Documentation
Index
- Constants
- func NamespaceValidator(ops ...string) func(*ACL, string) bool
- type ACL
- func (a *ACL) AllowAgentRead() bool
- func (a *ACL) AllowAgentWrite() bool
- func (a *ACL) AllowHostVolume(ns string) bool
- func (a *ACL) AllowHostVolumeOperation(hv string, op string) bool
- func (a *ACL) AllowNamespace(ns string) bool
- func (a *ACL) AllowNamespaceOperation(ns string, op string) bool
- func (a *ACL) AllowNodePool(pool string) bool
- func (a *ACL) AllowNodePoolOperation(pool string, op string) bool
- func (a *ACL) AllowNodePoolSearch() bool
- func (a *ACL) AllowNodeRead() bool
- func (a *ACL) AllowNodeWrite() bool
- func (a *ACL) AllowNsOp(ns string, op string) bool
- func (a *ACL) AllowNsOpFunc(ops ...string) func(string) bool
- func (a *ACL) AllowOperatorRead() bool
- func (a *ACL) AllowOperatorWrite() bool
- func (a *ACL) AllowPluginList() bool
- func (a *ACL) AllowPluginRead() bool
- func (a *ACL) AllowQuotaRead() bool
- func (a *ACL) AllowQuotaWrite() bool
- func (a *ACL) AllowVariableOperation(ns, path, op string, claim *ACLClaim) bool
- func (a *ACL) AllowVariableSearch(ns string) bool
- func (a *ACL) IsManagement() bool
- type ACLClaim
- type AgentPolicy
- type HostVolumePolicy
- type NamespacePolicy
- type NodePolicy
- type NodePoolPolicy
- type OperatorPolicy
- type PluginPolicy
- type Policy
- type QuotaPolicy
- type VariablesPathPolicy
- type VariablesPolicy
Constants
const (
	// The following levels are the only valid values for the `policy = "read"` block.
	// When policies are merged together, the most privilege is granted, except for deny
	// which always takes precedence and supersedes.
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyList  = "list"
	PolicyWrite = "write"
	PolicyScale = "scale"
)
const (
	NamespaceCapabilityDeny                 = "deny"
	NamespaceCapabilityListJobs             = "list-jobs"
	NamespaceCapabilityParseJob             = "parse-job"
	NamespaceCapabilityReadJob              = "read-job"
	NamespaceCapabilitySubmitJob            = "submit-job"
	NamespaceCapabilityDispatchJob          = "dispatch-job"
	NamespaceCapabilityReadLogs             = "read-logs"
	NamespaceCapabilityReadFS               = "read-fs"
	NamespaceCapabilityAllocExec            = "alloc-exec"
	NamespaceCapabilityAllocNodeExec        = "alloc-node-exec"
	NamespaceCapabilityAllocLifecycle       = "alloc-lifecycle"
	NamespaceCapabilitySentinelOverride     = "sentinel-override"
	NamespaceCapabilityCSIRegisterPlugin    = "csi-register-plugin"
	NamespaceCapabilityCSIWriteVolume       = "csi-write-volume"
	NamespaceCapabilityCSIReadVolume        = "csi-read-volume"
	NamespaceCapabilityCSIListVolume        = "csi-list-volume"
	NamespaceCapabilityCSIMountVolume       = "csi-mount-volume"
	NamespaceCapabilityListScalingPolicies  = "list-scaling-policies"
	NamespaceCapabilityReadScalingPolicy    = "read-scaling-policy"
	NamespaceCapabilityReadJobScaling       = "read-job-scaling"
	NamespaceCapabilityScaleJob             = "scale-job"
	NamespaceCapabilitySubmitRecommendation = "submit-recommendation"
)
const (
	NodePoolCapabilityDelete = "delete"
	NodePoolCapabilityDeny   = "deny"
	NodePoolCapabilityRead   = "read"
	NodePoolCapabilityWrite  = "write"
)
const (
	HostVolumeCapabilityDeny           = "deny"
	HostVolumeCapabilityMountReadOnly  = "mount-readonly"
	HostVolumeCapabilityMountReadWrite = "mount-readwrite"
)
const (
	// The following are the fine-grained capabilities that can be
	// granted for a variables path. When capabilities are
	// combined we take the union of all capabilities.
	VariablesCapabilityList    = "list"
	VariablesCapabilityRead    = "read"
	VariablesCapabilityWrite   = "write"
	VariablesCapabilityDestroy = "destroy"
	VariablesCapabilityDeny    = "deny"
)
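The merge rule stated in the constant comments above (capabilities from several policies are unioned, and deny supersedes everything else), as an added stand-alone Go illustration that is not the acl package's own code; `capabilitySet`, `mergeCapabilities` and `allowVariableOp` are names chosen here, and the sample policies are constructed.

```go
package main

import "fmt"

// Illustrative reimplementation of the merge rule stated in the acl package's
// constant comments (union of capabilities, deny supersedes); not Nomad's code.
const (
	VariablesCapabilityList    = "list"
	VariablesCapabilityRead    = "read"
	VariablesCapabilityWrite   = "write"
	VariablesCapabilityDestroy = "destroy"
	VariablesCapabilityDeny    = "deny"
)

// capabilitySet (name chosen here) holds the capabilities granted on one path.
type capabilitySet map[string]struct{}

// mergeCapabilities unions the capabilities every contributing policy grants
// for the same path. A deny in any policy supersedes all other grants, so the
// result collapses to {deny} regardless of policy order.
func mergeCapabilities(policies ...[]string) capabilitySet {
	merged := capabilitySet{}
	for _, caps := range policies {
		for _, c := range caps {
			if c == VariablesCapabilityDeny {
				return capabilitySet{VariablesCapabilityDeny: {}}
			}
			merged[c] = struct{}{}
		}
	}
	return merged
}

// allowVariableOp reports whether op is permitted by the merged set. An
// explicit deny, or a set that never granted op, refuses the operation.
func allowVariableOp(set capabilitySet, op string) bool {
	if _, denied := set[VariablesCapabilityDeny]; denied {
		return false
	}
	_, ok := set[op]
	return ok
}

func main() {
	// Constructed sample input: two policies grant list/read and write on one path,
	// a third adds deny, which overrides everything merged before it.
	granted := mergeCapabilities([]string{VariablesCapabilityList, VariablesCapabilityRead}, []string{VariablesCapabilityWrite})
	denied := mergeCapabilities([]string{VariablesCapabilityWrite}, []string{VariablesCapabilityDeny})
	fmt.Println(allowVariableOp(granted, VariablesCapabilityWrite)) // true
	fmt.Println(allowVariableOp(denied, VariablesCapabilityWrite))  // false
}
```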
const AllNamespacesSentinel = "*"
This value is redefined here, rather than imported from structs, to avoid a circular dependency.
Variables
This section is empty.
Functions
Types
type ACL
type ACL struct {
// contains filtered or unexported fields
}
ACL object is used to convert a set of policies into a structure that can be efficiently evaluated to determine if an action is allowed.
var ManagementACL *ACL
ManagementACL is a singleton used for management tokens.
func (*ACL) AllowAgentRead
AllowAgentRead checks if read operations are allowed for an agent.
func (*ACL) AllowAgentWrite
AllowAgentWrite checks if write operations are allowed for an agent.
func (*ACL) AllowHostVolume (added in v0.10.0)
AllowHostVolume checks if any operations are allowed for a HostVolume.
func (*ACL) AllowHostVolumeOperation (added in v0.10.0)
AllowHostVolumeOperation checks if a given operation is allowed for a host volume.
func (*ACL) AllowNamespace
AllowNamespace checks if any operations are allowed for a namespace.
func (*ACL) AllowNamespaceOperation
AllowNamespaceOperation checks if a given operation is allowed for a namespace.
func (*ACL) AllowNodePool (added in v1.6.105)
AllowNodePool returns true if any operation is allowed for the node pool.
func (*ACL) AllowNodePoolOperation (added in v1.6.105)
AllowNodePoolOperation returns true if the given operation is allowed in the specified node pool.
func (*ACL) AllowNodePoolSearch (added in v1.6.105)
AllowNodePoolSearch returns true if any operation is allowed in at least one node pool.
This is a very loose check; callers are expected to perform more precise verification later.
func (*ACL) AllowNodeRead
AllowNodeRead checks if read operations are allowed for a node.
func (*ACL) AllowNodeWrite
AllowNodeWrite checks if write operations are allowed for a node.
func (*ACL) AllowNsOpFunc (added in v1.6.105)
AllowNsOpFunc is a helper that returns a function that can be used to check namespace permissions.
func (*ACL) AllowOperatorRead
AllowOperatorRead checks if read operations are allowed for an operator.
func (*ACL) AllowOperatorWrite
AllowOperatorWrite checks if write operations are allowed for an operator.
func (*ACL) AllowPluginList (added in v0.11.0)
AllowPluginList checks if list operations are allowed for all plugins.
func (*ACL) AllowPluginRead (added in v0.11.0)
AllowPluginRead checks if read operations are allowed for all plugins.
func (*ACL) AllowQuotaRead
AllowQuotaRead checks if read operations are allowed for all quotas.
func (*ACL) AllowQuotaWrite
AllowQuotaWrite checks if write operations are allowed for quotas.
func (*ACL) AllowVariableOperation (added in v1.6.105)
func (*ACL) AllowVariableSearch (added in v1.6.105)
AllowVariableSearch is a very loose check that the token has *any* access to a variables path for the namespace, with the expectation that the actual search result will be filtered by specific paths.
func (*ACL) IsManagement
IsManagement checks if this represents a management token.
type AgentPolicy
type AgentPolicy struct {
	Policy string
}
type HostVolumePolicy (added in v0.10.0)
HostVolumePolicy is the policy for a specific named host volume.
type NamespacePolicy
type NamespacePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
	Variables    *VariablesPolicy `hcl:"variables"`
}
NamespacePolicy is the policy for a specific namespace.
type NodePolicy
type NodePolicy struct {
	Policy string
}
type NodePoolPolicy (added in v1.6.105)
NodePoolPolicy is the policy for a specific node pool.
type OperatorPolicy
type OperatorPolicy struct {
	Policy string
}
type PluginPolicy (added in v0.11.0)
type PluginPolicy struct {
	Policy string
}
type Policy
type Policy struct {
	Namespaces  []*NamespacePolicy  `hcl:"namespace,expand"`
	NodePools   []*NodePoolPolicy   `hcl:"node_pool,expand"`
	HostVolumes []*HostVolumePolicy `hcl:"host_volume,expand"`
	Agent       *AgentPolicy        `hcl:"agent"`
	Node        *NodePolicy         `hcl:"node"`
	Operator    *OperatorPolicy     `hcl:"operator"`
	Quota       *QuotaPolicy        `hcl:"quota"`
	Plugin      *PluginPolicy       `hcl:"plugin"`
	Raw         string              `hcl:"-"`
}
Policy represents a parsed HCL or JSON policy.
type QuotaPolicy
type QuotaPolicy struct {
	Policy string
}
type VariablesPathPolicy (added in v1.6.105)
type VariablesPolicy (added in v1.6.105)
type VariablesPolicy struct {
	Paths []*VariablesPathPolicy `hcl:"path"`
}