package v1 (v0.3.6)
Published: Oct 24, 2021 License: GPL-3.0 Imports: 7 Imported by: 0

Documentation

Overview

Package v1 contains API Schema definitions for the RBAC v1 API group (+kubebuilder:object:generate=true +groupName=rbac.kvdi.io).

Index

Constants

View Source
const NamespaceAll = "*"

NamespaceAll represents all namespaces

Variables

View Source
var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "rbac.kvdi.io", Version: "v1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type Resource

type Resource string

Resource represents the target of an API action. Valid values (+kubebuilder:validation:Enum): users; roles; templates; serviceaccounts; *

const (
	// ResourceUsers represents users of kVDI. This action would only apply
	// when using local auth.
	ResourceUsers Resource = "users"
	// ResourceRoles represents the auth roles in kVDI. This would allow a user
	// to manipulate policies via the app API.
	ResourceRoles Resource = "roles"
	// ResourceTemplates represents desktop templates in kVDI. Mainly the ability
	// to launch sessions from them and connect to them. The "launch" verb can be used
	// in this context when referring to launching templates, and the "use" verb for
	// connecting to them via the UI.
	ResourceTemplates Resource = "templates"
	// ResourceServiceAccounts represents kubernetes service accounts. Specifically,
	// the ability to launch desktops that assume them. The API does not expose any
	// CRUD operations on these, but the "use" verb can be used to signal that a user
	// is allowed to assume the given service accounts.
	ResourceServiceAccounts Resource = "serviceaccounts"
	// ResourceAll matches all resources
	ResourceAll Resource = "*"
)

Resource options

type Rule

type Rule struct {
	// The actions this rule applies for. VerbAll matches all actions.
	// Recognized options are: `["create", "read", "update", "delete", "use", "launch", "*"]`
	Verbs []Verb `json:"verbs,omitempty"`
	// Resources this rule applies to. ResourceAll matches all resources.
	// Recognized options are: `["users", "roles", "templates", "serviceaccounts", "*"]`
	Resources []Resource `json:"resources,omitempty"`
	// Resource regexes that match this rule. This can be template patterns, role
	// names or user names. There is no All representation because * will have
	// that effect on its own when the regex is evaluated. When referring to "serviceaccounts",
	// only the "use" verb is evaluated in the context of assuming those accounts in
	// desktop sessions.
	//
	// **NOTE**: The `kvdi-manager` is responsible for launching pods with a service account
	// requested for a given Desktop. If the service account itself contains more permissions
	// than the manager itself, the Kubernetes API will deny the request. The way to remedy this
	// would be to either mirror permissions to that ClusterRole, or make the `kvdi-manager` itself a
	// cluster admin, both of which come with inherent risks. In the end, you can decide the best
	// approach for your use case with regards to exposing access to the Kubernetes APIs via kvdi sessions.
	ResourcePatterns []string `json:"resourcePatterns,omitempty"`
	// Namespaces this rule applies to. Only evaluated for template launching
	// permissions. Including "*" as an option matches all namespaces.
	Namespaces []string `json:"namespaces,omitempty"`
}

Rule represents a set of permissions applied to a VDIRole. It mostly resembles an rbacv1.PolicyRule, with resources being a regex and the addition of a namespace selector.

func (*Rule) DeepCopy

func (in *Rule) DeepCopy() *Rule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.

func (*Rule) DeepCopyInto

func (in *Rule) DeepCopyInto(out *Rule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Rule) DeepEqual

func (r *Rule) DeepEqual(rule Rule) bool

DeepEqual returns true if the provided rule matches this one exactly. All values in both rules are first sorted and then equality is derived from whether all fields pass reflect.DeepEqual.

func (*Rule) HasNamespace

func (r *Rule) HasNamespace(ns string) bool

HasNamespace returns true if this rule includes the given namespace.

func (*Rule) HasResourceType

func (r *Rule) HasResourceType(resource Resource) bool

HasResourceType returns true if this rule has the given resource type.

func (*Rule) HasVerb

func (r *Rule) HasVerb(verb Verb) bool

HasVerb returns true if this rule contains the given verb.

func (*Rule) IsEmpty

func (r *Rule) IsEmpty() bool

IsEmpty returns true if this rule is empty.

func (*Rule) MatchesResourceName

func (r *Rule) MatchesResourceName(name string) bool

MatchesResourceName returns true if any of the resource patterns in this rule match the given name.
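As an added worked example (not kvdi's own code), the following shows how a single Rule is evaluated against a request using the semantics the field comments and the Has*/MatchesResourceName methods above describe. The Verb, Resource and Rule types are minimal mirrors of the page's, and the anchored regexp plus the fail-closed handling of an invalid pattern are hardening assumptions of this example, not documented kvdi behaviour.

```go
package main
import "regexp"
// Minimal mirrors of the page's Verb, Resource and Rule types (assumed, not imported from kvdi).
type Verb string
type Resource string
const (
	VerbLaunch        Verb     = "launch"
	VerbAll           Verb     = "*"
	ResourceTemplates Resource = "templates"
	ResourceAll       Resource = "*"
	NamespaceAll               = "*"
)
type Rule struct {
	Verbs            []Verb
	Resources        []Resource
	ResourcePatterns []string
	Namespaces       []string
}
// contains honours the "*" wildcard the way VerbAll, ResourceAll and NamespaceAll do above.
func contains[T ~string](list []T, want T) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}
func (r *Rule) HasVerb(v Verb) bool             { return contains(r.Verbs, v) }
func (r *Rule) HasResourceType(s Resource) bool { return contains(r.Resources, s) }
func (r *Rule) HasNamespace(ns string) bool     { return contains(r.Namespaces, ns) }
// Each pattern is a Go regexp; anchoring it (a hardening assumption here, not kvdi's documented
// behaviour) keeps "team-a-.*" from matching "evil-team-a-box"; an invalid pattern fails closed.
func (r *Rule) MatchesResourceName(name string) bool {
	for _, p := range r.ResourcePatterns {
		if re, err := regexp.Compile("^(?:" + p + ")$"); err == nil && re.MatchString(name) {
			return true
		}
	}
	return false
}
// Allows checks verb, resource type and name pattern for every request, and the namespace
// only for template launches, as the Namespaces field comment states.
func (r *Rule) Allows(verb Verb, res Resource, name, ns string) bool {
	if !r.HasVerb(verb) || !r.HasResourceType(res) || !r.MatchesResourceName(name) {
		return false
	}
	return !(res == ResourceTemplates && verb == VerbLaunch) || r.HasNamespace(ns)
}
func main() { // stand-alone demo: prints "true false"
	r := Rule{Verbs: []Verb{VerbLaunch}, Resources: []Resource{ResourceTemplates}, ResourcePatterns: []string{"team-a-.*"}, Namespaces: []string{"team-a"}}
	println(r.Allows(VerbLaunch, ResourceTemplates, "team-a-ubuntu", "team-a"), r.Allows(VerbLaunch, ResourceTemplates, "evil-team-a-ubuntu", "team-a"))
}
```

The fifth check in the test below is the one practitioners most often get wrong: Namespaces is ignored for the "use" verb, so a rule that scopes launches to one namespace does not by itself limit where a user may connect.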

type VDIRole

type VDIRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// A list of rules granting access to resources in the VDICluster.
	Rules []Rule `json:"rules,omitempty"`
}

VDIRole is the Schema for the vdiroles API

func (*VDIRole) DeepCopy

func (in *VDIRole) DeepCopy() *VDIRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VDIRole.

func (*VDIRole) DeepCopyInto

func (in *VDIRole) DeepCopyInto(out *VDIRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VDIRole) DeepCopyObject

func (in *VDIRole) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*VDIRole) GetRules

func (v *VDIRole) GetRules() []Rule

GetRules returns the rules for this VDIRole.

type VDIRoleList

type VDIRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VDIRole `json:"items"`
}

VDIRoleList contains a list of VDIRole

func (*VDIRoleList) DeepCopy

func (in *VDIRoleList) DeepCopy() *VDIRoleList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VDIRoleList.

func (*VDIRoleList) DeepCopyInto

func (in *VDIRoleList) DeepCopyInto(out *VDIRoleList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VDIRoleList) DeepCopyObject

func (in *VDIRoleList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*VDIRoleList) Trim

func (v *VDIRoleList) Trim() []*VDIRole

Trim will trim the managed fields and other metadata not used in processing. It has the benefit of producing less data when sending over the wire. Note that the objects returned by this method should NOT be used when sending later Update requests.

type Verb

type Verb string

Verb represents an API action. Valid values (+kubebuilder:validation:Enum): create; read; update; delete; use; launch; *

const (
	// Create operations
	VerbCreate Verb = "create"
	// Read operations
	VerbRead Verb = "read"
	// Update operations
	VerbUpdate Verb = "update"
	// Delete operations
	VerbDelete Verb = "delete"
	// Use operations
	VerbUse Verb = "use"
	// Launch operations
	VerbLaunch Verb = "launch"
	// VerbAll matches all actions
	VerbAll Verb = "*"
)

Verb options
