Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Client
type Client interface {
	libClient.Client
	// Authorize attempts to authorize the user to perform the desired operation
	// on the specified resource. If the user is not authorized, an error is
	// returned.
	Authorize(
		ctx context.Context,
		verb string,
		gvr schema.GroupVersionResource,
		subresource string,
		key libClient.ObjectKey,
	) error
	// InternalClient returns the internal controller-runtime client used by this
	// client. This is useful for cases where the API server needs to bypass
	// the extra authorization checks performed by this client.
	InternalClient() libClient.Client
	// Watch returns a suitable implementation of the watch.Interface for
	// subscribing to the resources described by the provided arguments.
	Watch(
		ctx context.Context,
		obj libClient.Object,
		namespace string,
		opts metav1.ListOptions,
	) (watch.Interface, error)
}
The Client interface combines the familiar controller-runtime Client interface with helpful Authorize and Watch functions that are absent from that interface.
func NewClient
NewClient returns an implementation of the Client interface. The interface and implementation offer two key advantages:
- The Client interface combines the familiar controller-runtime Client interface with a helpful Watch function that is absent from that interface.
- The implementation enforces RBAC by retrieving context-bound user.Info and using it to conduct a SubjectAccessReview or SelfSubjectAccessReview before (if successful) performing the desired operation. This permits this client to retain the benefits of using a single underlying client (typically with a built-in cache), while still enforcing RBAC as if the operation had been performed with a user-specific client constructed ad-hoc using the user's own credentials.
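The gating pattern described above, as an added example that is not the package's own code: the authenticated identity is bound to the request context, every operation is checked through an access review before it is performed, and the check fails closed when no identity is bound or the review itself errors. UserInfo, ResourceAttributes, Reviewer and AuthorizedClient are simplified stand-ins constructed for this example (the real client works with user.Info and the Kubernetes SubjectAccessReview API); the SkipAuthorization field mirrors the ClientOptions field of the same name.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// UserInfo is a simplified stand-in for user.Info (constructed for this example).
type UserInfo struct{ Name string }
type userKey struct{}

// WithUser binds the authenticated user to the request context, as an API server does.
func WithUser(ctx context.Context, u UserInfo) context.Context {
	return context.WithValue(ctx, userKey{}, u)
}

// ResourceAttributes carries what a SubjectAccessReview asks about.
type ResourceAttributes struct{ Verb, Group, Resource, Subresource, Namespace, Name string }
// Reviewer stands in for the SubjectAccessReview API call (hypothetical).
type Reviewer func(ctx context.Context, u UserInfo, a ResourceAttributes) (bool, error)

// AuthorizedClient gates each operation on a review unless SkipAuthorization is set.
type AuthorizedClient struct {
	SkipAuthorization bool
	Review            Reviewer
}

var (
	ErrNoUser    = errors.New("no user bound to context")
	ErrForbidden = errors.New("forbidden")
)

// Authorize fails closed: a missing identity, a failed review, or a denial all return an error.
func (c *AuthorizedClient) Authorize(ctx context.Context, a ResourceAttributes) error {
	if c.SkipAuthorization {
		return nil // only the internal client's own RBAC applies
	}
	u, ok := ctx.Value(userKey{}).(UserInfo)
	if !ok {
		return ErrNoUser
	}
	allowed, err := c.Review(ctx, u, a)
	if err != nil {
		return fmt.Errorf("access review: %w", err)
	}
	if !allowed {
		return fmt.Errorf("%w: %s cannot %s %s/%s in %q", ErrForbidden, u.Name, a.Verb, a.Resource, a.Name, a.Namespace)
	}
	return nil
}
```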
type ClientOptions
type ClientOptions struct {
	// SkipAuthorization, if true, will cause the implementation of the Client
	// interface to bypass efforts to authorize the Kargo API user's authority to
	// perform any desired operation, in which case, such operations are
	// unconditionally executed using the implementation's own internal client.
	// This does NOT bypass authorization entirely. The Kargo API server will
	// still be constrained by the permissions of the Kubernetes user from whose
	// configuration the internal client was constructed. This option is useful
	// for scenarios where the Kargo API server is executed locally on a user's
	// system and the user wishes to provide the API server with their own
	// Kubernetes client configuration. This is used, for instance, by the
	// `kargo server` command.
	SkipAuthorization bool
	// GlobalServiceAccountNamespaces is a list of namespaces in which we should
	// always look for ServiceAccounts when attempting to authorize a user.
	GlobalServiceAccountNamespaces []string
	// NewInternalClient may be used to take control of how the client's own
	// internal/underlying controller-runtime client is created. This is mainly
	// useful for tests wherein one may, for instance, wish to inject a custom
	// implementation of that interface created using fake.NewClientBuilder().
	// Ordinarily, the value of this field should be left as nil/unspecified, in
	// which case, the NewClient function to which this struct is passed will
	// supply its own default implementation.
	NewInternalClient func(
		context.Context,
		*rest.Config,
		*runtime.Scheme,
	) (libClient.Client, error)
	// NewInternalDynamicClient may be used to take control of how the client's
	// own internal/underlying client-go dynamic client is created. This is mainly
	// useful for tests wherein one may wish to inject a custom implementation of
	// that interface. Ordinarily, the value of this field should be left as
	// nil/unspecified, in which case, the NewClient function to which this struct
	// is passed will supply its own default implementation.
	NewInternalDynamicClient func(*rest.Config) (dynamic.Interface, error)
	// Scheme may be used to take control of the scheme used by the client's own
	// internal/underlying controller-runtime client. Ordinarily, the value of
	// this field should be left as nil/unspecified, in which case, the NewClient
	// function to which this struct is passed will supply a default scheme that
	// includes all Kubernetes APIs used by the Kargo API server.
	Scheme *runtime.Scheme
}
ClientOptions specifies options for customizing the client returned by the NewClient function.