Index
- Variables
- func GetKubernetesHttpClient() (*http.Client, error)
- func IsAccessAllowed(c IsAccessAllowedCtx, accessTypesSet AccessTypeSet) bool
- func IsReadOnly(method string) bool
- func NewKubernetesAuthz(opts ...KubernetesAuthOption) fiber.Handler
- func NewSuccessHandler(options *KubernetesAuthzOptions) fiber.Handler
- type AccessTokenTransport
- type AccessType
- type AccessTypeSet
- type IsAccessAllowedCtx
- type Kubernetes
- type KubernetesAuthOption
- type KubernetesAuthzOptions
- type NamedObject
- type ServiceAccessConfig
- type ServiceAccountTokenClaims
Constants
This section is empty.
Variables
var (
	// ServiceAccountTokenFilepath is the in-cluster mount path of the pod's
	// service account token. The file contents are a bearer credential; they
	// are read to authenticate the in-cluster HTTP client and must not be
	// logged or echoed in error messages.
	// The nolint directive presumably silences gosec's hard-coded-credential
	// rule: the literal is a file path, not a secret.
	ServiceAccountTokenFilepath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec
	// ServiceAccountCAFilepath is the in-cluster mount path of the cluster CA
	// bundle used to verify the API server's TLS certificate, so the client
	// does not have to disable certificate verification.
	ServiceAccountCAFilepath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
)
var (
	// KubernetesJwksPaths is a list of known paths that Kubernetes uses to
	// expose JWKS (the public keys used to verify service account tokens).
	// The order is important, as the first available path will be used;
	// keep it stable, since a reordering changes which key set is fetched
	// first when more than one path is served.
	// NOTE(review): the base these paths are joined to is not shown here —
	// presumably the in-cluster issuer; confirm against the option code.
	KubernetesJwksPaths = []string{
		"/keys",
		"/openid/v1/jwks",
	}
)
var (
	// KubernetesWellKnownConfig is the OIDC discovery document URL of the
	// in-cluster API server. It is served over HTTPS on the cluster-internal
	// service name, so the fetching client needs the cluster CA bundle to
	// validate the endpoint before trusting the issuer and JWKS URIs it
	// advertises.
	KubernetesWellKnownConfig = "https://kubernetes.default.svc/.well-known/openid-configuration"
)
Functions
func GetKubernetesHttpClient ¶
GetKubernetesHttpClient initializes and returns a Kubernetes HTTP client using the service account token and CA certificate from the Kubernetes environment. It ensures that the client is only initialized once, even if called multiple times.
func IsAccessAllowed ¶
func IsAccessAllowed(c IsAccessAllowedCtx, accessTypesSet AccessTypeSet) bool
IsAccessAllowed checks if the access types set allows the requested access.
func IsReadOnly ¶
IsReadOnly checks if the HTTP method is read-only.
func NewKubernetesAuthz ¶
func NewKubernetesAuthz(opts ...KubernetesAuthOption) fiber.Handler
func NewSuccessHandler ¶
func NewSuccessHandler(options *KubernetesAuthzOptions) fiber.Handler
NewSuccessHandler creates a JWT success handler that performs authorization based on ServiceAccountTokenClaims.
Types
type AccessTokenTransport ¶
// AccessTokenTransport pairs an access token with an underlying
// http.RoundTripper. It is presumably used to attach Token as a bearer
// credential to outgoing requests before delegating to Transport — confirm
// against its RoundTrip implementation, which is not shown here.
type AccessTokenTransport struct {
	// Token is the credential presented on each request; treat it as a
	// secret when logging or dumping requests.
	Token accesstoken.AccessToken
	// Transport performs the actual request once the token has been added.
	Transport http.RoundTripper
}
type AccessType ¶
// AccessType names the kind of access a caller is permitted to perform.
type AccessType string

const (
	// AccessTypeNone grants no access at all.
	AccessTypeNone AccessType = "none"
	// AccessTypeRead grants read-only access.
	AccessTypeRead AccessType = "read"
	// AccessTypeWrite grants write access.
	AccessTypeWrite AccessType = "write"
)
type AccessTypeSet ¶
// AccessTypeSet is a set of AccessType values, keyed by the access type;
// the empty struct value carries no data. The zero value (nil map) is a
// valid empty set for lookups.
type AccessTypeSet map[AccessType]struct{}
func (AccessTypeSet) Has ¶
func (ats AccessTypeSet) Has(at AccessType) bool
type IsAccessAllowedCtx ¶
type Kubernetes ¶
// Kubernetes is the workload identity carried in a service account token's
// "kubernetes.io" claim (see ServiceAccountTokenClaims): the namespace plus
// the service account, pod and node the token was issued for. These values
// come from the token and are only trustworthy after its signature, issuer
// and audience have been verified.
type Kubernetes struct {
	// Namespace is the namespace of the service account.
	Namespace string `json:"namespace"`
	// ServiceAccount identifies the service account the token belongs to.
	ServiceAccount NamedObject `json:"serviceaccount"`
	// Pod identifies the pod the token is bound to, when present.
	Pod NamedObject `json:"pod"`
	// Node identifies the node the token is bound to, when present.
	Node NamedObject `json:"node"`
}
type KubernetesAuthOption ¶
// KubernetesAuthOption is a functional option that mutates a
// KubernetesAuthzOptions; it is passed to NewKubernetesAuthz and built by
// the With* helpers below.
type KubernetesAuthOption func(*KubernetesAuthzOptions)
func WithAccessConfig ¶
func WithAccessConfig(configs ...ServiceAccessConfig) KubernetesAuthOption
func WithAudience ¶
func WithAudience(audience string) KubernetesAuthOption
func WithInClusterIssuer ¶
func WithInClusterIssuer() KubernetesAuthOption
func WithJWKSetURLs ¶
func WithJWKSetURLs(urls ...string) KubernetesAuthOption
func WithTrustedIssuers ¶
func WithTrustedIssuers(issuers ...string) KubernetesAuthOption
type KubernetesAuthzOptions ¶
// KubernetesAuthzOptions holds the configuration assembled by the
// KubernetesAuthOption helpers for the Kubernetes authorization handler.
// TrustedIssuers and Audience are what bind an accepted token to this
// cluster and this service; leaving either empty widens which tokens are
// accepted, so the defaults applied by NewKubernetesAuthz should be
// reviewed before deployment.
type KubernetesAuthzOptions struct {
	// JWKSOpts maps a JWK Set URL to the keyfunc options used to fetch and
	// cache the signing keys from it.
	JWKSOpts map[string]keyfunc.Options
	// TrustedIssuers lists the token issuers ("iss") that are accepted.
	TrustedIssuers []string
	// Audience is the expected token audience ("aud") for this service.
	Audience string
	// AccessConfig lists the per-identity access rules evaluated after
	// token validation.
	AccessConfig []ServiceAccessConfig
}
func (*KubernetesAuthzOptions) LoadServiceAccessConfig ¶
func (o *KubernetesAuthzOptions) LoadServiceAccessConfig() map[string]ServiceAccessConfig
type NamedObject ¶
type ServiceAccessConfig ¶
// ServiceAccessConfig grants a set of access types to one workload identity,
// selected by service account name, deployment name and namespace.
// NOTE(review): which of the three selectors must match (all, or any that
// is set) is decided by code not shown here — confirm before relying on a
// partially filled entry.
type ServiceAccessConfig struct {
	// ServiceAccountName is the service account the rule applies to.
	ServiceAccountName string `yaml:"service_account_name" json:"service_account_name"`
	// DeploymentName is the deployment the rule applies to.
	DeploymentName string `yaml:"deployment_name" json:"deployment_name"`
	// Namespace scopes the rule to a namespace; identical service account
	// names in different namespaces are different identities.
	Namespace string `yaml:"namespace" json:"namespace"`
	// AllowedAccess lists the access types granted to the matched identity.
	AllowedAccess []AccessType `yaml:"allowed_access" json:"allowed_access"`
	// contains filtered or unexported fields
}
type ServiceAccountTokenClaims ¶
// ServiceAccountTokenClaims is the claim set of a Kubernetes service account
// JWT: the standard registered claims (issuer, audience, expiry, ...) plus
// the Kubernetes-specific "kubernetes.io" claim describing the workload.
// Authorization decisions in NewSuccessHandler are based on these claims,
// so they must only be read from a token whose signature was verified.
type ServiceAccountTokenClaims struct {
	jwt.RegisteredClaims
	// Kubernetes carries the namespace, service account, pod and node the
	// token was issued for.
	Kubernetes Kubernetes `json:"kubernetes.io"`
}