Documentation ¶
Index ¶
- func BreakdownRule(rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule
- func CompactRules(rules []authorizationapi.PolicyRule) ([]authorizationapi.PolicyRule, error)
- func ConfirmNoEscalation(ctx kapi.Context, resource unversioned.GroupResource, name string, ...) error
- func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []authorizationapi.PolicyRule)
- type AuthorizationRuleResolver
- type BindingLister
- type ClusterBindingLister
- type ClusterPolicyGetter
- type DefaultRuleResolver
- func (a *DefaultRuleResolver) GetEffectivePolicyRules(ctx kapi.Context) ([]authorizationapi.PolicyRule, error)
- func (a *DefaultRuleResolver) GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error)
- func (a *DefaultRuleResolver) GetRoleBindings(ctx kapi.Context) ([]authorizationinterfaces.RoleBinding, error)
- type PolicyGetter
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BreakdownRule ¶ added in v1.3.0
func BreakdownRule(rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule
BreakdownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one resource, and one resource name
func CompactRules ¶ added in v1.3.0
func CompactRules(rules []authorizationapi.PolicyRule) ([]authorizationapi.PolicyRule, error)
CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. this is a fast check, and works well with the decomposed "missing rules" list from a Covers check.
func ConfirmNoEscalation ¶ added in v1.1.4
func ConfirmNoEscalation(ctx kapi.Context, resource unversioned.GroupResource, name string, ruleResolver AuthorizationRuleResolver, role authorizationinterfaces.Role) error
func Covers ¶
func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []authorizationapi.PolicyRule)
Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.
Types ¶
type AuthorizationRuleResolver ¶
type AuthorizationRuleResolver interface { GetRoleBindings(ctx kapi.Context) ([]authorizationinterfaces.RoleBinding, error) GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error) // GetEffectivePolicyRules returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of // PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations // can be made on the basis of those rules that are found. GetEffectivePolicyRules(ctx kapi.Context) ([]authorizationapi.PolicyRule, error) }
type BindingLister ¶
type BindingLister interface {
ListPolicyBindings(ctx kapi.Context, options *kapi.ListOptions) (*authorizationapi.PolicyBindingList, error)
}
type ClusterBindingLister ¶ added in v0.6.2
type ClusterBindingLister interface {
ListClusterPolicyBindings(ctx kapi.Context, options *kapi.ListOptions) (*authorizationapi.ClusterPolicyBindingList, error)
}
type ClusterPolicyGetter ¶ added in v0.6.2
type ClusterPolicyGetter interface {
GetClusterPolicy(ctx kapi.Context, id string) (*authorizationapi.ClusterPolicy, error)
}
type DefaultRuleResolver ¶
type DefaultRuleResolver struct {
// contains filtered or unexported fields
}
func NewDefaultRuleResolver ¶
func NewDefaultRuleResolver(policyGetter PolicyGetter, bindingLister BindingLister, clusterPolicyGetter ClusterPolicyGetter, clusterBindingLister ClusterBindingLister) *DefaultRuleResolver
func (*DefaultRuleResolver) GetEffectivePolicyRules ¶
func (a *DefaultRuleResolver) GetEffectivePolicyRules(ctx kapi.Context) ([]authorizationapi.PolicyRule, error)
GetEffectivePolicyRules returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.
func (*DefaultRuleResolver) GetRole ¶
func (a *DefaultRuleResolver) GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error)
func (*DefaultRuleResolver) GetRoleBindings ¶
func (a *DefaultRuleResolver) GetRoleBindings(ctx kapi.Context) ([]authorizationinterfaces.RoleBinding, error)