bootstrappolicy

package
v3.11.0-alpha.0+incomp... Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 15, 2018 License: Apache-2.0 Imports: 37 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultOpenShiftSharedResourcesNamespace = "openshift"
	DefaultOpenShiftInfraNamespace           = "openshift-infra"
	DefaultOpenShiftNodeNamespace            = "openshift-node"
)

known namespaces

View Source
const (
	DefaultServiceAccountName  = "default"
	BuilderServiceAccountName  = "builder"
	DeployerServiceAccountName = "deployer"

	MasterUnqualifiedUsername     = "openshift-master"
	AggregatorUnqualifiedUsername = "openshift-aggregator"

	MasterUsername      = "system:" + MasterUnqualifiedUsername
	AggregatorUsername  = "system:" + AggregatorUnqualifiedUsername
	SystemAdminUsername = "system:admin"

	// Not granted any API permissions, just an identity for a client certificate for the API proxy to use
	// Should not be changed without considering impact to pods that may be verifying this identity by default
	MasterProxyUnqualifiedUsername = "master-proxy"
	MasterProxyUsername            = "system:" + MasterProxyUnqualifiedUsername

	// Previous versions used this as the username for the master to connect to the kubelet
	// This should remain in the default role bindings for the NodeAdmin role
	LegacyMasterKubeletAdminClientUsername = "system:master"
	MasterKubeletAdminClientUsername       = "system:openshift-node-admin"
)

users

View Source
const (
	UnauthenticatedUsername = "system:anonymous"

	AuthenticatedGroup      = "system:authenticated"
	AuthenticatedOAuthGroup = "system:authenticated:oauth"
	UnauthenticatedGroup    = "system:unauthenticated"
	ClusterAdminGroup       = "system:cluster-admins"
	ClusterReaderGroup      = "system:cluster-readers"
	MastersGroup            = "system:masters"
	NodesGroup              = "system:nodes"
	NodeAdminsGroup         = "system:node-admins"
	NodeReadersGroup        = "system:node-readers"
)

groups

View Source
const (
	ClusterAdminRoleName       = "cluster-admin"
	SudoerRoleName             = "sudoer"
	ScopeImpersonationRoleName = "system:scope-impersonation"
	ClusterReaderRoleName      = "cluster-reader"
	StorageAdminRoleName       = "storage-admin"
	ClusterDebuggerRoleName    = "cluster-debugger"
	AdminRoleName              = "admin"
	EditRoleName               = "edit"
	ViewRoleName               = "view"
	AggregatedAdminRoleName    = "system:openshift:aggregate-to-admin"
	AggregatedEditRoleName     = "system:openshift:aggregate-to-edit"
	AggregatedViewRoleName     = "system:openshift:aggregate-to-view"
	SelfProvisionerRoleName    = "self-provisioner"
	BasicUserRoleName          = "basic-user"
	StatusCheckerRoleName      = "cluster-status"
	SelfAccessReviewerRoleName = "self-access-reviewer"

	RegistryAdminRoleName  = "registry-admin"
	RegistryViewerRoleName = "registry-viewer"
	RegistryEditorRoleName = "registry-editor"

	TemplateServiceBrokerClientRoleName = "system:openshift:templateservicebroker-client"

	BuildStrategyDockerRoleName          = "system:build-strategy-docker"
	BuildStrategyCustomRoleName          = "system:build-strategy-custom"
	BuildStrategySourceRoleName          = "system:build-strategy-source"
	BuildStrategyJenkinsPipelineRoleName = "system:build-strategy-jenkinspipeline"

	ImageAuditorRoleName                = "system:image-auditor"
	ImagePullerRoleName                 = "system:image-puller"
	ImagePusherRoleName                 = "system:image-pusher"
	ImageBuilderRoleName                = "system:image-builder"
	ImagePrunerRoleName                 = "system:image-pruner"
	ImageSignerRoleName                 = "system:image-signer"
	DeployerRoleName                    = "system:deployer"
	RouterRoleName                      = "system:router"
	RegistryRoleName                    = "system:registry"
	MasterRoleName                      = "system:master"
	NodeRoleName                        = "system:node"
	NodeProxierRoleName                 = "system:node-proxier"
	SDNReaderRoleName                   = "system:sdn-reader"
	SDNManagerRoleName                  = "system:sdn-manager"
	OAuthTokenDeleterRoleName           = "system:oauth-token-deleter"
	WebHooksRoleName                    = "system:webhook"
	DiscoveryRoleName                   = "system:discovery"
	PersistentVolumeProvisionerRoleName = "system:persistent-volume-provisioner"

	// NodeAdmin has full access to the API provided by the kubelet
	NodeAdminRoleName = "system:node-admin"
	// NodeReader has read access to the metrics and stats provided by the kubelet
	NodeReaderRoleName = "system:node-reader"

	OpenshiftSharedResourceViewRoleName = "shared-resource-viewer"

	NodeBootstrapRoleName    = "system:node-bootstrapper"
	NodeConfigReaderRoleName = "system:node-config-reader"
)

Roles

View Source
const (
	// Legacy roles that must continue to have a plural form
	SelfAccessReviewerRoleBindingName = SelfAccessReviewerRoleName + "s"
	SelfProvisionerRoleBindingName    = SelfProvisionerRoleName + "s"
	DeployerRoleBindingName           = DeployerRoleName + "s"
	ClusterAdminRoleBindingName       = ClusterAdminRoleName + "s"
	ClusterReaderRoleBindingName      = ClusterReaderRoleName + "s"
	BasicUserRoleBindingName          = BasicUserRoleName + "s"
	OAuthTokenDeleterRoleBindingName  = OAuthTokenDeleterRoleName + "s"
	StatusCheckerRoleBindingName      = StatusCheckerRoleName + "-binding"
	ImagePullerRoleBindingName        = ImagePullerRoleName + "s"
	ImageBuilderRoleBindingName       = ImageBuilderRoleName + "s"
	RouterRoleBindingName             = RouterRoleName + "s"
	RegistryRoleBindingName           = RegistryRoleName + "s"
	MasterRoleBindingName             = MasterRoleName + "s"
	NodeRoleBindingName               = NodeRoleName + "s"
	NodeProxierRoleBindingName        = NodeProxierRoleName + "s"
	NodeAdminRoleBindingName          = NodeAdminRoleName + "s"
	NodeReaderRoleBindingName         = NodeReaderRoleName + "s"
	SDNReaderRoleBindingName          = SDNReaderRoleName + "s"
	SDNManagerRoleBindingName         = SDNManagerRoleName + "s"
	WebHooksRoleBindingName           = WebHooksRoleName + "s"
	DiscoveryRoleBindingName          = DiscoveryRoleName + "-binding"
	RegistryAdminRoleBindingName      = RegistryAdminRoleName + "s"
	RegistryViewerRoleBindingName     = RegistryViewerRoleName + "s"
	RegistryEditorRoleBindingName     = RegistryEditorRoleName + "s"

	OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s"

	// Bindings
	BuildStrategyDockerRoleBindingName          = BuildStrategyDockerRoleName + "-binding"
	BuildStrategyCustomRoleBindingName          = BuildStrategyCustomRoleName + "-binding"
	BuildStrategySourceRoleBindingName          = BuildStrategySourceRoleName + "-binding"
	BuildStrategyJenkinsPipelineRoleBindingName = BuildStrategyJenkinsPipelineRoleName + "-binding"
)

RoleBindings

View Source
const (
	// Authorization resources
	DockerBuildResource          = "builds/docker"
	OptimizedDockerBuildResource = "builds/optimizeddocker"
	SourceBuildResource          = "builds/source"
	CustomBuildResource          = "builds/custom"
	JenkinsPipelineBuildResource = "builds/jenkinspipeline"

	// These are valid under the "nodes" resource
	NodeMetricsSubresource = "metrics"
	NodeStatsSubresource   = "stats"
	NodeSpecSubresource    = "spec"
	NodeLogSubresource     = "log"
)

Resources and Subresources

View Source
const (
	InfraOriginNamespaceServiceAccountName                       = "origin-namespace-controller"
	InfraServiceAccountControllerServiceAccountName              = "serviceaccount-controller"
	InfraServiceAccountPullSecretsControllerServiceAccountName   = "serviceaccount-pull-secrets-controller"
	InfraServiceAccountTokensControllerServiceAccountName        = "serviceaccount-tokens-controller"
	InfraServiceServingCertServiceAccountName                    = "service-serving-cert-controller"
	InfraBuildControllerServiceAccountName                       = "build-controller"
	InfraBuildConfigChangeControllerServiceAccountName           = "build-config-change-controller"
	InfraDeploymentConfigControllerServiceAccountName            = "deploymentconfig-controller"
	InfraDeployerControllerServiceAccountName                    = "deployer-controller"
	InfraImageTriggerControllerServiceAccountName                = "image-trigger-controller"
	InfraImageImportControllerServiceAccountName                 = "image-import-controller"
	InfraSDNControllerServiceAccountName                         = "sdn-controller"
	InfraClusterQuotaReconciliationControllerServiceAccountName  = "cluster-quota-reconciliation-controller"
	InfraUnidlingControllerServiceAccountName                    = "unidling-controller"
	InfraServiceIngressIPControllerServiceAccountName            = "service-ingress-ip-controller"
	InfraPersistentVolumeRecyclerControllerServiceAccountName    = "pv-recycler-controller"
	InfraResourceQuotaControllerServiceAccountName               = "resourcequota-controller"
	InfraDefaultRoleBindingsControllerServiceAccountName         = "default-rolebindings-controller"
	InfraIngressToRouteControllerServiceAccountName              = "ingress-to-route-controller"
	InfraNamespaceSecurityAllocationControllerServiceAccountName = "namespace-security-allocation-controller"

	// template instance controller watches for TemplateInstance object creation
	// and instantiates templates as a result.
	InfraTemplateInstanceControllerServiceAccountName          = "template-instance-controller"
	InfraTemplateInstanceFinalizerControllerServiceAccountName = "template-instance-finalizer-controller"

	// template service broker is an open service broker-compliant API
	// implementation which serves up OpenShift templates.  It uses the
	// TemplateInstance backend for most of the heavy lifting.
	InfraTemplateServiceBrokerServiceAccountName = "template-service-broker"

	// This is a special constant which maps to the service account name used by the underlying
	// Kubernetes code, so that we can build out the extra policy required to scale OpenShift resources.
	InfraHorizontalPodAutoscalerControllerServiceAccountName = "horizontal-pod-autoscaler"
)
View Source
const (
	// SecurityContextConstraintPrivileged is used as the name for the system default privileged scc.
	SecurityContextConstraintPrivileged     = "privileged"
	SecurityContextConstraintPrivilegedDesc = "" /* 261-byte string literal not displayed */

	// SecurityContextConstraintRestricted is used as the name for the system default restricted scc.
	SecurityContextConstraintRestricted     = "restricted"
	SecurityContextConstraintRestrictedDesc = "" /* 227-byte string literal not displayed */

	// SecurityContextConstraintNonRoot is used as the name for the system default non-root scc.
	SecurityContextConstraintNonRoot     = "nonroot"
	SecurityContextConstraintNonRootDesc = "" /* 202-byte string literal not displayed */

	// SecurityContextConstraintHostMountAndAnyUID is used as the name for the system default host mount + any UID scc.
	SecurityContextConstraintHostMountAndAnyUID     = "hostmount-anyuid"
	SecurityContextConstraintHostMountAndAnyUIDDesc = "" /* 267-byte string literal not displayed */

	// SecurityContextConstraintHostNS is used as the name for the system default scc
	// that grants access to all host ns features.
	SecurityContextConstraintHostNS     = "hostaccess"
	SecurityContextConstraintHostNSDesc = "" /* 287-byte string literal not displayed */

	// SecurityContextConstraintsAnyUID is used as the name for the system default scc that
	// grants access to run as any uid but is still restricted to specific SELinux contexts.
	SecurityContextConstraintsAnyUID     = "anyuid"
	SecurityContextConstraintsAnyUIDDesc = "anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID."

	// SecurityContextConstraintsHostNetwork is used as the name for the system default scc that
	// grants access to run with host networking and host ports but still allocates uid/gids/selinux from the
	// namespace.
	SecurityContextConstraintsHostNetwork     = "hostnetwork"
	SecurityContextConstraintsHostNetworkDesc = "" /* 157-byte string literal not displayed */

	// DescriptionAnnotation is the annotation used for attaching descriptions.
	DescriptionAnnotation = "kubernetes.io/description"
)
View Source
const (
	InfraNodeBootstrapServiceAccountName = "node-bootstrapper"
)

Service Account Names that are not controller related

Variables

This section is empty.

Functions

func ControllerRoleBindings

func ControllerRoleBindings() []rbac.ClusterRoleBinding

ControllerRoleBindings returns the role bindings used by controllers

func ControllerRoles

func ControllerRoles() []rbac.ClusterRole

ControllerRoles returns the cluster roles used by controllers

func GetBoostrapSCCAccess added in v1.0.8

func GetBoostrapSCCAccess(infraNamespace string) (map[string][]string, map[string][]string)

GetBoostrapSCCAccess provides the default set of access that should be passed to GetBootstrapSecurityContextConstraints.

func GetBootstrapClusterRoleBindings

func GetBootstrapClusterRoleBindings() []rbac.ClusterRoleBinding

func GetBootstrapClusterRoles

func GetBootstrapClusterRoles() []rbac.ClusterRole

func GetBootstrapClusterRolesToAggregate

func GetBootstrapClusterRolesToAggregate() map[string]string

func GetBootstrapNamespaceRoleBindings

func GetBootstrapNamespaceRoleBindings() map[string][]rbac.RoleBinding

func GetBootstrapNamespaceRoles

func GetBootstrapNamespaceRoles() map[string][]rbac.Role

func GetBootstrapSecurityContextConstraints

func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string][]string, sccNameToAdditionalUsers map[string][]string) []*securityapi.SecurityContextConstraints

GetBootstrapSecurityContextConstraints returns the slice of default SecurityContextConstraints for system bootstrapping. This method takes additional users and groups that should be added to the strategies. Use GetBoostrapSCCAccess to produce the default set of mappings.

func GetBootstrapServiceAccountProjectRoleBindingNames

func GetBootstrapServiceAccountProjectRoleBindingNames() sets.String

func GetBootstrapServiceAccountProjectRoleBindings

func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []rbac.RoleBinding

func GetBootstrapServiceAccountProjectV1RoleBindings

func GetBootstrapServiceAccountProjectV1RoleBindings(namespace string) []rbacv1.RoleBinding

func GetDeadClusterRoleBindings

func GetDeadClusterRoleBindings() []rbac.ClusterRoleBinding

GetDeadClusterRoleBindings returns cluster role bindings which should no longer have any subjects. These are enumerated so that a reconcile that tightens permissions will properly remove them.

func GetDeadClusterRoles

func GetDeadClusterRoles() []rbac.ClusterRole

GetDeadClusterRoles returns cluster roles which should no longer have any permissions. These are enumerated so that a reconcile that tightens permissions will properly.

func GetOpenshiftBootstrapClusterRoleBindings

func GetOpenshiftBootstrapClusterRoleBindings() []rbac.ClusterRoleBinding

func GetOpenshiftBootstrapClusterRoles

func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole

func NamespaceRoleBindings

func NamespaceRoleBindings() map[string][]rbac.RoleBinding

NamespaceRoleBindings returns a map of namespace to slice of role bindings to create

func NamespaceRoles

func NamespaceRoles() map[string][]rbac.Role

NamespaceRoles returns a map of namespace to slice of roles to create

Types

type PolicyData

type PolicyData struct {
	ClusterRoles        []rbac.ClusterRole
	ClusterRoleBindings []rbac.ClusterRoleBinding
	Roles               map[string][]rbac.Role
	RoleBindings        map[string][]rbac.RoleBinding
	// ClusterRolesToAggregate maps from previous clusterrole name to the new clusterrole name
	ClusterRolesToAggregate map[string]string
}

func Policy

func Policy() *PolicyData

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL