kubernetes

package
v2.14.13+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 2, 2021 License: Apache-2.0 Imports: 50 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// NamespacePrefix is the prefix for the cluster namespace
	NamespacePrefix = "cluster-"
)
View Source 
const (
	ServiceAccountLabelGroup = "initialGroup"
)

Variables

This section is empty.

Functions

func AddonProviderFactory 

func AddonProviderFactory(mapper meta.RESTMapper, seedKubeconfigGetter provider.SeedKubeconfigGetter, accessibleAddons sets.String) provider.AddonProviderGetter

func CreateOrUpdateCredentialSecretForCluster 

func CreateOrUpdateCredentialSecretForCluster(ctx context.Context, seedClient ctrlruntimeclient.Client, cluster *kubermaticv1.Cluster) error

CreateCredentialSecretForCluster creates a new secret for a credential

func IsServiceAccount 

func IsServiceAccount(email string) bool

IsServiceAccounts determines whether the given email address belongs to a service account

func LoadPresets 

func LoadPresets(yamlContent []byte) (*kubermaticv1.PresetList, error)

LoadPresets loads the custom presets for supported providers

func LoadPresetsFromFile 

func LoadPresetsFromFile(path string) (*kubermaticv1.PresetList, error)

LoadPresetsFromFile loads the custom presets for supported providers

func NamespaceName 

func NamespaceName(clusterName string) string

NamespaceName returns the namespace name for a cluster

Types

type AddonConfigProvider 

type AddonConfigProvider struct {
	// contains filtered or unexported fields
}

AddonConfigProvider struct that holds required components of the AddonConfigProvider

func NewAddonConfigProvider 

func NewAddonConfigProvider(client ctrlruntimeclient.Client) *AddonConfigProvider

NewAddonConfigProvider returns a new AddonConfigProvider

func (*AddonConfigProvider) Get 

func (p *AddonConfigProvider) Get(addonName string) (*kubermaticv1.AddonConfig, error)

Get addon configuration

func (*AddonConfigProvider) List 

func (p *AddonConfigProvider) List() (*kubermaticv1.AddonConfigList, error)

List available addon configurations

type AddonProvider 

type AddonProvider struct {
	// contains filtered or unexported fields
}

AddonProvider struct that holds required components of the AddonProvider implementation

func NewAddonProvider 

func NewAddonProvider(
	clientPrivileged ctrlruntimeclient.Client,
	createSeedImpersonatedClient impersonationClient,
	accessibleAddons sets.String) *AddonProvider

NewAddonProvider returns a new addon provider that respects RBAC policies it uses createSeedImpersonatedClient to create a connection that uses user impersonation

func (*AddonProvider) Delete 

func (p *AddonProvider) Delete(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster, addonName string) error

Delete deletes the given addon

func (*AddonProvider) DeleteUnsecured 

func (p *AddonProvider) DeleteUnsecured(cluster *kubermaticv1.Cluster, addonName string) error

DeleteUnsecured deletes the given addon

Note that this function: is unsafe in a sense that it uses privileged account to delete the resource

func (*AddonProvider) Get 

func (p *AddonProvider) Get(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster, addonName string) (*kubermaticv1.Addon, error)

Get returns the given addon, it uses the projectInternalName to determine the group the user belongs to

func (*AddonProvider) GetUnsecured 

func (p *AddonProvider) GetUnsecured(cluster *kubermaticv1.Cluster, addonName string) (*kubermaticv1.Addon, error)

GetUnsecured returns the given addon

Note that this function: is unsafe in a sense that it uses privileged account to get the resource

func (*AddonProvider) List 

func (p *AddonProvider) List(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster) ([]*kubermaticv1.Addon, error)

List returns all addons in the given cluster

func (*AddonProvider) ListUnsecured 

func (p *AddonProvider) ListUnsecured(cluster *kubermaticv1.Cluster) ([]*kubermaticv1.Addon, error)

func (*AddonProvider) New 

func (p *AddonProvider) New(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster, addonName string, variables *runtime.RawExtension) (*kubermaticv1.Addon, error)

New creates a new addon in the given cluster

func (*AddonProvider) NewUnsecured 

func (p *AddonProvider) NewUnsecured(cluster *kubermaticv1.Cluster, addonName string, variables *runtime.RawExtension) (*kubermaticv1.Addon, error)

NewUnsecured creates a new addon in the given cluster

Note that this function: is unsafe in a sense that it uses privileged account to create the resource

func (*AddonProvider) Update 

func (p *AddonProvider) Update(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster, addon *kubermaticv1.Addon) (*kubermaticv1.Addon, error)

Update updates an addon

func (*AddonProvider) UpdateUnsecured 

func (p *AddonProvider) UpdateUnsecured(cluster *kubermaticv1.Cluster, addon *kubermaticv1.Addon) (*kubermaticv1.Addon, error)

UpdateUnsecured updates an addon

Note that this function: is unsafe in a sense that it uses privileged account to update the resource

type AdminProvider 

type AdminProvider struct {
	// contains filtered or unexported fields
}

AdminProvider manages admin resources

func NewAdminProvider 

func NewAdminProvider(client ctrlruntimeclient.Client) *AdminProvider

NewAdminProvider returns a admin provider

func (*AdminProvider) GetAdmins 

func (a *AdminProvider) GetAdmins(userInfo *provider.UserInfo) ([]kubermaticv1.User, error)

GetAdmins return all users with admin rights

func (*AdminProvider) SetAdmin 

func (a *AdminProvider) SetAdmin(userInfo *provider.UserInfo, email string, isAdmin bool) (*kubermaticv1.User, error)

SetAdmin set/clear admin rights

type AdmissionPluginsProvider 

type AdmissionPluginsProvider struct {
	// contains filtered or unexported fields
}

AdmissionPluginsProvider is a object to handle admission plugins

func NewAdmissionPluginsProvider 

func NewAdmissionPluginsProvider(ctx context.Context, client ctrlruntimeclient.Client) *AdmissionPluginsProvider

func (*AdmissionPluginsProvider) Delete 

func (p *AdmissionPluginsProvider) Delete(userInfo *provider.UserInfo, name string) error

func (*AdmissionPluginsProvider) Get 

func (p *AdmissionPluginsProvider) Get(userInfo *provider.UserInfo, name string) (*kubermaticv1.AdmissionPlugin, error)

func (*AdmissionPluginsProvider) List 

func (p *AdmissionPluginsProvider) List(userInfo *provider.UserInfo) ([]kubermaticv1.AdmissionPlugin, error)

func (*AdmissionPluginsProvider) ListPluginNamesFromVersion 

func (p *AdmissionPluginsProvider) ListPluginNamesFromVersion(fromVersion string) ([]string, error)

func (*AdmissionPluginsProvider) Update 

func (p *AdmissionPluginsProvider) Update(userInfo *provider.UserInfo, admissionPlugin *kubermaticv1.AdmissionPlugin) (*kubermaticv1.AdmissionPlugin, error)

type ClusterProvider 

type ClusterProvider struct {
	// contains filtered or unexported fields
}

ClusterProvider struct that holds required components in order to provide cluster provided that is RBAC compliant

func NewClusterProvider 

func NewClusterProvider(
	cfg *restclient.Config,
	createSeedImpersonatedClient impersonationClient,
	userClusterConnProvider UserClusterConnectionProvider,
	workerName string,
	extractGroupPrefix extractGroupPrefixFunc,
	client ctrlruntimeclient.Client,
	k8sClient kubernetes.Interface,
	oidcKubeConfEndpoint bool) *ClusterProvider

NewClusterProvider returns a new cluster provider that respects RBAC policies it uses createSeedImpersonatedClient to create a connection that uses user impersonation

func (*ClusterProvider) Delete 

func (p *ClusterProvider) Delete(userInfo *provider.UserInfo, clusterName string) error

Delete deletes the given cluster

func (*ClusterProvider) DeleteUnsecured 

func (p *ClusterProvider) DeleteUnsecured(cluster *kubermaticv1.Cluster) error

DeleteUnsecured deletes a cluster.

Note that the admin privileges are used to delete cluster

func (*ClusterProvider) Get 

func (p *ClusterProvider) Get(userInfo *provider.UserInfo, clusterName string, options *provider.ClusterGetOptions) (*kubermaticv1.Cluster, error)

Get returns the given cluster, it uses the projectInternalName to determine the group the user belongs to

func (*ClusterProvider) GetAdminClientForCustomerCluster 

func (p *ClusterProvider) GetAdminClientForCustomerCluster(c *kubermaticv1.Cluster) (ctrlruntimeclient.Client, error)

GetAdminClientForCustomerCluster returns a client to interact with all resources in the given cluster

Note that the client you will get has admin privileges

func (*ClusterProvider) GetAdminKubeconfigForCustomerCluster 

func (p *ClusterProvider) GetAdminKubeconfigForCustomerCluster(c *kubermaticv1.Cluster) (*clientcmdapi.Config, error)

