Documentation
Index
- func BumpClusterImageRoleAuthorizations(req router.Request, _ router.Response) error
- func BumpImageRoleAuthorizations(req router.Request, _ router.Response) error
- func CheckConsumerPermsAuthorized(ctx context.Context, c kclient.Client, appInstance *v1.AppInstance, ...) ([]v1.Permissions, error)
- func CheckPermissions(req router.Request, _ router.Response) error
- func ConsumerPermissions(req router.Request, resp router.Response) error
- func CopyPromoteStagedAppImage(req router.Request, resp router.Response) error
- func GetAppScopedPermissions(app *v1.AppInstance, appSpec *v1.AppSpec) []v1.Permissions
- func GetConsumerPermissions(ctx context.Context, c kclient.Client, appInstance *v1.AppInstance, ...) (result v1.Permissions, _ error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func BumpClusterImageRoleAuthorizations added in v0.9.0
BumpClusterImageRoleAuthorizations will bump the failing apps covered by a cluster image role authorization such that the app will be re-evaluated for image permissions.
func BumpImageRoleAuthorizations added in v0.9.0
BumpImageRoleAuthorizations will bump the failing apps covered by an image role authorization such that the app will be re-evaluated for image permissions.
func CheckConsumerPermsAuthorized added in v0.9.0
func CheckConsumerPermsAuthorized(ctx context.Context, c kclient.Client, appInstance *v1.AppInstance, consumedPerms []v1.Permissions) ([]v1.Permissions, error)
func CheckPermissions added in v0.9.0
CheckPermissions checks various things related to permissions:
a) if the image is allowed by the image allow rules (if enabled)
b) [if ImageRoleAuthorizations are enabled] if the authorized permissions for the appImage cover the permissions granted explicitly by the user or implicitly to the image (Authorized >= Granted)
c) if the permissions granted by the user or implicitly to the image cover the permissions requested by the app (Granted >= Requested)
*Note*: One thing that we do not cover here is permissions consumed from a service. Since that's dynamic and we cannot know the generated permissions at this point, the IRA check (if enabled) will happen later, just before the actual Kubernetes resources get applied (once the service instances are ready).
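The ordering Authorized >= Granted >= Requested from checks b) and c), sketched as an added example that is not this package's own code. `Rule`, `Set`, `Uncovered`, `Result`, `Check` and the `iraEnabled` flag are hypothetical simplifications that treat each permission as one exact (API group, resource, verb) tuple; the sample values are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is a hypothetical, simplified permission (not the package's v1.Permissions type).
type Rule struct{ APIGroup, Resource, Verb string }

// Set is a set of rules.
type Set map[Rule]bool

// Uncovered returns the rules in want that have does not contain (sorted).
func Uncovered(have, want Set) []Rule {
	var out []Rule
	for r := range want {
		if !have[r] {
			out = append(out, r)
		}
	}
	sort.Slice(out, func(i, j int) bool { return fmt.Sprint(out[i]) < fmt.Sprint(out[j]) })
	return out
}

// Result holds what each check found lacking.
type Result struct {
	Denied  []Rule // check b): granted but not authorized for the image
	Missing []Rule // check c): requested but not granted
}

// Check runs b) only when iraEnabled (an assumed flag) is set, and c) always.
func Check(authorized, granted, requested Set, iraEnabled bool) Result {
	var res Result
	if iraEnabled {
		res.Denied = Uncovered(authorized, granted)
	}
	res.Missing = Uncovered(granted, requested)
	return res
}

func main() {
	get := Rule{"", "secrets", "get"}
	list := Rule{"", "secrets", "list"}
	del := Rule{"apps", "deployments", "delete"}
	// Constructed sample: the user granted more than the image is authorized for.
	res := Check(Set{get: true}, Set{get: true, list: true}, Set{get: true, list: true, del: true}, true)
	fmt.Printf("denied=%v missing=%v\n", res.Denied, res.Missing)
}
```

An empty `Denied` and `Missing` is the only outcome in which both coverage checks pass; permissions consumed from services are outside this sketch, as the note above says they are checked later.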
func ConsumerPermissions added in v0.9.0
func CopyPromoteStagedAppImage
CopyPromoteStagedAppImage copies the staged app image to the app image if:
- the staged app image is set
- the permissions have been checked
- there are no missing permissions
- there are no image permissions denied (if ImageRoleAuthorizations are enabled)
- the image is allowed by the image allow rules (if enabled)
func GetAppScopedPermissions added in v0.9.0
func GetAppScopedPermissions(app *v1.AppInstance, appSpec *v1.AppSpec) []v1.Permissions
func GetConsumerPermissions added in v0.9.0
func GetConsumerPermissions(ctx context.Context, c kclient.Client, appInstance *v1.AppInstance, containerName string, container v1.Container) (result v1.Permissions, _ error)
GetConsumerPermissions returns the permissions for a given container augmented with permissions from any services it depends on that expose consumer permissions.
Types
This section is empty.