node

package

v1.7.5 Latest Latest Go to latest Published: Aug 31, 2017 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Documentation ¶

Index ¶

func AddGraphEventHandlers(graph *Graph, pods coreinformers.PodInformer, ...)
func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, ...) authorizer.Authorizer
type Graph
- func NewGraph() *Graph
type NodeAuthorizer
- func (r *NodeAuthorizer) Authorize(attrs authorizer.Attributes) (bool, string, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func AddGraphEventHandlers ¶

func AddGraphEventHandlers(graph *Graph, pods coreinformers.PodInformer, pvs coreinformers.PersistentVolumeInformer)

func NewAuthorizer ¶

func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacapi.PolicyRule) authorizer.Authorizer

New returns a new node authorizer

Types ¶

type Graph ¶

type Graph struct {
	// contains filtered or unexported fields
}

Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:

node <- pod pod <- secret,configmap,pvc pvc <- pv pv <- secret

func NewGraph ¶

func NewGraph() *Graph

func (*Graph) AddPV ¶

func (g *Graph) AddPV(pv *api.PersistentVolume)

AddPV sets up edges for the following relationships:

secret -> pv

pv -> pvc

func (*Graph) AddPod ¶

func (g *Graph) AddPod(pod *api.Pod)

AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once bound to a node):

pod -> node

secret    -> pod
configmap -> pod
pvc       -> pod

func (*Graph) DeletePV ¶

func (g *Graph) DeletePV(name string)

func (*Graph) DeletePod ¶

func (g *Graph) DeletePod(name, namespace string)

type NodeAuthorizer ¶

type NodeAuthorizer struct {
	// contains filtered or unexported fields
}

NodeAuthorizer authorizes requests from kubelets, with the following logic:

If a request is not from a node (IdentifyNode() returns isNode=false), reject
If a specific node cannot be identified (IdentifyNode() returns nodeName=""), reject
If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node: node <- pod node <- pod <- secret node <- pod <- configmap node <- pod <- pvc node <- pod <- pvc <- pv node <- pod <- pvc <- pv <- secret
For other resources, authorize all nodes uniformly using statically defined rules

func (*NodeAuthorizer) Authorize ¶

func (r *NodeAuthorizer) Authorize(attrs authorizer.Attributes) (bool, string, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL