Documentation
Index
- Constants
- func CredentialIDForJTI(jti string) string
- func GetOrCreateServiceAccount(coreClient v1core.CoreV1Interface, namespace, name string) (*v1.ServiceAccount, error)
- func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool
- func MakeGroupNames(namespace string) []string
- func MakeNamespaceGroupName(namespace string) string
- func MakeUsername(namespace, name string) string
- func MatchesUsername(namespace, name string, username string) bool
- func SplitUsername(username string) (string, string, error)
- func UserInfo(namespace, name, uid string) user.Info
- type ServiceAccountInfo
Constants
const (
    ServiceAccountUsernamePrefix    = "system:serviceaccount:"
    ServiceAccountUsernameSeparator = ":"
    ServiceAccountGroupPrefix       = "system:serviceaccounts:"
    AllServiceAccountsGroup         = "system:serviceaccounts"

    // CredentialIDKey is the key used in a user's "extra" to specify the unique
    // identifier for this identity document.
    CredentialIDKey = "authentication.kubernetes.io/credential-id"

    // IssuedCredentialIDAuditAnnotationKey is the annotation key used in the audit event that is persisted to the
    // '/token' endpoint for service accounts.
    // This annotation indicates the generated credential identifier for the service account token being issued.
    // This is useful when tracing back the origin of tokens that have gone on to make requests that have persisted
    // their credential-identifier into the audit log via the user's extra info stored on subsequent audit events.
    IssuedCredentialIDAuditAnnotationKey = "authentication.kubernetes.io/issued-credential-id"

    // PodNameKey is the key used in a user's "extra" to specify the pod name of
    // the authenticating request.
    PodNameKey = "authentication.kubernetes.io/pod-name"

    // PodUIDKey is the key used in a user's "extra" to specify the pod UID of
    // the authenticating request.
    PodUIDKey = "authentication.kubernetes.io/pod-uid"

    // NodeNameKey is the key used in a user's "extra" to specify the node name of
    // the authenticating request.
    NodeNameKey = "authentication.kubernetes.io/node-name"

    // NodeUIDKey is the key used in a user's "extra" to specify the node UID of
    // the authenticating request.
    NodeUIDKey = "authentication.kubernetes.io/node-uid"
)
Variables
This section is empty.
Functions
func CredentialIDForJTI (added in v0.29.0)
CredentialIDForJTI converts a given JTI string into a credential identifier for use in a user's 'extra' info.
func GetOrCreateServiceAccount (added in v0.20.0)
func GetOrCreateServiceAccount(coreClient v1core.CoreV1Interface, namespace, name string) (*v1.ServiceAccount, error)
func IsServiceAccountToken (added in v0.20.0)
func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool
IsServiceAccountToken returns true if the secret is a valid API token for the service account.
func MakeGroupNames
MakeGroupNames generates service account group names for the given namespace.
func MakeNamespaceGroupName
MakeNamespaceGroupName returns the name of the group all service accounts in the namespace are included in.
func MakeUsername
MakeUsername generates a username from the given namespace and ServiceAccount name. The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name.
func MatchesUsername
MatchesUsername checks whether the provided username matches the namespace and name without allocating. Use this when checking a service account namespace and name against a known string.
func SplitUsername
SplitUsername returns the namespace and ServiceAccount name embedded in the given username, or an error if the username is not a valid name produced by MakeUsername.
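
The tracing that the IssuedCredentialIDAuditAnnotationKey comment describes, as an added example that is not code from this package: it matches the issuance annotation against the credential-id carried in the extra info of later service account requests. The auditEvent type, the function name and the sample values are assumptions made for illustration; only the key strings and the username prefix come from the constants above.

```go
package main

import (
	"fmt"
	"strings"
)

// Values copied from the constants listed on this page.
const (
	saPrefix  = "system:serviceaccount:"
	credKey   = "authentication.kubernetes.io/credential-id"
	issuedKey = "authentication.kubernetes.io/issued-credential-id"
)

// auditEvent is a hypothetical, trimmed view of one audit log entry.
type auditEvent struct {
	AuditID, Username string
	Extra             map[string][]string // the user's "extra" info
	Annotations       map[string]string   // audit event annotations
}

// traceCredential finds the event that issued credID and the requests that presented it.
func traceCredential(events []auditEvent, credID string) (issuedBy string, usedBy []string) {
	if credID == "" {
		return "", nil // "" would match every event that lacks the annotation
	}
	for _, e := range events {
		if e.Annotations[issuedKey] == credID {
			issuedBy = e.AuditID
		}
		if !strings.HasPrefix(e.Username, saPrefix) {
			continue // only service account users are in scope here
		}
		for _, id := range e.Extra[credKey] {
			if id == credID {
				usedBy = append(usedBy, e.AuditID)
			}
		}
	}
	return issuedBy, usedBy
}

func main() {
	events := []auditEvent{ // constructed entries, not real log data
		{"a1", "system:node:n1", nil, map[string]string{issuedKey: "JTI=example-1"}},
		{"a2", "system:serviceaccount:ci:builder", map[string][]string{credKey: {"JTI=example-1"}}, nil},
		{"a3", "system:serviceaccount:ci:deploy", map[string][]string{credKey: {"JTI=example-2"}}, nil},
	}
	fmt.Println(traceCredential(events, "JTI=example-1"))
}
```
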