Documentation ¶
Index ¶
- Constants
- func ControllerRoleBindings() []rbacv1.ClusterRoleBinding
- func ControllerRoles() []rbacv1.ClusterRole
- func GetBoostrapSCCAccess(infraNamespace string) (map[string][]string, map[string][]string)
- func GetBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding
- func GetBootstrapClusterRoles() []rbacv1.ClusterRole
- func GetBootstrapClusterRolesToAggregate() map[string]string
- func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding
- func GetBootstrapNamespaceRoles() map[string][]rbacv1.Role
- func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string][]string, ...) []*securityapi.SecurityContextConstraints
- func GetBootstrapServiceAccountProjectRoleBindingNames() sets.String
- func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []rbacv1.RoleBinding
- func GetDeadClusterRoleBindings() []rbacv1.ClusterRoleBinding
- func GetDeadClusterRoles() []rbacv1.ClusterRole
- func GetOpenshiftBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding
- func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole
- func NamespaceRoleBindings() map[string][]rbacv1.RoleBinding
- func NamespaceRoles() map[string][]rbacv1.Role
- type PolicyData
Constants ¶
const ( DefaultOpenShiftInfraNamespace = "openshift-infra" DefaultOpenShiftNodeNamespace = "openshift-node" )
known namespaces
const ( DefaultServiceAccountName = "default" BuilderServiceAccountName = "builder" DeployerServiceAccountName = "deployer" MasterUnqualifiedUsername = "openshift-master" AggregatorUnqualifiedUsername = "openshift-aggregator" MasterUsername = "system:" + MasterUnqualifiedUsername AggregatorUsername = "system:" + AggregatorUnqualifiedUsername SystemAdminUsername = "system:admin" // Not granted any API permissions, just an identity for a client certificate for the API proxy to use // Should not be changed without considering impact to pods that may be verifying this identity by default MasterProxyUnqualifiedUsername = "master-proxy" MasterProxyUsername = "system:" + MasterProxyUnqualifiedUsername // Previous versions used this as the username for the master to connect to the kubelet // This should remain in the default role bindings for the NodeAdmin role LegacyMasterKubeletAdminClientUsername = "system:master" MasterKubeletAdminClientUsername = "system:openshift-node-admin" )
users
const ( AuthenticatedGroup = "system:authenticated" AuthenticatedOAuthGroup = "system:authenticated:oauth" UnauthenticatedGroup = "system:unauthenticated" ClusterAdminGroup = "system:cluster-admins" ClusterReaderGroup = "system:cluster-readers" MastersGroup = "system:masters" NodesGroup = "system:nodes" NodeAdminsGroup = "system:node-admins" )
groups
const ( ClusterAdminRoleName = "cluster-admin" SudoerRoleName = "sudoer" ScopeImpersonationRoleName = "system:scope-impersonation" ClusterReaderRoleName = "cluster-reader" StorageAdminRoleName = "storage-admin" ClusterDebuggerRoleName = "cluster-debugger" AdminRoleName = "admin" EditRoleName = "edit" ViewRoleName = "view" AggregatedAdminRoleName = "system:openshift:aggregate-to-admin" AggregatedEditRoleName = "system:openshift:aggregate-to-edit" AggregatedViewRoleName = "system:openshift:aggregate-to-view" AggregatedClusterReaderRoleName = "system:openshift:aggregate-to-cluster-reader" SelfProvisionerRoleName = "self-provisioner" BasicUserRoleName = "basic-user" StatusCheckerRoleName = "cluster-status" SelfAccessReviewerRoleName = "self-access-reviewer" RegistryAdminRoleName = "registry-admin" RegistryViewerRoleName = "registry-viewer" RegistryEditorRoleName = "registry-editor" TemplateServiceBrokerClientRoleName = "system:openshift:templateservicebroker-client" BuildStrategyDockerRoleName = "system:build-strategy-docker" BuildStrategyCustomRoleName = "system:build-strategy-custom" BuildStrategySourceRoleName = "system:build-strategy-source" BuildStrategyJenkinsPipelineRoleName = "system:build-strategy-jenkinspipeline" ImageAuditorRoleName = "system:image-auditor" ImagePullerRoleName = "system:image-puller" ImagePusherRoleName = "system:image-pusher" ImageBuilderRoleName = "system:image-builder" ImagePrunerRoleName = "system:image-pruner" ImageSignerRoleName = "system:image-signer" DeployerRoleName = "system:deployer" RouterRoleName = "system:router" RegistryRoleName = "system:registry" MasterRoleName = "system:master" SDNReaderRoleName = "system:sdn-reader" SDNManagerRoleName = "system:sdn-manager" OAuthTokenDeleterRoleName = "system:oauth-token-deleter" WebHooksRoleName = "system:webhook" DiscoveryRoleName = "system:openshift:discovery" // NodeAdmin has full access to the API provided by the kubelet NodeAdminRoleName = "system:node-admin" // NodeReader has read access to the metrics and stats provided by the kubelet NodeReaderRoleName = "system:node-reader" NodeBootstrapRoleName = "system:node-bootstrapper" NodeConfigReaderRoleName = "system:node-config-reader" )
Roles
const ( // Legacy roles that must continue to have a plural form SelfAccessReviewerRoleBindingName = SelfAccessReviewerRoleName + "s" SelfProvisionerRoleBindingName = SelfProvisionerRoleName + "s" DeployerRoleBindingName = DeployerRoleName + "s" ClusterAdminRoleBindingName = ClusterAdminRoleName + "s" ClusterReaderRoleBindingName = ClusterReaderRoleName + "s" BasicUserRoleBindingName = BasicUserRoleName + "s" OAuthTokenDeleterRoleBindingName = OAuthTokenDeleterRoleName + "s" StatusCheckerRoleBindingName = StatusCheckerRoleName + "-binding" ImagePullerRoleBindingName = ImagePullerRoleName + "s" ImageBuilderRoleBindingName = ImageBuilderRoleName + "s" MasterRoleBindingName = MasterRoleName + "s" NodeProxierRoleBindingName = "system:node-proxier" + "s" NodeAdminRoleBindingName = NodeAdminRoleName + "s" SDNReaderRoleBindingName = SDNReaderRoleName + "s" WebHooksRoleBindingName = WebHooksRoleName + "s" // Bindings BuildStrategyDockerRoleBindingName = BuildStrategyDockerRoleName + "-binding" BuildStrategySourceRoleBindingName = BuildStrategySourceRoleName + "-binding" BuildStrategyJenkinsPipelineRoleBindingName = BuildStrategyJenkinsPipelineRoleName + "-binding" )
RoleBindings
const ( // Authorization resources DockerBuildResource = "builds/docker" OptimizedDockerBuildResource = "builds/optimizeddocker" SourceBuildResource = "builds/source" CustomBuildResource = "builds/custom" JenkinsPipelineBuildResource = "builds/jenkinspipeline" // These are valid under the "nodes" resource NodeMetricsSubresource = "metrics" NodeStatsSubresource = "stats" NodeSpecSubresource = "spec" NodeLogSubresource = "log" )
Resources and Subresources
const ( InfraOriginNamespaceServiceAccountName = "origin-namespace-controller" InfraServiceAccountControllerServiceAccountName = "serviceaccount-controller" InfraServiceAccountPullSecretsControllerServiceAccountName = "serviceaccount-pull-secrets-controller" InfraServiceAccountTokensControllerServiceAccountName = "serviceaccount-tokens-controller" InfraServiceServingCertServiceAccountName = "service-serving-cert-controller" InfraBuildControllerServiceAccountName = "build-controller" InfraBuildConfigChangeControllerServiceAccountName = "build-config-change-controller" InfraDeploymentConfigControllerServiceAccountName = "deploymentconfig-controller" InfraDeployerControllerServiceAccountName = "deployer-controller" InfraImageTriggerControllerServiceAccountName = "image-trigger-controller" InfraImageImportControllerServiceAccountName = "image-import-controller" InfraSDNControllerServiceAccountName = "sdn-controller" InfraClusterQuotaReconciliationControllerServiceAccountName = "cluster-quota-reconciliation-controller" InfraUnidlingControllerServiceAccountName = "unidling-controller" InfraServiceIngressIPControllerServiceAccountName = "service-ingress-ip-controller" InfraPersistentVolumeRecyclerControllerServiceAccountName = "pv-recycler-controller" InfraResourceQuotaControllerServiceAccountName = "resourcequota-controller" InfraDefaultRoleBindingsControllerServiceAccountName = "default-rolebindings-controller" InfraIngressToRouteControllerServiceAccountName = "ingress-to-route-controller" InfraNamespaceSecurityAllocationControllerServiceAccountName = "namespace-security-allocation-controller" // template instance controller watches for TemplateInstance object creation // and instantiates templates as a result. InfraTemplateInstanceControllerServiceAccountName = "template-instance-controller" InfraTemplateInstanceFinalizerControllerServiceAccountName = "template-instance-finalizer-controller" // template service broker is an open service broker-compliant API // implementation which serves up OpenShift templates. It uses the // TemplateInstance backend for most of the heavy lifting. InfraTemplateServiceBrokerServiceAccountName = "template-service-broker" // This is a special constant which maps to the service account name used by the underlying // Kubernetes code, so that we can build out the extra policy required to scale OpenShift resources. InfraHorizontalPodAutoscalerControllerServiceAccountName = "horizontal-pod-autoscaler" )
const ( // SecurityContextConstraintPrivileged is used as the name for the system default privileged scc. SecurityContextConstraintPrivileged = "privileged" SecurityContextConstraintPrivilegedDesc = "" /* 261-byte string literal not displayed */ // SecurityContextConstraintRestricted is used as the name for the system default restricted scc. SecurityContextConstraintRestricted = "restricted" SecurityContextConstraintRestrictedDesc = "" /* 227-byte string literal not displayed */ // SecurityContextConstraintNonRoot is used as the name for the system default non-root scc. SecurityContextConstraintNonRoot = "nonroot" SecurityContextConstraintNonRootDesc = "" /* 202-byte string literal not displayed */ // SecurityContextConstraintHostMountAndAnyUID is used as the name for the system default host mount + any UID scc. SecurityContextConstraintHostMountAndAnyUID = "hostmount-anyuid" SecurityContextConstraintHostMountAndAnyUIDDesc = "" /* 267-byte string literal not displayed */ // SecurityContextConstraintHostNS is used as the name for the system default scc // that grants access to all host ns features. SecurityContextConstraintHostNS = "hostaccess" SecurityContextConstraintHostNSDesc = "" /* 287-byte string literal not displayed */ // SecurityContextConstraintsAnyUID is used as the name for the system default scc that // grants access to run as any uid but is still restricted to specific SELinux contexts. SecurityContextConstraintsAnyUID = "anyuid" SecurityContextConstraintsAnyUIDDesc = "anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID." // SecurityContextConstraintsHostNetwork is used as the name for the system default scc that // grants access to run with host networking and host ports but still allocates uid/gids/selinux from the // namespace. SecurityContextConstraintsHostNetwork = "hostnetwork" SecurityContextConstraintsHostNetworkDesc = "" /* 157-byte string literal not displayed */ // DescriptionAnnotation is the annotation used for attaching descriptions. DescriptionAnnotation = "kubernetes.io/description" )
const (
InfraNodeBootstrapServiceAccountName = "node-bootstrapper"
)
Service Account Names that are not controller related
Variables ¶
This section is empty.
Functions ¶
func ControllerRoleBindings ¶
func ControllerRoleBindings() []rbacv1.ClusterRoleBinding
ControllerRoleBindings returns the role bindings used by controllers
func ControllerRoles ¶
func ControllerRoles() []rbacv1.ClusterRole
ControllerRoles returns the cluster roles used by controllers
func GetBoostrapSCCAccess ¶
GetBoostrapSCCAccess provides the default set of access that should be passed to GetBootstrapSecurityContextConstraints.
func GetBootstrapClusterRoleBindings ¶
func GetBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding
func GetBootstrapClusterRoles ¶
func GetBootstrapClusterRoles() []rbacv1.ClusterRole
func GetBootstrapNamespaceRoleBindings ¶
func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding
func GetBootstrapSecurityContextConstraints ¶
func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string][]string, sccNameToAdditionalUsers map[string][]string) []*securityapi.SecurityContextConstraints
GetBootstrapSecurityContextConstraints returns the slice of default SecurityContextConstraints for system bootstrapping. This method takes additional users and groups that should be added to the strategies. Use GetBoostrapSCCAccess to produce the default set of mappings.
func GetBootstrapServiceAccountProjectRoleBindings ¶
func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []rbacv1.RoleBinding
func GetDeadClusterRoleBindings ¶
func GetDeadClusterRoleBindings() []rbacv1.ClusterRoleBinding
GetDeadClusterRoleBindings returns cluster role bindings which should no longer have any subjects. These are enumerated so that a reconcile that tightens permissions will properly remove them.
func GetDeadClusterRoles ¶
func GetDeadClusterRoles() []rbacv1.ClusterRole
GetDeadClusterRoles returns cluster roles which should no longer have any permissions. These are enumerated so that a reconcile that tightens permissions will properly.
func GetOpenshiftBootstrapClusterRoleBindings ¶
func GetOpenshiftBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding
func GetOpenshiftBootstrapClusterRoles ¶
func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole
func NamespaceRoleBindings ¶
func NamespaceRoleBindings() map[string][]rbacv1.RoleBinding
NamespaceRoleBindings returns a map of namespace to slice of role bindings to create
func NamespaceRoles ¶
NamespaceRoles returns a map of namespace to slice of roles to create
Types ¶
type PolicyData ¶
type PolicyData struct { ClusterRoles []rbacv1.ClusterRole ClusterRoleBindings []rbacv1.ClusterRoleBinding Roles map[string][]rbacv1.Role RoleBindings map[string][]rbacv1.RoleBinding // ClusterRolesToAggregate maps from previous clusterrole name to the new clusterrole name ClusterRolesToAggregate map[string]string }
func Policy ¶
func Policy() *PolicyData