GetAdminKubeconfigForCustomerCluster returns the admin kubeconfig for the given cluster

func (*ClusterProvider) GetClientForCustomerCluster 

func (p *ClusterProvider) GetClientForCustomerCluster(userInfo *provider.UserInfo, c *kubermaticv1.Cluster) (ctrlruntimeclient.Client, error)

GetClientForCustomerCluster returns a client to interact with all resources in the given cluster

Note that the client doesn't use admin account instead it authn/authz as userInfo(email, group) This implies that you have to make sure the user has the appropriate permissions inside the user cluster

func (*ClusterProvider) GetSeedClusterAdminClient 

func (p *ClusterProvider) GetSeedClusterAdminClient() kubernetes.Interface

GetSeedClusterAdminClient returns a kubernetes client to interact with the seed cluster resources.

Note that this client has admin privileges in the seed cluster.

func (*ClusterProvider) GetSeedClusterAdminRuntimeClient 

func (p *ClusterProvider) GetSeedClusterAdminRuntimeClient() ctrlruntimeclient.Client

GetSeedClusterAdminRuntimeClient returns a runtime client to interact with the seed cluster resources.

Note that this client has admin privileges in the seed cluster.

func (*ClusterProvider) GetTokenForCustomerCluster 

func (p *ClusterProvider) GetTokenForCustomerCluster(userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster) (string, error)

func (*ClusterProvider) GetUnsecured 

func (p *ClusterProvider) GetUnsecured(project *kubermaticv1.Project, clusterName string, options *provider.ClusterGetOptions) (*kubermaticv1.Cluster, error)

GetUnsecured returns a cluster for the project and given name.

Note that the admin privileges are used to get cluster

func (*ClusterProvider) GetViewerKubeconfigForCustomerCluster 

func (p *ClusterProvider) GetViewerKubeconfigForCustomerCluster(c *kubermaticv1.Cluster) (*clientcmdapi.Config, error)

GetViewerKubeconfigForCustomerCluster returns the viewer kubeconfig for the given cluster

func (*ClusterProvider) List 

func (p *ClusterProvider) List(project *kubermaticv1.Project, options *provider.ClusterListOptions) (*kubermaticv1.ClusterList, error)

List gets all clusters that belong to the given project If you want to filter the result please take a look at ClusterListOptions

Note: After we get the list of clusters we could try to get each cluster individually using unprivileged account to see if the user have read access, We don't do this because we assume that if the user was able to get the project (argument) it has to have at least read access.

func (*ClusterProvider) ListAll 

func (p *ClusterProvider) ListAll() (*kubermaticv1.ClusterList, error)

ListAll gets all clusters

Note that the admin privileges are used to list all clusters

func (*ClusterProvider) New 

func (p *ClusterProvider) New(project *kubermaticv1.Project, userInfo *provider.UserInfo, cluster *kubermaticv1.Cluster) (*kubermaticv1.Cluster, error)

New creates a brand new cluster that is bound to the given project

func (*ClusterProvider) NewUnsecured 

func (p *ClusterProvider) NewUnsecured(project *kubermaticv1.Project, cluster *kubermaticv1.Cluster, userEmail string) (*kubermaticv1.Cluster, error)

NewUnsecured creates a brand new cluster that is bound to the given project.

Note that the admin privileges are used to create cluster

func (*ClusterProvider) RevokeAdminKubeconfig 

func (p *ClusterProvider) RevokeAdminKubeconfig(c *kubermaticv1.Cluster) error

RevokeAdminKubeconfig revokes the viewer token and kubeconfig

func (*ClusterProvider) RevokeViewerKubeconfig 

func (p *ClusterProvider) RevokeViewerKubeconfig(c *kubermaticv1.Cluster) error

RevokeViewerKubeconfig revokes the viewer token and kubeconfig

func (*ClusterProvider) SeedAdminConfig 

func (p *ClusterProvider) SeedAdminConfig() *restclient.Config

SeedAdminConfig return an admin kubeconfig for the seed. This function does not perform any kind of access control. Try to not use it.

func (*ClusterProvider) Update 

func (p *ClusterProvider) Update(project *kubermaticv1.Project, userInfo *provider.UserInfo, newCluster *kubermaticv1.Cluster) (*kubermaticv1.Cluster, error)

Update updates a cluster

func (*ClusterProvider) UpdateUnsecured 

func (p *ClusterProvider) UpdateUnsecured(project *kubermaticv1.Project, cluster *kubermaticv1.Cluster) (*kubermaticv1.Cluster, error)

UpdateUnsecured updates a cluster.

Note that the admin privileges are used to update cluster

type DefaultImpersonationClient 

type DefaultImpersonationClient struct {
	// contains filtered or unexported fields
}

DefaultImpersonationClient knows how to create impersonated client set

func NewImpersonationClient 

func NewImpersonationClient(cfg *restclient.Config, restMapper meta.RESTMapper) *DefaultImpersonationClient

NewImpersonationClient creates a new default impersonation client that knows how to create Interface client for a impersonated user

func (*DefaultImpersonationClient) CreateImpersonatedClient 

func (d *DefaultImpersonationClient) CreateImpersonatedClient(impCfg restclient.ImpersonationConfig) (ctrlruntimeclient.Client, error)

CreateImpersonatedClient actually creates impersonated client set for the given user.

type DefaultKubermaticImpersonationClient 

type DefaultKubermaticImpersonationClient struct {
	// contains filtered or unexported fields
}

DefaultKubermaticImpersonationClient knows how to create impersonated client set

func (*DefaultKubermaticImpersonationClient) CreateImpersonatedKubermaticClientSet 

func (d *DefaultKubermaticImpersonationClient) CreateImpersonatedKubermaticClientSet(impCfg restclient.ImpersonationConfig) (kubermaticclientv1.KubermaticV1Interface, error)

CreateImpersonatedKubermaticClientSet actually creates impersonated kubermatic client set for the given user.

type EventRecorder 

type EventRecorder struct {
	// contains filtered or unexported fields
}

EventRecorder gives option to record events for objects. They can be then read from them using K8S API.

func NewEventRecorder 

func NewEventRecorder() *EventRecorder

NewEventRecorder returns a new event recorder provider object. See EventRecorder for more information.

func (*EventRecorder) ClusterRecorderFor 

func (e *EventRecorder) ClusterRecorderFor(client kubernetes.Interface) record.EventRecorder

ClusterRecorderFor returns an event recorder that will be able to record events for objects in the cluster accessible using provided client.

type PresetsProvider 

type PresetsProvider struct {
	// contains filtered or unexported fields
}

PresetsProvider is a object to handle presets from a predefined config

func NewPresetsProvider 

func NewPresetsProvider(ctx context.Context, client ctrlruntimeclient.Client, presetsFile string, dynamicPresets bool) (*PresetsProvider, error)

func (*PresetsProvider) GetPreset 

func (m *PresetsProvider) GetPreset(userInfo *provider.UserInfo, name string) (*kubermaticv1.Preset, error)

GetPreset returns preset with the name which belong to the specific email group

func (*PresetsProvider) GetPresets 

func (m *PresetsProvider) GetPresets(userInfo *provider.UserInfo) ([]kubermaticv1.Preset, error)

GetPresets returns presets which belong to the specific email group and for all users

func (*PresetsProvider) SetCloudCredentials 

func (m *PresetsProvider) SetCloudCredentials(userInfo *provider.UserInfo, presetName string, cloud kubermaticv1.CloudSpec, dc *kubermaticv1.Datacenter) (*kubermaticv1.CloudSpec, error)

type PrivilegedProjectProvider 

type PrivilegedProjectProvider struct {
	// contains filtered or unexported fields
}

PrivilegedProjectProvider represents a data structure that knows how to manage projects in a privileged way

func NewPrivilegedProjectProvider 

func NewPrivilegedProjectProvider(client ctrlruntimeclient.Client) (*PrivilegedProjectProvider, error)

NewPrivilegedProjectProvider returns a privileged project provider

func (*PrivilegedProjectProvider) DeleteUnsecured 

func (p *PrivilegedProjectProvider) DeleteUnsecured(projectInternalName string) error

DeleteUnsecured deletes any given project This function is unsafe in a sense that it uses privileged account to delete project with the given name

Note: Before deletion project's status.phase is set to ProjectTerminating

func (*PrivilegedProjectProvider) GetUnsecured 

func (p *PrivilegedProjectProvider) GetUnsecured(projectInternalName string, options *provider.ProjectGetOptions) (*kubermaticapiv1.Project, error)

GetUnsecured returns the project with the given name This function is unsafe in a sense that it uses privileged account to get project with the given name

func (*PrivilegedProjectProvider) UpdateUnsecured 

func (p *PrivilegedProjectProvider) UpdateUnsecured(project *kubermaticapiv1.Project) (*kubermaticapiv1.Project, error)

UpdateUnsecured update a specific project and returns the updated project This function is unsafe in a sense that it uses privileged account to update the project

type PrivilegedSSHKeyProvider 

type PrivilegedSSHKeyProvider struct {
	// contains filtered or unexported fields
}

PrivilegedSSHKeyProvider represents a data structure that knows how to manage ssh keys in a privileged way

func NewPrivilegedSSHKeyProvider 

func NewPrivilegedSSHKeyProvider(client ctrlruntimeclient.Client) (*PrivilegedSSHKeyProvider, error)

NewPrivilegedSSHKeyProvider returns a privileged ssh key provider

func (*PrivilegedSSHKeyProvider) CreateUnsecured 

func (p *PrivilegedSSHKeyProvider) CreateUnsecured(project *kubermaticapiv1.Project, keyName, pubKey string) (*kubermaticapiv1.UserSSHKey, error)

Create creates a ssh key that belongs to the given project This function is unsafe in a sense that it uses privileged account to create the ssh key

func (*PrivilegedSSHKeyProvider) DeleteUnsecured 

func (p *PrivilegedSSHKeyProvider) DeleteUnsecured(keyName string) error

Delete deletes the given ssh key This function is unsafe in a sense that it uses privileged account to delete the ssh key

func (*PrivilegedSSHKeyProvider) GetUnsecured 

func (p *PrivilegedSSHKeyProvider) GetUnsecured(keyName string) (*kubermaticapiv1.UserSSHKey, error)

GetUnsecured returns a key with the given name This function is unsafe in a sense that it uses privileged account to get the ssh key

func (*PrivilegedSSHKeyProvider) UpdateUnsecured 

func (p *PrivilegedSSHKeyProvider) UpdateUnsecured(sshKey *kubermaticapiv1.UserSSHKey) (*kubermaticapiv1.UserSSHKey, error)

UpdateUnsecured update a specific ssh key and returns the updated ssh key This function is unsafe in a sense that it uses privileged account to update the ssh key

type ProjectMemberProvider 

type ProjectMemberProvider struct {
	// contains filtered or unexported fields
}

ProjectMemberProvider binds users with projects

func NewProjectMemberProvider 

func NewProjectMemberProvider(createMasterImpersonatedClient impersonationClient, clientPrivileged ctrlruntimeclient.Client, isServiceAccountFunc func(string) bool) *ProjectMemberProvider

NewProjectMemberProvider returns a project members provider

func (*ProjectMemberProvider) Create 

func (p *ProjectMemberProvider) Create(userInfo *provider.UserInfo, project *kubermaticapiv1.Project, memberEmail, group string) (*kubermaticapiv1.UserProjectBinding, error)

Create creates a binding for the given member and the given project

func (*ProjectMemberProvider) CreateUnsecured 

func (p *ProjectMemberProvider) CreateUnsecured(project *kubermaticapiv1.Project, memberEmail, group string) (*kubermaticapiv1.UserProjectBinding, error)

CreateUnsecured creates a binding for the given member and the given project This function is unsafe in a sense that it uses privileged account to create the resource

func (*ProjectMemberProvider) Delete 

func (p *ProjectMemberProvider) Delete(userInfo *provider.UserInfo, bindingName string) error

Delete deletes the given binding Note: Use List to get binding for the specific member of the given project

func (*ProjectMemberProvider) DeleteUnsecured 

func (p *ProjectMemberProvider) DeleteUnsecured(bindingName string) error

DeleteUnsecured deletes the given binding Note: Use List to get binding for the specific member of the given project This function is unsafe in a sense that it uses privileged account to delete the resource

func (*ProjectMemberProvider) List 

func (p *ProjectMemberProvider) List(userInfo *provider.UserInfo, project *kubermaticapiv1.Project, options *provider.ProjectMemberListOptions) ([]*kubermaticapiv1.UserProjectBinding, error)

List gets all members of the given project

func (*ProjectMemberProvider) MapUserToGroup 

func (p *ProjectMemberProvider) MapUserToGroup(userEmail string, projectID string) (string, error)

MapUserToGroup maps the given user to a specific group of the given project This function is unsafe in a sense that it uses privileged account to list all members in the system

func (*ProjectMemberProvider) MappingsFor 

func (p *ProjectMemberProvider) MappingsFor(userEmail string) ([]*kubermaticapiv1.UserProjectBinding, error)

MappingsFor returns the list of projects (bindings) for the given user This function is unsafe in a sense that it uses privileged account to list all members in the system

func (*ProjectMemberProvider) Update 

func (p *ProjectMemberProvider) Update(userInfo *provider.UserInfo, binding *kubermaticapiv1.UserProjectBinding) (*kubermaticapiv1.UserProjectBinding, error)

Update updates the given binding

func (*ProjectMemberProvider) UpdateUnsecured 

func (p *ProjectMemberProvider) UpdateUnsecured(binding *kubermaticapiv1.UserProjectBinding) (*kubermaticapiv1.UserProjectBinding, error)

UpdateUnsecured updates the given binding This function is unsafe in a sense that it uses privileged account to update the resource

type ProjectProvider 

type ProjectProvider struct {
	// contains filtered or unexported fields
}

ProjectProvider represents a data structure that knows how to manage projects

func NewProjectProvider 

func NewProjectProvider(createMasterImpersonatedClient impersonationClient, client ctrlruntimeclient.Client) (*ProjectProvider, error)

NewProjectProvider returns a project provider

func (*ProjectProvider) Delete 

func (p *ProjectProvider) Delete(userInfo *provider.UserInfo, projectInternalName string) error

Delete deletes the given project as the given user

Note: Before deletion project's status.phase is set to ProjectTerminating

func (*ProjectProvider) Get 

func (p *ProjectProvider) Get(userInfo *provider.UserInfo, projectInternalName string, options *provider.ProjectGetOptions) (*kubermaticapiv1.Project, error)

Get returns the project with the given name

func (*ProjectProvider) List 

func (p *ProjectProvider) List(options *provider.ProjectListOptions) ([]*kubermaticapiv1.Project, error)

List gets a list of projects, by default it returns all resources. If you want to filter the result please set ProjectListOptions

Note that the list is taken from the cache

func (*ProjectProvider) New 

func (p *ProjectProvider) New(user *kubermaticapiv1.User, projectName string, labels map[string]string) (*kubermaticapiv1.Project, error)

New creates a brand new project in the system with the given name

Note: a user cannot own more than one project with the given name since we get the list of the current projects from a cache (lister) there is a small time window during which a user can create more that one project with the given name.

func (*ProjectProvider) Update 

func (p *ProjectProvider) Update(userInfo *provider.UserInfo, newProject *kubermaticapiv1.Project) (*kubermaticapiv1.Project, error)

Update update a specific project for a specific user and returns the updated project

type SSHKeyProvider 

type SSHKeyProvider struct {
	// contains filtered or unexported fields
}

SSHKeyProvider struct that holds required components in order to provide ssh key provider that is RBAC compliant

func NewSSHKeyProvider 

func NewSSHKeyProvider(createMasterImpersonatedClient impersonationClient, client ctrlruntimeclient.Client) *SSHKeyProvider

NewSSHKeyProvider returns a new ssh key provider that respects RBAC policies it uses createMasterImpersonatedClient to create a connection that uses User Impersonation

func (*SSHKeyProvider) Create 

func (p *SSHKeyProvider) Create(userInfo *provider.UserInfo, project *kubermaticapiv1.Project, keyName, pubKey string) (*kubermaticapiv1.UserSSHKey, error)

Create creates a ssh key that will belong to the given project

func (*SSHKeyProvider) Delete 

func (p *SSHKeyProvider) Delete(userInfo *provider.UserInfo, keyName string) error

Delete simply deletes the given key

func (*SSHKeyProvider) Get 

func (p *SSHKeyProvider) Get(userInfo *provider.UserInfo, keyName string) (*kubermaticapiv1.UserSSHKey, error)

Get returns a key with the given name

func (*SSHKeyProvider) List 

func (p *SSHKeyProvider) List(project *kubermaticapiv1.Project, options *provider.SSHKeyListOptions) ([]*kubermaticapiv1.UserSSHKey, error)

List gets a list of ssh keys, by default it will get all the keys that belong to the given project. If you want to filter the result please take a look at SSHKeyListOptions

Note: After we get the list of the keys we could try to get each individually using unprivileged account to see if the user have read access, We don't do this because we assume that if the user was able to get the project (argument) it has to have at least read access.

func (*SSHKeyProvider) Update 

func (p *SSHKeyProvider) Update(userInfo *provider.UserInfo, newKey *kubermaticapiv1.UserSSHKey) (*kubermaticapiv1.UserSSHKey, error)

Update simply updates the given key

type ServiceAccountProvider 

type ServiceAccountProvider struct {
	// contains filtered or unexported fields
}

ServiceAccountProvider manages service account resources

func NewServiceAccountProvider 

func NewServiceAccountProvider(createMasterImpersonatedClient impersonationClient, clientPrivileged ctrlruntimeclient.Client, domain string) *ServiceAccountProvider

