iam

package
v1.27.0-alpha.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 19, 2023 License: Apache-2.0 Imports: 18 Imported by: 68

Documentation

Index

Constants

View Source
const MaxLengthIAMRoleName = 64

MaxLengthIAMRoleName defines the max length of an IAMRole name

View Source
const PolicyDefaultVersion = "2012-10-17"

PolicyDefaultVersion is the default version included in all policy documents

Variables

This section is empty.

Functions

func AddAWSEBSCSIDriverPermissions added in v1.21.3

func AddAWSEBSCSIDriverPermissions(p *Policy, appendSnapshotPermissions bool)

AddAWSEBSCSIDriverPermissions appens policy statements that the AWS EBS CSI Driver needs to operate.

func AddAWSLoadbalancerControllerPermissions added in v1.21.0

func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2, enableShield bool)

AddAWSLoadbalancerControllerPermissions adds the permissions needed for the AWS Load Balancer Controller to the givnen policy

func AddCCMPermissions added in v1.21.3

func AddCCMPermissions(p *Policy, cloudRoutes bool)

func AddClusterAutoscalerPermissions added in v1.21.3

func AddClusterAutoscalerPermissions(p *Policy, useStaticInstanceList bool)

func AddDNSControllerPermissions added in v1.19.0

func AddDNSControllerPermissions(b *PolicyBuilder, p *Policy)

AddDNSControllerPermissions adds IAM permissions used by the dns-controller. TODO: Move this to dnscontroller, but it requires moving a lot of code around.

func AddKubeRouterPermissions added in v1.24.0

func AddKubeRouterPermissions(b *PolicyBuilder, p *Policy)

AddKubeRouterPermissions adds IAM permissions used by kube-router for disabling the source/destination check on EC2 instances.

func AddLegacyCCMPermissions added in v1.21.3

func AddLegacyCCMPermissions(p *Policy)

func AddNodeTerminationHandlerSQSPermissions added in v1.21.3

func AddNodeTerminationHandlerSQSPermissions(p *Policy)

func AddServiceAccountRole added in v1.19.0

func AddServiceAccountRole(context *IAMModelContext, podSpec *corev1.PodSpec, serviceAccountRole Subject) error

AddServiceAccountRole adds the appropriate mounts / env vars to enable a pod to use a service-account role

func IAMNameForServiceAccountRole added in v1.23.0

func IAMNameForServiceAccountRole(name, namespace, clusterName string) string

func ReadableStatePaths added in v1.19.0

func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error)

ReadableStatePaths returns the file paths that should be readable in the cluster's state store "directory"

func WriteableVFSPaths

func WriteableVFSPaths(cluster *kops.Cluster, role Subject) ([]vfs.Path, error)

Types

type Condition

type Condition map[string]interface{}

Condition is a map of Conditions to be evaluated for a given IAM Statement

type GenericServiceAccount added in v1.21.0

type GenericServiceAccount struct {
	NamespacedName types.NamespacedName
	Policy         *Policy
}

func (*GenericServiceAccount) BuildAWSPolicy added in v1.21.0

func (g *GenericServiceAccount) BuildAWSPolicy(*PolicyBuilder) (*Policy, error)

func (*GenericServiceAccount) ServiceAccount added in v1.21.0

func (g *GenericServiceAccount) ServiceAccount() (types.NamespacedName, bool)

type IAMModelContext added in v1.19.0

type IAMModelContext struct {
	// AWSAccountID holds the 12 digit AWS account ID, when running on AWS
	AWSAccountID string
	// AWSPartition defines the partition of the AWS account, typically "aws", "aws-cn", or "aws-us-gov"
	AWSPartition string

	Cluster *kops.Cluster
}

func (*IAMModelContext) ClusterName added in v1.19.0

func (b *IAMModelContext) ClusterName() string

ClusterName returns the cluster name

func (*IAMModelContext) IAMNameForServiceAccountRole added in v1.19.0

func (b *IAMModelContext) IAMNameForServiceAccountRole(role Subject) (string, error)

IAMNameForServiceAccountRole determines the name of the IAM Role and Instance Profile to use for the service-account role

type NodeRoleAPIServer added in v1.21.0

type NodeRoleAPIServer struct {
	// contains filtered or unexported fields
}

NodeRoleAPIServer represents the role of API server-only nodes, and implements Subject.

func (*NodeRoleAPIServer) BuildAWSPolicy added in v1.21.0

func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)

BuildAWSPolicy generates a custom policy for a Kubernetes master.

func (*NodeRoleAPIServer) ServiceAccount added in v1.21.0

func (_ *NodeRoleAPIServer) ServiceAccount() (types.NamespacedName, bool)

ServiceAccount implements Subject.

type NodeRoleBastion added in v1.19.0

type NodeRoleBastion struct{}

NodeRoleNode represents the role of bastion nodes, and implements Subject.

func (*NodeRoleBastion) BuildAWSPolicy added in v1.19.0

func (r *NodeRoleBastion) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)

BuildAWSPolicy generates a custom policy for a bastion host.

func (*NodeRoleBastion) ServiceAccount added in v1.19.0

func (_ *NodeRoleBastion) ServiceAccount() (types.NamespacedName, bool)

ServiceAccount implements Subject.

type NodeRoleMaster added in v1.19.0

type NodeRoleMaster struct{}

NodeRoleMaster represents the role of control-plane nodes, and implements Subject.

func (*NodeRoleMaster) BuildAWSPolicy added in v1.19.0

func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)

BuildAWSPolicy generates a custom policy for a Kubernetes master.

func (*NodeRoleMaster) ServiceAccount added in v1.19.0

func (_ *NodeRoleMaster) ServiceAccount() (types.NamespacedName, bool)

ServiceAccount implements Subject.

type NodeRoleNode added in v1.19.0

type NodeRoleNode struct {
	// contains filtered or unexported fields
}

NodeRoleNode represents the role of normal ("worker") nodes, and implements Subject.

func (*NodeRoleNode) BuildAWSPolicy added in v1.19.0

func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error)

BuildAWSPolicy generates a custom policy for a Kubernetes node.

func (*NodeRoleNode) ServiceAccount added in v1.19.0

func (_ *NodeRoleNode) ServiceAccount() (types.NamespacedName, bool)

ServiceAccount implements Subject.

type Policy

type Policy struct {
	Statement []*Statement

	Version string
	// contains filtered or unexported fields
}

Policy Struct is a collection of fields that form a valid AWS policy document

func NewPolicy added in v1.21.3

func NewPolicy(clusterName, partition string) *Policy

func (*Policy) AddEC2CreateAction added in v1.23.0

func (p *Policy) AddEC2CreateAction(actions, resources []string)

func (*Policy) AddUnconditionalActions added in v1.23.0

func (p *Policy) AddUnconditionalActions(actions ...string)

func (*Policy) AsJSON

func (p *Policy) AsJSON() (string, error)

AsJSON converts the policy document to JSON format (parsable by AWS)

type PolicyBuilder

type PolicyBuilder struct {
	Cluster                               *kops.Cluster
	HostedZoneID                          string
	KMSKeys                               []string
	Region                                string
	Partition                             string
	ResourceARN                           *string
	Role                                  Subject
	UseServiceAccountExternalPermisssions bool
}

PolicyBuilder struct defines all valid fields to be used when building the AWS IAM policy document for a given instance group role.

func (*PolicyBuilder) AddS3Permissions

func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error)

AddS3Permissions builds an IAM Policy, with statements granting tailored access to S3 assets, depending on the instance group or service-account role

func (*PolicyBuilder) BuildAWSPolicy

func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error)

BuildAWSPolicy builds a set of IAM policy statements based on the instance group type and IAM Legacy flag within the Cluster Spec

type PolicyResource

type PolicyResource struct {
	Builder *PolicyBuilder
	DNSZone *awstasks.DNSZone
}

PolicyResource defines the PolicyBuilder and DNSZone to use when building the IAM policy document for a given instance group role

func (*PolicyResource) GetDependencies

func (b *PolicyResource) GetDependencies(tasks map[string]fi.CloudupTask) []fi.CloudupTask

GetDependencies adds the DNSZone task to the list of dependencies if set

func (*PolicyResource) Open

func (b *PolicyResource) Open() (io.Reader, error)

Open produces the AWS IAM policy for the given role

type Principal added in v1.19.0

type Principal struct {
	Federated string `json:",omitempty"`
	Service   string `json:",omitempty"`
}

func (*Principal) IsEmpty added in v1.19.0

func (p *Principal) IsEmpty() bool

type Statement

type Statement struct {
	Effect    StatementEffect
	Principal Principal
	Action    stringorslice.StringOrSlice
	Resource  stringorslice.StringOrSlice
	Condition Condition
}

Statement is an AWS IAM Policy Statement Object: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Statement

func ParseStatements added in v1.11.0

func ParseStatements(policy string) ([]*Statement, error)

ParseStatements parses JSON into a list of Statements

func (*Statement) Equal

func (l *Statement) Equal(r *Statement) bool

Equal compares two IAM Statements and returns a bool TODO: Extend to support Condition Keys

func (*Statement) MarshalJSON added in v1.19.0

func (s *Statement) MarshalJSON() ([]byte, error)

MarshalJSON formats the IAM statement for the AWS IAM restrictions. For example, `Resource: []` is not allowed, but golang would force us to use pointers.

type StatementEffect

type StatementEffect string

StatementEffect is required and specifies what type of access the statement results in

const StatementEffectAllow StatementEffect = "Allow"

StatementEffectAllow allows access for the given resources in the statement (based on conditions)

const StatementEffectDeny StatementEffect = "Deny"

StatementEffectDeny allows access for the given resources in the statement (based on conditions)

type Subject added in v1.19.0

type Subject interface {
	// BuildAWSPolicy builds the AWS permissions for the given subject.
	BuildAWSPolicy(*PolicyBuilder) (*Policy, error)

	// ServiceAccount returns the kubernetes service account used by pods with this specified role.
	// For node roles, it returns an empty NamespacedName and false.
	ServiceAccount() (types.NamespacedName, bool)
}

Subject represents an IAM identity, to which permissions are granted. It is implemented by NodeRole objects and per-ServiceAccount objects.

func BuildNodeRoleSubject added in v1.19.0

func BuildNodeRoleSubject(igRole kops.InstanceGroupRole, enableLifecycleHookPermissions bool) (Subject, error)

BuildNodeRoleSubject returns a Subject implementation for the specified InstanceGroupRole.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL