bootstrappolicy

package

Documentation


Constants

// Namespaces the bootstrap policy refers to. Both are overridable by callers:
// GetBootstrapOpenshiftRoles/GetBootstrapOpenshiftRoleBindings take the
// shared-resources namespace as a parameter and GetBoostrapSCCAccess takes the
// infra namespace, so these constants are defaults rather than hard requirements.
const (
	// DefaultOpenShiftSharedResourcesNamespace is the default namespace for
	// cluster-wide shared resources (presumably what the shared-resource-viewer
	// role is scoped to — verify against GetBootstrapOpenshiftRoles).
	DefaultOpenShiftSharedResourcesNamespace = "openshift"
	// DefaultOpenShiftInfraNamespace is the default namespace the infrastructure
	// controller service accounts (see InfraSAs) are expected to live in; the
	// infraNamespace argument of GetBoostrapSCCAccess presumably receives it.
	DefaultOpenShiftInfraNamespace           = "openshift-infra"
)

known namespaces

// Well-known user and service-account identities referenced by the bootstrap
// role bindings. The "system:" prefix marks identities reserved for cluster
// components rather than people. Any client that can present a credential
// bearing one of these names (a client certificate or token) inherits whatever
// the bootstrap bindings grant that name, so these strings are part of the
// cluster's security boundary: renaming one silently orphans the bindings and
// certificates existing clusters already carry under the old value.
const (
	// Service accounts present in every project. Their per-project bindings are
	// presumably produced by GetBootstrapServiceAccountProjectRoleBindings — verify.
	DefaultServiceAccountName  = "default"
	BuilderServiceAccountName  = "builder"
	DeployerServiceAccountName = "deployer"

	// Unqualified names of the core infrastructure clients. The qualified
	// "system:"-prefixed forms below are the ones that appear in bindings.
	MasterUnqualifiedUsername   = "openshift-master"
	RouterUnqualifiedUsername   = "openshift-router"
	RegistryUnqualifiedUsername = "openshift-registry"

	MasterUsername      = "system:" + MasterUnqualifiedUsername
	RouterUsername      = "system:" + RouterUnqualifiedUsername
	RegistryUsername    = "system:" + RegistryUnqualifiedUsername
	// SystemAdminUsername is presumably bound to cluster-admin at bootstrap
	// (see ClusterAdminRoleBindingName) — verify; if so, any credential issued
	// for this name is a cluster root credential and must be guarded as such.
	SystemAdminUsername = "system:admin"

	// Not granted any API permissions, just an identity for a client certificate for the API proxy to use
	// Should not be changed without considering impact to pods that may be verifying this identity by default
	MasterProxyUnqualifiedUsername = "master-proxy"
	MasterProxyUsername            = "system:" + MasterProxyUnqualifiedUsername

	// Previous versions used this as the username for the master to connect to the kubelet
	// This should remain in the default role bindings for the NodeAdmin role
	// NOTE(review): NodeAdmin has full access to the kubelet API (see
	// NodeAdminRoleName), so a certificate issued for this legacy CN is exactly
	// as powerful as one for the current name. Keeping it is a compatibility
	// decision with a real cost — one more identity whose issuance must be
	// controlled — and should be revisited each release. The same string is
	// also used as MasterRoleName; one is a user, the other a role, so do not
	// conflate them when reading bindings or audit logs.
	LegacyMasterKubeletAdminClientUsername = "system:master"
	MasterKubeletAdminClientUsername       = "system:openshift-node-admin"
)

users

// Well-known group names. Groups are the subjects most bootstrap bindings use,
// so membership in one of these is equivalent to holding every role bound to
// it. The authenticated/unauthenticated pair is presumably attached to requests
// by the authenticator rather than stored as group objects — verify — which
// means anything bound to UnauthenticatedGroup is reachable by any client that
// can open a connection to the API server and should be reviewed as public
// exposure.
const (
	// UnauthenticatedUsername is the username attributed to requests carrying no
	// credentials (inferred from the name — confirm against the authenticator).
	UnauthenticatedUsername = "system:anonymous"

	AuthenticatedGroup      = "system:authenticated"
	// AuthenticatedOAuthGroup presumably narrows AuthenticatedGroup to identities
	// that logged in through OAuth, excluding certificate and service-account
	// token clients — verify before relying on it for user-only bindings.
	AuthenticatedOAuthGroup = "system:authenticated:oauth"
	UnauthenticatedGroup    = "system:unauthenticated"
	// Adding a member to one of these two groups is presumably equivalent to
	// granting cluster-admin / cluster-reader directly (see the matching
	// *RoleBindingName constants) — verify; audit membership accordingly.
	ClusterAdminGroup       = "system:cluster-admins"
	ClusterReaderGroup      = "system:cluster-readers"
	MastersGroup            = "system:masters"
	// Component groups; by name each corresponds to the same-named "system:"
	// role declared below.
	NodesGroup              = "system:nodes"
	NodeAdminsGroup         = "system:node-admins"
	NodeReadersGroup        = "system:node-readers"
	RouterGroup             = "system:routers"
	RegistryGroup           = "system:registries"
)

groups

// Names of the bootstrap roles. By convention the names without a "system:"
// prefix (cluster-admin, admin, edit, view, ...) are the ones users are bound
// to directly; the "system:" ones are intended for cluster components and
// service accounts. The rule sets live in GetBootstrapClusterRoles /
// GetBootstrapOpenshiftRoles and are not visible here, so the per-name notes
// below describe intent inferred from the name and must be checked against
// the actual rules before being relied on.
const (
	ClusterAdminRoleName       = "cluster-admin"
	// SudoerRoleName: the name suggests the ability to act as another identity;
	// if so, holders are effectively cluster-admin — verify the rules.
	SudoerRoleName             = "sudoer"
	ClusterReaderRoleName      = "cluster-reader"
	StorageAdminRoleName       = "storage-admin"
	AdminRoleName              = "admin"
	EditRoleName               = "edit"
	ViewRoleName               = "view"
	// SelfProvisionerRoleName presumably allows creating new projects. It has a
	// cluster-wide bootstrap binding (SelfProvisionerRoleBindingName), so
	// removing that binding is presumably how self-service project creation is
	// disabled — verify.
	SelfProvisionerRoleName    = "self-provisioner"
	BasicUserRoleName          = "basic-user"
	// cluster-status and self-access-reviewer are bound at bootstrap under
	// names that differ from the usual "<role>s" pattern; see the bindings block.
	StatusCheckerRoleName      = "cluster-status"
	SelfAccessReviewerRoleName = "self-access-reviewer"

	RegistryAdminRoleName  = "registry-admin"
	RegistryViewerRoleName = "registry-viewer"
	RegistryEditorRoleName = "registry-editor"

	// Build-strategy roles gate which build strategies a user may request. By
	// name, the custom strategy is the one that runs a builder image of the
	// requester's choosing and is therefore the first to restrict when
	// hardening a cluster — confirm against the rules and the builder's SCC.
	BuildStrategyDockerRoleName          = "system:build-strategy-docker"
	BuildStrategyCustomRoleName          = "system:build-strategy-custom"
	BuildStrategySourceRoleName          = "system:build-strategy-source"
	BuildStrategyJenkinsPipelineRoleName = "system:build-strategy-jenkinspipeline"

	ImageAuditorRoleName      = "system:image-auditor"
	ImagePullerRoleName       = "system:image-puller"
	ImagePusherRoleName       = "system:image-pusher"
	ImageBuilderRoleName      = "system:image-builder"
	// ImagePrunerRoleName and ImageSignerRoleName are, by name, destructive and
	// trust-affecting respectively. Neither has a bootstrap binding constant in
	// the bindings block, which is consistent with binding them only on demand.
	ImagePrunerRoleName       = "system:image-pruner"
	ImageSignerRoleName       = "system:image-signer"
	DeployerRoleName          = "system:deployer"
	RouterRoleName            = "system:router"
	RegistryRoleName          = "system:registry"
	// MasterRoleName shares its string with LegacyMasterKubeletAdminClientUsername
	// ("system:master"); one is a role, the other a user.
	MasterRoleName            = "system:master"
	NodeRoleName              = "system:node"
	NodeProxierRoleName       = "system:node-proxier"
	SDNReaderRoleName         = "system:sdn-reader"
	SDNManagerRoleName        = "system:sdn-manager"
	OAuthTokenDeleterRoleName = "system:oauth-token-deleter"
	WebHooksRoleName          = "system:webhook"
	DiscoveryRoleName         = "system:discovery"

	// NodeAdmin has full access to the API provided by the kubelet
	// NOTE(review): full kubelet API access should be treated as administrative
	// access to the node itself; it is intentionally still bound to the legacy
	// "system:master" username (see LegacyMasterKubeletAdminClientUsername).
	NodeAdminRoleName = "system:node-admin"
	// NodeReader has read access to the metrics and stats provided by the kubelet
	NodeReaderRoleName = "system:node-reader"

	OpenshiftSharedResourceViewRoleName = "shared-resource-viewer"
)

Roles

// Names of the bootstrap role bindings, each derived from its role name. Most
// use the plural form ("<role>s"); cluster-status, discovery and the four
// build-strategy bindings use "<role>-binding" instead. The inconsistency is
// historical and is not safe to "fix": existing clusters presumably hold
// bindings under these exact names, and whatever reconciles bootstrap policy
// would look them up by name — verify before renaming. Roles that have no
// constant here (admin, edit, view, sudoer, storage-admin, image-auditor,
// image-pusher, image-pruner, image-signer) get no cluster-wide bootstrap
// binding under a fixed name; they are presumably bound per project or on
// demand — verify.
const (
	SelfAccessReviewerRoleBindingName = SelfAccessReviewerRoleName + "s"
	SelfProvisionerRoleBindingName    = SelfProvisionerRoleName + "s"
	DeployerRoleBindingName           = DeployerRoleName + "s"
	ClusterAdminRoleBindingName       = ClusterAdminRoleName + "s"
	ClusterReaderRoleBindingName      = ClusterReaderRoleName + "s"
	BasicUserRoleBindingName          = BasicUserRoleName + "s"
	OAuthTokenDeleterRoleBindingName  = OAuthTokenDeleterRoleName + "s"
	// "-binding" suffix rather than the plural, see the note above.
	StatusCheckerRoleBindingName      = StatusCheckerRoleName + "-binding"
	ImagePullerRoleBindingName        = ImagePullerRoleName + "s"
	ImageBuilderRoleBindingName       = ImageBuilderRoleName + "s"
	RouterRoleBindingName             = RouterRoleName + "s"
	RegistryRoleBindingName           = RegistryRoleName + "s"
	MasterRoleBindingName             = MasterRoleName + "s"
	NodeRoleBindingName               = NodeRoleName + "s"
	NodeProxierRoleBindingName        = NodeProxierRoleName + "s"
	NodeAdminRoleBindingName          = NodeAdminRoleName + "s"
	NodeReaderRoleBindingName         = NodeReaderRoleName + "s"
	SDNReaderRoleBindingName          = SDNReaderRoleName + "s"
	SDNManagerRoleBindingName         = SDNManagerRoleName + "s"
	WebHooksRoleBindingName           = WebHooksRoleName + "s"
	// "-binding" suffix rather than the plural, see the note above.
	DiscoveryRoleBindingName          = DiscoveryRoleName + "-binding"
	RegistryAdminRoleBindingName      = RegistryAdminRoleName + "s"
	RegistryViewerRoleBindingName     = RegistryViewerRoleName + "s"
	RegistryEditorRoleBindingName     = RegistryEditorRoleName + "s"

	// Build-strategy bindings also use the "-binding" suffix.
	BuildStrategyDockerRoleBindingName          = BuildStrategyDockerRoleName + "-binding"
	BuildStrategyCustomRoleBindingName          = BuildStrategyCustomRoleName + "-binding"
	BuildStrategySourceRoleBindingName          = BuildStrategySourceRoleName + "-binding"
	BuildStrategyJenkinsPipelineRoleBindingName = BuildStrategyJenkinsPipelineRoleName + "-binding"

	OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s"
)

RoleBindings

// Service-account and role names for the infrastructure controllers. Each
// controller gets its own service account paired with its own role, so a
// leaked credential for one controller exposes only that controller's rules
// rather than a shared controller superuser — keep it that way when adding
// controllers. These names are presumably what the InfraSAs registry exposes
// through GetServiceAccounts/RoleFor/AllRoles — verify. Renaming any pair is
// an upgrade concern (see the TODO on the pet-set names below): existing
// clusters carry service accounts, tokens and bindings under the old names,
// so a rename has to keep the old name bound until those are migrated.
const (
	InfraBuildControllerServiceAccountName = "build-controller"
	BuildControllerRoleName                = "system:build-controller"

	InfraReplicationControllerServiceAccountName = "replication-controller"
	ReplicationControllerRoleName                = "system:replication-controller"

	InfraReplicaSetControllerServiceAccountName = "replicaset-controller"
	ReplicaSetControllerRoleName                = "system:replicaset-controller"

	InfraDeploymentConfigControllerServiceAccountName = "deploymentconfig-controller"
	DeploymentConfigControllerRoleName                = "system:deploymentconfig-controller"

	InfraDeploymentControllerServiceAccountName = "deployment-controller"
	DeploymentControllerRoleName                = "system:deployment-controller"

	InfraJobControllerServiceAccountName = "job-controller"
	JobControllerRoleName                = "system:job-controller"

	InfraDaemonSetControllerServiceAccountName = "daemonset-controller"
	DaemonSetControllerRoleName                = "system:daemonset-controller"

	InfraDisruptionControllerServiceAccountName = "disruption-controller"
	DisruptionControllerRoleName                = "system:disruption-controller"

	InfraHPAControllerServiceAccountName = "hpa-controller"
	HPAControllerRoleName                = "system:hpa-controller"

	InfraNamespaceControllerServiceAccountName = "namespace-controller"
	NamespaceControllerRoleName                = "system:namespace-controller"

	// The persistent-volume controllers are split four ways (bind, attach/detach,
	// recycle, provision) rather than sharing one storage role.
	InfraPersistentVolumeBinderControllerServiceAccountName = "pv-binder-controller"
	PersistentVolumeBinderControllerRoleName                = "system:pv-binder-controller"

	InfraPersistentVolumeAttachDetachControllerServiceAccountName = "pv-attach-detach-controller"
	PersistentVolumeAttachDetachControllerRoleName                = "system:pv-attach-detach-controller"

	InfraPersistentVolumeRecyclerControllerServiceAccountName = "pv-recycler-controller"
	PersistentVolumeRecyclerControllerRoleName                = "system:pv-recycler-controller"

	InfraPersistentVolumeProvisionerControllerServiceAccountName = "pv-provisioner-controller"
	PersistentVolumeProvisionerControllerRoleName                = "system:pv-provisioner-controller"

	InfraGCControllerServiceAccountName = "gc-controller"
	GCControllerRoleName                = "system:gc-controller"

	InfraServiceLoadBalancerControllerServiceAccountName = "service-load-balancer-controller"
	ServiceLoadBalancerControllerRoleName                = "system:service-load-balancer-controller"

	// TODO can we just rename these or how do we handle upgrades?
	// NOTE(review): a bare rename breaks clusters that already have the
	// "pet-set-controller" service account and its binding; the conservative
	// path is to add the new names alongside and retire these only after a
	// migration that rebinds the new account.
	InfraPetSetControllerServiceAccountName = "pet-set-controller"
	PetSetControllerRoleName                = "system:pet-set-controller"

	InfraUnidlingControllerServiceAccountName = "unidling-controller"
	UnidlingControllerRoleName                = "system:unidling-controller"

	// Naming inconsistency: this service-account constant lacks the "Infra"
	// prefix the others carry. Kept as-is because the identifier is exported.
	ServiceServingCertServiceAccountName = "service-serving-cert-controller"
	ServiceServingCertControllerRoleName = "system:service-serving-cert-controller"

	InfraEndpointControllerServiceAccountName = "endpoint-controller"
	EndpointControllerRoleName                = "system:endpoint-controller"

	InfraServiceIngressIPControllerServiceAccountName = "service-ingress-ip-controller"
	ServiceIngressIPControllerRoleName                = "system:service-ingress-ip-controller"
)
// Names and descriptions of the bootstrap SecurityContextConstraints (SCCs).
// These names are the keys of the sccNameToAdditionalGroups /
// sccNameToAdditionalUsers maps that GetBootstrapSecurityContextConstraints
// accepts, so callers should key those maps with these constants rather than
// string literals; a misspelled key would presumably just be ignored rather
// than rejected — verify. The SCC rule sets themselves are built elsewhere and
// are not visible here; the per-name notes below go no further than the
// existing descriptions.
// NOTE(review): this rendered listing elides the *Desc string literals (shown
// as "" with a byte count); read the real source for the description text.
const (
	// SecurityContextConstraintPrivileged is used as the name for the system default privileged scc.
	// By name the least restrictive SCC; access to it should be limited to
	// trusted infrastructure identities (see GetBoostrapSCCAccess for the defaults).
	SecurityContextConstraintPrivileged     = "privileged"
	SecurityContextConstraintPrivilegedDesc = "" /* 261-byte string literal not displayed */

	// SecurityContextConstraintRestricted is used as the name for the system default restricted scc.
	SecurityContextConstraintRestricted     = "restricted"
	SecurityContextConstraintRestrictedDesc = "" /* 177-byte string literal not displayed */

	// SecurityContextConstraintNonRoot is used as the name for the system default non-root scc.
	SecurityContextConstraintNonRoot     = "nonroot"
	SecurityContextConstraintNonRootDesc = "" /* 202-byte string literal not displayed */

	// SecurityContextConstraintHostMountAndAnyUID is used as the name for the system default host mount + any UID scc.
	// Host mounts plus an arbitrary UID allow reading and writing host files
	// as that UID, so this is close to node-level access — grant deliberately.
	SecurityContextConstraintHostMountAndAnyUID     = "hostmount-anyuid"
	SecurityContextConstraintHostMountAndAnyUIDDesc = "" /* 267-byte string literal not displayed */

	// SecurityContextConstraintHostNS is used as the name for the system default scc
	// that grants access to all host ns features.
	SecurityContextConstraintHostNS     = "hostaccess"
	SecurityContextConstraintHostNSDesc = "" /* 287-byte string literal not displayed */

	// SecurityContextConstraintsAnyUID is used as the name for the system default scc that
	// grants access to run as any uid but is still restricted to specific SELinux contexts.
	SecurityContextConstraintsAnyUID     = "anyuid"
	SecurityContextConstraintsAnyUIDDesc = "" /* 150-byte string literal not displayed */

	// SecurityContextConstraintsHostNetwork is used as the name for the system default scc that
	// grants access to run with host networking and host ports but still allocates uid/gids/selinux from the
	// namespace.
	SecurityContextConstraintsHostNetwork     = "hostnetwork"
	SecurityContextConstraintsHostNetworkDesc = "" /* 157-byte string literal not displayed */

	// DescriptionAnnotation is the annotation used for attaching descriptions.
	// Presumably the *Desc strings above are stored on each SCC under this key — verify.
	DescriptionAnnotation = "kubernetes.io/description"
)

Variables

// InfraSAs is the package-wide registry of infrastructure service accounts and
// the roles they map to (see InfraServiceAccounts). It is a mutable
// package-level singleton whose fields are unexported, so it is presumably
// populated during package initialization elsewhere in this package — verify;
// callers should treat it as read-only.
var InfraSAs = &InfraServiceAccounts{}

Functions

func GetBoostrapSCCAccess added in v1.0.8

func GetBoostrapSCCAccess(infraNamespace string) (map[string][]string, map[string][]string)

GetBoostrapSCCAccess provides the default set of SCC access — two maps keyed by SCC name, one of additional groups and one of additional users, in the order GetBootstrapSecurityContextConstraints expects them — computed for the given infra namespace.

func GetBootstrapClusterRoleBindings

func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding

func GetBootstrapClusterRoles

func GetBootstrapClusterRoles() []authorizationapi.ClusterRole

func GetBootstrapOpenshiftRoleBindings

func GetBootstrapOpenshiftRoleBindings(openshiftNamespace string) []authorizationapi.RoleBinding

func GetBootstrapOpenshiftRoles

func GetBootstrapOpenshiftRoles(openshiftNamespace string) []authorizationapi.Role

func GetBootstrapSecurityContextConstraints

func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string][]string, sccNameToAdditionalUsers map[string][]string) []kapi.SecurityContextConstraints

GetBootstrapSecurityContextConstraints returns the slice of default SecurityContextConstraints for system bootstrapping. Its two arguments are maps keyed by SCC name (the SecurityContextConstraint* constants) listing additional groups and additional users to be added to the constraint of that name. Use GetBoostrapSCCAccess to produce the default set of mappings.

func GetBootstrapServiceAccountProjectRoleBindings

func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []authorizationapi.RoleBinding

Types

type InfraServiceAccounts added in v1.1.1

type InfraServiceAccounts struct {
	// contains filtered or unexported fields
}

func (*InfraServiceAccounts) AllRoles added in v1.1.1

func (*InfraServiceAccounts) GetServiceAccounts added in v1.1.1

func (r *InfraServiceAccounts) GetServiceAccounts() []string

func (*InfraServiceAccounts) RoleFor added in v1.1.1