NewServiceAccountProvider returns a service account provider

func (*ServiceAccountProvider) Create 

func (p *ServiceAccountProvider) Create(userInfo *provider.UserInfo, project *kubermaticv1.Project, name, group string) (*kubermaticv1.User, error)

Create creates a new service account

func (*ServiceAccountProvider) CreateUnsecured 

func (p *ServiceAccountProvider) CreateUnsecured(project *kubermaticv1.Project, name, group string) (*kubermaticv1.User, error)

CreateUnsecured creates a new service accounts

Note that this function: is unsafe in a sense that it uses privileged account to create the resources

func (*ServiceAccountProvider) Delete 

func (p *ServiceAccountProvider) Delete(userInfo *provider.UserInfo, name string) error

Delete simply deletes the given service account

func (*ServiceAccountProvider) DeleteUnsecured 

func (p *ServiceAccountProvider) DeleteUnsecured(name string) error

DeleteUnsecured gets all service accounts

Note that this function: is unsafe in a sense that it uses privileged account to delete the resource

func (*ServiceAccountProvider) Get 

func (p *ServiceAccountProvider) Get(userInfo *provider.UserInfo, name string, options *provider.ServiceAccountGetOptions) (*kubermaticv1.User, error)

Get method returns service account with given name

func (*ServiceAccountProvider) GetUnsecured 

func (p *ServiceAccountProvider) GetUnsecured(name string, options *provider.ServiceAccountGetOptions) (*kubermaticv1.User, error)

GetUnsecured gets all service accounts

Note that this function: is unsafe in a sense that it uses privileged account to get the resource

func (*ServiceAccountProvider) List 

func (p *ServiceAccountProvider) List(userInfo *provider.UserInfo, project *kubermaticv1.Project, options *provider.ServiceAccountListOptions) ([]*kubermaticv1.User, error)

List gets service accounts for the project

func (*ServiceAccountProvider) ListUnsecured 

func (p *ServiceAccountProvider) ListUnsecured(project *kubermaticv1.Project, options *provider.ServiceAccountListOptions) ([]*kubermaticv1.User, error)

ListUnsecured gets all service accounts If you want to filter the result please take a look at ServiceAccountListOptions

Note that this function: is unsafe in a sense that it uses privileged account to get the resources

func (*ServiceAccountProvider) Update 

func (p *ServiceAccountProvider) Update(userInfo *provider.UserInfo, serviceAccount *kubermaticv1.User) (*kubermaticv1.User, error)

Update simply updates the given service account

func (*ServiceAccountProvider) UpdateUnsecured 

func (p *ServiceAccountProvider) UpdateUnsecured(serviceAccount *kubermaticv1.User) (*kubermaticv1.User, error)

UpdateUnsecured gets all service accounts

Note that this function: is unsafe in a sense that it uses privileged account to update the resource

type ServiceAccountTokenProvider 

type ServiceAccountTokenProvider struct {
	// contains filtered or unexported fields
}

ServiceAccountProvider manages service account resources

func NewServiceAccountTokenProvider 

func NewServiceAccountTokenProvider(impersonationClient impersonationClient, clientPrivileged ctrlruntimeclient.Client) (*ServiceAccountTokenProvider, error)

NewServiceAccountProvider returns a service account provider

func (*ServiceAccountTokenProvider) Create 

func (p *ServiceAccountTokenProvider) Create(userInfo *provider.UserInfo, sa *kubermaticv1.User, projectID, tokenName, tokenID, token string) (*v1.Secret, error)

Create creates a new token for service account

func (*ServiceAccountTokenProvider) CreateUnsecured 

func (p *ServiceAccountTokenProvider) CreateUnsecured(sa *kubermaticv1.User, projectID, tokenName, tokenID, token string) (*v1.Secret, error)

CreateUnsecured creates a new token

Note that this function: is unsafe in a sense that it uses privileged account to create the resource

func (*ServiceAccountTokenProvider) Delete 

func (p *ServiceAccountTokenProvider) Delete(userInfo *provider.UserInfo, name string) error

Delete method deletes given token

func (*ServiceAccountTokenProvider) DeleteUnsecured 

func (p *ServiceAccountTokenProvider) DeleteUnsecured(name string) error

DeleteUnsecured deletes the token

Note that this function: is unsafe in a sense that it uses privileged account to delete the resource

func (*ServiceAccountTokenProvider) Get 

func (p *ServiceAccountTokenProvider) Get(userInfo *provider.UserInfo, name string) (*v1.Secret, error)

Get method returns token by name

func (*ServiceAccountTokenProvider) GetUnsecured 

func (p *ServiceAccountTokenProvider) GetUnsecured(name string) (*v1.Secret, error)

GetUnsecured gets the token by name

Note that this function: is unsafe in a sense that it uses privileged account to get the resource

func (*ServiceAccountTokenProvider) List 

func (p *ServiceAccountTokenProvider) List(userInfo *provider.UserInfo, project *kubermaticv1.Project, sa *kubermaticv1.User, options *provider.ServiceAccountTokenListOptions) ([]*v1.Secret, error)

List gets tokens for the given service account and project

func (*ServiceAccountTokenProvider) ListUnsecured 

func (p *ServiceAccountTokenProvider) ListUnsecured(options *provider.ServiceAccountTokenListOptions) ([]*v1.Secret, error)

ListUnsecured returns all tokens in kubermatic namespace

Note that this function: is unsafe in a sense that it uses privileged account to get the resource gets resources from the cache

func (*ServiceAccountTokenProvider) Update 

func (p *ServiceAccountTokenProvider) Update(userInfo *provider.UserInfo, secret *v1.Secret) (*v1.Secret, error)

Update method updates given token

func (*ServiceAccountTokenProvider) UpdateUnsecured 

func (p *ServiceAccountTokenProvider) UpdateUnsecured(secret *v1.Secret) (*v1.Secret, error)

UpdateUnsecured updates the token

Note that this function: is unsafe in a sense that it uses privileged account to get the resource

type SettingsProvider 

type SettingsProvider struct {
	// contains filtered or unexported fields
}

UserProvider manages user resources

func NewSettingsProvider 

func NewSettingsProvider(client kubermaticclientset.Interface, runtimeClient ctrlruntimeclient.Client) *SettingsProvider

NewUserProvider returns a user provider

func (*SettingsProvider) GetGlobalSettings 

func (s *SettingsProvider) GetGlobalSettings() (*kubermaticv1.KubermaticSetting, error)

func (*SettingsProvider) UpdateGlobalSettings 

func (s *SettingsProvider) UpdateGlobalSettings(userInfo *provider.UserInfo, settings *kubermaticv1.KubermaticSetting) (*kubermaticv1.KubermaticSetting, error)

func (*SettingsProvider) WatchGlobalSettings 

func (s *SettingsProvider) WatchGlobalSettings() (watch.Interface, error)

type UserClusterConnectionProvider 

type UserClusterConnectionProvider interface {
	GetClient(*kubermaticv1.Cluster, ...k8cuserclusterclient.ConfigOption) (ctrlruntimeclient.Client, error)
}

UserClusterConnectionProvider offers functions to interact with an user cluster

type UserProvider 

type UserProvider struct {
	// contains filtered or unexported fields
}

UserProvider manages user resources

func NewUserProvider 

func NewUserProvider(client ctrlruntimeclient.Client, isServiceAccountFunc func(email string) bool) *UserProvider

NewUserProvider returns a user provider

func (*UserProvider) AddUserTokenToBlacklist 

func (p *UserProvider) AddUserTokenToBlacklist(user *kubermaticv1.User, token string, expiry apiv1.Time) error

func (*UserProvider) CreateUser 

func (p *UserProvider) CreateUser(id, name, email string) (*kubermaticv1.User, error)

CreateUser creates a new user.

Note that: The name of the newly created resource will be unique and it is derived from the user's email address (sha256(email) This prevents creating multiple resources for the same user with the same email address.

In the beginning I was considering to hex-encode the email address as it will produce a unique output because the email address in unique. The only issue I have found with this approach is that the length can get quite long quite fast. Thus decided to use sha256 as it produces fixed output and the hash collisions are very, very, very, very rare.

func (*UserProvider) GetUserBlacklistTokens 

func (p *UserProvider) GetUserBlacklistTokens(user *kubermaticv1.User) ([]string, error)

func (*UserProvider) UpdateUser 

func (p *UserProvider) UpdateUser(user *kubermaticv1.User) (*kubermaticv1.User, error)

UpdateUser updates user.

func (*UserProvider) UserByEmail 

func (p *UserProvider) UserByEmail(email string) (*kubermaticv1.User, error)

UserByEmail returns a user by the given email

func (*UserProvider) UserByID 

func (p *UserProvider) UserByID(id string) (*kubermaticv1.User, error)

UserByID returns a user by the given ID

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.