kubernetes: k8s.io/kubernetes/plugin/pkg/auth/authorizer/node Index | Files

package node

import "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"


Package Files

graph.go graph_populator.go intset.go node_authorizer.go

func AddGraphEventHandlers Uses

func AddGraphEventHandlers(
    graph *Graph,
    nodes corev1informers.NodeInformer,
    pods corev1informers.PodInformer,
    pvs corev1informers.PersistentVolumeInformer,
    attachments storageinformers.VolumeAttachmentInformer,

func NewAuthorizer Uses

func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) authorizer.Authorizer

NewAuthorizer returns a new node authorizer

type Graph Uses

type Graph struct {
    // contains filtered or unexported fields

Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:

node <- pod pod <- secret,configmap,pvc pvc <- pv pv <- secret

func NewGraph Uses

func NewGraph() *Graph

func (*Graph) AddPV Uses

func (g *Graph) AddPV(pv *corev1.PersistentVolume)

AddPV sets up edges for the following relationships:

secret -> pv

pv -> pvc

func (*Graph) AddPod Uses

func (g *Graph) AddPod(pod *corev1.Pod)

AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once bound to a node):

pod -> node

secret    -> pod
configmap -> pod
pvc       -> pod
svcacct   -> pod

func (*Graph) AddVolumeAttachment Uses

func (g *Graph) AddVolumeAttachment(attachmentName, nodeName string)

AddVolumeAttachment sets up edges for the following relationships:

volume attachment -> node

func (*Graph) DeletePV Uses

func (g *Graph) DeletePV(name string)

func (*Graph) DeletePod Uses

func (g *Graph) DeletePod(name, namespace string)

func (*Graph) DeleteVolumeAttachment Uses

func (g *Graph) DeleteVolumeAttachment(name string)

func (*Graph) SetNodeConfigMap Uses

func (g *Graph) SetNodeConfigMap(nodeName, configMapName, configMapNamespace string)

SetNodeConfigMap sets up edges for the Node.Spec.ConfigSource.ConfigMap relationship:

configmap -> node

type NodeAuthorizer Uses

type NodeAuthorizer struct {
    // contains filtered or unexported fields

NodeAuthorizer authorizes requests from kubelets, with the following logic: 1. If a request is not from a node (NodeIdentity() returns isNode=false), reject 2. If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject 3. If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node:

node <- configmap
node <- pod
node <- pod <- secret
node <- pod <- configmap
node <- pod <- pvc
node <- pod <- pvc <- pv
node <- pod <- pvc <- pv <- secret

4. For other resources, authorize all nodes uniformly using statically defined rules

func (*NodeAuthorizer) Authorize Uses

func (r *NodeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error)

Package node imports 25 packages (graph) and is imported by 68 packages. Updated 2020-02-16. Refresh now. Tools for package owners.