- Constants
- func GetEnvDefault(variable string, defaultVal string) string
- func IncRequestCounter(kind string)
- func IncRequestErrorCounter(kind string, severity string)
- type AwsIAMForServiceAccount
- type ConditionExistError
- type GcpWorkloadIdentity
- type IAMRole
- type MapOfInterfaces
- type Plugin
- type ProfileReconciler
- func (r *ProfileReconciler) GetPluginSpec(profileIns *profilev1.Profile) ([]Plugin, error)
- func (r *ProfileReconciler) PatchDefaultPluginSpec(ctx context.Context, profileIns *profilev1.Profile) error
- func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error)
- func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error
Constants ¶
const (
	// Plugin kind string that selects AwsIAMForServiceAccount when a Profile's plugin spec is decoded.
	KIND_AWS_IAM_FOR_SERVICE_ACCOUNT = "AwsIamForServiceAccount"
	// Service-account annotation whose value is the IAM role ARN (written by AwsIAMForServiceAccount.ApplyPlugin,
	// removed again by RevokePlugin).
	AWS_ANNOTATION_KEY = "eks.amazonaws.com/role-arn"
	// Format of the OIDC subject identifying a Kubernetes service account: namespace, then service-account name.
	// This is the identity added to (and removed from) the IAM role's trust relationship, so both values must be
	// the exact namespace and name — a wildcard or prefix here would let other service accounts assume the role.
	AWS_TRUST_IDENTITY_SUBJECT = "system:serviceaccount:%s:%s"
	// Audience the projected service-account token is expected to carry when the role is assumed through STS
	// (presumably the "aud" value required by the trust-policy condition — confirm against the policy builder).
	AWS_DEFAULT_AUDIENCE = "sts.amazonaws.com"
	// Service account in the profile namespace that receives the cloud identity binding by default.
	DEFAULT_SERVICE_ACCOUNT = DEFAULT_EDITOR
)
// Field / label key names (presumably metric labels and log fields; confirm against IncRequestCounter and the kfam API).
const ACTION = "action"
// Name of the admin role (presumably the role bound to the profile owner — confirm).
const ADMIN = "admin"
// Name of the Istio AuthorizationPolicy created in a profile namespace; the name suggests it restricts
// access to the namespace owner — confirm the rules it carries.
const AUTHZPOLICYISTIO = "ns-owner-access-istio"
const COMPONENT = "component"
// Default service accounts created per profile namespace; DEFAULT_EDITOR is also the account that
// receives cloud identity bindings (see DEFAULT_SERVICE_ACCOUNT and GcpWorkloadIdentity.ApplyPlugin).
const DEFAULT_EDITOR = "default-editor"
const DEFAULT_VIEWER = "default-viewer"
// Service-account annotation naming the GCP service account a GKE Workload Identity binding maps to.
const GCP_ANNOTATION_KEY = "iam.gke.io/gcp-service-account"
// Domain suffix of a GCP service-account email; presumably used by GcpWorkloadIdentity.GetProjectID to parse
// the project ID out of GcpServiceAccount — confirm.
const GCP_SA_SUFFIX = ".iam.gserviceaccount.com"
// Istio constants.
// NOTE(review): the name suggests a policy that permits all traffic; confirm the scope it is applied to,
// since it would undo the owner-only restriction of AUTHZPOLICYISTIO wherever both apply.
const ISTIOALLOWALL = "allow-all"
// Name of the ResourceQuota applied to a profile namespace.
const KFQUOTA = "kf-resource-quota"
const KIND = "kind"
// Plugin kind string that selects GcpWorkloadIdentity when a Profile's plugin spec is decoded.
const KIND_WORKLOAD_IDENTITY = "WorkloadIdentity"
// Maximum length of a tag (presumably a metric label value — confirm where it is enforced).
const MAX_TAG_LEN = 30
const PATH = "path"
// Component name reported by this controller (presumably in metrics/log fields).
const PROFILE = "profile_controller"
// Finalizer placed on Profile CRs so that plugin RevokePlugin calls run before the CR disappears;
// without it the cloud-side trust entries created by ApplyPlugin would outlive the profile.
const PROFILEFINALIZER = "profile-finalizer"
// The user that made the request. Note that REQUSER and USER share the value "user".
const REQUSER = "user"
const ROLE = "role"
// Severity label key and the values passed as the severity argument of IncRequestErrorCounter.
const SEVERITY = "severity"
const SEVERITY_CRITICAL = "critical"
const SEVERITY_MAJOR = "major"
const SEVERITY_MINOR = "minor"
// Annotation key, consumed by the kfam API.
const USER = "user"
// IAM role granted on the GCP service account to the Kubernetes service account so it can impersonate it
// via Workload Identity (see GcpWorkloadIdentity.ApplyPlugin).
const WORKLOAD_IDENTITY_ROLE = "roles/iam.workloadIdentityUser"
Functions ¶
func GetEnvDefault ¶
func IncRequestCounter ¶
func IncRequestCounter(kind string)
func IncRequestErrorCounter ¶
Types ¶
type AwsIAMForServiceAccount ¶
// AwsIAMForServiceAccount is the plugin spec that binds an AWS IAM role to the profile's
// service account: ApplyPlugin writes the role ARN into the AWS_ANNOTATION_KEY annotation and
// adds the service account to the role's trust relationship; RevokePlugin undoes both.
type AwsIAMForServiceAccount struct {
	// ARN of the IAM role to bind. It comes from the Profile spec, i.e. it is chosen by whoever
	// authors the Profile, so the controller ends up editing the trust policy of a caller-named
	// role — presumably bounded only by what the controller's own AWS credentials may modify; confirm.
	AwsIAMRole string `json:"awsIamRole,omitempty"`
	// When true, presumably only the annotation is written and the IAM trust relationship is
	// left untouched (to be managed out of band) — confirm against ApplyPlugin.
	AnnotateOnly bool `json:"annotateOnly,omitempty"`
}
func (*AwsIAMForServiceAccount) ApplyPlugin ¶
func (aws *AwsIAMForServiceAccount) ApplyPlugin(r *ProfileReconciler, profile *profilev1.Profile) error
ApplyPlugin annotates the profile's service account with the ARN of the IAM role (AwsIAMRole) and adds that service account to the IAM role's trust relationship.
func (*AwsIAMForServiceAccount) RevokePlugin ¶
func (aws *AwsIAMForServiceAccount) RevokePlugin(r *ProfileReconciler, profile *profilev1.Profile) error
RevokePlugin removes the role ARN annotation from the service account and deletes the service account's entry from the IAM role's trust relationship.
type ConditionExistError ¶
// ConditionExistError is an error type; its name suggests it reports that a condition (likely a
// trust-policy condition, see MakeAssumeRoleWithWebIdentityPolicyDocument) is already present.
// Its fields are unexported and not shown here — confirm the exact contract in the source.
type ConditionExistError struct {
	// contains filtered or unexported fields
}
func (*ConditionExistError) Error ¶
func (e *ConditionExistError) Error() string
type GcpWorkloadIdentity ¶
// GcpWorkloadIdentity is the plugin that sets up GKE Workload Identity (credentials for the
// GCP API) for the target profile namespace, binding its DEFAULT_EDITOR service account to
// GcpServiceAccount.
type GcpWorkloadIdentity struct {
	// Email of the GCP service account to bind, e.g. name@project.iam.gserviceaccount.com.
	// GetProjectID parses the project ID out of it, presumably requiring the GCP_SA_SUFFIX
	// suffix — confirm.
	GcpServiceAccount string `json:"gcpServiceAccount,omitempty"`
}
func (*GcpWorkloadIdentity) ApplyPlugin ¶
func (gcp *GcpWorkloadIdentity) ApplyPlugin(r *ProfileReconciler, profile *profilev1.Profile) error
ApplyPlugin grants GCP Workload Identity for GcpServiceAccount to the profile namespace's DEFAULT_EDITOR service account.
func (*GcpWorkloadIdentity) GetProjectID ¶
func (gcp *GcpWorkloadIdentity) GetProjectID() (string, error)
GetProjectID returns the GCP project ID parsed from GcpServiceAccount. It returns an empty string if GcpServiceAccount cannot be parsed.
func (*GcpWorkloadIdentity) RevokePlugin ¶
func (gcp *GcpWorkloadIdentity) RevokePlugin(r *ProfileReconciler, profile *profilev1.Profile) error
RevokePlugin: undo changes made by ApplyPlugin.
type IAMRole ¶
// IAMRole is the subset of the AWS IAM role representation this package works with:
// only the trust (assume-role) policy document.
type IAMRole struct {
	// Decoded trust policy document. Presumably built by MakeAssumeRoleWithWebIdentityPolicyDocument
	// and edited when profile service accounts are added to or removed from the trust relationship;
	// as a free-form map it carries no schema, so callers must keep the statement shape valid.
	AssumeRolePolicyDocument MapOfInterfaces `json:",omitempty"`
}
type MapOfInterfaces ¶
// MapOfInterfaces is an alias for map[string]interface{}, used for free-form JSON
// documents such as IAM policy documents.
type MapOfInterfaces = map[string]interface{}
func MakeAssumeRoleWithWebIdentityPolicyDocument ¶
func MakeAssumeRoleWithWebIdentityPolicyDocument(providerARN string, condition MapOfInterfaces) MapOfInterfaces
MakeAssumeRoleWithWebIdentityPolicyDocument constructs a trust policy that allows the given web identity provider (providerARN) to assume the role, restricted by the given conditions.
func MakePolicyDocument ¶
func MakePolicyDocument(statements ...MapOfInterfaces) MapOfInterfaces
MakePolicyDocument constructs a policy with given statements
type Plugin ¶
// Plugin is implemented by each cloud identity integration (AwsIAMForServiceAccount,
// GcpWorkloadIdentity). The reconciler calls ApplyPlugin on create/update and RevokePlugin
// on delete; RevokePlugin is the only thing that tears down the cloud-side trust again.
type Plugin interface {
	// Called when the profile CR is created or updated.
	ApplyPlugin(*ProfileReconciler, *profilev1.Profile) error
	// Called when the profile CR is being deleted, to clean up any non-k8s resources created
	// via ApplyPlugin. RevokePlugin logic must be IDEMPOTENT, since the reconciler may retry it.
	// NOTE(review): a revoke that fails permanently leaves the cloud-side trust entry in place
	// after the profile is gone — confirm how Reconcile handles a RevokePlugin error.
	RevokePlugin(*ProfileReconciler, *profilev1.Profile) error
}
type ProfileReconciler ¶
// ProfileReconciler reconciles a Profile object.
type ProfileReconciler struct {
	client.Client
	Scheme *runtime.Scheme
	Log    logr.Logger
	// Name of the HTTP header the requesting user's identity is read from, and an optional
	// prefix stripped from its value. NOTE(review): such a header is only trustworthy when an
	// authenticating proxy sets it and drops any client-supplied copy — confirm in the deployment.
	UserIdHeader string
	UserIdPrefix string
	// Default GCP service account for the WorkloadIdentity plugin (presumably used by
	// PatchDefaultPluginSpec when a Profile does not specify one — confirm).
	WorkloadIdentity string
	// Path to a file of labels applied to newly created profile namespaces (presumably — confirm).
	DefaultNamespaceLabelsPath string
}
func (*ProfileReconciler) GetPluginSpec ¶
func (r *ProfileReconciler) GetPluginSpec(profileIns *profilev1.Profile) ([]Plugin, error)
GetPluginSpec unmarshals the plugin specs embedded in the Profile into their Plugin implementations. It returns an error if a plugin kind is not defined or a spec cannot be decoded.
func (*ProfileReconciler) PatchDefaultPluginSpec ¶
func (r *ProfileReconciler) PatchDefaultPluginSpec(ctx context.Context, profileIns *profilev1.Profile) error
PatchDefaultPluginSpec patches the default plugins into the Profile CR instance for every plugin kind the user did not specify in the CR.
func (*ProfileReconciler) Reconcile ¶
func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error)
Reconcile reads the state of the cluster for a Profile object and makes changes based on the state read and what is in Profile.Spec. The RBAC markers on this method generate the rules that allow the controller to read and write the resources it manages (the original comment names Deployments, which is the kubebuilder template wording — confirm against the actual markers).
func (*ProfileReconciler) SetupWithManager ¶
func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error