package node

v1.32.1
Published: Jan 15, 2025 License: Apache-2.0 Imports: 36 Imported by: 61

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func RegisterMetrics added in v1.20.0

func RegisterMetrics()

RegisterMetrics registers metrics for the node package.

Types

type Graph

type Graph struct {
	// contains filtered or unexported fields
}

Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:

node <- pod
pod  <- secret,configmap,pvc
pvc  <- pv
pv   <- secret

func NewGraph

func NewGraph() *Graph

func (*Graph) AddPV

func (g *Graph) AddPV(pv *corev1.PersistentVolume)

AddPV sets up edges for the following relationships:

secret -> pv

pv -> pvc

func (*Graph) AddPod

func (g *Graph) AddPod(pod *corev1.Pod)

AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once bound to a node):

pod       -> node
secret    -> pod
configmap -> pod
pvc       -> pod
svcacct   -> pod

func (*Graph) AddResourceSlice added in v1.30.0

func (g *Graph) AddResourceSlice(sliceName, nodeName string)

AddResourceSlice sets up edges for the following relationships:

node resource slice -> node

func (*Graph) AddVolumeAttachment added in v1.10.0

func (g *Graph) AddVolumeAttachment(attachmentName, nodeName string)

AddVolumeAttachment sets up edges for the following relationships:

volume attachment -> node

func (*Graph) DeletePV

func (g *Graph) DeletePV(name string)

func (*Graph) DeletePod

func (g *Graph) DeletePod(name, namespace string)

func (*Graph) DeleteResourceSlice added in v1.30.0

func (g *Graph) DeleteResourceSlice(sliceName string)

func (*Graph) DeleteVolumeAttachment added in v1.10.0

func (g *Graph) DeleteVolumeAttachment(name string)

type NodeAuthorizer

type NodeAuthorizer struct {
	// contains filtered or unexported fields
}

NodeAuthorizer authorizes requests from kubelets, with the following logic:

  1. If a request is not from a node (NodeIdentity() returns isNode=false), reject
  2. If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject
  3. If a request is for a secret, configmap, persistent volume, resource claim, or persistent volume claim, reject unless the verb is get and the requested object is related to the requesting node along one of these paths:
       node <- configmap
       node <- pod
       node <- pod <- secret
       node <- pod <- configmap
       node <- pod <- pvc
       node <- pod <- pvc <- pv
       node <- pod <- pvc <- pv <- secret
       node <- pod <- ResourceClaim
  4. If a request is for a resourceslice, authorize access if there is an edge from the existing slice object to the node, which is the case if the existing object has the node in its NodeName field. For create, access is granted because the noderestriction admission plugin checks that the NodeName is set to the node.
  5. For other resources, authorize all nodes uniformly using statically defined rules
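As an added illustration, not code from the Kubernetes node authorizer itself, the following Go model implements rule 3 over a graph shaped like the one AddPod and AddPV build: edges point toward the node, a read is allowed only when the requested object's vertex reaches the requesting node's vertex, and any other verb is refused. The vertex kinds, namespaces and object names are constructed, and the NodeIdentity checks of rules 1 and 2 and the static rules of rule 5 are left out.

```go
package main

// Constructed example, not the node authorizer's own code: every edge points toward a node vertex.
type vertex struct{ kind, namespace, name string }

// graph maps each vertex to the vertices its edges point at (e.g. secret -> pod -> node).
type graph map[vertex][]vertex

func (g graph) addEdge(from, to vertex) { g[from] = append(g[from], to) }

// reachesNode follows edges from start and reports whether the named node's vertex is
// reachable; the visited set keeps a malformed cyclic graph from looping forever.
func (g graph) reachesNode(start vertex, node string) bool {
	target, seen := vertex{"node", "", node}, map[vertex]bool{}
	for stack := []vertex{start}; len(stack) > 0; {
		v := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if v == target {
			return true
		}
		if !seen[v] {
			seen[v] = true
			stack = append(stack, g[v]...)
		}
	}
	return false
}

// authorizeGraphGated models rule 3 for a request from the kubelet of "node": graph-gated
// kinds may only be read, and only when the object is related to that node.
func (g graph) authorizeGraphGated(node, verb string, obj vertex) (bool, string) {
	if verb != "get" {
		return false, "only get is allowed for " + obj.kind
	}
	if !g.reachesNode(obj, node) {
		return false, "no relationship to node " + node
	}
	return true, ""
}

// sampleGraph builds the constructed sample (hypothetical names): pod web on node-a mounts secret tls and pvc data; pvc data is bound to pv-1, which references secret creds.
func sampleGraph() graph {
	g := graph{}
	g.addEdge(vertex{"pod", "prod", "web"}, vertex{"node", "", "node-a"})
	g.addEdge(vertex{"secret", "prod", "tls"}, vertex{"pod", "prod", "web"})
	g.addEdge(vertex{"pvc", "prod", "data"}, vertex{"pod", "prod", "web"})
	g.addEdge(vertex{"pv", "", "pv-1"}, vertex{"pvc", "prod", "data"})
	g.addEdge(vertex{"secret", "prod", "creds"}, vertex{"pv", "", "pv-1"})
	return g
}
```

With this sample, node-a may get secret creds (reached through pod <- pvc <- pv <- secret) while node-b, which runs no pod using it, is refused, as is any list or watch from node-a.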

func NewAuthorizer

func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) *NodeAuthorizer

NewAuthorizer returns a new node authorizer.

func (*NodeAuthorizer) Authorize

func (*NodeAuthorizer) RulesFor added in v1.19.0
