roles

package

v0.2.23 Latest Latest Go to latest Published: Jun 5, 2022 License: Apache-2.0 Imports: 25 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/yndd/ndd-core

Documentation ¶

Index ¶

func ClusterRolesDiffer(current, desired runtime.Object) bool
func RenderClusterRoles(pr *v1.PackageRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole
func SetupProvider(mgr ctrl.Manager, log logging.Logger, allowClusterRole string) error
func SystemClusterIntentMetricRoleName(revisionName string) string
func SystemClusterIntentRoleName(revisionName string) string
func SystemClusterProviderMetricRoleName(revisionName string) string
func SystemClusterProviderRoleName(revisionName string) string
type ClusterRoleBackedValidator
- func NewClusterRoleBackedValidator(c client.Client, roleName string) *ClusterRoleBackedValidator
- func (v *ClusterRoleBackedValidator) ValidatePermissionRequests(ctx context.Context, requests ...rbacv1.PolicyRule) ([]Rule, error)
type ClusterRoleRenderFn
- func (fn ClusterRoleRenderFn) RenderClusterRoles(pr *v1.PackageRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole
type ClusterRoleRenderer
type EnqueueRequestForAllRevisionsWithRequests
- func (e *EnqueueRequestForAllRevisionsWithRequests) Create(evt event.CreateEvent, q workqueue.RateLimitingInterface)
- func (e *EnqueueRequestForAllRevisionsWithRequests) Delete(evt event.DeleteEvent, q workqueue.RateLimitingInterface)
- func (e *EnqueueRequestForAllRevisionsWithRequests) Generic(evt event.GenericEvent, q workqueue.RateLimitingInterface)
- func (e *EnqueueRequestForAllRevisionsWithRequests) Update(evt event.UpdateEvent, q workqueue.RateLimitingInterface)
type PermissionRequestsValidator
type PermissionRequestsValidatorFn
- func (fn PermissionRequestsValidatorFn) ValidatePermissionRequests(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)
type Reconciler
- func NewReconciler(mgr manager.Manager, opts ...ReconcilerOption) *Reconciler
- func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error)
type ReconcilerOption
- func WithClusterRoleRenderer(rr ClusterRoleRenderer) ReconcilerOption
- func WithLogger(log logging.Logger) ReconcilerOption
- func WithNewPackageFn(f func() v1.Package) ReconcilerOption
- func WithNewPackageRevisionFn(f func() v1.PackageRevision) ReconcilerOption
- func WithNewPackageRevisionListFn(f func() v1.PackageRevisionList) ReconcilerOption
- func WithPermissionRequestsValidator(rv PermissionRequestsValidator) ReconcilerOption
- func WithRecorder(er event.Recorder) ReconcilerOption
type Rule
- func Expand(rs ...rbacv1.PolicyRule) []Rule
- func VerySecureValidator(ctx context.Context, requests ...rbacv1.PolicyRule) ([]Rule, error)
- func (r Rule) String() string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ClusterRolesDiffer ¶

func ClusterRolesDiffer(current, desired runtime.Object) bool

ClusterRolesDiffer returns true if the supplied objects are different ClusterRoles. We consider ClusterRoles to be different if their labels and rules do not match.

func RenderClusterRoles ¶

func RenderClusterRoles(pr *v1.PackageRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole

RenderClusterRoles returns ClusterRoles for the supplied PackageRevision.

func SetupProvider ¶ added in v0.1.3

func SetupProvider(mgr ctrl.Manager, log logging.Logger, allowClusterRole string) error

Setup adds a controller that reconciles a ProviderRevision by creating a series of opinionated ClusterRoles that may be bound to allow access to the resources it defines.

func SystemClusterIntentMetricRoleName ¶ added in v0.1.4

func SystemClusterIntentMetricRoleName(revisionName string) string

SystemClusterIntentMetricRoleName returns the name of the 'system' cluster role - i.e. the role that a intent's ServiceAccount should be bound to.

func SystemClusterIntentRoleName ¶ added in v0.1.3

func SystemClusterIntentRoleName(revisionName string) string

SystemClusterIntentRoleName returns the name of the 'system' cluster role - i.e. the role that a intent's ServiceAccount should be bound to.

func SystemClusterProviderMetricRoleName ¶ added in v0.1.4

func SystemClusterProviderMetricRoleName(revisionName string) string

SystemClusterProviderMetricRoleName returns the name of the 'system' cluster role - i.e. the role that a provider's ServiceAccount should be bound to.

func SystemClusterProviderRoleName ¶ added in v0.1.3

func SystemClusterProviderRoleName(revisionName string) string

SystemClusterProviderRoleName returns the name of the 'system' cluster role - i.e. the role that a provider's ServiceAccount should be bound to.

Types ¶

type ClusterRoleBackedValidator ¶

type ClusterRoleBackedValidator struct {
	// contains filtered or unexported fields
}

A ClusterRoleBackedValidator is a PermissionRequestsValidator that validates permission requests by comparing them to an RBAC ClusterRole. The validator will reject any permission that is not permitted by the ClusterRole.

func NewClusterRoleBackedValidator ¶

func NewClusterRoleBackedValidator(c client.Client, roleName string) *ClusterRoleBackedValidator

NewClusterRoleBackedValidator creates a ClusterRoleBackedValidator backed by the named RBAC ClusterRole.

func (*ClusterRoleBackedValidator) ValidatePermissionRequests ¶

func (v *ClusterRoleBackedValidator) ValidatePermissionRequests(ctx context.Context, requests ...rbacv1.PolicyRule) ([]Rule, error)

ValidatePermissionRequests against the ClusterRole.

type ClusterRoleRenderFn ¶

type ClusterRoleRenderFn func(pr *v1.PackageRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole

A ClusterRoleRenderFn renders ClusterRoles for the supplied CRDs.

func (ClusterRoleRenderFn) RenderClusterRoles ¶

func (fn ClusterRoleRenderFn) RenderClusterRoles(pr *v1.PackageRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole

RenderClusterRoles renders ClusterRoles for the supplied CRDs.

type ClusterRoleRenderer ¶

type ClusterRoleRenderer interface {
	// RenderClusterRoles for the supplied CRDs.
	RenderClusterRoles(pr *v1.PackageRevision, crds []extv1.CustomResourceDefinition) []rbacv1.ClusterRole
}

A ClusterRoleRenderer renders ClusterRoles for the given CRDs.

type EnqueueRequestForAllRevisionsWithRequests ¶

type EnqueueRequestForAllRevisionsWithRequests struct {
	// contains filtered or unexported fields
}

EnqueueRequestForAllRevisionsWithRequests enqueues a request for all provider revisions with permission requests when the ClusterRole that enumerates allowed permissions changes.

func (*EnqueueRequestForAllRevisionsWithRequests) Create ¶

func (e *EnqueueRequestForAllRevisionsWithRequests) Create(evt event.CreateEvent, q workqueue.RateLimitingInterface)

Create enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.

func (*EnqueueRequestForAllRevisionsWithRequests) Delete ¶

func (e *EnqueueRequestForAllRevisionsWithRequests) Delete(evt event.DeleteEvent, q workqueue.RateLimitingInterface)

Delete enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.

func (*EnqueueRequestForAllRevisionsWithRequests) Generic ¶

func (e *EnqueueRequestForAllRevisionsWithRequests) Generic(evt event.GenericEvent, q workqueue.RateLimitingInterface)

Generic enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.

func (*EnqueueRequestForAllRevisionsWithRequests) Update ¶

func (e *EnqueueRequestForAllRevisionsWithRequests) Update(evt event.UpdateEvent, q workqueue.RateLimitingInterface)

Update enqueues a request for all provider revisions with permission requests if the event pertains to the ClusterRole.

type PermissionRequestsValidator ¶

type PermissionRequestsValidator interface {
	// ValidatePermissionRequests validates the supplied slice of RBAC rules. It
	// returns a slice of any rejected (i.e. disallowed) rules. It returns an
	// error if it is unable to validate permission requests.
	ValidatePermissionRequests(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)
}

A PermissionRequestsValidator validates requested RBAC rules.

type PermissionRequestsValidatorFn ¶

type PermissionRequestsValidatorFn func(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)

A PermissionRequestsValidatorFn validates requested RBAC rules.

func (PermissionRequestsValidatorFn) ValidatePermissionRequests ¶

func (fn PermissionRequestsValidatorFn) ValidatePermissionRequests(ctx context.Context, requested ...rbacv1.PolicyRule) ([]Rule, error)

ValidatePermissionRequests validates the supplied slice of RBAC rules. It returns a slice of any rejected (i.e. disallowed) rules. It returns an error if it is unable to validate permission requests.

type Reconciler ¶

type Reconciler struct {
	// contains filtered or unexported fields
}

A Reconciler reconciles PackageRevisions.

func NewReconciler ¶

func NewReconciler(mgr manager.Manager, opts ...ReconcilerOption) *Reconciler

NewReconciler returns a Reconciler of PackageRevisions.

func (*Reconciler) Reconcile ¶

func (r *Reconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error)

Reconcile a PackageRevision by creating a series of opinionated ClusterRoles that may be bound to allow access to the resources it defines.

type ReconcilerOption ¶

type ReconcilerOption func(*Reconciler)

ReconcilerOption is used to configure the Reconciler.

func WithClusterRoleRenderer ¶

func WithClusterRoleRenderer(rr ClusterRoleRenderer) ReconcilerOption

WithClusterRoleRenderer specifies how the Reconciler should render RBAC ClusterRoles.

func WithLogger ¶

func WithLogger(log logging.Logger) ReconcilerOption

WithLogger specifies how the Reconciler should log messages.

func WithNewPackageFn ¶ added in v0.1.3

func WithNewPackageFn(f func() v1.Package) ReconcilerOption

WithNewPackageFn determines the type of package being reconciled.

func WithNewPackageRevisionFn ¶ added in v0.1.3

func WithNewPackageRevisionFn(f func() v1.PackageRevision) ReconcilerOption

WithNewPackageRevisionFn determines the type of package being reconciled.

func WithNewPackageRevisionListFn ¶ added in v0.1.3

func WithNewPackageRevisionListFn(f func() v1.PackageRevisionList) ReconcilerOption

WithNewPackageRevisionListFn determines the type of package being reconciled.

func WithPermissionRequestsValidator ¶

func WithPermissionRequestsValidator(rv PermissionRequestsValidator) ReconcilerOption

WithPermissionRequestsValidator specifies how the Reconciler should validate requests for extra RBAC permissions.

func WithRecorder ¶

func WithRecorder(er event.Recorder) ReconcilerOption

WithRecorder specifies how the Reconciler should record Kubernetes events.

type Rule ¶

type Rule struct {
	// The API group of this resource. The empty string denotes the core
	// Kubernetes API group. '*' represents any API group.
	APIGroup string

	// The resource in question. '*' represents any resource.
	Resource string

	// The name of the resource. Unlike the rbacv1 API, we use '*' to represent
	// any resource name.
	ResourceName string

	// A non-resource URL. Mutually exclusive with the above resource fields.
	NonResourceURL string

	// The verb this rule allows.
	Verb string
}

A Rule represents a single, granular RBAC rule.

func Expand ¶

func Expand(rs ...rbacv1.PolicyRule) []Rule

Expand RBAC policy rules into our granular rules.

func VerySecureValidator ¶

func VerySecureValidator(ctx context.Context, requests ...rbacv1.PolicyRule) ([]Rule, error)

VerySecureValidator is a PermissionRequestsValidatorFn that rejects all requested permissions.

func (Rule) String ¶

func (r Rule) String() string

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL