Documentation
Index
- Constants
- func AddAWSEBSCSIDriverPermissions(p *Policy, appendSnapshotPermissions bool)
- func AddAWSLoadbalancerControllerPermissions(p *Policy)
- func AddCCMPermissions(p *Policy, cloudRoutes bool)
- func AddClusterAutoscalerPermissions(p *Policy)
- func AddDNSControllerPermissions(b *PolicyBuilder, p *Policy)
- func AddLegacyCCMPermissions(p *Policy)
- func AddNodeTerminationHandlerSQSPermissions(p *Policy)
- func AddServiceAccountRole(context *IAMModelContext, podSpec *corev1.PodSpec, serviceAccountRole Subject) error
- func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error)
- func WriteableVFSPaths(cluster *kops.Cluster, role Subject) ([]vfs.Path, error)
- type Condition
- type GenericServiceAccount
- type IAMModelContext
- type NodeRoleAPIServer
- type NodeRoleBastion
- type NodeRoleMaster
- type NodeRoleNode
- type Policy
- type PolicyBuilder
- type PolicyResource
- type Principal
- type Statement
- type StatementEffect
- type Subject
Constants
const MaxLengthIAMRoleName = 64
MaxLengthIAMRoleName defines the max length of an IAMRole name
const PolicyDefaultVersion = "2012-10-17"
PolicyDefaultVersion is the default version included in all policy documents
Variables
This section is empty.
Functions
func AddAWSEBSCSIDriverPermissions added in v1.21.3
func AddAWSEBSCSIDriverPermissions(p *Policy, appendSnapshotPermissions bool)
AddAWSEBSCSIDriverPermissions appends the policy statements that the AWS EBS CSI Driver needs to operate.
func AddAWSLoadbalancerControllerPermissions added in v1.21.0
func AddAWSLoadbalancerControllerPermissions(p *Policy)
AddAWSLoadbalancerControllerPermissions adds the permissions needed by the AWS Load Balancer Controller to the given policy.
func AddCCMPermissions added in v1.21.3
func AddCCMPermissions(p *Policy, cloudRoutes bool)
func AddClusterAutoscalerPermissions added in v1.21.3
func AddClusterAutoscalerPermissions(p *Policy)
func AddDNSControllerPermissions added in v1.19.0
func AddDNSControllerPermissions(b *PolicyBuilder, p *Policy)
AddDNSControllerPermissions adds the IAM permissions used by the dns-controller. TODO: Move this to dnscontroller, but it requires moving a lot of code around.
func AddLegacyCCMPermissions added in v1.21.3
func AddLegacyCCMPermissions(p *Policy)
func AddNodeTerminationHandlerSQSPermissions added in v1.21.3
func AddNodeTerminationHandlerSQSPermissions(p *Policy)
func AddServiceAccountRole added in v1.19.0
func AddServiceAccountRole(context *IAMModelContext, podSpec *corev1.PodSpec, serviceAccountRole Subject) error
AddServiceAccountRole adds the mounts and environment variables needed for a pod to use a service-account role.
func ReadableStatePaths added in v1.19.0
func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error)
ReadableStatePaths returns the file paths that should be readable in the cluster's state store "directory".
func WriteableVFSPaths
func WriteableVFSPaths(cluster *kops.Cluster, role Subject) ([]vfs.Path, error)
Types
type Condition
type Condition map[string]interface{}
Condition is a map of Conditions to be evaluated for a given IAM Statement.
type GenericServiceAccount added in v1.21.0
type GenericServiceAccount struct {
	NamespacedName types.NamespacedName
	Policy         *Policy
}
func (*GenericServiceAccount) BuildAWSPolicy added in v1.21.0
func (g *GenericServiceAccount) BuildAWSPolicy(*PolicyBuilder) (*Policy, error)
func (*GenericServiceAccount) ServiceAccount added in v1.21.0
func (g *GenericServiceAccount) ServiceAccount() (types.NamespacedName, bool)
type IAMModelContext added in v1.19.0
type IAMModelContext struct {
	// AWSAccountID holds the 12 digit AWS account ID, when running on AWS
	AWSAccountID string
	// AWSPartition defines the partition of the AWS account, typically "aws", "aws-cn", or "aws-us-gov"
	AWSPartition string

	Cluster *kops.Cluster
}
func (*IAMModelContext) ClusterName added in v1.19.0
func (b *IAMModelContext) ClusterName() string
ClusterName returns the cluster name.
func (*IAMModelContext) IAMNameForServiceAccountRole added in v1.19.0
func (b *IAMModelContext) IAMNameForServiceAccountRole(role Subject) (string, error)
IAMNameForServiceAccountRole determines the name of the IAM Role and Instance Profile to use for the service-account role.
type NodeRoleAPIServer added in v1.21.0
type NodeRoleAPIServer struct {
	// contains filtered or unexported fields
}
NodeRoleAPIServer represents the role of API server-only nodes, and implements Subject.
func (*NodeRoleAPIServer) BuildAWSPolicy added in v1.21.0
func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)
BuildAWSPolicy generates a custom policy for a Kubernetes master.
func (*NodeRoleAPIServer) ServiceAccount added in v1.21.0
func (_ *NodeRoleAPIServer) ServiceAccount() (types.NamespacedName, bool)
ServiceAccount implements Subject.
type NodeRoleBastion added in v1.19.0
type NodeRoleBastion struct{}
NodeRoleBastion represents the role of bastion nodes, and implements Subject.
func (*NodeRoleBastion) BuildAWSPolicy added in v1.19.0
func (r *NodeRoleBastion) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)
BuildAWSPolicy generates a custom policy for a bastion host.
func (*NodeRoleBastion) ServiceAccount added in v1.19.0
func (_ *NodeRoleBastion) ServiceAccount() (types.NamespacedName, bool)
ServiceAccount implements Subject.
type NodeRoleMaster added in v1.19.0
type NodeRoleMaster struct{}
NodeRoleMaster represents the role of control-plane nodes, and implements Subject.
func (*NodeRoleMaster) BuildAWSPolicy added in v1.19.0
func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)
BuildAWSPolicy generates a custom policy for a Kubernetes master.
func (*NodeRoleMaster) ServiceAccount added in v1.19.0
func (_ *NodeRoleMaster) ServiceAccount() (types.NamespacedName, bool)
ServiceAccount implements Subject.
type NodeRoleNode added in v1.19.0
type NodeRoleNode struct {
	// contains filtered or unexported fields
}
NodeRoleNode represents the role of normal ("worker") nodes, and implements Subject.
func (*NodeRoleNode) BuildAWSPolicy added in v1.19.0
func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)
BuildAWSPolicy generates a custom policy for a Kubernetes node.
func (*NodeRoleNode) ServiceAccount added in v1.19.0
func (_ *NodeRoleNode) ServiceAccount() (types.NamespacedName, bool)
ServiceAccount implements Subject.
type Policy
type Policy struct {
	Statement []*Statement
	Version   string
	// contains filtered or unexported fields
}
Policy is a collection of fields that form a valid AWS policy document.
type PolicyBuilder
type PolicyBuilder struct {
	Cluster                               *kops.Cluster
	HostedZoneID                          string
	KMSKeys                               []string
	Region                                string
	ResourceARN                           *string
	Role                                  Subject
	UseServiceAccountExternalPermisssions bool
}
PolicyBuilder defines all valid fields to be used when building the AWS IAM policy document for a given instance group role.
func (*PolicyBuilder) AddS3Permissions
func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error)
AddS3Permissions builds an IAM Policy with statements granting tailored access to S3 assets, depending on the instance group or service-account role.
func (*PolicyBuilder) BuildAWSPolicy
func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error)
BuildAWSPolicy builds a set of IAM policy statements based on the instance group type and the IAM Legacy flag within the Cluster Spec.
func (*PolicyBuilder) IAMPrefix
func (b *PolicyBuilder) IAMPrefix() string
IAMPrefix returns the prefix for AWS ARNs in the current region, for use with IAM. It is arn:aws in the default aws partition but differs in other isolated or non-standard partitions.
type PolicyResource
type PolicyResource struct {
	Builder *PolicyBuilder
	DNSZone *awstasks.DNSZone
}
PolicyResource defines the PolicyBuilder and DNSZone to use when building the IAM policy document for a given instance group role.
func (*PolicyResource) GetDependencies
GetDependencies adds the DNSZone task to the list of dependencies if set.
type Statement
type Statement struct {
	Effect    StatementEffect
	Principal Principal
	Action    stringorslice.StringOrSlice
	Resource  stringorslice.StringOrSlice
	Condition Condition
}
Statement is an AWS IAM Policy Statement Object: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Statement
func ParseStatements added in v1.11.0
ParseStatements parses JSON into a list of Statements.
func (*Statement) Equal
Equal compares two IAM Statements and returns a bool. TODO: Extend to support Condition Keys
func (*Statement) MarshalJSON added in v1.19.0
MarshalJSON formats the IAM statement to satisfy the AWS IAM restrictions. For example, `Resource: []` is not allowed, but Go would force us to use pointers.
type StatementEffect
type StatementEffect string
StatementEffect is required and specifies what type of access the statement results in.
const StatementEffectAllow StatementEffect = "Allow"
StatementEffectAllow allows access for the given resources in the statement (based on conditions).
const StatementEffectDeny StatementEffect = "Deny"
StatementEffectDeny denies access for the given resources in the statement (based on conditions).
type Subject added in v1.19.0
type Subject interface {
	// BuildAWSPolicy builds the AWS permissions for the given subject.
	BuildAWSPolicy(*PolicyBuilder) (*Policy, error)

	// ServiceAccount returns the kubernetes service account used by pods with this specified role.
	// For node roles, it returns an empty NamespacedName and false.
	ServiceAccount() (types.NamespacedName, bool)
}
Subject represents an IAM identity to which permissions are granted. It is implemented by NodeRole objects and per-ServiceAccount objects.
func BuildNodeRoleSubject added in v1.19.0
func BuildNodeRoleSubject(igRole kops.InstanceGroupRole, enableLifecycleHookPermissions bool) (Subject, error)
BuildNodeRoleSubject returns a Subject implementation for the specified InstanceGroupRole.