Documentation
Overview
Package v1 contains API Schema definitions for the rbac v1 API group. +kubebuilder:object:generate=true +groupName=rbac.kvdi.io
Index
- Constants
- Variables
- type Resource
- type Rule
- func (in *Rule) DeepCopy() *Rule
- func (in *Rule) DeepCopyInto(out *Rule)
- func (r *Rule) DeepEqual(rule Rule) bool
- func (r *Rule) HasNamespace(ns string) bool
- func (r *Rule) HasResourceType(resource Resource) bool
- func (r *Rule) HasVerb(verb Verb) bool
- func (r *Rule) IsEmpty() bool
- func (r *Rule) MatchesResourceName(name string) bool
- type VDIRole
- type VDIRoleList
- type Verb
Constants

```go
const NamespaceAll = "*"
```

NamespaceAll represents all namespaces.

Variables

```go
var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "rbac.kvdi.io", Version: "v1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
```
Functions

This section is empty.

Types
type Resource

```go
type Resource string
```

Resource represents the target of an API action. +kubebuilder:validation:Enum=users;roles;templates;serviceaccounts;*

```go
const (
	// ResourceUsers represents users of kVDI. This action would only apply
	// when using local auth.
	ResourceUsers Resource = "users"
	// ResourceRoles represents the auth roles in kVDI. This would allow a user
	// to manipulate policies via the app API.
	ResourceRoles Resource = "roles"
	// ResourceTemplates represents desktop templates in kVDI. Mainly the ability
	// to launch sessions from them and connect to them. The "launch" verb can be used
	// in this context when referring to launching templates, and the "use" verb for
	// connecting to them via the UI.
	ResourceTemplates Resource = "templates"
	// ResourceServiceAccounts represents kubernetes service accounts. Specifically,
	// the ability to launch desktops that assume them. The API does not expose any
	// CRUD operations on these, but the "use" verb can be used to signal that a user
	// is allowed to assume the given service accounts.
	ResourceServiceAccounts Resource = "serviceaccounts"
	// ResourceAll matches all resources
	ResourceAll Resource = "*"
)
```

Resource options
type Rule

```go
type Rule struct {
	// The actions this rule applies for. VerbAll matches all actions.
	// Recognized options are: `["create", "read", "update", "delete", "use", "launch", "*"]`
	Verbs []Verb `json:"verbs,omitempty"`
	// Resources this rule applies to. ResourceAll matches all resources.
	// Recognized options are: `["users", "roles", "templates", "serviceaccounts", "*"]`
	Resources []Resource `json:"resources,omitempty"`
	// Resource regexes that match this rule. This can be template patterns, role
	// names or user names. There is no All representation because * will have
	// that effect on its own when the regex is evaluated. When referring to "serviceaccounts",
	// only the "use" verb is evaluated in the context of assuming those accounts in
	// desktop sessions.
	//
	// **NOTE**: The `kvdi-manager` is responsible for launching pods with a service account
	// requested for a given Desktop. If the service account itself contains more permissions
	// than the manager itself, the Kubernetes API will deny the request. The way to remedy this
	// would be to either mirror permissions to that ClusterRole, or make the `kvdi-manager` itself a
	// cluster admin, both of which come with inherent risks. In the end, you can decide the best
	// approach for your use case with regards to exposing access to the Kubernetes APIs via kvdi sessions.
	ResourcePatterns []string `json:"resourcePatterns,omitempty"`
	// Namespaces this rule applies to. Only evaluated for template launching
	// permissions. Including "*" as an option matches all namespaces.
	Namespaces []string `json:"namespaces,omitempty"`
}
```

Rule represents a set of permissions applied to a VDIRole. It mostly resembles an rbacv1.PolicyRule, with resources being a regex and the addition of a namespace selector.
func (*Rule) DeepCopy

```go
func (in *Rule) DeepCopy() *Rule
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.

func (*Rule) DeepCopyInto

```go
func (in *Rule) DeepCopyInto(out *Rule)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Rule) DeepEqual

```go
func (r *Rule) DeepEqual(rule Rule) bool
```

DeepEqual returns true if the provided rule matches this one exactly. All values in both rules are first sorted, and then equality is derived from whether all fields pass reflect.DeepEqual.

func (*Rule) HasNamespace

```go
func (r *Rule) HasNamespace(ns string) bool
```

HasNamespace returns true if this rule includes the given namespace.

func (*Rule) HasResourceType

```go
func (r *Rule) HasResourceType(resource Resource) bool
```

HasResourceType returns true if this rule has the given resource type.

func (*Rule) MatchesResourceName

```go
func (r *Rule) MatchesResourceName(name string) bool
```

MatchesResourceName returns true if any of the resource patterns in this rule match the given name.
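The following is an added example, not code from the kvdi project, showing how the Rule fields above (ResourcePatterns as Go regexps, Namespaces with the NamespaceAll wildcard) are evaluated by HasNamespace and MatchesResourceName, plus a small review check for the common mistake of unanchored patterns. The types are redeclared locally with only the two fields exercised, and treating an invalid regexp as "no match" is an assumption about the real implementation.

```go
package main

import (
	"regexp"
	"strings"
)

// NamespaceAll and Rule mirror the rbac.kvdi.io/v1 API (assumed shapes,
// redeclared so the example runs without importing the kvdi module); only
// the two fields whose evaluation this example exercises are kept.
const NamespaceAll = "*"

type Rule struct {
	ResourcePatterns []string // Go regexps matched against template names
	Namespaces       []string // "*" (NamespaceAll) matches every namespace
}

// HasNamespace is true if the rule lists ns itself or the NamespaceAll wildcard.
func (r *Rule) HasNamespace(ns string) bool {
	for _, have := range r.Namespaces {
		if have == NamespaceAll || have == ns {
			return true
		}
	}
	return false
}

// MatchesResourceName evaluates each pattern as a Go regexp. An invalid
// pattern counts as no match (fail closed); that is an assumption here.
func (r *Rule) MatchesResourceName(name string) bool {
	for _, p := range r.ResourcePatterns {
		if ok, err := regexp.MatchString(p, name); err == nil && ok {
			return true
		}
	}
	return false
}

// UnanchoredPatterns flags patterns without ^...$ anchors: "dev-" also matches
// "prod-dev-ubuntu", so the grant is wider than the role author likely meant.
func UnanchoredPatterns(r *Rule) []string {
	var out []string
	for _, p := range r.ResourcePatterns {
		if !strings.HasPrefix(p, "^") || !strings.HasSuffix(p, "$") {
			out = append(out, p)
		}
	}
	return out
}
```

A launch is permitted only when both checks pass, so a role meant for "dev-*" templates in the "dev" namespace should carry an anchored pattern such as `^dev-.*$` and an explicit namespace rather than "*".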
type VDIRole

```go
type VDIRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// A list of rules granting access to resources in the VDICluster.
	Rules []Rule `json:"rules,omitempty"`
}
```

VDIRole is the Schema for the vdiroles API.
func (*VDIRole) DeepCopy

```go
func (in *VDIRole) DeepCopy() *VDIRole
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VDIRole.

func (*VDIRole) DeepCopyInto

```go
func (in *VDIRole) DeepCopyInto(out *VDIRole)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VDIRole) DeepCopyObject

```go
func (in *VDIRole) DeepCopyObject() runtime.Object
```

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VDIRoleList

```go
type VDIRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VDIRole `json:"items"`
}
```

VDIRoleList contains a list of VDIRole.
func (*VDIRoleList) DeepCopy

```go
func (in *VDIRoleList) DeepCopy() *VDIRoleList
```

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VDIRoleList.

func (*VDIRoleList) DeepCopyInto

```go
func (in *VDIRoleList) DeepCopyInto(out *VDIRoleList)
```

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VDIRoleList) DeepCopyObject

```go
func (in *VDIRoleList) DeepCopyObject() runtime.Object
```

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*VDIRoleList) Trim

```go
func (v *VDIRoleList) Trim() []*VDIRole
```

Trim will trim the managed fields and other metadata not used in processing. It has the benefit of producing less data when sending over the wire. Note that the objects returned by this method should NOT be used when sending later Update requests.
type Verb

```go
type Verb string
```

Verb represents an API action. +kubebuilder:validation:Enum=create;read;update;delete;use;launch;*

```go
const (
	// Create operations
	VerbCreate Verb = "create"
	// Read operations
	VerbRead Verb = "read"
	// Update operations
	VerbUpdate Verb = "update"
	// Delete operations
	VerbDelete Verb = "delete"
	// Use operations
	VerbUse Verb = "use"
	// Launch operations
	VerbLaunch Verb = "launch"
	// VerbAll matches all actions
	VerbAll Verb = "*"
)
```

Verb options