rulevalidation

package
v3.10.0-rc.0+incompatible
Warning

This package is not in the latest version of its module.

Published: Jun 15, 2018 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func BreakdownRule added in v1.3.0

BreakdownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one resource, and one resource name.

func CompactRules added in v1.3.0

func CompactRules(rules []authorizationapi.PolicyRule) ([]authorizationapi.PolicyRule, error)

CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. This is a fast check, and it works well with the decomposed "missing rules" list from a Covers check.

func ConfirmNoEscalation added in v1.1.4

func ConfirmNoEscalation(ctx apirequest.Context, resource schema.GroupResource, name string, ruleResolver, cachedRuleResolver AuthorizationRuleResolver, role authorizationinterfaces.Role) error

func Covers

func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []authorizationapi.PolicyRule)

Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.
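
The following is an added example, not code from this package: a reduced model of the breakdown-then-compare check that the BreakdownRule and Covers descriptions imply. The `Rule` type and the `breakdown`, `has` and `covers` helpers are hypothetical; API groups, non-resource URLs and attribute restrictions are left out, and `*` is assumed to act as a wildcard in every field.

```go
package main

import "fmt"

type Rule struct{ Verbs, Resources, Names []string } // hypothetical, reduced PolicyRule

// breakdown splits r into rules with one verb, one resource and at most one name.
func breakdown(r Rule) (out []Rule) {
	for _, v := range r.Verbs {
		for _, res := range r.Resources {
			if len(r.Names) == 0 { // no name restriction: keep it unrestricted
				out = append(out, Rule{[]string{v}, []string{res}, nil})
			}
			for _, n := range r.Names {
				out = append(out, Rule{[]string{v}, []string{res}, []string{n}})
			}
		}
	}
	return out
}

// has reports whether set holds want or the "*" wildcard; a "*" in want matches only "*".
func has(set []string, want string) (ok bool) {
	for _, s := range set {
		ok = ok || s == "*" || s == want
	}
	return ok
}

// covers follows the documented contract of Covers: a flag plus the uncovered rules.
func covers(owner, servant []Rule) (ok bool, missing []Rule) {
	for _, s := range servant {
	next:
		for _, sub := range breakdown(s) {
			for _, o := range owner {
				if has(o.Verbs, sub.Verbs[0]) && has(o.Resources, sub.Resources[0]) &&
					(len(o.Names) == 0 || len(sub.Names) == 1 && has(o.Names, sub.Names[0])) {
					continue next
				}
			}
			missing = append(missing, sub)
		}
	}
	return len(missing) == 0, missing
}

func main() { // constructed sample: owner holds get on pods, servant also asks for delete
	owner := []Rule{{[]string{"get"}, []string{"pods"}, nil}}
	fmt.Println(covers(owner, []Rule{{[]string{"get", "delete"}, []string{"pods"}, nil}}))
}
```

In this model an owner rule limited to named objects never covers an unrestricted servant rule, and a servant wildcard verb is covered only by an owner wildcard, which is the property an escalation check depends on.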

func EscalationAllowed

func EscalationAllowed(ctx apirequest.Context) bool

EscalationAllowed returns true if a particular user is allowed to escalate his powers.

Types

type AuthorizationRuleResolver

type AuthorizationRuleResolver interface {
	GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error)
	GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error)
	// RulesFor returns the list of rules that apply to a given user in a given namespace and error.  If an error is returned, the slice of
	// PolicyRules may not be complete, but it contains all retrievable rules.  This is done because policy rules are purely additive and policy determinations
	// can be made on the basis of those rules that are found.
	RulesFor(info user.Info, namespace string) ([]authorizationapi.PolicyRule, error)
}
