authconfigmap

package v0.59.0
Published: Jul 30, 2021 License: Apache-2.0 Imports: 27 Imported by: 12

Documentation

Overview

Package authconfigmap allows manipulation of the EKS auth ConfigMap (aws-auth), which maps IAM entities to Kubernetes groups.

See for more information:
- https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
- https://github.com/kubernetes-sigs/aws-iam-authenticator/blob/master/README.md#full-configuration-format

Constants

const (
	// ObjectName is the Kubernetes resource name of the auth ConfigMap
	ObjectName = "aws-auth"
	// ObjectNamespace is the namespace the object can be found
	ObjectNamespace = metav1.NamespaceSystem

	// GroupMasters is the admin group which is also automatically
	// granted to the IAM role that creates the cluster.
	GroupMasters = "system:masters"

	// RoleNodeGroupUsername is the default username for a nodegroup
	// role mapping.
	RoleNodeGroupUsername = "system:node:{{EC2PrivateDNSName}}"
)
const AssetDebug = false

AssetDebug is true if the assets were built with the debug flag enabled.

Variables

var RoleNodeGroupGroups = []string{"system:bootstrappers", "system:nodes"}

RoleNodeGroupGroups are the groups to allow roles to interact with the cluster, required for the instance role ARNs of nodegroups.

Functions

func AddNodeGroup

func AddNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error

AddNodeGroup creates or adds a nodegroup IAM role in the auth ConfigMap for the given nodegroup.

func Asset

func Asset(name string) ([]byte, error)

Asset loads and returns the asset for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetDigest

func AssetDigest(name string) ([sha256.Size]byte, error)

AssetDigest returns the digest of the file with the given name. It returns an error if the asset could not be found or the digest could not be loaded.

func AssetDir

func AssetDir(name string) ([]string, error)

AssetDir returns the file names below a certain directory embedded in the file by go-bindata. For example, if you run go-bindata on data/... and data contains the following hierarchy:

data/
  foo.txt
  img/
    a.png
    b.png

then AssetDir("data") would return []string{"foo.txt", "img"}, AssetDir("data/img") would return []string{"a.png", "b.png"}, AssetDir("foo.txt") and AssetDir("notexist") would return an error, and AssetDir("") would return []string{"data"}.

func AssetInfo

func AssetInfo(name string) (os.FileInfo, error)

AssetInfo loads and returns the asset info for the given name. It returns an error if the asset could not be found or could not be loaded.

func AssetNames

func AssetNames() []string

AssetNames returns the names of the assets.

func AssetString

func AssetString(name string) (string, error)

AssetString returns the asset contents as a string (instead of a []byte).

func Digests

func Digests() (map[string][sha256.Size]byte, error)

Digests returns a map of all known files and their checksums.

func MustAsset

func MustAsset(name string) []byte

MustAsset is like Asset but panics when Asset would return an error. It simplifies safe initialization of global variables.

func MustAssetString

func MustAssetString(name string) string

MustAssetString is like AssetString but panics when Asset would return an error. It simplifies safe initialization of global variables.

func ObjectMeta

func ObjectMeta() metav1.ObjectMeta

ObjectMeta constructs metadata for the ConfigMap.

func RemoveNodeGroup

func RemoveNodeGroup(clientSet kubernetes.Interface, ng *api.NodeGroup) error

RemoveNodeGroup removes a nodegroup from the ConfigMap and does a client update.

func RestoreAsset

func RestoreAsset(dir, name string) error

RestoreAsset restores an asset under the given directory.

func RestoreAssets

func RestoreAssets(dir, name string) error

RestoreAssets restores an asset under the given directory recursively.

Types

type AuthConfigMap

type AuthConfigMap struct {
	// contains filtered or unexported fields
}

AuthConfigMap allows modifying the auth ConfigMap.

func New

New creates an AuthConfigMap instance that manipulates the given ConfigMap. If the given ConfigMap is nil, a new one is created.

func NewFromClientSet

func NewFromClientSet(clientSet kubernetes.Interface) (*AuthConfigMap, error)

NewFromClientSet fetches the auth ConfigMap.

func (*AuthConfigMap) AddAccount

func (a *AuthConfigMap) AddAccount(account string) error

AddAccount appends an IAM account to the `mapAccounts` entry in the ConfigMap. It also deduplicates existing entries.

func (*AuthConfigMap) AddIdentity

func (a *AuthConfigMap) AddIdentity(identity iam.Identity) error

AddIdentity maps an IAM role or user ARN to a Kubernetes group dynamically, modifying the role or user with the given groups. If you are calling this as part of node creation, you should use DefaultNodeGroups.

func (*AuthConfigMap) AddIdentityIfNotPresent

func (a *AuthConfigMap) AddIdentityIfNotPresent(identity iam.Identity, exists func(iam.Identity) bool) error

AddIdentityIfNotPresent adds the specified identity only if the predicate exists(identity) returns false for all existing entries.

func (*AuthConfigMap) Identities

func (a *AuthConfigMap) Identities() ([]iam.Identity, error)

Identities returns a list of the IAM users and roles currently in the (cached) ConfigMap.

func (*AuthConfigMap) RemoveAccount

func (a *AuthConfigMap) RemoveAccount(account string) error

RemoveAccount removes the given IAM account entry in mapAccounts.

func (*AuthConfigMap) RemoveIdentity

func (a *AuthConfigMap) RemoveIdentity(arnToDelete string, all bool) error

RemoveIdentity removes an identity. If `all` is false it will only remove the first it encounters and return an error if it cannot find it. If `all` is true it will remove all of them and not return an error if it cannot be found.

func (*AuthConfigMap) Save

func (a *AuthConfigMap) Save() (err error)

Save persists the ConfigMap to the cluster. It determines whether to create or update by looking at the ConfigMap's UID.
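An added example, not code from the eksctl package documented here: it models in plain Go (no eksctl imports) the AddIdentityIfNotPresent predicate and the RemoveIdentity `all` semantics described above over a hypothetical Identity type standing in for iam.Identity, and adds a MastersMappings audit listing entries in the system:masters group that GroupMasters names.

```go
package main
import "fmt"
// Identity is a hypothetical stand-in for the page's iam.Identity (one aws-auth entry).
type Identity struct{ ARN, Username string; Groups []string }
const GroupMasters = "system:masters" // from the package constants above
// AuthMap models the identity list held in the aws-auth ConfigMap.
type AuthMap struct{ Identities []Identity }
// AddIdentityIfNotPresent appends id only if exists() is false for every entry.
func (a *AuthMap) AddIdentityIfNotPresent(id Identity, exists func(Identity) bool) {
	for _, e := range a.Identities {
		if exists(e) {
			return
		}
	}
	a.Identities = append(a.Identities, id)
}
// RemoveIdentity: all=false removes the first match and errors if none; all=true removes every match.
func (a *AuthMap) RemoveIdentity(arn string, all bool) error {
	kept, removed := []Identity(nil), 0
	for _, e := range a.Identities {
		if e.ARN == arn && (all || removed == 0) {
			removed++
			continue
		}
		kept = append(kept, e)
	}
	if removed == 0 && !all {
		return fmt.Errorf("identity %q not found in aws-auth", arn)
	}
	a.Identities = kept
	return nil
}
// MastersMappings lists ARNs mapped into system:masters, the admin group to audit first.
func (a *AuthMap) MastersMappings() (out []string) {
	for _, e := range a.Identities {
		for _, g := range e.Groups {
			if g == GroupMasters {
				out = append(out, e.ARN)
				break
			}
		}
	}
	return out
}
func main() {
	m := AuthMap{}
	admin := Identity{"arn:aws:iam::111122223333:role/admin", "admin", []string{GroupMasters}} // constructed
	m.AddIdentityIfNotPresent(admin, func(e Identity) bool { return e.ARN == admin.ARN })
	fmt.Println(m.MastersMappings(), m.RemoveIdentity(admin.ARN, false), m.RemoveIdentity(admin.ARN, true))
}
```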

type ServiceAccess

type ServiceAccess struct {
	// contains filtered or unexported fields
}

ServiceAccess grants an AWS service access to an EKS cluster.

func NewServiceAccess

func NewServiceAccess(rawClient *kubernetes.RawClient, acm *AuthConfigMap, accountID string) *ServiceAccess

NewServiceAccess creates a new ServiceAccess.

func (*ServiceAccess) Grant

func (s *ServiceAccess) Grant(serviceName, namespace string) error

Grant grants access to the specified service.

type ServiceName

type ServiceName string
