identity

package
v0.1.4

This package is not in the latest version of its module.

Published: Feb 23, 2020 License: MPL-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ClusterRoleSubjectQuerier

type ClusterRoleSubjectQuerier struct{}

ClusterRoleSubjectQuerier queries the API for role subjects.

func (ClusterRoleSubjectQuerier) Compatible

func (q ClusterRoleSubjectQuerier) Compatible(query *Query) bool

Compatible returns true if the implementation can serve the query.

It implements Querier.

func (ClusterRoleSubjectQuerier) Do

func (q ClusterRoleSubjectQuerier) Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)

Do performs the query.

It implements Querier.

func (ClusterRoleSubjectQuerier) String

func (q ClusterRoleSubjectQuerier) String() string

String returns a unique description of the type of result provided by the querier.

It implements Querier.

type ConfigUserQuerier

type ConfigUserQuerier struct{}

ConfigUserQuerier queries a kubectl context for its user value.

func (ConfigUserQuerier) Compatible

func (q ConfigUserQuerier) Compatible(query *Query) bool

Compatible returns true if the implementation can serve the query.

It implements Querier.

func (ConfigUserQuerier) Do

func (q ConfigUserQuerier) Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)

Do performs the query.

It implements Querier.

func (ConfigUserQuerier) String

func (q ConfigUserQuerier) String() string

String returns a unique description of the type of result provided by the querier.

It implements Querier.

type CoreGroupQuerier

type CoreGroupQuerier struct{}

CoreGroupQuerier queries a hard-coded set of group names enumerated in the API server source code.

They're included as string literals instead of imported constants in order to avoid k8s.io/apiserver and its transitive dependencies.

https://github.com/kubernetes/apiserver/blob/kubernetes-1.17.0/pkg/authentication/user/user.go#L69

func (CoreGroupQuerier) Compatible

func (q CoreGroupQuerier) Compatible(query *Query) bool

Compatible returns true if the implementation can serve the query.

It implements Querier.

func (CoreGroupQuerier) Do

func (q CoreGroupQuerier) Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)

Do performs the query.

It implements Querier.

func (CoreGroupQuerier) String

func (q CoreGroupQuerier) String() string

String returns a unique description of the type of result provided by the querier.

It implements Querier.

type CoreUserQuerier

type CoreUserQuerier struct{}

CoreUserQuerier queries a hard-coded set of user names enumerated in the API server source code.

They're included as string literals instead of imported constants in order to avoid k8s.io/apiserver and its transitive dependencies.

https://github.com/kubernetes/apiserver/blob/kubernetes-1.17.0/pkg/authentication/user/user.go#L69

func (CoreUserQuerier) Compatible

func (q CoreUserQuerier) Compatible(query *Query) bool

Compatible returns true if the implementation can serve the query.

It implements Querier.

func (CoreUserQuerier) Do

func (q CoreUserQuerier) Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)

Do performs the query.

It implements Querier.

func (CoreUserQuerier) String

func (q CoreUserQuerier) String() string

String returns a unique description of the type of result provided by the querier.

It implements Querier.

type Identity

type Identity struct {
	meta.TypeMeta
	meta.ObjectMeta

	// Source describes the object (if any) in which this Identity was found, e.g. RoleBinding.
	Source *IdentitySource

	// Querier indicates which IdentityQuerier implementation produced this value.
	Querier string
}

Identity describes an object which may have RBAC grants.

func (Identity) String

func (i Identity) String() (s string)

String returns the relevant fields in a human-readable format for use in info/error messages.

type IdentityList

type IdentityList struct {
	// Items holds the collection elements.
	Items []Identity
}

IdentityList is a collection of Identity values.

Its structure ("Items") aligns with the list collections in k8s.io/api/rbac/v1.

func (*IdentityList) Add

func (i *IdentityList) Add(namespace, kind, name string, source *IdentitySource)

Add appends a new Identity, built from the namespace, kind, name and source, to Items.

type IdentitySource

type IdentitySource struct {
	meta.TypeMeta
	meta.ObjectMeta
}

IdentitySource describes where an Identity was found, e.g. RoleBinding.

func (IdentitySource) String

func (i IdentitySource) String() (s string)

String returns the relevant fields in a human-readable format for use in info/error messages.

type Querier

type Querier interface {
	// String returns a unique description of the type of result provided by the querier.
	String() string

	// Compatible returns true if the implementation can serve the query.
	//
	// For example, a query may specify an object kind, e.g. ClusterRole, but a querier may not
	// know how to query it because it only supports Group.
	Compatible(*Query) bool

	// Do performs the query.
	Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)
}

Querier implementations perform queries of an identity-related object kind, e.g. ServiceAccount.

This decomposition makes a trade-off between more Go types/files and the ability to define the sub-queries independently in a more maintainable way.

type Query

type Query struct {
	// Kind determines which Querier implementations are used by only running those which support this kind.
	Kind string

	// Name limits which identities are returned from Querier implementations. If it matches a candidate's
	// name, or if it is empty, the candidate is included in the returned list.
	Name string

	// Namespace limits which identities are returned from Querier implementations. For example, if the querier
	// consumes a RoleBinding list, only bindings from the selected namespace are considered.
	Namespace string

	// ClientCmdConfig provides kubectl config values from which to seek query matches.
	ClientCmdConfig *clientcmdapi.Config
}

Query holds facets which limit an RBAC related query's result set.

func NewQuery

func NewQuery(options ...QueryOption) *Query

NewQuery returns a Query initialized with all input options.

type QueryOption

type QueryOption func(*Query)

QueryOption implementations accept the current Query state and update it based on option-specific logic.

It supports a functional option API based on https://dave.cheney.net/2014/10/17/functional-options-for-friendly-apis.

func QueryClientCmdConfig

func QueryClientCmdConfig(val *clientcmdapi.Config) QueryOption

QueryClientCmdConfig expands the query scope of an RBAC related query to seek matches from the config's identity-related entities.

func QueryKind

func QueryKind(val string) QueryOption

QueryKind limits the query scope of an RBAC related query to a specific object kind.

func QueryName

func QueryName(val string) QueryOption

QueryName limits the query scope of an RBAC related query to a specific name.

func QueryNamespace

func QueryNamespace(val string) QueryOption

QueryNamespace limits the query scope of an RBAC related query to this namespace.

To align with kubectl's --namespace/--all-namespaces behavior, if this option is set to a non-empty value, Querier implementations ignore it when the queried dataset is namespace agnostic, e.g. cluster roles. In other words, if the selected namespace is "frontend" and cluster roles are queried, every cluster role that matches the other criteria is included in the results.

type Registry

type Registry struct {
	CoreGroup           Querier
	CoreUser            Querier
	RoleSubject         Querier
	ClusterRoleSubject  Querier
	ServiceAccountUser  Querier
	ServiceAccountGroup Querier
	ConfigUser          Querier

	Clientset *cage_k8s_core.Clientset
}

func NewRegistry

func NewRegistry(clientset *cage_k8s_core.Clientset) *Registry

NewRegistry builds a registry of known and discovered users.

func (*Registry) Query

func (reg *Registry) Query(ctx context.Context, options ...QueryOption) (*IdentityList, error)

type RoleSubjectQuerier

type RoleSubjectQuerier struct{}

RoleSubjectQuerier queries the API for role subjects.

func (RoleSubjectQuerier) Compatible

func (q RoleSubjectQuerier) Compatible(query *Query) bool

Compatible returns true if the implementation can serve the query.

It implements Querier.

func (RoleSubjectQuerier) Do

func (q RoleSubjectQuerier) Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)

Do performs the query.

It implements Querier.

func (RoleSubjectQuerier) String

func (q RoleSubjectQuerier) String() string

String returns a unique description of the type of result provided by the querier.

It implements Querier.
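The following is an added example, not code from this package: it mirrors the Query, QueryOption and Querier shapes documented above in a self-contained program, implements a RoleSubjectQuerier over constructed RoleBinding/ClusterRoleBinding data, and runs it through a RunQuery function that plays the role of Registry.Query. The Subject and Binding types, RunQuery, SampleBindings, the sample bindings themselves and the simplified Do signature (no context or clientset; the querier holds its data) are assumptions made for the example. It shows the two behaviours the docs describe: an incompatible Kind causes a querier to be skipped rather than fail, and a non-empty Namespace filters RoleBindings but is ignored for namespace-agnostic cluster bindings.

```go
// Added example, not code from the identity package: a stand-alone mirror of the Query,
// QueryOption and Querier shapes documented above plus one querier that lists RoleBinding and
// ClusterRoleBinding subjects from constructed data. Subject, Binding, RunQuery, SampleBindings
// and the Do signature without context/clientset are assumptions made for this example.
package main

import "fmt"

type Query struct {
	Kind      string // selects which queriers run, e.g. "User"; empty means any
	Name      string // empty matches any name
	Namespace string // empty matches any namespace; ignored for cluster-scoped data
}

type QueryOption func(*Query)
func QueryKind(val string) QueryOption      { return func(q *Query) { q.Kind = val } }
func QueryName(val string) QueryOption      { return func(q *Query) { q.Name = val } }
func QueryNamespace(val string) QueryOption { return func(q *Query) { q.Namespace = val } }

// NewQuery applies every option to a zero Query (functional-option pattern).
func NewQuery(options ...QueryOption) *Query {
	q := &Query{}
	for _, o := range options {
		o(q)
	}
	return q
}

type Identity struct{ Kind, Name, Namespace, Source string } // subject plus Source, the binding it was found in
type Querier interface { // the page's interface minus context and clientset; Do reads data held by the value
	Compatible(*Query) bool
	Do(*Query) ([]Identity, error)
}

// Subject and Binding are constructed stand-ins for rbac/v1 Subject and (Cluster)RoleBinding.
type Subject struct{ Kind, Name, Namespace string }
type Binding struct {
	Name, Namespace string // an empty Namespace marks a ClusterRoleBinding
	Subjects        []Subject
}

type RoleSubjectQuerier struct{ Bindings []Binding } // serves the subject kinds a binding may contain

func (RoleSubjectQuerier) Compatible(q *Query) bool {
	return q.Kind == "" || q.Kind == "User" || q.Kind == "Group" || q.Kind == "ServiceAccount"
}

// Do applies the facets. Per the QueryNamespace doc, a non-empty Namespace restricts
// RoleBindings to that namespace but is ignored for namespace-agnostic cluster bindings.
func (r RoleSubjectQuerier) Do(q *Query) ([]Identity, error) {
	var out []Identity
	for _, b := range r.Bindings {
		if b.Namespace != "" && q.Namespace != "" && b.Namespace != q.Namespace {
			continue
		}
		src := "ClusterRoleBinding/" + b.Name
		if b.Namespace != "" {
			src = "RoleBinding/" + b.Namespace + "/" + b.Name
		}
		for _, s := range b.Subjects {
			if (q.Kind != "" && s.Kind != q.Kind) || (q.Name != "" && s.Name != q.Name) {
				continue
			}
			out = append(out, Identity{s.Kind, s.Name, s.Namespace, src})
		}
	}
	return out, nil
}

// RunQuery is Registry.Query in miniature: run each compatible querier and merge the results.
func RunQuery(queriers []Querier, q *Query) ([]Identity, error) {
	var all []Identity
	for _, qr := range queriers {
		if !qr.Compatible(q) { // wrong kind for this querier: skipped, not an error
			continue
		}
		ids, err := qr.Do(q)
		if err != nil {
			return nil, err
		}
		all = append(all, ids...)
	}
	return all, nil
}

// SampleBindings is constructed data, not read from a cluster.
func SampleBindings() []Binding {
	return []Binding{
		{Name: "edit-frontend", Namespace: "frontend", Subjects: []Subject{{Kind: "User", Name: "alice"},
			{Kind: "Group", Name: "devs"}, {Kind: "ServiceAccount", Name: "deployer", Namespace: "frontend"}}},
		{Name: "view-backend", Namespace: "backend", Subjects: []Subject{{Kind: "User", Name: "bob"}}},
		{Name: "cluster-admins", Subjects: []Subject{{Kind: "Group", Name: "system:masters"}, {Kind: "User", Name: "alice"}}},
	}
}

func main() { // alice from both bindings; bob (backend) is excluded by the namespace facet
	ids, _ := RunQuery([]Querier{RoleSubjectQuerier{SampleBindings()}}, NewQuery(QueryKind("User"), QueryNamespace("frontend")))
	fmt.Println(ids)
}
```

Note that the User "alice" is reported twice, once per binding, because the page's Identity carries a Source; a deduplicating view would collapse by kind/name/namespace, but for an RBAC audit the per-binding record is the more useful one, since it says where each grant comes from.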

type ServiceAccountGroupQuerier

type ServiceAccountGroupQuerier struct{}

ServiceAccountGroupQuerier detects valid names of service account based groups and queries the API to validate their namespaces if needed. If all validation checks pass, the group is returned in the identity list.

func (ServiceAccountGroupQuerier) Compatible

func (q ServiceAccountGroupQuerier) Compatible(query *Query) bool

Compatible returns true if the implementation can serve the query.

It implements Querier.

func (ServiceAccountGroupQuerier) Do

func (q ServiceAccountGroupQuerier) Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)

Do performs the query.

It implements Querier.

func (ServiceAccountGroupQuerier) String

func (q ServiceAccountGroupQuerier) String() string

String returns a unique description of the type of result provided by the querier.

It implements Querier.
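An added example, not this package's code, of what "detects valid names of service account based groups and queries the API to validate their namespaces" can look like in practice. The two group formats are the ones Kubernetes assigns to every service account: the cluster-wide group `system:serviceaccounts` and the per-namespace group `system:serviceaccounts:<namespace>`. The function names, the NamespaceLookup callback standing in for an API call, and the sample namespace set are assumptions made for the example; the namespace filter parameter follows the QueryNamespace rule above, so the cluster-wide group is accepted regardless of the selected namespace.

```go
// Added example, not code from the identity package: how a ServiceAccountGroupQuerier-style
// querier can recognise service-account-based group names and validate the namespace they
// name. The group formats are the ones Kubernetes assigns to service accounts; the function
// names, the NamespaceLookup stand-in for an API call and the sample namespaces are assumptions.
package main

import (
	"errors"
	"fmt"
	"strings"
)

const saGroupPrefix = "system:serviceaccounts"

// ServiceAccountGroup is a parsed group name; Namespace is empty for the cluster-wide group.
type ServiceAccountGroup struct {
	Name, Namespace string
}

// ParseServiceAccountGroup accepts "system:serviceaccounts" (all service accounts) and
// "system:serviceaccounts:<namespace>". Anything else is rejected, including the lookalike
// user-name format "system:serviceaccount:<namespace>:<name>" (singular, and a user, not a group).
func ParseServiceAccountGroup(name string) (ServiceAccountGroup, bool) {
	if name == saGroupPrefix {
		return ServiceAccountGroup{Name: name}, true
	}
	if !strings.HasPrefix(name, saGroupPrefix+":") {
		return ServiceAccountGroup{}, false
	}
	ns := strings.TrimPrefix(name, saGroupPrefix+":")
	if ns == "" || strings.Contains(ns, ":") {
		return ServiceAccountGroup{}, false
	}
	return ServiceAccountGroup{Name: name, Namespace: ns}, true
}

// NamespaceLookup stands in for the clientset call that checks whether a namespace exists.
type NamespaceLookup func(ns string) bool

var ErrNamespaceNotFound = errors.New("namespace not found")

// ValidateServiceAccountGroup parses the name and, for a namespaced group, checks the namespace
// exists. queryNamespace mirrors the QueryNamespace facet: when non-empty it restricts results to
// that namespace's group, while the cluster-wide group is namespace agnostic and always passes.
func ValidateServiceAccountGroup(name, queryNamespace string, exists NamespaceLookup) (ServiceAccountGroup, error) {
	g, ok := ParseServiceAccountGroup(name)
	if !ok {
		return g, fmt.Errorf("%q is not a service account group", name)
	}
	if g.Namespace == "" {
		return g, nil
	}
	if queryNamespace != "" && g.Namespace != queryNamespace {
		return g, fmt.Errorf("group %q is outside namespace %q", name, queryNamespace)
	}
	if !exists(g.Namespace) {
		// A binding may name the group of a namespace that no longer exists (or never did);
		// reporting that rather than silently returning the group is the audit-relevant behaviour.
		return g, fmt.Errorf("group %q: %w", name, ErrNamespaceNotFound)
	}
	return g, nil
}

// SampleNamespaces is a constructed namespace set, not a live cluster.
func SampleNamespaces() NamespaceLookup {
	set := map[string]bool{"default": true, "kube-system": true, "frontend": true}
	return func(ns string) bool { return set[ns] }
}

func main() {
	for _, name := range []string{
		"system:serviceaccounts",
		"system:serviceaccounts:frontend",
		"system:serviceaccounts:retired",
		"system:serviceaccount:frontend:deployer",
	} {
		g, err := ValidateServiceAccountGroup(name, "", SampleNamespaces())
		fmt.Printf("%-40s namespace=%q err=%v\n", name, g.Namespace, err)
	}
}
```

The strict parse matters for the same reason as in RBAC itself: a group is matched by exact string, so a misspelt or lookalike name in a binding silently grants nothing (or, worse, grants to the wrong population). Flagging names the parser rejects is how such bindings surface in an audit.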

type ServiceAccountUserQuerier

type ServiceAccountUserQuerier struct{}

ServiceAccountUserQuerier queries the API for service account based users.

func (ServiceAccountUserQuerier) Compatible

func (q ServiceAccountUserQuerier) Compatible(query *Query) bool

Compatible returns true if the implementation can serve the query.

It implements Querier.

func (ServiceAccountUserQuerier) Do

func (q ServiceAccountUserQuerier) Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)

Do performs the query.

It implements Querier.

func (ServiceAccountUserQuerier) String

func (q ServiceAccountUserQuerier) String() string

String returns a unique description of the type of result provided by the querier.

It implements Querier.

Directories

Path Synopsis
Package mock is a generated GoMock package.