
func NewAuthorizer

func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacapi.PolicyRule) authorizer.Authorizer

    NewAuthorizer returns a new node authorizer built from the given graph, node identifier, and static policy rules.


type Graph

type Graph struct {
	// contains filtered or unexported fields
}

    Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:

        node <- pod
        pod  <- secret, configmap, pvc
        pvc  <- pv
        pv   <- secret

func NewGraph

func NewGraph() *Graph

func (*Graph) AddPV

func (g *Graph) AddPV(pv *api.PersistentVolume)

    AddPV sets up edges for the following relationships:

        secret -> pv
        pv     -> pvc

func (*Graph) AddPod

func (g *Graph) AddPod(pod *api.Pod)

    AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once it is bound to a node):

        pod       -> node
        secret    -> pod
        configmap -> pod
        pvc       -> pod

func (*Graph) DeletePV

func (g *Graph) DeletePV(name string)

func (*Graph) DeletePod

func (g *Graph) DeletePod(name, namespace string)

type NodeAuthorizer

type NodeAuthorizer struct {
	// contains filtered or unexported fields
}

    NodeAuthorizer authorizes requests from kubelets, with the following logic:

    1. If a request is not from a node (IdentifyNode() returns isNode=false), reject.
    2. If a specific node cannot be identified (IdentifyNode() returns nodeName=""), reject.
    3. If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get and the requested object is related to the requesting node through one of these chains:

        node <- pod
        node <- pod <- secret
        node <- pod <- configmap
        node <- pod <- pvc
        node <- pod <- pvc <- pv
        node <- pod <- pvc <- pv <- secret

    4. For other resources, authorize all nodes uniformly using statically defined rules.

func (*NodeAuthorizer) Authorize

func (r *NodeAuthorizer) Authorize(attrs authorizer.Attributes) (bool, string, error)
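The following is an added, self-contained model of the graph and the four decision rules documented above; it is example code written for this page, not the package's own implementation, and it uses only the Go standard library. Vertex, Attributes, sampleGraph, staticRules and the "system:node:" prefix check are constructed stand-ins for the real API types, IdentifyNode() and the cluster's static rule set. It shows why a kubelet can read a secret only when some pod bound to its node mounts that secret, directly or through a PVC/PV chain, and why every non-get verb on those resources is refused before the graph is consulted.

```go
package main

import (
	"fmt"
	"strings"
)

// Vertex identifies one object; cluster-scoped kinds (node, persistentvolume) carry an empty Namespace.
type Vertex struct{ Kind, Namespace, Name string }
// Graph is a constructed stand-in for the package's Graph: every edge points toward a node.
type Graph struct{ edges map[Vertex][]Vertex }

func NewGraph() *Graph { return &Graph{edges: map[Vertex][]Vertex{}} }
func (g *Graph) addEdge(from, to Vertex) { g.edges[from] = append(g.edges[from], to) }

// AddPod records pod -> node and secret/configmap/pvc -> pod; like the real
// graph it must only be called once the pod is bound to a node.
func (g *Graph) AddPod(ns, name, nodeName string, secrets, configmaps, pvcs []string) {
	pod := Vertex{"pod", ns, name}
	g.addEdge(pod, Vertex{"node", "", nodeName})
	for kind, names := range map[string][]string{"secret": secrets, "configmap": configmaps, "persistentvolumeclaim": pvcs} {
		for _, n := range names {
			g.addEdge(Vertex{kind, ns, n}, pod)
		}
	}
}

// AddPV records pv -> pvc and, when the volume references a secret, secret -> pv.
func (g *Graph) AddPV(name, claimNS, claimName, secretNS, secretName string) {
	pv := Vertex{"persistentvolume", "", name}
	g.addEdge(pv, Vertex{"persistentvolumeclaim", claimNS, claimName})
	if secretName != "" {
		g.addEdge(Vertex{"secret", secretNS, secretName}, pv)
	}
}

// reaches walks edges from start and reports whether nodeName is reachable,
// which is what "related to the requesting node" means in rule 3.
func (g *Graph) reaches(start Vertex, nodeName string) bool {
	target, seen := Vertex{"node", "", nodeName}, map[Vertex]bool{}
	for stack := []Vertex{start}; len(stack) > 0; {
		v := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if v == target {
			return true
		}
		if !seen[v] {
			seen[v] = true
			stack = append(stack, g.edges[v]...)
		}
	}
	return false
}

type Attributes struct{ User, Verb, Resource, Namespace, Name string }

// graphResources are gated by rule 3; staticRules is a constructed stand-in for
// the uniform node rules of rule 4, not the real rule set.
var graphResources = map[string]bool{"secret": true, "configmap": true, "persistentvolumeclaim": true, "persistentvolume": true}
var staticRules = map[string]map[string]bool{"pods": {"get": true, "list": true, "watch": true}}

// Authorize applies the four rules in order and returns (allowed, reason).
func Authorize(g *Graph, a Attributes) (bool, string) {
	// Stand-in for IdentifyNode(): kubelets authenticate as system:node:<name>.
	const prefix = "system:node:"
	isNode, nodeName := strings.HasPrefix(a.User, prefix), strings.TrimPrefix(a.User, prefix)
	if !isNode {
		return false, "request is not from a node"
	}
	if nodeName == "" {
		return false, "could not determine node name"
	}
	if graphResources[a.Resource] {
		if a.Verb != "get" {
			return false, fmt.Sprintf("node %q may only get %s objects", nodeName, a.Resource)
		}
		if !g.reaches(Vertex{a.Resource, a.Namespace, a.Name}, nodeName) {
			return false, fmt.Sprintf("%s %s/%s is not related to node %q", a.Resource, a.Namespace, a.Name, nodeName)
		}
		return true, ""
	}
	if staticRules[a.Resource][a.Verb] {
		return true, ""
	}
	return false, "no static rule permits this request"
}

// sampleGraph is a constructed cluster: pod web on node-a mounts secret tls; pod db
// on node-b uses PVC data, bound to PV pv-1, which references secret csi-creds.
func sampleGraph() *Graph {
	g := NewGraph()
	g.AddPod("prod", "web", "node-a", []string{"tls"}, nil, nil)
	g.AddPod("prod", "db", "node-b", nil, nil, []string{"data"})
	g.AddPV("pv-1", "prod", "data", "prod", "csi-creds")
	return g
}

func main() {
	fmt.Println(Authorize(sampleGraph(), Attributes{"system:node:node-b", "get", "secret", "prod", "tls"}))
}
```

With this sample graph, node-b may get secret prod/csi-creds because the chain node-b <- pod db <- pvc data <- pv pv-1 <- secret csi-creds exists, while node-a is refused the same secret and node-b is refused prod/tls; a list of secrets is refused for every node regardless of the graph. The real authorizer's Authorize also returns an error value and builds the graph from informers rather than direct calls, but the decision order is the one modelled here.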