k8schain

package
v0.0.0-...-0cfc503 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 12, 2019 License: Apache-2.0 Imports: 11 Imported by: 0

README

k8schain

This is an implementation of the github.com/flant/go-containerregistry library's authn.Keychain interface based on the authentication semantics used by the Kubelet when performing the pull of a Pod's images.

Usage

Creating a keychain

A k8schain keychain can be built via one of:

// client is a kubernetes.Interface
kc, err := k8schain.New(client, k8schain.Options{})
...

// This method is suitable for use by controllers or other in-cluster processes.
kc, err := k8schain.NewInCluster(k8schain.Options{})
...
Using the keychain

The k8schain keychain can be used directly as an authn.Keychain, e.g.

	auth, err := kc.Resolve(registry)
	if err != nil {
		...
	}

Or, it can be used to override the default keychain used by this process, which by default follows Docker's keychain semantics:

func init() {
	// Override the default keychain used by this process to follow the
	// Kubelet's keychain semantics.
	authn.DefaultKeychain = kc
}

Documentation

Overview

Package k8schain exposes an implementation of the authn.Keychain interface based on the semantics the Kubelet follows when pulling the images for a Pod in Kubernetes.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func New

func New(client kubernetes.Interface, opt Options) (authn.Keychain, error)

New returns a new authn.Keychain suitable for resolving image references as scoped by the provided Options. It speaks to Kubernetes through the provided client interface.

func NewInCluster

func NewInCluster(opt Options) (authn.Keychain, error)

NewInCluster returns a new authn.Keychain suitable for resolving image references as scoped by the provided Options, constructing a kubernetes.Interface based on in-cluster authentication.

func NewNoClient

func NewNoClient() (authn.Keychain, error)

NewNoClient returns a new authn.Keychain that supports the portions of the K8s keychain that don't read ImagePullSecrets. This limits it to roughly the Node-identity-based authentication schemes in Kubernetes pkg/credentialprovider. This version of the k8schain drops the requirement that we run as a K8s serviceaccount with access to all of the on-cluster secrets. This drop in fidelity also diminishes its value as a stand-in for Kubernetes authentication, but this actually targets a different use-case. What remains is an interesting sweet spot: this variant can serve as a credential provider for all of the major public clouds, but in library form (vs. an executable you exec).

Types

type Options

type Options struct {
	// Namespace holds the namespace inside of which we are resolving the
	// image reference.  If empty, "default" is assumed.
	Namespace string
	// ServiceAccountName holds the serviceaccount as which the container
	// will run (scoped to Namespace).  If empty, "default" is assumed.
	ServiceAccountName string
	// ImagePullSecrets holds the names of the Kubernetes secrets (scoped to
	// Namespace) containing credential data to use for the image pull.
	ImagePullSecrets []string
}

Options holds configuration data for guiding credential resolution.

Directories

Path Synopsis
tests

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL