Package rbac

v2.19.15

Published: Feb 1, 2023 License: Apache-2.0 Imports: 34 Imported by: 0

Documentation

Overview

Package rbac contains a controller that is responsible for setting up RBAC to allow users to access the clusters they should be able to access.

Constants

const (
	// OwnerGroupNamePrefix represents owners group prefix
	OwnerGroupNamePrefix = "owners"

	// EditorGroupNamePrefix represents editors group prefix
	EditorGroupNamePrefix = "editors"

	// ViewerGroupNamePrefix represents viewers group prefix
	ViewerGroupNamePrefix = "viewers"

	// ProjectManagerGroupNamePrefix represents project managers group prefix.
	// Can create, update and delete projects and add/remove members & service accounts.
	ProjectManagerGroupNamePrefix = "projectmanagers"

	// RBACResourcesNamePrefix represents kubermatic group prefix
	RBACResourcesNamePrefix = "kubermatic"
)
const (
	CleanupFinalizerName = "kubermatic.io/controller-manager-rbac-cleanup"
)
const (
	EtcdLauncherServiceAccountName = "etcd-launcher"
)

Variables

AllGroupsPrefixes holds the list of group prefixes for which the controller generates RBAC Roles and RoleBindings.

Note: adding a new group also requires updating the generateVerbsForNamedResource method. The actual group names differ from the prefixes; see the generateActualGroupNameFor function.

Functions

func ExtractGroupPrefix

func ExtractGroupPrefix(groupName string) string

ExtractGroupPrefix extracts only the group prefix from the given group name.

func GenerateActualGroupNameFor

func GenerateActualGroupNameFor(projectName, groupName string) string

GenerateActualGroupNameFor generates a group name for the given project and group prefix.
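The two functions above define how a role prefix and a project are combined into the group name that RBAC bindings are keyed on. The following is an added example, not code from the kubermatic rbac package: it assumes the naming scheme is `<prefix>-<projectName>` (the page does not state the format), reuses the prefix constants listed on this page, and adds two hypothetical helpers, `ParseGroupName` and `IsMemberOfProject`, to show the validation a consumer should perform before trusting a group name for authorization, including the edge case of project names that themselves contain a hyphen.

```go
package main

import (
	"fmt"
	"strings"
)

// Group prefixes as declared by the package constants on this page.
const (
	OwnerGroupNamePrefix          = "owners"
	EditorGroupNamePrefix         = "editors"
	ViewerGroupNamePrefix         = "viewers"
	ProjectManagerGroupNamePrefix = "projectmanagers"
)

// AllGroupsPrefixes mirrors the package variable of the same name.
var AllGroupsPrefixes = []string{
	OwnerGroupNamePrefix,
	EditorGroupNamePrefix,
	ViewerGroupNamePrefix,
	ProjectManagerGroupNamePrefix,
}

// GenerateActualGroupNameFor builds the per-project group name.
// ASSUMPTION: the "<prefix>-<projectName>" layout is assumed for this
// example; the documentation page does not state the format.
func GenerateActualGroupNameFor(projectName, groupName string) string {
	return fmt.Sprintf("%s-%s", groupName, projectName)
}

// ExtractGroupPrefix returns the part before the first '-'. Cutting at the
// first separator only keeps project names that contain '-' intact.
func ExtractGroupPrefix(groupName string) string {
	prefix, _, _ := strings.Cut(groupName, "-")
	return prefix
}

// ParseGroupName (hypothetical helper) validates a group name before it is
// used for an authorization decision: the prefix must be one of the known
// prefixes and the project part must be non-empty.
func ParseGroupName(groupName string) (prefix, project string, err error) {
	prefix, project, found := strings.Cut(groupName, "-")
	if !found || project == "" {
		return "", "", fmt.Errorf("group %q: missing project suffix", groupName)
	}
	for _, known := range AllGroupsPrefixes {
		if prefix == known {
			return prefix, project, nil
		}
	}
	return "", "", fmt.Errorf("group %q: unknown prefix %q", groupName, prefix)
}

// IsMemberOfProject (hypothetical helper) reports the first known role that
// the caller's groups grant on projectName. Groups that do not follow the
// scheme, such as "system:authenticated", are ignored rather than trusted.
func IsMemberOfProject(userGroups []string, projectName string) (string, bool) {
	for _, g := range userGroups {
		prefix, project, err := ParseGroupName(g)
		if err != nil || project != projectName {
			continue
		}
		return prefix, true
	}
	return "", false
}

func main() {
	// Constructed sample: a project whose name contains hyphens.
	name := GenerateActualGroupNameFor("my-project-id", OwnerGroupNamePrefix)
	fmt.Println(name, "->", ExtractGroupPrefix(name))

	groups := []string{"system:authenticated", "viewers-p1", "editors-p2"}
	role, ok := IsMemberOfProject(groups, "p2")
	fmt.Println(role, ok)
}
```

The check in `ParseGroupName` is the one that matters for least privilege: a group whose prefix is not in `AllGroupsPrefixes` must not be mapped to any role, and a bare prefix without a project suffix must not be treated as project-wide membership.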

Types

type ClusterProvider

type ClusterProvider struct {
	// contains filtered or unexported fields
}

ClusterProvider holds the set of clients that allow communication with a cluster and that are required to properly generate RBAC for resources in that particular cluster.

func NewClusterProvider

func NewClusterProvider(providerName string, kubeClient kubernetes.Interface, kubeInformerProvider InformerProvider, kubermaticClient kubermaticclientset.Interface, kubermaticInformerFactory externalversions.SharedInformerFactory) *ClusterProvider

NewClusterProvider creates a brand new ClusterProvider.

Note: this method will create and register Listers for RBAC Roles and Bindings.

func (*ClusterProvider) AddIndexerFor

func (p *ClusterProvider) AddIndexerFor(indexer cache.Indexer, gvk schema.GroupVersionKind)

AddIndexerFor adds a Lister for the given resource.

Note: this method creates Listers for some resources, for example "cluster" resources.

TODO: try rm this since we have InformerProvider

func (*ClusterProvider) StartInformers

func (p *ClusterProvider) StartInformers(stopCh <-chan struct{})

StartInformers starts the shared informer factories.

func (*ClusterProvider) WaitForCachesToSync

func (p *ClusterProvider) WaitForCachesToSync(stopCh <-chan struct{}) error

WaitForCachesToSync waits for all started informers' cache until they are synced.

type ControllerAggregator

type ControllerAggregator struct {
	// contains filtered or unexported fields
}

ControllerAggregator holds the controllers that manage RBAC for projects and their resources.

func New

func New(ctx context.Context, metrics *Metrics, mgr manager.Manager, seedManagerMap map[string]manager.Manager, labelSelectorFunc func(*metav1.ListOptions), workerPredicate predicate.Predicate, workerCount int) (*ControllerAggregator, error)

New creates a new controller aggregator for managing RBAC for resources.

type InformerProvider

type InformerProvider interface {
	// KubeInformerFactoryFor registers a shared informer factory for the given namespace
	KubeInformerFactoryFor(namespace string) kubeinformers.SharedInformerFactory
	// StartInformers starts all registered factories
	StartInformers(stopCh <-chan struct{})
	// WaitForCachesToSync waits until caches from all factories are synced
	WaitForCachesToSync(stopCh <-chan struct{}) error
}

InformerProvider allows storing shared informer factories for the given namespaces; additionally, it provides methods for starting and waiting for all registered factories.

type InformerProviderImpl

type InformerProviderImpl struct {
	// contains filtered or unexported fields
}

InformerProviderImpl simply holds namespaced factories.

func NewInformerProvider

func NewInformerProvider(kubeClient kubernetes.Interface, resync time.Duration) *InformerProviderImpl

NewInformerProvider creates a new provider that

func (*InformerProviderImpl) KubeInformerFactoryFor

func (p *InformerProviderImpl) KubeInformerFactoryFor(namespace string) kubeinformers.SharedInformerFactory

KubeInformerFactoryFor registers a shared informer factory for the given namespace

func (*InformerProviderImpl) StartInformers

func (p *InformerProviderImpl) StartInformers(stopCh <-chan struct{})

StartInformers starts all registered factories

func (*InformerProviderImpl) WaitForCachesToSync

func (p *InformerProviderImpl) WaitForCachesToSync(stopCh <-chan struct{}) error

WaitForCachesToSync waits until caches from all factories are synced

type Metrics

type Metrics struct {
	Workers prometheus.Gauge
}

Metrics contains the metrics that this controller will collect and expose.

func NewMetrics

func NewMetrics() *Metrics

NewMetrics creates RBACGeneratorControllerMetrics with default values initialized, so metrics always show up.
