Documentation ¶
Index ¶
- Constants
- func NewWhoCanCommand(streams clioptions.IOStreams) (*cobra.Command, error)
- func PrintChecks(out io.Writer, action Action, roleBindings []rbac.RoleBinding, ...)
- func PrintWarnings(out io.Writer, warnings []string)
- type AccessChecker
- type Action
- type NamespaceValidator
- type PolicyRuleMatcher
- type ResourceResolver
- type WhoCan
Constants ¶
// Kind values found in the RoleRef of a binding. In Kubernetes RBAC a Role is
// namespaced while a ClusterRole is cluster-scoped, so the Kind tells a reader
// which of the two a binding points at.
const (
	// RoleKind is the RoleRef's Kind referencing a Role.
	RoleKind = "Role"
	// ClusterRoleKind is the RoleRef's Kind referencing a ClusterRole.
	ClusterRoleKind = "ClusterRole"
)
Functions ¶
func NewWhoCanCommand ¶
func NewWhoCanCommand(streams clioptions.IOStreams) (*cobra.Command, error)
NewWhoCanCommand constructs the WhoCan command with the specified IOStreams.
func PrintChecks ¶
func PrintChecks(out io.Writer, action Action, roleBindings []rbac.RoleBinding, clusterRoleBindings []rbac.ClusterRoleBinding)
PrintChecks prints the permission checks returned by Check: the role bindings and cluster role bindings found for the given action.
func PrintWarnings ¶
PrintWarnings prints warnings, if any, returned by CheckAPIAccess.
Types ¶
type AccessChecker ¶
AccessChecker wraps the IsAllowedTo method.
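IsAllowedTo checks whether the current user is allowed to perform the given action in the specified namespace. Specifying "" as the namespace performs the check in all namespaces. The answer describes the caller's own access only: the default implementation is constructed from a SelfSubjectAccessReview client (see NewAccessChecker), so it says nothing about the subjects that Check reports.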
func NewAccessChecker ¶
func NewAccessChecker(client clientauthz.SelfSubjectAccessReviewInterface) AccessChecker
NewAccessChecker constructs the default AccessChecker.
type Action ¶
// Action describes the request for which permitted subjects are looked up.
// It is the input to (*WhoCan).Check and to PrintChecks.
type Action struct {
	Verb         string
	Resource     string
	ResourceName string
	SubResource  string
	// NOTE(review): presumably set instead of Resource when the action
	// targets a non-resource path — confirm against ActionFrom.
	NonResourceURL string
	Namespace      string
	// NOTE(review): looks like this widens the lookup beyond Namespace to
	// every namespace — confirm how it interacts with Namespace.
	AllNamespaces bool
}
Action represents an action a subject can be given permission to.
func ActionFrom ¶
func ActionFrom(clientConfig clientcmd.ClientConfig, flags *pflag.FlagSet, args []string) (action Action, err error)
ActionFrom sets all information required to check who can perform the specified action.
type NamespaceValidator ¶
NamespaceValidator wraps the Validate method.
Validate checks whether the given namespace exists or not. Returns nil if it exists, an error otherwise.
func NewNamespaceValidator ¶
func NewNamespaceValidator(client clientcore.NamespaceInterface) NamespaceValidator
NewNamespaceValidator constructs the default NamespaceValidator.
type PolicyRuleMatcher ¶
// PolicyRuleMatcher decides whether a role grants an action.
//
// Both methods take the unexported resolvedAction type, so code outside this
// package cannot name the parameter type; callers obtain an implementation
// from NewPolicyRuleMatcher.
type PolicyRuleMatcher interface {
	// MatchesRole reports whether any PolicyRule of the given Role matches
	// the action.
	MatchesRole(role rbac.Role, action resolvedAction) bool
	// MatchesClusterRole reports whether any PolicyRule of the given
	// ClusterRole matches the action.
	MatchesClusterRole(role rbac.ClusterRole, action resolvedAction) bool
}
PolicyRuleMatcher wraps the Matches* methods.
MatchesRole returns `true` if any PolicyRule defined by the given Role matches the specified Action, `false` otherwise.
MatchesClusterRole returns `true` if any PolicyRule defined by the given ClusterRole matches the specified Action, `false` otherwise.
func NewPolicyRuleMatcher ¶
func NewPolicyRuleMatcher() PolicyRuleMatcher
NewPolicyRuleMatcher constructs the default PolicyRuleMatcher.
type ResourceResolver ¶
// ResourceResolver turns user-supplied resource names into a GroupResource.
type ResourceResolver interface {
	// Resolve looks up the GroupResource for resource and subResource and
	// returns an error when it cannot be resolved or when verb is not
	// supported by the resolved resource.
	Resolve(verb, resource, subResource string) (schema.GroupResource, error)
}
ResourceResolver wraps the Resolve method.
Resolve attempts to resolve a GroupResource by `resource` and `subResource`. It also validates that the specified `verb` is supported by the resolved resource.
func NewResourceResolver ¶
func NewResourceResolver(client discovery.DiscoveryInterface, mapper meta.RESTMapper) ResourceResolver
NewResourceResolver constructs the default ResourceResolver.
type WhoCan ¶
// WhoCan is the checker built by NewWhoCan. Its Check method takes an Action
// and returns the RoleBindings and ClusterRoleBindings found for it.
type WhoCan struct {
	// contains filtered or unexported fields
}
func NewWhoCan ¶
NewWhoCan constructs a new WhoCan checker with the specified rest.Config and RESTMapper.
func (*WhoCan) Check ¶
func (w *WhoCan) Check(action Action) (roleBindings []rbac.RoleBinding, clusterRoleBindings []rbac.ClusterRoleBinding, err error)
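Check checks who can perform the action specified by WhoCanOptions and returns the role bindings that allow the action to be performed. Both results are RBAC objects (RoleBinding and ClusterRoleBinding), so access granted by any authorizer other than RBAC would not be reflected in them; read the output as "who is bound to a matching role", not as a complete answer to "who is authorized".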