serviceaccount

package

v1.8.13 Latest Latest Go to latest Published: May 11, 2018 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Documentation ¶

Index ¶

Constants
func InternalIsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool
func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool
func JWTTokenAuthenticator(keys []interface{}, lookup bool, getter ServiceAccountTokenGetter) authenticator.Token
func UserInfo(namespace, name, uid string) user.Info
type ServiceAccountTokenGetter
type TokenGenerator
- func JWTTokenGenerator(privateKey interface{}) TokenGenerator

Constants ¶

View Source

const (
	Issuer = "kubernetes/serviceaccount"

	SubjectClaim            = "sub"
	IssuerClaim             = "iss"
	ServiceAccountNameClaim = "kubernetes.io/serviceaccount/service-account.name"
	ServiceAccountUIDClaim  = "kubernetes.io/serviceaccount/service-account.uid"
	SecretNameClaim         = "kubernetes.io/serviceaccount/secret.name"
	NamespaceClaim          = "kubernetes.io/serviceaccount/namespace"
)

Variables ¶

This section is empty.

Functions ¶

func InternalIsServiceAccountToken ¶ added in v1.6.0

func InternalIsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool

TODO: remove the duplicate code InternalIsServiceAccountToken returns true if the secret is a valid api token for the service account

func IsServiceAccountToken ¶ added in v1.2.0

func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool

IsServiceAccountToken returns true if the secret is a valid api token for the service account

func JWTTokenAuthenticator ¶

func JWTTokenAuthenticator(keys []interface{}, lookup bool, getter ServiceAccountTokenGetter) authenticator.Token

JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator Token signatures are verified using each of the given public keys until one works (allowing key rotation) If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter

func UserInfo ¶ added in v1.2.0

func UserInfo(namespace, name, uid string) user.Info

UserInfo returns a user.Info interface for the given namespace, service account name and UID

Types ¶

type ServiceAccountTokenGetter ¶

type ServiceAccountTokenGetter interface {
	GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error)
	GetSecret(namespace, name string) (*v1.Secret, error)
}

ServiceAccountTokenGetter defines functions to retrieve a named service account and secret

type TokenGenerator ¶

type TokenGenerator interface {
	// GenerateToken generates a token which will identify the given ServiceAccount.
	// The returned token will be stored in the given (and yet-unpersisted) Secret.
	GenerateToken(serviceAccount v1.ServiceAccount, secret v1.Secret) (string, error)
}

func JWTTokenGenerator ¶

func JWTTokenGenerator(privateKey interface{}) TokenGenerator

JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey. privateKey is a PEM-encoded byte array of a private RSA key. JWTTokenAuthenticator()

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL