proxy

package
v4.3.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 24, 2020 License: Apache-2.0 Imports: 56 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// The SPDY subprotocol "v4.channel.k8s.io" is used for remote command
	// attachment/execution. It is the 4th version of the subprotocol and
	// adds support for exit codes.
	StreamProtocolV4Name = "v4.channel.k8s.io"

	// DefaultStreamCreationTimeout
	DefaultStreamCreationTimeout = 30 * time.Second

	IdleTimeout = 15 * time.Minute
)
View Source
const (
	// Enable stdin for remote command execution
	ExecStdinParam = "input"
	// Enable stdout for remote command execution
	ExecStdoutParam = "output"
	// Enable stderr for remote command execution
	ExecStderrParam = "error"
	// Enable TTY for remote command execution
	ExecTTYParam = "tty"
	// Command to run for remote command execution
	ExecCommandParam = "command"

	// Name of header that specifies stream type
	StreamType = "streamType"
	// Value for streamType header for stdin stream
	StreamTypeStdin = "stdin"
	// Value for streamType header for stdout stream
	StreamTypeStdout = "stdout"
	// Value for streamType header for stderr stream
	StreamTypeStderr = "stderr"
	// Value for streamType header for data stream
	StreamTypeData = "data"
	// Value for streamType header for error stream
	StreamTypeError = "error"
	// Value for streamType header for terminal resize stream
	StreamTypeResize = "resize"

	// Name of header that specifies the port being forwarded
	PortHeader = "port"
	// Name of header that specifies a request ID used to associate the error
	// and data streams for a single forwarded connection
	PortForwardRequestIDHeader = "requestID"

	// PortForwardProtocolV1Name is the subprotocol "portforward.k8s.io" is used for port forwarding
	PortForwardProtocolV1Name = "portforward.k8s.io"
)

These constants are for remote command execution and port forwarding and are used by both the client side and server side components.

This is probably not the ideal place for them, but it didn't seem worth it to create pkg/exec and pkg/portforward just to contain a single file with constants in it. Suggestions for more appropriate alternatives are definitely welcome!

View Source
const (
	// ImpersonateHeaderPrefix is K8s impersonation prefix for impersonation feature:
	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
	ImpersonateHeaderPrefix = "Impersonate-"
	// ImpersonateUserHeader is impersonation header for users
	ImpersonateUserHeader = "Impersonate-User"
	// ImpersonateGroupHeader is K8s impersonation header for user
	ImpersonateGroupHeader = "Impersonate-Group"
	// ImpersonationRequestDeniedMessage is access denied message for impersonation
	ImpersonationRequestDeniedMessage = "impersonation request has been denied"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type DialFunc

type DialFunc func(string, string) (net.Conn, error)

DialFunc is a network dialer function that returns a network connection

type DialWithContext

type DialWithContext func(context context.Context, network, address string) (net.Conn, error)

DialWithContext is the function used to dial to remote endpoints

type Forwarder

type Forwarder struct {
	sync.Mutex
	*log.Entry
	httprouter.Router
	ForwarderConfig
	// contains filtered or unexported fields
}

Forwarder intercepts kubernetes requests, acting as Kubernetes API proxy. it blindly forwards most of the requests on HTTPS protocol layer, however some requests like exec sessions it intercepts and records.

func NewForwarder

func NewForwarder(cfg ForwarderConfig) (*Forwarder, error)

NewForwarder returns new instance of Kubernetes request forwarding proxy.

func (*Forwarder) Close

func (f *Forwarder) Close() error

Close signals close to all outstanding or background operations to complete

type ForwarderConfig

type ForwarderConfig struct {
	// Tunnel is the teleport reverse tunnel server
	Tunnel reversetunnel.Server
	// ClusterName is a local cluster name
	ClusterName string
	// Keygen points to a key generator implementation
	Keygen sshca.Authority
	// Auth authenticates user
	Auth auth.Authorizer
	// Client is a proxy client
	Client auth.ClientI
	// DataDir is a data dir to store logs
	DataDir string
	// Namespace is a namespace of the proxy server (not a K8s namespace)
	Namespace string
	// AccessPoint is a caching access point to auth server
	// for caching common requests to the backend
	AccessPoint auth.AccessPoint
	// AuditLog is audit log to send events to
	AuditLog events.IAuditLog
	// ServerID is a unique ID of a proxy server
	ServerID string
	// ClusterOverride if set, routes all requests
	// to the cluster name, used in tests
	ClusterOverride string
	// Context passes the optional external context
	// passing global close to all forwarder operations
	Context context.Context
	// KubeconfigPath is a path to kubernetes configuration
	KubeconfigPath string
	// Clock is a server clock, could be overridden in tests
	Clock clockwork.Clock
}

ForwarderConfig specifies configuration for proxy forwarder

func (*ForwarderConfig) CheckAndSetDefaults

func (f *ForwarderConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type SpdyRoundTripper

type SpdyRoundTripper struct {
	// contains filtered or unexported fields
}

SpdyRoundTripper knows how to upgrade an HTTP request to one that supports multiplexed streams. After RoundTrip() is invoked, Conn will be set and usable. SpdyRoundTripper implements the UpgradeRoundTripper interface.

func NewSpdyRoundTripperWithDialer

func NewSpdyRoundTripperWithDialer(cfg roundTripperConfig) *SpdyRoundTripper

NewSpdyRoundTripperWithDialer creates a new SpdyRoundTripper that will use the specified tlsConfig. This function is mostly meant for unit tests.

func (*SpdyRoundTripper) Dial

func (s *SpdyRoundTripper) Dial(req *http.Request) (net.Conn, error)

Dial implements k8s.io/apimachinery/pkg/util/net.Dialer.

func (*SpdyRoundTripper) NewConnection

func (s *SpdyRoundTripper) NewConnection(resp *http.Response) (httpstream.Connection, error)

NewConnection validates the upgrade response, creating and returning a new httpstream.Connection if there were no errors.

func (*SpdyRoundTripper) RoundTrip

func (s *SpdyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip executes the Request and upgrades it. After a successful upgrade, clients may call SpdyRoundTripper.Connection() to retrieve the upgraded connection.

func (*SpdyRoundTripper) TLSClientConfig

func (s *SpdyRoundTripper) TLSClientConfig() *tls.Config

TLSClientConfig implements pkg/util/net.TLSClientConfigHolder for proper TLS checking during proxying with a spdy roundtripper.

type TLSServer

type TLSServer struct {
	*http.Server
	// TLSServerConfig is TLS server configuration used for auth server
	TLSServerConfig
}

TLSServer is TLS auth server

func NewTLSServer

func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)

NewTLSServer returns new unstarted TLS server

func (*TLSServer) GetConfigForClient

func (t *TLSServer) GetConfigForClient(info *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is getting called on every connection and server's GetConfigForClient reloads the list of trusted local and remote certificate authorities

func (*TLSServer) Serve

func (t *TLSServer) Serve(listener net.Listener) error

Serve takes TCP listener, upgrades to TLS using config and starts serving

type TLSServerConfig

type TLSServerConfig struct {
	// ForwarderConfig is a config of a forwarder
	ForwarderConfig
	// TLS is a base TLS configuration
	TLS *tls.Config
	// LimiterConfig is limiter config
	LimiterConfig limiter.LimiterConfig
	// AccessPoint is caching access point
	AccessPoint auth.AccessPoint
	// Component is used for debugging purposes
	Component string
}

TLSServerConfig is a configuration for TLS server

func (*TLSServerConfig) CheckAndSetDefaults

func (c *TLSServerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL