Documentation ¶
Index ¶
Constants ¶
const (
	// The SPDY subprotocol "v4.channel.k8s.io" is used for remote command
	// attachment/execution. It is the 4th version of the subprotocol and
	// adds support for exit codes.
	StreamProtocolV4Name = "v4.channel.k8s.io"
	// DefaultStreamCreationTimeout is the default timeout for stream creation
	DefaultStreamCreationTimeout = 30 * time.Second
	IdleTimeout = 15 * time.Minute
)
const (
	// Enable stdin for remote command execution
	ExecStdinParam = "input"
	// Enable stdout for remote command execution
	ExecStdoutParam = "output"
	// Enable stderr for remote command execution
	ExecStderrParam = "error"
	// Enable TTY for remote command execution
	ExecTTYParam = "tty"
	// Command to run for remote command execution
	ExecCommandParam = "command"
	// Name of header that specifies stream type
	StreamType = "streamType"
	// Value for streamType header for stdin stream
	StreamTypeStdin = "stdin"
	// Value for streamType header for stdout stream
	StreamTypeStdout = "stdout"
	// Value for streamType header for stderr stream
	StreamTypeStderr = "stderr"
	// Value for streamType header for data stream
	StreamTypeData = "data"
	// Value for streamType header for error stream
	StreamTypeError = "error"
	// Value for streamType header for terminal resize stream
	StreamTypeResize = "resize"
	// Name of header that specifies the port being forwarded
	PortHeader = "port"
	// Name of header that specifies a request ID used to associate the error
	// and data streams for a single forwarded connection
	PortForwardRequestIDHeader = "requestID"
	// PortForwardProtocolV1Name is the subprotocol "portforward.k8s.io" used for port forwarding
	PortForwardProtocolV1Name = "portforward.k8s.io"
)
These constants are for remote command execution and port forwarding and are used by both the client-side and server-side components.
This is probably not the ideal place for them, but it didn't seem worth it to create pkg/exec and pkg/portforward just to contain a single file with constants in it. Suggestions for more appropriate alternatives are definitely welcome!
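The constants above only name the query parameters and stream headers; the following added example, which is not code from this package or from Kubernetes, shows how a server consumes them. It decodes the exec query parameters, derives the set of streams a client must open for a v4.channel.k8s.io session (the error stream is always expected because v4 reports the exit code on it), and enforces DefaultStreamCreationTimeout while those streams arrive, rejecting unknown or duplicate stream types. ParseExecQuery, ExpectedStreams and WaitForStreams are names chosen here; the channel of headers stands in for the new-stream callback of an httpstream.Connection, and dropping stderr when a TTY is requested is this example's choice.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"time"
)

// Local copies of the exec constants documented above, so this file builds alone.
const (
	ExecStdinParam, ExecStdoutParam, ExecStderrParam = "input", "output", "error"
	ExecTTYParam, ExecCommandParam                   = "tty", "command"
	StreamType                                       = "streamType"
	StreamTypeStdin, StreamTypeStdout, StreamTypeStderr = "stdin", "stdout", "stderr"
	StreamTypeError, StreamTypeResize                   = "error", "resize"
	DefaultStreamCreationTimeout                        = 30 * time.Second
)

// ExecOptions is what a server learns from an exec request's query string.
type ExecOptions struct {
	Stdin, Stdout, Stderr, TTY bool
	Command                    []string
}

// ParseExecQuery decodes the exec query parameters. A TTY merges stdout and stderr,
// so stderr is dropped when tty=1; at least one stream and a command are required.
func ParseExecQuery(q url.Values) (ExecOptions, error) {
	on := func(p string) bool { return q.Get(p) == "1" }
	o := ExecOptions{Stdin: on(ExecStdinParam), Stdout: on(ExecStdoutParam),
		Stderr: on(ExecStderrParam), TTY: on(ExecTTYParam), Command: q[ExecCommandParam]}
	if o.TTY {
		o.Stderr = false
	}
	if !o.Stdin && !o.Stdout && !o.Stderr {
		return ExecOptions{}, fmt.Errorf("at least one of %s, %s, %s must be 1", ExecStdinParam, ExecStdoutParam, ExecStderrParam)
	}
	if len(o.Command) == 0 { // repeated ?command= values form argv
		return ExecOptions{}, fmt.Errorf("exec request carries no %s", ExecCommandParam)
	}
	return o, nil
}

// ExpectedStreams lists, sorted, the streamType values the server must see before
// the session can start. The error stream is always present: in v4 it carries the exit status.
func ExpectedStreams(o ExecOptions) []string {
	s := []string{StreamTypeError}
	for _, c := range []struct {
		on   bool
		name string
	}{{o.Stdin, StreamTypeStdin}, {o.Stdout, StreamTypeStdout}, {o.Stderr, StreamTypeStderr}, {o.TTY, StreamTypeResize}} {
		if c.on {
			s = append(s, c.name)
		}
	}
	sort.Strings(s)
	return s
}

// WaitForStreams consumes the headers of newly opened streams (a real server gets
// them from httpstream.Connection's new-stream callback) until each expected
// streamType has been seen exactly once. Unknown or duplicate types abort the
// session, and the handshake is abandoned after timeout so a client that opens
// only some of its streams cannot pin server resources indefinitely.
func WaitForStreams(ctx context.Context, expected []string, incoming <-chan http.Header, timeout time.Duration) (map[string]bool, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	want, seen := map[string]bool{}, map[string]bool{}
	for _, t := range expected {
		want[t] = true
	}
	for len(seen) < len(want) {
		select {
		case h := <-incoming:
			t := h.Get(StreamType)
			if !want[t] || seen[t] {
				return nil, fmt.Errorf("unexpected or duplicate stream type %q", t)
			}
			seen[t] = true
		case <-ctx.Done():
			return nil, fmt.Errorf("waiting for streams %v: %w", expected, ctx.Err())
		}
	}
	return seen, nil
}

func main() {
	// Constructed query, shaped like the one "kubectl exec -it" sends.
	q, _ := url.ParseQuery("input=1&output=1&tty=1&command=sh&command=-c&command=id")
	o, err := ParseExecQuery(q)
	if err != nil {
		panic(err)
	}
	expected := ExpectedStreams(o)
	incoming := make(chan http.Header, len(expected))
	for _, t := range expected {
		h := http.Header{}
		h.Set(StreamType, t)
		incoming <- h
	}
	seen, err := WaitForStreams(context.Background(), expected, incoming, DefaultStreamCreationTimeout)
	fmt.Println(expected, len(seen), err)
}
```

Note that http.Header canonicalizes keys, so the lookup must go through Get/Set rather than indexing the map with the literal "streamType"; the same applies to the requestID header used by port forwarding.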
const (
	// ImpersonateHeaderPrefix is K8s impersonation prefix for impersonation feature:
	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
	ImpersonateHeaderPrefix = "Impersonate-"
	// ImpersonateUserHeader is impersonation header for users
	ImpersonateUserHeader = "Impersonate-User"
	// ImpersonateGroupHeader is K8s impersonation header for groups
	ImpersonateGroupHeader = "Impersonate-Group"
	// ImpersonationRequestDeniedMessage is access denied message for impersonation
	ImpersonationRequestDeniedMessage = "impersonation request has been denied"
)
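A proxy that forwards these headers to the cluster is asserting, on the caller's behalf, an identity the cluster will trust, so it must evaluate them before forwarding. The following added example, not code from this package, shows one such check. Identity (a caller with allow-lists of Kubernetes users and groups it may impersonate), ParseImpersonation, Authorize and CheckImpersonation are hypothetical names; the policy of refusing any other Impersonate-* header, requiring a user whenever groups are requested, and answering every denial with the same ImpersonationRequestDeniedMessage is this example's.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Local copies of the impersonation constants documented above.
const (
	ImpersonateHeaderPrefix           = "Impersonate-"
	ImpersonateUserHeader             = "Impersonate-User"
	ImpersonateGroupHeader            = "Impersonate-Group"
	ImpersonationRequestDeniedMessage = "impersonation request has been denied"
)

// ErrImpersonationDenied is returned for every policy denial, so the client
// learns nothing about which user or group was the problem.
var ErrImpersonationDenied = errors.New(ImpersonationRequestDeniedMessage)

// Identity is the proxy-authenticated caller and the Kubernetes users and
// groups it may impersonate (a hypothetical shape, not the package's own type).
type Identity struct {
	KubeUsers  []string
	KubeGroups []string
}

// Impersonation is what the request asked for.
type Impersonation struct {
	User   string
	Groups []string
}

// ParseImpersonation collects Impersonate-* headers. Anything under the prefix
// other than the user and group headers is refused rather than forwarded, so no
// impersonation attribute reaches the cluster without being evaluated here.
func ParseImpersonation(h http.Header) (Impersonation, error) {
	var imp Impersonation
	for name, values := range h { // keys are canonical when set via http.Header methods
		if !strings.HasPrefix(name, ImpersonateHeaderPrefix) {
			continue
		}
		switch name {
		case ImpersonateUserHeader:
			if len(values) != 1 {
				return Impersonation{}, fmt.Errorf("%s must be given exactly once", name)
			}
			imp.User = values[0]
		case ImpersonateGroupHeader:
			imp.Groups = append(imp.Groups, values...)
		default:
			return Impersonation{}, fmt.Errorf("unsupported impersonation header %q", name)
		}
	}
	if imp.User == "" && len(imp.Groups) > 0 {
		return Impersonation{}, errors.New("group impersonation requires " + ImpersonateUserHeader)
	}
	return imp, nil
}

// Authorize allows the request only if the user and every group are on the
// caller's allow-lists. A request with no Impersonate-* headers passes.
func Authorize(id Identity, imp Impersonation) error {
	if imp.User == "" {
		return nil
	}
	if !contains(id.KubeUsers, imp.User) {
		return ErrImpersonationDenied
	}
	for _, g := range imp.Groups {
		if !contains(id.KubeGroups, g) {
			return ErrImpersonationDenied
		}
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// CheckImpersonation is the single call a handler makes before forwarding.
func CheckImpersonation(id Identity, h http.Header) (Impersonation, error) {
	imp, err := ParseImpersonation(h)
	if err != nil {
		return Impersonation{}, err
	}
	return imp, Authorize(id, imp)
}

func main() {
	// Constructed caller and request headers: the second group is not allowed.
	id := Identity{KubeUsers: []string{"alice"}, KubeGroups: []string{"developers"}}
	h := http.Header{}
	h.Set(ImpersonateUserHeader, "alice")
	h.Add(ImpersonateGroupHeader, "developers")
	h.Add(ImpersonateGroupHeader, "system:masters")
	_, err := CheckImpersonation(id, h)
	fmt.Println(err) // prints "impersonation request has been denied"
}
```

A malformed request (an unsupported Impersonate-* header, or groups without a user) is reported as a distinct parse error rather than as a denial, which keeps audit records of policy denials separate from client bugs.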
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DialWithContext ¶
DialWithContext is the function type used to dial remote endpoints.
type Forwarder ¶
type Forwarder struct {
	sync.Mutex
	*log.Entry
	httprouter.Router
	ForwarderConfig
	// contains filtered or unexported fields
}
Forwarder intercepts Kubernetes requests, acting as a Kubernetes API proxy. It forwards most requests unchanged at the HTTPS protocol layer; requests that open interactive sessions, such as exec, it intercepts and records.
func NewForwarder ¶
func NewForwarder(cfg ForwarderConfig) (*Forwarder, error)
NewForwarder returns a new instance of the Kubernetes request forwarding proxy.
type ForwarderConfig ¶
type ForwarderConfig struct {
	// Tunnel is the teleport reverse tunnel server
	Tunnel reversetunnel.Server
	// ClusterName is a local cluster name
	ClusterName string
	// Keygen points to a key generator implementation
	Keygen sshca.Authority
	// Auth authenticates user
	Auth auth.Authorizer
	// Client is a proxy client
	Client auth.ClientI
	// TargetAddr is a target address
	TargetAddr string
	// DataDir is a data dir to store logs
	DataDir string
	// Namespace is a namespace of the proxy server (not a K8s namespace)
	Namespace string
	// AccessPoint is a caching access point to auth server
	// for caching common requests to the backend
	AccessPoint auth.AccessPoint
	// AuditLog is audit log to send events to
	AuditLog events.IAuditLog
	// ServerID is a unique ID of a proxy server
	ServerID string
	// ClusterOverride if set, routes all requests
	// to the cluster name, used in tests
	ClusterOverride string
	// Context passes the optional external context
	// passing global close to all forwarder operations
	Context context.Context
	// KubeconfigPath is a path to kubernetes configuration
	KubeconfigPath string
	// Clock is a server clock, could be overridden in tests
	Clock clockwork.Clock
}
ForwarderConfig specifies the configuration for the proxy forwarder.
func (*ForwarderConfig) CheckAndSetDefaults ¶
func (f *ForwarderConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type SpdyRoundTripper ¶
type SpdyRoundTripper struct {
// contains filtered or unexported fields
}
SpdyRoundTripper knows how to upgrade an HTTP request to one that supports multiplexed streams. After RoundTrip() is invoked, Conn will be set and usable. SpdyRoundTripper implements the UpgradeRoundTripper interface.
func NewSpdyRoundTripperWithDialer ¶
func NewSpdyRoundTripperWithDialer(cfg roundTripperConfig) *SpdyRoundTripper
NewSpdyRoundTripperWithDialer creates a new SpdyRoundTripper configured from cfg, including its TLS configuration and dialer. This function is mostly meant for unit tests.
func (*SpdyRoundTripper) NewConnection ¶
func (s *SpdyRoundTripper) NewConnection(resp *http.Response) (httpstream.Connection, error)
NewConnection validates the upgrade response, creating and returning a new httpstream.Connection if there were no errors.
func (*SpdyRoundTripper) RoundTrip ¶
RoundTrip executes the Request and upgrades it. After a successful upgrade, clients may call SpdyRoundTripper.Connection() to retrieve the upgraded connection.
func (*SpdyRoundTripper) TLSClientConfig ¶
func (s *SpdyRoundTripper) TLSClientConfig() *tls.Config
TLSClientConfig implements pkg/util/net.TLSClientConfigHolder for proper TLS checking during proxying with a spdy roundtripper.
type TLSServer ¶
type TLSServer struct {
	*http.Server
	// TLSServerConfig is TLS server configuration used for auth server
	TLSServerConfig
}
TLSServer is a TLS server that authenticates clients by certificate; its set of trusted certificate authorities is refreshed on every connection (see GetConfigForClient).
func NewTLSServer ¶
func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error)
NewTLSServer returns a new, unstarted TLS server.
func (*TLSServer) GetConfigForClient ¶
GetConfigForClient is called on every incoming connection. The server's GetConfigForClient reloads the list of trusted local and remote certificate authorities each time, so a CA added or removed after the listener started takes effect on the next handshake without a restart.
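The pattern behind that method, as an added example that is not this package's code: a tls.Config.GetConfigForClient callback that rebuilds the client CA pool from a provider on every handshake, so trust follows the current CA set rather than the one loaded at start-up. CAProvider, MemoryCAs, ClientCAConfig, MakeCert and VerifyClient are names chosen here; the provider stands in for the access point that caches the auth server's certificate authorities, and the certificates are generated in-process as test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// CAProvider returns the currently trusted client CAs. In the proxy that role is
// played by the access point caching the auth server's CAs; this is a stand-in.
type CAProvider func() []*x509.Certificate

// MemoryCAs is a constructed trust store whose contents change at runtime.
type MemoryCAs struct {
	mu  sync.RWMutex
	cas []*x509.Certificate
}

func (m *MemoryCAs) Set(cas ...*x509.Certificate) {
	m.mu.Lock()
	m.cas = cas
	m.mu.Unlock()
}

func (m *MemoryCAs) TrustedCAs() []*x509.Certificate {
	m.mu.RLock()
	defer m.mu.RUnlock()
	return m.cas
}

// ClientCAConfig returns a tls.Config.GetConfigForClient callback. It runs on every
// handshake and rebuilds ClientCAs from the provider, so a CA added later is trusted
// by the next connection and a removed one is refused, with no listener restart.
// The base config is cloned, never mutated in place.
func ClientCAConfig(base *tls.Config, trusted CAProvider) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(*tls.ClientHelloInfo) (*tls.Config, error) {
		pool := x509.NewCertPool()
		for _, ca := range trusted() {
			pool.AddCert(ca)
		}
		cfg := base.Clone()
		cfg.ClientCAs = pool
		return cfg, nil
	}
}

// MakeCert creates a P-256 certificate for cn: a self-signed CA when parent is
// nil, otherwise a client-auth leaf issued by parent (test material only).
func MakeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer := key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyClient checks leaf the way the handshake would: against the ClientCAs
// of the config produced for this particular connection.
func VerifyClient(get func(*tls.ClientHelloInfo) (*tls.Config, error), leaf *x509.Certificate) error {
	cfg, err := get(&tls.ClientHelloInfo{})
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("client certificate for %q rejected: %w", leaf.Subject.CommonName, err)
	}
	return nil
}

func main() {
	ca1, k1, _ := MakeCert("old-ca", nil, nil)
	ca2, k2, _ := MakeCert("new-ca", nil, nil)
	alice, _, _ := MakeCert("alice", ca1, k1)
	bob, _, _ := MakeCert("bob", ca2, k2)
	trust := &MemoryCAs{}
	trust.Set(ca1)
	get := ClientCAConfig(&tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}, trust.TrustedCAs)
	fmt.Println("old CA only:", VerifyClient(get, alice), VerifyClient(get, bob))
	trust.Set(ca2) // rotation: the very next handshake enforces the new trust set
	fmt.Println("new CA only:", VerifyClient(get, alice), VerifyClient(get, bob))
}
```

Rebuilding the pool per connection is cheap relative to the handshake itself, and it is what makes removing a compromised or retired CA take effect immediately; caching the pool and only refreshing it on a timer would leave a window in which certificates from the removed CA are still accepted.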
type TLSServerConfig ¶
type TLSServerConfig struct {
	// ForwarderConfig is a config of a forwarder
	ForwarderConfig
	// TLS is a base TLS configuration
	TLS *tls.Config
	// LimiterConfig is limiter config
	LimiterConfig limiter.LimiterConfig
	// AccessPoint is caching access point
	AccessPoint auth.AccessPoint
	// Component is used for debugging purposes
	Component string
}
TLSServerConfig is the configuration for the TLS server.
func (*TLSServerConfig) CheckAndSetDefaults ¶
func (c *TLSServerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values