Constants ¶
// Well-known Kubernetes identity strings the approver compares CSR subjects
// and requesters against.
const (
	// SystemNodesGroup is the Kubernetes group that marks a node identity.
	SystemNodesGroup = "system:nodes"
	// SystemNodeUserPrefix is the conventional username prefix of a node
	// ("system:node:<node-name>").
	SystemNodeUserPrefix = "system:node:"
	// BootstrapUserPrefix is the username prefix of a bootstrap-token requester.
	BootstrapUserPrefix = "system:bootstrap:"
)
// DefaultControllerCertificateSignerName is the certificates.k8s.io signerName
// assumed when CSRApproverOptions.SignerName or
// ControllerCertificateOptions.SignerName is left empty.
const DefaultControllerCertificateSignerName = "kubernetes.io/kube-apiserver-client"
Variables ¶
This section is empty.
Functions ¶
func HasApprovalDecision ¶
func HasApprovalDecision(csr *certificatesv1.CertificateSigningRequest) bool
Types ¶
type CSRApprover ¶
// CSRApprover validates daemon-controller CertificateSigningRequests and returns
// approval decisions via Evaluate. It enforces the generic certificate shape and
// requester checks itself; the binding of a request to a specific node is
// delegated to the callbacks supplied in CSRApproverOptions.
type CSRApprover struct {
	// contains filtered or unexported fields
}
CSRApprover validates daemon-controller CertificateSigningRequests and returns approval decisions. It enforces generic certificate shape and requester checks; callers provide resource-binding checks through callbacks.
func NewCSRApprover ¶
func NewCSRApprover(opts CSRApproverOptions) (*CSRApprover, error)
func (*CSRApprover) Evaluate ¶
func (a *CSRApprover) Evaluate(ctx context.Context, csr *certificatesv1.CertificateSigningRequest) (CSRDecision, error)
type CSRApproverOptions ¶
// CSRApproverOptions configures daemon-controller CSR validation.
//
// The generic checks (certificate shape, requester group or identity, expiration
// bound) are built in; the two Authorize* callbacks are where an integration
// proves that the requester is entitled to the node name it asks for.
type CSRApproverOptions struct {
	// SignerName is the certificates.k8s.io signerName this approver handles.
	// Defaults to kubernetes.io/kube-apiserver-client when empty.
	SignerName string
	// DaemonGroup is the non-privileged group requested in the issued certificate
	// alongside system:nodes. It is required and must not use reserved names.
	// Since the certificate also carries system:nodes, this group only adds
	// authorization on top of a node identity; it never narrows it.
	DaemonGroup string
	// BootstrapGroup is the bootstrap-token requester group allowed to request
	// initial daemon-controller certificates. It is required and intentionally not
	// derived from DaemonGroup so integrations can choose their own bootstrap group.
	BootstrapGroup string
	// MaxExpirationSeconds is the maximum allowed spec.expirationSeconds value.
	// Defaults to 365 days when unset. This bounds how long a leaked
	// daemon-controller credential remains usable, so prefer the shortest value
	// the renewal path can sustain.
	MaxExpirationSeconds int32
	// AuthorizeBootstrap validates implementation-specific bootstrap-token to node
	// binding after the generic CSR shape and requester group checks pass.
	// The generic checks do not tie the requester to the requested node name;
	// this callback is the only place that binding is enforced.
	// NOTE(review): whether NewCSRApprover rejects a nil callback is not visible
	// here — confirm before relying on it.
	AuthorizeBootstrap RequestAuthorizationFunc
	// AuthorizeRenewal validates implementation-specific existing-cert to node
	// binding after the generic CSR shape and requester identity checks pass.
	// The same nil-callback caveat as AuthorizeBootstrap applies.
	AuthorizeRenewal RequestAuthorizationFunc
}
CSRApproverOptions configures daemon-controller CSR validation.
type CSRApproverReconciler ¶
// CSRApproverReconciler watches CertificateSigningRequest objects and writes
// approval or denial conditions for requests evaluated by CSRApprover.
type CSRApproverReconciler struct {
	// Client reads CertificateSigningRequest objects from the controller cache.
	// NOTE(review): a cached object can lag the API server, so a decision may be
	// computed from a stale copy; presumably the update through KubeClient
	// surfaces a conflict in that case — confirm the reconcile loop handles it.
	client.Client
	// KubeClient updates the CSR approval subresource. The identity running the
	// reconciler therefore needs RBAC to update certificatesigningrequests/approval
	// and to approve the configured signer.
	KubeClient kubernetes.Interface
	// Approver evaluates daemon-controller CSR requests.
	Approver *CSRApprover
	// EventFilter optionally customizes which CSR events enqueue reconcile work.
	// When nil, create, update, and generic events are processed and deletes are ignored.
	EventFilter predicate.Predicate
}
CSRApproverReconciler watches CertificateSigningRequest objects and writes approval or denial conditions for requests evaluated by CSRApprover.
func NewCSRApproverReconciler ¶
func NewCSRApproverReconciler( c client.Client, kubeClient kubernetes.Interface, approver *CSRApprover, ) (*CSRApproverReconciler, error)
func (*CSRApproverReconciler) SetupWithManager ¶
func (r *CSRApproverReconciler) SetupWithManager(mgr ctrl.Manager) error
type CSRDecision ¶
// CSRDecision describes the outcome of evaluating one CertificateSigningRequest.
// Ignore and AlreadyDecided mark requests that must not be modified; Approve and
// Message presumably matter only when neither of those is set (Evaluate's
// ordering is not visible here).
type CSRDecision struct {
	// Ignore is true when the CSR is for another signer and should not be touched.
	Ignore bool
	// AlreadyDecided is true when the CSR already has a terminal approval state or certificate.
	AlreadyDecided bool
	// Approve is true for approval decisions and false for denial decisions.
	Approve bool
	// Message is written to the CSR approval or denial condition. It is readable
	// by anyone who can read the CSR, so it should describe the reason without
	// echoing token or key material.
	Message string
}
CSRDecision describes the outcome of evaluating one CertificateSigningRequest.
func Approve ¶
func Approve(format string, args ...any) CSRDecision
func Deny ¶
func Deny(format string, args ...any) CSRDecision
type ControllerCertificateOptions ¶
// ControllerCertificateOptions configures daemon-controller client certificate
// issuance, storage, and REST client rotation.
type ControllerCertificateOptions struct {
	// Name identifies this certificate manager in logs.
	Name string
	// SignerName is the certificates.k8s.io signerName used for daemon-controller CSRs.
	// Defaults to kubernetes.io/kube-apiserver-client when empty.
	SignerName string
	// DaemonGroup is the additional group requested alongside system:nodes.
	// It is required and must not use reserved or privileged group names.
	// It presumably has to match CSRApproverOptions.DaemonGroup on the approving
	// side for requests to be accepted — confirm.
	DaemonGroup string
	// CredentialDir stores the daemon-controller certificate material.
	// It is required.
	// NOTE(review): this presumably holds the private key as well; keep the
	// directory owner-only and off any world-readable or shared volume.
	CredentialDir string
	// WaitTimeout is how long initial certificate issuance waits before failing.
	// Defaults to 10 seconds when unset.
	WaitTimeout time.Duration
	// WaitPoll is the polling interval used while waiting for initial issuance.
	// Defaults to 500 milliseconds when unset.
	WaitPoll time.Duration
	// ExpirationDuration is the requested lifetime for issued certificates.
	// Defaults to 365 days when unset. The approver's MaxExpirationSeconds bounds
	// what is accepted, so a value above that cap is presumably refused — confirm.
	ExpirationDuration time.Duration
	// ReloadPeriod is how often the REST config provider checks for rotation.
	// Defaults to 10 seconds when unset.
	ReloadPeriod time.Duration
}
ControllerCertificateOptions configures daemon-controller client certificate issuance, storage, and REST client rotation.
type RESTConfigProvider ¶
// RESTConfigProvider serves a *rest.Config backed by the daemon-controller client
// certificate (see RESTConfig) and, while Run is active, picks up rotated
// certificates on the ControllerCertificateOptions.ReloadPeriod schedule.
// NOTE(review): the fields are not visible here; whether RESTConfig is safe to
// call concurrently with Run should be confirmed in the implementation.
type RESTConfigProvider struct {
	// contains filtered or unexported fields
}
func NewRESTConfigProvider ¶
func NewRESTConfigProvider( ctx context.Context, base *rest.Config, nodeName string, opts ControllerCertificateOptions, ) (*RESTConfigProvider, error)
func (*RESTConfigProvider) RESTConfig ¶
func (p *RESTConfigProvider) RESTConfig() *rest.Config
func (*RESTConfigProvider) Run ¶
func (p *RESTConfigProvider) Run(ctx context.Context)
type RequestAuthorizationFunc ¶
// RequestAuthorizationFunc authorizes a parsed daemon-controller CSR request for the
// requested node name, passed as the string argument. Callers provide
// implementation-specific binding checks, such as bootstrap token to Machine/Node
// validation.
//
// NOTE(review): how CSRApprover.Evaluate treats (false, nil) versus a non-nil
// error (deny now vs. retry later) is not documented here — confirm before
// relying on either for a fail-closed decision.
type RequestAuthorizationFunc func(context.Context, *certificatesv1.CertificateSigningRequest, string) (bool, error)
RequestAuthorizationFunc authorizes a parsed daemon-controller CSR request for the requested node name. Callers provide implementation-specific binding checks, such as bootstrap token to Machine/Node validation.