proxyrule

package

v0.1.2 Latest Latest Go to latest Published: Mar 19, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/authzed/spicedb-kubeapi-proxy

Links

Open Source Insights

Documentation ¶

Index ¶

type Config
- func Parse(reader io.Reader) ([]Config, error)
type LockMode
type Match
type ObjectTemplate
type PreFilter
type RelationshipTemplate
type Spec
type StringOrTemplate

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Config ¶

type Config struct {
	metav1.TypeMeta `json:",inline"`
	Spec            `json:",inline"`
}

Config is a typed wrapper around a Spec. In the future Spec may be exposed as a real kube api; this type is meant for an on-disk representation given to the proxy on start and omits spec/status and other common kube trimmings.

func Parse ¶

func Parse(reader io.Reader) ([]Config, error)

type LockMode ¶

type LockMode string

const (
	PessimisticLockMode LockMode = "Pessimistic"
	OptimisticLockMode  LockMode = "Optimistic"
)

type Match ¶

type Match struct {
	GroupVersion string   `json:"apiVersion"`
	Resource     string   `json:"resource"`
	Verbs        []string `json:"verbs"`
}

Match determines which requests the rule applies to

type ObjectTemplate ¶

type ObjectTemplate struct {
	Type     string `json:"type"`
	ID       string `json:"id"`
	Relation string `json:"relation,omitempty"`
}

ObjectTemplate represents a component of a relationship where some fields may be omitted or templated.

type PreFilter ¶

type PreFilter struct {
	// Name is a jmespath defining how to construct an allowed Name from an
	// LR or LS response.
	Name string `json:"name"`

	// Namespace is a jmespath defining how to construct an allowed Namespace
	// from an LR or LS response.
	Namespace string `json:"namespace,omitempty"`

	// ByResource is a template defining a LookupResources request to filter on.
	// The resourceID will be ignored; unused fields should be set to `*`.
	ByResource *StringOrTemplate `json:"byResource,optional"`

	// BySubject is a template defining a LookupSubjects request to filter on.
	// The subjectID will be ignored; unused fields should be set to `*`.
	BySubject *StringOrTemplate `json:"bySubject,optional"`
}

PreFilter defines a LookupResources or LookupSubjects request the results of which are used to filter responses. Prefilters work by generating a list of allowed object (name, namespace) pairs ahead of / in parallel with the kube request.

type RelationshipTemplate ¶

type RelationshipTemplate struct {
	Resource ObjectTemplate `json:"resource"`
	Subject  ObjectTemplate `json:"subject"`
}

RelationshipTemplate represents a relationship where some fields may be omitted or templated.

type Spec ¶

type Spec struct {
	Locking    LockMode           `json:"lock,omitempty"`
	Matches    []Match            `json:"match"`
	Checks     []StringOrTemplate `json:"check,omitempty"`
	Must       []StringOrTemplate `json:"must,omitempty"`
	MustNot    []StringOrTemplate `json:"mustNot,omitempty"`
	Writes     []StringOrTemplate `json:"write,omitempty"`
	PreFilters []PreFilter        `json:"prefilter,omitempty"`
}

Spec defines a single rule for the proxy that matches incoming requests to an optional set of checks, an optional set of writes, and an optional filter.

type StringOrTemplate ¶

type StringOrTemplate struct {
	Template              string `json:"tpl,inline"`
	*RelationshipTemplate `json:",inline"`
}

StringOrTemplate either contains a string representing a relationship template, or a full RelationshipTemplate definition.

Source Files ¶

View all Source files

rule.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL