clusteraccess

package
v0.13.1
Published: Jul 23, 2025 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeTokenRenewalTime

func ComputeTokenRenewalTime(creationTime, expirationTime time.Time) time.Time

ComputeTokenRenewalTime computes the time for the renewal of a token, given its creation and expiration time. Returns the zero time if either of the given times is zero. The returned time is when 80% of the validity duration is reached. If another percentage is desired, use ComputeTokenRenewalTimeWithRatio instead.

func ComputeTokenRenewalTimeWithRatio

func ComputeTokenRenewalTimeWithRatio(creationTime, expirationTime time.Time, ratio float64) time.Time

ComputeTokenRenewalTimeWithRatio computes the time for the renewal of a token, given its creation and expiration time. Returns the zero time if either of the given times is zero. Ratio must be between 0 and 1. The returned time is when this fraction of the validity duration is reached.

func CreateTokenKubeconfig

func CreateTokenKubeconfig(user, host string, caData []byte, token string) ([]byte, error)

CreateTokenKubeconfig generates a kubeconfig based on the given values: the API server host, its CA bundle, and a bearer token. The user argument is used as the key of the user (auth) entry in the generated kubeconfig and can be chosen freely.
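As an added example (not the package's code), the following stdlib-only Go builds and checks a token kubeconfig of the shape CreateTokenKubeconfig produces: one cluster with embedded CA data, one user carrying the bearer token, one context joining them. It emits JSON, which kubectl accepts because JSON is valid YAML. The host, CA bytes and token in main are constructed placeholders, and the check function as well as the refusal of non-https hosts or empty CA data are this example's additions, not behaviour the package documents.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Kubeconfig is the subset of the kubeconfig schema a token kubeconfig needs.
type Kubeconfig struct {
	APIVersion     string         `json:"apiVersion"`
	Kind           string         `json:"kind"`
	CurrentContext string         `json:"current-context"`
	Clusters       []NamedCluster `json:"clusters"`
	Users          []NamedUser    `json:"users"`
	Contexts       []NamedContext `json:"contexts"`
}

type NamedCluster struct {
	Name    string  `json:"name"`
	Cluster Cluster `json:"cluster"`
}

type Cluster struct {
	Server                   string `json:"server"`
	CertificateAuthorityData string `json:"certificate-authority-data,omitempty"` // base64 of the PEM bundle
	InsecureSkipTLSVerify    bool   `json:"insecure-skip-tls-verify,omitempty"`
}

type NamedUser struct {
	Name string `json:"name"`
	User User   `json:"user"`
}

type User struct {
	Token string `json:"token,omitempty"`
}

type NamedContext struct {
	Name    string  `json:"name"`
	Context Context `json:"context"`
}

type Context struct {
	Cluster string `json:"cluster"`
	User    string `json:"user"`
}

// BuildTokenKubeconfig assembles the kubeconfig. It refuses inputs that would
// yield a credential the client cannot bind to the right server (example's
// own checks, not documented package behaviour).
func BuildTokenKubeconfig(user, host string, caData []byte, token string) ([]byte, error) {
	u, err := url.Parse(host)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("host must be an https:// URL, got %q", host)
	}
	if len(caData) == 0 {
		return nil, errors.New("caData is empty; without a CA the kubeconfig cannot authenticate the server")
	}
	if strings.TrimSpace(token) == "" {
		return nil, errors.New("token is empty")
	}
	const clusterName = "cluster"
	cfg := Kubeconfig{
		APIVersion:     "v1",
		Kind:           "Config",
		CurrentContext: user,
		Clusters: []NamedCluster{{Name: clusterName, Cluster: Cluster{
			Server:                   host,
			CertificateAuthorityData: base64.StdEncoding.EncodeToString(caData),
		}}},
		Users:    []NamedUser{{Name: user, User: User{Token: token}}},
		Contexts: []NamedContext{{Name: user, Context: Context{Cluster: clusterName, User: user}}},
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// CheckTokenKubeconfig parses a kubeconfig and rejects the two settings that let
// any TLS endpoint harvest the bearer token: insecure-skip-tls-verify, or a
// cluster entry with no CA data.
func CheckTokenKubeconfig(data []byte) (*Kubeconfig, error) {
	var cfg Kubeconfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	if cfg.CurrentContext == "" {
		return nil, errors.New("kubeconfig has no current-context")
	}
	for _, c := range cfg.Clusters {
		if c.Cluster.InsecureSkipTLSVerify {
			return nil, fmt.Errorf("cluster %q sets insecure-skip-tls-verify", c.Name)
		}
		if c.Cluster.CertificateAuthorityData == "" {
			return nil, fmt.Errorf("cluster %q has no certificate-authority-data", c.Name)
		}
	}
	return &cfg, nil
}

func main() {
	// Constructed placeholders; a real caData is the cluster's PEM CA bundle.
	ca := []byte("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
	data, err := BuildTokenKubeconfig("ci-bot", "https://api.example.internal:6443", ca, "sa-token-redacted")
	if err != nil {
		panic(err)
	}
	if _, err := CheckTokenKubeconfig(data); err != nil {
		panic(err)
	}
	fmt.Println(string(data))
}
```

The generated file is a bearer credential in plain text: write it with mode 0600 and treat it like the token itself.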

func EnsureClusterRole

func EnsureClusterRole(ctx context.Context, c client.Client, name string, rules []rbacv1.PolicyRule, expectedLabels ...Label) (*rbacv1.ClusterRole, error)

EnsureClusterRole ensures that the specified ClusterRole exists with the specified rules. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The ClusterRole is returned.

func EnsureClusterRoleAndBinding

func EnsureClusterRoleAndBinding(ctx context.Context, c client.Client, name string, subjects []rbacv1.Subject, rules []rbacv1.PolicyRule, expectedLabels ...Label) (*rbacv1.ClusterRoleBinding, *rbacv1.ClusterRole, error)

EnsureClusterRoleAndBinding combines EnsureClusterRole and EnsureClusterRoleBinding. The name is used for both the ClusterRole and ClusterRoleBinding.

func EnsureClusterRoleBinding

func EnsureClusterRoleBinding(ctx context.Context, c client.Client, name, clusterRoleName string, subjects []rbacv1.Subject, expectedLabels ...Label) (*rbacv1.ClusterRoleBinding, error)

EnsureClusterRoleBinding ensures that the specified ClusterRoleBinding exists with the specified subjects. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The ClusterRoleBinding is returned.

func EnsureNamespace

func EnsureNamespace(ctx context.Context, c client.Client, nsName string, expectedLabels ...Label) (*corev1.Namespace, error)

EnsureNamespace ensures that the specified Namespace exists. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The namespace is returned.

func EnsureRole

func EnsureRole(ctx context.Context, c client.Client, name, namespace string, rules []rbacv1.PolicyRule, expectedLabels ...Label) (*rbacv1.Role, error)

EnsureRole ensures that the specified Role exists with the specified rules. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The Role is returned.

func EnsureRoleAndBinding

func EnsureRoleAndBinding(ctx context.Context, c client.Client, name, namespace string, subjects []rbacv1.Subject, rules []rbacv1.PolicyRule, expectedLabels ...Label) (*rbacv1.RoleBinding, *rbacv1.Role, error)

EnsureRoleAndBinding combines EnsureRole and EnsureRoleBinding. The name is used for both the Role and RoleBinding.

func EnsureRoleBinding

func EnsureRoleBinding(ctx context.Context, c client.Client, name, namespace, roleName string, subjects []rbacv1.Subject, expectedLabels ...Label) (*rbacv1.RoleBinding, error)

EnsureRoleBinding ensures that the specified RoleBinding exists with the specified subjects. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The RoleBinding is returned.

func EnsureServiceAccount

func EnsureServiceAccount(ctx context.Context, c client.Client, saName, saNamespace string, expectedLabels ...Label) (*corev1.ServiceAccount, error)

EnsureServiceAccount ensures that the specified ServiceAccount exists. If it doesn't exist, it is created with the expected labels (the namespace has to exist). If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The ServiceAccount is returned.

func FailIfNotManaged

func FailIfNotManaged(obj client.Object, expectedLabels ...Label) error

FailIfNotManaged takes an object and a list of expected labels. It returns a ResourceNotManagedError if any of the expected labels is missing on the object or has a different value. If the object is nil or the expected labels are empty, it returns nil.
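The Ensure* functions above and FailIfNotManaged share one gate: an object of the wanted name that lacks the expected labels is never adopted or rewritten, so a pre-existing ClusterRole, RoleBinding, Namespace or ServiceAccount that another party owns cannot be silently taken over or have its rules replaced. The added example below, which is not the package's code, reproduces that gate over an in-memory store, with a struct standing in for client.Object and a []string standing in for []rbacv1.PolicyRule. The ownership label key and the decision to reconcile a managed role's rules on the second call are assumptions of the example; the package only promises that the role exists.

```go
package main

import (
	"errors"
	"fmt"
)

// Label mirrors the package's Label alias: one key/value pair.
type Label struct{ Key, Value string }

// Object stands in for a client.Object: kind, name, labels, and the rules a
// (Cluster)Role carries ([]string here instead of []rbacv1.PolicyRule).
type Object struct {
	Kind, Name string
	Labels     map[string]string
	Rules      []string
}

// ResourceNotManagedError: an object of the wanted name exists but does not
// carry the labels that mark it as ours.
type ResourceNotManagedError struct {
	Obj            *Object
	ExpectedLabels []Label
}

func (e *ResourceNotManagedError) Error() string {
	return fmt.Sprintf("%s %q exists but is not managed here (expected labels %v, found %v)",
		e.Obj.Kind, e.Obj.Name, e.ExpectedLabels, e.Obj.Labels)
}

// IsResourceNotManagedError is true for a non-nil error wrapping the type.
func IsResourceNotManagedError(err error) bool {
	var target *ResourceNotManagedError
	return errors.As(err, &target)
}

// FailIfNotManaged follows the documented contract: a nil object or no expected
// labels means no opinion; any missing or differing label means not ours.
func FailIfNotManaged(obj *Object, expected ...Label) error {
	if obj == nil || len(expected) == 0 {
		return nil
	}
	for _, l := range expected {
		if v, ok := obj.Labels[l.Key]; !ok || v != l.Value {
			return &ResourceNotManagedError{Obj: obj, ExpectedLabels: expected}
		}
	}
	return nil
}

// Store is an in-memory stand-in for the API server, keyed by "Kind/name".
type Store map[string]*Object

// EnsureClusterRole is get-or-create with the ownership gate in front of any
// update. Reconciling a managed role to the desired rules is this example's
// assumption.
func (s Store) EnsureClusterRole(name string, rules []string, expected ...Label) (*Object, error) {
	key := "ClusterRole/" + name
	if existing, ok := s[key]; ok {
		if err := FailIfNotManaged(existing, expected...); err != nil {
			return nil, err // never adopt or rewrite a role someone else owns
		}
		existing.Rules = rules
		return existing, nil
	}
	labels := make(map[string]string, len(expected))
	for _, l := range expected {
		labels[l.Key] = l.Value
	}
	obj := &Object{Kind: "ClusterRole", Name: name, Labels: labels, Rules: rules}
	s[key] = obj
	return obj, nil
}

func main() {
	owner := Label{"example.com/managed-by", "clusteraccess-demo"} // assumed label
	s := Store{}
	// First call creates the role with the ownership label.
	if _, err := s.EnsureClusterRole("ca-reader", []string{"get pods"}, owner); err != nil {
		panic(err)
	}
	// Second call finds our labelled role and reconciles its rules.
	if _, err := s.EnsureClusterRole("ca-reader", []string{"get pods", "list pods"}, owner); err != nil {
		panic(err)
	}
	// A pre-existing role of the same name without our label is left untouched.
	s["ClusterRole/admin-like"] = &Object{Kind: "ClusterRole", Name: "admin-like", Rules: []string{"* *"}}
	_, err := s.EnsureClusterRole("admin-like", []string{"get pods"}, owner)
	fmt.Println(IsResourceNotManagedError(err), err)
}
```

Callers should treat a ResourceNotManagedError as a hard stop for that name rather than retrying with a different label set: the point of the gate is that the object's owner, not the caller, decides what it contains.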

func IsResourceNotManagedError

func IsResourceNotManagedError(err error) bool

IsResourceNotManagedError returns true if the error is non-nil and of type *ResourceNotManagedError.

func WriteKubeconfigFromRESTConfig added in v0.11.0

func WriteKubeconfigFromRESTConfig(restConfig *rest.Config) ([]byte, error)

WriteKubeconfigFromRESTConfig converts the RESTConfig to a kubeconfig format. Supported authentication methods are Bearer Token, Username/Password and Client Certificate.

func WriteOIDCConfigFromRESTConfig added in v0.11.0

func WriteOIDCConfigFromRESTConfig(restConfig *rest.Config) ([]byte, error)

WriteOIDCConfigFromRESTConfig converts a RESTConfig to an OIDC trust configuration format. When creating a Kubernetes Deployment, this configuration is used to set up the trust relationship to the target cluster: the workload consumes the target cluster's host and CA data from a Secret (oidc-trust-config in the example below) alongside a projected ServiceAccount token whose audience is the target cluster. Example:

spec:
  template:
    spec:
      volumes:
      - name: oidc-trust-config
        projected:
          sources:
          - secret:
              name: oidc-trust-config
              items:
              - key: host
                path: cluster/host
              - key: caData
                path: cluster/ca.crt
          - serviceAccountToken:
              audience: target-cluster
              path: cluster/token
              expirationSeconds: 3600
      containers:
      # other fields of the container (name, image, ...) are omitted here
      - volumeMounts:
        - name: oidc-trust-config
          mountPath: /var/run/secrets/oidc-trust-config
          readOnly: true

Types

type Label

type Label = pairs.Pair[string, string]

type ResourceNotManagedError

type ResourceNotManagedError struct {
	Obj            client.Object
	ExpectedLabels []Label
}

func NewResourceNotManagedError

func NewResourceNotManagedError(obj client.Object, expectedLabels ...Label) *ResourceNotManagedError

NewResourceNotManagedError creates a new ResourceNotManagedError.

func (*ResourceNotManagedError) Error

func (e *ResourceNotManagedError) Error() string

type ServiceAccountToken

type ServiceAccountToken struct {
	Token               string
	CreationTimestamp   time.Time
	ExpirationTimestamp time.Time
}

ServiceAccountToken is a helper struct that bundles a ServiceAccount token together with its creation and expiration timestamps.
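Added example (not the package's code) for ComputeTokenRenewalTime, ComputeTokenRenewalTimeWithRatio and the ServiceAccountToken struct: the renewal computation with the zero-time rule from the documentation, plus a due check that a renewal loop can poll so a token is replaced at 80% of its validity rather than after it has already expired. Returning an error for a ratio outside [0, 1] or for an expiration that is not after the creation, and treating a token with unknown validity as due, are this example's choices; the package's functions return only a time.Time and do not document those cases.

```go
package main

import (
	"fmt"
	"time"
)

// ServiceAccountToken mirrors the package's struct.
type ServiceAccountToken struct {
	Token               string
	CreationTimestamp   time.Time
	ExpirationTimestamp time.Time
}

// ComputeTokenRenewalTimeWithRatio returns the instant at which the given
// fraction of the token's validity has elapsed. Zero inputs yield the zero
// time, as documented for the package. The error cases are this example's own.
func ComputeTokenRenewalTimeWithRatio(creation, expiration time.Time, ratio float64) (time.Time, error) {
	if creation.IsZero() || expiration.IsZero() {
		return time.Time{}, nil
	}
	if ratio < 0 || ratio > 1 {
		return time.Time{}, fmt.Errorf("ratio %v is outside [0, 1]", ratio)
	}
	validity := expiration.Sub(creation)
	if validity <= 0 {
		return time.Time{}, fmt.Errorf("expiration %s is not after creation %s", expiration, creation)
	}
	return creation.Add(time.Duration(float64(validity) * ratio)), nil
}

// ComputeTokenRenewalTime applies the package's default of 80%.
func ComputeTokenRenewalTime(creation, expiration time.Time) (time.Time, error) {
	return ComputeTokenRenewalTimeWithRatio(creation, expiration, 0.8)
}

// RenewalDue reports whether the token should be replaced at now. A token whose
// validity is unknown (zero timestamps) is reported as due, so that the caller
// obtains one with a known expiration instead of trusting an opaque credential.
func (t *ServiceAccountToken) RenewalDue(now time.Time) (bool, error) {
	renewAt, err := ComputeTokenRenewalTime(t.CreationTimestamp, t.ExpirationTimestamp)
	if err != nil {
		return false, err
	}
	if renewAt.IsZero() {
		return true, nil
	}
	return !now.Before(renewAt), nil
}

func main() {
	// Constructed timestamps: a one-hour token issued at 10:00 UTC.
	created := time.Date(2025, 7, 23, 10, 0, 0, 0, time.UTC)
	tok := &ServiceAccountToken{
		Token:               "redacted",
		CreationTimestamp:   created,
		ExpirationTimestamp: created.Add(time.Hour),
	}
	at, err := ComputeTokenRenewalTime(tok.CreationTimestamp, tok.ExpirationTimestamp)
	if err != nil {
		panic(err)
	}
	due, _ := tok.RenewalDue(created.Add(50 * time.Minute))
	fmt.Println(at.Format(time.RFC3339), due) // 2025-07-23T10:48:00Z true
}
```

The 20% margin is what absorbs clock skew between issuer and consumer and the latency of the renewal itself; polling RenewalDue with a short interval and re-requesting through CreateTokenForServiceAccount when it returns true keeps the credential valid without ever presenting an expired one.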

func CreateTokenForServiceAccount

func CreateTokenForServiceAccount(ctx context.Context, c client.Client, sa *corev1.ServiceAccount, desiredDuration *time.Duration) (*ServiceAccountToken, error)

CreateTokenForServiceAccount generates a token for the given ServiceAccount.

func GetTokenBasedAccess

func GetTokenBasedAccess(ctx context.Context, c client.Client, restCfg *rest.Config, name, namespace string, namespaceScoped bool, rolePrefix string, rules []rbacv1.PolicyRule, expectedLabels ...Label) ([]byte, *ServiceAccountToken, error)

GetTokenBasedAccess is a convenience function that wraps the flow of ensuring namespace, serviceaccount, (cluster)role(binding), and creating the token. It returns a kubeconfig, the token with expiration timestamp, and an error if any of the steps fail. The name will be used for all resources except the namespace (serviceaccount, (cluster)role, (cluster)rolebinding), with anything role-related additionally being prefixed with rolePrefix. The namespace holds the serviceaccount and, if namespaceScoped is true, the role and rolebinding. If namespaceScoped is false, clusterrole and clusterrolebinding are used.
