iam

package
v1.19.0-alpha.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 5, 2020 License: Apache-2.0 Imports: 13 Imported by: 68

Documentation

Index

Constants

View Source
const PolicyDefaultVersion = "2012-10-17"

PolicyDefaultVersion is the default version included in all policy documents

Variables

This section is empty.

Functions

func ReadableStatePaths added in v1.19.0

func ReadableStatePaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]string, error)

ReadableStatePaths returns the file paths that should be readable in the cluster's state store "directory"

func UseBootstrapTokens

func UseBootstrapTokens(cluster *kops.Cluster) bool

UseBootstrapTokens check if we are using bootstrap tokens - @TODO, i don't like this we should probably pass in the kops model into the builder rather than duplicating the code. I'll leave for another PR

func WriteableVFSPaths

func WriteableVFSPaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]vfs.Path, error)

Types

type Condition

type Condition map[string]interface{}

Condition is a map of Conditions to be evaluated for a given IAM Statement

type Policy

type Policy struct {
	Version   string
	Statement []*Statement
}

Policy Struct is a collection of fields that form a valid AWS policy document

func (*Policy) AsJSON

func (p *Policy) AsJSON() (string, error)

AsJSON converts the policy document to JSON format (parsable by AWS)

type PolicyBuilder

type PolicyBuilder struct {
	Cluster      *kops.Cluster
	HostedZoneID string
	KMSKeys      []string
	Region       string
	ResourceARN  *string
	Role         kops.InstanceGroupRole
}

PolicyBuilder struct defines all valid fields to be used when building the AWS IAM policy document for a given instance group role.

func (*PolicyBuilder) AddS3Permissions

func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error)

AddS3Permissions updates an IAM Policy with statements granting tailored access to S3 assets, depending on the instance group role

func (*PolicyBuilder) BuildAWSPolicy

func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error)

BuildAWSPolicy builds a set of IAM policy statements based on the instance group type and IAM Legacy flag within the Cluster Spec

func (*PolicyBuilder) BuildAWSPolicyBastion

func (b *PolicyBuilder) BuildAWSPolicyBastion() (*Policy, error)

BuildAWSPolicyBastion generates a custom policy for a bastion host.

func (*PolicyBuilder) BuildAWSPolicyMaster

func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error)

BuildAWSPolicyMaster generates a custom policy for a Kubernetes master.

func (*PolicyBuilder) BuildAWSPolicyNode

func (b *PolicyBuilder) BuildAWSPolicyNode() (*Policy, error)

BuildAWSPolicyNode generates a custom policy for a Kubernetes node.

func (*PolicyBuilder) IAMPrefix

func (b *PolicyBuilder) IAMPrefix() string

IAMPrefix returns the prefix for AWS ARNs in the current region, for use with IAM it is arn:aws everywhere but in cn-north and us-gov-west-1

type PolicyResource

type PolicyResource struct {
	Builder *PolicyBuilder
	DNSZone *awstasks.DNSZone
}

PolicyResource defines the PolicyBuilder and DNSZone to use when building the IAM policy document for a given instance group role

func (*PolicyResource) GetDependencies

func (b *PolicyResource) GetDependencies(tasks map[string]fi.Task) []fi.Task

GetDependencies adds the DNSZone task to the list of dependencies if set

func (*PolicyResource) Open

func (b *PolicyResource) Open() (io.Reader, error)

Open produces the AWS IAM policy for the given role

type Statement

type Statement struct {
	Effect    StatementEffect
	Action    stringorslice.StringOrSlice
	Resource  stringorslice.StringOrSlice
	Condition Condition `json:",omitempty"`
}

Statement is an AWS IAM Policy Statement Object: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Statement

func ParseStatements added in v1.11.0

func ParseStatements(policy string) ([]*Statement, error)

ParseStatements parses JSON into a list of Statements

func (*Statement) Equal

func (l *Statement) Equal(r *Statement) bool

Equal compares two IAM Statements and returns a bool TODO: Extend to support Condition Keys

type StatementEffect

type StatementEffect string

StatementEffect is required and specifies what type of access the statement results in

const StatementEffectAllow StatementEffect = "Allow"

StatementEffectAllow allows access for the given resources in the statement (based on conditions)

const StatementEffectDeny StatementEffect = "Deny"

StatementEffectDeny allows access for the given resources in the statement (based on conditions)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL