controllers

package
Published: Mar 14, 2024 License: Apache-2.0 Imports: 41 Imported by: 0

Documentation

Index

Constants

const (
	// plugin kind
	// KIND_AWS_IAM_FOR_SERVICE_ACCOUNT is the plugin kind string that selects the
	// AwsIAMForServiceAccount plugin.
	KIND_AWS_IAM_FOR_SERVICE_ACCOUNT = "AwsIamForServiceAccount"
	// AWS_ANNOTATION_KEY is the service-account annotation that carries the IAM
	// role ARN (the EKS IAM-roles-for-service-accounts convention).
	AWS_ANNOTATION_KEY               = "eks.amazonaws.com/role-arn"
	// AWS_TRUST_IDENTITY_SUBJECT is the format of a Kubernetes service-account
	// token subject, filled in as namespace then service-account name.
	// NOTE(review): presumably used as the subject condition of the IAM trust
	// policy — both placeholders should be the exact profile namespace and
	// account name (no wildcard), otherwise service accounts of other
	// namespaces could assume the role; confirm against ApplyPlugin.
	AWS_TRUST_IDENTITY_SUBJECT       = "system:serviceaccount:%s:%s"
	// AWS_DEFAULT_AUDIENCE is the expected audience of the web-identity token.
	AWS_DEFAULT_AUDIENCE             = "sts.amazonaws.com"
	// DEFAULT_SERVICE_ACCOUNT is the service account the plugins act on
	// (same value as DEFAULT_EDITOR).
	DEFAULT_SERVICE_ACCOUNT          = DEFAULT_EDITOR
)
// ACTION is the "action" key; presumably a structured log/metric label key — confirm against callers.
const ACTION = "action"
// ADMIN is the "admin" value; presumably a role name used in RBAC or kfam-related metadata — confirm against callers.
const ADMIN = "admin"
// AUTHZPOLICYISTIO names the per-namespace Istio authorization policy created for the
// namespace owner (presumably an AuthorizationPolicy object — confirm against the reconciler).
const AUTHZPOLICYISTIO = "ns-owner-access-istio"
// COMPONENT is the "component" key; presumably a structured log/metric label key — confirm against callers.
const COMPONENT = "component"
// DEFAULT_EDITOR is the name of the editor service account in a profile namespace;
// it is the account the workload-identity plugins grant cloud credentials to.
const DEFAULT_EDITOR = "default-editor"
// DEFAULT_VIEWER is the name of the viewer service account in a profile namespace
// (presumably the read-only counterpart of DEFAULT_EDITOR — confirm).
const DEFAULT_VIEWER = "default-viewer"
// GCP_ANNOTATION_KEY is the GKE workload-identity annotation that binds a Kubernetes
// service account to a GCP service account email.
const GCP_ANNOTATION_KEY = "iam.gke.io/gcp-service-account"
// GCP_SA_SUFFIX is the domain suffix of a GCP service account email
// (<name>@<project>.iam.gserviceaccount.com); presumably what GetProjectID parses around — confirm.
const GCP_SA_SUFFIX = ".iam.gserviceaccount.com"
// ISTIOALLOWALL is an Istio constant; presumably the name of an allow-all
// authorization policy — confirm against the reconciler before relying on it.
const ISTIOALLOWALL = "allow-all"

Istio constants

// KFQUOTA names the resource quota object managed in a profile namespace
// (presumably a ResourceQuota — confirm).
const KFQUOTA = "kf-resource-quota"
// KIND is the "kind" key; presumably a structured log/metric label key — confirm against callers.
const KIND = "kind"
// KIND_WORKLOAD_IDENTITY is the plugin kind string that selects the GcpWorkloadIdentity plugin.
const KIND_WORKLOAD_IDENTITY = "WorkloadIdentity"

plugin kind

// MAX_TAG_LEN is a length limit of 30; what it bounds (a tag or label value?) is not
// visible here — confirm against callers.
const MAX_TAG_LEN = 30
// PATH is the "path" key; presumably a structured log/metric label key — confirm against callers.
const PATH = "path"
// PROFILE is the component name of this controller; presumably used as a log/metric
// label value — confirm against callers.
const PROFILE = "profile_controller"
// PROFILEFINALIZER is the finalizer placed on Profile CRs; presumably it holds deletion
// until plugin RevokePlugin cleanup has run — confirm against Reconcile.
const PROFILEFINALIZER = "profile-finalizer"
// REQUSER is the key for the user that makes the request (same string value as USER).
const REQUSER = "user"

User that makes the request

// ROLE is the "role" key; presumably a structured log/metric label key — confirm against callers.
const ROLE = "role"
// SEVERITY is the "severity" key; presumably the metric label under which the
// SEVERITY_* values are reported — confirm against IncRequestErrorCounter.
const SEVERITY = "severity"
// SEVERITY_CRITICAL is a severity value for IncRequestErrorCounter.
const SEVERITY_CRITICAL = "critical"
// SEVERITY_MAJOR is a severity value for IncRequestErrorCounter.
const SEVERITY_MAJOR = "major"
// SEVERITY_MINOR is a severity value for IncRequestErrorCounter.
const SEVERITY_MINOR = "minor"
// USER is the annotation key consumed by the kfam API (same string value as REQUSER).
const USER = "user"

annotation key, consumed by kfam API

// WORKLOAD_IDENTITY_ROLE is the GCP IAM role granted by the GcpWorkloadIdentity plugin so
// the Kubernetes service account can impersonate the GCP service account.
const WORKLOAD_IDENTITY_ROLE = "roles/iam.workloadIdentityUser"

Variables

This section is empty.

Functions

func GetEnvDefault

func GetEnvDefault(variable string, defaultVal string) string

func IncRequestCounter

func IncRequestCounter(kind string)

func IncRequestErrorCounter

func IncRequestErrorCounter(kind string, severity string)

Types

type AwsIAMForServiceAccount

// AwsIAMForServiceAccount is the spec of the AWS IAM-roles-for-service-accounts
// plugin (kind KIND_AWS_IAM_FOR_SERVICE_ACCOUNT), decoded from the Profile CR.
type AwsIAMForServiceAccount struct {
	// AwsIAMRole is the IAM role (ARN) written to the service-account annotation.
	AwsIAMRole   string `json:"awsIamRole,omitempty"`
	// AnnotateOnly, when true, presumably restricts ApplyPlugin to annotating the
	// service account without modifying the role's trust relationship — confirm.
	AnnotateOnly bool   `json:"annotateOnly,omitempty"`
}

func (*AwsIAMForServiceAccount) ApplyPlugin

func (aws *AwsIAMForServiceAccount) ApplyPlugin(r *ProfileReconciler, profile *profilev1.Profile) error

ApplyPlugin annotates the service account with the ARN of the IAM role and updates the trust relationship of the IAM role.

func (*AwsIAMForServiceAccount) RevokePlugin

func (aws *AwsIAMForServiceAccount) RevokePlugin(r *ProfileReconciler, profile *profilev1.Profile) error

RevokePlugin removes the role from the service account annotation and deletes the service account record from the IAM trust relationship.

type ConditionExistError

// ConditionExistError is an error type exposed through its Error() method; its fields
// are unexported. Presumably it signals that a status condition is already present —
// confirm the exact trigger against the reconciler.
type ConditionExistError struct {
	// contains filtered or unexported fields
}

func (*ConditionExistError) Error

func (e *ConditionExistError) Error() string

type GcpWorkloadIdentity

// GcpWorkloadIdentity is the spec of the GKE workload-identity plugin
// (kind KIND_WORKLOAD_IDENTITY), decoded from the Profile CR.
type GcpWorkloadIdentity struct {
	// GcpServiceAccount is the GCP service account email to bind to; GetProjectID
	// derives the project id from it.
	GcpServiceAccount string `json:"gcpServiceAccount,omitempty"`
}

GcpWorkloadIdentity: plugin that sets up GKE workload identity (credentials for GCP APIs) for the target profile namespace.

func (*GcpWorkloadIdentity) ApplyPlugin

func (gcp *GcpWorkloadIdentity) ApplyPlugin(r *ProfileReconciler, profile *profilev1.Profile) error

ApplyPlugin grants GCP workload identity to the service account DEFAULT_EDITOR.

func (*GcpWorkloadIdentity) GetProjectID

func (gcp *GcpWorkloadIdentity) GetProjectID() (string, error)

GetProjectID returns the GCP project ID of GcpServiceAccount, or an empty string if GcpServiceAccount cannot be parsed.

func (*GcpWorkloadIdentity) RevokePlugin

func (gcp *GcpWorkloadIdentity) RevokePlugin(r *ProfileReconciler, profile *profilev1.Profile) error

RevokePlugin: undo changes made by ApplyPlugin.

type IAMRole

// IAMRole models the part of an AWS IAM role this package touches: only the trust
// policy, carried as a free-form JSON object.
type IAMRole struct {
	// AssumeRolePolicyDocument is the role's trust policy; omitted from JSON when nil or empty.
	AssumeRolePolicyDocument MapOfInterfaces `json:",omitempty"`
}

type MapOfInterfaces

// MapOfInterfaces is an alias for map[string]interface{} (i.e. map[string]any), used for
// free-form JSON such as the IAM policy documents built by MakePolicyDocument.
type MapOfInterfaces = map[string]interface{}

MapOfInterfaces is an alias for map[string]interface{}

func MakeAssumeRoleWithWebIdentityPolicyDocument

func MakeAssumeRoleWithWebIdentityPolicyDocument(providerARN string, condition MapOfInterfaces) MapOfInterfaces

MakeAssumeRoleWithWebIdentityPolicyDocument constructs a trust policy for the given web identity provider with the given conditions.

func MakePolicyDocument

func MakePolicyDocument(statements ...MapOfInterfaces) MapOfInterfaces

MakePolicyDocument constructs a policy with given statements

type Plugin

// Plugin is implemented by per-cloud extensions (AwsIAMForServiceAccount,
// GcpWorkloadIdentity) that the ProfileReconciler invokes with the reconciler
// and the Profile being processed.
type Plugin interface {
	// ApplyPlugin is called when the profile CR is created or updated.
	ApplyPlugin(*ProfileReconciler, *profilev1.Profile) error
	// RevokePlugin is called when the profile CR is being deleted, to clean up any
	// non-k8s resources created via ApplyPlugin. It may be invoked more than once
	// for the same profile, so its logic MUST be idempotent.
	RevokePlugin(*ProfileReconciler, *profilev1.Profile) error
}

type ProfileReconciler

// ProfileReconciler reconciles Profile objects. It embeds the controller-runtime
// client and carries the configuration consumed by the plugins.
type ProfileReconciler struct {
	client.Client
	// Scheme is the runtime scheme used for the managed objects.
	Scheme                     *runtime.Scheme
	// Log is the reconciler's logger.
	Log                        logr.Logger
	// UserIdHeader and UserIdPrefix presumably identify the request header that
	// carries the user identity and a prefix stripped from its value — confirm.
	UserIdHeader               string
	UserIdPrefix               string
	// WorkloadIdentity presumably is a default for the GCP workload-identity plugin — confirm.
	WorkloadIdentity           string
	// DefaultNamespaceLabelsPath presumably is a file path from which default
	// namespace labels are read — confirm.
	DefaultNamespaceLabelsPath string
}

ProfileReconciler reconciles a Profile object

func (*ProfileReconciler) GetPluginSpec

func (r *ProfileReconciler) GetPluginSpec(profileIns *profilev1.Profile) ([]Plugin, error)

GetPluginSpec tries to unmarshal the plugin spec inside the profile for the specified plugin. It returns an error if the plugin isn't defined or if there is a problem.

func (*ProfileReconciler) PatchDefaultPluginSpec

func (r *ProfileReconciler) PatchDefaultPluginSpec(ctx context.Context, profileIns *profilev1.Profile) error

PatchDefaultPluginSpec patches default plugins into the profile CR instance if the user doesn't specify a plugin of the same kind in the CR.

func (*ProfileReconciler) Reconcile

func (r *ProfileReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error)

Reconcile reads the state of the cluster for a Profile object and makes changes based on the state read and what is in the Profile.Spec. RBAC rules are automatically generated to allow the controller to read and write Deployments.

func (*ProfileReconciler) SetupWithManager

func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error
