config

package
v0.6.29 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 17, 2024 License: Apache-2.0 Imports: 12 Imported by: 8

Documentation

Index

Constants

View Source
const (
	// ConfiguredInitDirectories enables placing files directly in configured
	// directories with init
	ConfiguredInitDirectories featuregate.Feature = "ConfiguredInitDirectories"
	// IAMIdentityMappingCRD enables using CRDs to manage allowed users
	IAMIdentityMappingCRD featuregate.Feature = "IAMIdentityMappingCRD"
)

Variables

View Source
var DefaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
	ConfiguredInitDirectories: {Default: false, PreRelease: featuregate.Alpha},
	IAMIdentityMappingCRD:     {Default: false, PreRelease: featuregate.Alpha},
}

Functions

This section is empty.

Types

type Config

type Config struct {
	// PartitionID is the AWS partition tokens are valid in. See
	// github.com/aws/aws-sdk-go/aws/endpoints
	// endpoints.DefaultPartitions()
	PartitionID string

	// ClusterID is a unique-per-cluster identifier for your
	// aws-iam-authenticator installation.
	ClusterID string

	// KubeconfigPregenerated is set to `true` when a webhook kubeconfig is
	// pre-generated by running the `init` command, and therefore the
	// `server` shouldn't unnecessarily re-generate a new one.
	KubeconfigPregenerated bool

	// HostPort is the TCP Port on which to listen for authentication checks.
	HostPort int

	// Hostname is the address clients should use for this server.
	Hostname string

	// GenerateKubeconfigPath is the output path where a generated webhook
	// kubeconfig (for `--authentication-token-webhook-config-file`) will be
	// stored.
	GenerateKubeconfigPath string

	// StateDir is the directory where generated certificates and private keys
	// will be stored. You want these persisted between runs so that your API
	// server webhook configuration doesn't change on restart.
	StateDir string

	// RoleMappings is a list of mappings from AWS IAM Role to
	// Kubernetes username + groups.
	RoleMappings []RoleMapping

	// UserMappings is a list of mappings from AWS IAM User to
	// Kubernetes username + groups.
	UserMappings []UserMapping

	// AutoMappedAWSAccounts is a list of AWS accounts that are allowed without an explicit user/role mapping.
	// IAM ARN from these accounts automatically maps to the Kubernetes username.
	AutoMappedAWSAccounts []string

	// ScrubbedAWSAccounts is a list of AWS accounts that the role ARNs and uids
	// are scrubbed from server log statements
	ScrubbedAWSAccounts []string

	// ServerEC2DescribeInstancesRoleARN is an optional AWS Resource Name for an IAM Role to be assumed
	// before calling ec2:DescribeInstances to determine the private DNS of the calling kubelet (EC2 Instance).
	// If nil, defaults to using the IAM Role attached to the instance where aws-iam-authenticator is
	// running.
	ServerEC2DescribeInstancesRoleARN string

	// SourceARN is value which is passed while assuming role specified by ServerEC2DescribeInstancesRoleARN.
	// When a service assumes a role in your account, you can include the aws:SourceAccount and aws:SourceArn global
	// condition context keys in your role trust policy to limit access to the role to only requests that are generated
	// by expected resources. https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
	SourceARN string

	// Address defines the hostname or IP Address to bind the HTTPS server to listen to. This is useful when creating
	// a local server to handle the authentication request for development.
	Address string

	// Master is an optional param which configures api servers endpoint for listening for new CRDs
	// +optional
	Master string

	// Kubeconfig is an optional param which configures the kubeconfig path for connecting to a specific
	// API server this is useful for local development, allowing you to connect to a remote server.
	// +optional
	Kubeconfig string

	// BackendMode is an ordered list of backends to get mappings from. Comma-delimited list of: MountedFile,EKSConfigMap,CRD,DynamicFile
	BackendMode []string

	// Ec2 DescribeInstances rate limiting variables initially set to defaults until we completely
	// understand we don't need to change
	EC2DescribeInstancesQps   int
	EC2DescribeInstancesBurst int
	// Dynamic File Path for DynamicFile BackendMode
	DynamicFilePath string
	// Use UserId for mapping, IdentityArn is not used any more when DynamicFileUserIDStrict=true
	DynamicFileUserIDStrict bool
	// ReservedPrefixConfig defines reserved username prefixes for each backend
	ReservedPrefixConfig map[string]ReservedPrefixConfig
	// Dynamic File Path for BackendMode
	DynamicBackendModePath string
}

Config specifies the configuration for a aws-iam-authenticator server

func (*Config) CertOpts added in v0.5.4

func (c *Config) CertOpts() certs.CertificateOptions

func (*Config) CertPath

func (c *Config) CertPath() string

CertPath returns the path to the pem file containing the certificate

func (*Config) GenerateFiles

func (c *Config) GenerateFiles() error

GenerateFiles will generate the certificate and private key and then create the kubeconfig

func (*Config) GenerateWebhookKubeconfig added in v0.5.4

func (c *Config) GenerateWebhookKubeconfig() error

func (*Config) GetOrCreateX509KeyPair added in v0.5.4

func (c *Config) GetOrCreateX509KeyPair() (*tls.Certificate, error)

GetOrCreateCertificate will create a certificate if it cannot find one based on the config

func (*Config) KeyPath

func (c *Config) KeyPath() string

KeyPath returns the path to the pem file containing the private key

func (*Config) ListenAddr

func (c *Config) ListenAddr() string

ListenAddr returns the IP address and port mapping to bind with

func (*Config) ServerAddr added in v0.5.3

func (c *Config) ServerAddr() string

ServerAddr returns the host and port clients should use for server endpoint.

func (*Config) ServerURL added in v0.5.3

func (c *Config) ServerURL() string

ServerURL returns the URL to connect to this server.

type IdentityMapping added in v0.5.0

type IdentityMapping struct {
	IdentityARN string

	// Username is the username pattern that this instances assuming this
	// role will have in Kubernetes.
	Username string

	// Groups is a list of Kubernetes groups this role will authenticate
	// as (e.g., `system:masters`). Each group name can include placeholders.
	Groups []string
}

type ReservedPrefixConfig added in v0.5.15

type ReservedPrefixConfig struct {
	// Backend mode defined in Config.BackendMode
	BackendMode string `json:"backendmode" yaml:"backendmode"`
	// Defines the reserved prefixes for kubernetes username
	UsernamePrefixReserveList []string `json:"usernamePrefixReserveList,omitempty" yaml:"usernamePrefixReserveList,omitempty"`
}

type RoleMapping

type RoleMapping struct {
	// RoleARN is the AWS Resource Name of the role. (e.g., "arn:aws:iam::000000000000:role/Foo").
	RoleARN string `json:"rolearn"`

	// Username is the username pattern that this instances assuming this
	// role will have in Kubernetes.
	Username string `json:"username"`

	// Groups is a list of Kubernetes groups this role will authenticate
	// as (e.g., `system:masters`). Each group name can include placeholders.
	Groups []string `json:"groups" yaml:"groups"`

	// UserId is the AWS PrincipalId of the role. (e.g., "ABCXSOTJDDV").
	UserId string `json:"userid,omitempty" yaml:"userid,omitempty"`
}

RoleMapping is a mapping of an AWS Role ARN to a Kubernetes username and a list of Kubernetes groups. The username and groups are specified as templates that may optionally contain two template parameters:

  1. "{{AccountID}}" is the 12 digit AWS ID.
  2. "{{SessionName}}" is the role session name.

The meaning of SessionName depends on the type of entity assuming the role. In the case of an EC2 instance role this will be the EC2 instance ID. In the case of a federated role it will be the federated identity (controlled by the federated identity provider). In the case of a role assumed directly with sts:AssumeRole it will be user controlled.

You can use plain values without parameters to have a more static mapping.

func (*RoleMapping) IdentityMapping added in v0.5.21

func (m *RoleMapping) IdentityMapping(identity *token.Identity) *IdentityMapping

IdentityMapping converts the RoleMapping into a generic IdentityMapping object

type UserMapping

type UserMapping struct {
	// UserARN is the AWS Resource Name of the user. (e.g., "arn:aws:iam::000000000000:user/Test").
	UserARN string `json:"userarn"`

	// Username is the Kubernetes username this role will authenticate as (e.g., `mycorp:foo`)
	Username string `json:"username"`

	// Groups is a list of Kubernetes groups this role will authenticate as (e.g., `system:masters`)
	Groups []string `json:"groups" yaml:"groups"`

	// UserId is the AWS PrincipalId of the user. (e.g., "ABCXSOTJDDV").
	UserId string `json:"userid,omitempty" yaml:"userid,omitempty"`
}

UserMapping is a static mapping of a single AWS User ARN to a Kubernetes username and a list of Kubernetes groups

func (*UserMapping) IdentityMapping added in v0.5.21

func (m *UserMapping) IdentityMapping(identity *token.Identity) *IdentityMapping

IdentityMapping converts the UserMapping into a generic IdentityMapping object

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL