Documentation
Constants

const (
	// SystemKcpAdminGroup is global admin group. Members of this group have all permissions across all workspaces.
	SystemKcpAdminGroup = "system:kcp:admin"
	// SystemKcpWorkspaceBootstrapper is the group used to bootstrap resources, both during the root setup, as well
	// as when the default APIBinding initializing controller performs its bootstrapping for initializing workspaces.
	// We need a separate group (not the privileged system group) for this because system-owned workspaces (e.g. root:users) need
	// a workspace owner annotation set, and the owner annotation is skipped/not set for the privileged system group.
	SystemKcpWorkspaceBootstrapper = "system:kcp:tenancy:workspace-bootstrapper"
	// SystemLogicalClusterAdmin is a group used by the workspace scheduler to create LogicalCluster resources.
	// This group allows it to skip the entire authorization stack except the bootstrap policy authorizer.
	// Otherwise, the requests would be rejected because the LogicalCluster resource does not exist yet.
	SystemLogicalClusterAdmin = "system:kcp:logical-cluster-admin"
	// SystemExternalLogicalClusterAdmin is a group used by the workspace controllers to manage LogicalCluster
	// resources after creation, using a subset of permissions allowed for the internal logical-cluster-admin.
	SystemExternalLogicalClusterAdmin = "system:kcp:external-logical-cluster-admin"
	// SystemKcpWorkspaceAccessGroup is a group that gives a user system:authenticated access to a workspace.
	SystemKcpWorkspaceAccessGroup = "system:kcp:workspace:access"
)

const (
	// SystemMastersGroup is the group inherited from k8s codebase - all powerful, all knowing!
	// Users should not be added to this group.
	SystemMastersGroup = user.SystemPrivilegedGroup
)

Variables
This section is empty.
Functions
func Policy
func Policy() *rbacrest.PolicyData
Types
This section is empty.