Documentation

Index
- Constants
- func ExtractNodeNameFromSAToken(token string) (string, error)
- func GenerateHMACKey() ([]byte, error)
- type Claims
- type TokenIssuer
- func NewTokenIssuer(hmacKey []byte) (*TokenIssuer, error)
- func (ti *TokenIssuer) IssueNodeToken(subject, nodeName string, lifetime time.Duration) (string, time.Time, error)
- func (ti *TokenIssuer) IssueViewerToken(subject string, groups []string, lifetime time.Duration) (string, time.Time, error)
- func (ti *TokenIssuer) Validate(tokenStr string) (*Claims, error)
Constants

const (
	// RoleNode is the role for node agent tokens.
	RoleNode = "node"
	// RoleViewer is the role for viewer tokens.
	RoleViewer = "viewer"
	// HMACKeySize is the minimum key size in bytes for HMAC-SHA256 signing.
	HMACKeySize = 32
)
Variables

This section is empty.

Functions
func ExtractNodeNameFromSAToken

func ExtractNodeNameFromSAToken(token string) (string, error)

ExtractNodeNameFromSAToken decodes the payload of a Kubernetes service account JWT without verifying its signature (the caller must first verify the token through the TokenReview API) and extracts the kubernetes.io.node.name claim. It returns ("", nil) if the claim is not present.
func GenerateHMACKey

func GenerateHMACKey() ([]byte, error)

GenerateHMACKey returns HMACKeySize cryptographically random bytes suitable for use as an HMAC signing key.
Types

type Claims

type Claims struct {
	Subject   string   `json:"sub"`              // e.g. "system:serviceaccount:unbounded-net:unbounded-net-node"
	Role      string   `json:"role"`             // "node" or "viewer"
	NodeName  string   `json:"node,omitempty"`   // node name (node tokens only)
	Groups    []string `json:"groups,omitempty"` // user groups (for SAR checks)
	IssuedAt  int64    `json:"iat"`              // Unix timestamp
	ExpiresAt int64    `json:"exp"`              // Unix timestamp
}
Claims holds the payload of an HMAC-signed token.
type TokenIssuer

type TokenIssuer struct {
	// contains filtered or unexported fields
}
TokenIssuer generates and validates HMAC-signed tokens.
func NewTokenIssuer
func NewTokenIssuer(hmacKey []byte) (*TokenIssuer, error)
NewTokenIssuer creates a TokenIssuer after validating that the key is at least HMACKeySize bytes.
func (*TokenIssuer) IssueNodeToken
func (ti *TokenIssuer) IssueNodeToken(subject, nodeName string, lifetime time.Duration) (string, time.Time, error)
IssueNodeToken creates an HMAC-signed token with RoleNode and the given node name. It returns the token string, its expiry time, and any error.
func (*TokenIssuer) IssueViewerToken

func (ti *TokenIssuer) IssueViewerToken(subject string, groups []string, lifetime time.Duration) (string, time.Time, error)

IssueViewerToken creates an HMAC-signed token with RoleViewer. It returns the token string, its expiry time, and any error. Groups are included in the token claims so that downstream SubjectAccessReview (SAR) checks can evaluate group-based RBAC.
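An added illustration, not this package's own code, of the token lifecycle the TokenIssuer documentation describes: the key-length check at construction, HMAC-SHA256 signing of the claims, and a validator that compares the MAC in constant time before decoding or trusting any claim and then rejects expired tokens. The wire format (base64url JSON payload, a dot, base64url MAC), the clock passed in as Unix seconds, and the lower-case names are assumptions; Groups and IssuedAt are omitted because node-token validation does not need them.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// claims copies the documented layout (Groups and IssuedAt omitted); the wire format is an assumption.
type claims struct {
	Subject   string `json:"sub"`
	Role      string `json:"role"`
	NodeName  string `json:"node,omitempty"`
	ExpiresAt int64  `json:"exp"`
}
type issuer []byte // the HMAC-SHA256 key
func newIssuer(key []byte) (issuer, error) {
	if len(key) < 32 { // the documented HMACKeySize minimum
		return nil, errors.New("hmac key must be at least 32 bytes")
	}
	return issuer(key), nil
}
func (k issuer) mac(p string) []byte {
	m := hmac.New(sha256.New, k)
	m.Write([]byte(p))
	return m.Sum(nil)
}
// issueNode emits base64url(JSON claims) "." base64url(HMAC over that base64 string).
func (k issuer) issueNode(subject, node string, now, ttl int64) string {
	b, _ := json.Marshal(claims{Subject: subject, Role: "node", NodeName: node, ExpiresAt: now + ttl})
	p := base64.RawURLEncoding.EncodeToString(b)
	return p + "." + base64.RawURLEncoding.EncodeToString(k.mac(p))
}
// validate checks the MAC in constant time before decoding any claim, then checks expiry.
func (k issuer) validate(tok string, now int64) (*claims, error) {
	p, sig, _ := strings.Cut(tok, ".")
	if got, err := base64.RawURLEncoding.DecodeString(sig); err != nil || !hmac.Equal(got, k.mac(p)) {
		return nil, errors.New("bad signature")
	}
	var c claims
	if b, err := base64.RawURLEncoding.DecodeString(p); err != nil || json.Unmarshal(b, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if now >= c.ExpiresAt {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```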