bootstrap

package v0.32.2

This package is not in the latest version of its module.

Published: Jun 25, 2026 License: Apache-2.0 Imports: 11 Imported by: 1

Documentation
Constants

const (
	// SystemKcpAdminGroup is global admin group. Members of this group have all permissions across all workspaces.
	SystemKcpAdminGroup = "system:kcp:admin"
	// SystemKcpWorkspaceBootstrapper is the group used to bootstrap resources, both during the root setup, as well
	// as when the default APIBinding initializing controller performs its bootstrapping for initializing workspaces.
	// We need a separate group (not the privileged system group) for this because system-owned workspaces (e.g. root:users) need
	// a workspace owner annotation set, and the owner annotation is skipped/not set for the privileged system group.
	SystemKcpWorkspaceBootstrapper = "system:kcp:tenancy:workspace-bootstrapper"
	// SystemLogicalClusterAdmin is a group used by the workspace scheduler to create LogicalCluster resources.
	// This group allows it to skip the entire authorization stack except the bootstrap policy authorizer.
	// Otherwise, the requests would be rejected because the LogicalCluster resource does not exist yet.
	SystemLogicalClusterAdmin = "system:kcp:logical-cluster-admin"
	// SystemExternalLogicalClusterAdmin is a group used by the workspace controllers to manage LogicalCluster
	// resources after creation, using a subset of permissions allowed for the internal logical-cluster-admin.
	SystemExternalLogicalClusterAdmin = "system:kcp:external-logical-cluster-admin"
	// SystemKcpWorkspaceAccessGroup is a group that gives a user system:authenticated access to a workspace.
	SystemKcpWorkspaceAccessGroup = "system:kcp:workspace:access"
	// SystemKcpMetricsReader is a ClusterRole that grants read access to the
	// shard-wide /metrics endpoint. A kcp-admin binds it inside :root to an
	// identity (User, Group, or ServiceAccount) used by prometheus or similar
	// scrapers. The binding is replicated to every shard via the cache server,
	// so a single :root binding authorizes scraping on all shards.
	SystemKcpMetricsReader = "system:kcp:metrics-reader"
	// SystemKcpInitializerGroupPrefix is the group prefix used by the initializing virtual workspace's
	// content proxy to mark a request as already authorized against the WorkspaceType's
	// initializerPermissions. Concrete groups are formed as
	//   system:kcp:initializer:<initializer-name>
	// where <initializer-name> is the fully qualified initializer identifier produced by
	// initialization.InitializerForType (e.g. "root:org:tenant"). Clients cannot self-assert
	// these groups: the front-proxy strips them via --authentication-drop-groups before the
	// request ever reaches a shard, so seeing one inside the workspace content authorizer is
	// a trustworthy signal that a VW proxy has already evaluated the request.
	SystemKcpInitializerGroupPrefix = "system:kcp:initializer:"
	// SystemKcpTerminatorGroupPrefix is the group prefix used by the terminating virtual
	// workspace's content proxy. See SystemKcpInitializerGroupPrefix for semantics.
	SystemKcpTerminatorGroupPrefix = "system:kcp:terminator:"
)
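The initializer and terminator group prefixes above only carry meaning because the front-proxy strips client-asserted copies before a request reaches a shard. The following is an added illustration, not kcp's own code: `dropReservedGroups` is a hypothetical stand-in for what `--authentication-drop-groups` must achieve at the edge, and `initializerFromGroups` shows the consumer side inside the content authorizer, recovering the fully qualified initializer name from a group that survived that filter.

```go
package main

import (
	"fmt"
	"strings"
)

// Prefix constants copied from the bootstrap package documentation.
const (
	SystemKcpInitializerGroupPrefix = "system:kcp:initializer:"
	SystemKcpTerminatorGroupPrefix  = "system:kcp:terminator:"
)

// reservedPrefixes are group prefixes only a virtual-workspace proxy may assert.
var reservedPrefixes = []string{SystemKcpInitializerGroupPrefix, SystemKcpTerminatorGroupPrefix}

func hasReservedPrefix(group string) bool {
	for _, p := range reservedPrefixes {
		if strings.HasPrefix(group, p) {
			return true
		}
	}
	return false
}

// dropReservedGroups (hypothetical helper) removes every client-supplied group
// carrying a reserved prefix, as the front-proxy must do before forwarding.
func dropReservedGroups(groups []string) []string {
	kept := make([]string, 0, len(groups))
	for _, g := range groups {
		if !hasReservedPrefix(g) {
			kept = append(kept, g)
		}
	}
	return kept
}

// initializerFromGroups (hypothetical helper) returns the initializer name,
// e.g. "root:org:tenant", carried by a trusted initializer group, if present.
func initializerFromGroups(groups []string) (string, bool) {
	for _, g := range groups {
		if strings.HasPrefix(g, SystemKcpInitializerGroupPrefix) {
			if name := strings.TrimPrefix(g, SystemKcpInitializerGroupPrefix); name != "" {
				return name, true
			}
		}
	}
	return "", false
}

func main() {
	// Constructed sample: a client attempts to self-assert the initializer group.
	client := []string{"system:authenticated", SystemKcpInitializerGroupPrefix + "root:org:tenant", "developers"}
	fmt.Println(dropReservedGroups(client)) // [system:authenticated developers]
}
```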
const (
	// SystemMastersGroup is the group inherited from the k8s codebase: all powerful, all knowing!
	// Users should not be added to this group.
	SystemMastersGroup = user.SystemPrivilegedGroup
)

Variables

This section is empty.

Functions

func Policy

func Policy() *rbacrest.PolicyData

Types

This section is empty.
