Documentation
Index
- Constants
- func AddDNSControllerPermissions(b *PolicyBuilder, p *Policy)
- func AddServiceAccountRole(context *IAMModelContext, podSpec *corev1.PodSpec, container *corev1.Container, ...) error
- func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error)
- func ServiceAccountIssuer(clusterName string, clusterSpec *kops.ClusterSpec) (string, error)
- func WriteableVFSPaths(cluster *kops.Cluster, role Subject) ([]vfs.Path, error)
- type Condition
- type IAMModelContext
- type NodeRoleBastion
- type NodeRoleMaster
- type NodeRoleNode
- type Policy
- type PolicyBuilder
- type PolicyResource
- type Principal
- type Statement
- type StatementEffect
- type Subject
Constants
const PolicyDefaultVersion = "2012-10-17"
PolicyDefaultVersion is the default version included in all policy documents
Variables
This section is empty.
Functions
func AddDNSControllerPermissions (added in v1.19.0)
func AddDNSControllerPermissions(b *PolicyBuilder, p *Policy)
AddDNSControllerPermissions adds IAM permissions used by the dns-controller.
TODO: Move this to dnscontroller, but it requires moving a lot of code around.
func AddServiceAccountRole (added in v1.19.0)
func AddServiceAccountRole(context *IAMModelContext, podSpec *corev1.PodSpec, container *corev1.Container, serviceAccountRole Subject) error
AddServiceAccountRole adds the appropriate mounts / env vars to enable a pod to use a service-account role
func ReadableStatePaths (added in v1.19.0)
func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error)
ReadableStatePaths returns the file paths that should be readable in the cluster's state store "directory"
func ServiceAccountIssuer (added in v1.19.0)
func ServiceAccountIssuer(clusterName string, clusterSpec *kops.ClusterSpec) (string, error)
ServiceAccountIssuer determines the issuer in the ServiceAccount JWTs
Types
type Condition
type Condition map[string]interface{}
Condition is a map of Conditions to be evaluated for a given IAM Statement
type IAMModelContext (added in v1.19.0)
type IAMModelContext struct {
	// AWSAccountID holds the 12 digit AWS account ID, when running on AWS
	AWSAccountID string
	// AWSPartition defines the partition of the AWS account, typically "aws", "aws-cn", or "aws-us-gov"
	AWSPartition string
	Cluster *kops.Cluster
}
func (*IAMModelContext) ClusterName (added in v1.19.0)
func (b *IAMModelContext) ClusterName() string
ClusterName returns the cluster name
func (*IAMModelContext) IAMNameForServiceAccountRole (added in v1.19.0)
func (b *IAMModelContext) IAMNameForServiceAccountRole(role Subject) (string, error)
IAMNameForServiceAccountRole determines the name of the IAM Role and Instance Profile to use for the service-account role
type NodeRoleBastion (added in v1.19.0)
type NodeRoleBastion struct { }
NodeRoleBastion represents the role of bastion nodes, and implements Subject.
func (*NodeRoleBastion) BuildAWSPolicy (added in v1.19.0)
func (r *NodeRoleBastion) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)
BuildAWSPolicy generates a custom policy for a bastion host.
func (*NodeRoleBastion) ServiceAccount (added in v1.19.0)
func (_ *NodeRoleBastion) ServiceAccount() (types.NamespacedName, bool)
ServiceAccount implements Subject.
type NodeRoleMaster (added in v1.19.0)
type NodeRoleMaster struct { }
NodeRoleMaster represents the role of control-plane nodes, and implements Subject.
func (*NodeRoleMaster) BuildAWSPolicy (added in v1.19.0)
func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)
BuildAWSPolicy generates a custom policy for a Kubernetes master.
func (*NodeRoleMaster) ServiceAccount (added in v1.19.0)
func (_ *NodeRoleMaster) ServiceAccount() (types.NamespacedName, bool)
ServiceAccount implements Subject.
type NodeRoleNode (added in v1.19.0)
type NodeRoleNode struct { }
NodeRoleNode represents the role of normal ("worker") nodes, and implements Subject.
func (*NodeRoleNode) BuildAWSPolicy (added in v1.19.0)
func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)
BuildAWSPolicy generates a custom policy for a Kubernetes node.
func (*NodeRoleNode) ServiceAccount (added in v1.19.0)
func (_ *NodeRoleNode) ServiceAccount() (types.NamespacedName, bool)
ServiceAccount implements Subject.
type PolicyBuilder
type PolicyBuilder struct {
	Cluster              *kops.Cluster
	HostedZoneID         string
	KMSKeys              []string
	Region               string
	ResourceARN          *string
	Role                 Subject
	UseServiceAccountIAM bool
}
PolicyBuilder struct defines all valid fields to be used when building the AWS IAM policy document for a given instance group role.
func (*PolicyBuilder) AddS3Permissions
func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error)
AddS3Permissions builds an IAM Policy, with statements granting tailored access to S3 assets, depending on the instance group or service-account role
func (*PolicyBuilder) BuildAWSPolicy
func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error)
BuildAWSPolicy builds a set of IAM policy statements based on the instance group type and IAM Legacy flag within the Cluster Spec
func (*PolicyBuilder) IAMPrefix
func (b *PolicyBuilder) IAMPrefix() string
IAMPrefix returns the prefix for AWS ARNs in the current region, for use with IAM. It is arn:aws everywhere except in cn-north and us-gov-west-1.
type PolicyResource
type PolicyResource struct {
	Builder *PolicyBuilder
	DNSZone *awstasks.DNSZone
}
PolicyResource defines the PolicyBuilder and DNSZone to use when building the IAM policy document for a given instance group role
func (*PolicyResource) GetDependencies
GetDependencies adds the DNSZone task to the list of dependencies if set
type Statement
type Statement struct {
	Effect    StatementEffect
	Principal Principal
	Action    stringorslice.StringOrSlice
	Resource  stringorslice.StringOrSlice
	Condition Condition
}
Statement is an AWS IAM Policy Statement Object: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Statement
func ParseStatements (added in v1.11.0)
ParseStatements parses JSON into a list of Statements
func (*Statement) Equal
Equal compares two IAM Statements and returns a bool.
TODO: Extend to support Condition Keys
func (*Statement) MarshalJSON (added in v1.19.0)
MarshalJSON formats the IAM statement for the AWS IAM restrictions. For example, `Resource: []` is not allowed, but golang would force us to use pointers.
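The constraint the MarshalJSON note describes, shown as an added example that is not kops' own code: the simplified Statement and Policy types, the omitempty-based wire struct and the HasEmptyResource check are all assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy are simplified stand-ins for the kops types
// (constructed for this example; not the package's own definitions).
type Statement struct {
	Effect    string
	Principal map[string]string
	Action    []string
	Resource  []string
	Condition map[string]interface{}
}

type Policy struct {
	Version   string
	Statement []Statement
}

// MarshalJSON emits only the fields that carry a value. Encoded directly, a
// zero-length Resource slice becomes "Resource": [], which AWS IAM rejects;
// omitempty drops nil and empty slices/maps, so value types can be kept
// instead of pointers.
func (s Statement) MarshalJSON() ([]byte, error) {
	type wire struct {
		Effect    string                 `json:"Effect"`
		Principal map[string]string      `json:"Principal,omitempty"`
		Action    []string               `json:"Action"`
		Resource  []string               `json:"Resource,omitempty"`
		Condition map[string]interface{} `json:"Condition,omitempty"`
	}
	return json.Marshal(wire{s.Effect, s.Principal, s.Action, s.Resource, s.Condition})
}

// RenderStatement encodes one statement. With naive set it converts to a
// defined type, which copies the fields but not the method set, so
// encoding/json's default rules apply and the empty Resource is emitted.
func RenderStatement(s Statement, naive bool) (string, error) {
	var v interface{} = s
	if naive {
		type raw Statement
		v = raw(s)
	}
	b, err := json.Marshal(v)
	return string(b), err
}

// RenderPolicy returns the whole document as IAM would receive it.
func RenderPolicy(p Policy) (string, error) {
	b, err := json.Marshal(p)
	return string(b), err
}

// HasEmptyResource flags the element IAM rejects, a check worth running
// on a rendered document before it is submitted.
func HasEmptyResource(doc string) bool {
	return strings.Contains(doc, `"Resource":[]`)
}

func main() {
	trust := Statement{Effect: "Allow", Principal: map[string]string{"Service": "ec2.amazonaws.com"},
		Action: []string{"sts:AssumeRole"}, Resource: []string{}}
	naive, _ := RenderStatement(trust, true)
	custom, _ := RenderStatement(trust, false)
	fmt.Println(naive, HasEmptyResource(naive))   // "Resource":[] present
	fmt.Println(custom, HasEmptyResource(custom)) // Resource omitted
}
```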
type StatementEffect
type StatementEffect string
StatementEffect is required and specifies what type of access the statement results in
const StatementEffectAllow StatementEffect = "Allow"
StatementEffectAllow allows access for the given resources in the statement (based on conditions)
const StatementEffectDeny StatementEffect = "Deny"
StatementEffectDeny denies access for the given resources in the statement (based on conditions)
type Subject (added in v1.19.0)
type Subject interface {
	// BuildAWSPolicy builds the AWS permissions for the given subject.
	BuildAWSPolicy(*PolicyBuilder) (*Policy, error)

	// ServiceAccount returns the kubernetes service account used by pods with this specified role.
	// For node roles, it returns an empty NamespacedName and false.
	ServiceAccount() (types.NamespacedName, bool)
}
Subject represents an IAM identity, to which permissions are granted. It is implemented by NodeRole objects and per-ServiceAccount objects.
func BuildNodeRoleSubject (added in v1.19.0)
func BuildNodeRoleSubject(igRole kops.InstanceGroupRole) (Subject, error)
BuildNodeRoleSubject returns a Subject implementation for the specified InstanceGroupRole.