kuberbacreconciliation

package v0.0.0-...-5b87a2c
Published: Jan 22, 2024 License: Apache-2.0, Apache-2.0 Imports: 15 Imported by: 0

README

RBAC reconciliation

Upon API server startup, if the RBAC authorizer is enabled, the API server creates the default RBAC rules. These rules are more or less required for the Kubernetes controllers themselves to have access to what they need, and for commonly expected operations to work. That's why we want those rules in our case as well, as we still use RBAC rules as the "source of truth".

However, when we demo running the API server without RBAC, no ClusterRoles will be reconciled into etcd by the API server. That's why I wanted to vendor that code into this project. However, at the moment this code exists as a poststarthook in kubernetes/pkg/registry/rbac/rest/storage_rbac.go, so vendoring it means vendoring essentially the whole Kubernetes project, which is not fun to do, especially not in a project where we want to show how to innovate outside of Kubernetes :D

I extracted the relevant code from storage_rbac.go and put it here. The dependencies of this package are not bad, 5 packages or so. I think this small refactor could be done upstream, but I'll check with sig-auth what they think. Until then, I carry this code here. I have attached the Kubernetes license in this folder; this file is not covered by the kube-rebac-authorizer's license.

Documentation

Overview

NOTE! This file is forked from kubernetes/pkg/registry/rbac/rest/storage_rbac.go, as it is otherwise very hard to import without importing the whole Kubernetes project.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

Types

type PolicyData

type PolicyData struct {
	ClusterRoles        []rbacapiv1.ClusterRole
	ClusterRoleBindings []rbacapiv1.ClusterRoleBinding
	Roles               map[string][]rbacapiv1.Role
	RoleBindings        map[string][]rbacapiv1.RoleBinding
	// ClusterRolesToAggregate maps from previous clusterrole name to the new clusterrole name
	ClusterRolesToAggregate map[string]string
	// ClusterRoleBindingsToSplit maps from previous ClusterRoleBinding Name to a template for the new ClusterRoleBinding
	ClusterRoleBindingsToSplit map[string]rbacapiv1.ClusterRoleBinding
}

func (*PolicyData) EnsureRBACPolicy

func (p *PolicyData) EnsureRBACPolicy() genericapiserver.PostStartHookFunc
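The additive reconcile that the post-start hook performs for each default ClusterRole, as an added example with standard-library types only (this is not this package's or Kubernetes' code; PolicyRule is a cut-down stand-in for rbacapiv1.PolicyRule, and the upstream logic additionally handles resourceNames, nonResourceURLs and the rbac.authorization.kubernetes.io/autoupdate annotation, which are omitted here):

```go
package main

import "fmt"

// PolicyRule is a cut-down stand-in for rbacapiv1.PolicyRule (assumption: only the
// fields needed to illustrate rule coverage are modelled).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// subset reports whether every entry of want is granted by have; "*" in have is a
// wildcard, as in Kubernetes RBAC.
func subset(have, want []string) bool {
	for _, w := range want {
		ok := false
		for _, h := range have {
			ok = ok || h == "*" || h == w
		}
		if !ok {
			return false
		}
	}
	return true
}

// covers reports whether the existing rule have grants everything want asks for.
func covers(have, want PolicyRule) bool {
	return subset(have.APIGroups, want.APIGroups) && subset(have.Resources, want.Resources) && subset(have.Verbs, want.Verbs)
}

// MissingRules returns the default rules that no rule in the stored role covers.
// Reconciliation is additive: these get appended to the stored role, while rules an
// operator added on top of the defaults are left in place rather than removed.
func MissingRules(existing, desired []PolicyRule) (missing []PolicyRule) {
	for _, want := range desired {
		covered := false
		for _, have := range existing {
			covered = covered || covers(have, want)
		}
		if !covered {
			missing = append(missing, want)
		}
	}
	return missing
}

func main() {
	// Constructed sample: the stored copy of a default role has lost its "list" verb.
	desired := []PolicyRule{{APIGroups: []string{""}, Resources: []string{"nodes"}, Verbs: []string{"get", "list", "watch"}}}
	existing := []PolicyRule{{APIGroups: []string{""}, Resources: []string{"nodes"}, Verbs: []string{"get", "watch"}}}
	fmt.Printf("rules to add: %+v\n", MissingRules(existing, desired))
}
```

The point for an auditor is the asymmetry: reconciliation restores missing default permissions on every start, but it never strips permissions that were added on top, so extra grants on default roles must be detected separately.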
