policy

package
v3.10.0-0.51.0+incompa... Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 24, 2018 License: Apache-2.0 Imports: 48 Imported by: 0

Documentation

Index

Constants

View Source
const (
	AddRoleToGroupRecommendedName      = "add-role-to-group"
	AddRoleToUserRecommendedName       = "add-role-to-user"
	RemoveRoleFromGroupRecommendedName = "remove-role-from-group"
	RemoveRoleFromUserRecommendedName  = "remove-role-from-user"

	AddClusterRoleToGroupRecommendedName      = "add-cluster-role-to-group"
	AddClusterRoleToUserRecommendedName       = "add-cluster-role-to-user"
	RemoveClusterRoleFromGroupRecommendedName = "remove-cluster-role-from-group"
	RemoveClusterRoleFromUserRecommendedName  = "remove-cluster-role-from-user"
)
View Source
const (
	AddSCCToGroupRecommendedName      = "add-scc-to-group"
	AddSCCToUserRecommendedName       = "add-scc-to-user"
	RemoveSCCFromGroupRecommendedName = "remove-scc-from-group"
	RemoveSCCFromUserRecommendedName  = "remove-scc-from-user"
)
View Source
const (
	RemoveGroupRecommendedName = "remove-group"
	RemoveUserRecommendedName  = "remove-user"
)
View Source
const CanIRecommendedName = "can-i"
View Source
const PolicyRecommendedName = "policy"
View Source
const ReconcileClusterRoleBindingsRecommendedName = "reconcile-cluster-role-bindings"

ReconcileClusterRoleBindingsRecommendedName is the recommended command name

View Source
const ReconcileClusterRolesRecommendedName = "reconcile-cluster-roles"

ReconcileClusterRolesRecommendedName is the recommended command name

View Source
const ReconcileProtectAnnotation = "openshift.io/reconcile-protect"

ReconcileProtectAnnotation is the name of an annotation which prevents reconciliation if set to "true"

View Source
const ReconcileSCCRecommendedName = "reconcile-sccs"

ReconcileSCCRecommendedName is the recommended command name

View Source
const ReviewRecommendedName = "scc-review"
View Source
const SubjectReviewRecommendedName = "scc-subject-review"
View Source
const WhoCanRecommendedName = "who-can"

Variables

This section is empty.

Functions

func CheckStatefulSetWithWolumeClaimTemplates

func CheckStatefulSetWithWolumeClaimTemplates(obj runtime.Object) error

CheckStatefulSetWithWolumeClaimTemplates checks whether a supplied object is a statefulSet with volumeClaimTemplates Currently scc-review and scc-subject-review commands cannot handle correctly this case since validation is not based only on podTemplateSpec.

func DiffSubjects

func DiffSubjects(list1 []rbac.Subject, list2 []rbac.Subject) (list1Only []rbac.Subject, list2Only []rbac.Subject)

DiffSubjects returns lists containing the items unique to each provided list:

list1Only = list1 - list2
list2Only = list2 - list1

if both returned lists are empty, the provided lists are equal

func GetPodTemplateForObject

func GetPodTemplateForObject(obj runtime.Object) (*kapi.PodTemplateSpec, error)

func IsClusterRoleBindingLookupError

func IsClusterRoleBindingLookupError(err error) bool

func MergeMaps

func MergeMaps(a, b map[string]string) map[string]string

MergeMaps will merge to map[string]string instances, with keys from the second argument overwriting keys from the first argument, in case of duplicates.

func NewClusterRoleBindingLookupError

func NewClusterRoleBindingLookupError(rolesNotFound []string) error

func NewCmdAddClusterRoleToGroup

func NewCmdAddClusterRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddClusterRoleToGroup implements the OpenShift cli add-cluster-role-to-group command

func NewCmdAddClusterRoleToUser

func NewCmdAddClusterRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddClusterRoleToUser implements the OpenShift cli add-cluster-role-to-user command

func NewCmdAddRoleToGroup

func NewCmdAddRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddRoleToGroup implements the OpenShift cli add-role-to-group command

func NewCmdAddRoleToUser

func NewCmdAddRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddRoleToUser implements the OpenShift cli add-role-to-user command

func NewCmdAddSCCToGroup

func NewCmdAddSCCToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdAddSCCToUser

func NewCmdAddSCCToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdCanI

func NewCmdCanI(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdPolicy

func NewCmdPolicy(name, fullName string, f *clientcmd.Factory, out, errout io.Writer) *cobra.Command

NewCmdPolicy implements the OpenShift cli policy command

func NewCmdReconcileClusterRoleBindings

func NewCmdReconcileClusterRoleBindings(name, fullName string, f *clientcmd.Factory, out, err io.Writer) *cobra.Command

NewCmdReconcileClusterRoleBindings implements the OpenShift cli reconcile-cluster-role-bindings command

func NewCmdReconcileClusterRoles

func NewCmdReconcileClusterRoles(name, fullName string, f *clientcmd.Factory, out, errout io.Writer) *cobra.Command

NewCmdReconcileClusterRoles implements the OpenShift cli reconcile-cluster-roles command

func NewCmdReconcileSCC

func NewCmdReconcileSCC(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdReconcileSCC implements the OpenShift cli reconcile-sccs command.

func NewCmdRemoveClusterRoleFromGroup

func NewCmdRemoveClusterRoleFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveClusterRoleFromGroup implements the OpenShift cli remove-cluster-role-from-group command

func NewCmdRemoveClusterRoleFromUser

func NewCmdRemoveClusterRoleFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveClusterRoleFromUser implements the OpenShift cli remove-cluster-role-from-user command

func NewCmdRemoveGroupFromProject

func NewCmdRemoveGroupFromProject(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveGroupFromProject implements the OpenShift cli remove-group command

func NewCmdRemoveRoleFromGroup

func NewCmdRemoveRoleFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveRoleFromGroup implements the OpenShift cli remove-role-from-group command

func NewCmdRemoveRoleFromUser

func NewCmdRemoveRoleFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveRoleFromUser implements the OpenShift cli remove-role-from-user command

func NewCmdRemoveSCCFromGroup

func NewCmdRemoveSCCFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdRemoveSCCFromUser

func NewCmdRemoveSCCFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdRemoveUserFromProject

func NewCmdRemoveUserFromProject(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveUserFromProject implements the OpenShift cli remove-user command

func NewCmdSccReview

func NewCmdSccReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdSccSubjectReview

func NewCmdSccSubjectReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdWhoCan

func NewCmdWhoCan(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdWhoCan implements the OpenShift cli who-can command

Types

type ClusterRoleBindingAccessor

type ClusterRoleBindingAccessor struct {
	Client authorizationtypedclient.ClusterRoleBindingsGetter
}

ClusterRoleBindingAccessor operates against cluster scoped role bindings

func (ClusterRoleBindingAccessor) CreateRoleBinding

func (a ClusterRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.RoleBinding) error

func (ClusterRoleBindingAccessor) DeleteRoleBinding

func (a ClusterRoleBindingAccessor) DeleteRoleBinding(name string) error

func (ClusterRoleBindingAccessor) GetExistingRoleBindingNames

func (a ClusterRoleBindingAccessor) GetExistingRoleBindingNames() (*sets.String, error)

func (ClusterRoleBindingAccessor) GetExistingRoleBindingsForRole

func (a ClusterRoleBindingAccessor) GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)

func (ClusterRoleBindingAccessor) GetRoleBinding

func (ClusterRoleBindingAccessor) UpdateRoleBinding

func (a ClusterRoleBindingAccessor) UpdateRoleBinding(binding *authorizationapi.RoleBinding) error

type LocalRoleBindingAccessor

type LocalRoleBindingAccessor struct {
	BindingNamespace string
	Client           authorizationtypedclient.RoleBindingsGetter
}

LocalRoleBindingAccessor operates against role bindings in namespace

func NewLocalRoleBindingAccessor

func NewLocalRoleBindingAccessor(bindingNamespace string, client authorizationtypedclient.RoleBindingsGetter) LocalRoleBindingAccessor

func (LocalRoleBindingAccessor) CreateRoleBinding

func (a LocalRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.RoleBinding) error

func (LocalRoleBindingAccessor) DeleteRoleBinding

func (a LocalRoleBindingAccessor) DeleteRoleBinding(name string) error

func (LocalRoleBindingAccessor) GetExistingRoleBindingNames

func (a LocalRoleBindingAccessor) GetExistingRoleBindingNames() (*sets.String, error)

func (LocalRoleBindingAccessor) GetExistingRoleBindingsForRole

func (a LocalRoleBindingAccessor) GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)

func (LocalRoleBindingAccessor) GetRoleBinding

func (LocalRoleBindingAccessor) UpdateRoleBinding

func (a LocalRoleBindingAccessor) UpdateRoleBinding(binding *authorizationapi.RoleBinding) error

type ReconcileClusterRoleBindingsOptions

type ReconcileClusterRoleBindingsOptions struct {
	// RolesToReconcile says which roles should have their default bindings reconciled.
	// An empty or nil slice means reconcile all of them.
	RolesToReconcile []string

	Confirmed bool
	Union     bool

	ExcludeSubjects []rbac.Subject

	Out    io.Writer
	Err    io.Writer
	Output string

	RoleBindingClient authorizationtypedclient.ClusterRoleBindingInterface
}

ReconcileClusterRoleBindingsOptions contains all the necessary functionality for the OpenShift cli reconcile-cluster-role-bindings command

func (*ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings

func (o *ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings() ([]*rbac.ClusterRoleBinding, []*rbac.ClusterRoleBinding, error)

ChangedClusterRoleBindings returns the role bindings that must be created and/or updated to match the recommended bootstrap policy. If roles to reconcile are provided, but not all are found, all partial results are returned.

func (*ReconcileClusterRoleBindingsOptions) Complete

func (o *ReconcileClusterRoleBindingsOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string, excludeUsers, excludeGroups []string) error

func (*ReconcileClusterRoleBindingsOptions) ReplaceChangedRoleBindings

func (o *ReconcileClusterRoleBindingsOptions) ReplaceChangedRoleBindings(changedRoleBindings []*rbac.ClusterRoleBinding) error

ReplaceChangedRoleBindings will reconcile all the changed system role bindings back to the recommended bootstrap policy

func (*ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings

func (o *ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings(cmd *cobra.Command, f *clientcmd.Factory) error

func (*ReconcileClusterRoleBindingsOptions) Validate

type ReconcileClusterRolesOptions

type ReconcileClusterRolesOptions struct {
	// RolesToReconcile says which roles should be reconciled.  An empty or nil slice means
	// reconcile all of them.
	RolesToReconcile []string

	Confirmed bool
	Union     bool

	Out    io.Writer
	ErrOut io.Writer
	Output string

	RoleClient authorizationtypedclient.ClusterRoleInterface
}

func (*ReconcileClusterRolesOptions) ChangedClusterRoles

func (o *ReconcileClusterRolesOptions) ChangedClusterRoles() ([]*rbac.ClusterRole, []*rbac.ClusterRole, error)

ChangedClusterRoles returns the roles that must be created and/or updated to match the recommended bootstrap policy

func (*ReconcileClusterRolesOptions) Complete

func (o *ReconcileClusterRolesOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string) error

func (*ReconcileClusterRolesOptions) ReplaceChangedRoles

func (o *ReconcileClusterRolesOptions) ReplaceChangedRoles(changedRoles []*rbac.ClusterRole) error

ReplaceChangedRoles will reconcile all the changed roles back to the recommended bootstrap policy

func (*ReconcileClusterRolesOptions) RunReconcileClusterRoles

func (o *ReconcileClusterRolesOptions) RunReconcileClusterRoles(cmd *cobra.Command, f *clientcmd.Factory) error

RunReconcileClusterRoles contains all the necessary functionality for the OpenShift cli reconcile-cluster-roles command

func (*ReconcileClusterRolesOptions) Validate

func (o *ReconcileClusterRolesOptions) Validate() error

type ReconcileSCCOptions

type ReconcileSCCOptions struct {
	// confirmed indicates that the data should be persisted
	Confirmed bool
	// union controls if we make additive changes to the users/groups/labels/annotations fields
	// or overwrite them as well as preserving existing priorities (unset priorities will
	// always be reconciled)
	Union bool
	// is the name of the openshift infrastructure namespace.  It is provided here so that
	// the command doesn't need to try and parse the policy config.
	InfraNamespace string

	Out    io.Writer
	Output string

	SCCClient securitytypedclient.SecurityContextConstraintsInterface
	NSClient  kcoreclient.NamespaceInterface
}

func NewDefaultReconcileSCCOptions

func NewDefaultReconcileSCCOptions() *ReconcileSCCOptions

NewDefaultReconcileSCCOptions provides a ReconcileSCCOptions with default settings.

func (*ReconcileSCCOptions) ChangedSCCs

ChangedSCCs returns the SCCs that must be created and/or updated to match the recommended bootstrap SCCs.

func (*ReconcileSCCOptions) Complete

func (o *ReconcileSCCOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string) error

func (*ReconcileSCCOptions) ReplaceChangedSCCs

func (o *ReconcileSCCOptions) ReplaceChangedSCCs(changedSCCs []*securityapi.SecurityContextConstraints) error

ReplaceChangedSCCs persists the changed SCCs.

func (*ReconcileSCCOptions) RunReconcileSCCs

func (o *ReconcileSCCOptions) RunReconcileSCCs(cmd *cobra.Command, f *clientcmd.Factory) error

RunReconcileSCCs contains the functionality for the reconcile-sccs command for making or previewing changes.

func (*ReconcileSCCOptions) Validate

func (o *ReconcileSCCOptions) Validate() error

type RemoveFromProjectOptions

type RemoveFromProjectOptions struct {
	BindingNamespace string
	Client           oauthorizationtypedclient.RoleBindingsGetter

	Groups []string
	Users  []string

	DryRun bool

	PrintObject func(runtime.Object) error
	Output      string
	Out         io.Writer
}

func (*RemoveFromProjectOptions) Complete

func (o *RemoveFromProjectOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command, args []string, target *[]string, targetName string) error

func (*RemoveFromProjectOptions) Run

func (*RemoveFromProjectOptions) Validate

func (o *RemoveFromProjectOptions) Validate(f *clientcmd.Factory, cmd *cobra.Command, args []string) error

type RoleBindingAccessor

type RoleBindingAccessor interface {
	GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)
	GetExistingRoleBindingNames() (*sets.String, error)
	GetRoleBinding(name string) (*authorizationapi.RoleBinding, error)
	UpdateRoleBinding(binding *authorizationapi.RoleBinding) error
	CreateRoleBinding(binding *authorizationapi.RoleBinding) error
	DeleteRoleBinding(name string) error
}

RoleBindingAccessor is used by role modification commands to access and modify roles

type RoleModificationOptions

type RoleModificationOptions struct {
	RoleNamespace       string
	RoleName            string
	RoleBindingName     string
	RoleBindingAccessor RoleBindingAccessor

	Targets  []string
	Users    []string
	Groups   []string
	Subjects []kapi.ObjectReference

	DryRun bool
	Output string

	PrintObj func(obj runtime.Object) error
}

func (*RoleModificationOptions) AddRole

func (o *RoleModificationOptions) AddRole() error

func (*RoleModificationOptions) Complete

func (o *RoleModificationOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command, args []string, target *[]string, targetName string, isNamespaced bool, out io.Writer) error

func (*RoleModificationOptions) CompleteUserWithSA

func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, cmd *cobra.Command, args []string, saNames []string, isNamespaced bool, out io.Writer) error

func (*RoleModificationOptions) RemoveRole

func (o *RoleModificationOptions) RemoveRole() error

type SCCModificationOptions

type SCCModificationOptions struct {
	SCCName      string
	SCCInterface securitytypedclient.SecurityContextConstraintsInterface

	DefaultSubjectNamespace string
	Subjects                []kapi.ObjectReference

	IsGroup bool
	DryRun  bool
	Output  string

	PrintObj func(runtime.Object) error
	Out      io.Writer
}

func (*SCCModificationOptions) AddSCC

func (o *SCCModificationOptions) AddSCC() error

func (*SCCModificationOptions) CompleteGroups

func (o *SCCModificationOptions) CompleteGroups(f *clientcmd.Factory, cmd *cobra.Command, args []string, out io.Writer) error

func (*SCCModificationOptions) CompleteUsers

func (o *SCCModificationOptions) CompleteUsers(f *clientcmd.Factory, cmd *cobra.Command, args []string, saNames []string, out io.Writer) error

func (*SCCModificationOptions) RemoveSCC

func (o *SCCModificationOptions) RemoveSCC() error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL