authcheck

package v0.23.0

Published: May 25, 2021 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Overview

Package authcheck provides utilities to check authentication configuration for data plane resources. It is made up of the following files:

authcheck.go contains functions to run customized checks inside of a Pod.

authtype.go contains functions to differentiate the authentication mode.

enqueue.go contains customized EventHandlers to enqueue resources for the authentication check.

list.go contains functions to get a list of resources based on a label selector and to extract information from such a list.

probechecker.go contains utilities to perform a probe check for liveness and readiness.

Index

Constants

const (
	AuthenticationCheckUnknownReason = "AuthenticationCheckPending"
	ControlPlaneNamespace            = "cloud-run-events"
	BrokerServiceAccountName         = "broker"
)
const DefaultProbeCheckPort = 8080

DefaultProbeCheckPort is the default port for checking sync pool health.

Variables

var (
	BrokerSecret = &corev1.SecretKeySelector{
		LocalObjectReference: corev1.LocalObjectReference{Name: "google-broker-key"},
		Key:                  "key.json",
	}
)

Functions

func AuthenticationCheckForSecret

func AuthenticationCheckForSecret(ctx context.Context) error

AuthenticationCheckForSecret performs the authentication check for a Pod in secret mode.

func AuthenticationCheckForWorkloadIdentityGSA

func AuthenticationCheckForWorkloadIdentityGSA(resource string, client *http.Client) error

AuthenticationCheckForWorkloadIdentityGSA performs the authentication check for a Pod in workload-identity-gsa mode.

func EnqueueBrokerCell

func EnqueueBrokerCell(impl *controller.Impl, brokerCellLister v1alpha1.BrokerCellLister) cache.ResourceEventHandler

EnqueueBrokerCell returns an event handler for resources which are not created/owned by a BrokerCell. It is used for the serviceAccountInformer and the secretInformer.

func EnqueuePullSubscription

func EnqueuePullSubscription(impl *controller.Impl, pullSubscriptionLister listers.PullSubscriptionLister) cache.ResourceEventHandler

EnqueuePullSubscription returns an event handler for resources which are not created/owned by a PullSubscription. It is used for the serviceAccountInformer.

func EnqueueTopic

func EnqueueTopic(impl *controller.Impl, topicLister listers.TopicLister) cache.ResourceEventHandler

EnqueueTopic returns an event handler for resources which are not created/owned by a Topic. It is used for the serviceAccountInformer.

func GetEventList

func GetEventList(ctx context.Context, kubeClientSet kubernetes.Interface, pod, namespace string) (*corev1.EventList, error)

GetEventList gets a list of k8s events in a given namespace, using a field selector that restricts them to events related to the Pod.

func GetMountFailureMessageFromEventList

func GetMountFailureMessageFromEventList(el *corev1.EventList, secret *corev1.SecretKeySelector) string

GetMountFailureMessageFromEventList gets the k8s event message related to secret mount errors. It returns the first relevant message from any Event in the list.

func GetPodList

func GetPodList(ctx context.Context, ls labels.Selector, kubeClientSet kubernetes.Interface, namespace string) (*corev1.PodList, error)

GetPodList gets a list of Pods in a given namespace matching the given label selector.

func GetTerminationLogFromPodList

func GetTerminationLogFromPodList(pl *corev1.PodList) string

GetTerminationLogFromPodList gets the termination log from Pods that failed due to authentication check errors. It returns the first authentication termination log from any Pod in the list.

Types

type AuthType

type AuthType string
const (
	// Secret refers to the authentication configuration for a secret.
	// https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform#importing_credentials_as_a_secret
	Secret AuthType = "secret"
	// WorkloadIdentityGSA refers to the authentication configuration for Workload Identity using a GSA.
	// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
	WorkloadIdentityGSA AuthType = "workload-identity-gsa"
	WorkloadIdentity    AuthType = "workload-identity"
)

func GetAuthTypeForBrokerCell

func GetAuthTypeForBrokerCell(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister,
	secretLister corev1listers.SecretLister, args AuthTypeArgs) (AuthType, error)

GetAuthTypeForBrokerCell returns the AuthType for a BrokerCell.

func GetAuthTypeForSources

func GetAuthTypeForSources(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, args AuthTypeArgs) (AuthType, error)

GetAuthTypeForSources returns the AuthType for Sources.

type AuthTypeArgs

type AuthTypeArgs struct {
	Namespace          string
	ServiceAccountName string
	Secret             *corev1.SecretKeySelector
}

type AuthenticationCheck

type AuthenticationCheck interface {
	Check(ctx context.Context) error
}

func NewDefault

func NewDefault(authType AuthType) AuthenticationCheck

type FakeAuthenticationCheck

type FakeAuthenticationCheck struct {
	Err error
}

func (*FakeAuthenticationCheck) Check

type ProbeChecker

type ProbeChecker struct {
	// contains filtered or unexported fields
}

func NewProbeChecker

func NewProbeChecker(logger *zap.Logger, authType AuthType) ProbeChecker

NewProbeChecker returns a ProbeChecker that uses the default probe check port (DefaultProbeCheckPort).

func (*ProbeChecker) ServeHTTP

func (pc *ProbeChecker) ServeHTTP(w http.ResponseWriter, req *http.Request)

ServeHTTP performs the authentication check if the request path is /healthz.

func (*ProbeChecker) Start

func (pc *ProbeChecker) Start(ctx context.Context)

Start initializes an HTTP server and starts listening.
