Documentation
Index
- Constants
- func WriteableVFSPaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]vfs.Path, error)
- type Condition
- type Policy
- type PolicyBuilder
- func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error)
- func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error)
- func (b *PolicyBuilder) BuildAWSPolicyBastion() (*Policy, error)
- func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error)
- func (b *PolicyBuilder) BuildAWSPolicyNode() (*Policy, error)
- func (b *PolicyBuilder) IAMPrefix() string
- func (b *PolicyBuilder) UseBootstrapTokens() bool
- type PolicyResource
- type Statement
- type StatementEffect
Constants
const PolicyDefaultVersion = "2012-10-17"
PolicyDefaultVersion is the default version included in all policy documents
Variables
This section is empty.
Functions
func WriteableVFSPaths
func WriteableVFSPaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]vfs.Path, error)
Types
type Condition
type Condition map[string]interface{}
Condition is a map of Conditions to be evaluated for a given IAM Statement
type PolicyBuilder
type PolicyBuilder struct {
	Cluster      *kops.Cluster
	HostedZoneID string
	KMSKeys      []string
	Region       string
	ResourceARN  *string
	Role         kops.InstanceGroupRole
}
PolicyBuilder struct defines all valid fields to be used when building the AWS IAM policy document for a given instance group role.
func (*PolicyBuilder) AddS3Permissions
func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error)
AddS3Permissions updates an IAM Policy with statements granting tailored access to S3 assets, depending on the instance group role
func (*PolicyBuilder) BuildAWSPolicy
func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error)
BuildAWSPolicy builds a set of IAM policy statements based on the instance group type and IAM Legacy flag within the Cluster Spec
func (*PolicyBuilder) BuildAWSPolicyBastion
func (b *PolicyBuilder) BuildAWSPolicyBastion() (*Policy, error)
BuildAWSPolicyBastion generates a custom policy for a bastion host.
func (*PolicyBuilder) BuildAWSPolicyMaster
func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error)
BuildAWSPolicyMaster generates a custom policy for a Kubernetes master.
func (*PolicyBuilder) BuildAWSPolicyNode
func (b *PolicyBuilder) BuildAWSPolicyNode() (*Policy, error)
BuildAWSPolicyNode generates a custom policy for a Kubernetes node.
func (*PolicyBuilder) IAMPrefix
func (b *PolicyBuilder) IAMPrefix() string
IAMPrefix returns the prefix for AWS ARNs in the current region. For use with IAM it is arn:aws everywhere except in cn-north and us-gov-west-1.
func (*PolicyBuilder) UseBootstrapTokens
func (b *PolicyBuilder) UseBootstrapTokens() bool
UseBootstrapTokens checks whether we are using bootstrap tokens. @TODO: I don't like this; we should probably pass the kops model into the builder rather than duplicating the code. I'll leave it for another PR.
type PolicyResource
type PolicyResource struct {
	Builder *PolicyBuilder
	DNSZone *awstasks.DNSZone
}
PolicyResource defines the PolicyBuilder and DNSZone to use when building the IAM policy document for a given instance group role
func (*PolicyResource) GetDependencies
GetDependencies adds the DNSZone task to the list of dependencies if set
type Statement
type Statement struct {
	Effect    StatementEffect
	Action    stringorslice.StringOrSlice
	Resource  stringorslice.StringOrSlice
	Condition Condition `json:",omitempty"`
}
Statement is an AWS IAM Policy Statement Object: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Statement
func ParseStatements
ParseStatements parses JSON into a list of Statements
type StatementEffect
type StatementEffect string
StatementEffect is required and specifies what type of access the statement results in
const StatementEffectAllow StatementEffect = "Allow"
StatementEffectAllow allows access for the given resources in the statement (based on conditions)
const StatementEffectDeny StatementEffect = "Deny"
StatementEffectDeny denies access for the given resources in the statement (based on conditions)
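As an added example (not kops's own code), a small checker over statements in the shape documented above: it parses a JSON array of statements as ParseStatements does and flags unconditional Allow statements that combine a wildcard action with Resource "*", the kind of grant AddS3Permissions is meant to avoid. StringOrSlice is reimplemented here with its assumed single-string-or-array JSON behaviour rather than imported, and the input is a constructed sample.

```go
package main
import "encoding/json"
import "strings"
// StringOrSlice stands in for stringorslice.StringOrSlice (assumed shape, not
// imported): an IAM field written as either one JSON string or an array.
type StringOrSlice []string

func (s *StringOrSlice) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = StringOrSlice{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

// Statement mirrors the struct documented on this page.
type Statement struct {
	Effect    string
	Action    StringOrSlice
	Resource  StringOrSlice
	Condition map[string]interface{} `json:",omitempty"`
}

// BroadGrants parses a JSON array of statements (as ParseStatements does) and
// returns the indices of unconditional Allow statements that pair a wildcard
// action such as "s3:*" with the bare Resource "*"; tailored grants pass.
func BroadGrants(doc string) ([]int, error) {
	var sts []Statement
	err := json.Unmarshal([]byte(doc), &sts) // sts stays empty on error
	var out []int
	for i, st := range sts {
		if st.Effect != "Allow" || len(st.Condition) > 0 {
			continue
		}
		acts := " " + strings.Join(st.Action, " ") + " " // space-delimited so
		res := " " + strings.Join(st.Resource, " ") + " " // "bucket/*" != " * "
		if strings.Contains(acts, "* ") && strings.Contains(res, " * ") {
			out = append(out, i)
		}
	}
	return out, err
}

// sampleDoc is a constructed input: one tailored S3 grant, one broad EC2 grant.
const sampleDoc = `[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":"arn:aws:s3:::example-state-store/*"},
{"Effect":"Allow","Action":"ec2:*","Resource":"*"}]`

func main() {
	idx, err := BroadGrants(sampleDoc)
	println(len(idx), err == nil) // 1 true
}
```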