Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewRestrictUsersAdmission ¶
NewRestrictUsersAdmission configures an admission plugin that enforces restrictions on adding role bindings in a project.
Types ¶
type GroupSubjectChecker ¶
type GroupSubjectChecker struct {
// contains filtered or unexported fields
}
GroupSubjectChecker determines whether a group subject is allowed in rolebindings in the project.
func NewGroupSubjectChecker ¶
func NewGroupSubjectChecker(groupRestriction *authorizationapi.GroupRestriction) GroupSubjectChecker
NewGroupSubjectChecker returns a new GroupSubjectChecker.
func (GroupSubjectChecker) Allowed ¶
func (checker GroupSubjectChecker) Allowed(subject rbac.Subject, ctx *RoleBindingRestrictionContext) (bool, error)
Allowed determines whether the given group subject is allowed in rolebindings in the project.
type RoleBindingRestrictionContext ¶
type RoleBindingRestrictionContext struct {
// contains filtered or unexported fields
}
RoleBindingRestrictionContext holds context that is used when determining whether a RoleBindingRestriction allows rolebindings on a particular subject.
func NewRoleBindingRestrictionContext ¶
func NewRoleBindingRestrictionContext(ns string, kc kclientset.Interface, oc oclient.Interface, groupCache GroupCache) (*RoleBindingRestrictionContext, error)
NewRoleBindingRestrictionContext returns a new RoleBindingRestrictionContext object.
type ServiceAccountSubjectChecker ¶
type ServiceAccountSubjectChecker struct {
// contains filtered or unexported fields
}
ServiceAccountSubjectChecker determines whether a serviceaccount subject is allowed in rolebindings in the project.
func NewServiceAccountSubjectChecker ¶
func NewServiceAccountSubjectChecker(serviceAccountRestriction *authorizationapi.ServiceAccountRestriction) ServiceAccountSubjectChecker
NewServiceAccountSubjectChecker returns a new ServiceAccountSubjectChecker.
func (ServiceAccountSubjectChecker) Allowed ¶
func (checker ServiceAccountSubjectChecker) Allowed(subject rbac.Subject, ctx *RoleBindingRestrictionContext) (bool, error)
Allowed determines whether the given serviceaccount subject is allowed in rolebindings in the project.
type SubjectChecker ¶
type SubjectChecker interface {
Allowed(rbac.Subject, *RoleBindingRestrictionContext) (bool, error)
}
SubjectChecker determines whether rolebindings on a subject (user, group, or service account) are allowed in a project.
func NewSubjectChecker ¶
func NewSubjectChecker(spec *authorizationapi.RoleBindingRestrictionSpec) (SubjectChecker, error)
NewSubjectChecker returns a new SubjectChecker.
type UnionSubjectChecker ¶
type UnionSubjectChecker []SubjectChecker
UnionSubjectChecker represents the union of zero or more SubjectCheckers.
func NewUnionSubjectChecker ¶
func NewUnionSubjectChecker(checkers []SubjectChecker) UnionSubjectChecker
NewUnionSubjectChecker returns a new UnionSubjectChecker.
func (UnionSubjectChecker) Allowed ¶
func (checkers UnionSubjectChecker) Allowed(subject rbac.Subject, ctx *RoleBindingRestrictionContext) (bool, error)
Allowed determines whether the given subject is allowed in rolebindings in the project.
type UserSubjectChecker ¶
type UserSubjectChecker struct {
// contains filtered or unexported fields
}
UserSubjectChecker determines whether a user subject is allowed in rolebindings in the project.
func NewUserSubjectChecker ¶
func NewUserSubjectChecker(userRestriction *authorizationapi.UserRestriction) UserSubjectChecker
NewUserSubjectChecker returns a new UserSubjectChecker.
func (UserSubjectChecker) Allowed ¶
func (checker UserSubjectChecker) Allowed(subject rbac.Subject, ctx *RoleBindingRestrictionContext) (bool, error)
Allowed determines whether the given user subject is allowed in rolebindings in the project.