Documentation
Overview
Package rbac provides various Access Review API
Constants
This section is empty.
Variables
var MetricsACLConfig = ACLConfig{
	// contains filtered or unexported fields
}
MetricsACLConfig is an instance of ACLConfig and holds the configuration for accessing observability metrics gathered from ManagedClusters.
Functions
func GetResourceAccess
func GetResourceAccess(
	kclient kubernetes.Interface,
	gr schema.GroupResource,
	resourcenames []string,
	namespace string,
) (map[string][]string, error)
GetResourceAccess returns all configured ACLs for a given resource type. It returns a map from resource names to the ACLs for each resource. If no ACLs are configured for a given resource, an empty list is returned for it in the results.
- resourcenames are the names of the resources for which ACLs are returned. If no resource names are passed, ACLs for all allowed resources of the given type are returned.
- namespace is used for namespace-scoped resources; for cluster-scoped resources it should be left empty. If not specified, it defaults to the value "default" for namespace-scoped resources.
Types
type ACLConfig
type ACLConfig struct {
// contains filtered or unexported fields
}
ACLConfig holds the access control configuration needed to perform an action, e.g. the "get" permission on the "managedclusters" resource is needed to "view" a ManagedCluster on the ACM Hub. The configuration includes the API group and resource type but not the version, because rules in a Kubernetes ClusterRole do not specify a version.
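A stdlib-only Go model of the ACLConfig check and of GetResourceAccess's resource-name handling described above, added here as an illustration and not code from the rbac package. PolicyRule, the exported ACLConfig fields, ViewManagedClusters, AllowedResources and the API group string are assumptions; the real package evaluates the user's RBAC rules through client-go.

```go
package main

import "sort"

// PolicyRule holds the Kubernetes RBAC rule fields used here (a constructed model, not client-go's type).
type PolicyRule struct{ APIGroups, Resources, ResourceNames, Verbs []string }
// ACLConfig models the page's ACLConfig: the API group, resource type and verb an action needs (no version).
type ACLConfig struct{ APIGroup, Resource, Verb string }

// "get" on "managedclusters" is what lets a user "view" a ManagedCluster; the API group string is an assumption.
var ViewManagedClusters = ACLConfig{"cluster.open-cluster-management.io", "managedclusters", "get"}

// matches reports whether list grants want, honouring the RBAC "*" wildcard.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// AllowedResources mirrors GetResourceAccess's name handling: with names it returns those the rules permit
// under cfg; with none it returns every permitted name, "*" standing for all when a rule has no ResourceNames.
func AllowedResources(rules []PolicyRule, cfg ACLConfig, names []string) []string {
	granted := map[string]bool{} // resource names (or "*") the user's rules permit for cfg
	for _, r := range rules {
		if !matches(r.APIGroups, cfg.APIGroup) || !matches(r.Resources, cfg.Resource) || !matches(r.Verbs, cfg.Verb) {
			continue
		}
		granted["*"] = granted["*"] || len(r.ResourceNames) == 0 // no ResourceNames: every name is allowed
		for _, n := range r.ResourceNames {
			granted[n] = true
		}
	}
	if len(names) == 0 { // no names requested: report every permitted name
		for n := range granted {
			names = append(names, n)
		}
	}
	out := []string{}
	for _, n := range names {
		if granted["*"] || granted[n] {
			out = append(out, n)
		}
	}
	sort.Strings(out) // deterministic order for callers and tests
	return out
}
```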
type AccessReviewer
type AccessReviewer struct {
// contains filtered or unexported fields
}
AccessReviewer is the API for custom fine-grained access control. It holds the configuration needed to connect to the Kubernetes cluster and retrieve a user's access information. It must be instantiated through the NewAccessReviewer function, which performs the required validation.
func NewAccessReviewer
func NewAccessReviewer(kConfig *rest.Config, kClient kubernetes.Interface) (*AccessReviewer, error)
NewAccessReviewer creates an instance of AccessReviewer. It takes two parameters, kConfig and kClient, but expects a value to be set for exactly one of them. An error is returned if neither or both values are set.
- kConfig is the k8s cluster configuration. Set this when the API consumer intends to use the AccessReviewer instance to retrieve ACLs for different users. User-specific details (i.e. the token) must then be passed to every invocation of the access review API; they are used to create a k8s client that connects to the cluster and retrieves that user's ACLs.
- kClient is the k8s cluster client. Set this when the API consumer intends to use the AccessReviewer instance for a single user. The provided k8s client connection is used directly to fetch ACLs from the cluster, so the access review API can be invoked without passing the user's token on every call.
func (*AccessReviewer) GetMetricsAccess
func (r *AccessReviewer) GetMetricsAccess(userToken string, clusters ...string) (map[string][]string, error)
GetMetricsAccess retrieves the user's ACLs from the k8s cluster and processes them to determine the user's access to observability metrics gathered from managed clusters. It returns a map whose keys are managed cluster names and whose values are slices of allowed namespaces.
- userToken is the user's OAuth bearer token; it is required if a k8s config was set on the AccessReviewer.
- clusters are the names of the managed clusters for which allowed metrics access is returned. If no clusters are specified, metrics access is returned for all "allowed" managed clusters.