Documentation ¶
Index ¶
- Constants
- Variables
- func GetBoostrapSCCAccess(infraNamespace string) (map[string][]string, map[string][]string)
- func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding
- func GetBootstrapClusterRoles() []authorizationapi.ClusterRole
- func GetBootstrapOpenshiftRoleBindings(openshiftNamespace string) []authorizationapi.RoleBinding
- func GetBootstrapOpenshiftRoles(openshiftNamespace string) []authorizationapi.Role
- func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string][]string, ...) []kapi.SecurityContextConstraints
- func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []authorizationapi.RoleBinding
- type InfraServiceAccounts
Constants ¶
View Source
const ( DefaultOpenShiftInfraNamespace = "openshift-infra" )
known namespaces
View Source
const ( DefaultServiceAccountName = "default" BuilderServiceAccountName = "builder" DeployerServiceAccountName = "deployer" MasterUnqualifiedUsername = "openshift-master" RouterUnqualifiedUsername = "openshift-router" RegistryUnqualifiedUsername = "openshift-registry" MasterUsername = "system:" + MasterUnqualifiedUsername RouterUsername = "system:" + RouterUnqualifiedUsername RegistryUsername = "system:" + RegistryUnqualifiedUsername SystemAdminUsername = "system:admin" // Not granted any API permissions, just an identity for a client certificate for the API proxy to use // Should not be changed without considering impact to pods that may be verifying this identity by default MasterProxyUnqualifiedUsername = "master-proxy" MasterProxyUsername = "system:" + MasterProxyUnqualifiedUsername // Previous versions used this as the username for the master to connect to the kubelet // This should remain in the default role bindings for the NodeAdmin role LegacyMasterKubeletAdminClientUsername = "system:master" MasterKubeletAdminClientUsername = "system:openshift-node-admin" )
users
View Source
const ( UnauthenticatedUsername = "system:anonymous" AuthenticatedGroup = "system:authenticated" AuthenticatedOAuthGroup = "system:authenticated:oauth" UnauthenticatedGroup = "system:unauthenticated" ClusterAdminGroup = "system:cluster-admins" ClusterReaderGroup = "system:cluster-readers" MastersGroup = "system:masters" NodesGroup = "system:nodes" NodeAdminsGroup = "system:node-admins" NodeReadersGroup = "system:node-readers" RouterGroup = "system:routers" RegistryGroup = "system:registries" )
groups
View Source
const ( ClusterAdminRoleName = "cluster-admin" SudoerRoleName = "sudoer" ClusterReaderRoleName = "cluster-reader" StorageAdminRoleName = "storage-admin" AdminRoleName = "admin" EditRoleName = "edit" ViewRoleName = "view" SelfProvisionerRoleName = "self-provisioner" BasicUserRoleName = "basic-user" StatusCheckerRoleName = "cluster-status" SelfAccessReviewerRoleName = "self-access-reviewer" RegistryAdminRoleName = "registry-admin" RegistryViewerRoleName = "registry-viewer" RegistryEditorRoleName = "registry-editor" BuildStrategyDockerRoleName = "system:build-strategy-docker" BuildStrategyCustomRoleName = "system:build-strategy-custom" BuildStrategySourceRoleName = "system:build-strategy-source" BuildStrategyJenkinsPipelineRoleName = "system:build-strategy-jenkinspipeline" ImageAuditorRoleName = "system:image-auditor" ImagePullerRoleName = "system:image-puller" ImagePusherRoleName = "system:image-pusher" ImageBuilderRoleName = "system:image-builder" ImagePrunerRoleName = "system:image-pruner" ImageSignerRoleName = "system:image-signer" DeployerRoleName = "system:deployer" RouterRoleName = "system:router" RegistryRoleName = "system:registry" MasterRoleName = "system:master" NodeRoleName = "system:node" NodeProxierRoleName = "system:node-proxier" SDNReaderRoleName = "system:sdn-reader" SDNManagerRoleName = "system:sdn-manager" OAuthTokenDeleterRoleName = "system:oauth-token-deleter" WebHooksRoleName = "system:webhook" DiscoveryRoleName = "system:discovery" // NodeAdmin has full access to the API provided by the kubelet NodeAdminRoleName = "system:node-admin" // NodeReader has read access to the metrics and stats provided by the kubelet NodeReaderRoleName = "system:node-reader" )
Roles
View Source
const ( SelfAccessReviewerRoleBindingName = SelfAccessReviewerRoleName + "s" SelfProvisionerRoleBindingName = SelfProvisionerRoleName + "s" DeployerRoleBindingName = DeployerRoleName + "s" ClusterAdminRoleBindingName = ClusterAdminRoleName + "s" ClusterReaderRoleBindingName = ClusterReaderRoleName + "s" BasicUserRoleBindingName = BasicUserRoleName + "s" OAuthTokenDeleterRoleBindingName = OAuthTokenDeleterRoleName + "s" StatusCheckerRoleBindingName = StatusCheckerRoleName + "-binding" ImagePullerRoleBindingName = ImagePullerRoleName + "s" ImageBuilderRoleBindingName = ImageBuilderRoleName + "s" RouterRoleBindingName = RouterRoleName + "s" RegistryRoleBindingName = RegistryRoleName + "s" MasterRoleBindingName = MasterRoleName + "s" NodeRoleBindingName = NodeRoleName + "s" NodeProxierRoleBindingName = NodeProxierRoleName + "s" NodeAdminRoleBindingName = NodeAdminRoleName + "s" NodeReaderRoleBindingName = NodeReaderRoleName + "s" SDNReaderRoleBindingName = SDNReaderRoleName + "s" SDNManagerRoleBindingName = SDNManagerRoleName + "s" WebHooksRoleBindingName = WebHooksRoleName + "s" DiscoveryRoleBindingName = DiscoveryRoleName + "-binding" RegistryAdminRoleBindingName = RegistryAdminRoleName + "s" RegistryViewerRoleBindingName = RegistryViewerRoleName + "s" RegistryEditorRoleBindingName = RegistryEditorRoleName + "s" BuildStrategyDockerRoleBindingName = BuildStrategyDockerRoleName + "-binding" BuildStrategyCustomRoleBindingName = BuildStrategyCustomRoleName + "-binding" BuildStrategySourceRoleBindingName = BuildStrategySourceRoleName + "-binding" BuildStrategyJenkinsPipelineRoleBindingName = BuildStrategyJenkinsPipelineRoleName + "-binding" )
RoleBindings
View Source
const ( InfraBuildControllerServiceAccountName = "build-controller" BuildControllerRoleName = "system:build-controller" InfraReplicationControllerServiceAccountName = "replication-controller" ReplicationControllerRoleName = "system:replication-controller" InfraReplicaSetControllerServiceAccountName = "replicaset-controller" ReplicaSetControllerRoleName = "system:replicaset-controller" InfraDeploymentConfigControllerServiceAccountName = "deploymentconfig-controller" DeploymentConfigControllerRoleName = "system:deploymentconfig-controller" InfraDeploymentControllerServiceAccountName = "deployment-controller" DeploymentControllerRoleName = "system:deployment-controller" InfraJobControllerServiceAccountName = "job-controller" JobControllerRoleName = "system:job-controller" InfraDaemonSetControllerServiceAccountName = "daemonset-controller" DaemonSetControllerRoleName = "system:daemonset-controller" InfraDisruptionControllerServiceAccountName = "disruption-controller" DisruptionControllerRoleName = "system:disruption-controller" InfraHPAControllerServiceAccountName = "hpa-controller" HPAControllerRoleName = "system:hpa-controller" InfraNamespaceControllerServiceAccountName = "namespace-controller" NamespaceControllerRoleName = "system:namespace-controller" InfraPersistentVolumeBinderControllerServiceAccountName = "pv-binder-controller" PersistentVolumeBinderControllerRoleName = "system:pv-binder-controller" InfraPersistentVolumeAttachDetachControllerServiceAccountName = "pv-attach-detach-controller" PersistentVolumeAttachDetachControllerRoleName = "system:pv-attach-detach-controller" InfraPersistentVolumeRecyclerControllerServiceAccountName = "pv-recycler-controller" PersistentVolumeRecyclerControllerRoleName = "system:pv-recycler-controller" InfraPersistentVolumeProvisionerControllerServiceAccountName = "pv-provisioner-controller" PersistentVolumeProvisionerControllerRoleName = "system:pv-provisioner-controller" InfraGCControllerServiceAccountName = "gc-controller" GCControllerRoleName = "system:gc-controller" InfraServiceLoadBalancerControllerServiceAccountName = "service-load-balancer-controller" ServiceLoadBalancerControllerRoleName = "system:service-load-balancer-controller" // TODO can we just rename these or how do we handle upgrades? InfraPetSetControllerServiceAccountName = "pet-set-controller" PetSetControllerRoleName = "system:pet-set-controller" InfraUnidlingControllerServiceAccountName = "unidling-controller" UnidlingControllerRoleName = "system:unidling-controller" ServiceServingCertServiceAccountName = "service-serving-cert-controller" ServiceServingCertControllerRoleName = "system:service-serving-cert-controller" InfraEndpointControllerServiceAccountName = "endpoint-controller" EndpointControllerRoleName = "system:endpoint-controller" InfraServiceIngressIPControllerServiceAccountName = "service-ingress-ip-controller" ServiceIngressIPControllerRoleName = "system:service-ingress-ip-controller" )
View Source
const ( // SecurityContextConstraintPrivileged is used as the name for the system default privileged scc. SecurityContextConstraintPrivileged = "privileged" SecurityContextConstraintPrivilegedDesc = "" /* 261-byte string literal not displayed */ // SecurityContextConstraintRestricted is used as the name for the system default restricted scc. SecurityContextConstraintRestricted = "restricted" SecurityContextConstraintRestrictedDesc = "" /* 177-byte string literal not displayed */ // SecurityContextConstraintNonRoot is used as the name for the system default non-root scc. SecurityContextConstraintNonRoot = "nonroot" SecurityContextConstraintNonRootDesc = "" /* 202-byte string literal not displayed */ // SecurityContextConstraintHostMountAndAnyUID is used as the name for the system default host mount + any UID scc. SecurityContextConstraintHostMountAndAnyUID = "hostmount-anyuid" SecurityContextConstraintHostMountAndAnyUIDDesc = "" /* 267-byte string literal not displayed */ // SecurityContextConstraintHostNS is used as the name for the system default scc // that grants access to all host ns features. SecurityContextConstraintHostNS = "hostaccess" SecurityContextConstraintHostNSDesc = "" /* 287-byte string literal not displayed */ // SecurityContextConstraintsAnyUID is used as the name for the system default scc that // grants access to run as any uid but is still restricted to specific SELinux contexts. SecurityContextConstraintsAnyUID = "anyuid" SecurityContextConstraintsAnyUIDDesc = "" /* 150-byte string literal not displayed */ // SecurityContextConstraintsHostNetwork is used as the name for the system default scc that // grants access to run with host networking and host ports but still allocates uid/gids/selinux from the // namespace. SecurityContextConstraintsHostNetwork = "hostnetwork" SecurityContextConstraintsHostNetworkDesc = "" /* 157-byte string literal not displayed */ // DescriptionAnnotation is the annotation used for attaching descriptions. DescriptionAnnotation = "kubernetes.io/description" )
Variables ¶
View Source
var InfraSAs = &InfraServiceAccounts{}
Functions ¶
func GetBoostrapSCCAccess ¶ added in v1.0.8
GetBoostrapSCCAccess provides the default set of access that should be passed to GetBootstrapSecurityContextConstraints.
func GetBootstrapClusterRoleBindings ¶
func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding
func GetBootstrapClusterRoles ¶
func GetBootstrapClusterRoles() []authorizationapi.ClusterRole
func GetBootstrapOpenshiftRoleBindings ¶
func GetBootstrapOpenshiftRoleBindings(openshiftNamespace string) []authorizationapi.RoleBinding
func GetBootstrapOpenshiftRoles ¶
func GetBootstrapOpenshiftRoles(openshiftNamespace string) []authorizationapi.Role
func GetBootstrapSecurityContextConstraints ¶
func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string][]string, sccNameToAdditionalUsers map[string][]string) []kapi.SecurityContextConstraints
GetBootstrapSecurityContextConstraints returns the slice of default SecurityContextConstraints for system bootstrapping. This method takes additional users and groups that should be added to the strategies. Use GetBoostrapSCCAccess to produce the default set of mappings.
func GetBootstrapServiceAccountProjectRoleBindings ¶
func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []authorizationapi.RoleBinding
Types ¶
type InfraServiceAccounts ¶ added in v1.1.1
type InfraServiceAccounts struct {
// contains filtered or unexported fields
}
func (*InfraServiceAccounts) AllRoles ¶ added in v1.1.1
func (r *InfraServiceAccounts) AllRoles() []authorizationapi.ClusterRole
func (*InfraServiceAccounts) GetServiceAccounts ¶ added in v1.1.1
func (r *InfraServiceAccounts) GetServiceAccounts() []string
func (*InfraServiceAccounts) RoleFor ¶ added in v1.1.1
func (r *InfraServiceAccounts) RoleFor(saName string) (authorizationapi.ClusterRole, bool)
Click to show internal directories.
Click to hide internal directories.