podidentityassociation

package
v0.201.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 14, 2025 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsPodIdentityAgentInstalled added in v0.166.0

func IsPodIdentityAgentInstalled(ctx context.Context, eksAPI awsapi.EKS, clusterName string) (bool, error)

func MakeAddonPodIdentityStackName added in v0.181.0

func MakeAddonPodIdentityStackName(clusterName, addonName, serviceAccountName string) string

func MakeStackName

func MakeStackName(clusterName, namespace, serviceAccountName string) string

MakeStackName creates a stack name for the specified access entry.

Types

type APIDeleter

type APIDeleter interface {
	APILister
	DeletePodIdentityAssociation(ctx context.Context, params *eks.DeletePodIdentityAssociationInput, optFns ...func(*eks.Options)) (*eks.DeletePodIdentityAssociationOutput, error)
}

APIDeleter lists and deletes pod identity associations using the EKS API.

type APILister

type APILister interface {
	ListPodIdentityAssociations(ctx context.Context, params *eks.ListPodIdentityAssociationsInput, optFns ...func(*eks.Options)) (*eks.ListPodIdentityAssociationsOutput, error)
}

APILister lists pod identity associations using the EKS API.

type APIUpdater

type APIUpdater interface {
	APILister
	DescribePodIdentityAssociation(ctx context.Context, params *eks.DescribePodIdentityAssociationInput, optFns ...func(*eks.Options)) (*eks.DescribePodIdentityAssociationOutput, error)
	UpdatePodIdentityAssociation(ctx context.Context, params *eks.UpdatePodIdentityAssociationInput, optFns ...func(*eks.Options)) (*eks.UpdatePodIdentityAssociationOutput, error)
}

APIUpdater updates pod identity associations using the EKS API.

type AddonCreator added in v0.166.0

type AddonCreator interface {
	Create(ctx context.Context, addon *api.Addon, waitTimeout time.Duration) error
}

type AddonMigrator added in v0.181.0

type AddonMigrator struct {
	ClusterName                   string
	AddonServiceAccountRoleMapper AddonServiceAccountRoleMapper
	IAMRoleGetter                 IAMRoleGetter
	StackDescriber                StackDescriber
	EKSAddonsAPI                  EKSAddonsAPI
	RoleMigrator                  RoleMigrator
}

AddonMigrator migrates EKS managed addons using IRSAv1 to EKS Pod Identity.

func (*AddonMigrator) Migrate added in v0.181.0

func (a *AddonMigrator) Migrate(ctx context.Context) (*tasks.TaskTree, error)

Migrate migrates all EKS addons to use EKS Pod Identity.

type AddonServiceAccountRoleMapper added in v0.181.0

type AddonServiceAccountRoleMapper map[string]*ekstypes.Addon

AddonServiceAccountRoleMapper maps service account role ARNs to EKS addons.

func CreateAddonServiceAccountRoleMapper added in v0.181.0

func CreateAddonServiceAccountRoleMapper(ctx context.Context, clusterName string, eksAddonsAPI EKSAddonsAPI) (AddonServiceAccountRoleMapper, error)

CreateAddonServiceAccountRoleMapper creates an AddonServiceAccountRoleMapper that maps service account role ARNs to EKS addons.

func (AddonServiceAccountRoleMapper) AddonForServiceAccountRole added in v0.181.0

func (m AddonServiceAccountRoleMapper) AddonForServiceAccountRole(roleARN string) *ekstypes.Addon

AddonForServiceAccountRole returns the addon used by roleARN.

type Creator

type Creator struct {
	// contains filtered or unexported fields
}

func NewCreator

func NewCreator(clusterName string, stackCreator StackCreator, eksAPI awsapi.EKS, clientSet kubeclient.Interface) *Creator

func (*Creator) CreatePodIdentityAssociations

func (c *Creator) CreatePodIdentityAssociations(ctx context.Context, podIdentityAssociations []api.PodIdentityAssociation) error

func (*Creator) CreateTasks

func (c *Creator) CreateTasks(ctx context.Context, podIdentityAssociations []api.PodIdentityAssociation, ignorePodIdentityExistsErr bool) *tasks.TaskTree

type Deleter

type Deleter struct {
	// ClusterName is the cluster name.
	ClusterName string
	// StackDeleter is used to delete stacks.
	StackDeleter StackDeleter
	// APIDeleter deletes pod identity associations using the EKS API.
	APIDeleter APIDeleter
	// ClientSet is used to delete K8s service accounts.
	ClientSet kubeclient.Interface
}

A Deleter deletes pod identity associations.

func NewDeleter

func NewDeleter(clusterName string, stackDeleter StackDeleter, apiDeleter APIDeleter, clientSet kubeclient.Interface) *Deleter

func (*Deleter) Delete

func (d *Deleter) Delete(ctx context.Context, podIDs []Identifier) error

Delete deletes the specified podIdentityAssociations.

func (*Deleter) DeleteTasks

func (d *Deleter) DeleteTasks(ctx context.Context, podIDs []Identifier) (*tasks.TaskTree, error)

type EKSAddonsAPI added in v0.181.0

type EKSAddonsAPI interface {
	ListAddons(ctx context.Context, params *eks.ListAddonsInput, optFns ...func(*eks.Options)) (*eks.ListAddonsOutput, error)
	DescribeAddon(ctx context.Context, params *eks.DescribeAddonInput, optFns ...func(*eks.Options)) (*eks.DescribeAddonOutput, error)
	DescribeAddonConfiguration(ctx context.Context, params *eks.DescribeAddonConfigurationInput, optFns ...func(*eks.Options)) (*eks.DescribeAddonConfigurationOutput, error)
	UpdateAddon(ctx context.Context, params *eks.UpdateAddonInput, optFns ...func(*eks.Options)) (*eks.UpdateAddonOutput, error)
}

type Getter

type Getter struct {
	// contains filtered or unexported fields
}

func NewGetter

func NewGetter(clusterName string, eksAPI awsapi.EKS) *Getter

func (*Getter) GetPodIdentityAssociations

func (g *Getter) GetPodIdentityAssociations(ctx context.Context, namespace, serviceAccountName string) ([]Summary, error)

type IAMRoleCreator added in v0.181.0

type IAMRoleCreator struct {
	ClusterName  string
	StackCreator StackCreator
}

IAMRoleCreator creates IAM resources for a pod identity association.

func (*IAMRoleCreator) Create added in v0.181.0

func (r *IAMRoleCreator) Create(ctx context.Context, podIdentityAssociation *api.PodIdentityAssociation, addonName string) (string, error)

Create creates IAM resources for podIdentityAssociation. If podIdentityAssociation belongs to an addon, addonName must be non-empty.

type IAMRoleGetter added in v0.181.0

type IAMRoleGetter interface {
	GetRole(ctx context.Context, params *iam.GetRoleInput, optFns ...func(*iam.Options)) (*iam.GetRoleOutput, error)
}

type IAMRoleUpdater added in v0.181.0

type IAMRoleUpdater struct {
	// StackUpdater updates CloudFormation stacks.
	StackUpdater StackUpdater
}

IAMRoleUpdater updates IAM resources for pod identity associations.

func (*IAMRoleUpdater) Update added in v0.181.0

func (u *IAMRoleUpdater) Update(ctx context.Context, podIdentityAssociation api.PodIdentityAssociation, stackName, podIdentityAssociationID string) (string, bool, error)

Update updates IAM resources for podIdentityAssociation and returns an IAM role ARN upon success. The boolean return value reports whether the IAM resources have changed or not.

type IRSAv1StackNameResolver added in v0.166.0

type IRSAv1StackNameResolver map[string]IRSAv1StackSummary

func (*IRSAv1StackNameResolver) GetStack added in v0.166.0

func (r *IRSAv1StackNameResolver) GetStack(roleARN string) (IRSAv1StackSummary, bool)

func (*IRSAv1StackNameResolver) Populate added in v0.166.0

func (r *IRSAv1StackNameResolver) Populate(
	getIAMServiceAccounts func() ([]*api.ClusterIAMServiceAccount, error),
) error

type IRSAv1StackSummary added in v0.166.0

type IRSAv1StackSummary struct {
	Name         string
	Tags         map[string]string
	Capabilities []string
}

type Identifier

type Identifier struct {
	// Namespace is the namespace the service account belongs to.
	Namespace string
	// ServiceAccountName is the name of the Kubernetes ServiceAccount.
	ServiceAccountName string
}

Identifier represents a pod identity association.

func ToIdentifiers

func ToIdentifiers(podIdentityAssociations []api.PodIdentityAssociation) []Identifier

ToIdentifiers maps a list of PodIdentityAssociations to a list of Identifiers.

func (Identifier) IDString added in v0.166.0

func (i Identifier) IDString() string

func (Identifier) NameString added in v0.166.0

func (i Identifier) NameString() string

type Migrator added in v0.166.0

type Migrator struct {
	// contains filtered or unexported fields
}

func NewMigrator added in v0.166.0

func NewMigrator(
	clusterName string,
	eksAPI awsapi.EKS,
	iamAPI awsapi.IAM,
	stackUpdater StackUpdater,
	clientSet kubernetes.Interface,
	addonCreator AddonCreator,
) *Migrator

func (*Migrator) MigrateToPodIdentity added in v0.166.0

func (m *Migrator) MigrateToPodIdentity(ctx context.Context, options PodIdentityMigrationOptions) error

type PodIdentityMigrationOptions added in v0.166.0

type PodIdentityMigrationOptions struct {
	RemoveOIDCProviderTrustRelationship bool
	Approve                             bool
	Timeout                             time.Duration
}

type RoleMigrator added in v0.181.0

type RoleMigrator interface {
	UpdateTrustPolicyForOwnedRoleTask(ctx context.Context, roleName, serviceAccountName string, stack IRSAv1StackSummary, removeOIDCProviderTrustRelationship bool) tasks.Task
	UpdateTrustPolicyForUnownedRoleTask(ctx context.Context, roleName string, removeOIDCProviderTrustRelationship bool) tasks.Task
}

A RoleMigrator updates an IAM role to use EKS Pod Identity.

type RoleUpdateValidator added in v0.181.0

type RoleUpdateValidator struct {
	StackDescriber StackDescriber
}

func (*RoleUpdateValidator) ValidateRoleUpdate added in v0.181.0

func (r *RoleUpdateValidator) ValidateRoleUpdate(pia api.PodIdentityAssociation, association ekstypes.PodIdentityAssociation, hasStack bool) error

ValidateRoleUpdate validates the role associated with pia.

type StackCreator added in v0.166.0

type StackCreator interface {
	CreateStack(ctx context.Context, name string, stack builder.ResourceSetReader, tags, parameters map[string]string, errs chan error) error
}

type StackDeleter

type StackDeleter interface {
	StackLister
	DeleteStackBySpecSync(ctx context.Context, stack *cfntypes.Stack, errCh chan error) error
}

A StackDeleter lists and deletes CloudFormation stacks.

type StackDescriber added in v0.181.0

type StackDescriber interface {
	DescribeStack(context.Context, *manager.Stack) (*manager.Stack, error)
}

type StackLister

type StackLister interface {
	ListPodIdentityStackNames(ctx context.Context) ([]string, error)
	DescribeStack(ctx context.Context, stack *manager.Stack) (*manager.Stack, error)
	GetStackTemplate(ctx context.Context, stackName string) (string, error)
	GetIAMServiceAccounts(ctx context.Context) ([]*api.ClusterIAMServiceAccount, error)
}

A StackLister lists and describes CloudFormation stacks.

type StackUpdater

type StackUpdater interface {
	StackLister
	// MustUpdateStack updates the CloudFormation stack.
	MustUpdateStack(ctx context.Context, options manager.UpdateStackOptions) error
}

A StackUpdater updates CloudFormation stacks.

type Summary

type Summary struct {
	AssociationARN     string
	Namespace          string
	ServiceAccountName string
	RoleARN            string
	OwnerARN           string
}

type UpdateConfig added in v0.181.0

type UpdateConfig struct {
	PodIdentityAssociation api.PodIdentityAssociation
	AssociationID          string
	HasIAMResourcesStack   bool
	StackName              string
}

UpdateConfig holds configuration for updating a pod identity association.

type Updater

type Updater struct {
	// ClusterName is the cluster name.
	ClusterName string
	// StackUpdater updates stacks.
	StackUpdater StackUpdater
	// APIDeleter updates pod identity associations using the EKS API.
	APIUpdater APIUpdater
}

An Updater updates pod identity associations.

func (*Updater) Update

func (u *Updater) Update(ctx context.Context, podIdentityAssociations []api.PodIdentityAssociation) error

Update updates the specified pod identity associations.

Directories

Path Synopsis
Code generated by counterfeiter.
Code generated by counterfeiter.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL