kubernetes

package
Constants

// ServiceAccountLabelGroup is the key used for the service-account group label.
// NOTE(review): the objects these keys are applied to are not visible here — confirm against callers.
const ServiceAccountLabelGroup = "initialGroup"

// ServiceAccountAnnotationOwner is the key used for the service-account owner annotation.
const ServiceAccountAnnotationOwner = "owner"
// NamespacePrefix is the prefix for the cluster namespace; see NamespaceName.
const NamespacePrefix = "cluster-"

Variables

This section is empty.

Functions

func AddonProviderFactory

func AddonProviderFactory(mapper meta.RESTMapper, seedKubeconfigGetter provider.SeedKubeconfigGetter, accessibleAddons sets.String) provider.AddonProviderGetter

func CreateOrUpdateCredentialSecretForCluster

func CreateOrUpdateCredentialSecretForCluster(ctx context.Context, seedClient ctrlruntimeclient.Client, cluster *kubermaticv1.Cluster) error

CreateOrUpdateCredentialSecretForCluster creates or updates the credential secret for the given cluster.

func IsMainServiceAccount

func IsMainServiceAccount(email string) bool

IsMainServiceAccount determines whether the given email address belongs to the main service account.

func IsProjectServiceAccount added in v2.17.0

func IsProjectServiceAccount(email string) bool

IsProjectServiceAccount determines whether the given email address belongs to a project service account.

func IsServiceAccount

func IsServiceAccount(email string) bool

IsServiceAccount determines whether the given email address belongs to either a project service account or the main service account.

func LoadPresets

func LoadPresets(yamlContent []byte) (*kubermaticv1.PresetList, error)

LoadPresets loads the custom presets for supported providers

func LoadPresetsFromFile

func LoadPresetsFromFile(path string) (*kubermaticv1.PresetList, error)

LoadPresetsFromFile loads the custom presets for supported providers

func NamespaceName

func NamespaceName(clusterName string) string

NamespaceName returns the namespace name for a cluster

Types

type AddonConfigProvider

type AddonConfigProvider struct {
	// contains filtered or unexported fields
}

AddonConfigProvider holds the components required by the addon configuration provider.

func NewAddonConfigProvider

func NewAddonConfigProvider(client ctrlruntimeclient.Client) *AddonConfigProvider

NewAddonConfigProvider returns a new AddonConfigProvider

func (*AddonConfigProvider) Get

Get addon configuration

func (*AddonConfigProvider) List

List available addon configurations

type AddonProvider

type AddonProvider struct {
	// contains filtered or unexported fields
}

AddonProvider holds the components required by the AddonProvider implementation.

func NewAddonProvider

func NewAddonProvider(
	clientPrivileged ctrlruntimeclient.Client,
	createSeedImpersonatedClient impersonationClient,
	accessibleAddons sets.String) *AddonProvider

NewAddonProvider returns a new addon provider that respects RBAC policies. It uses createSeedImpersonatedClient to create a connection that uses user impersonation.

func (*AddonProvider) Delete

func (p *AddonProvider) Delete(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster, addonName string) error

Delete deletes the given addon

func (*AddonProvider) DeleteUnsecured

func (p *AddonProvider) DeleteUnsecured(cluster *kubermaticv1.Cluster, addonName string) error

DeleteUnsecured deletes the given addon

Note that this function is unsafe in the sense that it uses a privileged account to delete the resource, so the caller must perform authorization itself.

func (*AddonProvider) Get

func (p *AddonProvider) Get(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster, addonName string) (*kubermaticv1.Addon, error)

Get returns the given addon. It uses the projectInternalName to determine the group the user belongs to.

func (*AddonProvider) GetUnsecured

func (p *AddonProvider) GetUnsecured(cluster *kubermaticv1.Cluster, addonName string) (*kubermaticv1.Addon, error)

GetUnsecured returns the given addon

Note that this function is unsafe in the sense that it uses a privileged account to get the resource, so the caller must perform authorization itself.

func (*AddonProvider) List

func (p *AddonProvider) List(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster) ([]*kubermaticv1.Addon, error)

List returns all addons in the given cluster

func (*AddonProvider) ListUnsecured

func (p *AddonProvider) ListUnsecured(cluster *kubermaticv1.Cluster) ([]*kubermaticv1.Addon, error)

func (*AddonProvider) New

func (p *AddonProvider) New(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster, addonName string, variables *runtime.RawExtension, labels map[string]string) (*kubermaticv1.Addon, error)

New creates a new addon in the given cluster

func (*AddonProvider) NewUnsecured

func (p *AddonProvider) NewUnsecured(cluster *kubermaticv1.Cluster, addonName string, variables *runtime.RawExtension, labels map[string]string) (*kubermaticv1.Addon, error)

NewUnsecured creates a new addon in the given cluster

Note that this function is unsafe in the sense that it uses a privileged account to create the resource, so the caller must perform authorization itself.

func (*AddonProvider) Update

func (p *AddonProvider) Update(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster, addon *kubermaticv1.Addon) (*kubermaticv1.Addon, error)

Update updates an addon

func (*AddonProvider) UpdateUnsecured

func (p *AddonProvider) UpdateUnsecured(cluster *kubermaticv1.Cluster, addon *kubermaticv1.Addon) (*kubermaticv1.Addon, error)

UpdateUnsecured updates an addon

Note that this function is unsafe in the sense that it uses a privileged account to update the resource, so the caller must perform authorization itself.

type AdminProvider

type AdminProvider struct {
	// contains filtered or unexported fields
}

AdminProvider manages admin resources

func NewAdminProvider

func NewAdminProvider(client ctrlruntimeclient.Client) *AdminProvider

NewAdminProvider returns an admin provider.

func (*AdminProvider) GetAdmins

func (a *AdminProvider) GetAdmins(userInfo *provider.UserInfo) ([]kubermaticv1.User, error)

GetAdmins returns all users with admin rights.

func (*AdminProvider) SetAdmin

func (a *AdminProvider) SetAdmin(userInfo *provider.UserInfo, email string, isAdmin bool) (*kubermaticv1.User, error)

SetAdmin sets or clears admin rights for the user with the given email.

type AdmissionPluginsProvider

type AdmissionPluginsProvider struct {
	// contains filtered or unexported fields
}

AdmissionPluginsProvider is an object that handles admission plugins.

func NewAdmissionPluginsProvider

func NewAdmissionPluginsProvider(ctx context.Context, client ctrlruntimeclient.Client) *AdmissionPluginsProvider

func (*AdmissionPluginsProvider) Delete

func (p *AdmissionPluginsProvider) Delete(userInfo *provider.UserInfo, name string) error

func (*AdmissionPluginsProvider) Get

func (*AdmissionPluginsProvider) List

func (*AdmissionPluginsProvider) ListPluginNamesFromVersion

func (p *AdmissionPluginsProvider) ListPluginNamesFromVersion(fromVersion string) ([]string, error)

func (*AdmissionPluginsProvider) Update

type ClusterProvider

type ClusterProvider struct {
	// contains filtered or unexported fields
}

ClusterProvider holds the components required to provide an RBAC-compliant cluster provider.

func NewClusterProvider

func NewClusterProvider(
	cfg *restclient.Config,
	createSeedImpersonatedClient impersonationClient,
	userClusterConnProvider UserClusterConnectionProvider,
	workerName string,
	extractGroupPrefix extractGroupPrefixFunc,
	client ctrlruntimeclient.Client,
	k8sClient kubernetes.Interface,
	oidcKubeConfEndpoint bool,
	versions kubermatic.Versions) *ClusterProvider

NewClusterProvider returns a new cluster provider that respects RBAC policies. It uses createSeedImpersonatedClient to create a connection that uses user impersonation.

func (*ClusterProvider) Delete

func (p *ClusterProvider) Delete(userInfo *provider.UserInfo, clusterName string) error

Delete deletes the given cluster

func (*ClusterProvider) DeleteUnsecured

func (p *ClusterProvider) DeleteUnsecured(cluster *kubermaticv1.Cluster) error

DeleteUnsecured deletes a cluster.

Note that admin privileges are used to delete the cluster; the caller must perform authorization itself.

func (*ClusterProvider) Get

func (p *ClusterProvider) Get(userInfo *provider.UserInfo, clusterName string, options *provider.ClusterGetOptions) (*kubermaticv1.Cluster, error)

Get returns the given cluster. It uses the projectInternalName to determine the group the user belongs to.

func (*ClusterProvider) GetAdminClientForCustomerCluster

func (p *ClusterProvider) GetAdminClientForCustomerCluster(ctx context.Context, c *kubermaticv1.Cluster) (ctrlruntimeclient.Client, error)

GetAdminClientForCustomerCluster returns a client to interact with all resources in the given cluster

Note that the returned client has admin privileges.

func (*ClusterProvider) GetAdminKubeconfigForCustomerCluster

func (p *ClusterProvider) GetAdminKubeconfigForCustomerCluster(c *kubermaticv1.Cluster) (*clientcmdapi.Config, error)

GetAdminKubeconfigForCustomerCluster returns the admin kubeconfig for the given cluster

func (*ClusterProvider) GetClientForCustomerCluster

func (p *ClusterProvider) GetClientForCustomerCluster(ctx context.Context, userInfo *provider.UserInfo, c *kubermaticv1.Cluster) (ctrlruntimeclient.Client, error)

GetClientForCustomerCluster returns a client to interact with all resources in the given cluster

Note that the client does not use the admin account; instead it authenticates and authorizes as userInfo (email, group). This implies that you have to make sure the user has the appropriate permissions inside the user cluster.

func (*ClusterProvider) GetSeedClusterAdminClient

func (p *ClusterProvider) GetSeedClusterAdminClient() kubernetes.Interface

GetSeedClusterAdminClient returns a kubernetes client to interact with the seed cluster resources.

Note that this client has admin privileges in the seed cluster.

func (*ClusterProvider) GetSeedClusterAdminRuntimeClient

func (p *ClusterProvider) GetSeedClusterAdminRuntimeClient() ctrlruntimeclient.Client

GetSeedClusterAdminRuntimeClient returns a runtime client to interact with the seed cluster resources.

Note that this client has admin privileges in the seed cluster.

func (*ClusterProvider) GetTokenForCustomerCluster

func (p *ClusterProvider) GetTokenForCustomerCluster(ctx context.Context, userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster) (string, error)

func (*ClusterProvider) GetUnsecured

func (p *ClusterProvider) GetUnsecured(project *kubermaticv1.Project, clusterName string, options *provider.ClusterGetOptions) (*kubermaticv1.Cluster, error)

GetUnsecured returns a cluster for the project and given name.

Note that admin privileges are used to get the cluster; the caller must perform authorization itself.

func (*ClusterProvider) GetViewerKubeconfigForCustomerCluster

func (p *ClusterProvider) GetViewerKubeconfigForCustomerCluster(c *kubermaticv1.Cluster) (*clientcmdapi.Config, error)

GetViewerKubeconfigForCustomerCluster returns the viewer kubeconfig for the given cluster

func (*ClusterProvider) IsCluster added in v2.16.3

func (p *ClusterProvider) IsCluster(clusterName string) bool

IsCluster checks whether a cluster with the given name exists.

func (*ClusterProvider) List

List gets all clusters that belong to the given project. If you want to filter the result, please take a look at ClusterListOptions.

Note: After we get the list of clusters we could try to get each cluster individually using an unprivileged account to see if the user has read access. We don't do this because we assume that if the user was able to get the project (argument) it has at least read access.

func (*ClusterProvider) ListAll

func (p *ClusterProvider) ListAll() (*kubermaticv1.ClusterList, error)

ListAll gets all clusters

Note that admin privileges are used to list all clusters; the caller must perform authorization itself.

func (*ClusterProvider) New

New creates a brand new cluster that is bound to the given project

func (*ClusterProvider) NewUnsecured

func (p *ClusterProvider) NewUnsecured(project *kubermaticv1.Project, cluster *kubermaticv1.Cluster, userEmail string) (*kubermaticv1.Cluster, error)

NewUnsecured creates a brand new cluster that is bound to the given project.

Note that admin privileges are used to create the cluster; the caller must perform authorization itself.

func (*ClusterProvider) RevokeAdminKubeconfig

func (p *ClusterProvider) RevokeAdminKubeconfig(c *kubermaticv1.Cluster) error

RevokeAdminKubeconfig revokes the admin token and kubeconfig.

func (*ClusterProvider) RevokeViewerKubeconfig

func (p *ClusterProvider) RevokeViewerKubeconfig(c *kubermaticv1.Cluster) error

RevokeViewerKubeconfig revokes the viewer token and kubeconfig.

func (*ClusterProvider) SeedAdminConfig

func (p *ClusterProvider) SeedAdminConfig() *restclient.Config

SeedAdminConfig returns an admin kubeconfig for the seed. This function does not perform any kind of access control. Avoid using it.

func (*ClusterProvider) Update

func (p *ClusterProvider) Update(project *kubermaticv1.Project, userInfo *provider.UserInfo, newCluster *kubermaticv1.Cluster) (*kubermaticv1.Cluster, error)

Update updates a cluster

func (*ClusterProvider) UpdateUnsecured

func (p *ClusterProvider) UpdateUnsecured(project *kubermaticv1.Project, cluster *kubermaticv1.Cluster) (*kubermaticv1.Cluster, error)

UpdateUnsecured updates a cluster.

Note that admin privileges are used to update the cluster; the caller must perform authorization itself.

type ConstraintProvider added in v2.16.3

type ConstraintProvider struct {
	// contains filtered or unexported fields
}

ConstraintProvider holds the components required to manage constraints.

func NewConstraintProvider added in v2.16.3

func NewConstraintProvider(createSeedImpersonatedClient impersonationClient, client ctrlruntimeclient.Client) (*ConstraintProvider, error)

NewConstraintProvider returns a constraint provider.

func (*ConstraintProvider) Create added in v2.16.3

func (*ConstraintProvider) CreateUnsecured added in v2.16.3

func (p *ConstraintProvider) CreateUnsecured(constraint *kubermaticv1.Constraint) (*kubermaticv1.Constraint, error)

func (*ConstraintProvider) Delete added in v2.16.3

func (p *ConstraintProvider) Delete(cluster *kubermaticv1.Cluster, userInfo *provider.UserInfo, name string) error

Delete deletes a constraint.

func (*ConstraintProvider) DeleteUnsecured added in v2.16.3

func (p *ConstraintProvider) DeleteUnsecured(cluster *kubermaticv1.Cluster, name string) error

DeleteUnsecured deletes a constraint using a privileged client; the caller must perform authorization itself.

func (*ConstraintProvider) Get added in v2.16.3

Get gets a constraint using a privileged client.

func (*ConstraintProvider) List added in v2.16.3

List gets all constraints

func (*ConstraintProvider) Update added in v2.16.3

func (*ConstraintProvider) UpdateUnsecured added in v2.16.3

func (p *ConstraintProvider) UpdateUnsecured(constraint *kubermaticv1.Constraint) (*kubermaticv1.Constraint, error)

type ConstraintTemplateProvider added in v2.16.3

type ConstraintTemplateProvider struct {
	// contains filtered or unexported fields
}

ConstraintTemplateProvider holds the components required to manage constraint templates.

func NewConstraintTemplateProvider added in v2.16.3

func NewConstraintTemplateProvider(createMasterImpersonatedClient impersonationClient, client ctrlruntimeclient.Client) (*ConstraintTemplateProvider, error)

NewConstraintTemplateProvider returns a constraint template provider

func (*ConstraintTemplateProvider) Create added in v2.16.3

Create creates a constraint template

func (*ConstraintTemplateProvider) Delete added in v2.16.3

Delete deletes a constraint template

func (*ConstraintTemplateProvider) Get added in v2.16.3

Get gets a constraint template

func (*ConstraintTemplateProvider) List added in v2.16.3

List gets all constraint templates

func (*ConstraintTemplateProvider) Update added in v2.16.3

Update updates a constraint template

type DefaultImpersonationClient

type DefaultImpersonationClient struct {
	// contains filtered or unexported fields
}

DefaultImpersonationClient knows how to create an impersonated client set.

func NewImpersonationClient

func NewImpersonationClient(cfg *restclient.Config, restMapper meta.RESTMapper) *DefaultImpersonationClient

NewImpersonationClient creates a new default impersonation client that knows how to create an Interface client for an impersonated user.

func (*DefaultImpersonationClient) CreateImpersonatedClient

CreateImpersonatedClient creates an impersonated client set for the given user.

type DefaultKubermaticImpersonationClient

type DefaultKubermaticImpersonationClient struct {
	// contains filtered or unexported fields
}

DefaultKubermaticImpersonationClient knows how to create an impersonated client set.

func (*DefaultKubermaticImpersonationClient) CreateImpersonatedKubermaticClientSet

CreateImpersonatedKubermaticClientSet creates an impersonated kubermatic client set for the given user.

type EventRecorder

type EventRecorder struct {
	// contains filtered or unexported fields
}

EventRecorder gives the option to record events for objects. They can then be read using the Kubernetes API.

func NewEventRecorder

func NewEventRecorder() *EventRecorder

NewEventRecorder returns a new event recorder provider object. See EventRecorder for more information.

func (*EventRecorder) ClusterRecorderFor

func (e *EventRecorder) ClusterRecorderFor(client kubernetes.Interface) record.EventRecorder

ClusterRecorderFor returns an event recorder that is able to record events for objects in the cluster accessible through the provided client.

type ExternalClusterProvider

type ExternalClusterProvider struct {
	// contains filtered or unexported fields
}

ExternalClusterProvider holds the components required to provide a connection to the cluster.

func NewExternalClusterProvider

func NewExternalClusterProvider(createMasterImpersonatedClient impersonationClient, client ctrlruntimeclient.Client) (*ExternalClusterProvider, error)

NewExternalClusterProvider returns an external cluster provider

func (*ExternalClusterProvider) CreateOrUpdateKubeconfigSecretForCluster

func (p *ExternalClusterProvider) CreateOrUpdateKubeconfigSecretForCluster(ctx context.Context, cluster *kubermaticapiv1.ExternalCluster, kubeconfig string) error

func (*ExternalClusterProvider) Delete

Delete deletes the given cluster

func (*ExternalClusterProvider) DeleteUnsecured

func (p *ExternalClusterProvider) DeleteUnsecured(cluster *kubermaticapiv1.ExternalCluster) error

DeleteUnsecured deletes an external cluster.

Note that admin privileges are used to delete the cluster; the caller must perform authorization itself.

func (*ExternalClusterProvider) GenerateClient

func (*ExternalClusterProvider) Get

Get returns the given cluster

func (*ExternalClusterProvider) GetClient

func (*ExternalClusterProvider) GetNode

func (p *ExternalClusterProvider) GetNode(cluster *kubermaticapiv1.ExternalCluster, nodeName string) (*corev1.Node, error)

func (*ExternalClusterProvider) GetUnsecured

func (p *ExternalClusterProvider) GetUnsecured(clusterName string) (*kubermaticapiv1.ExternalCluster, error)

GetUnsecured returns an external cluster for the project and given name.

Note that admin privileges are used to get the cluster; the caller must perform authorization itself.

func (*ExternalClusterProvider) GetVersion

func (*ExternalClusterProvider) IsMetricServerAvailable

func (p *ExternalClusterProvider) IsMetricServerAvailable(cluster *kubermaticapiv1.ExternalCluster) (bool, error)

func (*ExternalClusterProvider) List

List gets all external clusters that belong to the given project

func (*ExternalClusterProvider) ListNodes

func (*ExternalClusterProvider) New

New creates a brand new external cluster in the system with the given name

func (*ExternalClusterProvider) NewUnsecured

NewUnsecured creates a brand new external cluster in the system with the given name

Note that this function is unsafe in the sense that it uses a privileged account to create the resource, so the caller must perform authorization itself.

func (*ExternalClusterProvider) Update

Update updates the given cluster

func (*ExternalClusterProvider) UpdateUnsecured

UpdateUnsecured updates the given cluster.

type PresetsProvider

type PresetsProvider struct {
	// contains filtered or unexported fields
}

PresetsProvider is an object that handles presets from a predefined config.

func NewPresetsProvider

func NewPresetsProvider(ctx context.Context, client ctrlruntimeclient.Client, presetsFile string, dynamicPresets bool) (*PresetsProvider, error)

func (*PresetsProvider) CreatePreset added in v2.16.3

func (m *PresetsProvider) CreatePreset(preset *kubermaticv1.Preset) (*kubermaticv1.Preset, error)

func (*PresetsProvider) GetPreset

func (m *PresetsProvider) GetPreset(userInfo *provider.UserInfo, name string) (*kubermaticv1.Preset, error)

GetPreset returns the preset with the given name that belongs to the specific email group.

func (*PresetsProvider) GetPresets

func (m *PresetsProvider) GetPresets(userInfo *provider.UserInfo) ([]kubermaticv1.Preset, error)

GetPresets returns the presets that belong to the specific email group, together with those available to all users.

func (*PresetsProvider) SetCloudCredentials

func (m *PresetsProvider) SetCloudCredentials(userInfo *provider.UserInfo, presetName string, cloud kubermaticv1.CloudSpec, dc *kubermaticv1.Datacenter) (*kubermaticv1.CloudSpec, error)

func (*PresetsProvider) UpdatePreset added in v2.16.3

func (m *PresetsProvider) UpdatePreset(preset *kubermaticv1.Preset) (*kubermaticv1.Preset, error)

type PrivilegedProjectProvider

type PrivilegedProjectProvider struct {
	// contains filtered or unexported fields
}

PrivilegedProjectProvider represents a data structure that knows how to manage projects in a privileged way.

func NewPrivilegedProjectProvider

func NewPrivilegedProjectProvider(client ctrlruntimeclient.Client) (*PrivilegedProjectProvider, error)

NewPrivilegedProjectProvider returns a privileged project provider

func (*PrivilegedProjectProvider) DeleteUnsecured

func (p *PrivilegedProjectProvider) DeleteUnsecured(projectInternalName string) error

DeleteUnsecured deletes any given project. This function is unsafe in the sense that it uses a privileged account to delete the project with the given name, so the caller must perform authorization itself.

Note: Before deletion project's status.phase is set to ProjectTerminating

func (*PrivilegedProjectProvider) GetUnsecured

func (p *PrivilegedProjectProvider) GetUnsecured(projectInternalName string, options *provider.ProjectGetOptions) (*kubermaticapiv1.Project, error)

GetUnsecured returns the project with the given name. This function is unsafe in the sense that it uses a privileged account to get the project with the given name, so the caller must perform authorization itself.

func (*PrivilegedProjectProvider) UpdateUnsecured

UpdateUnsecured updates a specific project and returns the updated project. This function is unsafe in the sense that it uses a privileged account to update the project, so the caller must perform authorization itself.

type PrivilegedSSHKeyProvider

type PrivilegedSSHKeyProvider struct {
	// contains filtered or unexported fields
}

PrivilegedSSHKeyProvider represents a data structure that knows how to manage SSH keys in a privileged way.

func NewPrivilegedSSHKeyProvider

func NewPrivilegedSSHKeyProvider(client ctrlruntimeclient.Client) (*PrivilegedSSHKeyProvider, error)

NewPrivilegedSSHKeyProvider returns a privileged SSH key provider.

func (*PrivilegedSSHKeyProvider) CreateUnsecured

func (p *PrivilegedSSHKeyProvider) CreateUnsecured(project *kubermaticapiv1.Project, keyName, pubKey string) (*kubermaticapiv1.UserSSHKey, error)

CreateUnsecured creates an SSH key that belongs to the given project. This function is unsafe in the sense that it uses a privileged account to create the SSH key, so the caller must perform authorization itself.

func (*PrivilegedSSHKeyProvider) DeleteUnsecured

func (p *PrivilegedSSHKeyProvider) DeleteUnsecured(keyName string) error

DeleteUnsecured deletes the given SSH key. This function is unsafe in the sense that it uses a privileged account to delete the SSH key, so the caller must perform authorization itself.

func (*PrivilegedSSHKeyProvider) GetUnsecured

func (p *PrivilegedSSHKeyProvider) GetUnsecured(keyName string) (*kubermaticapiv1.UserSSHKey, error)

GetUnsecured returns the key with the given name. This function is unsafe in the sense that it uses a privileged account to get the SSH key, so the caller must perform authorization itself.

func (*PrivilegedSSHKeyProvider) UpdateUnsecured

UpdateUnsecured updates a specific SSH key and returns the updated key. This function is unsafe in the sense that it uses a privileged account to update the SSH key, so the caller must perform authorization itself.

type ProjectMemberProvider

type ProjectMemberProvider struct {
	// contains filtered or unexported fields
}

ProjectMemberProvider binds users to projects.

func NewProjectMemberProvider

func NewProjectMemberProvider(createMasterImpersonatedClient impersonationClient, clientPrivileged ctrlruntimeclient.Client, isServiceAccountFunc func(string) bool) *ProjectMemberProvider

NewProjectMemberProvider returns a project members provider

func (*ProjectMemberProvider) Create

func (p *ProjectMemberProvider) Create(userInfo *provider.UserInfo, project *kubermaticapiv1.Project, memberEmail, group string) (*kubermaticapiv1.UserProjectBinding, error)

Create creates a binding for the given member and the given project

func (*ProjectMemberProvider) CreateUnsecured

func (p *ProjectMemberProvider) CreateUnsecured(project *kubermaticapiv1.Project, memberEmail, group string) (*kubermaticapiv1.UserProjectBinding, error)

CreateUnsecured creates a binding for the given member and the given project. This function is unsafe in the sense that it uses a privileged account to create the resource, so the caller must perform authorization itself.

func (*ProjectMemberProvider) Delete

func (p *ProjectMemberProvider) Delete(userInfo *provider.UserInfo, bindingName string) error

Delete deletes the given binding. Note: use List to get the binding for a specific member of the given project.

func (*ProjectMemberProvider) DeleteUnsecured

func (p *ProjectMemberProvider) DeleteUnsecured(bindingName string) error

DeleteUnsecured deletes the given binding. Note: use List to get the binding for a specific member of the given project. This function is unsafe in the sense that it uses a privileged account to delete the resource, so the caller must perform authorization itself.

func (*ProjectMemberProvider) List

List gets all members of the given project

func (*ProjectMemberProvider) MapUserToGroup

func (p *ProjectMemberProvider) MapUserToGroup(userEmail string, projectID string) (string, error)

MapUserToGroup maps the given user to a specific group of the given project. This function is unsafe in the sense that it uses a privileged account to list all members in the system.

func (*ProjectMemberProvider) MappingsFor

func (p *ProjectMemberProvider) MappingsFor(userEmail string) ([]*kubermaticapiv1.UserProjectBinding, error)

MappingsFor returns the list of projects (bindings) for the given user. This function is unsafe in the sense that it uses a privileged account to list all members in the system.

func (*ProjectMemberProvider) Update

Update updates the given binding

func (*ProjectMemberProvider) UpdateUnsecured

UpdateUnsecured updates the given binding. This function is unsafe in the sense that it uses a privileged account to update the resource, so the caller must perform authorization itself.

type ProjectProvider

type ProjectProvider struct {
	// contains filtered or unexported fields
}

ProjectProvider represents a data structure that knows how to manage projects.

func NewProjectProvider

func NewProjectProvider(createMasterImpersonatedClient impersonationClient, client ctrlruntimeclient.Client) (*ProjectProvider, error)

NewProjectProvider returns a project provider

func (*ProjectProvider) Delete

func (p *ProjectProvider) Delete(userInfo *provider.UserInfo, projectInternalName string) error

Delete deletes the given project as the given user

Note: Before deletion, the project's status.phase is set to ProjectTerminating.

func (*ProjectProvider) Get

func (p *ProjectProvider) Get(userInfo *provider.UserInfo, projectInternalName string, options *provider.ProjectGetOptions) (*kubermaticapiv1.Project, error)

Get returns the project with the given name

func (*ProjectProvider) List

List gets a list of projects; by default it returns all resources. If you want to filter the result, please set ProjectListOptions.

Note that the list is taken from the cache, so it may lag behind the API server.

func (*ProjectProvider) New

func (p *ProjectProvider) New(user *kubermaticapiv1.User, projectName string, labels map[string]string) (*kubermaticapiv1.Project, error)

New creates a brand new project in the system with the given name

Note: a user cannot own more than one project with the given name. Since we get the list of the current projects from a cache (lister), there is a small time window during which a user can create more than one project with the given name.

func (*ProjectProvider) Update

func (p *ProjectProvider) Update(userInfo *provider.UserInfo, newProject *kubermaticapiv1.Project) (*kubermaticapiv1.Project, error)

Update updates a specific project for a specific user and returns the updated project.

type SSHKeyProvider

type SSHKeyProvider struct {
	// contains filtered or unexported fields
}

SSHKeyProvider holds the components required to provide an RBAC-compliant SSH key provider.

func NewSSHKeyProvider

func NewSSHKeyProvider(createMasterImpersonatedClient impersonationClient, client ctrlruntimeclient.Client) *SSHKeyProvider

NewSSHKeyProvider returns a new SSH key provider that respects RBAC policies. It uses createMasterImpersonatedClient to create a connection that uses user impersonation.

func (*SSHKeyProvider) Create

func (p *SSHKeyProvider) Create(userInfo *provider.UserInfo, project *kubermaticapiv1.Project, keyName, pubKey string) (*kubermaticapiv1.UserSSHKey, error)

Create creates an SSH key that will belong to the given project.

func (*SSHKeyProvider) Delete

func (p *SSHKeyProvider) Delete(userInfo *provider.UserInfo, keyName string) error

Delete simply deletes the given key

func (*SSHKeyProvider) Get

func (p *SSHKeyProvider) Get(userInfo *provider.UserInfo, keyName string) (*kubermaticapiv1.UserSSHKey, error)

Get returns a key with the given name

func (*SSHKeyProvider) List

List gets a list of SSH keys; by default it returns all the keys that belong to the given project. If you want to filter the result, please take a look at SSHKeyListOptions.

