Constants ¶
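// Annotation keys read by the mutator. Each key is presumably combined with the
// annotation domain (see AnnotationDomainDefault) to form the full annotation
// name — verify against the mutator before relying on that.
const (
	//
	// Annotations for ServiceAccount
	//

	// WorkloadIdentityProviderAnnotation names the workload identity provider annotation.
	// Its value must have the form
	// "projects/{PROJECT_NUMBER}/locations/{LOCATION}/workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}".
	WorkloadIdentityProviderAnnotation = "workload-identity-provider"
	// ServiceAccountEmailAnnotation names the service account email annotation.
	ServiceAccountEmailAnnotation = "service-account-email"
	// AudienceAnnotation names the audience annotation.
	AudienceAnnotation = "audience"
	// RunAsUserAnnotation names the annotation carrying the UserID to be set in the
	// container securityContext.runAsUser for the gcloud sdk.
	RunAsUserAnnotation = "gcloud-run-as-user"
	// InjectionModeAnnotation names the annotation set to 'direct' or 'gcloud' to
	// determine the credential injection mode. Defaults to 'gcloud'.
	InjectionModeAnnotation = "injection-mode"

	//
	// Annotations for both ServiceAccount and Pod
	//

	// TokenExpirationAnnotation names the token expiration annotation (value in seconds).
	TokenExpirationAnnotation = "token-expiration"

	//
	// Annotations for Pod
	//

	// SkipContainersAnnotation names the annotation holding a comma-separated list of
	// container names to skip adding environment variables and volumes to.
	// Applies to `initContainers` and `containers`.
	SkipContainersAnnotation = "skip-containers"
	// ExternalCredentialsJsonAnnotation names the annotation holding the External
	// Credentials JSON blob to be injected into the cluster, only used in 'direct' mode.
	// NOTE(review): the blob is read from the pod's own metadata, so it is supplied by
	// whoever authors the pod spec; confirm the mutator validates it before injecting.
	ExternalCredentialsJsonAnnotation = "external-credentials-json"
)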
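const (
	// Defaults

	// AnnotationDomainDefault is the default annotation domain.
	AnnotationDomainDefault = "cloud.google.com"
	// AudienceDefault is the default audience.
	AudienceDefault = "sts.googleapis.com"
	// DefaultTokenExpirationDefault is the default token expiration.
	DefaultTokenExpirationDefault = 24 * time.Hour
	// MinTokenExprationDefault is the default minimum token expiration.
	// The identifier's spelling is part of the exported API and is kept as is.
	MinTokenExprationDefault = time.Hour
	// DefaultGCloudRegionDefault is the default gcloud region.
	DefaultGCloudRegionDefault = "asia-northeast1"
	// GcloudImageDefault is the default gcloud sdk image.
	GcloudImageDefault = "google/cloud-sdk:slim"
	// VolumeModeDefault is the default volume mode. Read as a Unix file mode, 0440
	// makes the mounted files readable by owner and group only, never world-readable.
	VolumeModeDefault = 0440
	// SetupContainerResources is the default resources value for the setup container.
	// NOTE(review): empty presumably means "no explicit requests/limits" — verify.
	SetupContainerResources = ""

	// Constants for injected fields

	// DirectInjectedExternalVolumeName is the volume name used in 'direct' mode.
	DirectInjectedExternalVolumeName = "external-credential-config"
	// DirectInjectedExternalMountPath is where that volume is mounted.
	DirectInjectedExternalMountPath = "/var/run/secrets/workload-identity"
	// ExternalCredConfigFilename is the external credential config file name.
	ExternalCredConfigFilename = "federation.json"
	// K8sSATokenVolumeName is the volume name for the Kubernetes SA token.
	K8sSATokenVolumeName = "gcp-iam-token"
	// K8sSATokenMountPath is where the Kubernetes SA token volume is mounted.
	K8sSATokenMountPath = "/var/run/secrets/sts.googleapis.com/serviceaccount"
	// K8sSATokenName is the file name of the Kubernetes SA token.
	K8sSATokenName = "token"
	// GCloudConfigVolumeName is the volume name for the gcloud config.
	GCloudConfigVolumeName = "gcloud-config"
	// GCloudConfigMountPath is where the gcloud config volume is mounted.
	GCloudConfigMountPath = "/var/run/secrets/gcloud/config"
	// GCloudSetupInitContainerName is the name of the gcloud setup init container.
	GCloudSetupInitContainerName = "gcloud-setup"
)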
Types ¶
type CredentialFormat ¶
// CredentialFormat is the "format" element of a CredentialSource.
type CredentialFormat struct {
	// Type is either "text" or "json". When not provided "text" type is assumed.
	Type string `json:"type"`
}
type CredentialSource ¶
// CredentialSource stores the information necessary to retrieve the credentials
// for the STS exchange; it is serialized as the "credential_source" element of
// ExternalAccountCredentials.
type CredentialSource struct {
	// File is the path of the file holding the credential.
	File string `json:"file"`
	// Format describes the content of File ("text" or "json").
	Format CredentialFormat `json:"format"`
}
CredentialSource stores the information necessary to retrieve the credentials for the STS exchange. One field amongst File, URL, and Executable should be filled, depending on the kind of credential in question. The EnvironmentID should start with AWS if being used for an AWS credential.
type ExternalAccountCredentials ¶
// ExternalAccountCredentials stores the configuration for fetching tokens with
// external credentials.
type ExternalAccountCredentials struct {
	// Type is the Credentials file type - always 'external_account' in our case.
	Type string `json:"type"`
	// Audience is the Secure Token Service (STS) audience which contains the resource name for the workload
	// identity pool or the workforce pool and the provider identifier in that pool.
	Audience string `json:"audience"`
	// SubjectTokenType is the STS token type based on the Oauth2.0 token exchange spec
	// e.g. `urn:ietf:params:oauth:token-type:jwt`.
	SubjectTokenType string `json:"subject_token_type"`
	// TokenURL is the STS token exchange endpoint.
	TokenURL string `json:"token_url"`
	// TokenInfoURL is the token_info endpoint used to retrieve the account related information (
	// user attributes like account identifier, eg. email, username, uid, etc). This is
	// needed for gCloud session account identification.
	TokenInfoURL string `json:"token_info_url,omitempty"`
	// ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only
	// required for workload identity pools when APIs to be accessed have not integrated with UberMint.
	ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
	// ServiceAccountImpersonationLifetimeSeconds is the number of seconds the service account impersonation
	// token will be valid for.
	ServiceAccountImpersonationLifetimeSeconds int `json:"service_account_impersonation_lifetime_seconds,omitempty"`
	// CredentialSource contains the necessary information to retrieve the token itself, as well
	// as some environmental information.
	CredentialSource CredentialSource `json:"credential_source"`
}
ExternalAccountCredentials stores the configuration for fetching tokens with external credentials.
func NewExternalAccountCredentials ¶
func NewExternalAccountCredentials(aud, gsaEmail string) *ExternalAccountCredentials
type GCPWorkloadIdentityConfig ¶
// GCPWorkloadIdentityConfig holds the workload identity settings derived from a
// ServiceAccount (see NewGCPWorkloadIdentityConfig). Pointer fields are presumably
// nil when the corresponding annotation is absent — verify against the constructor.
type GCPWorkloadIdentityConfig struct {
	// WorkloadIdentityProvider is the workload identity provider resource name.
	WorkloadIdentityProvider *string
	// ServiceAccountEmail is the GCP service account email.
	ServiceAccountEmail *string
	// RunAsUser is the UID for the gcloud container securityContext.
	RunAsUser *int64
	// InjectionMode selects 'direct' or 'gcloud' credential injection.
	InjectionMode InjectionMode
	// Audience is the STS audience.
	Audience *string
	// TokenExpirationSeconds is the requested token lifetime in seconds.
	TokenExpirationSeconds *int64
}
func NewGCPWorkloadIdentityConfig ¶
func NewGCPWorkloadIdentityConfig( annotationDomain string, sa corev1.ServiceAccount, ) (*GCPWorkloadIdentityConfig, error)
type GCPWorkloadIdentityMutator ¶
// GCPWorkloadIdentityMutator injects configuration into containers so they can
// acquire a workload federated identity automatically. It implements
// admission.Handler via Handle.
type GCPWorkloadIdentityMutator struct {
	// AnnotationDomain is the domain that annotation keys are qualified with.
	AnnotationDomain string
	// DefaultAudience is the audience used when no annotation overrides it.
	DefaultAudience string
	// DefaultTokenExpiration is the token lifetime used when no annotation overrides it.
	DefaultTokenExpiration time.Duration
	// MinTokenExpration is the lower bound applied to token lifetimes.
	MinTokenExpration time.Duration
	// DefaultGCloudRegion is the region configured for the gcloud sdk.
	DefaultGCloudRegion string
	// GcloudImage is the image of the gcloud setup container.
	GcloudImage string
	// DefaultMode is the file mode for injected volumes — presumably VolumeModeDefault; verify.
	DefaultMode int32
	// SetupContainerResources are the resource requirements of the setup container.
	SetupContainerResources *corev1.ResourceRequirements
	client.Client
	// contains filtered or unexported fields
}
GCPWorkloadIdentityMutator injects configuration into containers so they can acquire a workload federated identity automatically.
func (*GCPWorkloadIdentityMutator) Handle ¶
func (m *GCPWorkloadIdentityMutator) Handle(ctx context.Context, ar admission.Request) admission.Response
Handle implements admission.Handler
func (*GCPWorkloadIdentityMutator) SetupWithManager ¶
type InjectionMode ¶
// InjectionMode selects how credentials are injected into a pod; see the
// InjectionModeAnnotation, which defaults to 'gcloud'.
type InjectionMode string

const (
	// UndefinedMode is the zero value, meaning no mode was specified.
	UndefinedMode InjectionMode = ""
	// GCloudMode injects credentials through the gcloud sdk setup container.
	GCloudMode InjectionMode = "gcloud"
	// DirectMode injects the external credentials JSON directly.
	DirectMode InjectionMode = "direct"
)