Documentation ¶
Overview ¶
Package cache implements a ManifestWork Executor Validator with caching capabilities. It stores the result of whether the executor has operation permission (as answered by a SubjectAccessReview) on a specific resource in a two-level cache data structure: the first-level key is the executor, and the second-level key is the description (dimension) of the operated resource. It also contains a controller that watches the RBAC resources (Role, RoleBinding, ClusterRole, ClusterRoleBinding) related to the executors used by the ManifestWorks in the cluster, and refreshes the cached results of the corresponding executor whenever those RBAC resources change.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
ResyncInterval = 10 * time.Minute
)
Functions ¶
func NewExecutorCacheController ¶
func NewExecutorCacheController(
	ctx context.Context,
	recorder events.Recorder,
	crbInformer rbacv1.ClusterRoleBindingInformer,
	rbInformer rbacv1.RoleBindingInformer,
	crInformer rbacv1.ClusterRoleInformer,
	rInformer rbacv1.RoleInformer,
	manifestWorkExecutorCachesLoader manifestWorkExecutorCachesLoader,
	executorCaches *store.ExecutorCaches,
	sarCheckerFn SubjectAccessReviewCheckFn,
) factory.Controller
NewExecutorCacheController returns an ExecutorCacheController. The controller watches all the RBAC resources (Role, RoleBinding, ClusterRole, ClusterRoleBinding) related to the executors used by the ManifestWorks, and updates the caches of the corresponding executor when those RBAC resources change.
func NewExecutorCacheValidator ¶
func NewExecutorCacheValidator(
	ctx context.Context,
	recorder events.Recorder,
	spokeKubeClient kubernetes.Interface,
	manifestWorkLister worklister.ManifestWorkNamespaceLister,
	restMapper meta.RESTMapper,
	validator *basic.SarValidator,
) *sarCacheValidator
NewExecutorCacheValidator creates a sarCacheValidator, a caching layer in front of the given basic.SarValidator.
Types ¶
type CacheController ¶
type CacheController struct {
// contains filtered or unexported fields
}
CacheController refreshes the executor auth results for ManifestWork workloads on the spoke cluster.
type SubjectAccessReviewCheckFn ¶
type SubjectAccessReviewCheckFn func(ctx context.Context, executor *workapiv1.ManifestWorkSubjectServiceAccount, gvr schema.GroupVersionResource, namespace, name string, ownedByTheWork bool) error
SubjectAccessReviewCheckFn is a function that checks, via a SubjectAccessReview, whether the executor has permission to operate on the resource identified by gvr, namespace and name. ownedByTheWork indicates whether the resource is owned by the ManifestWork, which affects the set of verbs that must be permitted.
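The following is an added illustration, not code from this package: it models the two-level cache described in the Overview (executor key, then resource dimension) together with a check function of the same shape as SubjectAccessReviewCheckFn, so that the invalidation behaviour the controller relies on can be exercised offline. The Executor, GVR, Dimension, AuthCache and grantTable types are local stand-ins for workapiv1.ManifestWorkSubjectServiceAccount, schema.GroupVersionResource and the package's own store.ExecutorCaches; the grant table is constructed data standing in for the spoke cluster's RBAC state, and nothing here talks to an API server.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// ErrForbidden is the definitive "denied" answer of a permission check.
// Only this and nil (allowed) are cached; any other error is treated as
// transient (API server unreachable, etc.) and is never stored.
var ErrForbidden = errors.New("subject access review: forbidden")

// Executor is a stand-in for workapiv1.ManifestWorkSubjectServiceAccount.
type Executor struct{ Namespace, Name string }

// GVR is a stand-in for schema.GroupVersionResource.
type GVR struct{ Group, Version, Resource string }

// CheckFn has the shape of SubjectAccessReviewCheckFn with the local types
// above; a real implementation issues a SubjectAccessReview to the spoke.
type CheckFn func(ctx context.Context, ex Executor, gvr GVR, namespace, name string, ownedByTheWork bool) error

// Dimension is the second-level key: the operated resource plus whether the
// ManifestWork owns it (ownership changes which verbs must be permitted).
type Dimension struct {
	GVR            GVR
	Namespace      string
	Name           string
	OwnedByTheWork bool
}

// AuthCache is the two-level cache: executor -> dimension -> result.
type AuthCache struct {
	mu    sync.RWMutex
	data  map[Executor]map[Dimension]error
	check CheckFn
	calls int // real checks performed; proves that cache hits skip the SAR
}

func NewAuthCache(check CheckFn) *AuthCache {
	return &AuthCache{data: map[Executor]map[Dimension]error{}, check: check}
}

// Allowed returns nil if ex may operate on dim, ErrForbidden if not, serving
// from the cache whenever a definitive answer is already stored.
func (c *AuthCache) Allowed(ctx context.Context, ex Executor, dim Dimension) error {
	c.mu.RLock()
	if byDim, ok := c.data[ex]; ok {
		if res, hit := byDim[dim]; hit {
			c.mu.RUnlock()
			return res
		}
	}
	c.mu.RUnlock()
	err := c.check(ctx, ex, dim.GVR, dim.Namespace, dim.Name, dim.OwnedByTheWork)
	c.mu.Lock()
	defer c.mu.Unlock()
	c.calls++
	if err == nil || errors.Is(err, ErrForbidden) {
		if c.data[ex] == nil {
			c.data[ex] = map[Dimension]error{}
		}
		c.data[ex][dim] = err
	}
	return err
}

// Invalidate drops every cached answer for one executor. This is what the
// RBAC watch does when a Role/RoleBinding/ClusterRole/ClusterRoleBinding
// bound to that executor changes; other executors' entries stay valid.
func (c *AuthCache) Invalidate(ex Executor) {
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.data, ex)
}

// Checks reports how many real permission checks have run.
func (c *AuthCache) Checks() int {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.calls
}

// grantTable is constructed stand-in RBAC state: which executors may touch
// which dimensions. down simulates an unreachable API server.
type grantTable struct {
	mu     sync.Mutex
	grants map[Executor]map[Dimension]bool
	down   bool
}

func (g *grantTable) check(_ context.Context, ex Executor, gvr GVR, ns, name string, owned bool) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.down {
		return errors.New("apiserver unavailable") // transient: must not be cached
	}
	if g.grants[ex][Dimension{GVR: gvr, Namespace: ns, Name: name, OwnedByTheWork: owned}] {
		return nil
	}
	return ErrForbidden
}

func main() {
	sa := Executor{Namespace: "default", Name: "work-executor"}
	dim := Dimension{GVR: GVR{"apps", "v1", "deployments"}, Namespace: "default", Name: "web", OwnedByTheWork: true}
	rbac := &grantTable{grants: map[Executor]map[Dimension]bool{sa: {dim: true}}}
	c := NewAuthCache(rbac.check)
	fmt.Println(c.Allowed(context.Background(), sa, dim), c.Checks())
	fmt.Println(c.Allowed(context.Background(), sa, dim), c.Checks())
}
```

Two points this makes concrete. First, the cache answers from memory until Invalidate runs, so a RoleBinding revocation is invisible until the RBAC watch fires; between RUnlock and Lock in Allowed there is also a small window in which a result fetched before an invalidation can be stored after it, which is why a periodic full resync (the package's ResyncInterval of 10 minutes) bounds how long a stale grant can live. Second, only definitive answers are cached: a transient API error must be returned to the caller, not remembered as a denial or, worse, as an allow.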