kas

package
v0.1.24 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 18, 2024 License: Apache-2.0 Imports: 51 Imported by: 0

Documentation

Index

Constants

View Source
const (
	AuditPolicyConfigMapKey  = "policy.yaml"
	AuditPolicyProfileMapKey = "profile"
)
View Source
const (
	KubeAPIServerConfigKey  = "config.json"
	AuthenticationConfigKey = "auth.json"
	OauthMetadataConfigKey  = "oauthMetadata.json"
	AuditLogFile            = "audit.log"
	EgressSelectorConfigKey = "config.yaml"
	DefaultEtcdPort         = 2379
)
View Source
const (
	KonnectivityHealthPort      = 2041
	KonnectivityServerLocalPort = 8090
	KonnectivityServerPort      = 8091
)
View Source
const (
	AuthConfigMapKey = "auth.json"
)
View Source
const (
	EgressSelectorConfigMapKey = "config.yaml"
)
View Source
const (
	KubeconfigKey = util.KubeconfigKey
)

Variables

This section is empty.

Functions

func GetKMSProvider added in v0.1.17

func GetKMSProvider(kmsSpec *hyperv1.KMSSpec, images KubeAPIServerImages) (kms.IKMSProvider, error)

func InClusterKASReadyURL

func InClusterKASReadyURL(platformType hyperv1.PlatformType) string

func InClusterKASURL

func InClusterKASURL(platformType hyperv1.PlatformType) string

func ReconcileAESCBCEncryptionConfig

func ReconcileAESCBCEncryptionConfig(config *corev1.Secret,
	ownerRef hcpconfig.OwnerRef,
	activeKey []byte,
	backupKey []byte,
) error

func ReconcileAuditConfig

func ReconcileAuditConfig(auditCfgMap *corev1.ConfigMap, ownerRef config.OwnerRef, auditConfig configv1.Audit) error

func ReconcileAuthConfig added in v0.1.20

func ReconcileAuthConfig(ctx context.Context, c crclient.Client, config *corev1.ConfigMap, ownerRef hcpconfig.OwnerRef, p KubeAPIServerConfigParams) error

func ReconcileAuthenticationTokenWebhookConfigSecret

func ReconcileAuthenticationTokenWebhookConfigSecret(
	secret *corev1.Secret,
	ownerRef config.OwnerRef,
	authenticatorSecret *corev1.Secret,
	servingCA *corev1.ConfigMap,
) error

func ReconcileBootstrapKubeconfigSecret

func ReconcileBootstrapKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, externalURL string) error

func ReconcileConfig

func ReconcileConfig(config *corev1.ConfigMap, ownerRef hcpconfig.OwnerRef, p KubeAPIServerConfigParams) error

func ReconcileEgressSelectorConfig

func ReconcileEgressSelectorConfig(config *corev1.ConfigMap, ownerRef hcpconfig.OwnerRef) error

func ReconcileExternalKubeconfigSecret

func ReconcileExternalKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, externalURL, secretKey string) error

func ReconcileExternalPrivateRoute added in v0.1.2

func ReconcileExternalPrivateRoute(route *routev1.Route, owner *metav1.OwnerReference, hostname string) error

func ReconcileExternalPublicRoute added in v0.1.2

func ReconcileExternalPublicRoute(route *routev1.Route, owner *metav1.OwnerReference, hostname string) error

func ReconcileInternalRoute

func ReconcileInternalRoute(route *routev1.Route, owner *metav1.OwnerReference) error

func ReconcileKMSEncryptionConfig

func ReconcileKMSEncryptionConfig(config *corev1.Secret,
	ownerRef hcpconfig.OwnerRef,
	encryptionSpec *hyperv1.KMSSpec,
) error

func ReconcileKonnectivityExternalRoute added in v0.1.10

func ReconcileKonnectivityExternalRoute(route *routev1.Route, ownerRef config.OwnerRef, hostname string, defaultIngressDomain string) error

func ReconcileKonnectivityInternalRoute added in v0.1.10

func ReconcileKonnectivityInternalRoute(route *routev1.Route, ownerRef config.OwnerRef) error

func ReconcileKonnectivityServerLocalService added in v0.1.10

func ReconcileKonnectivityServerLocalService(svc *corev1.Service, ownerRef config.OwnerRef) error

func ReconcileKonnectivityServerService added in v0.1.10

func ReconcileKonnectivityServerService(svc *corev1.Service, ownerRef config.OwnerRef, strategy *hyperv1.ServicePublishingStrategy, hcp *hyperv1.HostedControlPlane) error

func ReconcileKonnectivityServerServiceStatus added in v0.1.10

func ReconcileKonnectivityServerServiceStatus(svc *corev1.Service, route *routev1.Route, strategy *hyperv1.ServicePublishingStrategy, messageCollector events.MessageCollector) (host string, port int32, message string, err error)

func ReconcileKubeAPIServerDeployment

func ReconcileKubeAPIServerDeployment(deployment *appsv1.Deployment,
	hcp *hyperv1.HostedControlPlane,
	ownerRef config.OwnerRef,
	deploymentConfig config.DeploymentConfig,
	namedCertificates []configv1.APIServerNamedServingCert,
	cloudProviderName string,
	cloudProviderConfigRef *corev1.LocalObjectReference,
	cloudProviderCreds *corev1.LocalObjectReference,
	images KubeAPIServerImages,
	config *corev1.ConfigMap,
	auditConfig *corev1.ConfigMap,
	authConfig *corev1.ConfigMap,
	auditWebhookRef *corev1.LocalObjectReference,
	aesCBCActiveKey []byte,
	aesCBCBackupKey []byte,
	port int32,
	payloadVersion string,
	featureGateSpec *configv1.FeatureGateSpec,
	oidcCA *corev1.LocalObjectReference,
	cipherSuites []string,
) error

func ReconcileLocalhostKubeconfigSecret

func ReconcileLocalhostKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, apiServerPort int32) error

func ReconcileOauthMetadata

func ReconcileOauthMetadata(cfg *corev1.ConfigMap, ownerRef config.OwnerRef, userOauthMetadata string, externalOAuthAddress string, externalOAuthPort int32) error

func ReconcilePodDisruptionBudget

func ReconcilePodDisruptionBudget(pdb *policyv1.PodDisruptionBudget, p *KubeAPIServerParams) error

func ReconcilePrivateService

func ReconcilePrivateService(svc *corev1.Service, hcp *hyperv1.HostedControlPlane, owner *metav1.OwnerReference) error

func ReconcileRecordingRules

func ReconcileRecordingRules(r *prometheusoperatorv1.PrometheusRule, clusterID string)

func ReconcileService

func ReconcileService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, owner *metav1.OwnerReference, apiServerServicePort int, apiAllowedCIDRBlocks []string, hcp *hyperv1.HostedControlPlane) error

func ReconcileServiceCAPIKubeconfigSecret

func ReconcileServiceCAPIKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, capiClusterName string, platformType hyperv1.PlatformType) error

func ReconcileServiceClusterIP added in v0.1.16

func ReconcileServiceClusterIP(svc *corev1.Service, owner *metav1.OwnerReference) error

func ReconcileServiceKubeconfigSecret

func ReconcileServiceKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, platformType hyperv1.PlatformType) error

func ReconcileServiceMonitor

func ReconcileServiceMonitor(sm *prometheusoperatorv1.ServiceMonitor, ownerRef config.OwnerRef, clusterID string, metricsSet metrics.MetricsSet) error

func ReconcileServiceStatus

func ReconcileServiceStatus(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, apiServerPort int, messageCollector events.MessageCollector) (host string, port int32, message string, err error)

Types

type AudienceMatchPolicyType added in v0.1.20

type AudienceMatchPolicyType string

AudienceMatchPolicyType is a set of valid values for Issuer.AudienceMatchPolicy

const (
	// MatchAny means the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field.
	AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny"
)

