Documentation ¶
Overview ¶
Package serviceaccount enforces all pods having an associated serviceaccount, and all containers mounting the API token for that serviceaccount at a known location
Index ¶
- Constants
- func Register(plugins *admission.Plugins)
- type Plugin
- func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)
- func (s *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate)
- func (s *Plugin) SetExternalKubeClientSet(cl kubernetes.Interface)
- func (s *Plugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory)
- func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)
- func (s *Plugin) ValidateInitialization() error
Constants ¶
const ( // DefaultServiceAccountName is the name of the default service account to set on pods which do not specify a service account DefaultServiceAccountName = "default" // EnforceMountableSecretsAnnotation is a default annotation that indicates that a service account should enforce mountable secrets. // The value must be true to have this annotation take effect EnforceMountableSecretsAnnotation = "kubernetes.io/enforce-mountable-secrets" // ServiceAccountVolumeName is the prefix name that will be added to volumes that mount ServiceAccount secrets ServiceAccountVolumeName = "kube-api-access" // DefaultAPITokenMountPath is the path that ServiceAccountToken secrets are automounted to. // The token file would then be accessible at /var/run/secrets/kubernetes.io/serviceaccount DefaultAPITokenMountPath = "/var/run/secrets/kubernetes.io/serviceaccount" // PluginName is the name of this admission plugin PluginName = "ServiceAccount" )
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Plugin ¶ added in v1.15.0
type Plugin struct { *admission.Handler // LimitSecretReferences rejects pods that reference secrets their service accounts do not reference LimitSecretReferences bool // RequireAPIToken determines whether pod creation attempts are rejected if no API token exists for the pod's service account RequireAPIToken bool // MountServiceAccountToken creates Volume and VolumeMounts for the first referenced ServiceAccountToken for the pod's service account MountServiceAccountToken bool // contains filtered or unexported fields }
Plugin contains the client used by the admission controller
func NewServiceAccount ¶
func NewServiceAccount() *Plugin
NewServiceAccount returns an admission.Interface implementation which limits admission of Pod CREATE requests based on the pod's ServiceAccount: 1. If the pod does not specify a ServiceAccount, it sets the pod's ServiceAccount to "default" 2. It ensures the ServiceAccount referenced by the pod exists 3. If LimitSecretReferences is true, it rejects the pod if the pod references Secret objects which the pod's ServiceAccount does not reference 4. If the pod does not contain any ImagePullSecrets, the ImagePullSecrets of the service account are added. 5. If MountServiceAccountToken is true, it adds a VolumeMount with the pod's ServiceAccount's api token secret to containers
func (*Plugin) Admit ¶ added in v1.15.0
func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)
Admit verifies if the pod should be admitted
func (*Plugin) InspectFeatureGates ¶ added in v1.17.0
func (s *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate)
InspectFeatureGates allows setting bools without taking a dep on a global variable
func (*Plugin) SetExternalKubeClientSet ¶ added in v1.15.0
func (s *Plugin) SetExternalKubeClientSet(cl kubernetes.Interface)
SetExternalKubeClientSet sets the client for the plugin
func (*Plugin) SetExternalKubeInformerFactory ¶ added in v1.15.0
func (s *Plugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory)
SetExternalKubeInformerFactory registers informers with the plugin
func (*Plugin) Validate ¶ added in v1.15.0
func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)
Validate the data we obtained
func (*Plugin) ValidateInitialization ¶ added in v1.15.0
ValidateInitialization ensures an authorizer is set.