Documentation
¶
Index ¶
- Constants
- func NewAPIBindingAccessAuthorizer(kubeInformers clientgoinformers.SharedInformerFactory, ...) (authorizer.Authorizer, error)
- func NewBootstrapPolicyAuthorizer(informers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
- func NewLocalAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
- func NewSystemCRDAuthorizer(delegate authorizer.Authorizer) authorizer.Authorizer
- func NewTopLevelOrganizationAccessAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, ...) authorizer.Authorizer
- func NewWorkspaceContentAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, ...) authorizer.Authorizer
- type LocalAuthorizer
- type SystemCRDAuthorizer
Constants ¶
const WorkspaceAcccessNotPermittedReason = "workspace access not permitted"
Variables ¶
This section is empty.
Functions ¶
func NewAPIBindingAccessAuthorizer ¶ added in v0.6.0
func NewAPIBindingAccessAuthorizer(kubeInformers clientgoinformers.SharedInformerFactory, kcpInformers kcpinformers.SharedInformerFactory, delegate authorizer.Authorizer) (authorizer.Authorizer, error)
NewAPIBindingAccessAuthorizer returns an authorizer that checks if the the request is for a bound resource or not. If the resource is bound we will check the user has RBAC access in the exported resources workspace. If it is not allowed we will return NoDecision, if allowed we will call the delegate authorizer.
func NewBootstrapPolicyAuthorizer ¶
func NewBootstrapPolicyAuthorizer(informers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewLocalAuthorizer ¶
func NewLocalAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewSystemCRDAuthorizer ¶ added in v0.6.0
func NewSystemCRDAuthorizer(delegate authorizer.Authorizer) authorizer.Authorizer
func NewTopLevelOrganizationAccessAuthorizer ¶ added in v0.6.0
func NewTopLevelOrganizationAccessAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, clusterWorkspaceLister tenancyv1.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer
NewTopLevelOrganizationAccessAuthorizer returns an authorizer that checks for access+member verb in clusterworkspaces/content of the top-level workspace the request workspace is nested in. If one of these verbs are admitted, the delegate authorizer is called. Otherwise, NoOpionion is returned if the top-level workspace exists, and Deny otherwise.
func NewWorkspaceContentAuthorizer ¶
func NewWorkspaceContentAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, clusterWorkspaceLister tenancyalphav1.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer
Types ¶
type LocalAuthorizer ¶
type LocalAuthorizer struct {
// contains filtered or unexported fields
}
func (*LocalAuthorizer) Authorize ¶
func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
func (*LocalAuthorizer) RulesFor ¶
func (a *LocalAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
type SystemCRDAuthorizer ¶ added in v0.6.0
type SystemCRDAuthorizer struct {
// contains filtered or unexported fields
}
SystemCRDAuthorizer protects the system CRDs from users who are admins in their workspaces.
func (*SystemCRDAuthorizer) Authorize ¶ added in v0.6.0
func (a *SystemCRDAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
Source Files
Directories