Valid types for AudienceMatchPolicyType

type AuthenticationConfiguration added in v0.1.20

type AuthenticationConfiguration struct {
	metav1.TypeMeta

	// jwt is a list of authenticator to authenticate Kubernetes users using
	// JWT compliant tokens. The authenticator will attempt to parse a raw ID token,
	// verify it's been signed by the configured issuer. The public key to verify the
	// signature is discovered from the issuer's public endpoint using OIDC discovery.
	// For an incoming token, each JWT authenticator will be attempted in
	// the order in which it is specified in this list.  Note however that
	// other authenticators may run before or after the JWT authenticators.
	// The specific position of JWT authenticators in relation to other
	// authenticators is neither defined nor stable across releases.  Since
	// each JWT authenticator must have a unique issuer URL, at most one
	// JWT authenticator will attempt to cryptographically validate the token.
	JWT []JWTAuthenticator `json:"jwt"`
}

AuthenticationConfiguration provides versioned configuration for authentication.

type ClaimMappings added in v0.1.20

type ClaimMappings struct {
	// username represents an option for the username attribute.
	// The claim's value must be a singular string.
	// Same as the --oidc-username-claim and --oidc-username-prefix flags.
	// If username.expression is set, the expression must produce a string value.
	//
	// In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set,
	// the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly.
	// For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config.
	// For prefix:
	//     (1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config,
	//         set username.prefix=""
	//     (2) --oidc-username-prefix="" and  --oidc-username-claim != "email", prefix was "<value of --oidc-issuer-url>#". For the same
	//         behavior using authentication config, set username.prefix="<value of issuer.url>#"
	//	   (3) --oidc-username-prefix="<value>". For the same behavior using authentication config, set username.prefix="<value>"
	// +required
	Username PrefixedClaimOrExpression `json:"username"`
	// groups represents an option for the groups attribute.
	// The claim's value must be a string or string array claim.
	// If groups.claim is set, the prefix must be specified (and can be the empty string).
	// If groups.expression is set, the expression must produce a string or string array value.
	//  "", [], and null values are treated as the group mapping not being present.
	// +optional
	Groups PrefixedClaimOrExpression `json:"groups,omitempty"`

	// uid represents an option for the uid attribute.
	// Claim must be a singular string claim.
	// If uid.expression is set, the expression must produce a string value.
	// +optional
	UID ClaimOrExpression `json:"uid"`

	// extra represents an option for the extra attribute.
	// expression must produce a string or string array value.
	// If the value is empty, the extra mapping will not be present.
	//
	// hard-coded extra key/value
	// - key: "foo"
	//   valueExpression: "'bar'"
	// This will result in an extra attribute - foo: ["bar"]
	//
	// hard-coded key, value copying claim value
	// - key: "foo"
	//   valueExpression: "claims.some_claim"
	// This will result in an extra attribute - foo: [value of some_claim]
	//
	// hard-coded key, value derived from claim value
	// - key: "admin"
	//   valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
	// This will result in:
	//  - if is_admin claim is present and true, extra attribute - admin: ["true"]
	//  - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
	//
	// +optional
	Extra []ExtraMapping `json:"extra,omitempty"`
}

ClaimMappings provides the configuration for claim mapping

type ClaimOrExpression added in v0.1.20

type ClaimOrExpression struct {
	// claim is the JWT claim to use.
	// Either claim or expression must be set.
	// Mutually exclusive with expression.
	// +optional
	Claim string `json:"claim,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim.
	// +optional
	Expression string `json:"expression,omitempty"`
}

ClaimOrExpression provides the configuration for a single claim or expression.

type ClaimValidationRule added in v0.1.20

type ClaimValidationRule struct {
	// claim is the name of a required claim.
	// Same as --oidc-required-claim flag.
	// Only string claim keys are supported.
	// Mutually exclusive with expression and message.
	// +optional
	Claim string `json:"claim,omitempty"`
	// requiredValue is the value of a required claim.
	// Same as --oidc-required-claim flag.
	// Only string claim values are supported.
	// If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
	// Mutually exclusive with expression and message.
	// +optional
	RequiredValue string `json:"requiredValue,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	// Must produce a boolean.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
	// Must return true for the validation to pass.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim and requiredValue.
	// +optional
	Expression string `json:"expression,omitempty"`
	// message customizes the returned error message when expression returns false.
	// message is a literal string.
	// Mutually exclusive with claim and requiredValue.
	// +optional
	Message string `json:"message,omitempty"`
}

ClaimValidationRule provides the configuration for a single claim validation rule.

type ExtraMapping added in v0.1.20

type ExtraMapping struct {
	// key is a string to use as the extra attribute key.
	// key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
	// subdomain as defined by RFC 1123. All characters trailing the first "/" must
	// be valid HTTP Path characters as defined by RFC 3986.
	// key must be lowercase.
	// +required
	Key string `json:"key"`

	// valueExpression is a CEL expression to extract extra attribute value.
	// valueExpression must produce a string or string array value.
	// "", [], and null values are treated as the extra mapping not being present.
	// Empty string values contained within a string array are filtered out.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// +required
	ValueExpression string `json:"valueExpression"`
}

ExtraMapping provides the configuration for a single extra mapping.

type Issuer added in v0.1.20

type Issuer struct {
	// url points to the issuer URL in a format https://url or https://url/path.
	// This must match the "iss" claim in the presented JWT, and the issuer returned from discovery.
	// Same value as the --oidc-issuer-url flag.
	// Used to fetch discovery information unless overridden by discoveryURL.
	// Required to be unique.
	// Note that egress selection configuration is not used for this network connection.
	// +required
	URL string `json:"url"`

	// certificateAuthority contains PEM-encoded certificate authority certificates
	// used to validate the connection when fetching discovery information.
	// If unset, the system verifier is used.
	// Same value as the content of the file referenced by the --oidc-ca-file flag.
	// +optional
	CertificateAuthority string `json:"certificateAuthority,omitempty"`

	// audiences is the set of acceptable audiences the JWT must be issued to.
	// At least one of the entries must match the "aud" claim in presented JWTs.
	// Same value as the --oidc-client-id flag (though this field supports an array).
	// Required to be non-empty.
	// +required
	Audiences []string `json:"audiences"`

	// audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT.
	// Allowed values are:
	// 1. "MatchAny" when multiple audiences are specified and
	// 2. empty (or unset) or "MatchAny" when a single audience is specified.
	//
	// - MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field.
	// For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both).
	//
	// - "": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others).
	//
	// For more nuanced audience validation, use claimValidationRules.
	//   example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match.
	// +optional
	AudienceMatchPolicy AudienceMatchPolicyType `json:"audienceMatchPolicy,omitempty"`
}

Issuer provides the configuration for a external provider specific settings.

type JWTAuthenticator added in v0.1.20

type JWTAuthenticator struct {
	// issuer contains the basic OIDC provider connection options.
	// +required
	Issuer Issuer `json:"issuer"`

	// claimValidationRules are rules that are applied to validate token claims to authenticate users.
	// +optional
	ClaimValidationRules []ClaimValidationRule `json:"claimValidationRules,omitempty"`

	// claimMappings points claims of a token to be treated as user attributes.
	// +required
	ClaimMappings ClaimMappings `json:"claimMappings"`

	// userValidationRules are rules that are applied to final user before completing authentication.
	// These allow invariants to be applied to incoming identities such as preventing the
	// use of the system: prefix that is commonly used by Kubernetes components.
	// The validation rules are logically ANDed together and must all return true for the validation to pass.
	// +optional
	UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"`
}

JWTAuthenticator provides the configuration for a single JWT authenticator.

type KubeAPIServerConfigParams

type KubeAPIServerConfigParams struct {
	ExternalIPConfig             *configv1.ExternalIPConfig
	ClusterNetwork               []string
	ServiceNetwork               []string
	NamedCertificates            []configv1.APIServerNamedServingCert
	KASPodPort                   int32
	TLSSecurityProfile           *configv1.TLSSecurityProfile
	AdditionalCORSAllowedOrigins []string
	InternalRegistryHostName     string
	ExternalRegistryHostNames    []string
	DefaultNodeSelector          string
	AdvertiseAddress             string
	ServiceAccountIssuerURL      string
	CloudProvider                string
	CloudProviderConfigRef       *corev1.LocalObjectReference
	EtcdURL                      string
	FeatureGates                 []string
	NodePortRange                string
	AuditWebhookEnabled          bool
	ConsolePublicURL             string
	DisableProfiling             bool
	APIServerSTSDirectives       string
	Authentication               *configv1.AuthenticationSpec
}

type KubeAPIServerImages

type KubeAPIServerImages struct {
	ClusterConfigOperator      string `json:"clusterConfigOperator"`
	CLI                        string `json:"cli"`
	HyperKube                  string `json:"hyperKube"`
	IBMCloudKMS                string `json:"ibmcloudKMS"`
	AWSKMS                     string `json:"awsKMS"`
	Portieris                  string `json:"portieris"`
	TokenMinterImage           string
	AWSPodIdentityWebhookImage string
	KonnectivityServer         string
}

type KubeAPIServerParams

type KubeAPIServerParams struct {
	APIServer           *configv1.APIServerSpec      `json:"apiServer"`
	Authentication      *configv1.AuthenticationSpec `json:"authentication"`
	FeatureGate         *configv1.FeatureGateSpec    `json:"featureGate"`
	Network             *configv1.NetworkSpec        `json:"network"`
	Image               *configv1.ImageSpec          `json:"image"`
	Scheduler           *configv1.SchedulerSpec      `json:"scheduler"`
	CloudProvider       string                       `json:"cloudProvider"`
	CloudProviderConfig *corev1.LocalObjectReference `json:"cloudProviderConfig"`
	CloudProviderCreds  *corev1.LocalObjectReference `json:"cloudProviderCreds"`

	ServiceAccountIssuer string   `json:"serviceAccountIssuer"`
	ServiceCIDRs         []string `json:"serviceCIDRs"`
	ClusterCIDRs         []string `json:"clusterCIDRs"`
	AdvertiseAddress     string   `json:"advertiseAddress"`
	ExternalAddress      string   `json:"externalAddress"`
	// ExternalPort is the port coming from the status of the SVC which is exposing the KAS, e.g. common router LB, dedicated private/public/ LB...
	// This is used to build kas urls for generated internal kubeconfigs for example.
	ExternalPort    int32  `json:"externalPort"`
	InternalAddress string `json:"internalAddress"`
	// KASPodPort is the port to expose in the KAS Pod.
	KASPodPort           int32                        `json:"apiServerPort"`
	ExternalOAuthAddress string                       `json:"externalOAuthAddress"`
	ExternalOAuthPort    int32                        `json:"externalOAuthPort"`
	OIDCCAConfigMap      *corev1.LocalObjectReference `json:"oidcCAConfigMap"`
	EtcdURL              string                       `json:"etcdAddress"`
	KubeConfigRef        *hyperv1.KubeconfigSecretRef `json:"kubeConfigRef"`
	AuditWebhookRef      *corev1.LocalObjectReference `json:"auditWebhookRef"`
	ConsolePublicURL     string                       `json:"consolePublicURL"`
	DisableProfiling     bool                         `json:"disableProfiling"`
	config.DeploymentConfig
	config.OwnerRef

	Images KubeAPIServerImages `json:"images"`

	Availability           hyperv1.AvailabilityPolicy
	APIServerSTSDirectives string
}

func NewKubeAPIServerParams

func NewKubeAPIServerParams(ctx context.Context, hcp *hyperv1.HostedControlPlane, releaseImageProvider *imageprovider.ReleaseImageProvider, externalAPIAddress string, externalAPIPort int32, externalOAuthAddress string, externalOAuthPort int32, setDefaultSecurityContext bool) *KubeAPIServerParams

func (*KubeAPIServerParams) AdditionalCORSAllowedOrigins

func (p *KubeAPIServerParams) AdditionalCORSAllowedOrigins() []string

func (*KubeAPIServerParams) AuditPolicyConfig

func (p *KubeAPIServerParams) AuditPolicyConfig() configv1.Audit

func (*KubeAPIServerParams) CipherSuites added in v0.1.21

func (p *KubeAPIServerParams) CipherSuites() []string

func (*KubeAPIServerParams) ClusterNetwork

func (p *KubeAPIServerParams) ClusterNetwork() []string

func (*KubeAPIServerParams) ConfigParams

func (*KubeAPIServerParams) DefaultNodeSelector

func (p *KubeAPIServerParams) DefaultNodeSelector() string

func (*KubeAPIServerParams) ExternalIPConfig

func (p *KubeAPIServerParams) ExternalIPConfig() *configv1.ExternalIPConfig

func (*KubeAPIServerParams) ExternalKubeconfigKey

func (p *KubeAPIServerParams) ExternalKubeconfigKey() string

func (*KubeAPIServerParams) ExternalRegistryHostNames

func (p *KubeAPIServerParams) ExternalRegistryHostNames() []string

func (*KubeAPIServerParams) ExternalURL

func (p *KubeAPIServerParams) ExternalURL() string

func (*KubeAPIServerParams) FeatureGates

func (p *KubeAPIServerParams) FeatureGates() []string

func (*KubeAPIServerParams) InternalRegistryHostName

func (p *KubeAPIServerParams) InternalRegistryHostName() string

func (*KubeAPIServerParams) InternalURL

func (p *KubeAPIServerParams) InternalURL() string

InternalURL is used by ReconcileBootstrapKubeconfigSecret.

func (*KubeAPIServerParams) NamedCertificates

func (p *KubeAPIServerParams) NamedCertificates() []configv1.APIServerNamedServingCert

func (*KubeAPIServerParams) ServiceAccountIssuerURL

func (p *KubeAPIServerParams) ServiceAccountIssuerURL() string

func (*KubeAPIServerParams) ServiceNetwork

func (p *KubeAPIServerParams) ServiceNetwork() []string

func (*KubeAPIServerParams) ServiceNodePortRange

func (p *KubeAPIServerParams) ServiceNodePortRange() string

func (*KubeAPIServerParams) TLSSecurityProfile

func (p *KubeAPIServerParams) TLSSecurityProfile() *configv1.TLSSecurityProfile

type KubeAPIServerServiceParams

type KubeAPIServerServiceParams struct {
	AllowedCIDRBlocks []string
	OwnerReference    *metav1.OwnerReference
}

type PrefixedClaimOrExpression added in v0.1.20

type PrefixedClaimOrExpression struct {
	// claim is the JWT claim to use.
	// Mutually exclusive with expression.
	// +optional
	Claim string `json:"claim,omitempty"`
	// prefix is prepended to claim's value to prevent clashes with existing names.
	// prefix needs to be set if claim is set and can be the empty string.
	// Mutually exclusive with expression.
	// +optional
	Prefix *string `json:"prefix,omitempty"`

	// expression represents the expression which will be evaluated by CEL.
	//
	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
	// - 'claims' is a map of claim names to claim values.
	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
	//   Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'.
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Mutually exclusive with claim and prefix.
	// +optional
	Expression string `json:"expression,omitempty"`
}

PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.

type UserValidationRule added in v0.1.20

type UserValidationRule struct {
	// expression represents the expression which will be evaluated by CEL.
	// Must return true for the validation to pass.
	//
	// CEL expressions have access to the contents of UserInfo, organized into CEL variable:
	// - 'user' - authentication.k8s.io/v1, Kind=UserInfo object
	//    Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
	//    API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
	//
	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
	//
	// +required
	Expression string `json:"expression"`

	// message customizes the returned error message when rule returns false.
	// message is a literal string.
	// +optional
	Message string `json:"message,omitempty"`
}

UserValidationRule provides the configuration for a single user info validation rule.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL