k8s

package
v1.1.4 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Apr 13, 2022 License: Apache-2.0 Imports: 7 Imported by: 6

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AgentID

func AgentID(pluginName, trustDomain, cluster, uuid string) string

func GetNamesFromTokenStatus

func GetNamesFromTokenStatus(tokenStatus *authv1.TokenReviewStatus) (string, string, error)

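GetNamesFromTokenStatus parses a fully qualified Kubernetes username, such as 'system:serviceaccount:spire:spire-agent', from tokenStatus. The string is split and its last two names are returned: the namespace and the service account name. This description does not say whether tokenStatus.Authenticated is checked, so callers should confirm that the token review succeeded before trusting the returned names.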

func GetPodNameFromTokenStatus

func GetPodNameFromTokenStatus(tokenStatus *authv1.TokenReviewStatus) (string, error)

GetPodNameFromTokenStatus extracts the pod name from a TokenReviewStatus.

func GetPodUIDFromTokenStatus

func GetPodUIDFromTokenStatus(tokenStatus *authv1.TokenReviewStatus) (string, error)

GetPodUIDFromTokenStatus extracts the pod UID from a TokenReviewStatus.

func MakeSelectorValue added in v1.0.0

func MakeSelectorValue(kind string, values ...string) string

Types

type PSATAttestationData

// PSATAttestationData pairs a cluster name with a token. It is encoded as
// JSON under the keys "cluster" and "token".
//
// NOTE(review): judging by the type name, Token presumably holds a raw
// projected service account token, which is a bearer credential. Keep it out
// of logs and error messages. Cluster is whatever the sender put in the
// payload; nothing in this declaration validates either field. Confirm how
// callers check them.
type PSATAttestationData struct {
	// Cluster is the cluster name as supplied in the payload.
	Cluster string `json:"cluster"`
	// Token is the token string as supplied in the payload.
	Token   string `json:"token"`
}

type PSATClaims

// PSATClaims represents the claims in a projected service account token.
//
// It embeds jwt.Claims and adds the "kubernetes.io" claim, which carries the
// namespace plus the name and UID of both the pod and the service account.
//
// Nothing in this declaration validates the token. Whether the signature,
// audience and expiry are checked depends on the code that fills this struct
// in, so the pod and service account identities should be trusted only after
// that validation has succeeded.
type PSATClaims struct {
	// NOTE(review): presumably the registered claims (aud, exp, iat, iss,
	// nbf, sub); confirm against the jwt package this file imports.
	jwt.Claims
	// K8s maps the "kubernetes.io" claim object.
	K8s struct {
		// Namespace is read from "kubernetes.io".namespace.
		Namespace string `json:"namespace"`

		// Pod is read from "kubernetes.io".pod.
		Pod struct {
			Name string `json:"name"`
			UID  string `json:"uid"`
		} `json:"pod"`

		// ServiceAccount is read from "kubernetes.io".serviceaccount.
		ServiceAccount struct {
			Name string `json:"name"`
			UID  string `json:"uid"`
		} `json:"serviceaccount"`
	} `json:"kubernetes.io"`
}

PSATClaims represents claims in a projected service account token, for example:

{
	 "aud": [
	   "spire-server"
	 ],
	 "exp": 1550850854,
	 "iat": 1550843654,
	 "iss": "api",
	 "kubernetes.io": {
	   "namespace": "spire",
	   "pod": {
	 	"name": "spire-agent-5d84p",
	 	"uid": "56857f33-36a9-11e9-860c-080027b25557"
	   },
	   "serviceaccount": {
	 	"name": "spire-agent",
	 	"uid": "ca29bd95-36a8-11e9-b8af-080027b25557"
	   }
	 },
	 "nbf": 1550843654,
	 "sub": "system:serviceaccount:spire:spire-agent"
}

type SATAttestationData

// SATAttestationData pairs a cluster name with a token. It is encoded as
// JSON under the keys "cluster" and "token".
//
// NOTE(review): judging by the type name, Token presumably holds a raw
// service account token, which is a bearer credential. Keep it out of logs
// and error messages. Cluster is whatever the sender put in the payload;
// nothing in this declaration validates either field. Confirm how callers
// check them.
type SATAttestationData struct {
	// Cluster is the cluster name as supplied in the payload.
	Cluster string `json:"cluster"`
	// Token is the token string as supplied in the payload.
	Token   string `json:"token"`
}

type SATClaims

// SATClaims represents the claims in a service account token.
//
// It embeds jwt.Claims and reads the namespace and service account name from
// the flat "kubernetes.io/serviceaccount/..." claims. It also declares the
// nested "kubernetes.io" claim object used by projected tokens.
//
// Nothing in this declaration validates the token; the decoded values should
// be trusted only after the code that fills this struct in has verified it.
//
// NOTE(review): the documented example token for this type has no exp or aud
// claim, so such tokens are presumably long-lived and not audience-bound.
// Confirm how callers account for that.
type SATClaims struct {
	// NOTE(review): presumably the registered claims (iss, sub, ...); confirm
	// against the jwt package this file imports.
	jwt.Claims
	// Namespace is read from "kubernetes.io/serviceaccount/namespace".
	Namespace          string `json:"kubernetes.io/serviceaccount/namespace"`
	// ServiceAccountName is read from
	// "kubernetes.io/serviceaccount/service-account.name".
	ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"`

	// K8s is included in case a projected service account token is parsed as
	// a regular service account token. In that case the namespace and service
	// account name arrive under the nested "kubernetes.io" claim, not the flat
	// claims above.
	// NOTE(review): confirm whether callers use a populated K8s to reject the
	// token or to fall back to these values.
	K8s struct {
		Namespace      string `json:"namespace"`
		ServiceAccount struct {
			Name string `json:"name"`
		} `json:"serviceaccount"`
	} `json:"kubernetes.io"`
}

SATClaims represents claims in a service account token, for example:

{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "spire",
  "kubernetes.io/serviceaccount/secret.name": "spire-agent-token-zjr8v",
  "kubernetes.io/serviceaccount/service-account.name": "spire-agent",
  "kubernetes.io/serviceaccount/service-account.uid": "1881e84f-b612-11e8-a543-0800272c6e42",
  "sub": "system:serviceaccount:spire:spire-agent"
}
