Documentation ¶
Overview ¶
Package serviceaccount provides implementations to manage service accounts and service account tokens
Index ¶
- Constants
- Variables
- func IsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool
- func JWTTokenAuthenticator(keys []*rsa.PublicKey, lookup bool, getter ServiceAccountTokenGetter) authenticator.Token
- func MakeGroupNames(namespace, name string) []string
- func MakeNamespaceGroupName(namespace string) string
- func MakeUsername(namespace, name string) string
- func ReadPrivateKey(file string) (*rsa.PrivateKey, error)
- func ReadPublicKey(file string) (*rsa.PublicKey, error)
- func SplitUsername(username string) (string, string, error)
- func UserInfo(namespace, name, uid string) user.Info
- type ServiceAccountTokenGetter
- type ServiceAccountsController
- type ServiceAccountsControllerOptions
- type TokenGenerator
- type TokensController
- type TokensControllerOptions
Constants ¶
const ( Issuer = "kubernetes/serviceaccount" SubjectClaim = "sub" IssuerClaim = "iss" ServiceAccountNameClaim = "kubernetes.io/serviceaccount/service-account.name" ServiceAccountUIDClaim = "kubernetes.io/serviceaccount/service-account.uid" SecretNameClaim = "kubernetes.io/serviceaccount/secret.name" NamespaceClaim = "kubernetes.io/serviceaccount/namespace" )
const ( ServiceAccountUsernamePrefix = "system:serviceaccount:" ServiceAccountUsernameSeparator = ":" ServiceAccountGroupPrefix = "system:serviceaccounts:" AllServiceAccountsGroup = "system:serviceaccounts" )
Variables ¶
var RemoveTokenBackoff = wait.Backoff{ Steps: 10, Duration: 100 * time.Millisecond, Jitter: 1.0, }
Functions ¶
func IsServiceAccountToken ¶
func IsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool
IsServiceAccountToken returns true if the secret is a valid api token for the service account
func JWTTokenAuthenticator ¶
func JWTTokenAuthenticator(keys []*rsa.PublicKey, lookup bool, getter ServiceAccountTokenGetter) authenticator.Token
JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator Token signatures are verified using each of the given public keys until one works (allowing key rotation) If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter
func MakeGroupNames ¶
MakeGroupNames generates service account group names for the given namespace and ServiceAccount name
func MakeNamespaceGroupName ¶
MakeNamespaceGroupName returns the name of the group all service accounts in the namespace are included in
func MakeUsername ¶
MakeUsername generates a username from the given namespace and ServiceAccount name. The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name.
func ReadPrivateKey ¶
func ReadPrivateKey(file string) (*rsa.PrivateKey, error)
ReadPrivateKey is a helper function for reading an rsa.PrivateKey from a PEM-encoded file
func ReadPublicKey ¶
ReadPublicKey is a helper function for reading an rsa.PublicKey from a PEM-encoded file Reads public keys from both public and private key files
func SplitUsername ¶
SplitUsername returns the namespace and ServiceAccount name embedded in the given username, or an error if the username is not a valid name produced by MakeUsername
Types ¶
type ServiceAccountTokenGetter ¶
type ServiceAccountTokenGetter interface { GetServiceAccount(namespace, name string) (*api.ServiceAccount, error) GetSecret(namespace, name string) (*api.Secret, error) }
ServiceAccountTokenGetter defines functions to retrieve a named service account and secret
func NewGetterFromClient ¶
func NewGetterFromClient(c client.Interface) ServiceAccountTokenGetter
NewGetterFromClient returns a ServiceAccountTokenGetter that uses the specified client to retrieve service accounts and secrets. The client should NOT authenticate using a service account token the returned getter will be used to retrieve, or recursion will result.
func NewGetterFromRegistries ¶
func NewGetterFromRegistries(serviceAccounts serviceaccount.Registry, secrets secret.Registry) ServiceAccountTokenGetter
NewGetterFromRegistries returns a ServiceAccountTokenGetter that uses the specified registries to retrieve service accounts and secrets.
func NewGetterFromStorageInterface ¶
func NewGetterFromStorageInterface(storage storage.Interface) ServiceAccountTokenGetter
NewGetterFromStorageInterface returns a ServiceAccountTokenGetter that uses the specified storage to retrieve service accounts and secrets.
type ServiceAccountsController ¶
type ServiceAccountsController struct {
// contains filtered or unexported fields
}
ServiceAccountsController manages ServiceAccount objects inside Namespaces
func NewServiceAccountsController ¶
func NewServiceAccountsController(cl client.Interface, options ServiceAccountsControllerOptions) *ServiceAccountsController
NewServiceAccountsController returns a new *ServiceAccountsController.
func (*ServiceAccountsController) Run ¶
func (e *ServiceAccountsController) Run()
Runs controller loops and returns immediately
func (*ServiceAccountsController) Stop ¶
func (e *ServiceAccountsController) Stop()
Stop gracefully shuts down this controller
type ServiceAccountsControllerOptions ¶
type ServiceAccountsControllerOptions struct { // ServiceAccounts is the list of service accounts to ensure exist in every namespace ServiceAccounts []api.ServiceAccount // ServiceAccountResync is the interval between full resyncs of ServiceAccounts. // If non-zero, all service accounts will be re-listed this often. // Otherwise, re-list will be delayed as long as possible (until the watch is closed or times out). ServiceAccountResync time.Duration // NamespaceResync is the interval between full resyncs of Namespaces. // If non-zero, all namespaces will be re-listed this often. // Otherwise, re-list will be delayed as long as possible (until the watch is closed or times out). NamespaceResync time.Duration }
ServiceAccountsControllerOptions contains options for running a ServiceAccountsController
func DefaultServiceAccountsControllerOptions ¶
func DefaultServiceAccountsControllerOptions() ServiceAccountsControllerOptions
type TokenGenerator ¶
type TokenGenerator interface { // GenerateToken generates a token which will identify the given ServiceAccount. // The returned token will be stored in the given (and yet-unpersisted) Secret. GenerateToken(serviceAccount api.ServiceAccount, secret api.Secret) (string, error) }
func JWTTokenGenerator ¶
func JWTTokenGenerator(key *rsa.PrivateKey) TokenGenerator
JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey. privateKey is a PEM-encoded byte array of a private RSA key. JWTTokenAuthenticator()
type TokensController ¶
type TokensController struct {
// contains filtered or unexported fields
}
TokensController manages ServiceAccountToken secrets for ServiceAccount objects
func NewTokensController ¶
func NewTokensController(cl client.Interface, options TokensControllerOptions) *TokensController
NewTokensController returns a new *TokensController.
func (*TokensController) Run ¶
func (e *TokensController) Run()
Runs controller loops and returns immediately
func (*TokensController) Stop ¶
func (e *TokensController) Stop()
Stop gracefully shuts down this controller
type TokensControllerOptions ¶
type TokensControllerOptions struct { // TokenGenerator is the generator to use to create new tokens TokenGenerator TokenGenerator // ServiceAccountResync is the time.Duration at which to fully re-list service accounts. // If zero, re-list will be delayed as long as possible ServiceAccountResync time.Duration // SecretResync is the time.Duration at which to fully re-list secrets. // If zero, re-list will be delayed as long as possible SecretResync time.Duration // This CA will be added in the secretes of service accounts RootCA []byte }
TokensControllerOptions contains options for the TokensController