Documentation ¶
Index ¶
- func BreakdownRule(rule rbacv1.PolicyRule) []rbacv1.PolicyRule
- func CompactRules(rules []rbacv1.PolicyRule) ([]rbacv1.PolicyRule, error)
- func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleResolver, ...) error
- func ConfirmNoEscalationInternal(ctx context.Context, ruleResolver AuthorizationRuleResolver, ...) error
- func Covers(ownerRules, servantRules []rbacv1.PolicyRule) (bool, []rbacv1.PolicyRule)
- func NewTestRuleResolver(roles []*rbacv1.Role, roleBindings []*rbacv1.RoleBinding, ...) (AuthorizationRuleResolver, *StaticRoles)
- type AuthorizationRuleResolver
- type ClusterRoleBindingLister
- type ClusterRoleGetter
- type DefaultRuleResolver
- func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error)
- func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)
- func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, ...)
- type RoleBindingLister
- type RoleGetter
- type StaticRoles
- func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
- func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)
- func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
- func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BreakdownRule ¶
func BreakdownRule(rule rbacv1.PolicyRule) []rbacv1.PolicyRule
BreadownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one resource, and one resource name
func CompactRules ¶
func CompactRules(rules []rbacv1.PolicyRule) ([]rbacv1.PolicyRule, error)
CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. this is a fast check, and works well with the decomposed "missing rules" list from a Covers check.
func ConfirmNoEscalation ¶
func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleResolver, rules []rbacv1.PolicyRule) error
ConfirmNoEscalation determines if the roles for a given user in a given namespace encompass the provided role.
func ConfirmNoEscalationInternal ¶
func ConfirmNoEscalationInternal(ctx context.Context, ruleResolver AuthorizationRuleResolver, inRules []rbac.PolicyRule) error
func Covers ¶
func Covers(ownerRules, servantRules []rbacv1.PolicyRule) (bool, []rbacv1.PolicyRule)
Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.
func NewTestRuleResolver ¶
func NewTestRuleResolver(roles []*rbacv1.Role, roleBindings []*rbacv1.RoleBinding, clusterRoles []*rbacv1.ClusterRole, clusterRoleBindings []*rbacv1.ClusterRoleBinding) (AuthorizationRuleResolver, *StaticRoles)
NewTestRuleResolver returns a rule resolver from lists of role objects.
Types ¶
type AuthorizationRuleResolver ¶
type AuthorizationRuleResolver interface { // GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namespace // of the role binding, the empty string if a cluster role binding. GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error) // RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of // PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations // can be made on the basis of those rules that are found. RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error) // VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. // If visitor() returns false, visiting is short-circuited. VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) }
type ClusterRoleBindingLister ¶
type ClusterRoleBindingLister interface {
ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
}
type ClusterRoleGetter ¶
type ClusterRoleGetter interface {
GetClusterRole(name string) (*rbacv1.ClusterRole, error)
}
type DefaultRuleResolver ¶
type DefaultRuleResolver struct {
// contains filtered or unexported fields
}
func NewDefaultRuleResolver ¶
func NewDefaultRuleResolver(roleGetter RoleGetter, roleBindingLister RoleBindingLister, clusterRoleGetter ClusterRoleGetter, clusterRoleBindingLister ClusterRoleBindingLister) *DefaultRuleResolver
func (*DefaultRuleResolver) GetRoleReferenceRules ¶
func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error)
GetRoleReferenceRules attempts to resolve the RoleBinding or ClusterRoleBinding.
func (*DefaultRuleResolver) RulesFor ¶
func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)
type RoleBindingLister ¶
type RoleBindingLister interface {
ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
}
type RoleGetter ¶
type StaticRoles ¶
type StaticRoles struct {
// contains filtered or unexported fields
}
StaticRoles is a rule resolver that resolves from lists of role objects.
func (*StaticRoles) GetClusterRole ¶
func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
func (*StaticRoles) GetRole ¶
func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)
func (*StaticRoles) ListClusterRoleBindings ¶
func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
func (*StaticRoles) ListRoleBindings ¶
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)