kubernetes

package
v0.5.2 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 18, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetRestConfig

func GetRestConfig(ctx context.Context, path string) (*rest.Config, error)

Types

type Client

type Client interface {
	libClient.Client

	// Authorize attempts to authorize the user to perform the desired operation
	// on the specified resource. If the user is not authorized, an error is
	// returned.
	Authorize(
		ctx context.Context,
		verb string,
		gvr schema.GroupVersionResource,
		subresource string,
		key libClient.ObjectKey,
	) error

	// Watch returns a suitable implementation of the watch.Interface for
	// subscribing to the resources described by the provided arguments.
	Watch(
		ctx context.Context,
		obj libClient.Object,
		namespace string,
		opts metav1.ListOptions,
	) (watch.Interface, error)
}

The Client interface combines the familiar controller-runtime Client interface with helpful Authorize and Watch functions that are absent from that interface.

func NewClient

func NewClient(
	ctx context.Context,
	restCfg *rest.Config,
	opts ClientOptions,
) (Client, error)

NewClient returns an implementation of the Client interface. The interface and implementation offer two key advantages:

  1. The Client interface combines the familiar controller-runtime Client interface with a helpful Watch function that is absent from that interface.
  2. The implementation enforces RBAC by retrieving context-bound user.Info and using it to conduct a SubjectAccessReview or SelfSubjectAccessReview before (if successful) performing the desired operation. This permits this client to retain the benefits of using a single underlying client (typically with a built-in cache), while still enforcing RBAC as if the operation had been performed with a user-specific client constructed ad-hoc using the user's own credentials.
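The authorize-then-delegate pattern from item 2, as an added standard-library sketch that is not this package's own code: it shows why the check must fail closed when no user is bound to the context and why it must run before the shared client is read. `Reviewer` (standing in for the SubjectAccessReview call), `userKey`, `AuthorizingClient`, `withUser`, `demoClient` and the sample data are all hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

type userKey struct{} // context key for the caller's identity (hypothetical)

// Reviewer stands in for a SubjectAccessReview call (hypothetical signature).
type Reviewer func(user, verb, resource, namespace string) bool

var ErrForbidden, ErrNotFound = errors.New("forbidden"), errors.New("not found")

// AuthorizingClient reviews access for the user bound to ctx, then reads
// from one shared store that models the single cached underlying client.
type AuthorizingClient struct {
	review Reviewer
	store  map[string]string // "namespace/name" -> object (constructed data)
}

func (c AuthorizingClient) Get(ctx context.Context, resource, ns, name string) (string, error) {
	user, ok := ctx.Value(userKey{}).(string)
	if !ok || user == "" {
		// Fail closed: never fall back to the shared client's own privileges.
		return "", fmt.Errorf("no user in context: %w", ErrForbidden)
	}
	// Review before reading, so a denied caller cannot probe for existence.
	if !c.review(user, "get", resource, ns) {
		return "", fmt.Errorf("%q may not get %s in %q: %w", user, resource, ns, ErrForbidden)
	}
	if obj, found := c.store[ns+"/"+name]; found {
		return obj, nil
	}
	return "", ErrNotFound
}

func withUser(ctx context.Context, name string) context.Context { return context.WithValue(ctx, userKey{}, name) }

// demoClient uses a constructed policy: alice may get configmaps in team-a only.
func demoClient() AuthorizingClient {
	return AuthorizingClient{
		review: func(u, v, r, ns string) bool { return u == "alice" && v == "get" && r == "configmaps" && ns == "team-a" },
		store:  map[string]string{"team-a/app": "a-data", "team-b/app": "b-data"},
	}
}

func main() { fmt.Println(demoClient().Get(context.Background(), "configmaps", "team-a", "app")) }
```

Running it prints the error for a call made without a user in the context; the same request through `withUser(ctx, "alice")` returns the object.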

type ClientOptions

type ClientOptions struct {
	// GlobalServiceAccountNamespaces is a list of namespaces in which we should
	// always look for ServiceAccounts when attempting to authorize a user.
	GlobalServiceAccountNamespaces []string
	// NewInternalClient may be used to take control of how the client's own
	// internal/underlying controller-runtime client is created. This is mainly
	// useful for tests wherein one may, for instance, wish to inject a custom
	// implementation of that interface created using fake.NewClientBuilder().
	// Ordinarily, the value of this field should be left as nil/unspecified, in
	// which case, the NewClient function to which this struct is passed will
	// supply its own default implementation.
	NewInternalClient func(
		context.Context,
		*rest.Config,
		*runtime.Scheme,
	) (libClient.Client, error)
	// NewInternalDynamicClient may be used to take control of how the client's
	// own internal/underlying client-go dynamic client is created. This is mainly
	// useful for tests wherein one may wish to inject a custom implementation of
	// that interface. Ordinarily, the value of this field should be left as
	// nil/unspecified, in which case, the NewClient function to which this struct
	// is passed will supply its own default implementation.
	NewInternalDynamicClient func(*rest.Config) (dynamic.Interface, error)
	// Scheme may be used to take control of the scheme used by the client's own
	// internal/underlying controller-runtime client. Ordinarily, the value of
	// this field should be left as nil/unspecified, in which case, the NewClient
	// function to which this struct is passed will supply a default scheme that
	// includes all Kubernetes APIs used by the Kargo API server.
	Scheme *runtime.Scheme
}

ClientOptions specifies options for customizing the client returned by the NewClient function.
