...
There is also support for Istio in client-go: Istio client-go
package main
import (
"context"
"bytes"
"fmt"
"os"
"log"
"path/filepath"
k8Yaml "k8s.io/apimachinery/pkg/util/yaml"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientcmd "k8s.io/client-go/tools/clientcmd"
versioned "istio.io/client-go/pkg/clientset/versioned"
betav1 "istio.io/client-go/pkg/apis/security/v1beta1"
)
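const (
	// NAMESPACE is the namespace the AuthorizationPolicy client is scoped to.
	// Keep it identical to metadata.namespace in authorizationPolicyManifest;
	// the API server is expected to reject an object whose namespace differs
	// from the namespace of the request.
	NAMESPACE = "default"
)

// authorizationPolicyManifest is the Istio AuthorizationPolicy submitted by
// createAuthorizationPolicy. YAML nesting is significant: spec, rules and the
// from/to/when clauses only carry their meaning when indented as below.
//
// What the policy states:
//   - It selects workloads labelled apptype=nonrtric-pms and uses action ALLOW.
//     Once an ALLOW policy selects a workload, requests that match no ALLOW
//     rule are denied, so this manifest is the full allow-list for that label.
//   - A request must satisfy from, to and when together.
//   - from.source.principals is the peer identity (service account goclient in
//     namespace default). That identity comes from mutual TLS, so the rule
//     cannot match plaintext traffic.
//   - when.key request.auth.claims[role] is taken from a validated JWT. It is
//     only populated when a RequestAuthentication covers the workload; without
//     one the condition never matches and every request is denied.
//   - paths and hosts use a trailing "*" prefix match; review them against the
//     routes the service actually exposes.
const authorizationPolicyManifest = `
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "pms-policy"
  namespace: default
spec:
  selector:
    matchLabels:
      apptype: nonrtric-pms
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/goclient"]
    to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
        paths: ["/a1-policy*"]
        hosts: ["a1-policy*"]
        ports: ["8080"]
    when:
    - key: request.auth.claims[role]
      values: ["pms_admin"]
`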
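// connectToK8s builds an Istio clientset from the kubeconfig found at
// $HOME/.kube/config, using /root as the home directory when HOME is unset.
// Any failure is fatal: the process exits through log.Fatalf, so a non-nil
// clientset is always returned to the caller.
func connectToK8s() *versioned.Clientset {
	home, ok := os.LookupEnv("HOME")
	if !ok {
		home = "/root"
	}
	configPath := filepath.Join(home, ".kube", "config")

	// The credentials in this kubeconfig decide what the program may do in the
	// cluster. Creating AuthorizationPolicy objects changes who can reach a
	// workload, so run this with an identity scoped to that resource rather
	// than a cluster-admin context.
	config, err := clientcmd.BuildConfigFromFlags("", configPath)
	if err != nil {
		// Report the path and the cause; a bare "failed" hides whether the file
		// was missing, unreadable or malformed.
		log.Fatalf("failed to create K8s config from %s: %s", configPath, err)
	}

	ic, err := versioned.NewForConfig(config)
	if err != nil {
		log.Fatalf("Failed to create istio client: %s", err)
	}
	return ic
}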
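// createAuthorizationPolicy decodes authorizationPolicyManifest into an Istio
// AuthorizationPolicy and creates it in NAMESPACE through the given clientset.
// It prints the name of the created object on success and exits the process
// through log.Fatalf on a decode or API error, matching connectToK8s.
func createAuthorizationPolicy(clientset *versioned.Clientset) {
	authClient := clientset.SecurityV1beta1().AuthorizationPolicies(NAMESPACE)

	auth := &betav1.AuthorizationPolicy{}
	dec := k8Yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(authorizationPolicyManifest)), 1000)
	// Stop on a decode failure. Carrying on would submit a zero-value or
	// partially decoded access-control object, and a policy that reaches the
	// cluster with missing rules does not mean what the manifest says.
	if err := dec.Decode(auth); err != nil {
		log.Fatalf("failed to decode authorization policy manifest: %s", err)
	}

	// Create fails if the object already exists, so a second run against the
	// same cluster is expected to end here with an error instead of silently
	// replacing the policy that is in force.
	result, err := authClient.Create(context.TODO(), auth, metav1.CreateOptions{})
	if err != nil {
		log.Fatalf("failed to create authorization policy: %s", err)
	}
	fmt.Printf("Create Authorization Policy %s \n", result.GetName())
}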
// main obtains an Istio clientset from the local kubeconfig and uses it to
// submit the AuthorizationPolicy defined in authorizationPolicyManifest.
func main() {
	createAuthorizationPolicy(connectToK8s())
}
Keycloak also has a client called gocloak
...