Documentation ¶
Index ¶
- Constants
- func BySAIndexKeys(obj interface{}) ([]string, error)
- func NewAdvisingPodSecurityAdmissionLabelSynchronizationController(namespaceClient corev1client.NamespaceInterface, ...) (factory.Controller, error)
- func NewEnforcingPodSecurityAdmissionLabelSynchronizationController(namespaceClient corev1client.NamespaceInterface, ...) (factory.Controller, error)
- func NewPrivilegedNamespacesPSALabelSyncer(ctx context.Context, namespaceClient corev1client.NamespaceInterface, ...) *privilegedNamespacesPSALabelSyncer
- type PodSecurityAdmissionLabelSynchronizationController
- type RoleInterface
- type SAToSCCCache
Constants ¶
const BySAIndexName = "ByServiceAccount"
BySAIndexName is the index name to use together with the BySAIndexKeys indexing function.
Functions ¶
func BySAIndexKeys ¶
BySAIndexKeys is a cache.IndexFunc intended for use on RoleBinding and ClusterRoleBinding informer caches. It reads the subjects of the incoming object and returns, as a slice of strings, every subject that is a service account (SA), an SA group, or the system:authenticated group; these strings are the index keys for that SA or SA group. Service accounts are members of system:authenticated, so a binding to that group applies to all of them, which is why it is indexed alongside the SA-specific subjects.
func NewAdvisingPodSecurityAdmissionLabelSynchronizationController ¶
func NewAdvisingPodSecurityAdmissionLabelSynchronizationController( namespaceClient corev1client.NamespaceInterface, namespaceInformer corev1informers.NamespaceInformer, rbacInformers rbacv1informers.Interface, serviceAccountInformer corev1informers.ServiceAccountInformer, sccInformer securityv1informers.SecurityContextConstraintsInformer, eventRecorder events.Recorder, ) (factory.Controller, error)
func NewEnforcingPodSecurityAdmissionLabelSynchronizationController ¶
func NewEnforcingPodSecurityAdmissionLabelSynchronizationController( namespaceClient corev1client.NamespaceInterface, namespaceInformer corev1informers.NamespaceInformer, rbacInformers rbacv1informers.Interface, serviceAccountInformer corev1informers.ServiceAccountInformer, sccInformer securityv1informers.SecurityContextConstraintsInformer, eventRecorder events.Recorder, ) (factory.Controller, error)
func NewPrivilegedNamespacesPSALabelSyncer ¶
func NewPrivilegedNamespacesPSALabelSyncer( ctx context.Context, namespaceClient corev1client.NamespaceInterface, namespaceInformer corev1informers.NamespaceInformer, eventRecorder events.Recorder, ) *privilegedNamespacesPSALabelSyncer
Types ¶
type PodSecurityAdmissionLabelSynchronizationController ¶
type PodSecurityAdmissionLabelSynchronizationController struct {
// contains filtered or unexported fields
}
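PodSecurityAdmissionLabelSynchronizationController watches namespaces labelled with "security.openshift.io/scc.podSecurityLabelSync: true" and sets the PodSecurity admission namespace label to match the user account privileges, that is, which SCCs the accounts are able to use. Because the label is derived from SCC access, a role binding that grants use of a more permissive SCC in a synced namespace can presumably change the PodSecurity level applied to that namespace, so such bindings deserve the same review as any other privilege grant.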
type RoleInterface ¶
// RoleInterface gives generic access to role-like objects, such as rbac.Role
// and rbac.ClusterRole.
type RoleInterface interface {
	// Embedded accessor for the wrapped object's metadata.
	metav1.ObjectMetaAccessor
	// Name returns a string; presumably the name of the role-like object — confirm
	// against the implementation.
	Name() string
	// Namespace returns a string; presumably empty for a ClusterRole, which is
	// cluster-scoped — TODO confirm.
	Namespace() string
	// Rules returns the rbacv1.PolicyRule entries of the role-like object.
	Rules() []rbacv1.PolicyRule
}
RoleInterface is an interface for generic access to role-like objects, such as rbac.Role and rbac.ClusterRole.
func NewRoleObj ¶
func NewRoleObj(obj interface{}) (RoleInterface, error)
NewRoleObj expects either a Role or a ClusterRole as its `obj` input argument. It returns an object that allows generic access to the role-like object.
type SAToSCCCache ¶
// SAToSCCCache is the interface returned by NewSAToSCCCache.
//
// NOTE(review): the package documentation carries no description for this
// type; the comments below are derived from the method signatures only and
// should be confirmed against the implementation.
type SAToSCCCache interface {
	// SCCsFor returns a set of strings for the given service account;
	// presumably the names of the SCCs that account may use — confirm.
	// NOTE(review): when the error is non-nil, callers should not treat the
	// returned set as authoritative for any privilege decision.
	SCCsFor(serviceAccount *corev1.ServiceAccount) (sets.String, error)
	// IsRoleBindingRelevant returns a bool for an untyped object; presumably
	// whether a RoleBinding or ClusterRoleBinding affects the cached
	// SA-to-SCC mapping — confirm.
	IsRoleBindingRelevant(obj interface{}) bool
	// AddEventHandlers takes the RBAC and SCC informers; presumably it
	// registers the cache's event handlers on them — confirm.
	AddEventHandlers(
		rbacv1informers rbacv1informers.Interface,
		sccInformer securityv1informers.SecurityContextConstraintsInformer,
	)
	// WithExternalQueueEnqueue accepts an enqueue callback and returns a
	// SAToSCCCache; whether the receiver is mutated or copied is not visible
	// from the signature.
	WithExternalQueueEnqueue(enqueueFunc func(interface{})) SAToSCCCache
}
func NewSAToSCCCache ¶
func NewSAToSCCCache( rbacInformers rbacv1informers.Interface, sccInfomer securityv1informers.SecurityContextConstraintsInformer, ) SAToSCCCache