Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type ClusterRoleSubjectQuerier
type ClusterRoleSubjectQuerier struct{}
ClusterRoleSubjectQuerier queries the API for cluster role subjects.
func (ClusterRoleSubjectQuerier) Compatible
func (q ClusterRoleSubjectQuerier) Compatible(query *Query) bool
Compatible returns true if the implementation can serve the query.
It implements Querier.
func (ClusterRoleSubjectQuerier) Do
func (q ClusterRoleSubjectQuerier) Do(ctx context.Context, clientset *cage_k8s_core.Clientset, query *Query) (*IdentityList, error)
Do performs the query.
It implements Querier.
func (ClusterRoleSubjectQuerier) String
func (q ClusterRoleSubjectQuerier) String() string
String returns a unique description of the type of result provided by the querier.
It implements Querier.
type ConfigUserQuerier
type ConfigUserQuerier struct{}
ConfigUserQuerier queries a kubectl context for its user value.
func (ConfigUserQuerier) Compatible
func (q ConfigUserQuerier) Compatible(query *Query) bool
Compatible returns true if the implementation can serve the query.
It implements Querier.
func (ConfigUserQuerier) Do
func (q ConfigUserQuerier) Do(ctx context.Context, _ *cage_k8s_core.Clientset, query *Query) (*IdentityList, error)
Do performs the query.
It implements Querier.
func (ConfigUserQuerier) String
func (q ConfigUserQuerier) String() string
String returns a unique description of the type of result provided by the querier.
It implements Querier.
type CoreGroupQuerier
type CoreGroupQuerier struct{}
CoreGroupQuerier queries a hard-coded set of group names enumerated in the API server source code.
They're included as string literals instead of imported constants in order to avoid k8s.io/apiserver and its transitive dependencies.
https://github.com/kubernetes/apiserver/blob/kubernetes-1.17.0/pkg/authentication/user/user.go#L69
func (CoreGroupQuerier) Compatible
func (q CoreGroupQuerier) Compatible(query *Query) bool
Compatible returns true if the implementation can serve the query.
It implements Querier.
func (CoreGroupQuerier) Do
func (q CoreGroupQuerier) Do(ctx context.Context, _ *cage_k8s_core.Clientset, query *Query) (*IdentityList, error)
Do performs the query.
It implements Querier.
func (CoreGroupQuerier) String
func (q CoreGroupQuerier) String() string
String returns a unique description of the type of result provided by the querier.
It implements Querier.
type CoreUserQuerier
type CoreUserQuerier struct{}
CoreUserQuerier queries a hard-coded set of user names enumerated in the API server source code.
They're included as string literals instead of imported constants in order to avoid k8s.io/apiserver and its transitive dependencies.
https://github.com/kubernetes/apiserver/blob/kubernetes-1.17.0/pkg/authentication/user/user.go#L69
func (CoreUserQuerier) Compatible
func (q CoreUserQuerier) Compatible(query *Query) bool
Compatible returns true if the implementation can serve the query.
It implements Querier.
func (CoreUserQuerier) Do
func (q CoreUserQuerier) Do(ctx context.Context, _ *cage_k8s_core.Clientset, query *Query) (*IdentityList, error)
Do performs the query.
It implements Querier.
func (CoreUserQuerier) String
func (q CoreUserQuerier) String() string
String returns a unique description of the type of result provided by the querier.
It implements Querier.
type Identity
type Identity struct {
	meta.TypeMeta
	meta.ObjectMeta
	// Source describes the object (if any) in which this Identity was found, e.g. RoleBinding.
	Source *IdentitySource
	// Querier indicates which Querier implementation produced this value.
	Querier string
}
Identity describes an object which may have RBAC grants.
type IdentityList
type IdentityList struct {
	// Items holds the collection elements.
	Items []Identity
}
IdentityList is a collection of Identity values.
Its structure ("Items") aligns with the list collections in k8s.io/api/rbac/v1.
func (*IdentityList) Add
func (i *IdentityList) Add(namespace, kind, name string, source *IdentitySource)
Add appends a new Identity, built from the given namespace, kind, name and source, to the list.
type IdentitySource
type IdentitySource struct {
	meta.TypeMeta
	meta.ObjectMeta
}
IdentitySource describes where an Identity was found, e.g. RoleBinding.
func (IdentitySource) String
func (i IdentitySource) String() (s string)
String returns the relevant fields in a human-readable format for use in info/error messages.
type Querier
type Querier interface {
	// String returns a unique description of the type of result provided by the querier.
	String() string

	// Compatible returns true if the implementation can serve the query.
	//
	// For example, a query may specify an object kind, e.g. ClusterRole, but a querier may not
	// know how to query it because it only supports Group.
	Compatible(*Query) bool

	// Do performs the query.
	Do(context.Context, *cage_k8s_core.Clientset, *Query) (*IdentityList, error)
}
Querier implementations perform queries of an identity-related object kind, e.g. ServiceAccount.
This decomposition makes a trade-off between more Go types/files and the ability to define the sub-queries independently in a more maintainable way.
type Query
type Query struct {
	// Kind determines which Querier implementations are used by only running those which support this kind.
	Kind string

	// Name limits which identities are returned from Querier implementations. If it matches a candidate's
	// name, or if it is empty, the candidate is included in the returned list.
	Name string

	// Namespace limits which identities are returned from Querier implementations. For example, if the querier
	// consumes a RoleBinding list, only bindings from the selected namespace are considered.
	Namespace string

	// ClientCmdConfig provides kubectl config values from which to seek query matches.
	ClientCmdConfig *clientcmdapi.Config
}
Query holds facets which limit an RBAC related query's result set.
func NewQuery
func NewQuery(options ...QueryOption) *Query
NewQuery returns a Query initialized with all input options.
type QueryOption
type QueryOption func(*Query)
QueryOption implementations accept the current Query state and update it based on option-specific logic.
It supports a functional option API based on https://dave.cheney.net/2014/10/17/functional-options-for-friendly-apis.
func QueryClientCmdConfig
func QueryClientCmdConfig(val *clientcmdapi.Config) QueryOption
QueryClientCmdConfig expands the query scope of an RBAC related query to seek matches from the config's identity-related entities.
func QueryKind
func QueryKind(val string) QueryOption
QueryKind limits the query scope of an RBAC related query to a specific object kind.
func QueryName
func QueryName(val string) QueryOption
QueryName limits the query scope of an RBAC related query to a specific name.
func QueryNamespace
func QueryNamespace(val string) QueryOption
QueryNamespace limits the query scope of an RBAC related query to this namespace.
To align with kubectl's --namespace/--all-namespaces behavior, if this option is set to a non-empty value, Querier implementations ignore it when the queried dataset is namespace agnostic, e.g. cluster roles. In other words, if the selected namespace is "frontend" and cluster roles are queried, any cluster role is included in the query results as long as it matches the other criteria.
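The following is an added example, not this package's own code: it models the functional-option Query, the Querier interface and the Compatible/Do dispatch that Registry.Query performs, and shows the QueryNamespace rule above by running a constructed namespace-agnostic source (ClusterRole subjects) beside a namespaced one (Role subjects). The Querier here omits the clientset and context parameters, and memQuerier, Run and SampleQueriers are hypothetical names introduced for the demonstration.

```go
package main

// Added example (not the package's own code): functional-option Query and Querier dispatch.
type Query struct{ Kind, Name, Namespace string }
type QueryOption func(*Query)
func NewQuery(options ...QueryOption) *Query {
	q := &Query{}
	for _, opt := range options {
		opt(q)
	}
	return q
}
func QueryKind(val string) QueryOption      { return func(q *Query) { q.Kind = val } }
func QueryName(val string) QueryOption      { return func(q *Query) { q.Name = val } }
func QueryNamespace(val string) QueryOption { return func(q *Query) { q.Namespace = val } }
// Identity is a candidate result; Namespace is empty for cluster-scoped sources.
type Identity struct{ Kind, Namespace, Name string }
// Querier mirrors the page's interface minus the clientset/context parameters.
type Querier interface {
	Compatible(*Query) bool
	Do(*Query) []Identity
}
// memQuerier (hypothetical) serves one Kind from constructed items; namespaced=false means namespace agnostic.
type memQuerier struct{ kind string; namespaced bool; items []Identity }
func (m memQuerier) Compatible(q *Query) bool { return q.Kind == "" || q.Kind == m.kind }
// Do always applies Name but applies Namespace only to namespaced data (the QueryNamespace rule).
func (m memQuerier) Do(q *Query) (out []Identity) {
	for _, it := range m.items {
		if (!m.namespaced || q.Namespace == "" || q.Namespace == it.Namespace) && (q.Name == "" || q.Name == it.Name) {
			out = append(out, it)
		}
	}
	return out
}
// Run builds the Query from its options and dispatches it to every compatible querier, as Registry.Query does.
func Run(queriers []Querier, options ...QueryOption) (all []Identity) {
	q := NewQuery(options...)
	for _, qr := range queriers {
		if qr.Compatible(q) {
			all = append(all, qr.Do(q)...)
		}
	}
	return all
}
// SampleQueriers is constructed data: a namespace-agnostic source and a namespaced one.
var SampleQueriers = []Querier{
	memQuerier{"ClusterRole", false, []Identity{{"Group", "", "system:masters"}}},
	memQuerier{"Role", true, []Identity{{"ServiceAccount", "frontend", "web"}, {"ServiceAccount", "backend", "api"}}},
}
```

With QueryNamespace("frontend") alone, the cluster-scoped system:masters group is still returned while only the frontend Role subject passes the namespace facet.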
type Registry
type Registry struct {
	CoreGroup           Querier
	CoreUser            Querier
	RoleSubject         Querier
	ClusterRoleSubject  Querier
	ServiceAccountUser  Querier
	ServiceAccountGroup Querier
	ConfigUser          Querier
	Clientset           *cage_k8s_core.Clientset
}
func NewRegistry
func NewRegistry(clientset *cage_k8s_core.Clientset) *Registry
NewRegistry builds a registry of known and discovered users.
func (*Registry) Query
func (reg *Registry) Query(ctx context.Context, options ...QueryOption) (*IdentityList, error)
type RoleSubjectQuerier
type RoleSubjectQuerier struct{}
RoleSubjectQuerier queries the API for role subjects.
func (RoleSubjectQuerier) Compatible
func (q RoleSubjectQuerier) Compatible(query *Query) bool
Compatible returns true if the implementation can serve the query.
It implements Querier.
func (RoleSubjectQuerier) Do
func (q RoleSubjectQuerier) Do(ctx context.Context, clientset *cage_k8s_core.Clientset, query *Query) (*IdentityList, error)
Do performs the query.
It implements Querier.
func (RoleSubjectQuerier) String
func (q RoleSubjectQuerier) String() string
String returns a unique description of the type of result provided by the querier.
It implements Querier.
type ServiceAccountGroupQuerier
type ServiceAccountGroupQuerier struct{}
ServiceAccountGroupQuerier detects valid names of service account based groups and queries the API to validate their namespaces if needed. If all validation checks pass, the group is returned in the identity list.
func (ServiceAccountGroupQuerier) Compatible
func (q ServiceAccountGroupQuerier) Compatible(query *Query) bool
Compatible returns true if the implementation can serve the query.
It implements Querier.
func (ServiceAccountGroupQuerier) Do
func (q ServiceAccountGroupQuerier) Do(ctx context.Context, clientset *cage_k8s_core.Clientset, query *Query) (*IdentityList, error)
Do performs the query.
It implements Querier.
func (ServiceAccountGroupQuerier) String
func (q ServiceAccountGroupQuerier) String() string
String returns a unique description of the type of result provided by the querier.
It implements Querier.
type ServiceAccountUserQuerier
type ServiceAccountUserQuerier struct{}
ServiceAccountUserQuerier queries the API for service account based users.
func (ServiceAccountUserQuerier) Compatible
func (q ServiceAccountUserQuerier) Compatible(query *Query) bool
Compatible returns true if the implementation can serve the query.
It implements Querier.
func (ServiceAccountUserQuerier) Do
func (q ServiceAccountUserQuerier) Do(ctx context.Context, clientset *cage_k8s_core.Clientset, query *Query) (*IdentityList, error)
Do performs the query.
It implements Querier.
func (ServiceAccountUserQuerier) String
func (q ServiceAccountUserQuerier) String() string
String returns a unique description of the type of result provided by the querier.
It implements Querier.