Documentation

Types
type AttestorConfig

type AttestorConfig struct {
    Clusters map[string]*ClusterConfig `hcl:"clusters"`
}

AttestorConfig holds the per-cluster configuration, keyed by cluster name.
type AttestorPlugin

type AttestorPlugin struct {
    nodeattestorv1.UnsafeNodeAttestorServer
    configv1.UnsafeConfigServer
    // contains filtered or unexported fields
}

AttestorPlugin is a PSAT (Projected Service Account Token) node attestor plugin.
func (*AttestorPlugin) Attest

func (p *AttestorPlugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error

func (*AttestorPlugin) Configure

func (p *AttestorPlugin) Configure(_ context.Context, req *configv1.ConfigureRequest) (*configv1.ConfigureResponse, error)

func (*AttestorPlugin) SetLogger

func (p *AttestorPlugin) SetLogger(log hclog.Logger)

SetLogger sets up plugin logging.
type ClusterConfig

type ClusterConfig struct {
    // List of allowed service account names.
    // Attestation is denied if the token comes from a service account that is not in the list.
    ServiceAccountAllowList []string `hcl:"service_account_allow_list"`
    // Audience for PSAT token validation.
    // If audience is not configured, defaultAudience is used.
    // If audience is set to an empty slice, the k8s API server audience is used.
    Audience *[]string `hcl:"audience"`
    // Kubernetes configuration file path.
    // Used to create a k8s client to query the API server. If the string is empty, in-cluster configuration is used.
    KubeConfigFile string `hcl:"kube_config_file"`
    // Node label keys that are allowed to be used as selectors.
    AllowedNodeLabelKeys []string `hcl:"allowed_node_label_keys"`
    // Pod label keys that are allowed to be used as selectors.
    AllowedPodLabelKeys []string `hcl:"allowed_pod_label_keys"`
}

ClusterConfig holds the configuration for a single cluster.
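The following added example (not code from this plugin or its project) shows how the documented ClusterConfig rules fit together at attestation time: the cluster must be configured, the token's service account must appear in service_account_allow_list, a nil audience falls back to a default while an empty slice signals "use the API server audience", and only labels whose keys are in allowed_node_label_keys / allowed_pod_label_keys become selectors. The "namespace:name" allow-list form, the "prefix:key:value" selector format, the "spire-server" default audience and the sample cluster data are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// ClusterConfig and AttestorConfig mirror the documented structs, hcl tags included.
type ClusterConfig struct {
	ServiceAccountAllowList []string  `hcl:"service_account_allow_list"`
	Audience                *[]string `hcl:"audience"`
	KubeConfigFile          string    `hcl:"kube_config_file"`
	AllowedNodeLabelKeys    []string  `hcl:"allowed_node_label_keys"`
	AllowedPodLabelKeys     []string  `hcl:"allowed_pod_label_keys"`
}

type AttestorConfig struct {
	Clusters map[string]*ClusterConfig `hcl:"clusters"`
}

// defaultAudience stands in for the plugin's unexported default (assumed value).
var defaultAudience = []string{"spire-server"}

// SampleConfig is a constructed configuration for a single cluster named "prod".
func SampleConfig() *AttestorConfig {
	return &AttestorConfig{Clusters: map[string]*ClusterConfig{
		"prod": {
			ServiceAccountAllowList: []string{"spire:spire-agent"},
			Audience:                nil, // not configured: defaultAudience applies
			AllowedNodeLabelKeys:    []string{"topology.kubernetes.io/zone"},
			AllowedPodLabelKeys:     []string{"app"},
		},
	}}
}

// EffectiveAudience applies the documented rules: nil means "use defaultAudience";
// an empty slice means "use the API server audience", signalled here by returning nil.
func EffectiveAudience(c *ClusterConfig) []string {
	if c.Audience == nil {
		return defaultAudience
	}
	if len(*c.Audience) == 0 {
		return nil
	}
	return *c.Audience
}

// ServiceAccountAllowed reports whether the token's service account is in the allow
// list. The "namespace:name" form is an assumption of this example.
func ServiceAccountAllowed(c *ClusterConfig, namespace, name string) bool {
	sa := namespace + ":" + name
	for _, allowed := range c.ServiceAccountAllowList {
		if allowed == sa {
			return true
		}
	}
	return false
}

// FilterLabels keeps only labels whose keys are allowed and renders them as sorted
// "prefix:key:value" strings (an assumed selector format, not the plugin's own).
func FilterLabels(prefix string, labels map[string]string, allowedKeys []string) []string {
	allowed := make(map[string]struct{}, len(allowedKeys))
	for _, k := range allowedKeys {
		allowed[k] = struct{}{}
	}
	out := []string{}
	for k, v := range labels {
		if _, ok := allowed[k]; ok {
			out = append(out, fmt.Sprintf("%s:%s:%s", prefix, k, v))
		}
	}
	sort.Strings(out)
	return out
}

// Evaluate runs the checks in order for a constructed attestation request and returns
// the resulting selectors, or an error describing why attestation is denied.
func Evaluate(cfg *AttestorConfig, cluster, namespace, sa string, nodeLabels, podLabels map[string]string) ([]string, error) {
	c, ok := cfg.Clusters[cluster]
	if !ok {
		return nil, fmt.Errorf("cluster %q is not configured", cluster)
	}
	if !ServiceAccountAllowed(c, namespace, sa) {
		return nil, fmt.Errorf("service account %s:%s is not in the allow list", namespace, sa)
	}
	sel := FilterLabels("agent_node_label", nodeLabels, c.AllowedNodeLabelKeys)
	sel = append(sel, FilterLabels("agent_pod_label", podLabels, c.AllowedPodLabelKeys)...)
	return sel, nil
}

func main() {
	cfg := SampleConfig()
	sel, err := Evaluate(cfg, "prod", "spire", "spire-agent",
		map[string]string{"topology.kubernetes.io/zone": "us-east-1a", "internal-only": "x"},
		map[string]string{"app": "spire-agent", "pod-template-hash": "abc"})
	fmt.Println(sel, err)
	_, err = Evaluate(cfg, "prod", "default", "default", nil, nil)
	fmt.Println(err)
}
```

Note that labels outside the allowed key lists (here "internal-only" and "pod-template-hash") are dropped before they can become selectors, which is why those lists should be kept to keys whose values the cluster operator actually controls.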