kas

package
v0.1.41 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 29, 2024 License: Apache-2.0 Imports: 52 Imported by: 0

Documentation

Index

Constants

View Source
const (
	AuditPolicyConfigMapKey  = "policy.yaml"
	AuditPolicyProfileMapKey = "profile"
)
View Source
const (
	KubeAPIServerConfigKey  = "config.json"
	AuthenticationConfigKey = "auth.json"
	OauthMetadataConfigKey  = "oauthMetadata.json"
	AuditLogFile            = "audit.log"
	EgressSelectorConfigKey = "config.yaml"
	DefaultEtcdPort         = 2379
)
View Source
const (
	KonnectivityHealthPort      = 2041
	KonnectivityServerLocalPort = 8090
	KonnectivityServerPort      = 8091
)
View Source
const (
	AuthConfigMapKey = "auth.json"
)
View Source
const (
	EgressSelectorConfigMapKey = "config.yaml"
)
View Source
const (
	KubeconfigKey = util.KubeconfigKey
)

Variables

This section is empty.

Functions

func GetKMSProvider added in v0.1.17

func GetKMSProvider(kmsSpec *hyperv1.KMSSpec, images KubeAPIServerImages) (kms.IKMSProvider, error)

func InClusterKASReadyURL

func InClusterKASReadyURL(platformType hyperv1.PlatformType) string

func InClusterKASURL

func InClusterKASURL(platformType hyperv1.PlatformType) string

func ReconcileAESCBCEncryptionConfig

func ReconcileAESCBCEncryptionConfig(config *corev1.Secret,
	ownerRef hcpconfig.OwnerRef,
	activeKey []byte,
	backupKey []byte,
) error

func ReconcileAuditConfig

func ReconcileAuditConfig(auditCfgMap *corev1.ConfigMap, ownerRef config.OwnerRef, auditConfig configv1.Audit) error

func ReconcileAuthConfig added in v0.1.20

func ReconcileAuthConfig(ctx context.Context, c crclient.Client, config *corev1.ConfigMap, ownerRef hcpconfig.OwnerRef, p KubeAPIServerConfigParams) error

func ReconcileAuthenticationTokenWebhookConfigSecret

func ReconcileAuthenticationTokenWebhookConfigSecret(
	secret *corev1.Secret,
	ownerRef config.OwnerRef,
	authenticatorSecret *corev1.Secret,
	servingCA *corev1.ConfigMap,
) error

func ReconcileBootstrapKubeconfigSecret

func ReconcileBootstrapKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, externalURL string) error

func ReconcileConfig

func ReconcileConfig(config *corev1.ConfigMap, ownerRef hcpconfig.OwnerRef, p KubeAPIServerConfigParams) error

func ReconcileEgressSelectorConfig

func ReconcileEgressSelectorConfig(config *corev1.ConfigMap, ownerRef hcpconfig.OwnerRef) error

func ReconcileExternalKubeconfigSecret

func ReconcileExternalKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, externalURL, secretKey string) error

func ReconcileExternalPrivateRoute added in v0.1.2

func ReconcileExternalPrivateRoute(route *routev1.Route, owner *metav1.OwnerReference, hostname string) error

func ReconcileExternalPublicRoute added in v0.1.2

func ReconcileExternalPublicRoute(route *routev1.Route, owner *metav1.OwnerReference, hostname string) error

func ReconcileInternalRoute

func ReconcileInternalRoute(route *routev1.Route, owner *metav1.OwnerReference) error

func ReconcileKMSEncryptionConfig

func ReconcileKMSEncryptionConfig(config *corev1.Secret,
	ownerRef hcpconfig.OwnerRef,
	encryptionSpec *hyperv1.KMSSpec,
) error

func ReconcileKonnectivityExternalRoute added in v0.1.10

func ReconcileKonnectivityExternalRoute(route *routev1.Route, ownerRef config.OwnerRef, hostname string, defaultIngressDomain string) error

func ReconcileKonnectivityInternalRoute added in v0.1.10

func ReconcileKonnectivityInternalRoute(route *routev1.Route, ownerRef config.OwnerRef) error

func ReconcileKonnectivityServerLocalService added in v0.1.10

func ReconcileKonnectivityServerLocalService(svc *corev1.Service, ownerRef config.OwnerRef) error

func ReconcileKonnectivityServerService added in v0.1.10

func ReconcileKonnectivityServerService(svc *corev1.Service, ownerRef config.OwnerRef, strategy *hyperv1.ServicePublishingStrategy, hcp *hyperv1.HostedControlPlane) error

func ReconcileKonnectivityServerServiceStatus added in v0.1.10

func ReconcileKonnectivityServerServiceStatus(svc *corev1.Service, route *routev1.Route, strategy *hyperv1.ServicePublishingStrategy, messageCollector events.MessageCollector) (host string, port int32, message string, err error)

func ReconcileKubeAPIServerDeployment

func ReconcileKubeAPIServerDeployment(deployment *appsv1.Deployment,
	hcp *hyperv1.HostedControlPlane,
	ownerRef config.OwnerRef,
	deploymentConfig config.DeploymentConfig,
	namedCertificates []configv1.APIServerNamedServingCert,
	cloudProviderName string,
	cloudProviderConfigRef *corev1.LocalObjectReference,
	cloudProviderCreds *corev1.LocalObjectReference,
	images KubeAPIServerImages,
	config *corev1.ConfigMap,
	auditConfig *corev1.ConfigMap,
	authConfig *corev1.ConfigMap,
	auditWebhookRef *corev1.LocalObjectReference,
	aesCBCActiveKey []byte,
	aesCBCBackupKey []byte,
	port int32,
	payloadVersion string,
	featureGateSpec *configv1.FeatureGateSpec,
	oidcCA *corev1.LocalObjectReference,
	cipherSuites []string,
) error

func ReconcileLocalhostKubeconfigSecret

func ReconcileLocalhostKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, apiServerPort int32) error

func ReconcileOauthMetadata

func ReconcileOauthMetadata(cfg *corev1.ConfigMap, ownerRef config.OwnerRef, userOauthMetadata string, externalOAuthAddress string, externalOAuthPort int32) error

func ReconcilePodDisruptionBudget

func ReconcilePodDisruptionBudget(pdb *policyv1.PodDisruptionBudget, p *KubeAPIServerParams) error

func ReconcilePrivateService

func ReconcilePrivateService(svc *corev1.Service, hcp *hyperv1.HostedControlPlane, owner *metav1.OwnerReference) error

func ReconcileRecordingRules

func ReconcileRecordingRules(r *prometheusoperatorv1.PrometheusRule, clusterID string)

func ReconcileService

func ReconcileService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, owner *metav1.OwnerReference, apiServerServicePort int, apiAllowedCIDRBlocks []string, hcp *hyperv1.HostedControlPlane) error

func ReconcileServiceCAPIKubeconfigSecret

func ReconcileServiceCAPIKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, capiClusterName string, platformType hyperv1.PlatformType) error

func ReconcileServiceClusterIP added in v0.1.16

func ReconcileServiceClusterIP(svc *corev1.Service, owner *metav1.OwnerReference) error

func ReconcileServiceKubeconfigSecret

func ReconcileServiceKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, platformType hyperv1.PlatformType) error

func ReconcileServiceMonitor

func ReconcileServiceMonitor(sm *prometheusoperatorv1.ServiceMonitor, ownerRef config.OwnerRef, clusterID string, metricsSet metrics.MetricsSet) error

func ReconcileServiceStatus

func ReconcileServiceStatus(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, apiServerPort int, messageCollector events.MessageCollector) (host string, port int32, message string, err error)

func RenderAuditLogScript added in v0.1.34

func RenderAuditLogScript(auditLogFilePath string) string

Types

type AudienceMatchPolicyType added in v0.1.20

type AudienceMatchPolicyType string

AudienceMatchPolicyType is a set of valid values for Issuer.AudienceMatchPolicy

const (
	// MatchAny means the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field.
	AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny"
)

