Documentation
Index
- func BuiltIn() catalog.Plugin
- type AttestorConfig
- type AttestorPlugin
- func (p *AttestorPlugin) Attest(stream nodeattestor.NodeAttestor_AttestServer) error
- func (p *AttestorPlugin) Configure(ctx context.Context, req *spi.ConfigureRequest) (*spi.ConfigureResponse, error)
- func (p *AttestorPlugin) GetPluginInfo(context.Context, *spi.GetPluginInfoRequest) (*spi.GetPluginInfoResponse, error)
- type ClusterConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type AttestorConfig
type AttestorConfig struct {
	Clusters map[string]*ClusterConfig `hcl:"clusters"`
}
AttestorConfig contains a map of cluster configurations, keyed by cluster name.
type AttestorPlugin
type AttestorPlugin struct {
	nodeattestor.UnsafeNodeAttestorServer
	// contains filtered or unexported fields
}
AttestorPlugin is a PSAT (Projected SAT) node attestor plugin
func (*AttestorPlugin) Attest
func (p *AttestorPlugin) Attest(stream nodeattestor.NodeAttestor_AttestServer) error
func (*AttestorPlugin) Configure
func (p *AttestorPlugin) Configure(ctx context.Context, req *spi.ConfigureRequest) (*spi.ConfigureResponse, error)
func (*AttestorPlugin) GetPluginInfo
func (p *AttestorPlugin) GetPluginInfo(context.Context, *spi.GetPluginInfoRequest) (*spi.GetPluginInfoResponse, error)
type ClusterConfig
type ClusterConfig struct {
	// Array of whitelisted service account names
	// Attestation is denied if coming from a service account that is not in the list
	ServiceAccountWhitelist []string `hcl:"service_account_whitelist"`

	// Audience for PSAT token validation
	// If audience is not configured, defaultAudience will be used
	// If audience value is set to an empty slice, k8s apiserver audience will be used
	Audience *[]string `hcl:"audience"`

	// Kubernetes configuration file path
	// Used to create a k8s client to query the API server. If string is empty, in-cluster configuration is used
	KubeConfigFile string `hcl:"kube_config_file"`

	// Node labels that are allowed to be used as selectors
	AllowedNodeLabelKeys []string `hcl:"allowed_node_label_keys"`

	// Pod labels that are allowed to be used as selectors
	AllowedPodLabelKeys []string `hcl:"allowed_pod_label_keys"`
}
ClusterConfig holds the configuration for a single cluster