aws

package
v0.9.0
Warning: This package is not in the latest version of its module.
Published: Sep 7, 2021 License: MIT Imports: 16 Imported by: 0

Documentation

Constants

const (
	// ObjectName is the Kubernetes resource name of the auth ConfigMap
	ObjectName = "aws-auth"
	// ObjectNamespace is the namespace the object can be found
	ObjectNamespace = metav1.NamespaceSystem

	// GroupMasters is the admin group which is also automatically
	// granted to the IAM role that creates the cluster.
	GroupMasters = "system:masters"

	// RoleNodeGroupUsername is the default username for a nodegroup
	// role mapping.
	RoleNodeGroupUsername = "system:node:{{EC2PrivateDNSName}}"
)

const (
	// ResourceTypeRole is the resource type of the role ARN
	ResourceTypeRole = "role"
	// ResourceTypeUser is the resource type of the user ARN
	ResourceTypeUser = "user"
)

Variables

var (
	// ErrNeitherUserNorRole is the error returned when an identity is missing both UserARN
	// and RoleARN.
	ErrNeitherUserNorRole = errors.New("arn is neither user nor role")

	// ErrNoKubernetesIdentity is the error returned when an identity has neither a Kubernetes
	// username nor a list of groups.
	ErrNoKubernetesIdentity = errors.New("neither username nor group are set for iam identity")
)

Functions

func ObjectMeta

func ObjectMeta() metav1.ObjectMeta

ObjectMeta constructs metadata for the ConfigMap.

Types

type ARN

type ARN struct {
	arn.ARN
}

ARN wraps aws-sdk-go/aws/arn.ARN and implements the pflag.Value interface for it.

func Parse

func Parse(s string) (ARN, error)

Parse wraps the aws-sdk-go/aws/arn.Parse function and returns an iam.ARN instead.

func (*ARN) IsRole

func (a *ARN) IsRole() bool

IsRole returns whether the ARN represents an IAM role.

func (*ARN) IsUser

func (a *ARN) IsUser() bool

IsUser returns whether the ARN represents an IAM user.

func (*ARN) ResourceType

func (a *ARN) ResourceType() string

ResourceType returns the type of the resource specified in the ARN. For IAM this is typically "role" or "user".

type Agent

type Agent struct {
	Session    *session.Session
	IAMService *iam.IAM
	Clientset  kubernetes.Interface
}

func (*Agent) CreateIAMECRUser

func (a *Agent) CreateIAMECRUser(region string) (*PorterAWSCredentials, error)

CreateIAMECRUser creates an IAM user if it does not exist and attaches an ECR-read policy to the user.

func (*Agent) CreateIAMKubernetesMapping

func (a *Agent) CreateIAMKubernetesMapping(clusterIDGuess string) (*PorterAWSCredentials, error)

type AuthConfigMap

type AuthConfigMap struct {
	// contains filtered or unexported fields
}

AuthConfigMap allows modifying the auth ConfigMap.

func New

New creates an AuthConfigMap instance that manipulates a ConfigMap. If the given ConfigMap is nil, a new one is created.

func NewFromClientSet

func NewFromClientSet(clientSet kubernetes.Interface) (*AuthConfigMap, error)

NewFromClientSet fetches the auth ConfigMap.

func (*AuthConfigMap) AddIdentity

func (a *AuthConfigMap) AddIdentity(identity Identity) error

AddIdentity maps an IAM role or user ARN to Kubernetes groups dynamically, updating the mapping for that role or user with the given groups. If you are calling this as part of node creation, use DefaultNodeGroups.

func (*AuthConfigMap) Identities

func (a *AuthConfigMap) Identities() ([]Identity, error)

Identities returns the list of IAM users and roles currently present in the (cached) ConfigMap.

func (*AuthConfigMap) Save

func (a *AuthConfigMap) Save() (err error)

Save persists the ConfigMap to the cluster. It determines whether to create or update by looking at the ConfigMap's UID.

type Identity

type Identity interface {
	ARN() string
	Type() string
	Username() string
	Groups() []string
}

Identity represents an IAM identity and its corresponding Kubernetes identity.

func NewIdentity

func NewIdentity(arn string, username string, groups []string) (Identity, error)

NewIdentity determines which field the given ARN belongs in (role or user) and returns the new identity alongside any error resulting from checking its validity.

type KubernetesIdentity

type KubernetesIdentity struct {
	KubernetesUsername string   `json:"username,omitempty"`
	KubernetesGroups   []string `json:"groups,omitempty"`
}

KubernetesIdentity represents a Kubernetes identity to be used in IAM mappings.

func (KubernetesIdentity) Groups

func (k KubernetesIdentity) Groups() []string

Groups returns the Kubernetes groups.

func (KubernetesIdentity) Username

func (k KubernetesIdentity) Username() string

Username returns the Kubernetes username.

type PorterAWSCredentials

type PorterAWSCredentials struct {
	AWSAccessKeyID     string `json:"aws_access_key_id"`
	AWSSecretAccessKey string `json:"aws_secret_access_key"`
	AWSClusterID       string `json:"aws_cluster_id"`
}

type RoleIdentity

type RoleIdentity struct {
	RoleARN string `json:"rolearn,omitempty"`
	KubernetesIdentity
}

RoleIdentity represents a mapping from an IAM role to a Kubernetes identity.

func (RoleIdentity) ARN

func (r RoleIdentity) ARN() string

ARN returns the ARN of the IAM mapping.

func (RoleIdentity) Type

func (r RoleIdentity) Type() string

Type returns the resource type of the IAM mapping.

type UserIdentity

type UserIdentity struct {
	UserARN string `json:"userarn,omitempty"`
	KubernetesIdentity
}

UserIdentity represents a mapping from an IAM user to a Kubernetes identity.

func (UserIdentity) ARN

func (u UserIdentity) ARN() string

ARN returns the ARN of the IAM mapping.

func (UserIdentity) Type

func (u UserIdentity) Type() string

Type returns the resource type of the IAM mapping.
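As an added stand-alone example (not code from this package or from Porter), the validation that NewIdentity and the RoleIdentity/UserIdentity types describe above: an ARN is classified as role or user, a mapping with neither username nor groups is rejected, and the result is rendered as the entry that goes under the aws-auth ConfigMap's mapRoles or mapUsers key. The hand-rolled ARN parsing, the ConfigMapEntry function and the sample ARNs are assumptions of this example and are not part of the package's API.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
)

// Same messages as the package's ErrNeitherUserNorRole and ErrNoKubernetesIdentity.
var ErrNeitherUserNorRole = errors.New("arn is neither user nor role")
var ErrNoKubernetesIdentity = errors.New("neither username nor group are set for iam identity")
// Same JSON tags as the package's types: one marshalled value is one aws-auth list entry.
type KubernetesIdentity struct {
	KubernetesUsername string   `json:"username,omitempty"`
	KubernetesGroups   []string `json:"groups,omitempty"`
}
type RoleIdentity struct {
	RoleARN string `json:"rolearn,omitempty"`
	KubernetesIdentity
}
type UserIdentity struct {
	UserARN string `json:"userarn,omitempty"`
	KubernetesIdentity
}
// resourceType is a hand-rolled stand-in for arn.Parse plus ARN.ResourceType: for
// arn:partition:iam::account:type/name it returns "role" or "user", otherwise "".
func resourceType(s string) string {
	p := strings.SplitN(s, ":", 6)
	if len(p) != 6 || p[0] != "arn" || p[2] != "iam" || !strings.Contains(p[5], "/") {
		return ""
	}
	return p[5][:strings.Index(p[5], "/")]
}
// ConfigMapEntry (hypothetical) applies the checks NewIdentity documents before a mapping can
// reach Save, and returns the aws-auth data key (mapRoles or mapUsers) plus the JSON entry.
func ConfigMapEntry(arn, username string, groups []string) (string, string, error) {
	if username == "" && len(groups) == 0 {
		return "", "", ErrNoKubernetesIdentity
	}
	k := KubernetesIdentity{KubernetesUsername: username, KubernetesGroups: groups}
	switch resourceType(arn) {
	case "role":
		b, err := json.Marshal(RoleIdentity{RoleARN: arn, KubernetesIdentity: k})
		return "mapRoles", string(b), err
	case "user":
		b, err := json.Marshal(UserIdentity{UserARN: arn, KubernetesIdentity: k})
		return "mapUsers", string(b), err
	}
	return "", "", ErrNeitherUserNorRole
}
```

Run these checks before Save: once the ConfigMap is persisted, any identity mapped to GroupMasters (system:masters) is cluster-admin, so an account root ARN or a non-IAM ARN must be rejected here rather than written through.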
