Documentation
Overview ¶
Package identities provides the Identity type, which represents the identity of a user in the cluster, together with the AuthenticateToken and AuthenticateClient functions, which authenticate a bearer token or a client certificate against the Kubernetes API server. It also determines what an authenticated user is authorized to do via the [Authorize] function.
Index ¶
Constants ¶
```go
const (
	// TokenAudienceCrawler is the audience for the crawler service account.
	TokenAudienceCrawler Audience = "crashoverride.run/crawler"
	// TokenAudienceKubernetesDefaultLocal is the audience for the Kubernetes API server using the
	// 'svc.cluster.local' domain.
	TokenAudienceKubernetesDefaultLocal Audience = "https://kubernetes.default.svc.cluster.local" // #nosec G101
	// TokenAudienceKubernetesDefault is the audience for the Kubernetes API server using the
	// 'svc' domain.
	TokenAudienceKubernetesDefault Audience = "https://kubernetes.default.svc" // #nosec G101

	// TokenMountPath is the mount path for the token volume.
	TokenMountPath = "/var/run/secrets" // #nosec G101
	// TokenFileName is the name of the token file.
	TokenFileName = "ocular-api-token" // #nosec G101
	// TokenFilePath is the full path to the token file.
	TokenFilePath = TokenMountPath + "/" + TokenFileName

	// TokenValiditySeconds is the number of seconds the token will be valid for.
	TokenValiditySeconds = int(time.Minute * 60 / time.Second)
)
```
Variables ¶
This section is empty.
Functions ¶
func CreateTokenVolume ¶
CreateTokenVolume creates a projected service account token volume bound to the specified audience. The token is mounted at the file TokenFilePath and is valid for TokenValiditySeconds seconds, after which the kubelet rotates it. The function returns the token path, the volume, and the volume mount for the token.
Types ¶
type Audience ¶
type Audience string
Audience represents the audience for which the token is intended.
type Authorizer ¶
type Authorizer = func(ctx context.Context, clusterCtx cluster.Context, identity Identity) (bool, error)
Authorizer is a function that decides whether an already authenticated Identity may access a resource. It is invoked from middleware after authentication has succeeded; a false result or an error denies the request.
func AudienceAuthorizer ¶
func AudienceAuthorizer(audience Audience) Authorizer
AudienceAuthorizer checks that the user's token carries the specified audience. It is meant to be paired with projected service account tokens minted for that audience via CreateTokenVolume, so that a token issued for one service cannot be replayed against another.
func PermissionAuthorizer ¶
func PermissionAuthorizer(permissions ...PermissionSet) Authorizer
PermissionAuthorizer checks if the user has the specified permissions by creating a SubjectAccessReview for each permission.
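The SubjectAccessReview-based check described above, as an added example (not the project's own code): the Identity and Permission types, the AccessReviewer function type, the fake RBAC rules and the constructed identity are assumptions standing in for the API server and the page's unexported types. The example makes one design choice explicit: every permission in the set must be allowed, a review error denies rather than allows, and an empty permission set is refused rather than vacuously granted.

```go
package main

import (
	"context"
	"fmt"
)

// Identity stands in for the page's Identity type; only the fields a
// SubjectAccessReview needs (spec.user and spec.groups) are modelled.
type Identity struct {
	Username string
	Groups   []string
}

// Permission is one check, mirroring SubjectAccessReview.spec.resourceAttributes.
type Permission struct {
	Namespace, Verb, Group, Resource string
}

// AccessReviewer stands in for creating a SubjectAccessReview and reading
// status.allowed; the real package calls the API server here.
type AccessReviewer func(ctx context.Context, id Identity, p Permission) (allowed bool, err error)

// PermissionAuthorizer requires every permission to be allowed. A denial is
// (false, nil); a failed review is an error and also denies, so an API server
// outage cannot turn into an authorization bypass. An empty set is refused.
func PermissionAuthorizer(review AccessReviewer, perms ...Permission) func(context.Context, Identity) (bool, error) {
	return func(ctx context.Context, id Identity) (bool, error) {
		if len(perms) == 0 {
			return false, fmt.Errorf("no permissions configured; refusing to authorize %s", id.Username)
		}
		for _, p := range perms {
			ok, err := review(ctx, id, p)
			if err != nil {
				return false, fmt.Errorf("subjectaccessreview %s %s/%s in %q: %w", p.Verb, p.Group, p.Resource, p.Namespace, err)
			}
			if !ok {
				return false, nil
			}
		}
		return true, nil
	}
}

// --- constructed fake RBAC so the example runs offline (not real cluster data) ---

type rule struct {
	subject   string // a user name or a group name
	namespace string // "" means cluster-wide
	verbs     []string
	resource  string // API group is ignored by this fake
}

var fakeRules = []rule{
	{subject: "system:serviceaccounts:ocular", namespace: "ocular", verbs: []string{"get", "list", "watch"}, resource: "pods"},
	{subject: "system:serviceaccount:ocular:crawler", namespace: "ocular", verbs: []string{"create"}, resource: "jobs"},
}

// FakeAccessReview evaluates the rules the way RBAC would: any rule matching the
// user or one of the user's groups allows; nothing matching denies.
func FakeAccessReview(_ context.Context, id Identity, p Permission) (bool, error) {
	subjects := append([]string{id.Username}, id.Groups...)
	for _, r := range fakeRules {
		if r.resource != p.Resource || (r.namespace != "" && r.namespace != p.Namespace) {
			continue
		}
		for _, s := range subjects {
			for _, v := range r.verbs {
				if s == r.subject && v == p.Verb {
					return true, nil
				}
			}
		}
	}
	return false, nil
}

func main() {
	ctx := context.Background()
	crawler := Identity{Username: "system:serviceaccount:ocular:crawler",
		Groups: []string{"system:serviceaccounts", "system:serviceaccounts:ocular"}}
	canScan := PermissionAuthorizer(FakeAccessReview,
		Permission{Namespace: "ocular", Verb: "list", Resource: "pods"},
		Permission{Namespace: "ocular", Verb: "create", Group: "batch", Resource: "jobs"})
	fmt.Println(canScan(ctx, crawler)) // true <nil>
	canDelete := PermissionAuthorizer(FakeAccessReview, Permission{Namespace: "ocular", Verb: "delete", Resource: "pods"})
	fmt.Println(canDelete(ctx, crawler)) // false <nil>
}
```

Each Permission becomes one SubjectAccessReview, so a check with several permissions costs several round trips; keep permission sets small and cache nothing across identities, since the verdict depends on the user and groups in the spec.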
type Identity ¶
Identity represents the identity of a user in the cluster and contains the user information.
func AuthenticateClient ¶
```go
func AuthenticateClient(
	ctx context.Context,
	clusterCtx cluster.Context,
	cert *x509.Certificate,
) (Identity, error)
```
AuthenticateClient authenticates a client certificate using the Kubernetes API server. It returns the identity of the user and their audiences. It also checks that the certificate is valid and has not expired.
func AuthenticateToken ¶
```go
func AuthenticateToken(
	ctx context.Context,
	reviewInterface v1.TokenReviewInterface,
	token string,
) (Identity, error)
```
AuthenticateToken authenticates a token using the Kubernetes API server. It returns the identity of the user and their audiences. It will
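The TokenReview exchange behind AuthenticateToken and the audience check behind AudienceAuthorizer, as an added example (not the project's own code): the Identity and TokenReviewStatus types, the TokenReviewer function type standing in for v1.TokenReviewInterface, and the fake token table are assumptions constructed so the example runs offline. It shows the two points a practitioner has to get right: a 200 response from the API server is not a successful login unless status.authenticated is true, and the audiences submitted in the review decide whether a token minted for another service is rejected.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Identity stands in for the page's Identity type, whose fields the page does not show.
type Identity struct {
	Username  string
	Groups    []string
	Audiences []string // audiences the API server confirmed the token was minted for
}

// TokenReviewStatus is the subset of authentication.k8s.io/v1 TokenReviewStatus used here.
type TokenReviewStatus struct {
	Authenticated bool
	Username      string
	Groups        []string
	Audiences     []string
	Error         string
}

// TokenReviewer stands in for v1.TokenReviewInterface.Create: submit the bearer
// token plus the audiences this service accepts, get the server's verdict back.
type TokenReviewer func(ctx context.Context, token string, audiences []string) (TokenReviewStatus, error)

// AuthenticateToken maps a TokenReview verdict to an Identity. A successful API
// call is not a successful login: only status.authenticated == true counts.
func AuthenticateToken(ctx context.Context, review TokenReviewer, token string, audiences ...string) (Identity, error) {
	if token == "" {
		return Identity{}, errors.New("empty token")
	}
	st, err := review(ctx, token, audiences)
	if err != nil {
		return Identity{}, fmt.Errorf("tokenreview request failed: %w", err)
	}
	if !st.Authenticated {
		return Identity{}, fmt.Errorf("token rejected: %s", st.Error)
	}
	return Identity{Username: st.Username, Groups: st.Groups, Audiences: st.Audiences}, nil
}

// AudienceAuthorizer accepts only identities whose token carries this service's
// audience, so a token projected for another workload cannot be replayed here.
func AudienceAuthorizer(audience string) func(context.Context, Identity) (bool, error) {
	return func(_ context.Context, id Identity) (bool, error) {
		for _, a := range id.Audiences {
			if a == audience {
				return true, nil
			}
		}
		return false, nil
	}
}

// --- constructed fake API server so the example runs offline ---

const (
	CrawlerAudience   = "crashoverride.run/crawler"
	APIServerAudience = "https://kubernetes.default.svc"
)

// Opaque token -> the claims the real server would verify from the JWT. Constructed data.
var fakeTokens = map[string]TokenReviewStatus{
	"tok-crawler": {Authenticated: true, Username: "system:serviceaccount:ocular:crawler",
		Groups: []string{"system:serviceaccounts", "system:serviceaccounts:ocular"}, Audiences: []string{CrawlerAudience}},
}

// FakeTokenReview follows the API server's audience rules: with no requested
// audiences the token must carry the server's own audience; otherwise the status
// reports the intersection, and an empty intersection fails authentication.
func FakeTokenReview(_ context.Context, token string, want []string) (TokenReviewStatus, error) {
	st, ok := fakeTokens[token]
	if !ok {
		return TokenReviewStatus{Error: "invalid bearer token"}, nil
	}
	if len(want) == 0 {
		want = []string{APIServerAudience}
	}
	var matched []string
	for _, have := range st.Audiences {
		for _, w := range want {
			if have == w {
				matched = append(matched, have)
			}
		}
	}
	if len(matched) == 0 {
		return TokenReviewStatus{Error: "token audiences do not match the audience of the API server"}, nil
	}
	st.Audiences = matched
	return st, nil
}

func main() {
	ctx := context.Background()
	id, err := AuthenticateToken(ctx, FakeTokenReview, "tok-crawler", CrawlerAudience)
	fmt.Println(id, err) // crawler identity with audience crashoverride.run/crawler, <nil>
	_, err = AuthenticateToken(ctx, FakeTokenReview, "tok-crawler") // no audience requested: server checks its own
	fmt.Println(err)                                                // token rejected
	ok, _ := AudienceAuthorizer(APIServerAudience)(ctx, id)
	fmt.Println(ok) // false: a crawler token is not a token for the API server
}
```

The second call in main is the case to watch for: if the service forgets to pass its own audience in the review, the API server falls back to its own audience and a correctly projected crawler token is rejected, so a silent "fix" of dropping the audience parameter would instead make the service accept any token the API server accepts.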
type PermissionSet ¶
PermissionSet represents a set of permissions to check against