Documentation
¶
Index ¶
- func AddGraphEventHandlers(graph *Graph, nodes corev1informers.NodeInformer, ...)
- func RegisterMetrics()
- type Graph
- func (g *Graph) AddPV(pv *corev1.PersistentVolume)
- func (g *Graph) AddPod(pod *corev1.Pod)
- func (g *Graph) AddResourceSlice(sliceName, nodeName string)
- func (g *Graph) AddVolumeAttachment(attachmentName, nodeName string)
- func (g *Graph) DeletePV(name string)
- func (g *Graph) DeletePod(name, namespace string)
- func (g *Graph) DeleteResourceSlice(sliceName string)
- func (g *Graph) DeleteVolumeAttachment(name string)
- type NodeAuthorizer
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddGraphEventHandlers ¶
func AddGraphEventHandlers( graph *Graph, nodes corev1informers.NodeInformer, pods corev1informers.PodInformer, pvs corev1informers.PersistentVolumeInformer, attachments storageinformers.VolumeAttachmentInformer, slices resourcev1alpha2informers.ResourceSliceInformer, )
func RegisterMetrics ¶ added in v1.20.0
func RegisterMetrics()
RegisterMetrics registers metrics for node package.
Types ¶
type Graph ¶
type Graph struct {
// contains filtered or unexported fields
}
Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:
node <- pod pod <- secret,configmap,pvc pvc <- pv pv <- secret
func (*Graph) AddPV ¶
func (g *Graph) AddPV(pv *corev1.PersistentVolume)
AddPV sets up edges for the following relationships:
secret -> pv pv -> pvc
func (*Graph) AddPod ¶
AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once bound to a node):
pod -> node secret -> pod configmap -> pod pvc -> pod svcacct -> pod
func (*Graph) AddResourceSlice ¶ added in v1.30.0
AddResourceSlice sets up edges for the following relationships:
node resource slice -> node
func (*Graph) AddVolumeAttachment ¶ added in v1.10.0
AddVolumeAttachment sets up edges for the following relationships:
volume attachment -> node
func (*Graph) DeleteResourceSlice ¶ added in v1.30.0
func (*Graph) DeleteVolumeAttachment ¶ added in v1.10.0
type NodeAuthorizer ¶
type NodeAuthorizer struct {
// contains filtered or unexported fields
}
NodeAuthorizer authorizes requests from kubelets, with the following logic:
- If a request is not from a node (NodeIdentity() returns isNode=false), reject
- If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject
- If a request is for a secret, configmap, persistent volume, resource claim, or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node: node <- configmap node <- pod node <- pod <- secret node <- pod <- configmap node <- pod <- pvc node <- pod <- pvc <- pv node <- pod <- pvc <- pv <- secret node <- pod <- ResourceClaim
- If a request is for a resourceslice, then authorize access if there is an edge from the existing slice object to the node, which is the case if the existing object has the node in its NodeName field. For create, the access gets granted because the noderestriction admission plugin checks that the NodeName is set to the node.
- For other resources, authorize all nodes uniformly using statically defined rules
func NewAuthorizer ¶
func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) *NodeAuthorizer
NewAuthorizer returns a new node authorizer
func (*NodeAuthorizer) Authorize ¶
func (r *NodeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error)
func (*NodeAuthorizer) RulesFor ¶ added in v1.19.0
func (r *NodeAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
Source Files