func NewAuthorizer

func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) authorizer.Authorizer

    NewAuthorizer returns a new node authorizer


type Graph

type Graph struct {
	// contains filtered or unexported fields
}

    Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:

    node <- pod
    pod  <- secret,configmap,pvc
    pvc  <- pv
    pv   <- secret

func NewGraph

func NewGraph() *Graph

func (*Graph) AddPV

func (g *Graph) AddPV(pv *corev1.PersistentVolume)

    AddPV sets up edges for the following relationships:

    secret -> pv
    pv     -> pvc

func (*Graph) AddPod

func (g *Graph) AddPod(pod *corev1.Pod)

    AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once bound to a node):

    pod       -> node
    secret    -> pod
    configmap -> pod
    pvc       -> pod
    svcacct   -> pod

func (*Graph) AddVolumeAttachment

func (g *Graph) AddVolumeAttachment(attachmentName, nodeName string)

    AddVolumeAttachment sets up edges for the following relationship:

    volume attachment -> node

func (*Graph) DeletePV

func (g *Graph) DeletePV(name string)

func (*Graph) DeletePod

func (g *Graph) DeletePod(name, namespace string)

func (*Graph) DeleteVolumeAttachment

func (g *Graph) DeleteVolumeAttachment(name string)

func (*Graph) SetNodeConfigMap

func (g *Graph) SetNodeConfigMap(nodeName, configMapName, configMapNamespace string)

    SetNodeConfigMap sets up the edge for the Node.Spec.ConfigSource.ConfigMap relationship:

    configmap -> node

type NodeAuthorizer

type NodeAuthorizer struct {
	// contains filtered or unexported fields
}

    NodeAuthorizer authorizes requests from kubelets, with the following logic:

    1. If a request is not from a node (NodeIdentity() returns isNode=false), reject.
    2. If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject.
    3. If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get and the requested object is related to the requesting node:

       node <- configmap
       node <- pod
       node <- pod <- secret
       node <- pod <- configmap
       node <- pod <- pvc
       node <- pod <- pvc <- pv
       node <- pod <- pvc <- pv <- secret

    4. For other resources, authorize all nodes uniformly using statically defined rules.
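    The edge directions and rules 1-4 above, as an added illustration that is not the Kubernetes plugin's own code: a toy in-memory graph with the same edge shape, a walk toward the node vertex, and an authorize function returning "allow", "deny" or "static" (rule 4 is left to the static rules and not modelled). The vertex scheme, lower-case function names and sample objects used in calls (node-a, pod web, pv-1, secret storage-creds) are assumptions of this example; service-account and volume-attachment edges are omitted.

```go
package main

// vertex identifies a graph object by kind, namespace and name (nodes and PVs are cluster-scoped, ns "").
type vertex struct{ kind, ns, name string }
// graph keeps outgoing edges; every edge points toward a node: node <- pod <- secret,configmap,pvc; pvc <- pv; pv <- secret.
type graph struct{ out map[vertex][]vertex }
func newGraph() *graph { return &graph{out: map[vertex][]vertex{}} }
func (g *graph) addEdge(from, to vertex) { g.out[from] = append(g.out[from], to) }

// addPod models AddPod for a pod bound to a node: pod -> node, then each referenced secret/configmap/pvc -> pod.
func (g *graph) addPod(ns, name, node string, refs ...vertex) {
	pod := vertex{"pod", ns, name}
	g.addEdge(pod, vertex{"node", "", node})
	for _, r := range refs {
		g.addEdge(r, pod)
	}
}

// addPV models AddPV: pv -> pvc (the bound claim) and secret -> pv (the PV's credential secret).
func (g *graph) addPV(pvName, claimNS, claimName, secretNS, secretName string) {
	pv := vertex{"pv", "", pvName}
	g.addEdge(pv, vertex{"pvc", claimNS, claimName})
	g.addEdge(vertex{"secret", secretNS, secretName}, pv)
}

// reachesNode follows edges from v toward the named node; the graph is acyclic by construction, so no visited set is needed.
func (g *graph) reachesNode(v vertex, node string) bool {
	for _, next := range g.out[v] {
		if next == (vertex{"node", "", node}) || g.reachesNode(next, node) {
			return true
		}
	}
	return false
}

// authorize applies rules 1-3 of the NodeAuthorizer doc comment; "static" marks requests the graph does not decide (rule 4).
func (g *graph) authorize(isNode bool, nodeName, verb, kind, ns, name string) string {
	if !isNode || nodeName == "" {
		return "deny" // rules 1 and 2: not a node, or no identifiable node
	}
	switch kind {
	case "secret", "configmap", "pvc", "pv":
		if verb == "get" && g.reachesNode(vertex{kind, ns, name}, nodeName) {
			return "allow"
		}
		return "deny" // rule 3: wrong verb, or object unrelated to this node
	}
	return "static"
}
```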

func (*NodeAuthorizer) Authorize