Documentation ¶
Index ¶
- Constants
- func DeleteOIDCServiceAccountIfExists(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, ...) error
- func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, ...) error
- func EventPolicyEventHandler(indexer cache.Indexer, gk schema.GroupKind, ...) cache.ResourceEventHandler
- func GetApplyingResourcesOfEventPolicyForGK(eventPolicy *v1alpha1.EventPolicy, gk schema.GroupKind, ...) ([]string, error)
- func GetAudience(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string
- func GetAudienceDirect(gvk schema.GroupVersionKind, ns, name string) string
- func GetEventPoliciesForResource(lister listerseventingv1alpha1.EventPolicyLister, ...) ([]*v1alpha1.EventPolicy, error)
- func GetJWTExpiry(token string) (time.Time, error)
- func GetJWTFromHeader(header http.Header) string
- func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) *v1.ServiceAccount
- func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string
- func ResolveSubjects(resolver *resolver.AuthenticatableResolver, eventPolicy *v1alpha1.EventPolicy) ([]string, error)
- func SetAuthHeader(jwt string, header http.Header)
- func SetupOIDCServiceAccount(ctx context.Context, flags feature.Flags, ...) pkgreconciler.Event
- func SubjectAndFiltersPass(ctx context.Context, sub string, allowedSubsWithFilters []subjectsWithFilters, ...) bool
- func UpdateStatusWithEventPolicies(featureFlags feature.Flags, status *eventingduckv1.AppliedEventPoliciesStatus, ...) error
- func UpdateStatusWithProvidedEventPolicies(featureFlags feature.Flags, status *eventingduckv1.AppliedEventPoliciesStatus, ...) error
- type EventPolicyStatusMarker
- type IDToken
- type OIDCIdentityStatusMarker
- type OIDCTokenProvider
- type Verifier
Constants ¶
const (
	// OIDCLabelKey is the label key placed on OIDC-related resources; informers
	// filter on it so that only objects belonging to the OIDC work are watched.
	OIDCLabelKey = "eventing.knative.dev/oidc"

	// OIDCLabelSelector is the label selector used to list the OIDC resources.
	// It is the bare label key, i.e. it selects on the presence of OIDCLabelKey.
	OIDCLabelSelector = OIDCLabelKey
)
// AuthHeaderKey is the name of the HTTP header that carries the bearer JWT
// (see SetAuthHeader and GetJWTFromHeader).
const AuthHeaderKey = "Authorization"
// TokenExpirationTime is the token lifetime used by this package: one hour.
// NOTE(review): presumably the expiration requested when a service-account
// token is minted — confirm at the call site.
const TokenExpirationTime = time.Hour
Variables ¶
This section is empty.
Functions ¶
func DeleteOIDCServiceAccountIfExists ¶ added in v0.40.0
func DeleteOIDCServiceAccountIfExists(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) error
DeleteOIDCServiceAccountIfExists makes sure the given resource does not have an OIDC service account. If it does, that service account is deleted.
func EnsureOIDCServiceAccountExistsForResource ¶
func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) error
EnsureOIDCServiceAccountExistsForResource makes sure the given resource has an OIDC service account with an owner reference to the resource set.
func EventPolicyEventHandler ¶ added in v0.42.0
func EventPolicyEventHandler(indexer cache.Indexer, gk schema.GroupKind, enqueueFn func(key types.NamespacedName)) cache.ResourceEventHandler
EventPolicyEventHandler returns a ResourceEventHandler which passes the resources referenced by the EventPolicy to enqueueFn if the EventPolicy was referencing, or was updated and now references, a resource of the given GroupKind.
func GetApplyingResourcesOfEventPolicyForGK ¶ added in v0.42.0
func GetApplyingResourcesOfEventPolicyForGK(eventPolicy *v1alpha1.EventPolicy, gk schema.GroupKind, gkIndexer cache.Indexer) ([]string, error)
GetApplyingResourcesOfEventPolicyForGK returns all applying resource names of GK of the given event policy. It returns only the names, as the resources are part of the same namespace as the event policy.
This function is effectively the inverse of GetEventPoliciesForResource.
func GetAudience ¶
func GetAudience(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string
GetAudience returns the audience string for the given object in the format <group>/<kind>/<namespace>/<name>.
func GetAudienceDirect ¶ added in v0.42.0
func GetAudienceDirect(gvk schema.GroupVersionKind, ns, name string) string
GetAudienceDirect returns the audience string for the object identified by gvk, ns and name in the format <group>/<kind>/<namespace>/<name>.
func GetEventPoliciesForResource ¶ added in v0.42.0
func GetEventPoliciesForResource(lister listerseventingv1alpha1.EventPolicyLister, resourceGVK schema.GroupVersionKind, resourceObjectMeta metav1.ObjectMeta) ([]*v1alpha1.EventPolicy, error)
GetEventPoliciesForResource returns the EventPolicies that apply to the given resource.
func GetJWTExpiry ¶ added in v0.40.0
GetJWTExpiry returns the expiry time of the token in UTC.
func GetJWTFromHeader ¶
GetJWTFromHeader returns the JWT from the Authorization header.
func GetOIDCServiceAccountForResource ¶
func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) *v1.ServiceAccount
GetOIDCServiceAccountForResource returns the service account to use for OIDC authentication for the given resource.
func GetOIDCServiceAccountNameForResource ¶
func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string
GetOIDCServiceAccountNameForResource returns the service account name to use for OIDC authentication for the given resource.
func ResolveSubjects ¶ added in v0.42.0
func ResolveSubjects(resolver *resolver.AuthenticatableResolver, eventPolicy *v1alpha1.EventPolicy) ([]string, error)
ResolveSubjects returns the OIDC service account names for the objects referenced in the EventPolicySpecFrom.
func SetAuthHeader ¶
SetAuthHeader sets the Authorization header with the given JWT.
func SetupOIDCServiceAccount ¶ added in v0.40.0
func SetupOIDCServiceAccount(ctx context.Context, flags feature.Flags, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCIdentityStatusMarker, setAuthStatus func(a *duckv1.AuthStatus)) pkgreconciler.Event
func SubjectAndFiltersPass ¶ added in v0.43.0
func SubjectAndFiltersPass(ctx context.Context, sub string, allowedSubsWithFilters []subjectsWithFilters, event *cloudevents.Event, logger *zap.SugaredLogger) bool
SubjectAndFiltersPass checks whether the given sub is contained in the list of allowed subjects, or matches a prefix pattern in that list (e.g. system:serviceaccounts:my-ns:*), and whether the event passes any filters associated with those subjects for an event policy.
func UpdateStatusWithEventPolicies ¶ added in v0.42.0
func UpdateStatusWithEventPolicies(featureFlags feature.Flags, status *eventingduckv1.AppliedEventPoliciesStatus, statusMarker EventPolicyStatusMarker, eventPolicyLister listerseventingv1alpha1.EventPolicyLister, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) error
func UpdateStatusWithProvidedEventPolicies ¶ added in v0.43.0
func UpdateStatusWithProvidedEventPolicies(featureFlags feature.Flags, status *eventingduckv1.AppliedEventPoliciesStatus, statusMarker EventPolicyStatusMarker, applyingEventPolicies []*v1alpha1.EventPolicy) error
Types ¶
type EventPolicyStatusMarker ¶ added in v0.42.0
// EventPolicyStatusMarker is implemented by resource statuses that can record
// the outcome of applying EventPolicies to the resource.
type EventPolicyStatusMarker interface {
	// MarkEventPoliciesFailed records that applying the event policies failed,
	// with a reason and a printf-style message.
	MarkEventPoliciesFailed(reason, messageFormat string, messageA ...interface{})

