Documentation
Index
- Constants
- func WriteableVFSPaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]vfs.Path, error)
- type Condition
- type Policy
- type PolicyBuilder
- func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error)
- func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error)
- func (b *PolicyBuilder) BuildAWSPolicyBastion() (*Policy, error)
- func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error)
- func (b *PolicyBuilder) BuildAWSPolicyNode() (*Policy, error)
- func (b *PolicyBuilder) IAMPrefix() string
- func (b *PolicyBuilder) UseBootstrapTokens() bool
- type PolicyResource
- type Statement
- type StatementEffect
Constants
const PolicyDefaultVersion = "2012-10-17"
PolicyDefaultVersion is the default version included in all policy documents
Variables
This section is empty.
Functions
func WriteableVFSPaths
func WriteableVFSPaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]vfs.Path, error)
Types
type Condition
type Condition map[string]interface{}
Condition is a map of Conditions to be evaluated for a given IAM Statement
type Policy
type Policy struct {
	Version   string
	Statement []*Statement
}
Policy Struct is a collection of fields that form a valid AWS policy document
type PolicyBuilder
type PolicyBuilder struct {
	Cluster      *kops.Cluster
	HostedZoneID string
	KMSKeys      []string
	Region       string
	ResourceARN  *string
	Role         kops.InstanceGroupRole
}
PolicyBuilder struct defines all valid fields to be used when building the AWS IAM policy document for a given instance group role.
func (*PolicyBuilder) AddS3Permissions
func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error)
AddS3Permissions updates an IAM Policy with statements granting tailored access to S3 assets, depending on the instance group role
func (*PolicyBuilder) BuildAWSPolicy
func (b *PolicyBuilder) BuildAWSPolicy() (*Policy, error)
BuildAWSPolicy builds a set of IAM policy statements based on the instance group type and IAM Legacy flag within the Cluster Spec
func (*PolicyBuilder) BuildAWSPolicyBastion
func (b *PolicyBuilder) BuildAWSPolicyBastion() (*Policy, error)
BuildAWSPolicyBastion generates a custom policy for a bastion host.
func (*PolicyBuilder) BuildAWSPolicyMaster
func (b *PolicyBuilder) BuildAWSPolicyMaster() (*Policy, error)
BuildAWSPolicyMaster generates a custom policy for a Kubernetes master.
func (*PolicyBuilder) BuildAWSPolicyNode
func (b *PolicyBuilder) BuildAWSPolicyNode() (*Policy, error)
BuildAWSPolicyNode generates a custom policy for a Kubernetes node.
func (*PolicyBuilder) IAMPrefix
func (b *PolicyBuilder) IAMPrefix() string
IAMPrefix returns the prefix for AWS ARNs in the current region, for use with IAM. It is arn:aws everywhere except in cn-north and us-gov-west-1.
func (*PolicyBuilder) UseBootstrapTokens
func (b *PolicyBuilder) UseBootstrapTokens() bool
UseBootstrapTokens checks if we are using bootstrap tokens - @TODO, I don't like this; we should probably pass the kops model into the builder rather than duplicating the code. I'll leave it for another PR
type PolicyResource
type PolicyResource struct {
	Builder *PolicyBuilder
	DNSZone *awstasks.DNSZone
}
PolicyResource defines the PolicyBuilder and DNSZone to use when building the IAM policy document for a given instance group role
func (*PolicyResource) GetDependencies
func (b *PolicyResource) GetDependencies(tasks map[string]fi.Task) []fi.Task
GetDependencies adds the DNSZone task to the list of dependencies if set
type Statement
type Statement struct {
	Effect    StatementEffect
	Action    stringorslice.StringOrSlice
	Resource  stringorslice.StringOrSlice
	Condition Condition `json:",omitempty"`
}
Statement is an AWS IAM Policy Statement Object: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Statement
type StatementEffect
type StatementEffect string
StatementEffect is required and specifies what type of access the statement results in
const StatementEffectAllow StatementEffect = "Allow"
StatementEffectAllow allows access for the given resources in the statement (based on conditions)
const StatementEffectDeny StatementEffect = "Deny"
StatementEffectDeny denies access for the given resources in the statement (based on conditions)
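A least-privilege check over the JSON document shape that Policy and Statement describe, as an added example that is not part of the kops package. The types are local mirrors of the ones on this page, StringOrSlice is a simplified stand-in for kops' stringorslice.StringOrSlice, and AuditPolicy and sampleDoc are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StringOrSlice: local stand-in (assumption) for kops' stringorslice type; IAM allows a string or a list.
type StringOrSlice []string

func (s *StringOrSlice) UnmarshalJSON(b []byte) error {
	if len(b) > 0 && b[0] == '"' { // bare string: wrap it as a one-element array
		b = append(append([]byte{'['}, b...), ']')
	}
	return json.Unmarshal(b, (*[]string)(s))
}

// Statement mirrors the field layout of the Statement type shown on this page.
type Statement struct {
	Effect           string
	Action, Resource StringOrSlice
	Condition        map[string]interface{}
}

// sampleDoc is a constructed policy document, not output captured from kops.
const sampleDoc = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"ec2:*","Resource":"*"},
 {"Effect":"Allow","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::example-bucket/*"]},
 {"Effect":"Allow","Action":["kms:*"],"Resource":["*"],"Condition":{"Bool":{"aws:SecureTransport":"true"}}}]}`

// AuditPolicy flags unconditional Allow statements pairing a wildcard action ("*" or "service:*") with Resource "*".
func AuditPolicy(doc string) (out []string, err error) {
	var p struct{ Statement []Statement }
	if err = json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	for i, st := range p.Statement {
		open := st.Effect == "Allow" && len(st.Condition) == 0
		for _, a := range st.Action {
			for _, r := range st.Resource {
				if open && r == "*" && (a == "*" || strings.HasSuffix(a, ":*")) {
					out = append(out, fmt.Sprintf("statement %d: %s", i, a))
				}
			}
		}
	}
	return out, nil
}
func main() { fmt.Println(AuditPolicy(sampleDoc)) }
```

Run against the sample, only the first statement is reported: the second is scoped to one bucket prefix and the third carries a Condition.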