roles

package
v1.14.0-rc.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 21, 2023 License: Apache-2.0 Imports: 29 Imported by: 0

Documentation

Overview

Package roles implements the RBAC manager's support for providers.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ClusterRolesDiffer 

func ClusterRolesDiffer(current, desired runtime.Object) bool

ClusterRolesDiffer returns true if the supplied objects are different ClusterRoles. We consider ClusterRoles to be different if their labels and rules do not match.

func RenderClusterRoles 

func RenderClusterRoles(pr *v1.ProviderRevision, rs []Resource) []rbacv1.ClusterRole

RenderClusterRoles returns ClusterRoles for the supplied ProviderRevision.

func Setup 

func Setup(mgr ctrl.Manager, o controller.Options) error

Setup adds a controller that reconciles a ProviderRevision by creating a series of opinionated ClusterRoles that may be bound to allow access to the resources it defines.

func SystemClusterRoleName 

func SystemClusterRoleName(revisionName string) string

SystemClusterRoleName returns the name of the 'system' cluster role - i.e. the role that a provider's ServiceAccount should be bound to.

Types

type ClusterRoleBackedValidator 

type ClusterRoleBackedValidator struct {
	// contains filtered or unexported fields
}

A ClusterRoleBackedValidator is a PermissionRequestsValidator that validates permission requests by comparing them to an RBAC ClusterRole. The validator will reject any permission that is not permitted by the ClusterRole.

func NewClusterRoleBackedValidator 

func NewClusterRoleBackedValidator(c client.Client, roleName string) *ClusterRoleBackedValidator

NewClusterRoleBackedValidator creates a ClusterRoleBackedValidator backed by the named RBAC ClusterRole.

func (*ClusterRoleBackedValidator) ValidatePermissionRequests 

func (v *ClusterRoleBackedValidator) ValidatePermissionRequests(ctx context.Context, requests ...rbacv1.PolicyRule) ([]Rule, error)

ValidatePermissionRequests against the ClusterRole, returning the list of rejected rules.

type ClusterRoleRenderFn 

type ClusterRoleRenderFn func(pr *v1.ProviderRevision, rs []Resource) []rbacv1.ClusterRole

A ClusterRoleRenderFn renders ClusterRoles for the supplied resources.

func (ClusterRoleRenderFn) RenderClusterRoles 

func (fn ClusterRoleRenderFn) RenderClusterRoles(pr *v1.ProviderRevision, rs []Resource) []rbacv1.ClusterRole

RenderClusterRoles renders ClusterRoles for the supplied CRDs.

type ClusterRoleRenderer 

type ClusterRoleRenderer interface {
	// RenderClusterRoles for the supplied resources.
	RenderClusterRoles(pr *v1.ProviderRevision, rs []Resource) []rbacv1.ClusterRole
}

A ClusterRoleRenderer renders ClusterRoles for the given resources.

type EnqueueRequestForAllRevisionsInFamily added in v1.12.1 

type EnqueueRequestForAllRevisionsInFamily struct {
	// contains filtered or unexported fields
}

EnqueueRequestForAllRevisionsInFamily enqueues a request for all provider revisions with the same family as one that changed.

func (*EnqueueRequestForAllRevisionsInFamily) Create added in v1.12.1 

func (e *EnqueueRequestForAllRevisionsInFamily) Create(ctx context.Context, evt event.CreateEvent, q workqueue.RateLimitingInterface)

Create enqueues a request for all provider revisions within the same family.

func (*EnqueueRequestForAllRevisionsInFamily) Delete added in v1.12.1 

func (e *EnqueueRequestForAllRevisionsInFamily) Delete(ctx context.Context, evt event.DeleteEvent, q workqueue.RateLimitingInterface)

Delete enqueues a request for all provider revisions within the same family.

func (*EnqueueRequestForAllRevisionsInFamily) Generic added in v1.12.1 

func (e *EnqueueRequestForAllRevisionsInFamily) Generic(ctx context.Context, evt event.GenericEvent, q workqueue.RateLimitingInterface)

Generic enqueues a request for all provider revisions within the same family.

func (*EnqueueRequestForAllRevisionsInFamily) Update added in v1.12.1 

func (e *EnqueueRequestForAllRevisionsInFamily) Update(ctx context.Context, evt event.UpdateEvent, q workqueue.RateLimitingInterface)

Update enqueues a request for all provider revisions within the same family.

type EnqueueRequestForAllRevisionsWithRequests 

type EnqueueRequestForAllRevisionsWithRequests struct {
	// contains filtered or unexported fields
}

EnqueueRequestForAllRevisionsWithRequests enqueues a request for all provider revisions with permission requests when the ClusterRole that enumerates allowed permissions changes.

func (*EnqueueRequestForAllRevisionsWithRequests) Create 

func (e *EnqueueRequestForAllRevisionsWithRequests) Create(ctx context.Context, evt event.CreateEvent, q workqueue.RateLimitingInterface)

Create enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.

func (*EnqueueRequestForAllRevisionsWithRequests) Delete 

func (e *EnqueueRequestForAllRevisionsWithRequests) Delete(ctx context.Context, evt event.DeleteEvent, q workqueue.RateLimitingInterface)

Delete enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.

func (*EnqueueRequestForAllRevisionsWithRequests) Generic 

func (e *EnqueueRequestForAllRevisionsWithRequests) Generic(ctx context.Context, evt event.GenericEvent, q workqueue.RateLimitingInterface)

Generic enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.

func (*EnqueueRequestForAllRevisionsWithRequests) Update 

func (e *EnqueueRequestForAllRevisionsWithRequests) Update(ctx context.Context, evt event.UpdateEvent, q workqueue.RateLimitingInterface)

Update enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.

type OrgDiffer added in v1.12.1 

type OrgDiffer struct {
	// The default OCI registry to use when parsing references.
	DefaultRegistry string
}

An OrgDiffer determines whether two references are part of the same org. In this context we consider an org to consist of:

  • The registry (e.g. xpkg.upbound.io or index.docker.io).
  • The part of the repository path before the first slash (e.g. crossplane in crossplane/provider-aws).

func (OrgDiffer) Differs added in v1.12.1 

func (d OrgDiffer) Differs(a, b string) bool

Differs returns true if the supplied references are not part of the same OCI registry and org.

type PermissionRequestsValidator 

type PermissionRequestsValidator interface {
	// ValidatePermissionRequests validates the supplied slice of RBAC rules. It
	// returns a slice of any rejected (i.e. disallowed) rules. It returns an
	// error if it is unable to validate permission requests.
	ValidatePermissionRequests(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)
}

A PermissionRequestsValidator validates requested RBAC rules.

type PermissionRequestsValidatorFn 

type PermissionRequestsValidatorFn func(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)

A PermissionRequestsValidatorFn validates requested RBAC rules.

func (PermissionRequestsValidatorFn) ValidatePermissionRequests 

func (fn PermissionRequestsValidatorFn) ValidatePermissionRequests(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)

ValidatePermissionRequests validates the supplied slice of RBAC rules. It returns a slice of any rejected (i.e. disallowed) rules. It returns an error if it is unable to validate permission requests.

type Reconciler 

type Reconciler struct {
	// contains filtered or unexported fields
}

A Reconciler reconciles ProviderRevisions.

func NewReconciler 

func NewReconciler(mgr manager.Manager, opts ...ReconcilerOption) *Reconciler

NewReconciler returns a Reconciler of ProviderRevisions.

func (*Reconciler) Reconcile 

func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error)

Reconcile a ProviderRevision by creating a series of opinionated ClusterRoles that may be bound to allow access to the resources it defines.

type ReconcilerOption 

type ReconcilerOption func(*Reconciler)

ReconcilerOption is used to configure the Reconciler.

func WithClientApplicator 

func WithClientApplicator(ca resource.ClientApplicator) ReconcilerOption

WithClientApplicator specifies how the Reconciler should interact with the Kubernetes API.

func WithClusterRoleRenderer 

func WithClusterRoleRenderer(rr ClusterRoleRenderer) ReconcilerOption

WithClusterRoleRenderer specifies how the Reconciler should render RBAC ClusterRoles.

func WithLogger 

func WithLogger(log logging.Logger) ReconcilerOption

WithLogger specifies how the Reconciler should log messages.

func WithOrgDiffer added in v1.12.1 

func WithOrgDiffer(d OrgDiffer) ReconcilerOption

WithOrgDiffer specifies how the Reconciler should diff OCI orgs. It does this to ensure that two providers may only be part of the same family if they're in the same OCI org.

func WithPermissionRequestsValidator 

func WithPermissionRequestsValidator(rv PermissionRequestsValidator) ReconcilerOption

WithPermissionRequestsValidator specifies how the Reconciler should validate requests for extra RBAC permissions.

func WithRecorder 

func WithRecorder(er event.Recorder) ReconcilerOption

WithRecorder specifies how the Reconciler should record Kubernetes events.

type Resource added in v1.12.1 

type Resource struct {
	// Group is the unversioned API group of this resource.
	Group string

	// Plural is the plural name of this resource.
	Plural string
}

A Resource is a Kubernetes API resource.

func DefinedResources added in v1.12.1 

func DefinedResources(refs []xpv1.TypedReference) []Resource

DefinedResources returns the resources defined by the supplied references.

type Rule 

type Rule struct {
	// The API group of this resource. The empty string denotes the core
	// Kubernetes API group. '*' represents any API group.
	APIGroup string

	// The resource in question. '*' represents any resource.
	Resource string

	// The name of the resource. Unlike the rbacv1 API, we use '*' to represent
	// any resource name.
	ResourceName string

	// A non-resource URL. Mutually exclusive with the above resource fields.
	NonResourceURL string

	// The verb this rule allows.
	Verb string
}

A Rule represents a single, granular RBAC rule.

func Expand 

func Expand(ctx context.Context, rs ...rbacv1.PolicyRule) ([]Rule, error)

Expand RBAC policy rules into our granular rules.

func VerySecureValidator 

func VerySecureValidator(ctx context.Context, requests ...rbacv1.PolicyRule) ([]Rule, error)

VerySecureValidator is a PermissionRequestsValidatorFn that rejects all requested permissions.

func (Rule) String 

func (r Rule) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.