Documentation
Index
- Constants
- type PodImpersonation
- func (s *PodImpersonation) CreatePod(ctx context.Context, user user.Info, pod *v1.Pod, podOptions *PodOptions) (*v1.Pod, error)
- func (s *PodImpersonation) DeleteRole(ctx context.Context, pod v1.Pod) error
- func (s *PodImpersonation) PurgeOldRoles(gvk schema.GroupVersionKind, key string, obj runtime.Object) error
- type PodOptions
Constants
const (
	TokenLabel = "pod-impersonation.oneblock.ai/token"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type PodImpersonation
type PodImpersonation struct {
	// contains filtered or unexported fields
}
func New
func New(key string, cg proxy.ClientGetter, roleTimeout time.Duration, imageName func() string) *PodImpersonation
func (*PodImpersonation) CreatePod
func (s *PodImpersonation) CreatePod(ctx context.Context, user user.Info, pod *v1.Pod, podOptions *PodOptions) (*v1.Pod, error)
CreatePod will create a pod with a service account that impersonates the given user. Corresponding ClusterRoles, ClusterRoleBindings, and ServiceAccounts will be created.
IMPORTANT NOTES:
- To ensure this is used securely, the namespace assigned to the pod must be a dedicated namespace used only for the purpose of running impersonated pods. This is to ensure proper protection for the service accounts created.
- The pod must have the KUBECONFIG env var set to where you expect the kubeconfig to reside.
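A pre-flight check for the two notes above, written as an added example; it is not part of this package. The Pod, Container and EnvVar types are stand-ins for the v1.Pod fields the check reads, ValidateImpersonatedPod and the namespace name are hypothetical, and accepting a pod when at least one container sets KUBECONFIG is an assumption about how the second note is meant.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types (assumption): they mirror only the v1.Pod fields this check
// reads, so the example builds without the Kubernetes modules.
type EnvVar struct{ Name, Value string }
type Container struct {
	Name string
	Env  []EnvVar
}
type Pod struct {
	Namespace  string
	Containers []Container
}

// ValidateImpersonatedPod (hypothetical helper) rejects a pod that would
// violate either note on CreatePod: it must live in the dedicated namespace,
// and at least one container must set KUBECONFIG to a non-empty literal value.
func ValidateImpersonatedPod(pod *Pod, dedicatedNS string) error {
	if dedicatedNS == "" {
		return errors.New("no dedicated impersonation namespace configured")
	}
	if pod.Namespace != dedicatedNS {
		return fmt.Errorf("pod namespace %q is not the dedicated namespace %q",
			pod.Namespace, dedicatedNS)
	}
	for _, c := range pod.Containers {
		for _, e := range c.Env {
			if e.Name == "KUBECONFIG" && e.Value != "" {
				return nil
			}
		}
	}
	return errors.New("no container sets a non-empty KUBECONFIG env var")
}

func main() {
	// Constructed sample pods; the namespace and path are made up.
	env := []EnvVar{{Name: "KUBECONFIG", Value: "/home/shell/.kube/config"}}
	good := &Pod{Namespace: "impersonated-pods", Containers: []Container{{Name: "shell", Env: env}}}
	wrongNS := &Pod{Namespace: "default", Containers: good.Containers}
	noEnv := &Pod{Namespace: "impersonated-pods", Containers: []Container{{Name: "shell"}}}
	for _, p := range []*Pod{good, wrongNS, noEnv} {
		fmt.Println(ValidateImpersonatedPod(p, "impersonated-pods"))
	}
}
```

Run the check before handing the pod to CreatePod, so a pod aimed at a shared namespace is refused before any ServiceAccount, ClusterRole or ClusterRoleBinding is created for it.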
func (*PodImpersonation) DeleteRole
func (*PodImpersonation) PurgeOldRoles
func (s *PodImpersonation) PurgeOldRoles(gvk schema.GroupVersionKind, key string, obj runtime.Object) error