package node
import "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
Index ¶
- func AddGraphEventHandlers(graph *Graph, pods coreinformers.PodInformer, pvs coreinformers.PersistentVolumeInformer)
- func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacapi.PolicyRule) authorizer.Authorizer
- type Graph
- func NewGraph() *Graph
- func (g *Graph) AddPV(pv *api.PersistentVolume)
- func (g *Graph) AddPod(pod *api.Pod)
- func (g *Graph) DeletePV(name string)
- func (g *Graph) DeletePod(name, namespace string)
- type NodeAuthorizer
Functions ¶
func AddGraphEventHandlers ¶
func AddGraphEventHandlers(graph *Graph, pods coreinformers.PodInformer, pvs coreinformers.PersistentVolumeInformer)
func NewAuthorizer ¶
func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacapi.PolicyRule) authorizer.Authorizer
NewAuthorizer returns a new node authorizer
Types ¶
type Graph ¶
type Graph struct {
// contains filtered or unexported fields
}
Graph holds graph vertices and a way to look up a vertex for a particular API type/namespace/name. All edges point toward the vertices representing Kubernetes nodes:
node <- pod
pod <- secret,configmap,pvc
pvc <- pv
pv <- secret
func NewGraph ¶
func NewGraph() *Graph
func (*Graph) AddPV ¶
func (g *Graph) AddPV(pv *api.PersistentVolume)
AddPV sets up edges for the following relationships:
secret -> pv
pv -> pvc
func (*Graph) AddPod ¶
AddPod should only be called once spec.NodeName is populated. It sets up edges for the following relationships (which are immutable for a pod once bound to a node):
pod -> node
secret -> pod
configmap -> pod
pvc -> pod
func (*Graph) DeletePV ¶
func (*Graph) DeletePod ¶
type NodeAuthorizer ¶
type NodeAuthorizer struct {
// contains filtered or unexported fields
}
NodeAuthorizer authorizes requests from kubelets, with the following logic:
- If a request is not from a node (IdentifyNode() returns isNode=false), reject
- If a specific node cannot be identified (IdentifyNode() returns nodeName=""), reject
- If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node:
  node <- pod
  node <- pod <- secret
  node <- pod <- configmap
  node <- pod <- pvc
  node <- pod <- pvc <- pv
  node <- pod <- pvc <- pv <- secret
- For other resources, authorize all nodes uniformly using statically defined rules
func (*NodeAuthorizer) Authorize ¶
func (r *NodeAuthorizer) Authorize(attrs authorizer.Attributes) (bool, string, error)
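Worked example, added here and not taken from the kubernetes package: a self-contained Go model of the Graph edge construction described under AddPod and AddPV together with the NodeAuthorizer decision rules above. The pod, pv and attributes types, the system:node: prefix check standing in for nodeidentifier.NodeIdentifier, the staticRules map standing in for the rbacapi.PolicyRule slice, and the cluster state built by exampleGraph are all assumptions for illustration, not the real API types or rule set.

```go
package main

import (
	"fmt"
	"strings"
)

// vertexKey identifies a vertex by kind, namespace and name; cluster-scoped kinds
// (node, pv) use an empty namespace. graph holds directed edges and, as in the
// package doc, every edge points toward a node vertex:
// secret/configmap/pvc -> pod -> node and secret -> pv -> pvc.
type vertexKey struct{ kind, namespace, name string }
type graph struct{ edges map[vertexKey][]vertexKey }

func (g *graph) addEdge(from, to vertexKey) { g.edges[from] = append(g.edges[from], to) }

// pod and pv are assumed stand-ins for api.Pod and api.PersistentVolume.
type pod struct {
	namespace, name, nodeName string
	refs                      []vertexKey // secret, configmap and pvc vertices the pod uses
}
type pv struct{ name, claimNamespace, claimName, secretNamespace, secretName string }

// addPod mirrors Graph.AddPod: edges are only recorded once the pod is bound to a node.
func (g *graph) addPod(p pod) {
	if p.nodeName == "" {
		return
	}
	podKey := vertexKey{"pod", p.namespace, p.name}
	g.addEdge(podKey, vertexKey{"node", "", p.nodeName})
	for _, r := range p.refs {
		g.addEdge(r, podKey)
	}
}

// addPV mirrors Graph.AddPV: secret -> pv and pv -> pvc (via the claimRef).
func (g *graph) addPV(v pv) {
	pvKey := vertexKey{"pv", "", v.name}
	if v.claimName != "" {
		g.addEdge(pvKey, vertexKey{"pvc", v.claimNamespace, v.claimName})
	}
	if v.secretName != "" {
		g.addEdge(vertexKey{"secret", v.secretNamespace, v.secretName}, pvKey)
	}
}

// reaches is a depth-first search from start to target along the edges.
func (g *graph) reaches(start, target vertexKey, seen map[vertexKey]bool) bool {
	if start == target {
		return true
	}
	if seen[start] {
		return false
	}
	seen[start] = true
	for _, next := range g.edges[start] {
		if g.reaches(next, target, seen) {
			return true
		}
	}
	return false
}

// attributes is a cut-down authorizer.Attributes. graphResources maps the graph-checked
// resources to vertex kinds; staticRules is an assumed stand-in for the PolicyRule slice.
type attributes struct{ user, verb, resource, namespace, name string }

var graphResources = map[string]string{"secrets": "secret", "configmaps": "configmap",
	"persistentvolumeclaims": "pvc", "persistentvolumes": "pv"}
var staticRules = map[string]map[string]bool{"nodes": {"get": true, "list": true, "watch": true}}

// authorize applies the rules from the NodeAuthorizer doc comment. The identity check
// stands in for nodeidentifier.NodeIdentifier: the user must be system:node:<name>
// (the real identifier also requires the system:nodes group, omitted here).
func (g *graph) authorize(a attributes) (bool, string) {
	nodeName := strings.TrimPrefix(a.user, "system:node:")
	if nodeName == a.user || nodeName == "" {
		return false, "request is not from an identifiable node"
	}
	kind, graphChecked := graphResources[a.resource]
	if !graphChecked {
		return staticRules[a.resource][a.verb], "static rules"
	}
	if a.verb != "get" {
		return false, "only get is allowed for " + a.resource
	}
	if !g.reaches(vertexKey{kind, a.namespace, a.name}, vertexKey{"node", "", nodeName}, map[vertexKey]bool{}) {
		return false, a.resource + " " + a.namespace + "/" + a.name + " is not related to node " + nodeName
	}
	return true, ""
}

// exampleGraph builds a constructed state: pod web on node-a uses secret db-creds and
// claim data (bound to PV vol-1, which uses secret pv-secret); pod batch runs on node-b.
func exampleGraph() *graph {
	g := &graph{edges: map[vertexKey][]vertexKey{}}
	g.addPod(pod{"default", "web", "node-a", []vertexKey{{"secret", "default", "db-creds"}, {"pvc", "default", "data"}}})
	g.addPod(pod{"default", "batch", "node-b", []vertexKey{{"secret", "default", "batch-token"}}})
	g.addPV(pv{"vol-1", "default", "data", "default", "pv-secret"})
	return g
}

func main() {
	g := exampleGraph()
	// node-a reaches pv-secret through secret -> pv -> pvc -> pod -> node; node-b does not.
	fmt.Println(g.authorize(attributes{"system:node:node-a", "get", "secrets", "default", "pv-secret"}))
	fmt.Println(g.authorize(attributes{"system:node:node-b", "get", "secrets", "default", "pv-secret"}))
}
```

The point of the graph is least privilege for kubelet credentials: a node can only get the secrets, configmaps, PVCs and PVs already referenced by pods bound to it, and list or watch on those resources is refused even for related objects, so a compromised node cannot enumerate the cluster's secrets. Since the graph is populated from the pod and PV informers (AddGraphEventHandlers), a decision is only as current as those informer caches.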
Source Files ¶
graph.go graph_populator.go node_authorizer.go
- Version
- v1.8.1
- Published
- Oct 11, 2017
- Imports
- 16 packages