rbac

package
v1.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 8, 2017 License: Apache-2.0, Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

+groupName=rbac.authorization.k8s.io

Index

Constants

View Source
const (
	APIGroupAll    = "*"
	ResourceAll    = "*"
	VerbAll        = "*"
	NonResourceAll = "*"

	GroupKind          = "Group"
	ServiceAccountKind = "ServiceAccount"
	UserKind           = "User"

	UserAll = "*"
)
View Source
const GroupName = "rbac.authorization.k8s.io"

Variables

View Source
var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects

Functions

func APIGroupMatches

func APIGroupMatches(rule PolicyRule, requestedGroup string) bool

func DeepCopy_rbac_ClusterRole

func DeepCopy_rbac_ClusterRole(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_ClusterRoleBinding

func DeepCopy_rbac_ClusterRoleBinding(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_ClusterRoleBindingList

func DeepCopy_rbac_ClusterRoleBindingList(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_ClusterRoleList

func DeepCopy_rbac_ClusterRoleList(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_PolicyRule

func DeepCopy_rbac_PolicyRule(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_Role

func DeepCopy_rbac_Role(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_RoleBinding

func DeepCopy_rbac_RoleBinding(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_RoleBindingList

func DeepCopy_rbac_RoleBindingList(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_RoleList

func DeepCopy_rbac_RoleList(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_RoleRef

func DeepCopy_rbac_RoleRef(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_rbac_Subject

func DeepCopy_rbac_Subject(in interface{}, out interface{}, c *conversion.Cloner) error

func Kind

func Kind(kind string) unversioned.GroupKind

Kind takes an unqualified kind and returns a Group qualified GroupKind

func NonResourceURLMatches

func NonResourceURLMatches(rule PolicyRule, requestedURL string) bool

func RegisterDeepCopies

func RegisterDeepCopies(scheme *runtime.Scheme) error

RegisterDeepCopies adds deep-copy functions to the given scheme. Public to allow building arbitrary schemes.

func Resource

func Resource(resource string) unversioned.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

func ResourceMatches

func ResourceMatches(rule PolicyRule, requestedResource string) bool

func ResourceNameMatches

func ResourceNameMatches(rule PolicyRule, requestedName string) bool

func RoleRefGroupKind

func RoleRefGroupKind(roleRef RoleRef) unversioned.GroupKind

func VerbMatches

func VerbMatches(rule PolicyRule, requestedVerb string) bool

Types

type ClusterRole

type ClusterRole struct {
	unversioned.TypeMeta
	// Standard object's metadata.
	api.ObjectMeta

	// Rules holds all the PolicyRules for this ClusterRole
	Rules []PolicyRule
}

ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.

type ClusterRoleBinding

type ClusterRoleBinding struct {
	unversioned.TypeMeta
	// Standard object's metadata.
	api.ObjectMeta

	// Subjects holds references to the objects the role applies to.
	Subjects []Subject

	// RoleRef can only reference a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	RoleRef RoleRef
}

ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.

type ClusterRoleBindingList

type ClusterRoleBindingList struct {
	unversioned.TypeMeta
	// Standard object's metadata.
	unversioned.ListMeta

	// Items is a list of ClusterRoleBindings
	Items []ClusterRoleBinding
}

ClusterRoleBindingList is a collection of ClusterRoleBindings

type ClusterRoleList

type ClusterRoleList struct {
	unversioned.TypeMeta
	// Standard object's metadata.
	unversioned.ListMeta

	// Items is a list of ClusterRoles
	Items []ClusterRole
}

ClusterRoleList is a collection of ClusterRoles

type PolicyRule

type PolicyRule struct {
	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
	Verbs []string
	// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
	// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
	AttributeRestrictions runtime.Object

	APIGroups []string
	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
	Resources []string
	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
	ResourceNames []string

	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
	// If an action is not a resource API request, then the URL is split on '/' and is checked against the NonResourceURLs to look for a match.
	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
	NonResourceURLs []string
}

PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.

type PolicyRuleBuilder

type PolicyRuleBuilder struct {
	PolicyRule PolicyRule
}

+k8s:deepcopy-gen=false PolicyRuleBuilder let's us attach methods. A no-no for API types. We use it to construct rules in code. It's more compact than trying to write them out in a literal and allows us to perform some basic checking during construction

func NewRule

func NewRule(verbs ...string) *PolicyRuleBuilder

func (*PolicyRuleBuilder) Groups

func (r *PolicyRuleBuilder) Groups(groups ...string) *PolicyRuleBuilder

func (*PolicyRuleBuilder) Names

func (r *PolicyRuleBuilder) Names(names ...string) *PolicyRuleBuilder

func (*PolicyRuleBuilder) Resources

func (r *PolicyRuleBuilder) Resources(resources ...string) *PolicyRuleBuilder

func (*PolicyRuleBuilder) Rule

func (r *PolicyRuleBuilder) Rule() (PolicyRule, error)

func (*PolicyRuleBuilder) RuleOrDie

func (r *PolicyRuleBuilder) RuleOrDie() PolicyRule

func (*PolicyRuleBuilder) URLs

func (r *PolicyRuleBuilder) URLs(urls ...string) *PolicyRuleBuilder

type Role

type Role struct {
	unversioned.TypeMeta
	// Standard object's metadata.
	api.ObjectMeta

	// Rules holds all the PolicyRules for this Role
	Rules []PolicyRule
}

Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.

type RoleBinding

type RoleBinding struct {
	unversioned.TypeMeta
	api.ObjectMeta

	// Subjects holds references to the objects the role applies to.
	Subjects []Subject

	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	RoleRef RoleRef
}

RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.

type RoleBindingList

type RoleBindingList struct {
	unversioned.TypeMeta
	// Standard object's metadata.
	unversioned.ListMeta

	// Items is a list of roleBindings
	Items []RoleBinding
}

RoleBindingList is a collection of RoleBindings

type RoleList

type RoleList struct {
	unversioned.TypeMeta
	// Standard object's metadata.
	unversioned.ListMeta

	// Items is a list of roles
	Items []Role
}

RoleList is a collection of Roles

type RoleRef

type RoleRef struct {
	// APIGroup is the group for the resource being referenced
	APIGroup string
	// Kind is the type of resource being referenced
	Kind string
	// Name is the name of resource being referenced
	Name string
}

RoleRef contains information that points to the role being used

type Subject

type Subject struct {
	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
	Kind string
	// APIVersion holds the API group and version of the referenced object. For non-object references such as "Group" and "User" this is
	// expected to be API version of this API group. For example, "rbac/v1alpha1".
	APIVersion string
	// Name of the object being referenced.
	Name string
	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
	// the Authorizer should report an error.
	Namespace string
}

Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.

Directories

Path Synopsis
Package install installs the batch API group, making it available as an option to all of the API encoding/decoding machinery.
Package install installs the batch API group, making it available as an option to all of the API encoding/decoding machinery.
+groupName=rbac.authorization.k8s.io
+groupName=rbac.authorization.k8s.io

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL