rbac

package
v1.1.2-rc.1 Latest Latest
Published: Dec 23, 2024 License: Apache-2.0 Imports: 13 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildNormalizedPolicyRulesMap

func BuildNormalizedPolicyRulesMap(
	rules []rbacv1.PolicyRule,
	opts *PolicyRuleNormalizationOptions,
) (map[string]rbacv1.PolicyRule, error)

BuildNormalizedPolicyRulesMap returns a map of Normalized PolicyRules built from the provided slice of PolicyRules. The map is keyed by the combination of group, resource, and, if applicable, resourceName, as derived by the RuleKey() function. If the provided PolicyRules include wildcards in their APIGroups or Resources, this function returns an error; only wildcard verbs are expanded. Provided PolicyRules are split or combined as necessary so that each rule references a single APIGroup, a single Resource, and at most a single ResourceName, with wildcard verbs expanded and all applicable verbs de-duplicated and sorted. Whether expansion of the "*" verb includes Kargo's custom verbs is controlled by opts.IncludeCustomVerbsInExpansion.

func NormalizePolicyRules

func NormalizePolicyRules(
	rules []rbacv1.PolicyRule,
	opts *PolicyRuleNormalizationOptions,
) ([]rbacv1.PolicyRule, error)

NormalizePolicyRules returns a predictably ordered slice of Normalized PolicyRules built from the provided slice of PolicyRules. If the provided PolicyRules include wildcards in their APIGroups or Resources, this function returns an error; only wildcard verbs are expanded. Provided PolicyRules are split or combined as necessary so that each rule references a single APIGroup, a single Resource, and at most a single ResourceName, with wildcard verbs expanded and all applicable verbs de-duplicated and sorted. Whether expansion of the "*" verb includes Kargo's custom verbs is controlled by opts.IncludeCustomVerbsInExpansion.

func PolicyRulesMapToSlice

func PolicyRulesMapToSlice(rulesMap map[string]rbacv1.PolicyRule) []rbacv1.PolicyRule

PolicyRulesMapToSlice returns a slice of PolicyRules built from the provided map.

func ResourcesToRole

func ResourcesToRole(
	sa *corev1.ServiceAccount,
	roles []rbacv1.Role,
	rbs []rbacv1.RoleBinding,
) (*rbacapi.Role, error)

ResourcesToRole converts the provided ServiceAccount, Roles, and RoleBindings into a Kargo Role with normalized policy rules. If the ServiceAccount is nil, the returned Kargo Role is nil.

func RoleToResources

func RoleToResources(
	kargoRole *rbacapi.Role,
) (*corev1.ServiceAccount, *rbacv1.Role, *rbacv1.RoleBinding, error)

RoleToResources converts the provided Kargo Role into a ServiceAccount/Role/RoleBinding trio.

func RuleKey

func RuleKey(group, resource, resourceName string) string

RuleKey returns a single string that combines the provided group, resource, and, if non-empty, resourceName. This key is suitable for use as a key in a map of RBAC PolicyRules, e.g. the map produced by BuildNormalizedPolicyRulesMap.

Types

type PolicyRuleNormalizationOptions added in v1.1.0

type PolicyRuleNormalizationOptions struct {
	// IncludeCustomVerbsInExpansion indicates whether custom verbs (like
	// "promote" for Stages) should be included in the expansion of the "*"
	// wildcard verb. This is optional because when normalizing PolicyRules with
	// the intent to create or update a Role, this is how we would like "*" to be
	// interpreted. However, when normalizing PolicyRules with the intent to
	// display them to the user, we will not want to expand "*" to include custom
	// verbs because Kubernetes' own interpretation of "*" does not include custom
	// verbs.
	//
	// NOTE(review): because the two modes expand "*" differently, the verb list
	// shown to a user for a "*" rule can be narrower than the one written to the
	// underlying Role when the same rule is applied. Confirm that each caller
	// selects the mode matching its intent (persist vs. display).
	IncludeCustomVerbsInExpansion bool
}

type RolesDatabase

// RolesDatabase is an interface for the Kargo Roles store. A Kargo Role is
// backed by a ServiceAccount/Role/RoleBinding trio in Kubernetes.
//
// Several mutating methods below refuse to act on resources that are not
// "Kargo-manageable". NOTE(review): that check is the guard that keeps this
// API from modifying ServiceAccounts/Roles/RoleBindings it did not create;
// how manageability is determined (presumably labels/annotations) is not
// visible here — confirm against the implementation.
type RolesDatabase interface {
	// Create creates the ServiceAccount, Role, and RoleBinding underlying a new
	// Kargo Role. It will return an error if any of those resources already
	// exist.
	Create(context.Context, *rbacapi.Role) (*rbacapi.Role, error)
	// Delete deletes a Kargo Role's underlying ServiceAccount, Role, and
	// RoleBinding. It will return an error if no underlying resources exist or if
	// any underlying resources are not Kargo-manageable.
	Delete(ctx context.Context, project, name string) error
	// Get returns a Kargo Role representation of an underlying ServiceAccount
	// and any Roles it is associated with. It will return an error if no
	// underlying ServiceAccount exists.
	Get(ctx context.Context, project, name string) (*rbacapi.Role, error)
	// GetAsResources returns the ServiceAccount and any Roles and RoleBindings
	// underlying a Kargo Role. It will return an error if no underlying
	// ServiceAccount exists. It is valid for the Roles and/or RoleBindings to be
	// missing, in which case they will be returned as nil.
	GetAsResources(
		ctx context.Context,
		project string,
		name string,
	) (*corev1.ServiceAccount, []rbacv1.Role, []rbacv1.RoleBinding, error)
	// GrantPermissionsToRole amends the Role underlying a Kargo Role with new
	// rules. It will return an error if no underlying ServiceAccount exists or
	// any underlying resources are not Kargo-manageable. It will create
	// underlying Role and RoleBinding resources if they do not exist.
	GrantPermissionsToRole(
		ctx context.Context,
		project string,
		name string,
		resourceDetails *rbacapi.ResourceDetails,
	) (*rbacapi.Role, error)
	// GrantRoleToUsers amends claim annotations of the ServiceAccount underlying
	// a Kargo Role. It will return an error if no underlying ServiceAccount
	// exists or any underlying resources are not Kargo-manageable.
	GrantRoleToUsers(
		ctx context.Context,
		project string,
		name string,
		claims []rbacapi.Claim,
	) (*rbacapi.Role, error)
	// List returns Kargo Role representations of underlying ServiceAccounts and
	// any Roles and RoleBindings associated with them.
	List(ctx context.Context, project string) ([]*rbacapi.Role, error)
	// ListNames returns the names of Kargo Roles in the given project.
	ListNames(ctx context.Context, project string) ([]string, error)
	// RevokePermissionsFromRole removes select rules from the Role underlying a
	// Kargo Role. It will return an error if no underlying ServiceAccount exists
	// or any underlying resources are not Kargo-manageable.
	RevokePermissionsFromRole(
		ctx context.Context,
		project string,
		name string,
		resourceDetails *rbacapi.ResourceDetails,
	) (*rbacapi.Role, error)
	// RevokeRoleFromUsers removes select claims from claim annotations of the
	// ServiceAccount underlying a Kargo Role. It will return an error if no
	// underlying ServiceAccount exists or any underlying resources are not
	// Kargo-manageable.
	RevokeRoleFromUsers(
		ctx context.Context,
		project string,
		name string,
		claims []rbacapi.Claim,
	) (*rbacapi.Role, error)
	// Update updates the ServiceAccount and Role resources underlying a Kargo
	// Role. It will return an error if no underlying ServiceAccount exists or
	// any underlying resources are not Kargo-manageable. It will create
	// underlying Role and RoleBinding resources if they do not exist.
	Update(context.Context, *rbacapi.Role) (*rbacapi.Role, error)
}

RolesDatabase is an interface for the Kargo Roles store.

func NewKubernetesRolesDatabase

func NewKubernetesRolesDatabase(c client.Client) RolesDatabase

NewKubernetesRolesDatabase returns an implementation of the RolesDatabase interface that uses a Kubernetes controller-runtime client to store and retrieve Kargo Roles, which are stored in Kubernetes in the form of ServiceAccount/Role/RoleBinding trios.