	// MarkEventPoliciesUnknown records that the event-policy state could not be
	// determined, with a reason and a printf-style message.
	MarkEventPoliciesUnknown(reason, messageFormat string, messageA ...interface{})

	// MarkEventPoliciesTrue records that the event policies were applied.
	MarkEventPoliciesTrue()

	// MarkEventPoliciesTrueWithReason is MarkEventPoliciesTrue with an
	// explanatory reason and printf-style message.
	MarkEventPoliciesTrueWithReason(reason, messageFormat string, messageA ...interface{})
}
type OIDCIdentityStatusMarker ¶ added in v0.40.0
type OIDCTokenProvider ¶
type OIDCTokenProvider struct {
// contains filtered or unexported fields
}
func NewOIDCTokenProvider ¶
func NewOIDCTokenProvider(ctx context.Context) *OIDCTokenProvider
func (*OIDCTokenProvider) GetJWT ¶
func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience string) (string, error)
GetJWT returns a JWT from the given service account for the given audience, using the token cache (see GetNewJWT to bypass it).
func (*OIDCTokenProvider) GetNewJWT ¶ added in v0.40.0
func (c *OIDCTokenProvider) GetNewJWT(serviceAccount types.NamespacedName, audience string) (string, error)
GetNewJWT returns a new JWT from the given service account for the given audience without using the token cache.
type Verifier ¶ added in v0.43.0
type Verifier struct {
// contains filtered or unexported fields
}
func NewVerifier ¶ added in v0.43.0
func NewVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, cmw configmap.Watcher) *Verifier
func (*Verifier) VerifyRequest ¶ added in v0.43.0
func (v *Verifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error
VerifyRequest verifies AuthN and AuthZ in the request. On verification errors, it sets the response's HTTP status and returns an error.
func (*Verifier) VerifyRequestFromSubject ¶ added in v0.43.0
func (v *Verifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error
VerifyRequestFromSubject verifies AuthN and AuthZ in the request. In the AuthZ part it checks that the request comes from the given allowedSubject. On verification errors, it sets the response's HTTP status and returns an error. This method is similar to VerifyRequest(), except that the AuthZ part verifies that the request comes from the single given subject.