Documentation ¶
Index ¶
- func DescribeSubject(s *rbacv1.Subject, bindingNamespace string) string
- func ReplaceToCore(l []string)
- func ReplaceToWildCard(l []string)
- type ClusterRoleBindingDescriber
- type NamespacedPolicyRule
- type Permissions
- type PolicyRule
- type RoleBindingDescriber
- type StaticRoles
- func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
- func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)
- func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
- func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
- type SubjectPermissions
- type SubjectPolicyList
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ReplaceToCore ¶ added in v0.8.0
func ReplaceToCore(l []string)
func ReplaceToWildCard ¶ added in v0.8.0
func ReplaceToWildCard(l []string)
Types ¶
type ClusterRoleBindingDescriber ¶
type ClusterRoleBindingDescriber struct {
// contains filtered or unexported fields
}
func (*ClusterRoleBindingDescriber) String ¶
func (d *ClusterRoleBindingDescriber) String() string
type NamespacedPolicyRule ¶ added in v0.8.0
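// NamespacedPolicyRule is one JSON-serialisable permission entry. Verb,
// APIGroup and Resource are scalar strings, so each value carries a single
// verb/resource pair together with the role references it came from.
type NamespacedPolicyRule struct {
	// Namespace the rule applies in.
	// NOTE(review): presumably "" means cluster-wide, matching the convention
	// documented on SubjectPermissions.Rules; confirm.
	Namespace string `json:"namespace,omitempty"`

	// Verb is the verb this rule grants.
	// NOTE(review): the previous wording ("a list of Verbs ... VerbAll
	// represents all kinds") described a list-valued field; presumably a "*"
	// value here still grants every verb. Confirm.
	Verb string `json:"verb"`

	// APIGroup is the name of the API group that contains the resource.
	APIGroup string `json:"apiGroup,omitempty"`

	// Resource is the resource this rule applies to.
	// NOTE(review): the previous wording says ResourceAll represents all
	// resources; presumably "*" here. Confirm.
	Resource string `json:"resource,omitempty"`

	// ResourceNames is an optional allow list of object names the rule is
	// restricted to. An empty set means every name is allowed, so with
	// omitempty a missing "resourceNames" key in the JSON output is the
	// broadest grant, not a denial.
	ResourceNames []string `json:"resourceNames,omitempty"`

	// NonResourceURLs is a set of partial URLs the subject may access. A "*" is
	// allowed, but only as the full, final step in the path. Non-resource URLs
	// are not namespaced, so this field only applies to ClusterRoles referenced
	// from a ClusterRoleBinding.
	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`

	// OriginatedFrom lists the Role/ClusterRole references this rule came from.
	OriginatedFrom []v1.RoleRef `json:"originatedFrom,omitempty"`
}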
type Permissions ¶ added in v0.5.0
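// Permissions holds the service accounts, RBAC roles and bindings, and pod
// security policies that the rest of the package works from. The constructors
// NewPermissionsFromCluster and NewPermissionsFromResourceList return it.
type Permissions struct {
	// ServiceAccounts is a two-level map of service accounts.
	// NOTE(review): presumably namespace -> name, and v1 here is the core API
	// group (ServiceAccount), unlike the rbacv1 types below. Confirm.
	ServiceAccounts map[string]map[string]v1.ServiceAccount

	// Roles and RoleBindings also hold the cluster-scoped objects, under the
	// empty namespace key "":
	//   - ClusterRoles are stored in Roles[""]
	//   - ClusterRoleBindings are stored in RoleBindings[""]
	// Code reading these maps must therefore treat "" as cluster scope, not as
	// a missing or default namespace.
	// NOTE(review): the value type is rbacv1.Role, so ClusterRole-only fields
	// such as AggregationRule are presumably not carried over; confirm.
	Roles        map[string]map[string]rbacv1.Role
	RoleBindings map[string]map[string]rbacv1.RoleBinding

	// PodSecurityPolicies is a single-level map of pod security policies.
	// NOTE(review): presumably keyed by policy name. PodSecurityPolicy was
	// removed from Kubernetes in v1.25, so this map is likely empty on newer
	// clusters; confirm.
	PodSecurityPolicies map[string]policy.PodSecurityPolicy
}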
func NewPermissionsFromCluster ¶ added in v0.5.0
func NewPermissionsFromCluster(client *kube.KubeClient) (*Permissions, error)
func NewPermissionsFromResourceList ¶ added in v0.5.0
func NewPermissionsFromResourceList(objs []runtime.Object) (*Permissions, error)
type PolicyRule ¶ added in v1.6.0
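// PolicyRule embeds an RBAC v1.PolicyRule and records which roles it came
// from, so a granted permission can be traced back to the Role or ClusterRole
// that defines it.
type PolicyRule struct {
	v1.PolicyRule

	// OriginatedFrom lists the Roles or ClusterRoles this rule originated from.
	OriginatedFrom []v1.RoleRef
}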
type RoleBindingDescriber ¶
type RoleBindingDescriber struct {
// contains filtered or unexported fields
}
func (*RoleBindingDescriber) String ¶
func (d *RoleBindingDescriber) String() string
type StaticRoles ¶
type StaticRoles struct {
// contains filtered or unexported fields
}
StaticRoles is a rule resolver that resolves from lists of role objects.
func (*StaticRoles) GetClusterRole ¶
func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
func (*StaticRoles) GetRole ¶
func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)
func (*StaticRoles) ListClusterRoleBindings ¶
func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
func (*StaticRoles) ListRoleBindings ¶
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
type SubjectPermissions ¶ added in v0.8.0
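// SubjectPermissions groups the policy rules that apply to one subject.
// NewSubjectPermissions returns a slice of these built from a *Permissions.
type SubjectPermissions struct {
	// Subject is the RBAC subject the rules belong to.
	Subject v1.Subject

	// Rules maps a namespace to the rules that apply in it. The "" key means
	// cluster-wide, so entries under "" are not limited to any one namespace.
	Rules map[string][]PolicyRule
}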
func NewSubjectPermissions ¶ added in v0.8.0
func NewSubjectPermissions(perms *Permissions) []SubjectPermissions
type SubjectPolicyList ¶ added in v0.8.0
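// SubjectPolicyList pairs a subject with the list of rules it is allowed.
// NewSubjectPermissionsList returns a slice of these built from
// []SubjectPermissions.
type SubjectPolicyList struct {
	// The embedded Subject has no JSON tag of its own, so encoding/json emits
	// its fields at the top level of the object.
	v1.Subject

	// AllowedTo lists the subject's rules. With omitempty, a subject that has
	// no rules is serialised without an "allowedTo" key.
	AllowedTo []NamespacedPolicyRule `json:"allowedTo,omitempty"`
}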
func NewSubjectPermissionsList ¶ added in v0.8.0
func NewSubjectPermissionsList(policies []SubjectPermissions) []SubjectPolicyList