Copyright 2019, Verizon Media Inc. Licensed under the terms of the 3-Clause BSD license. See LICENSE file in github.com/yahoo/k8s-athenz-istio-auth for terms.
Copyright 2019, Verizon Media Inc. Licensed under the terms of the 3-Clause BSD license. See LICENSE file in github.com/yahoo/k8s-athenz-istio-auth for terms.
Copyright 2019, Verizon Media Inc. Licensed under the terms of the 3-Clause BSD license. See LICENSE file in github.com/yahoo/k8s-athenz-istio-auth for terms.
Index ¶
- Constants
- func CheckAthenzMemberExpiry(member interface{}) (bool, error)
- func CheckAthenzSystemDisabled(member interface{}) (bool, error)
- func CheckIfMemberIsAllUsersFromDomain(member interface{}, domainName zms.DomainName) (string, error)
- func ConvertAthenzRoleNameToK8sName(roleName string) string
- func ConvertSliceToKeyedMap(in []model.Config) map[string]model.Config
- func Equal(c1, c2 model.Config) bool
- func GetAdminDomainNamespaceMap(systemNamespaces []string, adminDomains []string) map[string]string
- func GetAdminPrincipleNamespaceMap(customServiceMap map[string]string, adminDomains []string) map[string]string
- func GetMemberName(member interface{}) string
- func GetServiceRoleBindingSpec(athenzDomainName string, roleName string, k8sRoleName string, ...) (*v1alpha1.ServiceRoleBinding, error)
- func GetServiceRoleSpec(domainName zms.DomainName, roleName string, assertions []*zms.Assertion) (*v1alpha1.ServiceRole, error)
- func MemberToOriginJwtSubject(member interface{}) (string, error)
- func MemberToSpiffe(member interface{}, enableSpiffeTrustDomain bool, ...) ([]string, error)
- func NewConfig(schema collection.Schema, namespace string, name string, spec proto.Message) model.Config
- func ParseAssertionAction(assertion *zms.Assertion) (string, error)
- func ParseAssertionEffect(assertion *zms.Assertion) (string, error)
- func ParseAssertionResource(domainName zms.DomainName, assertion *zms.Assertion) (string, string, error)
- func ParseRoleFQDN(domainName zms.DomainName, roleFQDN string) (string, error)
- func PrincipalToSpiffe(principal string) (string, error)
- func PrincipalToTrustDomainSpiffe(principal string, adminDomainNamespaceMap map[string]string, ...) ([]string, error)
- func ReadConvertToModelConfig(serviceName, namespace, localDirPath string) (*model.Config, error)
- func ReadDirectoryConvertToModelConfig(namespace, localDirPath string) ([]model.Config, error)
- func RoleToSpiffe(athenzDomainName string, roleName string) (string, error)
- func RoleToTrustDomainSpiffe(athenzDomainName string, roleName string) (string, error)
- type ApiHandler
- type ComponentEnabled
- type DryRunHandler
- type EventHandler
- type Item
- type OnCompleteFunc
Constants ¶
// Sentinel strings shared by the Athenz-to-Istio authorization-policy helpers.
const (
	// WildCardAll is the wildcard value; presumably "match everything" wherever
	// it is compared — confirm at the call sites.
	WildCardAll = "*"
	// ServiceRoleKind is the Kind string of the Istio ServiceRole resource that
	// GetServiceRoleSpec produces.
	ServiceRoleKind = "ServiceRole"
	// AthenzJwtPrefix prefixes the request.auth.principal value built for an
	// Athenz member, e.g. "athenz/example.domain.service" (see MemberToOriginJwtSubject).
	AthenzJwtPrefix = "athenz/"
	// RequestAuthPrincipalProperty is the Istio RBAC attribute name the JWT
	// subject is matched against.
	RequestAuthPrincipalProperty = "request.auth.principal"
	// DryRunStoredFilesDirectory is the absolute path under which dry-run output
	// is stored. NOTE(review): a fixed directory under /root holding generated
	// authorization policy — confirm its ownership and permissions at deploy time.
	DryRunStoredFilesDirectory = "/root/authzpolicy/"
	// ConstraintSvcKey is the AccessRule constraint key naming the destination
	// service (see ParseAssertionResource).
	ConstraintSvcKey = "destination.labels[svc]"
)
Functions ¶
func CheckAthenzMemberExpiry ¶ added in v1.0.0
CheckAthenzMemberExpiry checks if Expiration field (timezone UTC) is set in the roleMember object, and then checks if expiration date surpasses current time
func CheckAthenzSystemDisabled ¶ added in v1.0.0
CheckAthenzSystemDisabled checks if the Athenz domain is system-disabled; if so, the controller skips processing the current role member
func CheckIfMemberIsAllUsersFromDomain ¶ added in v1.0.0
func CheckIfMemberIsAllUsersFromDomain(member interface{}, domainName zms.DomainName) (string, error)
CheckIfMemberIsAllUsersFromDomain returns namespace for Athenz domain when role/group member is of form '<athenz-domain>.*'. Example: domain.sub-domain.* -> domain-sub--domain
func ConvertAthenzRoleNameToK8sName ¶
ConvertAthenzRoleNameToK8sName replaces the '_' in the Athenz role name to a '--' as Kubernetes resource name needs to follow a DNS-1123 subdomain format which must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character
func ConvertSliceToKeyedMap ¶ added in v1.0.0
ConvertSliceToKeyedMap converts the input model.Config slice into a map with (type/namespace/name) formatted key
func GetAdminDomainNamespaceMap ¶ added in v1.1.0
func GetAdminPrincipleNamespaceMap ¶ added in v1.1.0
func GetMemberName ¶ added in v1.0.0
func GetMemberName(member interface{}) string
GetMemberName computes the name of the member based on whether the type of the member is *zms.GroupMember or *zms.RoleMember
func GetServiceRoleBindingSpec ¶
func GetServiceRoleBindingSpec(athenzDomainName string, roleName string, k8sRoleName string, members []*zms.RoleMember, enableOriginJwtSubject bool) (*v1alpha1.ServiceRoleBinding, error)
GetServiceRoleBindingSpec returns the ServiceRoleBindingSpec for a given Athenz role and its members
func GetServiceRoleSpec ¶
func GetServiceRoleSpec(domainName zms.DomainName, roleName string, assertions []*zms.Assertion) (*v1alpha1.ServiceRole, error)
GetServiceRoleSpec returns the ServiceRoleSpec for a given Athenz role and the associated assertions
func MemberToOriginJwtSubject ¶ added in v1.0.0
MemberToOriginJwtSubject parses the Athenz role/group member into the request.auth.principal JWT format. Example: athenz/example.domain.service
func MemberToSpiffe ¶ added in v1.0.0
func MemberToSpiffe(member interface{}, enableSpiffeTrustDomain bool, adminDomainNamespaceMap map[string]string, adminPrincipleNamespaceMap map[string]string) ([]string, error)
MemberToSpiffe parses the Athenz role/group member into a SPIFFE compliant name. Example: example.domain/sa/service
func NewConfig ¶
func NewConfig(schema collection.Schema, namespace string, name string, spec proto.Message) model.Config
NewConfig returns a new model.Config resource for the passed-in type with the given namespace/name and spec
func ParseAssertionAction ¶ added in v1.0.0
ParseAssertionAction parses the action of an assertion into a supported Istio RBAC HTTP method
func ParseAssertionEffect ¶ added in v1.0.0
ParseAssertionEffect parses the effect of an assertion into a supported Istio RBAC action
func ParseAssertionResource ¶ added in v1.0.0
func ParseAssertionResource(domainName zms.DomainName, assertion *zms.Assertion) (string, string, error)
ParseAssertionResource parses the resource of an assertion into the service name (AccessRule constraint) and, if specified, the HTTP paths (suffix :<path>)
func ParseRoleFQDN ¶
func ParseRoleFQDN(domainName zms.DomainName, roleFQDN string) (string, error)
ParseRoleFQDN parses the Athenz role full name in the format <domainName>:role.<roleName> to roleName e.g. app-domain:role.reader -> reader
func PrincipalToSpiffe ¶
PrincipalToSpiffe converts the Athenz principal into a SPIFFE compliant format e.g. client-domain.frontend.some-app -> client-domain.frontend/sa/some-app
func PrincipalToTrustDomainSpiffe ¶ added in v1.1.0
func PrincipalToTrustDomainSpiffe(principal string, adminDomainNamespaceMap map[string]string, adminPrincipleNamespaceMap map[string]string) ([]string, error)
Update adminPrincipleNamespaceMap to
func ReadConvertToModelConfig ¶ added in v1.0.0
ReadConvertToModelConfig reads in the authorization policy yaml object and converts it into a model.Config struct
func ReadDirectoryConvertToModelConfig ¶ added in v1.0.0
ReadDirectoryConvertToModelConfig reads in the subdirectory for one namespace and converts files under the directory to a list of model.Config struct
func RoleToSpiffe ¶ added in v1.0.0
RoleToSpiffe reads an Athenz role name string and generates its SPIFFE name. SPIFFE name format: <athenz domain name>/ra/<role name>
Types ¶
type ApiHandler ¶ added in v1.0.0
// ApiHandler applies Items to an Istio config store; its Add, Update and
// Delete methods each take an *Item and return an error.
type ApiHandler struct {
	// ConfigStoreCache is the store the handler writes through. NOTE(review):
	// assumed to be set by the caller before use — the zero value is a nil
	// interface; confirm.
	ConfigStoreCache model.ConfigStoreCache
}
func (*ApiHandler) Add ¶ added in v1.0.0
func (a *ApiHandler) Add(item *Item) error
func (*ApiHandler) Delete ¶ added in v1.0.0
func (a *ApiHandler) Delete(item *Item) error
func (*ApiHandler) Update ¶ added in v1.0.0
func (a *ApiHandler) Update(item *Item) error
type ComponentEnabled ¶ added in v1.0.0
// ComponentEnabled is built by ParseComponentsEnabledAuthzPolicy from a
// component list string; presumably it records which components of the
// authorization-policy controller are enabled — confirm against the parser.
// All of its fields are unexported.
type ComponentEnabled struct {
	// contains filtered or unexported fields
}
func ParseComponentsEnabledAuthzPolicy ¶ added in v1.0.0
func ParseComponentsEnabledAuthzPolicy(componentsList string) (*ComponentEnabled, error)
type DryRunHandler ¶ added in v1.0.0
type DryRunHandler struct{}
func (*DryRunHandler) Add ¶ added in v1.0.0
func (d *DryRunHandler) Add(item *Item) error
func (*DryRunHandler) Delete ¶ added in v1.0.0
func (d *DryRunHandler) Delete(item *Item) error
func (*DryRunHandler) Update ¶ added in v1.0.0
func (d *DryRunHandler) Update(item *Item) error
type EventHandler ¶ added in v1.0.0
type Item ¶ added in v1.0.0
type Item struct { Operation model.Event Resource model.Config // Handler function that should be invoked with the status of the current sync operation on the item // If the handler returns an error, the operation is retried up to `queueNumRetries` CallbackHandler OnCompleteFunc }
func ComputeChangeList ¶ added in v1.0.0
func ComputeChangeList(currentCRs []model.Config, desiredCRs []model.Config, cbHandler OnCompleteFunc, checkFn additionalCheck) []*Item
ComputeChangeList checks whether two sets of config models differ and returns the resulting change list. The controller that calls this function is required to pass its own callback handler. checkFn is optional and can be set to nil if nothing needs to be checked