podimpersonation

package
v2.0.0-...-a554480
Warning

This package is not in the latest version of its module.
Published: Dec 8, 2023 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Constants

const (
	TokenLabel = "pod-impersonation.oneblock.ai/token"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type PodImpersonation

type PodImpersonation struct {
	// contains filtered or unexported fields
}

func New

func New(key string, cg proxy.ClientGetter, roleTimeout time.Duration, imageName func() string) *PodImpersonation

func (*PodImpersonation) CreatePod

func (s *PodImpersonation) CreatePod(ctx context.Context, user user.Info, pod *v1.Pod, podOptions *PodOptions) (*v1.Pod, error)

CreatePod creates a pod with a service account that impersonates user. The corresponding ClusterRoles, ClusterRoleBindings, and ServiceAccounts will be created. IMPORTANT NOTES:

  1. To ensure this is used securely, the namespace assigned to the pod must be a dedicated namespace used only for the purpose of running impersonated pods. This is to ensure proper protection for the service accounts created.
  2. The pod must have the KUBECONFIG env var set to where you expect the kubeconfig to reside.

func (*PodImpersonation) DeleteRole

func (s *PodImpersonation) DeleteRole(ctx context.Context, pod v1.Pod) error

func (*PodImpersonation) PurgeOldRoles

func (s *PodImpersonation) PurgeOldRoles(gvk schema.GroupVersionKind, key string, obj runtime.Object) error

type PodOptions

type PodOptions struct {
	ConfigMapsToCreate []*v1.ConfigMap
	SecretsToCreate    []*v1.Secret
	Wait               bool
	ImageOverride      string
}