Valid types for AudienceMatchPolicyType

type AuthenticationConfiguration added in v0.1.20

type AuthenticationConfiguration struct {
	metav1.TypeMeta

	// jwt is a list of authenticator to authenticate Kubernetes users using
	// JWT compliant tokens. The authenticator will attempt to parse a raw ID token,
	// verify it's been signed by the configured issuer. The public key to verify the
	// signature is discovered from the issuer's public endpoint using OIDC discovery.
	// For an incoming token, each JWT authenticator will be attempted in
	// the order in which it is specified in this list.  Note however that
	// other authenticators may run before or after the JWT authenticators.
	// The specific position of JWT authenticators in relation to other
	// authenticators is neither defined nor stable across releases.  Since
	// each JWT authenticator must have a unique issuer URL, at most one
	// JWT authenticator will attempt to cryptographically validate the token.
	JWT []JWTAuthenticator `json:"jwt"`
}

AuthenticationConfiguration provides versioned configuration for authentication.

type ClaimMappings added in v0.1.20

type ClaimMappings struct {
	// username represents an option for the username attribute.
	// The claim's value must be a singular string.
	// Same as the --oidc-username-claim and --oidc-username-prefix flags.
	// If username.expression is set, the expression must produce a string value.
	//
	// In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set,
	// the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly.
	// For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config.
	// For prefix:
	//     (1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config,
	//         set username.prefix=""
	//     (2) --oidc-username-prefix="" and  --oidc-username-claim != "email", prefix was "<value of --oidc-issuer-url>#". For the same
	//         behavior using authentication config, set username.prefix="<value of issuer.url>#"
	//	   (3) --oidc-username-prefix="<value>". For the same behavior using authentication config, set username.prefix="<value>"
	// +required
	Username PrefixedClaimOrExpression `json:"username"`
	// groups represents an option for the groups attribute.
	// The claim's value must be a string or string array claim.
	// If groups.claim is set, the prefix must be specified (and can be the empty string).
	// If groups.expression is set, the expression must produce a string or string array value.
	//  "", [], and null values are treated as the group mapping not being present.
	// +optional
	Groups PrefixedClaimOrExpression `json:"groups,omitempty"`

	// uid represents an option for the uid attribute.
	// Claim must be a singular string claim.
	// If uid.expression is set, the expression must produce a string value.
	// +optional
	UID ClaimOrExpression `json:"uid"`

	// extra represents an option for the extra attribute.
	// expression must produce a string or string array value.
	// If the value is empty, the extra mapping will not be present.
	//
	// hard-coded extra key/value
	// - key: "foo"
	//   valueExpression: "'bar'"
	// This will result in an extra attribute - foo: ["bar"]
	//
	// hard-coded key, value copying claim value
	// - key: "foo"
	//   valueExpression: "claims.some_claim"
	// This will result in an extra attribute - foo: [value of some_claim]
	//
	// hard-coded key, value derived from claim value
	// - key: "admin"
	//   valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
	// This will result in:
	//  - if is_admin claim is present and true, extra attribute - admin: ["true"]
	//  - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
	//
	// +optional
	Extra []ExtraMapping `json:"extra,omitempty"`
}

ClaimMappings provides the configuration for claim mapping

type ClaimOrExpression added in v0.1.20

type ClaimOrExpression struct {
	// claim is the JWT claim to use.
	// Either claim or expression must be set.
	// Mutually exclusive with expression.
	// +optional
	Claim string `json:"claim,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim.
	// +optional
	Expression string `json:"expression,omitempty"`
}

ClaimOrExpression provides the configuration for a single claim or expression.

type ClaimValidationRule added in v0.1.20

type ClaimValidationRule struct {
	// claim is the name of a required claim.
	// Same as --oidc-required-claim flag.
	// Only string claim keys are supported.
	// Mutually exclusive with expression and message.
	// +optional
	Claim string `json:"claim,omitempty"`
	// requiredValue is the value of a required claim.
	// Same as --oidc-required-claim flag.
	// Only string claim values are supported.
	// If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
	// Mutually exclusive with expression and message.
	// +optional
	RequiredValue string `json:"requiredValue,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	// Must produce a boolean.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
	// Must return true for the validation to pass.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim and requiredValue.
	// +optional
	Expression string `json:"expression,omitempty"`
	// message customizes the returned error message when expression returns false.
	// message is a literal string.
	// Mutually exclusive with claim and requiredValue.
	// +optional
	Message string `json:"message,omitempty"`
}

ClaimValidationRule provides the configuration for a single claim validation rule.

type ExtraMapping added in v0.1.20

type ExtraMapping struct {
	// key is a string to use as the extra attribute key.
	// key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
	// subdomain as defined by RFC 1123. All characters trailing the first "/" must
	// be valid HTTP Path characters as defined by RFC 3986.
	// key must be lowercase.
	// +required
	Key string `json:"key"`

	// valueExpression is a CEL expression to extract extra attribute value.
	// valueExpression must produce a string or string array value.
	// "", [], and null values are treated as the extra mapping not being present.
	// Empty string values contained within a string array are filtered out.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// +required
	ValueExpression string `json:"valueExpression"`
}

ExtraMapping provides the configuration for a single extra mapping.

type Issuer added in v0.1.20

type Issuer struct {
	// url points to the issuer URL in a format https://url or https://url/path.
	// This must match the "iss" claim in the presented JWT, and the issuer returned from discovery.
	// Same value as the --oidc-issuer-url flag.
	// Used to fetch discovery information unless overridden by discoveryURL.
	// Required to be unique.
	// Note that egress selection configuration is not used for this network connection.
	// +required
	URL string `json:"url"`

	// certificateAuthority contains PEM-encoded certificate authority certificates
	// used to validate the connection when fetching discovery information.
	// If unset, the system verifier is used.
	// Same value as the content of the file referenced by the --oidc-ca-file flag.
	// +optional
	CertificateAuthority string `json:"certificateAuthority,omitempty"`

	// audiences is the set of acceptable audiences the JWT must be issued to.
	// At least one of the entries must match the "aud" claim in presented JWTs.
	// Same value as the --oidc-client-id flag (though this field supports an array).
	// Required to be non-empty.
	// +required
	Audiences []string `json:"audiences"`

	// audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT.
	// Allowed values are:
	// 1. "MatchAny" when multiple audiences are specified and
	// 2. empty (or unset) or "MatchAny" when a single audience is specified.
	//
	// - MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field.
	// For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both).
	//
	// - "": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others).
	//
	// For more nuanced audience validation, use claimValidationRules.
	//   example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match.
	// +optional
	AudienceMatchPolicy AudienceMatchPolicyType `json:"audienceMatchPolicy,omitempty"`
}

Issuer provides the configuration for a external provider specific settings.

type JWTAuthenticator added in v0.1.20

type JWTAuthenticator struct {
	// issuer contains the basic OIDC provider connection options.
	// +required
	Issuer Issuer `json:"issuer"`

	// claimValidationRules are rules that are applied to validate token claims to authenticate users.
	// +optional
	ClaimValidationRules []ClaimValidationRule `json:"claimValidationRules,omitempty"`

	// claimMappings points claims of a token to be treated as user attributes.
	// +required
	ClaimMappings ClaimMappings `json:"claimMappings"`

	// userValidationRules are rules that are applied to final user before completing authentication.
	// These allow invariants to be applied to incoming identities such as preventing the
	// use of the system: prefix that is commonly used by Kubernetes components.
	// The validation rules are logically ANDed together and must all return true for the validation to pass.
	// +optional
	UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"`
}

JWTAuthenticator provides the configuration for a single JWT authenticator.

type KubeAPIServerConfigParams

type KubeAPIServerConfigParams struct {
	ExternalIPConfig             *configv1.ExternalIPConfig
	ClusterNetwork               []string
	ServiceNetwork               []string
	NamedCertificates            []configv1.APIServerNamedServingCert
	KASPodPort                   int32
	TLSSecurityProfile           *configv1.TLSSecurityProfile
	AdditionalCORSAllowedOrigins []string
	InternalRegistryHostName     string
	ExternalRegistryHostNames    []string
	DefaultNodeSelector          string
	AdvertiseAddress             string
	ServiceAccountIssuerURL      string
	CloudProvider                string
	CloudProviderConfigRef       *corev1.LocalObjectReference
	EtcdURL                      string
	FeatureGates                 []string
	NodePortRange                string
	AuditWebhookEnabled          bool
	ConsolePublicURL             string
	DisableProfiling             bool
	APIServerSTSDirectives       string
	Authentication               *configv1.AuthenticationSpec
}

type KubeAPIServerImages

type KubeAPIServerImages struct {
	ClusterConfigOperator      string `json:"clusterConfigOperator"`
	CLI                        string `json:"cli"`
	HyperKube                  string `json:"hyperKube"`
	IBMCloudKMS                string `json:"ibmcloudKMS"`
	AWSKMS                     string `json:"awsKMS"`
	AzureKMS                   string `json:"azureKMS"`
	Portieris                  string `json:"portieris"`
	TokenMinterImage           string
	AWSPodIdentityWebhookImage string
	KonnectivityServer         string
}

type KubeAPIServerParams

type KubeAPIServerParams struct {
	APIServer           *configv1.APIServerSpec      `json:"apiServer"`
	Authentication      *configv1.AuthenticationSpec `json:"authentication"`
	FeatureGate         *configv1.FeatureGateSpec    `json:"featureGate"`
	Network             *configv1.NetworkSpec        `json:"network"`
	Image               *configv1.ImageSpec          `json:"image"`
	Scheduler           *configv1.SchedulerSpec      `json:"scheduler"`
	CloudProvider       string                       `json:"cloudProvider"`
	CloudProviderConfig *corev1.LocalObjectReference `json:"cloudProviderConfig"`
	CloudProviderCreds  *corev1.LocalObjectReference `json:"cloudProviderCreds"`

	ServiceAccountIssuer string   `json:"serviceAccountIssuer"`
	ServiceCIDRs         []string `json:"serviceCIDRs"`
	ClusterCIDRs         []string `json:"clusterCIDRs"`
	AdvertiseAddress     string   `json:"advertiseAddress"`
	ExternalAddress      string   `json:"externalAddress"`
	// ExternalPort is the port coming from the status of the SVC which is exposing the KAS, e.g. common router LB, dedicated private/public/ LB...
	// This is used to build kas urls for generated internal kubeconfigs for example.
	ExternalPort    int32  `json:"externalPort"`
	InternalAddress string `json:"internalAddress"`
	// KASPodPort is the port to expose in the KAS Pod.
	KASPodPort           int32                        `json:"apiServerPort"`
	ExternalOAuthAddress string                       `json:"externalOAuthAddress"`
	ExternalOAuthPort    int32                        `json:"externalOAuthPort"`
	OIDCCAConfigMap      *corev1.LocalObjectReference `json:"oidcCAConfigMap"`
	EtcdURL              string                       `json:"etcdAddress"`
	KubeConfigRef        *hyperv1.KubeconfigSecretRef `json:"kubeConfigRef"`
	AuditWebhookRef      *corev1.LocalObjectReference `json:"auditWebhookRef"`
	ConsolePublicURL     string                       `json:"consolePublicURL"`
	DisableProfiling     bool                         `json:"disableProfiling"`
	config.DeploymentConfig
	config.OwnerRef

