A library to allow the querying of up-to-date cluster resources and objects designed to provide library users better resiliency and error flow options.

kubefun/k8s-resource-client

k8s-resource-client

The goal of the k8s-resource-client library is to create an out-of-cluster client experience that makes it easy to query up-to-date resources from a Kubernetes cluster while dealing with the class of concerns around API authorization. To do this, the client has two modes of operation: auto and explicit. In both cases, the auth.v1.SelfSubjectAccessReview API is used to validate that a minimal set of access is granted for a resource. If that minimal access is not allowed with the currently configured credentials, the resource is marked as FailedSubjectAccessReview, and attempts to fetch object(s) for that resource endpoint return a nil response and a typed error containing the details of the failure.

Draft Spec

Namespaces

Namespaces are treated as a special resource and can have their mode set to auto (default) or explicit independently of the mode set for other resources.

Modes of Operation

The minimal RBAC requirements for this client are the List and Watch verbs for the resource you wish to view objects for. By default, the client will attempt to validate the minimal RBAC requirements by issuing a SelfSubjectAccessReview request for a resource. This behavior may be explicitly skipped by the user.

Auto (default)

In auto mode, the client makes a best-effort attempt to discover Kubernetes resources. After discovering the resources, a subject access review is created for every discovered resource unless that behavior has been explicitly disabled.

Explicit

In explicit mode, the client is provided a list of resources. An attempt to query any resource not configured when in explicit mode will produce a ResourceNotSynced error. For each resource listed, a subject access review is created unless that behavior has been explicitly disabled.
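
The explicit-mode flow described above, modeled in Go as an added example (not code from this repository). Every type, function and error name is hypothetical, and the `review` callback stands in for a real SelfSubjectAccessReview request, with a constructed policy in `main`.

```go
package main

import (
	"errors"
	"fmt"
)

// All names here are hypothetical: a model of the README's flow, not the library's API.
var ErrResourceNotSynced = errors.New("ResourceNotSynced")
// FailedSubjectAccessReview is the typed error carrying the details of a denial.
type FailedSubjectAccessReview struct{ Resource, Verb, Reason string }
func (e *FailedSubjectAccessReview) Error() string { return e.Verb + " " + e.Resource + ": " + e.Reason }

// Client maps each configured resource to its review result (nil means allowed).
type Client map[string]error

// NewExplicit checks list and watch per resource; review stands in for a SelfSubjectAccessReview.
func NewExplicit(review func(resource, verb string) (bool, string), resources ...string) Client {
	c := Client{}
	for _, res := range resources {
		c[res] = nil
		for _, verb := range []string{"list", "watch"} {
			if ok, why := review(res, verb); !ok {
				c[res] = &FailedSubjectAccessReview{res, verb, why}
				break
			}
		}
	}
	return c
}

// List gates fetch: an unconfigured or failed resource yields nil and a typed error.
func (c Client) List(resource string, fetch func() []string) ([]string, error) {
	switch err, ok := c[resource]; {
	case !ok:
		return nil, fmt.Errorf("%s: %w", resource, ErrResourceNotSynced)
	case err != nil:
		return nil, err
	}
	return fetch(), nil
}

func main() { // constructed policy: only watch on secrets is denied
	rv := func(res, verb string) (bool, string) { return res != "secrets" || verb != "watch", "RBAC denied (constructed)" }
	c := NewExplicit(rv, "pods", "secrets")
	for _, r := range []string{"pods", "secrets", "nodes"} {
		fmt.Println(c.List(r, func() []string { return []string{r + "-0"} }))
	}
}
```

Callers can branch on the failure with `errors.As` for the access-review denial and `errors.Is` for the unconfigured resource, so a denied resource degrades one view instead of failing the whole client.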

Configurable Options

  • namespaces: auto, explicit
  • namespace-scoped-resources: auto, explicit
  • cluster-scoped-resources: auto, explicit
  • refresh-subject-access-interval: default 5m
