Version: v0.0.0-...-d88c8b5

This package is not in the latest version of its module.
Published: Feb 9, 2021 License: Apache-2.0 Imports: 25 Imported by: 0



func NewAuthorizer

func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) authorizer.Authorizer

NewAuthorizer returns a new node authorizer


type Graph

type Graph struct {
	// contains filtered or unexported fields
}

Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:

node <- pod
pod  <- secret,configmap,pvc
pvc  <- pv
pv   <- secret

func NewGraph

func NewGraph() *Graph

func (*Graph) AddPV

func (g *Graph) AddPV(pv *corev1.PersistentVolume)

AddPV sets up edges for the following relationships:

secret -> pv

pv -> pvc

func (*Graph) AddPod

func (g *Graph) AddPod(pod *corev1.Pod)

AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once bound to a node):

pod -> node

secret    -> pod
configmap -> pod
pvc       -> pod
svcacct   -> pod

func (*Graph) AddVolumeAttachment

func (g *Graph) AddVolumeAttachment(attachmentName, nodeName string)

AddVolumeAttachment sets up edges for the following relationships:

volume attachment -> node

func (*Graph) DeletePV

func (g *Graph) DeletePV(name string)

func (*Graph) DeletePod

func (g *Graph) DeletePod(name, namespace string)

func (*Graph) DeleteVolumeAttachment

func (g *Graph) DeleteVolumeAttachment(name string)

func (*Graph) SetNodeConfigMap

func (g *Graph) SetNodeConfigMap(nodeName, configMapName, configMapNamespace string)

SetNodeConfigMap sets up edges for the Node.Spec.ConfigSource.ConfigMap relationship:

configmap -> node

type NodeAuthorizer

type NodeAuthorizer struct {
	// contains filtered or unexported fields
}

NodeAuthorizer authorizes requests from kubelets, with the following logic:

  1. If a request is not from a node (NodeIdentity() returns isNode=false), reject
  2. If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject
  3. If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node:
     node <- configmap
     node <- pod
     node <- pod <- secret
     node <- pod <- configmap
     node <- pod <- pvc
     node <- pod <- pvc <- pv
     node <- pod <- pvc <- pv <- secret
  4. For other resources, authorize all nodes uniformly using statically defined rules
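The edge layout described under Graph (every edge points toward a node) and the four rules above, as an added Go example that is not part of this package or of Kubernetes. relationGraph, addPod, addPV, relatedToNode, authorize, the sample objects in buildSampleGraph and the staticAllowed list are all hypothetical, simplified stand-ins constructed for illustration; node identity is derived from the "system:node:<name>" user name prefix only, whereas the real NodeIdentifier also requires the system:nodes group.

```go
package main

import (
	"fmt"
	"strings"
)

// vertex identifies an object by kind (node, pod, secret, configmap, pvc, pv), namespace
// and name; cluster-scoped kinds (node, pv) use an empty namespace.
type vertex struct{ kind, namespace, name string }

// relationGraph is a hypothetical stand-in for the package's Graph: every edge points
// toward a node, so "is X related to node N?" becomes reachability from X along the arrows.
type relationGraph struct{ edges map[vertex][]vertex }

func newRelationGraph() *relationGraph { return &relationGraph{edges: map[vertex][]vertex{}} }
func (g *relationGraph) addEdge(from, to vertex) { g.edges[from] = append(g.edges[from], to) }

// addPod records pod -> node and secret/configmap/pvc -> pod, as AddPod does;
// refs are the pod's references as {kind, name} pairs in the pod's namespace.
func (g *relationGraph) addPod(ns, name, nodeName string, refs [][2]string) {
	pod := vertex{"pod", ns, name}
	g.addEdge(pod, vertex{"node", "", nodeName})
	for _, ref := range refs {
		g.addEdge(vertex{ref[0], ns, ref[1]}, pod)
	}
}

// addPV records pv -> pvc and secret -> pv, as AddPV does.
func (g *relationGraph) addPV(pvName, claimNS, claimName, secretNS, secretName string) {
	pv := vertex{"pv", "", pvName}
	g.addEdge(pv, vertex{"pvc", claimNS, claimName})
	g.addEdge(vertex{"secret", secretNS, secretName}, pv)
}

// relatedToNode walks the arrows from the requested object; seen guards against cycles.
func (g *relationGraph) relatedToNode(from vertex, nodeName string) bool {
	target, seen := vertex{"node", "", nodeName}, map[vertex]bool{}
	for stack := []vertex{from}; len(stack) > 0; {
		v := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if v == target {
			return true
		}
		if !seen[v] {
			seen[v] = true
			stack = append(stack, g.edges[v]...)
		}
	}
	return false
}

// request is a cut-down form of the authorizer attributes.
type request struct{ user, verb, resource, namespace, name string }

// graphResources maps the API resources covered by rule 3 to vertex kinds;
// staticAllowed is a constructed stand-in for rule 4's statically defined rules.
var graphResources = map[string]string{"secrets": "secret", "configmaps": "configmap",
	"persistentvolumeclaims": "pvc", "persistentvolumes": "pv"}
var staticAllowed = map[string]bool{"nodes": true, "pods": true, "events": true}

// authorize applies the four rules from the package doc in order. Node identity comes
// from the "system:node:<name>" user name only (the real identifier also checks the group).
func authorize(g *relationGraph, r request) (allowed bool, reason string) {
	if !strings.HasPrefix(r.user, "system:node:") {
		return false, "rule 1: not a node"
	}
	nodeName := strings.TrimPrefix(r.user, "system:node:")
	if nodeName == "" {
		return false, "rule 2: node name unknown"
	}
	if kind, ok := graphResources[r.resource]; ok {
		if r.verb != "get" {
			return false, "rule 3: only get is allowed"
		}
		if !g.relatedToNode(vertex{kind, r.namespace, r.name}, nodeName) {
			return false, "rule 3: object not related to " + nodeName
		}
		return true, "rule 3: related to " + nodeName
	}
	if staticAllowed[r.resource] {
		return true, "rule 4: static rule"
	}
	return false, "rule 4: no static rule"
}

// buildSampleGraph wires up constructed sample objects: one pod on worker-1 whose PVC is
// bound to a PV that references a CSI secret in kube-system.
func buildSampleGraph() *relationGraph {
	g := newRelationGraph()
	g.addPod("default", "web", "worker-1", [][2]string{{"secret", "db-creds"}, {"configmap", "web-config"}, {"pvc", "data"}})
	g.addPV("pv-1", "default", "data", "kube-system", "csi-creds")
	return g
}

func main() {
	g := buildSampleGraph()
	for _, r := range []request{
		{"system:node:worker-1", "get", "secrets", "kube-system", "csi-creds"},
		{"system:node:worker-2", "get", "secrets", "default", "db-creds"},
	} {
		ok, why := authorize(g, r)
		fmt.Printf("%s %s %s %s/%s -> %v (%s)\n", r.user, r.verb, r.resource, r.namespace, r.name, ok, why)
	}
}
```

The point to take from the walk is that rule 3 turns "may this kubelet read this secret?" into a reachability question over edges the control plane itself created (pod bound to the node, volumes and secrets referenced by that pod), so a node only ever sees objects its own workloads already depend on; worker-2 is denied db-creds even though the object exists, because no path leads from that secret to worker-2's vertex.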

func (*NodeAuthorizer) Authorize
