Documentation ¶
Overview ¶
Package authcheck provides utilities to check authentication configuration for data plane resources. File authcheck contains functions to run customized checks inside of a Pod.
Package authcheck provides utilities to check authentication configuration for data plane resources. File authtype contains functions to differentiate authentication mode.
Package authcheck provides utilities to check authentication configuration for data plane resources. enqueue.go contains customized EventHandlers to enqueue resources for authentication check.
Package authcheck provides utilities to check authentication configuration for data plane resources. File authcheck contains functions to run customized checks inside of a Pod.
Package authcheck provides utilities to check authentication configuration for data plane resources. list.go contains functions to get a list of resources based on label selector and get information from a list of resources.
Package authcheck provides utilities to check authentication configuration for data plane resources. File probechecker.go contains utilities to perform a probe check for liveness and readiness.
Index ¶
- Constants
- Variables
- func AuthenticationCheckForSecret(ctx context.Context) error
- func AuthenticationCheckForWorkloadIdentityGSA(resource string, client *http.Client) error
- func EnqueueBrokerCell(impl *controller.Impl, brokerCellLister v1alpha1.BrokerCellLister) cache.ResourceEventHandler
- func EnqueuePullSubscription(impl *controller.Impl, pullSubscriptionLister listers.PullSubscriptionLister) cache.ResourceEventHandler
- func EnqueueTopic(impl *controller.Impl, topicLister listers.TopicLister) cache.ResourceEventHandler
- func GetEventList(ctx context.Context, kubeClientSet kubernetes.Interface, pod, namespace string) (*corev1.EventList, error)
- func GetMountFailureMessageFromEventList(el *corev1.EventList, secret *corev1.SecretKeySelector) string
- func GetPodList(ctx context.Context, ls labels.Selector, kubeClientSet kubernetes.Interface, ...) (*corev1.PodList, error)
- func GetTerminationLogFromPodList(pl *corev1.PodList) string
- type AuthType
- type AuthTypeArgs
- type AuthenticationCheck
- type FakeAuthenticationCheck
- type ProbeChecker
Constants ¶
const ( AuthenticationCheckUnknownReason = "AuthenticationCheckPending" ControlPlaneNamespace = "events-system" BrokerServiceAccountName = "broker" )
const DefaultProbeCheckPort = 8080
DefaultProbeCheckPort is the default port for checking sync pool health.
Variables ¶
var ( BrokerSecret = &corev1.SecretKeySelector{ LocalObjectReference: corev1.LocalObjectReference{Name: "google-broker-key"}, Key: "key.json", } )
Functions ¶
func AuthenticationCheckForSecret ¶
AuthenticationCheckForSecret performs the authentication check for Pod in secret mode.
func AuthenticationCheckForWorkloadIdentityGSA ¶
AuthenticationCheckForWorkloadIdentityGSA performs the authentication check for Pod in workload-identity-gsa mode.
func EnqueueBrokerCell ¶
func EnqueueBrokerCell(impl *controller.Impl, brokerCellLister v1alpha1.BrokerCellLister) cache.ResourceEventHandler
EnqueueBrokerCell returns an event handler for resources which are not created/owned by a BrokerCell. It is used for serviceAccountInformer and secretInformer.
func EnqueuePullSubscription ¶
func EnqueuePullSubscription(impl *controller.Impl, pullSubscriptionLister listers.PullSubscriptionLister) cache.ResourceEventHandler
EnqueuePullSubscription returns an event handler for resources which are not created/owned by a PullSubscription. It is used for serviceAccountInformer.
func EnqueueTopic ¶
func EnqueueTopic(impl *controller.Impl, topicLister listers.TopicLister) cache.ResourceEventHandler
EnqueueTopic returns an event handler for resources which are not created/owned by a Topic. It is used for serviceAccountInformer.
func GetEventList ¶
func GetEventList(ctx context.Context, kubeClientSet kubernetes.Interface, pod, namespace string) (*corev1.EventList, error)
GetEventList gets a list of k8s Events in the given namespace, using a field selector that restricts the results to those related to the Pod.
func GetMountFailureMessageFromEventList ¶
func GetMountFailureMessageFromEventList(el *corev1.EventList, secret *corev1.SecretKeySelector) string
GetMountFailureMessageFromEventList gets the k8s Event message related to secret mount errors. It returns the message of the first relevant Event in the list.
func GetPodList ¶
func GetPodList(ctx context.Context, ls labels.Selector, kubeClientSet kubernetes.Interface, namespace string) (*corev1.PodList, error)
GetPodList gets a list of Pods in the given namespace that match the given label selector.
func GetTerminationLogFromPodList ¶
GetTerminationLogFromPodList gets the termination log from Pods that failed due to authentication check errors. It returns the first authentication termination log found in any Pod in the list.
Types ¶
type AuthType ¶
type AuthType string
const ( // Secret option is referring to authentication configuration for secret. // https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform#importing_credentials_as_a_secret Secret AuthType = "secret" // WorkloadIdentityGSA option is referring to authentication configuration for Workload Identity using GSA // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity WorkloadIdentityGSA AuthType = "workload-identity-gsa" WorkloadIdentity AuthType = "workload-identity" )
func GetAuthTypeForBrokerCell ¶
func GetAuthTypeForBrokerCell(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, secretLister corev1listers.SecretLister, args AuthTypeArgs) (AuthType, error)
GetAuthTypeForBrokerCell returns the AuthType for a BrokerCell.
func GetAuthTypeForSources ¶
func GetAuthTypeForSources(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, args AuthTypeArgs) (AuthType, error)
GetAuthTypeForSources returns the AuthType for Sources.
type AuthTypeArgs ¶
type AuthTypeArgs struct { Namespace string ServiceAccountName string Secret *corev1.SecretKeySelector }
type AuthenticationCheck ¶
func NewDefault ¶
func NewDefault(authType AuthType) AuthenticationCheck
type FakeAuthenticationCheck ¶
type FakeAuthenticationCheck struct {
Err error
}
type ProbeChecker ¶
type ProbeChecker struct {
// contains filtered or unexported fields
}
func NewProbeChecker ¶
func NewProbeChecker(logger *zap.Logger, authType AuthType) ProbeChecker
NewProbeChecker returns a ProbeChecker configured with the default probe check port.
func (*ProbeChecker) ServeHTTP ¶
func (pc *ProbeChecker) ServeHTTP(w http.ResponseWriter, req *http.Request)
ServeHTTP performs the authentication check if the request path is /healthz.
func (*ProbeChecker) Start ¶
func (pc *ProbeChecker) Start(ctx context.Context)
Start initializes an HTTP server and starts listening.