Documentation ¶
Overview ¶
Package rbac contains a controller that is responsible for setting up RBAC to allow users to access the clusters they should be able to access.
Index ¶
Constants ¶
const (
	// OwnerGroupNamePrefix represents owners group prefix
	OwnerGroupNamePrefix = "owners"
	// EditorGroupNamePrefix represents editors group prefix
	EditorGroupNamePrefix = "editors"
	// ViewerGroupNamePrefix represents viewers group prefix
	ViewerGroupNamePrefix = "viewers"
	// ProjectManagerGroupNamePrefix represents project managers group prefix.
	// Can create, update and delete projects and add/remove members & service accounts.
	ProjectManagerGroupNamePrefix = "projectmanagers"
	// RBACResourcesNamePrefix represents kubermatic group prefix
	RBACResourcesNamePrefix = "kubermatic"
)
const (
CleanupFinalizerName = "kubermatic.io/controller-manager-rbac-cleanup"
)
const (
EtcdLauncherServiceAccountName = "etcd-launcher"
)
Variables ¶
var AllGroupsPrefixes = []string{
	OwnerGroupNamePrefix,
	EditorGroupNamePrefix,
	ViewerGroupNamePrefix,
	ProjectManagerGroupNamePrefix,
}
AllGroupsPrefixes holds the list of group prefixes for which the controller generates RBAC Roles and Bindings.
Note: adding a new group prefix also requires updating the generateVerbsForNamedResource method. The actual group names differ from these bare prefixes; see the GenerateActualGroupNameFor function.
Functions ¶
func ExtractGroupPrefix ¶
ExtractGroupPrefix extracts only the group prefix from the given group name.
func GenerateActualGroupNameFor ¶
GenerateActualGroupNameFor generates a group name for the given project and group prefix.
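The two naming helpers above, together with AllGroupsPrefixes, define how a project's RBAC groups are named and recognised. The following is an added example, not the package's own code: it assumes the generated name has the layout "<prefix>-<projectID>" (the page only says the actual names differ from the prefixes), reimplements generation and prefix extraction under that assumption, and adds the check a binding generator should make before granting a group access to a project's resources. Extraction matches against the known prefixes instead of splitting on "-", so a project ID that itself contains hyphens is still recovered intact. The project ID and group names used are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Group prefixes as declared in this package's constants.
const (
	OwnerGroupNamePrefix          = "owners"
	EditorGroupNamePrefix         = "editors"
	ViewerGroupNamePrefix         = "viewers"
	ProjectManagerGroupNamePrefix = "projectmanagers"
)

// AllGroupsPrefixes mirrors the package variable of the same name.
var AllGroupsPrefixes = []string{
	OwnerGroupNamePrefix,
	EditorGroupNamePrefix,
	ViewerGroupNamePrefix,
	ProjectManagerGroupNamePrefix,
}

// ErrUnknownGroup is returned for group names that carry none of the known prefixes.
var ErrUnknownGroup = errors.New("group name does not carry a known prefix")

// generateActualGroupNameFor builds the per-project group name as "<prefix>-<projectID>".
// The "<prefix>-<projectID>" layout is an assumption made for this example.
func generateActualGroupNameFor(projectID, prefix string) string {
	return fmt.Sprintf("%s-%s", prefix, projectID)
}

// extractGroupPrefix returns the prefix and project ID of a generated group name.
// It tests each known prefix followed by "-" rather than splitting on "-", so a
// project ID such as "my-project-x7k2" is not cut in the wrong place.
func extractGroupPrefix(groupName string) (prefix, projectID string, err error) {
	for _, p := range AllGroupsPrefixes {
		if strings.HasPrefix(groupName, p+"-") {
			rest := strings.TrimPrefix(groupName, p+"-")
			if rest == "" {
				break // a bare prefix with no project ID is not a valid group
			}
			return p, rest, nil
		}
	}
	return "", "", ErrUnknownGroup
}

// groupGrantsAccess is the check to run before binding a group to a Role scoped to
// projectID: the group must use a known prefix AND its project ID must equal the
// project the Role belongs to. "owners-other" must never be bound into project "mine",
// no matter how privileged its prefix is.
func groupGrantsAccess(groupName, projectID string) (bool, error) {
	_, pid, err := extractGroupPrefix(groupName)
	if err != nil {
		return false, err
	}
	return pid == projectID, nil
}

func main() {
	const project = "my-project-x7k2" // constructed project ID containing hyphens
	for _, p := range AllGroupsPrefixes {
		g := generateActualGroupNameFor(project, p)
		pfx, pid, err := extractGroupPrefix(g)
		fmt.Printf("%-32s -> prefix=%s project=%s err=%v\n", g, pfx, pid, err)
	}
	ok, err := groupGrantsAccess("owners-other-project", project)
	fmt.Println("owners-other-project may access", project, "?", ok, err)
	ok, err = groupGrantsAccess("admins-"+project, project)
	fmt.Println("admins group recognised?", ok, err)
}
```

The last two calls show the two failure modes the check must reject: a well-formed group belonging to a different project, and a group with an unknown prefix, which is refused with an error rather than silently treated as a viewer.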
Types ¶
type ClusterProvider ¶
type ClusterProvider struct {
// contains filtered or unexported fields
}
ClusterProvider holds the set of clients that allow communication with the cluster and that are required to properly generate RBAC for resources in that particular cluster.
func NewClusterProvider ¶
func NewClusterProvider(providerName string, kubeClient kubernetes.Interface, kubeInformerProvider InformerProvider, kubermaticClient kubermaticclientset.Interface, kubermaticInformerFactory externalversions.SharedInformerFactory) *ClusterProvider
NewClusterProvider creates a brand new ClusterProvider
Note: This method will create and register Listers for RBAC Roles and Bindings
func (*ClusterProvider) AddIndexerFor ¶
func (p *ClusterProvider) AddIndexerFor(indexer cache.Indexer, gvk schema.GroupVersionKind)
AddIndexerFor adds a Lister for the given resource.
Note: this method creates Listers for some resources, for example "cluster" resources.
TODO: try rm this since we have InformerProvider
func (*ClusterProvider) StartInformers ¶
func (p *ClusterProvider) StartInformers(stopCh <-chan struct{})
StartInformers starts shared informers factories
func (*ClusterProvider) WaitForCachesToSync ¶
func (p *ClusterProvider) WaitForCachesToSync(stopCh <-chan struct{}) error
WaitForCachesToSync waits until the caches of all started informers are synced.
type ControllerAggregator ¶
type ControllerAggregator struct {
// contains filtered or unexported fields
}
ControllerAggregator holds the controllers that manage RBAC for projects and their resources.
func New ¶
func New(ctx context.Context, metrics *Metrics, mgr manager.Manager, seedManagerMap map[string]manager.Manager, labelSelectorFunc func(*metav1.ListOptions), workerPredicate predicate.Predicate, workerCount int) (*ControllerAggregator, error)
New creates a new controller aggregator for managing RBAC for resources
type InformerProvider ¶
type InformerProvider interface {
	// KubeInformerFactoryFor registers a shared informer factory for the given namespace
	KubeInformerFactoryFor(namespace string) kubeinformers.SharedInformerFactory
	// StartInformers starts all registered factories
	StartInformers(stopCh <-chan struct{})
	// WaitForCachesToSync waits until caches from all factories are synced
	WaitForCachesToSync(stopCh <-chan struct{}) error
}
InformerProvider stores shared informer factories for the given namespaces; additionally it provides methods for starting and waiting for all registered factories.
type InformerProviderImpl ¶
type InformerProviderImpl struct {
// contains filtered or unexported fields
}
InformerProviderImpl simply holds the namespaced factories.
func NewInformerProvider ¶
func NewInformerProvider(kubeClient kubernetes.Interface, resync time.Duration) *InformerProviderImpl
NewInformerProvider creates a new provider that
func (*InformerProviderImpl) KubeInformerFactoryFor ¶
func (p *InformerProviderImpl) KubeInformerFactoryFor(namespace string) kubeinformers.SharedInformerFactory
KubeInformerFactoryFor registers a shared informer factory for the given namespace
func (*InformerProviderImpl) StartInformers ¶
func (p *InformerProviderImpl) StartInformers(stopCh <-chan struct{})
StartInformers starts all registered factories
func (*InformerProviderImpl) WaitForCachesToSync ¶
func (p *InformerProviderImpl) WaitForCachesToSync(stopCh <-chan struct{}) error
WaitForCachesToSync waits until caches from all factories are synced
type Metrics ¶
type Metrics struct {
Workers prometheus.Gauge
}
Metrics contains metrics that this controller will collect and expose
func NewMetrics ¶
func NewMetrics() *Metrics
NewMetrics creates a Metrics value with default values initialized, so that the metrics always show up.