Note: After we get the list of the keys we could try to get each one individually using an unprivileged account to see if the user has read access. We don't do this because we assume that if the user was able to get the project (argument) it has at least read access.

func (*SSHKeyProvider) Update

Update simply updates the given key

type ServiceAccountProvider

type ServiceAccountProvider struct {
	// contains filtered or unexported fields
}

ServiceAccountProvider manages service account resources

func NewServiceAccountProvider

func NewServiceAccountProvider(createMasterImpersonatedClient impersonationClient, clientPrivileged ctrlruntimeclient.Client, domain string) *ServiceAccountProvider

NewServiceAccountProvider returns a service account provider

func (*ServiceAccountProvider) CreateMainServiceAccount

func (p *ServiceAccountProvider) CreateMainServiceAccount(userInfo *provider.UserInfo, name, group string) (*kubermaticv1.User, error)

CreateMainServiceAccount creates a new main service account

func (*ServiceAccountProvider) CreateProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) CreateProjectServiceAccount(userInfo *provider.UserInfo, project *kubermaticv1.Project, name, group string) (*kubermaticv1.User, error)

CreateProjectServiceAccount creates a new service account for the project

func (*ServiceAccountProvider) CreateUnsecuredProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) CreateUnsecuredProjectServiceAccount(project *kubermaticv1.Project, name, group string) (*kubermaticv1.User, error)

CreateUnsecuredProjectServiceAccount creates a new service account for the project.

Note that this function is unsafe in the sense that it uses a privileged account to create the resource, so the caller must perform authorization itself.

func (*ServiceAccountProvider) DeleteMainServiceAccount

func (p *ServiceAccountProvider) DeleteMainServiceAccount(userInfo *provider.UserInfo, serviceAccount *kubermaticv1.User) error

DeleteMainServiceAccount deletes the given main service account.

func (*ServiceAccountProvider) DeleteProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) DeleteProjectServiceAccount(userInfo *provider.UserInfo, name string) error

DeleteProjectServiceAccount simply deletes the given project service account

func (*ServiceAccountProvider) DeleteUnsecuredProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) DeleteUnsecuredProjectServiceAccount(name string) error

DeleteUnsecuredProjectServiceAccount deletes project service account

Note that this function is unsafe in the sense that it uses the privileged account to delete the resource

func (*ServiceAccountProvider) GetMainServiceAccount

func (p *ServiceAccountProvider) GetMainServiceAccount(userInfo *provider.UserInfo, name string, options *provider.ServiceAccountGetOptions) (*kubermaticv1.User, error)

GetMainServiceAccount gets the main service account

func (*ServiceAccountProvider) GetProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) GetProjectServiceAccount(userInfo *provider.UserInfo, name string, options *provider.ServiceAccountGetOptions) (*kubermaticv1.User, error)

GetProjectServiceAccount method returns project service account with given name

func (*ServiceAccountProvider) GetUnsecuredProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) GetUnsecuredProjectServiceAccount(name string, options *provider.ServiceAccountGetOptions) (*kubermaticv1.User, error)

GetUnsecuredProjectServiceAccount gets the project service account

Note that this function is unsafe in the sense that it uses the privileged account to get the resource

func (*ServiceAccountProvider) ListMainServiceAccounts

func (p *ServiceAccountProvider) ListMainServiceAccounts(userInfo *provider.UserInfo, options *provider.ServiceAccountListOptions) ([]*kubermaticv1.User, error)

ListMainServiceAccounts gets main service accounts

func (*ServiceAccountProvider) ListProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) ListProjectServiceAccount(userInfo *provider.UserInfo, project *kubermaticv1.Project, options *provider.ServiceAccountListOptions) ([]*kubermaticv1.User, error)

ListProjectServiceAccount gets service accounts for the project

func (*ServiceAccountProvider) ListUnsecuredProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) ListUnsecuredProjectServiceAccount(project *kubermaticv1.Project, options *provider.ServiceAccountListOptions) ([]*kubermaticv1.User, error)

ListUnsecuredProjectServiceAccount gets all service accounts for the project. If you want to filter the result, please take a look at ServiceAccountListOptions

Note that this function is unsafe in the sense that it uses the privileged account to get the resources

func (*ServiceAccountProvider) UpdateMainServiceAccount

func (p *ServiceAccountProvider) UpdateMainServiceAccount(userInfo *provider.UserInfo, serviceAccount *kubermaticv1.User) (*kubermaticv1.User, error)

UpdateMainServiceAccount updates the given main service account

func (*ServiceAccountProvider) UpdateProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) UpdateProjectServiceAccount(userInfo *provider.UserInfo, serviceAccount *kubermaticv1.User) (*kubermaticv1.User, error)

UpdateProjectServiceAccount simply updates the given project service account

func (*ServiceAccountProvider) UpdateUnsecuredProjectServiceAccount added in v2.17.0

func (p *ServiceAccountProvider) UpdateUnsecuredProjectServiceAccount(serviceAccount *kubermaticv1.User) (*kubermaticv1.User, error)

UpdateUnsecuredProjectServiceAccount updates the project service account

Note that this function is unsafe in the sense that it uses the privileged account to update the resource

type ServiceAccountTokenProvider

type ServiceAccountTokenProvider struct {
	// contains filtered or unexported fields
}

ServiceAccountTokenProvider manages service account token resources

func NewServiceAccountTokenProvider

func NewServiceAccountTokenProvider(impersonationClient impersonationClient, clientPrivileged ctrlruntimeclient.Client) (*ServiceAccountTokenProvider, error)

NewServiceAccountTokenProvider returns a service account token provider

func (*ServiceAccountTokenProvider) Create

func (p *ServiceAccountTokenProvider) Create(userInfo *provider.UserInfo, sa *kubermaticv1.User, projectID, tokenName, tokenID, token string) (*v1.Secret, error)

Create creates a new token for service account

func (*ServiceAccountTokenProvider) CreateUnsecured

func (p *ServiceAccountTokenProvider) CreateUnsecured(sa *kubermaticv1.User, projectID, tokenName, tokenID, token string) (*v1.Secret, error)

CreateUnsecured creates a new token

Note that this function is unsafe in the sense that it uses the privileged account to create the resource

func (*ServiceAccountTokenProvider) Delete

func (p *ServiceAccountTokenProvider) Delete(userInfo *provider.UserInfo, name string) error

Delete method deletes given token

func (*ServiceAccountTokenProvider) DeleteUnsecured

func (p *ServiceAccountTokenProvider) DeleteUnsecured(name string) error

DeleteUnsecured deletes the token

Note that this function is unsafe in the sense that it uses the privileged account to delete the resource

func (*ServiceAccountTokenProvider) Get

func (p *ServiceAccountTokenProvider) Get(userInfo *provider.UserInfo, name string) (*v1.Secret, error)

Get method returns token by name

func (*ServiceAccountTokenProvider) GetUnsecured

func (p *ServiceAccountTokenProvider) GetUnsecured(name string) (*v1.Secret, error)

GetUnsecured gets the token by name

Note that this function is unsafe in the sense that it uses the privileged account to get the resource

func (*ServiceAccountTokenProvider) List

List gets tokens for the given service account and project

func (*ServiceAccountTokenProvider) ListUnsecured

ListUnsecured returns all tokens in kubermatic namespace

Note that this function is unsafe in the sense that it uses the privileged account to get the resources; it reads them from the cache

func (*ServiceAccountTokenProvider) Update

func (p *ServiceAccountTokenProvider) Update(userInfo *provider.UserInfo, secret *v1.Secret) (*v1.Secret, error)

Update method updates given token

func (*ServiceAccountTokenProvider) UpdateUnsecured

func (p *ServiceAccountTokenProvider) UpdateUnsecured(secret *v1.Secret) (*v1.Secret, error)

UpdateUnsecured updates the token

Note that this function is unsafe in the sense that it uses the privileged account to update the resource

type SettingsProvider

type SettingsProvider struct {
	// contains filtered or unexported fields
}

SettingsProvider manages the global settings resource

func NewSettingsProvider

func NewSettingsProvider(ctx context.Context, client kubermaticclientset.Interface, runtimeClient ctrlruntimeclient.Client) *SettingsProvider

NewSettingsProvider returns a settings provider

func (*SettingsProvider) GetGlobalSettings

func (s *SettingsProvider) GetGlobalSettings() (*kubermaticv1.KubermaticSetting, error)

func (*SettingsProvider) UpdateGlobalSettings

func (s *SettingsProvider) UpdateGlobalSettings(userInfo *provider.UserInfo, settings *kubermaticv1.KubermaticSetting) (*kubermaticv1.KubermaticSetting, error)

func (*SettingsProvider) WatchGlobalSettings

func (s *SettingsProvider) WatchGlobalSettings() (watch.Interface, error)

type UserClusterConnectionProvider

type UserClusterConnectionProvider interface {
	GetClient(context.Context, *kubermaticv1.Cluster, ...k8cuserclusterclient.ConfigOption) (ctrlruntimeclient.Client, error)
}

UserClusterConnectionProvider offers functions to interact with an user cluster

type UserProvider

type UserProvider struct {
	// contains filtered or unexported fields
}

UserProvider manages user resources

func NewUserProvider

func NewUserProvider(runtimeClient ctrlruntimeclient.Client, isServiceAccountFunc func(email string) bool,
	client kubermaticclientset.Interface) *UserProvider

NewUserProvider returns a user provider

func (*UserProvider) AddUserTokenToBlacklist

func (p *UserProvider) AddUserTokenToBlacklist(user *kubermaticv1.User, token string, expiry apiv1.Time) error

func (*UserProvider) CreateUser

func (p *UserProvider) CreateUser(id, name, email string) (*kubermaticv1.User, error)

CreateUser creates a new user.

Note that the name of the newly created resource will be unique, as it is derived from the user's email address (sha256(email)). This prevents creating multiple resources for the same user with the same email address.

In the beginning I was considering hex-encoding the email address, as that would also produce a unique output because the email address is unique. The only issue I found with this approach is that the length can get quite long quite fast. Thus I decided to use sha256, as it produces a fixed-length output and hash collisions are very, very, very, very rare.

func (*UserProvider) GetUserBlacklistTokens

func (p *UserProvider) GetUserBlacklistTokens(user *kubermaticv1.User) ([]string, error)

func (*UserProvider) UpdateUser

func (p *UserProvider) UpdateUser(user *kubermaticv1.User) (*kubermaticv1.User, error)

UpdateUser updates user.

func (*UserProvider) UserByEmail

func (p *UserProvider) UserByEmail(email string) (*kubermaticv1.User, error)

UserByEmail returns a user by the given email

func (*UserProvider) UserByID

func (p *UserProvider) UserByID(id string) (*kubermaticv1.User, error)

UserByID returns a user by the given ID

func (*UserProvider) WatchUser

func (p *UserProvider) WatchUser() (watch.Interface, error)
