Documentation
Index
- Constants
- Variables
- func Allowed() authorizationv1.SubjectAccessReviewStatus
- func AuthorizationAttributesFrom(spec authorizationv1.SubjectAccessReviewSpec) auth.AttributesRecord
- func Denied(reason string) authorizationv1.SubjectAccessReviewStatus
- func Errored(code int32, err error) authorizationv1.SubjectAccessReviewStatus
- func Identity(u user.Info) (string, bool)
- func NewAuthorizer(logger logr.Logger, graph graph.Interface) *authorizer
- func NewHandler(logger logr.Logger, authorizer auth.Authorizer) http.HandlerFunc
- func NoOpinion(reason string) authorizationv1.SubjectAccessReviewStatus
- func NonResourceAttributesFrom(user user.Info, in authorizationv1.NonResourceAttributes) auth.AttributesRecord
- func ResourceAttributesFrom(user user.Info, in authorizationv1.ResourceAttributes) auth.AttributesRecord
Constants
const AuthorizerName = "seedauthorizer"
AuthorizerName is the name of this authorizer.
const WebhookPath = "/webhooks/auth/seed"
WebhookPath is the HTTP handler path for this authorization webhook handler.
Variables
var (
	// DecisionTimeout is the maximum time for the authorizer to take a decision. Exposed for testing.
	DecisionTimeout = 10 * time.Second
)
Functions
func Allowed
func Allowed() authorizationv1.SubjectAccessReviewStatus
Allowed constructs a SubjectAccessReview and indicates in its status that the given operation is allowed.
func AuthorizationAttributesFrom
func AuthorizationAttributesFrom(spec authorizationv1.SubjectAccessReviewSpec) auth.AttributesRecord
AuthorizationAttributesFrom takes a spec and returns the proper authz attributes to check it.
func Denied
func Denied(reason string) authorizationv1.SubjectAccessReviewStatus
Denied constructs a SubjectAccessReview and indicates in its status that the given operation is denied and that other authenticators should not be consulted for their opinion.
func Errored
func Errored(code int32, err error) authorizationv1.SubjectAccessReviewStatus
Errored constructs a SubjectAccessReview and indicates in its status that an error occurred during the evaluation of the result.
func Identity
Identity returns the seed name and a boolean indicating whether the provided user has the gardener.cloud:system:seeds group. If the seed name is ambiguous then an empty string will be returned.
func NewAuthorizer
NewAuthorizer returns a new authorizer for requests from gardenlets. It never has an opinion on the request.
func NewHandler
func NewHandler(logger logr.Logger, authorizer auth.Authorizer) http.HandlerFunc
NewHandler creates a new HTTP handler for authorizing requests for resources related to a Seed.
func NoOpinion
func NoOpinion(reason string) authorizationv1.SubjectAccessReviewStatus
NoOpinion constructs a SubjectAccessReview and indicates in its status that the authorizer does not have an opinion about the result, i.e., other authenticators should be consulted for their opinion.
func NonResourceAttributesFrom
func NonResourceAttributesFrom(user user.Info, in authorizationv1.NonResourceAttributes) auth.AttributesRecord
NonResourceAttributesFrom combines the API object information and the user.Info from the context to build a full auth.AttributesRecord for non-resource access.
func ResourceAttributesFrom
func ResourceAttributesFrom(user user.Info, in authorizationv1.ResourceAttributes) auth.AttributesRecord
ResourceAttributesFrom combines the API object information and the user.Info from the context to build a full auth.AttributesRecord for resource access.
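As an added Go example (not this package's own code), the following reimplements the four status constructors and the Identity contract documented above over constructed stand-in types, and adds a simplified Decide that scopes a gardenlet to its own seed and, in line with the authorizer described above, never denies but abstains with NoOpinion so that other authorizers are still consulted. The username prefix gardener.cloud:system:seed:, the <ambiguous> marker and the Errored message format are assumptions that the page does not state.

```go
package main

import (
	"fmt"
	"strings"
)
// Constructed stand-ins for authorizationv1.SubjectAccessReviewStatus and user.Info (not the real k8s types).
type Status struct{ Allowed, Denied bool; Reason, EvaluationError string }
type UserInfo struct{ Name string; Groups []string }
const SeedsGroup = "gardener.cloud:system:seeds"         // named on the page
const seedUserNamePrefix = "gardener.cloud:system:seed:" // assumption: gardenlet username layout
const seedNameAmbiguous = "<ambiguous>"                  // assumption: marker for a non-unique seed name

// The four status shapes the page's constructors produce. Only Denied sets Denied=true, which stops
// the API server from consulting further authorizers; NoOpinion leaves both flags false so RBAC still runs.
func Allowed() Status                { return Status{Allowed: true} }
func Denied(reason string) Status    { return Status{Denied: true, Reason: reason} }
func NoOpinion(reason string) Status { return Status{Reason: reason} }
func Errored(code int32, err error) Status { return Status{EvaluationError: fmt.Sprintf("%d %s", code, err)} } // format assumed

// Identity follows the documented contract: the seed name and whether the user carries the seeds
// group; an ambiguous seed name yields "" while the boolean still reports a seed user.
func Identity(u UserInfo) (string, bool) {
	inSeedsGroup := false
	for _, g := range u.Groups {
		inSeedsGroup = inSeedsGroup || g == SeedsGroup
	}
	if !inSeedsGroup || !strings.HasPrefix(u.Name, seedUserNamePrefix) {
		return "", false
	}
	if name := strings.TrimPrefix(u.Name, seedUserNamePrefix); name != seedNameAmbiguous {
		return name, true
	}
	return "", true
}

// Decide is a simplified stand-in for the graph-based authorizer: a gardenlet may only touch objects
// of its own seed. It never denies; anything it cannot positively scope is left to other authorizers.
func Decide(u UserInfo, resourceSeed string) Status {
	seed, isSeed := Identity(u)
	switch {
	case !isSeed:
		return NoOpinion("not a gardenlet identity")
	case seed == "":
		return NoOpinion("ambiguous seed identity, cannot scope request")
	case seed == resourceSeed:
		return Allowed()
	}
	return NoOpinion(fmt.Sprintf("seed %q may not access objects of seed %q", seed, resourceSeed))
}
```

Note that an ambiguous identity is reported as a seed user but yields an empty name, so any seed-scoped check must treat it as unscopable rather than as a wildcard.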
Types
This section is empty.