	Images KubeAPIServerImages `json:"images"`

	Availability           hyperv1.AvailabilityPolicy
	APIServerSTSDirectives string
}

func NewKubeAPIServerParams

func NewKubeAPIServerParams(ctx context.Context, hcp *hyperv1.HostedControlPlane, releaseImageProvider *imageprovider.ReleaseImageProvider, externalAPIAddress string, externalAPIPort int32, externalOAuthAddress string, externalOAuthPort int32, setDefaultSecurityContext bool) *KubeAPIServerParams

func (*KubeAPIServerParams) AdditionalCORSAllowedOrigins

func (p *KubeAPIServerParams) AdditionalCORSAllowedOrigins() []string

func (*KubeAPIServerParams) AuditPolicyConfig

func (p *KubeAPIServerParams) AuditPolicyConfig() configv1.Audit

func (*KubeAPIServerParams) CipherSuites added in v0.1.21

func (p *KubeAPIServerParams) CipherSuites() []string

func (*KubeAPIServerParams) ClusterNetwork

func (p *KubeAPIServerParams) ClusterNetwork() []string

func (*KubeAPIServerParams) ConfigParams

func (*KubeAPIServerParams) DefaultNodeSelector

func (p *KubeAPIServerParams) DefaultNodeSelector() string

func (*KubeAPIServerParams) ExternalIPConfig

func (p *KubeAPIServerParams) ExternalIPConfig() *configv1.ExternalIPConfig

func (*KubeAPIServerParams) ExternalKubeconfigKey

func (p *KubeAPIServerParams) ExternalKubeconfigKey() string

func (*KubeAPIServerParams) ExternalRegistryHostNames

func (p *KubeAPIServerParams) ExternalRegistryHostNames() []string

func (*KubeAPIServerParams) ExternalURL

func (p *KubeAPIServerParams) ExternalURL() string

func (*KubeAPIServerParams) FeatureGates

func (p *KubeAPIServerParams) FeatureGates() []string

func (*KubeAPIServerParams) InternalRegistryHostName

func (p *KubeAPIServerParams) InternalRegistryHostName() string

func (*KubeAPIServerParams) InternalURL

func (p *KubeAPIServerParams) InternalURL() string

InternalURL is used by ReconcileBootstrapKubeconfigSecret.

func (*KubeAPIServerParams) NamedCertificates

func (p *KubeAPIServerParams) NamedCertificates() []configv1.APIServerNamedServingCert

func (*KubeAPIServerParams) ServiceAccountIssuerURL

func (p *KubeAPIServerParams) ServiceAccountIssuerURL() string

func (*KubeAPIServerParams) ServiceNetwork

func (p *KubeAPIServerParams) ServiceNetwork() []string

func (*KubeAPIServerParams) ServiceNodePortRange

func (p *KubeAPIServerParams) ServiceNodePortRange() string

func (*KubeAPIServerParams) TLSSecurityProfile

func (p *KubeAPIServerParams) TLSSecurityProfile() *configv1.TLSSecurityProfile

type KubeAPIServerServiceParams

type KubeAPIServerServiceParams struct {
	AllowedCIDRBlocks []string
	OwnerReference    *metav1.OwnerReference
}

type PrefixedClaimOrExpression added in v0.1.20

type PrefixedClaimOrExpression struct {
	// claim is the JWT claim to use.
	// Mutually exclusive with expression.
	// +optional
	Claim string `json:"claim,omitempty"`
	// prefix is prepended to claim's value to prevent clashes with existing names.
	// prefix needs to be set if claim is set and can be the empty string.
	// Mutually exclusive with expression.
	// +optional
	Prefix *string `json:"prefix,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim and prefix.
	// +optional
	Expression string `json:"expression,omitempty"`
}

PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.

type UserValidationRule added in v0.1.20

type UserValidationRule struct {
	// expression represents the expression which will be evaluated by CEL.
	// Must return true for the validation to pass.
	//
	// CEL expressions have access to the contents of UserInfo, organized into CEL variable:
	// - 'user' - authentication.k8s.io/v1, Kind=UserInfo object
	//    Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
	//    API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// +required
	Expression string `json:"expression"`

	// message customizes the returned error message when rule returns false.
	// message is a literal string.
	// +optional
	Message string `json:"message,omitempty"`
}

UserValidationRule provides the configuration for a single user info validation rule.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL