resources

Overview

Package resources holds simple functions for synthesizing child resources from a Space.


Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildImagePushSecretName

func BuildImagePushSecretName(secret *corev1.Secret) string

BuildImagePushSecretName generates a name for a secret given the original secret from config-secrets.

Example
// Example: the push-secret name is the input secret's name with a
// "kf-registry-" prefix (see the expected output below).
secret := new(corev1.Secret)
secret.Name = "gcr-key"
pushSecretName := BuildImagePushSecretName(secret)
fmt.Println(pushSecretName)
Output:

kf-registry-gcr-key

func BuildServiceAccountName

func BuildServiceAccountName(space *v1alpha1.Space) string

BuildServiceAccountName gets the name of the service account for the given space.

Example
// Example: the build ServiceAccount name comes straight from the Space's
// Status.BuildConfig.ServiceAccount field.
space := new(v1alpha1.Space)
space.Status.BuildConfig.ServiceAccount = "some-name"
name := BuildServiceAccountName(space)
fmt.Println(name)
Output:

some-name

func ClusterRoleBindingName

func ClusterRoleBindingName(space *v1alpha1.Space, role RoleName) string

ClusterRoleBindingName generates the binding name for a given Role.

func FilterSubjectsByClusterRole

func FilterSubjectsByClusterRole(includeRoles []RoleName, roleBindings []*rbacv1.RoleBinding) []rbacv1.Subject

FilterSubjectsByClusterRole returns a list of subjects from the given RoleBinding that have any of the given ClusterRoles.

The returned list will be in a deterministic order.

func GetRoleBindingName

func GetRoleBindingName(role, space string) string

GetRoleBindingName returns the name of the RoleBinding in the given space for the given role name.

func MakeAppNetworkPolicy

func MakeAppNetworkPolicy(space *v1alpha1.Space) (*networkingv1.NetworkPolicy, error)

MakeAppNetworkPolicy creates a network policy targeting apps.

func MakeBuildNetworkPolicy

func MakeBuildNetworkPolicy(space *v1alpha1.Space) (*networkingv1.NetworkPolicy, error)

MakeBuildNetworkPolicy creates a network policy targeting builds.

func MakeBuildServiceAccount

func MakeBuildServiceAccount(
	space *v1alpha1.Space,
	kfSecrets []*corev1.Secret,
	gsaName string,
	containerregistry string,
) (*corev1.ServiceAccount, []*corev1.Secret, error)

MakeBuildServiceAccount creates a ServiceAccount for build pipelines to use.

Example (EmptyGSA)
// Example: with an empty GSA name the build ServiceAccount carries no
// annotations, and each input Kf secret is emitted again in the Space's
// namespace under its push-secret name (the "kf-registry-" prefixed form).
buildSpace := &v1alpha1.Space{
	ObjectMeta: metav1.ObjectMeta{
		Name: "some-space",
	},
	Status: v1alpha1.SpaceStatus{
		BuildConfig: v1alpha1.SpaceStatusBuildConfig{
			ServiceAccount: "build-creds",
		},
	},
}

// Data values are fixture strings; the example prints them only to show
// that they are carried over into the generated secrets unchanged.
kfSecrets := []*corev1.Secret{
	{
		ObjectMeta: metav1.ObjectMeta{Name: "gcr-key"},
		Data: map[string][]byte{
			"key-1": []byte("value-1"),
			"key-2": []byte("value-2"),
		},
	},
	{
		ObjectMeta: metav1.ObjectMeta{Name: "ar-key"},
		Data: map[string][]byte{
			"key-3": []byte("value-3"),
			"key-4": []byte("value-4"),
		},
	},
}

serviceAccount, outSecrets, err := MakeBuildServiceAccount(buildSpace, kfSecrets, "", "ContainerRegistry")
if err != nil {
	panic(err)
}

// Secrets and ImagePullSecrets are different reference types, so they are
// collected separately before being joined for printing.
secretNames := make([]string, 0, len(serviceAccount.Secrets))
for _, ref := range serviceAccount.Secrets {
	secretNames = append(secretNames, ref.Name)
}
pullSecretNames := make([]string, 0, len(serviceAccount.ImagePullSecrets))
for _, ref := range serviceAccount.ImagePullSecrets {
	pullSecretNames = append(pullSecretNames, ref.Name)
}

fmt.Println("ServiceAccount Name:", serviceAccount.Name)
fmt.Println("ServiceAccount Namespace:", serviceAccount.Namespace)
fmt.Println("ServiceAccount Managed Label:", serviceAccount.Labels[v1alpha1.ManagedByLabel])
fmt.Println("ServiceAccount Annotations:", serviceAccount.Annotations)
fmt.Println("ServiceAccount Secrets:", strings.Join(secretNames, ", "))
fmt.Println("ServiceAccount ImagePullSecrets:", strings.Join(pullSecretNames, ", "))
fmt.Println("Secrets Count:", len(outSecrets))

// The example inspects the same data keys each input secret was built with,
// and reads the tekton.dev/docker-N annotation on the Nth generated secret.
dataKeys := [][]string{
	{"key-1", "key-2"},
	{"key-3", "key-4"},
}
annotationKeys := []string{"tekton.dev/docker-0", "tekton.dev/docker-1"}
for i, s := range outSecrets {
	if i > 0 {
		fmt.Println()
	}
	fmt.Println("Secret Name:", s.Name)
	fmt.Println("Secret Type:", s.Type)
	fmt.Println("Secret Namespace:", s.Namespace)
	fmt.Println("Secret Managed Label:", s.Labels[v1alpha1.ManagedByLabel])
	for _, k := range dataKeys[i] {
		fmt.Printf("Secret Data[%s]: %s\n", k, s.Data[k])
	}
	fmt.Println("Secret Annotation:", s.Annotations[annotationKeys[i]])
}
Output:

ServiceAccount Name: build-creds
ServiceAccount Namespace: some-space
ServiceAccount Managed Label: kf
ServiceAccount Annotations: map[]
ServiceAccount Secrets: kf-registry-gcr-key, kf-registry-ar-key
ServiceAccount ImagePullSecrets: kf-registry-gcr-key, kf-registry-ar-key
Secrets Count: 2
Secret Name: kf-registry-gcr-key
Secret Type: kubernetes.io/dockerconfigjson
Secret Namespace: some-space
Secret Managed Label: kf
Secret Data[key-1]: value-1
Secret Data[key-2]: value-2
Secret Annotation: ContainerRegistry

Secret Name: kf-registry-ar-key
Secret Type: kubernetes.io/dockerconfigjson
Secret Namespace: some-space
Secret Managed Label: kf
Secret Data[key-3]: value-3
Secret Data[key-4]: value-4
Secret Annotation: ContainerRegistry
Example (WithGSA)
// Example: a non-empty GSA name appears as the iam.gke.io/gcp-service-account
// annotation, and with no Kf secrets passed in the ServiceAccount lists none.
withGSA := &v1alpha1.Space{
	Status: v1alpha1.SpaceStatus{
		BuildConfig: v1alpha1.SpaceStatusBuildConfig{
			ServiceAccount: "build-creds",
		},
	},
}

serviceAccount, _, err := MakeBuildServiceAccount(withGSA, nil, "some-gsa", "")
if err != nil {
	panic(err)
}

fmt.Println("ServiceAccount Annotations:", serviceAccount.Annotations)
fmt.Println("ServiceAccount len(Secrets):", len(serviceAccount.Secrets))
Output:

ServiceAccount Annotations: map[iam.gke.io/gcp-service-account:some-gsa]
ServiceAccount len(Secrets): 0

func MakeClusterRoleBinding

func MakeClusterRoleBinding(space *v1alpha1.Space, role RoleName, subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding

MakeClusterRoleBinding creates a populated RoleBinding for a given Role.

func MakeIAMPolicy

func MakeIAMPolicy(project, gsaName string, spaces []*v1alpha1.Space) (*unstructured.Unstructured, error)

MakeIAMPolicy returns an IAM Policy for the given Spaces.

func MakeNamespace

func MakeNamespace(space *v1alpha1.Space, asmRev string) (*v1.Namespace, error)

MakeNamespace creates a Namespace from a Space object.

Example
// Example: the Namespace is named after the Space and carries three labels:
// the Kf managed-by label, the metadata name, and the Istio injection label
// set to the ASM revision passed in.
space := new(v1alpha1.Space)
space.Name = "my-space"

namespace, err := MakeNamespace(space, "some-asm-rev")
if err != nil {
	panic(err)
}

fmt.Println("Name:", NamespaceName(space))
fmt.Println("Label Count:", len(namespace.Labels))
fmt.Println("Managed By:", namespace.Labels[managedByLabel])
fmt.Println("Metadata name:", namespace.Labels[v1.LabelMetadataName])
fmt.Println("Istio Injection:", namespace.Labels[networking.IstioInjectionLabel])
Output:

Name: my-space
Label Count: 3
Managed By: kf
Metadata name: my-space
Istio Injection: some-asm-rev

func MakeRoleBindingForClusterRole

func MakeRoleBindingForClusterRole(space *v1alpha1.Space, clusterRoleName RoleName) *rbacv1.RoleBinding

MakeRoleBindingForClusterRole creates a blank RoleBinding for a given Role. These have no subjects, so that Kf is not in the critical path of actuating or validating the capability to update RoleBindings, which would open the way to privilege escalation.

Kf is responsible for ensuring this type exists, but allows users to edit it to perform the actual binding.

func MakeSourceBuilderRole

func MakeSourceBuilderRole(space *v1alpha1.Space) *rbacv1.Role

MakeSourceBuilderRole creates a Role to allow requests to the sourcepackages upload subresource api.

func MakeSourceBuilderRoleBinding

func MakeSourceBuilderRoleBinding(space *v1alpha1.Space) *rbacv1.RoleBinding

MakeSourceBuilderRoleBinding creates a RoleBinding to allow requests to the sourcepackages upload subresource api from the kf-builder.

func MakeSpaceManagerClusterRole

func MakeSpaceManagerClusterRole(space *v1alpha1.Space) *rbacv1.ClusterRole

MakeSpaceManagerClusterRole creates a ClusterRole that gives Space managers the ability to read and modify the given Space (but not create or delete it).

func NamespaceName

func NamespaceName(space *v1alpha1.Space) string

NamespaceName gets the name of a namespace given the space.

Example
// Example: the namespace name is the Space's own name.
space := new(v1alpha1.Space)
space.Name = "my-space"

namespaceName := NamespaceName(space)
fmt.Println(namespaceName)
Output:

my-space

func RoleBindingName

func RoleBindingName(space *v1alpha1.Space, role RoleName) string

RoleBindingName generates the binding name for a given Role.

Types

type RoleName

type RoleName string

RoleName contains the names of ClusterRoles that Kf uses.

const (
	// SpaceManager is the ClusterRole name for Kf Space managers.
	SpaceManager RoleName = "space-manager"
	// SpaceDeveloper is the ClusterRole name for Kf Space developers.
	SpaceDeveloper RoleName = "space-developer"
	// SpaceAuditor is the ClusterRole name for Kf Space auditors.
	SpaceAuditor RoleName = "space-auditor"

	// ClusterReaderRole is the ClusterRole name that grants read access at
	// the cluster scope to Kf developers, managers, and auditors.
	ClusterReaderRole RoleName = "kf-cluster-reader"
)

func AllRoleNames

func AllRoleNames() []RoleName

AllRoleNames returns the list of Roles that Kf supports.

func ClusterRoleName

func ClusterRoleName(space *v1alpha1.Space) RoleName

ClusterRoleName generates the ClusterRole name for a given Space.
