) error
Setup adds a controller that reconciles a ProviderRevision by creating a series of opinionated ClusterRoles that may be bound to allow access to the resources it defines. allowClusterRole names the ClusterRole against which any extra permissions a revision requests are validated.
func SystemClusterRoleName ¶
func SystemClusterRoleName(revisionName string) string
SystemClusterRoleName returns the name of the 'system' ClusterRole for the named revision, i.e. the role that the provider's ServiceAccount should be bound to.
Types ¶
type ClusterRoleBackedValidator ¶
type ClusterRoleBackedValidator struct {
// contains filtered or unexported fields
}
A ClusterRoleBackedValidator is a PermissionRequestsValidator that validates permission requests by comparing them to an RBAC ClusterRole. The validator will reject any permission that is not permitted by the ClusterRole.
func NewClusterRoleBackedValidator ¶
func NewClusterRoleBackedValidator(c client.Client, roleName string) *ClusterRoleBackedValidator
NewClusterRoleBackedValidator creates a ClusterRoleBackedValidator backed by the named RBAC ClusterRole.
func (*ClusterRoleBackedValidator) ValidatePermissionRequests ¶
func (v *ClusterRoleBackedValidator) ValidatePermissionRequests(ctx context.Context, requests ...rbacv1.PolicyRule) ([]Rule, error)
ValidatePermissionRequests validates the requested rules against the backing ClusterRole. It returns the granular rules the ClusterRole does not permit, or an error if it is unable to validate them.
type ClusterRoleRenderFn ¶
type ClusterRoleRenderFn func(pr *v1.ProviderRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole
A ClusterRoleRenderFn renders ClusterRoles for the supplied CRDs.
func (ClusterRoleRenderFn) RenderClusterRoles ¶
func (fn ClusterRoleRenderFn) RenderClusterRoles(pr *v1.ProviderRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole
RenderClusterRoles renders ClusterRoles for the supplied CRDs.
type ClusterRoleRenderer ¶
type ClusterRoleRenderer interface {
	// RenderClusterRoles for the supplied CRDs.
	RenderClusterRoles(pr *v1.ProviderRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole
}
A ClusterRoleRenderer renders ClusterRoles for the given CRDs.
type EnqueueRequestForAllRevisionsWithRequests ¶
type EnqueueRequestForAllRevisionsWithRequests struct {
// contains filtered or unexported fields
}
EnqueueRequestForAllRevisionsWithRequests enqueues a request for all provider revisions with permission requests when the ClusterRole that enumerates allowed permissions changes.
func (*EnqueueRequestForAllRevisionsWithRequests) Create ¶
func (e *EnqueueRequestForAllRevisionsWithRequests) Create(evt event.CreateEvent, q workqueue.RateLimitingInterface)
Create enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.
func (*EnqueueRequestForAllRevisionsWithRequests) Delete ¶
func (e *EnqueueRequestForAllRevisionsWithRequests) Delete(evt event.DeleteEvent, q workqueue.RateLimitingInterface)
Delete enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.
func (*EnqueueRequestForAllRevisionsWithRequests) Generic ¶
func (e *EnqueueRequestForAllRevisionsWithRequests) Generic(evt event.GenericEvent, q workqueue.RateLimitingInterface)
Generic enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.
func (*EnqueueRequestForAllRevisionsWithRequests) Update ¶
func (e *EnqueueRequestForAllRevisionsWithRequests) Update(evt event.UpdateEvent, q workqueue.RateLimitingInterface)
Update enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.
type PermissionRequestsValidator ¶
type PermissionRequestsValidator interface {
	// ValidatePermissionRequests validates the supplied slice of RBAC rules. It
	// returns a slice of any rejected (i.e. disallowed) rules. It returns an
	// error if it is unable to validate permission requests.
	ValidatePermissionRequests(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)
}
A PermissionRequestsValidator validates requested RBAC rules.
type PermissionRequestsValidatorFn ¶
type PermissionRequestsValidatorFn func(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)
A PermissionRequestsValidatorFn validates requested RBAC rules.
func (PermissionRequestsValidatorFn) ValidatePermissionRequests ¶
func (fn PermissionRequestsValidatorFn) ValidatePermissionRequests(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)
ValidatePermissionRequests validates the supplied slice of RBAC rules. It returns a slice of any rejected (i.e. disallowed) rules. It returns an error if it is unable to validate permission requests.
type Reconciler ¶
type Reconciler struct {
// contains filtered or unexported fields
}
A Reconciler reconciles ProviderRevisions.
func NewReconciler ¶
func NewReconciler(mgr manager.Manager, opts ...ReconcilerOption) *Reconciler
NewReconciler returns a Reconciler of ProviderRevisions.
type ReconcilerOption ¶
type ReconcilerOption func(*Reconciler)
ReconcilerOption is used to configure the Reconciler.
func WithClientApplicator ¶
func WithClientApplicator(ca resource.ClientApplicator) ReconcilerOption
WithClientApplicator specifies how the Reconciler should interact with the Kubernetes API.
func WithClusterRoleRenderer ¶
func WithClusterRoleRenderer(rr ClusterRoleRenderer) ReconcilerOption
WithClusterRoleRenderer specifies how the Reconciler should render RBAC ClusterRoles.
func WithLogger ¶
func WithLogger(log logging.Logger) ReconcilerOption
WithLogger specifies how the Reconciler should log messages.
func WithPermissionRequestsValidator ¶
func WithPermissionRequestsValidator(rv PermissionRequestsValidator) ReconcilerOption
WithPermissionRequestsValidator specifies how the Reconciler should validate requests for extra RBAC permissions.
func WithRecorder ¶
func WithRecorder(er event.Recorder) ReconcilerOption
WithRecorder specifies how the Reconciler should record Kubernetes events.
type Rule ¶
type Rule struct {
	// The API group of this resource. The empty string denotes the core
	// Kubernetes API group. '*' represents any API group.
	APIGroup string

	// The resource in question. '*' represents any resource.
	Resource string

	// The name of the resource. Unlike the rbacv1 API, we use '*' to represent
	// any resource name.
	ResourceName string

	// A non-resource URL. Mutually exclusive with the above resource fields.
	NonResourceURL string

	// The verb this rule allows.
	Verb string
}
A Rule represents a single, granular RBAC rule.
func Expand ¶
func Expand(rs ...rbacv1.PolicyRule) []Rule
Expand expands RBAC PolicyRules into granular Rules: one Rule per combination of API group, resource, resource name (or non-resource URL) and verb that the supplied PolicyRules cover.
func VerySecureValidator ¶
func VerySecureValidator(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)
VerySecureValidator is a PermissionRequestsValidatorFn that rejects all requested permissions: every requested rule is returned as rejected.
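A worked version of the expand-then-compare validation that ClusterRoleBackedValidator, Expand and VerySecureValidator describe above, added here as an example; it is not this package's code. It uses a constructed PolicyRule stand-in for rbacv1.PolicyRule so that it compiles without k8s.io/api, the hypothetical helpers Permits, Validate and SampleInput, and constructed allow-list and request rules where the real controller would read the allow-list ClusterRole from the API server.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a constructed stand-in for the rbacv1.PolicyRule fields the
// validator uses, so the example needs no k8s.io/api dependency.
type PolicyRule struct {
	APIGroups, Resources, ResourceNames, NonResourceURLs, Verbs []string
}

// Rule is one granular permission, shaped like the page's Rule type: as there,
// ResourceName "*" means any name, which rbacv1 expresses with an empty list.
type Rule struct {
	APIGroup, Resource, ResourceName, NonResourceURL, Verb string
}

// Expand flattens each PolicyRule into the cartesian product of its verbs with
// its non-resource URLs and with its API groups, resources and names.
func Expand(rs ...PolicyRule) []Rule {
	var out []Rule
	for _, r := range rs {
		names := r.ResourceNames
		if len(names) == 0 {
			names = []string{"*"} // no names listed: every name is in scope
		}
		for _, verb := range r.Verbs {
			for _, url := range r.NonResourceURLs {
				out = append(out, Rule{NonResourceURL: url, Verb: verb})
			}
			for _, g := range r.APIGroups {
				for _, res := range r.Resources {
					for _, n := range names {
						out = append(out, Rule{APIGroup: g, Resource: res, ResourceName: n, Verb: verb})
					}
				}
			}
		}
	}
	return out
}

// covers honours a wildcard only on the allowed side: a request for "*" is met
// only by an allowance of "*". prefixOK enables the trailing form RBAC accepts
// for nonResourceURLs, e.g. "/metrics/*".
func covers(allowed, requested string, prefixOK bool) bool {
	return allowed == "*" || allowed == requested ||
		(prefixOK && strings.HasSuffix(allowed, "*") && strings.HasPrefix(requested, strings.TrimSuffix(allowed, "*")))
}

// Permits reports whether the allowed granular rule grants the requested one.
// Subresource wildcards such as "pods/*" are deliberately not modelled.
func Permits(allowed, requested Rule) bool {
	if !covers(allowed.Verb, requested.Verb, false) {
		return false
	}
	if allowed.NonResourceURL != "" || requested.NonResourceURL != "" {
		// A non-resource allowance never covers a resource request, or vice versa.
		return allowed.NonResourceURL != "" && requested.NonResourceURL != "" &&
			covers(allowed.NonResourceURL, requested.NonResourceURL, true)
	}
	return covers(allowed.APIGroup, requested.APIGroup, false) &&
		covers(allowed.Resource, requested.Resource, false) &&
		covers(allowed.ResourceName, requested.ResourceName, false)
}

// Validate does what a ClusterRole-backed validator does: expand the allow-list
// ClusterRole's rules and the requests, then return every requested granular
// rule that no allowed rule permits. An empty result means the requests are in bounds.
func Validate(clusterRoleRules []PolicyRule, requested ...PolicyRule) []Rule {
	allowed := Expand(clusterRoleRules...)
	var rejected []Rule
next:
	for _, req := range Expand(requested...) {
		for _, a := range allowed {
			if Permits(a, req) {
				continue next
			}
		}
		rejected = append(rejected, req)
	}
	return rejected
}

// SampleInput is constructed data: an allow-list ClusterRole granting read-only
// access to core Secrets and ConfigMaps plus GET under /metrics/, and a set of
// provider permission requests, two of which overreach.
func SampleInput() (allowed, requested []PolicyRule) {
	allowed = []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"secrets", "configmaps"}, Verbs: []string{"get", "list", "watch"}},
		{NonResourceURLs: []string{"/metrics/*"}, Verbs: []string{"get"}},
	}
	requested = []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get", "list", "watch", "create"}},
		{APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Verbs: []string{"get"}},
		{NonResourceURLs: []string{"/metrics/cadvisor"}, Verbs: []string{"get"}},
	}
	return allowed, requested
}

func main() {
	allowed, requested := SampleInput()
	for _, r := range Validate(allowed, requested...) {
		fmt.Printf("rejected: %+v\n", r) // the create-on-secrets and apps/deployments rules
	}
}
```

A non-empty result from Validate is the signal a reconciler needs to refuse the requested rules, and running it with no allow-list rules at all reproduces VerySecureValidator: every expanded request comes back rejected. Two details carry the security weight. Wildcards are honoured only on the allowed side, so a request for '*' is never satisfied by an allowance that lists specific values, and an allowance scoped to one resourceName does not cover a request for any name. A non-resource URL allowance and a resource allowance never satisfy each other, so a rule granting GET on /metrics/* cannot be stretched to cover a GET on a resource.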