cache

package
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 6, 2023 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package cache implements a ManifestWork Executor Validator with caching capabilities. It stores the result of whether the executor has operation permission(SubjectAccessReview) on a specific resource in a 2-level cache data structure, the first-level cache is the executor key, and the second-level cache is the description (dimension) of the operated resource. At the same time, it also contains a controller, which watches the RBAC resources(role, roleBinding, clusterRole, clusterRoleBinding) related to the executors used by the ManifestWorks in the cluster, and refresh the cache results of the corresponding executor when these RBAC resources have any changes.

Index

Constants

This section is empty.

Variables

View Source
var (
	ResyncInterval = 10 * time.Minute
)

Functions

func NewExecutorCacheController

func NewExecutorCacheController(
	ctx context.Context,
	recorder events.Recorder,
	crbInformer rbacv1.ClusterRoleBindingInformer,
	rbInformer rbacv1.RoleBindingInformer,
	crInformer rbacv1.ClusterRoleInformer,
	rInformer rbacv1.RoleInformer,
	manifestWorkExecutorCachesLoader manifestWorkExecutorCachesLoader,
	executorCaches *store.ExecutorCaches,
	sarCheckerFn SubjectAccessReviewCheckFn,
) factory.Controller

NewExecutorCacheController returns an ExecutorCacheController, the controller will watch all the RBAC resources(role, rolebinding, clusterrole, clusterrolebinding) related to the executors used by the manifestworks, and update the caches of the corresponding executor when the RBAC resources change

func NewExecutorCacheValidator

func NewExecutorCacheValidator(
	ctx context.Context,
	recorder events.Recorder,
	spokeKubeClient kubernetes.Interface,
	manifestWorkLister worklister.ManifestWorkNamespaceLister,
	restMapper meta.RESTMapper,
	validator *basic.SarValidator,
) *sarCacheValidator

NewExecutorCacheValidator creates a sarCacheValidator

Types

type CacheController

type CacheController struct {
	// contains filtered or unexported fields
}

CacheController is to refresh the executor auth result for manfiestwork workloads on the spoke cluster.

type SubjectAccessReviewCheckFn

type SubjectAccessReviewCheckFn func(ctx context.Context, executor *workapiv1.ManifestWorkSubjectServiceAccount,
	gvr schema.GroupVersionResource, namespace, name string, ownedByTheWork bool) error

SubjectAccessReviewCheckFn is a function to checks if the executor has permission to operate the gvr resource by subjectaccessreview

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL