Documentation ¶
Index ¶
- Constants
- func FilterToUsersAndGroups(subjects []rbacv1.Subject) []rbacv1.Subject
- func GetCommonLabels(projectID string) map[string]string
- func GetDefaultClusterRoles(opts Options) map[string]string
- func GetHelmResourceLabels(projectID, helmAPIVersion string) map[string]string
- func GetProjectNamespaceAnnotations(projectID, projectLabel, clusterID string) map[string]string
- func GetProjectNamespaceLabels(projectID, projectLabel, projectLabelValue string, isOrphaned bool) map[string]string
- func HasCleanupLabel(projectHelmChart *v1alpha1.ProjectHelmChart) bool
- func HasHelmProjectOperatedLabel(labels map[string]string) bool
- func IsDefaultClusterRoleRef(opts Options, roleRefName string) (string, bool)
- func LoadValuesOverrideFromFile(path string) (v1alpha1.GenericMap, error)
- type DefaultNetworkPolicyOptions
- type DefaultServiceAccountOptions
- type HardeningOptions
- type OperatorOptions
- type Options
- type RuntimeOptions
Constants ¶
// Label keys written by the Helm Project Operator, grouped by the kind of
// object they are applied to. All keys live under the "helm.cattle.io/" prefix.

// Labels that mark resources and namespaces as managed by this operator.
const (
	// HelmProjectOperatedLabel is set on every HelmChart, HelmRelease and
	// namespace created by this operator.
	HelmProjectOperatedLabel = "helm.cattle.io/helm-project-operated"

	// HelmProjectOperatorProjectLabel is set on the Project Registration
	// Namespace and the Project Release Namespace and, only when both
	// ProjectLabel and ProjectReleaseLabelValue are configured, on every
	// Project namespace. In that configuration the label is also handed to
	// global.cattle.projectNamespaceSelector so that all namespaces of a
	// project can be selected.
	HelmProjectOperatorProjectLabel = "helm.cattle.io/projectId"

	// HelmProjectOperatedNamespaceOrphanedLabel is set on auto-generated
	// namespaces that no longer hold resources tracked by this operator; a
	// namespace carrying it is safe to delete.
	HelmProjectOperatedNamespaceOrphanedLabel = "helm.cattle.io/helm-project-operator-orphaned"

	// HelmProjectOperatedCleanupLabel is attached to ProjectHelmCharts to
	// drive cleanup: the HelmCharts and HelmReleases of every labelled
	// ProjectHelmChart are removed until the operator is next deployed, at
	// which point the label is stripped from all ProjectHelmCharts in the
	// cluster.
	HelmProjectOperatedCleanupLabel = "helm.cattle.io/helm-project-operator-cleanup"

	// HelmProjectOperatorHelmAPIVersionLabel records the HelmAPIVersion a
	// HelmChart or HelmRelease belongs to; it decides whether the object is
	// deleted from the cluster on uninstall.
	HelmProjectOperatorHelmAPIVersionLabel = "helm.cattle.io/helm-api-version"

	// HelmProjectOperatorDashboardValuesConfigMapLabel marks a ConfigMap whose
	// contents are merged into status.dashboardValues when available. Its value
	// is the Helm release name, used to locate the ProjectHelmChart whose
	// status must be updated.
	HelmProjectOperatorDashboardValuesConfigMapLabel = "helm.cattle.io/dashboard-values-configmap"
)

// Labels that drive RBAC generation in the Project Release Namespace. Because
// these labels cause the operator to create RoleBindings, the ability to set
// them on Roles is itself a privilege worth restricting.
const (
	// HelmProjectOperatorProjectHelmChartRoleLabel marks a Role whose
	// RoleBindings are managed by the Helm Project Operator. Its value is the
	// Helm release name, used to find the ProjectHelmChart whose enqueue
	// should resynchronize the Role.
	HelmProjectOperatorProjectHelmChartRoleLabel = "helm.cattle.io/project-helm-chart-role"

	// HelmProjectOperatorProjectHelmChartRoleAggregateFromLabel names which
	// subjects are bound to a Project Helm Chart Role. Its value is one of the
	// default k8s ClusterRoles (cluster-admin, admin, edit, view): the operator
	// creates a RoleBinding in the Project Release Namespace that binds every
	// subject holding that ClusterRole across all project namespaces to the
	// labelled Role. It is only honoured when
	// HelmProjectOperatorProjectHelmChartRoleLabel is present as well.
	HelmProjectOperatorProjectHelmChartRoleAggregateFromLabel = "helm.cattle.io/project-helm-chart-role-aggregate-from"

	// HelmProjectOperatorProjectHelmChartRoleBindingLabel marks a RoleBinding
	// created in response to a ProjectHelmChart role. Its value is the Helm
	// release name, used to find the ProjectHelmChart whose enqueue should
	// resynchronize the binding.
	HelmProjectOperatorProjectHelmChartRoleBindingLabel = "helm.cattle.io/project-helm-chart-role-binding"
)

// Naming of generated namespaces.
const (
	// ProjectRegistrationNamespaceFmt is the fmt pattern for project
	// registration namespaces when ProjectLabel is configured. When
	// SystemProjectLabel is configured too, the project release namespace is
	// this namespace suffixed with "-<ReleaseName>", where ReleaseName comes
	// from the Project Operator built on top of Helm Project Operator.
	ProjectRegistrationNamespaceFmt = "cattle-project-%s"
)
Functions ¶
func FilterToUsersAndGroups ¶
FilterToUsersAndGroups returns a subset of the provided subjects that are only Users and Groups i.e. it filters out ServiceAccount subjects
func GetCommonLabels ¶
GetCommonLabels returns all common labels added to all generated resources
func GetDefaultClusterRoles ¶
GetDefaultClusterRoles returns the default ClusterRoles that this operator was started with
func GetHelmResourceLabels ¶
GetHelmResourceLabels returns the labels to be added to all generated Helm resources (HelmCharts, HelmReleases)
func GetProjectNamespaceAnnotations ¶
GetProjectNamespaceAnnotations returns the annotations to be added to all Project Namespaces Note: annotations allow integration with Rancher Projects since they handle importing namespaces into Projects
func GetProjectNamespaceLabels ¶
func GetProjectNamespaceLabels(projectID, projectLabel, projectLabelValue string, isOrphaned bool) map[string]string
GetProjectNamespaceLabels returns the labels to be added to all Project Namespaces
func HasCleanupLabel ¶
func HasCleanupLabel(projectHelmChart *v1alpha1.ProjectHelmChart) bool
HasCleanupLabel returns whether a ProjectHelmChart has the cleanup label
func HasHelmProjectOperatedLabel ¶
HasHelmProjectOperatedLabel returns whether the provided labels (for example those of a ProjectHelmChart) contain the Helm Project Operated label
func IsDefaultClusterRoleRef ¶
IsDefaultClusterRoleRef returns whether the provided name is a default ClusterRole ref that this operator was started with (e.g. the values provided to AdminClusterRole, EditClusterRole, or ViewClusterRole in RuntimeOptions)
func LoadValuesOverrideFromFile ¶
func LoadValuesOverrideFromFile(path string) (v1alpha1.GenericMap, error)
LoadValuesOverrideFromFile reads the YAML file at path and unmarshals it into a v1alpha1.GenericMap held in memory
Types ¶
type DefaultNetworkPolicyOptions ¶
// DefaultNetworkPolicyOptions is the networkingv1.NetworkPolicySpec used for the
// NetworkPolicy that the hardening controller generates in operated namespaces.
// It is a defined type rather than an alias, so a NetworkPolicySpec value has to
// be converted explicitly when populating it.
type DefaultNetworkPolicyOptions networkingv1.NetworkPolicySpec
DefaultNetworkPolicyOptions is the NetworkPolicySpec used for the NetworkPolicy generated by the hardening controller
type DefaultServiceAccountOptions ¶
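// DefaultServiceAccountOptions holds the overrides applied to the fields of the
// default ServiceAccount in each operated namespace. The fields mirror the
// corresponding fields of corev1.ServiceAccount.
//
// NOTE(review): the AutomountServiceAccountToken tag previously read
// "omitEmpty"; tag options are matched case-sensitively by the yaml encoders,
// so the option was ignored and a nil pointer was still emitted. Normalised to
// "omitempty" to match the other two fields.
type DefaultServiceAccountOptions struct {
	// Secrets lists the secrets the default ServiceAccount may use.
	Secrets []corev1.ObjectReference `yaml:"secrets,omitempty"`
	// ImagePullSecrets lists the secrets used to pull images for pods running
	// under the default ServiceAccount.
	ImagePullSecrets []corev1.LocalObjectReference `yaml:"imagePullSecrets,omitempty"`
	// AutomountServiceAccountToken overrides whether pods using the default
	// ServiceAccount get an API token mounted. The hardening controller turns
	// automount off by default; setting this to true re-enables token mounting
	// for pods in the namespace that do not override it themselves.
	AutomountServiceAccountToken *bool `yaml:"automountServiceAccountToken,omitempty"`
}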
DefaultServiceAccountOptions represents the overrides to be supplied to the default Service Account's fields. Note: the values of these fields are identical to those defined on the corev1.ServiceAccount object
type HardeningOptions ¶
// HardeningOptions are options that can be provided to override the default
// hardening resources applied to all namespaces created by this Project
// Operator. To disable hardening entirely, set DisableHardening in the
// RuntimeOptions.
//
// NOTE(review): a nil field presumably leaves that resource's built-in defaults
// untouched - confirm against the hardening controller.
type HardeningOptions struct {
	// ServiceAccount represents the overrides to be supplied to the default service account patched by the hardening controller
	ServiceAccount *DefaultServiceAccountOptions `yaml:"serviceAccountSpec"`
	// NetworkPolicy represents the overrides to be supplied to the generated NetworkPolicy created by the hardening controller
	NetworkPolicy *DefaultNetworkPolicyOptions `yaml:"networkPolicySpec"`
}
HardeningOptions are options that can be provided to override the default hardening resources applied to all namespaces created by this Project Operator. To disable this, specify DisableHardening in the RuntimeOptions.
func LoadHardeningOptionsFromFile ¶
func LoadHardeningOptionsFromFile(path string) (HardeningOptions, error)
LoadHardeningOptionsFromFile reads the YAML file at path and unmarshals it into a HardeningOptions value held in memory
type OperatorOptions ¶
// OperatorOptions are options provided by an operator that is implementing
// Helm Project Operator. They describe the chart being managed rather than the
// environment it runs in (see RuntimeOptions for the latter).
type OperatorOptions struct {
	// HelmAPIVersion is the unique API version marking ProjectHelmCharts that this Helm Project Operator should watch for
	HelmAPIVersion string
	// ReleaseName is a name that identifies releases created for this operator
	ReleaseName string
	// SystemNamespaces are additional operator namespaces to treat as if they are system namespaces whether or not
	// they are marked via some sort of annotation
	SystemNamespaces []string
	// ChartContent is the base64 tgz contents of the folder containing the Helm chart that needs to be deployed
	ChartContent string
	// Singleton marks whether only a single ProjectHelmChart can exist per registration namespace
	// If enabled, it will ensure that releases are named based on the registration namespace rather than
	// the name provided on the ProjectHelmChart, which is what triggers an UnableToCreateHelmRelease status
	// on the ProjectHelmChart created after this one
	Singleton bool
}
OperatorOptions are options provided by an operator that is implementing Helm Project Operator
func (OperatorOptions) Validate ¶
func (opts OperatorOptions) Validate() error
Validate validates the provided OperatorOptions
type Options ¶
// Options defines options that can be set on initializing the
// HelmProjectOperator. Both option sets are embedded, so their fields are
// promoted onto Options.
//
// NOTE(review): RuntimeOptions and OperatorOptions each define Validate(), so
// calling Validate on an Options value is an ambiguous selector unless Options
// declares its own method - not visible here, confirm.
type Options struct {
	RuntimeOptions
	OperatorOptions
}
Options defines options that can be set on initializing the HelmProjectOperator
type RuntimeOptions ¶
// RuntimeOptions are the environment-level settings the operator is started
// with (namespace, cluster identity, project labelling, RBAC aggregation and
// hardening). Most fields carry a `usage` tag for the CLI help text and an
// `env` tag naming the environment variable they are read from.
type RuntimeOptions struct {
	// Namespace is the systemNamespace to create HelmCharts and HelmReleases in
	// It's generally expected that this namespace is not widely accessible by all users in your cluster; it's recommended that it is placed
	// in something akin to a System Project that is locked down in terms of permissions since resources like HelmCharts and HelmReleases are deployed there
	Namespace string `` /* 193-byte string literal not displayed */
	// NodeName is the name of the node running the operator; it adds additional information to events about where they were generated from
	NodeName string `usage:"Name of the node this controller is running on" env:"NODE_NAME"`
	// ControllerName is the name of the controller that identifies this operator; this ensures that all HelmCharts and HelmReleases have the correct managed-by annotation
	// so that multiple iterations of this operator in the same namespace do not try to manage the same HelmChart and HelmRelease objects
	ControllerName string `` /* 160-byte string literal not displayed */
	// HelmJobImage is the job image to use to run the HelmChart job (default rancher/klipper-helm:v0.7.0-build20220315)
	// Generally, this HelmJobImage can be left undefined, but may be necessary to be set if you are running with a non-default image
	HelmJobImage string `usage:"Job image to use to perform helm operations on HelmChart creation" env:"HELM_JOB_IMAGE"`
	// ClusterID identifies the cluster that the operator is being operated from within; it adds an additional annotation to project registration
	// namespaces that indicates the projectID with the cluster label.
	//
	// Note: primarily used for integration with Rancher Projects
	ClusterID string `usage:"Identifies the cluster this controller is running on. Ignored if --project-label is not provided." env:"CLUSTER_ID"`
	// SystemDefaultRegistry is the prefix to be added to all images deployed by the HelmChart embedded into the Project Operator
	// to point at the right set of images that need to be deployed. This is usually provided in Rancher as global.cattle.systemDefaultRegistry
	SystemDefaultRegistry string `` /* 187-byte string literal not displayed */
	// CattleURL is the Rancher URL that this chart has been deployed onto. This is usually provided in Rancher Helm charts as global.cattle.url
	CattleURL string `usage:"Default Rancher URL to provide to the Helm chart under global.cattle.url" env:"CATTLE_URL"`
	// ProjectLabel is the label that identifies projects
	// Note: this field is optional and ensures that ProjectHelmCharts auto-infer their spec.projectNamespaceSelector
	// If provided, any spec.projectNamespaceSelector provided will be ignored
	// example: field.cattle.io/projectId
	ProjectLabel string `usage:"Label on namespaces to create Project Registration Namespaces and watch for ProjectHelmCharts" env:"PROJECT_LABEL"`
	// SystemProjectLabelValues are values of ProjectLabel that identify system namespaces. Does nothing if ProjectLabel is not provided
	// example: p-ranch
	// If both this and the ProjectLabel example are provided, any namespaces with label 'field.cattle.io/projectId: <system-project-label-value>'
	// will be treated as a systemNamespace, which means that no ProjectHelmChart will be allowed to select it
	SystemProjectLabelValues []string `usage:"Values on project label on namespaces that marks it as a system namespace" env:"SYSTEM_PROJECT_LABEL_VALUE"`
	// ProjectReleaseLabelValue is the value of the ProjectLabel that should be added to Project Release Namespaces. Does nothing if ProjectLabel is not provided
	// example: p-ranch
	// If provided, dedicated Project Release namespaces will be created in the cluster for each ProjectHelmChart that needs a Helm Release
	// The created Project Release namespaces will also automatically be identified as a System Project Namespaces based on this label, so other
	// namespaces with this label value will be treated as a system namespace as well
	//
	// NOTE(review): this field shares both its usage text and the env var SYSTEM_PROJECT_LABEL_VALUE with SystemProjectLabelValues above,
	// so when both are populated from the environment they receive the same value - confirm whether that is intended or a copy-paste slip.
	ProjectReleaseLabelValue string `usage:"Value on project label on namespaces that marks it as a system namespace" env:"SYSTEM_PROJECT_LABEL_VALUE"`
	// AdminClusterRole configures the operator to automatically create RoleBindings on Roles in the Project Release Namespace marked with
	// 'helm.cattle.io/project-helm-chart-role': '<helm-release>' and 'helm.cattle.io/project-helm-chart-role-aggregate-from': 'admin'
	// based on ClusterRoleBindings or RoleBindings in the Project Registration namespace tied to the provided ClusterRole, if it exists
	//
	// Note: the three *ClusterRole values are trusted configuration; whoever controls them (or the env vars) decides which
	// subjects are granted bindings in Project Release Namespaces, so they should be set by the operator deployer only.
	AdminClusterRole string `usage:"ClusterRole tied to admin users who should have permissions in the Project Release Namespace" env:"ADMIN_CLUSTER_ROLE"`
	// EditClusterRole configures the operator to automatically create RoleBindings on Roles in the Project Release Namespace marked with
	// 'helm.cattle.io/project-helm-chart-role': '<helm-release>' and 'helm.cattle.io/project-helm-chart-role-aggregate-from': 'edit'
	// based on ClusterRoleBindings or RoleBindings in the Project Registration namespace tied to the provided ClusterRole, if it exists
	EditClusterRole string `usage:"ClusterRole tied to edit users who should have permissions in the Project Release Namespace" env:"EDIT_CLUSTER_ROLE"`
	// ViewClusterRole configures the operator to automatically create RoleBindings on Roles in the Project Release Namespace marked with
	// 'helm.cattle.io/project-helm-chart-role': '<helm-release>' and 'helm.cattle.io/project-helm-chart-role-aggregate-from': 'view'
	// based on ClusterRoleBindings or RoleBindings in the Project Registration namespace tied to the provided ClusterRole, if it exists
	ViewClusterRole string `usage:"ClusterRole tied to view users who should have permissions in the Project Release Namespace" env:"VIEW_CLUSTER_ROLE"`
	// DisableHardening turns off the controller that manages the default service account and a default NetworkPolicy deployed on all
	// namespaces marked with the Helm Project Operated Label to prevent generated namespaces from breaking a CIS 1.16 Hardened Scan by patching
	// the default ServiceAccount and creating a default secure NetworkPolicy.
	//
	// ref: https://docs.rke2.io/security/cis_self_assessment16/#515
	// ref: https://docs.rke2.io/security/cis_self_assessment16/#532
	//
	// To configure the default ServiceAccount and NetworkPolicy across all generated namespaces, you can provide overrides in the HardeningOptionsFile
	// If you need to configure the default ServiceAccount and NetworkPolicy on a per-namespace basis, it is recommended that you disable this
	DisableHardening bool `` /* 162-byte string literal not displayed */
	// HardeningOptionsFile is the path to the file that contains the configuration for the default ServiceAccount and NetworkPolicy deployed on operated namespaces
	// By default, the default service account of the namespace is patched to disable automountServiceAccountToken
	// By default, a default NetworkPolicy is deployed in the namespace that selects all pods in the namespace and limits all ingress and egress
	HardeningOptionsFile string `` /* 187-byte string literal not displayed */
	// ValuesOverrideFile is the path to the file that contains operator-provided overrides on the values.yaml that should be applied for each ProjectHelmChart
	ValuesOverrideFile string `` /* 130-byte string literal not displayed */
	// DisableEmbeddedHelmLocker determines whether to disable embedded Helm Locker controller in favor of external Helm Locker
	DisableEmbeddedHelmLocker bool `` /* 126-byte string literal not displayed */
	// DisableEmbeddedHelmController determines whether to disable embedded Helm Controller controller in favor of external Helm Controller
	// This should be the default in most RKE2 clusters since the RKE2 server binary already embeds a Helm Controller instance that manages HelmCharts
	DisableEmbeddedHelmController bool `` /* 170-byte string literal not displayed */
}
func (RuntimeOptions) Validate ¶
func (opts RuntimeOptions) Validate() error
Validate validates the provided RuntimeOptions