Documentation
Index
- func BreakdownRule(rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule
- func CompactRules(rules []authorizationapi.PolicyRule) ([]authorizationapi.PolicyRule, error)
- func ConfirmNoEscalation(ctx apirequest.Context, resource schema.GroupResource, name string, ...) error
- func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []authorizationapi.PolicyRule)
- type AuthorizationRuleResolver
- type DefaultRuleResolver
- func (a *DefaultRuleResolver) GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error)
- func (a *DefaultRuleResolver) GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error)
- func (a *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]authorizationapi.PolicyRule, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func BreakdownRule added in v1.3.0
func BreakdownRule(rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule
BreakdownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one resource, and one resource name.
func CompactRules added in v1.3.0
func CompactRules(rules []authorizationapi.PolicyRule) ([]authorizationapi.PolicyRule, error)
CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. This is a fast check, and it works well with the decomposed "missing rules" list returned by a Covers check.
func ConfirmNoEscalation added in v1.1.4
func ConfirmNoEscalation(ctx apirequest.Context, resource schema.GroupResource, name string, ruleResolver, cachedRuleResolver AuthorizationRuleResolver, role authorizationinterfaces.Role) error
func Covers
func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []authorizationapi.PolicyRule)
Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.
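To make the breakdown-then-cover logic concrete, the following is an added, self-contained example and not the package's own code. It models a simplified PolicyRule (assumption: only Verbs, APIGroups, Resources and ResourceNames) and reimplements BreakdownRule, Covers and a ConfirmNoEscalation-style check with the semantics described above: a requester's own rules must cover every broken-down piece of a role before that role may be written, and any uncovered piece is reported. The sample rules in main are constructed.

```go
package main

import "fmt"

// PolicyRule is a simplified stand-in for authorizationapi.PolicyRule (assumption: only these four fields).
type PolicyRule struct {
	Verbs         []string
	APIGroups     []string
	Resources     []string
	ResourceNames []string // empty means "every name"
}

// BreakdownRule expands a rule into pieces with at most one verb, one resource and one resource name each.
func BreakdownRule(rule PolicyRule) []PolicyRule {
	names := rule.ResourceNames
	if len(names) == 0 {
		names = []string{""} // one piece that applies to every name
	}
	var out []PolicyRule
	for _, verb := range rule.Verbs {
		for _, res := range rule.Resources {
			for _, name := range names {
				piece := PolicyRule{Verbs: []string{verb}, APIGroups: rule.APIGroups, Resources: []string{res}}
				if name != "" {
					piece.ResourceNames = []string{name}
				}
				out = append(out, piece)
			}
		}
	}
	return out
}

// matches reports whether the owner's list grants want; "*" in the owner list grants everything.
func matches(owner []string, want string) bool {
	for _, o := range owner {
		if o == "*" || o == want {
			return true
		}
	}
	return false
}

// ruleCovers reports whether owner grants everything a single broken-down piece grants.
func ruleCovers(owner, piece PolicyRule) bool {
	if !matches(owner.Verbs, piece.Verbs[0]) || !matches(owner.Resources, piece.Resources[0]) {
		return false
	}
	for _, g := range piece.APIGroups {
		if !matches(owner.APIGroups, g) {
			return false
		}
	}
	if len(owner.ResourceNames) == 0 {
		return true // owner is not name-scoped, so any name is fine
	}
	// A name-scoped owner never covers a piece that asks for every name.
	return len(piece.ResourceNames) > 0 && matches(owner.ResourceNames, piece.ResourceNames[0])
}

// Covers reports whether ownerRules cover servantRules, plus the broken-down pieces nothing covers.
func Covers(ownerRules, servantRules []PolicyRule) (bool, []PolicyRule) {
	var missing []PolicyRule
	for _, sr := range servantRules {
		for _, piece := range BreakdownRule(sr) {
			covered := false
			for _, or := range ownerRules {
				if ruleCovers(or, piece) {
					covered = true
					break
				}
			}
			if !covered {
				missing = append(missing, piece)
			}
		}
	}
	return len(missing) == 0, missing
}

// ConfirmNoEscalation: the requester's own rules must cover every rule in the role being written.
func ConfirmNoEscalation(requesterRules, roleRules []PolicyRule) error {
	if ok, missing := Covers(requesterRules, roleRules); !ok {
		return fmt.Errorf("attempt to grant extra privileges: %v", missing)
	}
	return nil
}

func main() {
	// Constructed sample: the requester can read pods and may only update the "web" deployment.
	requester := []PolicyRule{
		{Verbs: []string{"get", "list"}, APIGroups: []string{""}, Resources: []string{"pods"}},
		{Verbs: []string{"update"}, APIGroups: []string{"apps"}, Resources: []string{"deployments"}, ResourceNames: []string{"web"}},
	}
	// The role asks for delete on pods and update on every deployment: both pieces are reported.
	role := []PolicyRule{
		{Verbs: []string{"get", "delete"}, APIGroups: []string{""}, Resources: []string{"pods"}},
		{Verbs: []string{"update"}, APIGroups: []string{"apps"}, Resources: []string{"deployments"}},
	}
	fmt.Println(ConfirmNoEscalation(requester, role))
}
```

The uncovered list is what makes the check reviewable: because every entry is a single verb/resource/name piece, an audit log line or admission error can state exactly which permission the requester lacks, and the compacting step described for CompactRules can later fold those pieces back into readable rules.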
Types
type AuthorizationRuleResolver
type AuthorizationRuleResolver interface {
	GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error)
	GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error)
	// RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of
	// PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations
	// can be made on the basis of those rules that are found.
	RulesFor(info user.Info, namespace string) ([]authorizationapi.PolicyRule, error)
}
type DefaultRuleResolver
type DefaultRuleResolver struct {
// contains filtered or unexported fields
}
func NewDefaultRuleResolver
func NewDefaultRuleResolver(policyGetter client.PoliciesListerNamespacer, bindingLister client.PolicyBindingsListerNamespacer, clusterPolicyGetter client.ClusterPolicyLister, clusterBindingLister client.ClusterPolicyBindingLister) *DefaultRuleResolver
func (*DefaultRuleResolver) GetRole
func (a *DefaultRuleResolver) GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error)
func (*DefaultRuleResolver) GetRoleBindings
func (a *DefaultRuleResolver) GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error)
func (*DefaultRuleResolver) RulesFor added in v1.4.0
func (a *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]authorizationapi.PolicyRule, error)
RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.