Documentation ¶
Index ¶
- func ConfirmNoEscalation(ctx api.Context, ruleResolver AuthorizationRuleResolver, ...) error
- func Covers(ownerRules, servantRules []rbac.PolicyRule) (bool, []rbac.PolicyRule)
- func ValidateClusterRole(policy *rbac.ClusterRole) field.ErrorList
- func ValidateClusterRoleBinding(policy *rbac.ClusterRoleBinding) field.ErrorList
- func ValidateClusterRoleBindingUpdate(policy *rbac.ClusterRoleBinding, oldRoleBinding *rbac.ClusterRoleBinding) field.ErrorList
- func ValidateClusterRoleUpdate(policy *rbac.ClusterRole, oldRole *rbac.ClusterRole) field.ErrorList
- func ValidateRole(policy *rbac.Role) field.ErrorList
- func ValidateRoleBinding(policy *rbac.RoleBinding) field.ErrorList
- func ValidateRoleBindingUpdate(policy *rbac.RoleBinding, oldRoleBinding *rbac.RoleBinding) field.ErrorList
- func ValidateRoleUpdate(policy *rbac.Role, oldRole *rbac.Role) field.ErrorList
- type AuthorizationRuleResolver
- type ClusterRoleBindingLister
- type ClusterRoleGetter
- type DefaultRuleResolver
- type RoleBindingLister
- type RoleGetter
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ConfirmNoEscalation ¶
func ConfirmNoEscalation(ctx api.Context, ruleResolver AuthorizationRuleResolver, rules []rbac.PolicyRule) error
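ConfirmNoEscalation determines whether the rules held by a given user in a given namespace (both identified through ctx) encompass the provided rules. A non-nil error means they do not, i.e. that granting the provided rules would give away permissions the user does not hold.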
func Covers ¶
func Covers(ownerRules, servantRules []rbac.PolicyRule) (bool, []rbac.PolicyRule)
Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether the ownerRules cover the servantRules, together with a list of the rules that the ownerRules do not cover.
func ValidateClusterRole ¶
func ValidateClusterRole(policy *rbac.ClusterRole) field.ErrorList
func ValidateClusterRoleBinding ¶
func ValidateClusterRoleBinding(policy *rbac.ClusterRoleBinding) field.ErrorList
func ValidateClusterRoleBindingUpdate ¶
func ValidateClusterRoleBindingUpdate(policy *rbac.ClusterRoleBinding, oldRoleBinding *rbac.ClusterRoleBinding) field.ErrorList
func ValidateClusterRoleUpdate ¶
func ValidateClusterRoleUpdate(policy *rbac.ClusterRole, oldRole *rbac.ClusterRole) field.ErrorList
func ValidateRoleBinding ¶
func ValidateRoleBinding(policy *rbac.RoleBinding) field.ErrorList
func ValidateRoleBindingUpdate ¶
func ValidateRoleBindingUpdate(policy *rbac.RoleBinding, oldRoleBinding *rbac.RoleBinding) field.ErrorList
Types ¶
type AuthorizationRuleResolver ¶
// AuthorizationRuleResolver resolves policy rules: those behind a role reference, and those in
// effect for the user described by a context.
type AuthorizationRuleResolver interface {
	// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namespace
	// of the role binding, or the empty string for a cluster role binding.
	GetRoleReferenceRules(ctx api.Context, roleRef api.ObjectReference, namespace string) ([]rbac.PolicyRule, error)

	// GetEffectivePolicyRules returns the list of rules that apply to a given user in a given namespace, and an error. If an error is returned, the slice of
	// PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations
	// can be made on the basis of those rules that are found.
	//
	// Because rules only ever add permissions, a partial slice can understate what the user may do but cannot overstate it, so a
	// caller that requires coverage fails closed on a partial result.
	// NOTE(review): the user and namespace are presumably read from ctx, the only argument; confirm against the implementation.
	GetEffectivePolicyRules(ctx api.Context) ([]rbac.PolicyRule, error)
}
func NewTestRuleResolver ¶
func NewTestRuleResolver(roles []rbac.Role, roleBindings []rbac.RoleBinding, clusterRoles []rbac.ClusterRole, clusterRoleBindings []rbac.ClusterRoleBinding) AuthorizationRuleResolver
NewTestRuleResolver returns a rule resolver from lists of role objects.
type ClusterRoleBindingLister ¶
// ClusterRoleBindingLister is the source of ClusterRoleBindings handed to NewDefaultRuleResolver.
type ClusterRoleBindingLister interface {
	// ListClusterRoleBindings returns a ClusterRoleBindingList for the given context and list options, or an error.
	// NOTE(review): whether options may be nil is not visible here; confirm against the implementations.
	ListClusterRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.ClusterRoleBindingList, error)
}
type ClusterRoleGetter ¶
type DefaultRuleResolver ¶
type DefaultRuleResolver struct {
// contains filtered or unexported fields
}
func NewDefaultRuleResolver ¶
func NewDefaultRuleResolver(roleGetter RoleGetter, roleBindingLister RoleBindingLister, clusterRoleGetter ClusterRoleGetter, clusterRoleBindingLister ClusterRoleBindingLister) *DefaultRuleResolver
func (*DefaultRuleResolver) GetEffectivePolicyRules ¶
func (r *DefaultRuleResolver) GetEffectivePolicyRules(ctx api.Context) ([]rbac.PolicyRule, error)
func (*DefaultRuleResolver) GetRoleReferenceRules ¶
func (r *DefaultRuleResolver) GetRoleReferenceRules(ctx api.Context, roleRef api.ObjectReference, bindingNamespace string) ([]rbac.PolicyRule, error)
GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding.
type RoleBindingLister ¶
// RoleBindingLister is the source of RoleBindings handed to NewDefaultRuleResolver.
type RoleBindingLister interface {
	// ListRoleBindings returns a RoleBindingList for the given context and list options, or an error.
	// NOTE(review): presumably the namespace to list is taken from ctx, since no namespace argument is passed; confirm.
	ListRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.RoleBindingList, error)
}