kubernetesk8s.io/kubernetes/plugin/pkg/admission/serviceaccount Index | Files

package serviceaccount

import "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"

Package serviceaccount enforces all pods having an associated serviceaccount, and all containers mounting the API token for that serviceaccount at a known location

Index

Constants 

const (
	// DefaultServiceAccountName is the name of the default service account to set on pods which do not specify a service account
	DefaultServiceAccountName = "default"

	// EnforceMountableSecretsAnnotation is a default annotation that indicates that a service account should enforce mountable secrets.
	// The value must be true to have this annotation take effect
	EnforceMountableSecretsAnnotation = "kubernetes.io/enforce-mountable-secrets"

	// ServiceAccountVolumeName is the prefix name that will be added to volumes that mount ServiceAccount secrets
	ServiceAccountVolumeName = "kube-api-access"

	// DefaultAPITokenMountPath is the path that ServiceAccountToken secrets are automounted to.
	// The token file would then be accessible at /var/run/secrets/kubernetes.io/serviceaccount
	DefaultAPITokenMountPath = "/var/run/secrets/kubernetes.io/serviceaccount"

	// PluginName is the name of this admission plugin
	PluginName = "ServiceAccount"
)

Functions

func Register 

func Register(plugins *admission.Plugins)

Register registers a plugin

func TokenVolumeSource 

func TokenVolumeSource() *api.ProjectedVolumeSource

TokenVolumeSource returns the projected volume source for service account token.

Types

type Plugin 

type Plugin struct {
	*admission.Handler

	// LimitSecretReferences rejects pods that reference secrets their service accounts do not reference
	LimitSecretReferences bool
	// MountServiceAccountToken creates Volume and VolumeMounts for the first referenced ServiceAccountToken for the pod's service account
	MountServiceAccountToken bool
	// contains filtered or unexported fields
}

Plugin contains the client used by the admission controller

func NewServiceAccount 

func NewServiceAccount() *Plugin

NewServiceAccount returns an admission.Interface implementation which limits admission of Pod CREATE requests based on the pod's ServiceAccount: 1. If the pod does not specify a ServiceAccount, it sets the pod's ServiceAccount to "default" 2. It ensures the ServiceAccount referenced by the pod exists 3. If LimitSecretReferences is true, it rejects the pod if the pod references Secret objects which the pod's ServiceAccount does not reference 4. If the pod does not contain any ImagePullSecrets, the ImagePullSecrets of the service account are added. 5. If MountServiceAccountToken is true, it adds a VolumeMount with the pod's ServiceAccount's api token secret to containers

func (*Plugin) Admit 

func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)

Admit verifies if the pod should be admitted

func (*Plugin) SetExternalKubeClientSet 

func (s *Plugin) SetExternalKubeClientSet(cl kubernetes.Interface)

SetExternalKubeClientSet sets the client for the plugin

func (*Plugin) SetExternalKubeInformerFactory 

func (s *Plugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory)

SetExternalKubeInformerFactory registers informers with the plugin

func (*Plugin) Validate 

func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) (err error)

Validate the data we obtained

func (*Plugin) ValidateInitialization 

func (s *Plugin) ValidateInitialization() error

ValidateInitialization ensures an authorizer is set.

Source Files

admission.go doc.go

Version
v1.33.0 (latest)
Published
Apr 23, 2025
Platform
linux/amd64
Imports
21 packages
Last checked
5 hours ago

Tools for package owners.