package serviceaccount
import "k8s.io/kubernetes/pkg/controller/serviceaccount"
Package serviceaccount provides implementations to manage service accounts and service account tokens
Index ¶
- Constants
- Variables
- func NewGetterFromClient(c clientset.Interface, secretLister v1listers.SecretLister, serviceAccountLister v1listers.ServiceAccountLister, podLister v1listers.PodLister, nodeLister v1listers.NodeLister) serviceaccount.ServiceAccountTokenGetter
- type LegacySATokenCleaner
- func NewLegacySATokenCleaner(saInformer coreinformers.ServiceAccountInformer, secretInformer coreinformers.SecretInformer, podInformer coreinformers.PodInformer, client clientset.Interface, cl clock.Clock, options LegacySATokenCleanerOptions) (*LegacySATokenCleaner, error)
- func (tc *LegacySATokenCleaner) Run(ctx context.Context)
- type LegacySATokenCleanerOptions
- type ServiceAccountsController
- func NewServiceAccountsController(saInformer coreinformers.ServiceAccountInformer, nsInformer coreinformers.NamespaceInformer, cl clientset.Interface, options ServiceAccountsControllerOptions) (*ServiceAccountsController, error)
- func (c *ServiceAccountsController) Run(ctx context.Context, workers int)
- type ServiceAccountsControllerOptions
- type TokensController
- func NewTokensController(logger klog.Logger, serviceAccounts informers.ServiceAccountInformer, secrets informers.SecretInformer, cl clientset.Interface, options TokensControllerOptions) (*TokensController, error)
- func (e *TokensController) Run(ctx context.Context, workers int)
- type TokensControllerOptions
Constants ¶
Variables ¶
var RemoveTokenBackoff = wait.Backoff{ Steps: 10, Duration: 100 * time.Millisecond, Jitter: 1.0, }
RemoveTokenBackoff is the recommended (empirical) retry interval for removing a secret reference from a service account when the secret is deleted. It is exported for use by custom secret controllers.
Functions ¶
func NewGetterFromClient ¶
func NewGetterFromClient(c clientset.Interface, secretLister v1listers.SecretLister, serviceAccountLister v1listers.ServiceAccountLister, podLister v1listers.PodLister, nodeLister v1listers.NodeLister) serviceaccount.ServiceAccountTokenGetter
NewGetterFromClient returns a ServiceAccountTokenGetter that uses the specified client to retrieve service accounts, pods, secrets and nodes. The client should NOT authenticate using a service account token that the returned getter will itself be used to retrieve: looking up that token would require authenticating with it first, and recursion will result.
Types ¶
type LegacySATokenCleaner ¶
type LegacySATokenCleaner struct {
// contains filtered or unexported fields
}
LegacySATokenCleaner is a controller that deletes legacy serviceaccount tokens that are not in use for a specified period of time.
func NewLegacySATokenCleaner ¶
func NewLegacySATokenCleaner(saInformer coreinformers.ServiceAccountInformer, secretInformer coreinformers.SecretInformer, podInformer coreinformers.PodInformer, client clientset.Interface, cl clock.Clock, options LegacySATokenCleanerOptions) (*LegacySATokenCleaner, error)
NewLegacySATokenCleaner returns a new *LegacySATokenCleaner.
func (*LegacySATokenCleaner) Run ¶
func (tc *LegacySATokenCleaner) Run(ctx context.Context)
type LegacySATokenCleanerOptions ¶
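// LegacySATokenCleanerOptions contains options for the LegacySATokenCleaner.
type LegacySATokenCleanerOptions struct {
	// CleanUpPeriod is the period of time since the last usage of a legacy
	// token before it can be deleted. A larger value leaves unused legacy
	// tokens in place, and therefore usable, for longer.
	CleanUpPeriod time.Duration

	// SyncInterval carries no comment in the listing; presumably it is how
	// often the cleaner re-evaluates tokens — confirm against Run.
	SyncInterval time.Duration
}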
LegacySATokenCleanerOptions contains options for the LegacySATokenCleaner.
type ServiceAccountsController ¶
type ServiceAccountsController struct {
// contains filtered or unexported fields
}
ServiceAccountsController manages ServiceAccount objects inside Namespaces
func NewServiceAccountsController ¶
func NewServiceAccountsController(saInformer coreinformers.ServiceAccountInformer, nsInformer coreinformers.NamespaceInformer, cl clientset.Interface, options ServiceAccountsControllerOptions) (*ServiceAccountsController, error)
NewServiceAccountsController returns a new *ServiceAccountsController.
func (*ServiceAccountsController) Run ¶
func (c *ServiceAccountsController) Run(ctx context.Context, workers int)
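Run runs the ServiceAccountsController and blocks until it receives a signal from stopCh. (The signature above takes ctx rather than a stop channel, so this presumably means cancellation of ctx.)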
type ServiceAccountsControllerOptions ¶
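// ServiceAccountsControllerOptions contains options for running a
// ServiceAccountsController.
type ServiceAccountsControllerOptions struct {
	// ServiceAccounts is the list of service accounts to ensure exist in every namespace.
	// NOTE(review): because these accounts are created in every namespace,
	// any permission bound to them by name applies wherever they exist —
	// keep the list minimal.
	ServiceAccounts []v1.ServiceAccount

	// ServiceAccountResync is the interval between full resyncs of ServiceAccounts.
	// If non-zero, all service accounts will be re-listed this often.
	// Otherwise, re-list will be delayed as long as possible (until the watch is closed or times out).
	ServiceAccountResync time.Duration

	// NamespaceResync is the interval between full resyncs of Namespaces.
	// If non-zero, all namespaces will be re-listed this often.
	// Otherwise, re-list will be delayed as long as possible (until the watch is closed or times out).
	NamespaceResync time.Duration
}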
ServiceAccountsControllerOptions contains options for running a ServiceAccountsController
func DefaultServiceAccountsControllerOptions ¶
func DefaultServiceAccountsControllerOptions() ServiceAccountsControllerOptions
DefaultServiceAccountsControllerOptions returns the default options for creating a ServiceAccountsController.
type TokensController ¶
type TokensController struct {
// contains filtered or unexported fields
}
TokensController manages ServiceAccountToken secrets for ServiceAccount objects
func NewTokensController ¶
func NewTokensController(logger klog.Logger, serviceAccounts informers.ServiceAccountInformer, secrets informers.SecretInformer, cl clientset.Interface, options TokensControllerOptions) (*TokensController, error)
NewTokensController returns a new *TokensController.
func (*TokensController) Run ¶
func (e *TokensController) Run(ctx context.Context, workers int)
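Run runs the controller and blocks until stopCh is closed. (The signature above takes ctx rather than a stop channel, so this presumably means cancellation of ctx.)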
type TokensControllerOptions ¶
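// TokensControllerOptions contains options for the TokensController.
type TokensControllerOptions struct {
	// TokenGenerator is the generator to use to create new tokens.
	TokenGenerator serviceaccount.TokenGenerator

	// ServiceAccountResync is the time.Duration at which to fully re-list service accounts.
	// If zero, re-list will be delayed as long as possible.
	ServiceAccountResync time.Duration

	// SecretResync is the time.Duration at which to fully re-list secrets.
	// If zero, re-list will be delayed as long as possible.
	SecretResync time.Duration

	// RootCA will be added in the secrets of service accounts.
	// NOTE(review): the value is copied into every token secret, so it
	// should hold only CA certificate data, never private key material —
	// confirm the expected encoding against the caller.
	RootCA []byte

	// MaxRetries controls the maximum number of times a particular key is retried before giving up.
	// If zero, a default max is used.
	MaxRetries int
}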
TokensControllerOptions contains options for the TokensController
Source Files ¶
doc.go legacy_serviceaccount_token_cleaner.go serviceaccounts_controller.go tokengetter.go tokens_controller.go
Directories ¶
Path | Synopsis |
---|---|
pkg/controller/serviceaccount/config | |
pkg/controller/serviceaccount/config/v1alpha1 |
- Version
- v1.33.0 (latest)
- Published
- Apr 23, 2025
- Platform
- linux/amd64
- Imports
- 27 packages