guardkubemgr

package

v0.4.1 Latest Latest Go to latest Published: Jan 16, 2023 License: Apache-2.0 Imports: 21 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/knative-sandbox/security-guard

Links

Open Source Insights

README ¶

Guard Kube Manager

This package stores and controls Guardians via KubeApi

Guardians which are composed of a set of micro-rules are used to control a guard-gate.

Guardians are stored either as a CRD or in a ConfigMap depending on the system used. Guardians are based on the guard.security.knative.dev package.

This package exports methods for reading and setting Guardians using either a ConfigMap or a Guardian CRD.

Documentation ¶

Constants ¶

View Source

const ServiceAudience = "guard-service"

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type KubeMgr ¶

type KubeMgr struct {
	// contains filtered or unexported fields
}

KubeMgr manages Guardian CRDs and Guardian CMs

func (*KubeMgr) Create ¶

func (k *KubeMgr) Create(ns string, sid string, isCm bool, guardianSpec *spec.GuardianSpec) error

Create - Create a new Guardian resource (ConfigMap or CRD) Uses delete and create sequence In rare cases, the resource may be created by another entity after the delete and before the create which will result in failure to write the data. This may happen for example when a manual update is performed in parallel to an update from the guard-service. Lose of manual updates is reported to the user which will normally retry. Lose guard-service updates occurs periodically such that data is not lost

func (*KubeMgr) GetGuardian ¶

func (k *KubeMgr) GetGuardian(ns string, sid string, cm bool, autoActivate bool) *spec.GuardianSpec

GetGuardian - Returns a Guardian that was read from Crd or from ConfigMap or an auto-activated Guardian Never returns nil ns is the namespace being used sid is the service identifier being used cm if true a ConfigMap, otherwise a CRD autoActivate - if true, when a default guardian is returned, set it to auto activate mod

func (*KubeMgr) InitConfigs ¶

func (k *KubeMgr) InitConfigs()

Initialize the Kubernetes client and CRD client to communicate with the KubeApi

func (*KubeMgr) Read ¶

func (k *KubeMgr) Read(ns string, sid string, isCm bool) (*spec.GuardianSpec, error)

Read - Reads a Guardian ConfigMap or CRD from KubeApi Returns a Guardian Returns error if can't read a well structured Guardian

func (*KubeMgr) Set ¶

func (k *KubeMgr) Set(ns string, sid string, isCm bool, guardianSpec *spec.GuardianSpec) error

Set - Set a Guardian resource (Config Map or CRD) Use update if exists, create if not In case the resource read is corrupted, try to update using a well structured one Using a client side Read then Write sequence. In rare cases, the resource may be updated after the read and before the write which will result in failure to write the data. This may happen for example when a manual update is performed in parallel to an update from the guard-service. Lose of manual updates is reported to the user which will normally retry. Lose guard-service updates occurs periodically such that data is not lost

func (*KubeMgr) TokenData ¶ added in v0.2.0

func (k *KubeMgr) TokenData(token string, labels []string) (sid string, ns string, err error)

func (*KubeMgr) Watch ¶

func (k *KubeMgr) Watch(ns string, cmFlag bool, set func(ns string, sid string, cmFlag bool, g *spec.GuardianSpec))

Watch never returns - use with a goroutine Watch for changes in Guardian CRDs and Guardian ConfigMaps No matter how we get an update, cmFlag is used when calling set() as this is what the guard-gate is configured for!

func (*KubeMgr) WatchOnce ¶

func (k *KubeMgr) WatchOnce(ns string, cmFlag bool, set func(ns string, sid string, cmFlag bool, g *spec.GuardianSpec)) (e error)

Watch for changes in Guardian CRDs and Guardian ConfigMaps No matter how we get an update, cmFlag is used when calling set() as this is what the guard-gate is configured for!

type KubeMgrInterface ¶

type KubeMgrInterface interface {
	InitConfigs()
	Read(ns string, sid string, isCm bool) (*spec.GuardianSpec, error)
	Create(ns string, sid string, isCm bool, guardianSpec *spec.GuardianSpec) error
	Set(ns string, sid string, isCm bool, guardianSpec *spec.GuardianSpec) error
	GetGuardian(ns string, sid string, cm bool, autoActivate bool) *spec.GuardianSpec
	Watch(ns string, cmFlag bool, set func(ns string, sid string, cmFlag bool, g *spec.GuardianSpec))
	TokenData(token string, labels []string) (sid string, ns string, err error)
}

func NewKubeMgr ¶

func NewKubeMgr() KubeMgrInterface

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL