Documentation
Index
- Constants
- type KubeMgr
- func (k *KubeMgr) Create(ns string, sid string, isCm bool, guardianSpec *spec.GuardianSpec) error
- func (k *KubeMgr) DeletePod(ns string, podname string)
- func (k *KubeMgr) GetGuardian(ns string, sid string, cm bool, autoActivate bool) *spec.GuardianSpec
- func (k *KubeMgr) InitConfigs()
- func (k *KubeMgr) Read(ns string, sid string, isCm bool) (*spec.GuardianSpec, error)
- func (k *KubeMgr) Set(ns string, sid string, isCm bool, guardianSpec *spec.GuardianSpec) error
- func (k *KubeMgr) TokenData(token string, labels []string) (podname string, sid string, ns string, err error)
- func (k *KubeMgr) Watch(ns string, cmFlag bool, ...)
- func (k *KubeMgr) WatchOnce(ns string, cmFlag bool, ...) (e error)
- type KubeMgrInterface
Constants
const ServiceAudience = "guard-service"
Variables
This section is empty.
Functions
This section is empty.
Types
type KubeMgr
type KubeMgr struct {
// contains filtered or unexported fields
}
KubeMgr manages Guardian CRDs and Guardian ConfigMaps (CMs).
func (*KubeMgr) Create
Create - Creates a new Guardian resource (ConfigMap or CRD) using a delete-then-create sequence. In rare cases, the resource may be created by another entity after the delete and before the create, which results in a failure to write the data. This may happen, for example, when a manual update is performed in parallel with an update from the guard-service. Loss of a manual update is reported to the user, who will normally retry. Guard-service updates occur periodically, so a lost guard-service update does not result in lost data.
func (*KubeMgr) GetGuardian
GetGuardian - Returns a Guardian that was read from a CRD or from a ConfigMap, or an auto-activated Guardian. Never returns nil.
- ns is the namespace being used
- sid is the service identifier being used
- cm - if true, a ConfigMap; otherwise a CRD
- autoActivate - if true, when a default Guardian is returned, set it to auto-activate mode
func (*KubeMgr) InitConfigs
func (k *KubeMgr) InitConfigs()
Initialize the Kubernetes client and CRD client to communicate with the KubeApi
func (*KubeMgr) Read
Read - Reads a Guardian ConfigMap or CRD from the KubeApi. Returns a Guardian. Returns an error if it cannot read a well-structured Guardian.
func (*KubeMgr) Set
Set - Sets a Guardian resource (ConfigMap or CRD). Uses update if the resource exists and create if it does not. If the resource that was read is corrupted, tries to update it using a well-structured one. Uses a client-side read-then-write sequence. In rare cases, the resource may be updated after the read and before the write, which results in a failure to write the data. This may happen, for example, when a manual update is performed in parallel with an update from the guard-service. Loss of a manual update is reported to the user, who will normally retry. Guard-service updates occur periodically, so a lost guard-service update does not result in lost data.
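The Set and Create sequences described above, modeled against an in-memory store as an added example (not the package's own code). The names store, object, setGuardian, createGuardian and the between hook are hypothetical, and the version check is an assumption standing in for the API server rejecting a write based on stale state.

```go
package main

import "errors"
import "fmt"

var ErrConflict = errors.New("resource changed after it was read")
var ErrExists = errors.New("resource already exists")

// object carries a version; assumption: models a Kubernetes-style resourceVersion check.
type object struct{ data string; version int }

// store is a constructed in-memory stand-in for the KubeApi, not a real client.
type store map[string]object

func (s store) create(name, data string) error {
	if _, ok := s[name]; ok {
		return ErrExists
	}
	s[name] = object{data, 1}
	return nil
}
func (s store) update(name, data string, seen int) error {
	if s[name].version != seen {
		return ErrConflict
	}
	s[name] = object{data, seen + 1}
	return nil
}

// setGuardian: read, then update or create; between runs in the read-to-write window.
func setGuardian(s store, name, data string, between func()) error {
	o, found := s[name]
	between()
	if found {
		return s.update(name, data, o.version)
	}
	return s.create(name, data)
}

// createGuardian: delete, then create; between runs in the delete-to-create window.
func createGuardian(s store, name, data string, between func()) error {
	delete(s, name)
	between()
	return s.create(name, data)
}

func main() {
	s := store{"sid1": {"v0", 1}} // constructed sample resource
	manual := func() { s["sid1"] = object{"manual", s["sid1"].version + 1} }
	fmt.Println(setGuardian(s, "sid1", "learned", manual), createGuardian(s, "sid1", "fresh", manual))
}
```

In both failing cases the competing manual write survives and the caller gets an error, so a repeated call with no interference succeeds.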
func (*KubeMgr) Watch
func (k *KubeMgr) Watch(ns string, cmFlag bool, set func(ns string, sid string, cmFlag bool, g *spec.GuardianSpec))
Watch never returns; run it in a goroutine. It watches for changes in Guardian CRDs and Guardian ConfigMaps. Regardless of how an update arrives, cmFlag is passed to set(), because that is what the guard-gate is configured for.
func (*KubeMgr) WatchOnce
func (k *KubeMgr) WatchOnce(ns string, cmFlag bool, set func(ns string, sid string, cmFlag bool, g *spec.GuardianSpec)) (e error)
WatchOnce watches for changes in Guardian CRDs and Guardian ConfigMaps. Regardless of how an update arrives, cmFlag is passed to set(), because that is what the guard-gate is configured for.
type KubeMgrInterface
type KubeMgrInterface interface {
	InitConfigs()
	Read(ns string, sid string, isCm bool) (*spec.GuardianSpec, error)
	Create(ns string, sid string, isCm bool, guardianSpec *spec.GuardianSpec) error
	Set(ns string, sid string, isCm bool, guardianSpec *spec.GuardianSpec) error
	GetGuardian(ns string, sid string, cm bool, autoActivate bool) *spec.GuardianSpec
	Watch(ns string, cmFlag bool, set func(ns string, sid string, cmFlag bool, g *spec.GuardianSpec))
	TokenData(token string, labels []string) (podname string, sid string, ns string, err error)
	DeletePod(ns string, podname string)
}
func NewKubeMgr
func NewKubeMgr() KubeMgrInterface