- Constants
- Variables
- func ContextClearUserInfo(ctx context.Context) context.Context
- func ContextWithUserInfo(ctx context.Context, app *v1beta1.Application) context.Context
- func GenerateKubeConfig(ctx context.Context, cli kubernetes.Interface, cfg *clientcmdapi.Config, ...) (*clientcmdapi.Config, error)
- func GetUserInfoInAnnotation(obj *metav1.ObjectMeta) user.Info
- func GrantPrivileges(ctx context.Context, cli client.Client, privileges []PrivilegeDescription, ...) error
- func ListPrivileges(ctx context.Context, cli client.Client, clusters []string, identity *Identity) (map[string][]PrivilegeInfo, error)
- func MonitorContextWithUserInfo(ctx monitorContext.Context, app *v1beta1.Application) monitorContext.Context
- func NewImpersonatingRoundTripper(rt http.RoundTripper) http.RoundTripper
- func PrettyPrintPrivileges(identity *Identity, privilegesMap map[string][]PrivilegeInfo, ...) string
- func RevokePrivileges(ctx context.Context, cli client.Client, privileges []PrivilegeDescription, ...) error
- func SetUserInfoInAnnotation(obj *metav1.ObjectMeta, userInfo authv1.UserInfo)
- func WithReplace(o *opts)
- type ApplicationPrivilege
- type Identity
- func (identity *Identity) Match(subject rbacv1.Subject) bool
- func (identity *Identity) MatchAny(subjects []rbacv1.Subject) bool
- func (identity *Identity) Regularize()
- func (identity *Identity) String() string
- func (identity *Identity) Subjects() []rbacv1.Subject
- func (identity *Identity) Validate() error
- type KubeConfigGenerateOption
- type KubeConfigGenerateOptions
- type KubeConfigGenerateServiceAccountOptions
- type KubeConfigGenerateX509Options
- type KubeConfigWithGroupGenerateOption
- type KubeConfigWithIdentityGenerateOption
- type KubeConfigWithServiceAccountGenerateOption
- type KubeConfigWithUserGenerateOption
- type PrivilegeDescription
- type PrivilegeInfo
- type RoleBindingRef
- type RoleRef
- type ScopedPrivilege
Constants ¶
const (
	// KubeVelaClientGroup is the default group added to the identity of a generated X509 KubeConfig.
	KubeVelaClientGroup = "kubevela:client"
	// CSRNamePrefix is the prefix of the CertificateSigningRequest (CSR) name.
	CSRNamePrefix = "kubevela-csr"
)
const (
	// KubeVelaReaderRoleName is a role that can read any resource.
	KubeVelaReaderRoleName = "kubevela:reader"
	// KubeVelaWriterRoleName is a role that can read and write any resource.
	KubeVelaWriterRoleName = "kubevela:writer"
	// KubeVelaWriterAppRoleName is a role that can read and write any Application.
	KubeVelaWriterAppRoleName = "kubevela:writer:application"
	// KubeVelaReaderAppRoleName is a role that can read any Application.
	KubeVelaReaderAppRoleName = "kubevela:reader:application"
)
const (
	// DefaultAuthenticateGroupPattern is the default group pattern used for authentication.
	// The trailing ":*" is presumably a wildcard over the KubeVela group namespace — confirm
	// against the matcher that consumes AuthenticationGroupPattern.
	DefaultAuthenticateGroupPattern = types.KubeVelaName + ":*"
)
// DefaultExpireTime is one year; it is the default expiry for both X.509 certificates and ServiceAccount tokens.
const DefaultExpireTime = time.Hour * 24 * 365
DefaultExpireTime is the default expiry applied to both X.509 certificates and ServiceAccount tokens.
Variables ¶
var (
	// AuthenticationWithUser enables authentication of the User carried in requests.
	AuthenticationWithUser = false
	// AuthenticationDefaultUser is the user used when no User is set in the application.
	// NOTE(review): this falls back to the anonymous user; confirm the RBAC granted to it
	// is as restrictive as intended wherever the fallback applies.
	AuthenticationDefaultUser = user.Anonymous
	// AuthenticationGroupPattern is the pattern used to authenticate Groups in requests.
	// NOTE(review): these are mutable package-level settings; presumably set once at
	// startup and never written concurrently — confirm.
	AuthenticationGroupPattern = DefaultAuthenticateGroupPattern
)
Functions ¶
func ContextClearUserInfo ¶ added in v1.4.5
ContextClearUserInfo clears the user info stored in the context.
func ContextWithUserInfo ¶ added in v1.4.0
ContextWithUserInfo injects the username and groups from the application's annotations into the context. If a serviceAccount is set and the username is empty, the identity will use the serviceAccount.
func GenerateKubeConfig ¶ added in v1.4.0
func GenerateKubeConfig(ctx context.Context, cli kubernetes.Interface, cfg *clientcmdapi.Config, writer io.Writer, options ...KubeConfigGenerateOption) (*clientcmdapi.Config, error)
GenerateKubeConfig generates a KubeConfig for a user with the given options.
func GetUserInfoInAnnotation ¶ added in v1.4.0
func GetUserInfoInAnnotation(obj *metav1.ObjectMeta) user.Info
GetUserInfoInAnnotation extracts user info from the annotations. For compatibility, it falls back to the serviceAccount when the username is empty.
func GrantPrivileges ¶ added in v1.4.0
func GrantPrivileges(ctx context.Context, cli client.Client, privileges []PrivilegeDescription, identity *Identity, writer io.Writer, optionFuncs ...func(*opts)) error
GrantPrivileges grants the given privileges to the identity.
func ListPrivileges ¶ added in v1.4.0
func ListPrivileges(ctx context.Context, cli client.Client, clusters []string, identity *Identity) (map[string][]PrivilegeInfo, error)
ListPrivileges retrieves privilege information in the specified clusters.
func MonitorContextWithUserInfo ¶ added in v1.6.0
func MonitorContextWithUserInfo(ctx monitorContext.Context, app *v1beta1.Application) monitorContext.Context
MonitorContextWithUserInfo injects the username and groups from the application's annotations into the monitor context.
func NewImpersonatingRoundTripper ¶
func NewImpersonatingRoundTripper(rt http.RoundTripper) http.RoundTripper
NewImpersonatingRoundTripper adds an ImpersonateUser header to a request when the request's context carries a specific user to act as.
func PrettyPrintPrivileges ¶ added in v1.4.0
func PrettyPrintPrivileges(identity *Identity, privilegesMap map[string][]PrivilegeInfo, clusters []string, lim uint) string
PrettyPrintPrivileges prints the per-cluster privilege map in a tree format.
func RevokePrivileges ¶ added in v1.4.0
func RevokePrivileges(ctx context.Context, cli client.Client, privileges []PrivilegeDescription, identity *Identity, writer io.Writer, optionFuncs ...func(*opts)) error
RevokePrivileges revokes privileges. Note that revoking only deletes the bound subject from the RoleBinding/ClusterRoleBinding; it does not ensure that the identity's other related privileges are removed, so on its own it does not prevent the identity from accessing resources.
func SetUserInfoInAnnotation ¶ added in v1.4.0
func SetUserInfoInAnnotation(obj *metav1.ObjectMeta, userInfo authv1.UserInfo)
SetUserInfoInAnnotation sets the username and groups from userInfo into the annotations. It clears any existing service account annotation to avoid a permission leak.
func WithReplace ¶ added in v1.5.0
func WithReplace(o *opts)
WithReplace replaces all subjects; it is only meaningful for GrantPrivileges.
Types ¶
type ApplicationPrivilege ¶ added in v1.5.0
ApplicationPrivilege includes the application privileges in the destination
func (*ApplicationPrivilege) GetCluster ¶ added in v1.5.0
func (a *ApplicationPrivilege) GetCluster() string
GetCluster returns the cluster of the privilege.
func (*ApplicationPrivilege) GetRoleBinding ¶ added in v1.5.0
func (a *ApplicationPrivilege) GetRoleBinding(subs []rbacv1.Subject) client.Object
GetRoleBinding returns the underlying RoleBinding/ClusterRoleBinding for the privilege, built for the given subjects.
func (*ApplicationPrivilege) GetRoles ¶ added in v1.5.0
func (a *ApplicationPrivilege) GetRoles() []client.Object
GetRoles returns the underlying Roles/ClusterRoles for the privilege.
type Identity ¶ added in v1.4.0
type Identity struct {
	// User is the username. When it is empty and ServiceAccount is set, the service
	// account is used as the identity instead (see ContextWithUserInfo).
	User string
	// Groups are the groups the user belongs to.
	Groups []string
	// ServiceAccount is the name of the service account, used when User is empty.
	ServiceAccount string
	// ServiceAccountNamespace is the namespace of ServiceAccount.
	ServiceAccountNamespace string
}
Identity is a Kubernetes identity: a user with groups, or a service account.
func ReadIdentityFromKubeConfig ¶ added in v1.4.0
ReadIdentityFromKubeConfig extracts the identity from a kubeconfig.
func (*Identity) MatchAny ¶ added in v1.4.0
MatchAny reports whether the identity matches any one of the RBAC subjects.
func (*Identity) Regularize ¶ added in v1.4.0
func (identity *Identity) Regularize()
Regularize cleans up the identity's input fields.
type KubeConfigGenerateOption ¶ added in v1.4.0
type KubeConfigGenerateOption interface {
	// ApplyToOptions applies this option to options in place.
	ApplyToOptions(options *KubeConfigGenerateOptions)
}
KubeConfigGenerateOption is an option for creating a KubeConfig.
type KubeConfigGenerateOptions ¶ added in v1.4.0
type KubeConfigGenerateOptions struct {
	// X509 holds the settings for an X.509 certificate based KubeConfig.
	// Presumably nil when that mode is not requested — confirm against GenerateKubeConfig.
	X509 *KubeConfigGenerateX509Options
	// ServiceAccount holds the settings for a ServiceAccount token based KubeConfig.
	// Presumably nil when that mode is not requested — confirm against GenerateKubeConfig.
	ServiceAccount *KubeConfigGenerateServiceAccountOptions
}
KubeConfigGenerateOptions holds the options for creating a KubeConfig.
type KubeConfigGenerateServiceAccountOptions ¶ added in v1.4.0
type KubeConfigGenerateServiceAccountOptions struct {
	// ServiceAccountName is the name of the ServiceAccount to issue a token for.
	ServiceAccountName string
	// ServiceAccountNamespace is the namespace of that ServiceAccount.
	ServiceAccountNamespace string
	// ExpireTime is the token lifetime. DefaultExpireTime (one year) is the documented
	// default, presumably applied when this is zero — confirm.
	ExpireTime time.Duration
}
KubeConfigGenerateServiceAccountOptions holds the options for creating a ServiceAccount based KubeConfig.
type KubeConfigGenerateX509Options ¶ added in v1.4.0
type KubeConfigGenerateX509Options struct {
	// User is the Kubernetes username the certificate is issued for.
	User string
	// Groups are the groups to include; KubeVelaClientGroup is the documented default.
	Groups []string
	// ExpireTime is the certificate lifetime. DefaultExpireTime (one year) is the
	// documented default, presumably applied when this is zero — confirm.
	ExpireTime time.Duration
	// PrivateKeyBits is the size in bits of the generated private key.
	// NOTE(review): no lower bound is visible here — confirm the generator enforces a safe minimum.
	PrivateKeyBits int
}
KubeConfigGenerateX509Options holds the options for creating an X509 certificate based KubeConfig.
type KubeConfigWithGroupGenerateOption ¶ added in v1.4.0
// KubeConfigWithGroupGenerateOption is a group name to set in the generated KubeConfig;
// presumably applied to KubeConfigGenerateX509Options.Groups — confirm in ApplyToOptions.
type KubeConfigWithGroupGenerateOption string
KubeConfigWithGroupGenerateOption is an option that sets a group in the generated KubeConfig.
func (KubeConfigWithGroupGenerateOption) ApplyToOptions ¶ added in v1.4.0
func (opt KubeConfigWithGroupGenerateOption) ApplyToOptions(options *KubeConfigGenerateOptions)
ApplyToOptions applies the option to the given KubeConfigGenerateOptions.
type KubeConfigWithIdentityGenerateOption ¶ added in v1.4.0
// KubeConfigWithIdentityGenerateOption is an Identity used as a generate option; presumably
// its User/Groups or ServiceAccount fields select and populate the matching options — confirm
// in ApplyToOptions.
type KubeConfigWithIdentityGenerateOption Identity
KubeConfigWithIdentityGenerateOption is an option that sets the identity in the generated KubeConfig.
func (KubeConfigWithIdentityGenerateOption) ApplyToOptions ¶ added in v1.4.0
func (opt KubeConfigWithIdentityGenerateOption) ApplyToOptions(options *KubeConfigGenerateOptions)
ApplyToOptions applies the option to the given KubeConfigGenerateOptions.
type KubeConfigWithServiceAccountGenerateOption ¶ added in v1.4.0
// KubeConfigWithServiceAccountGenerateOption is the Namespace/Name of the ServiceAccount to
// issue a token for; see KubeConfigGenerateServiceAccountOptions.
type KubeConfigWithServiceAccountGenerateOption types.NamespacedName
KubeConfigWithServiceAccountGenerateOption is an option that sets the service account in the generated KubeConfig.
func (KubeConfigWithServiceAccountGenerateOption) ApplyToOptions ¶ added in v1.4.0
func (opt KubeConfigWithServiceAccountGenerateOption) ApplyToOptions(options *KubeConfigGenerateOptions)
ApplyToOptions applies the option to the given KubeConfigGenerateOptions.
type KubeConfigWithUserGenerateOption ¶ added in v1.4.0
// KubeConfigWithUserGenerateOption is a username to set in the generated KubeConfig;
// presumably applied to KubeConfigGenerateX509Options.User — confirm in ApplyToOptions.
type KubeConfigWithUserGenerateOption string
KubeConfigWithUserGenerateOption is an option that sets the user in the generated KubeConfig.
func (KubeConfigWithUserGenerateOption) ApplyToOptions ¶ added in v1.4.0
func (opt KubeConfigWithUserGenerateOption) ApplyToOptions(options *KubeConfigGenerateOptions)
ApplyToOptions applies the option to the given KubeConfigGenerateOptions.
type PrivilegeDescription ¶ added in v1.4.0
type PrivilegeDescription interface {
	// GetCluster returns the cluster the privilege applies to.
	GetCluster() string
	// GetRoles returns the underlying Roles/ClusterRoles for the privilege.
	GetRoles() []client.Object
	// GetRoleBinding returns the underlying RoleBinding/ClusterRoleBinding for the
	// privilege, built for the given subjects.
	GetRoleBinding([]rbacv1.Subject) client.Object
}
PrivilegeDescription describes a privilege to grant or revoke.
type PrivilegeInfo ¶ added in v1.4.0
type PrivilegeInfo struct {
	// Rules are the PolicyRules of the referenced Role/ClusterRole, describing the
	// resource-level permissions.
	Rules []rbacv1.PolicyRule `json:"rules,omitempty"`
	// RoleRef identifies the single Role or ClusterRole this privilege refers to.
	RoleRef `json:"roleRef,omitempty"`
	// RoleBindingRefs record which RoleBindings/ClusterRoleBindings RoleRef comes from.
	RoleBindingRefs []RoleBindingRef `json:"roleBindingRefs,omitempty"`
}
PrivilegeInfo describes one privilege in Kubernetes. Either one ClusterRole or one Role is referenced. The related PolicyRules that describe the resource-level permissions are included. The RoleBindingRefs record where this RoleRef comes from (which ClusterRoleBinding or RoleBinding).
type RoleBindingRef ¶ added in v1.4.0
// RoleBindingRef references a ClusterRoleBinding or RoleBinding; it shares the unexported
// authObjRef shape with RoleRef.
type RoleBindingRef authObjRef
RoleBindingRef is a reference to a ClusterRoleBinding or RoleBinding.
type RoleRef ¶ added in v1.4.0
// RoleRef references a ClusterRole or Role; it shares the unexported authObjRef shape
// with RoleBindingRef.
type RoleRef authObjRef
RoleRef is a reference to a ClusterRole or Role.
type ScopedPrivilege ¶ added in v1.4.0
ScopedPrivilege includes all resource privileges in the destination
func (*ScopedPrivilege) GetCluster ¶ added in v1.4.0
func (p *ScopedPrivilege) GetCluster() string
GetCluster returns the cluster of the privilege.
func (*ScopedPrivilege) GetRoleBinding ¶ added in v1.4.0
func (p *ScopedPrivilege) GetRoleBinding(subs []rbacv1.Subject) client.Object
GetRoleBinding returns the underlying RoleBinding/ClusterRoleBinding for the privilege, built for the given subjects.
func (*ScopedPrivilege) GetRoles ¶ added in v1.4.0
func (p *ScopedPrivilege) GetRoles() []client.Object
GetRoles returns the underlying Roles/ClusterRoles for the privilege.