Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func AllSubjectAccessReviewsAllowed
func AllSubjectAccessReviewsAllowed(subjectAccessReviews []*v1.SubjectAccessReview) (bool, []*v1.SubjectAccessReview)
AllSubjectAccessReviewsAllowed checks whether all of subjectAccessReviews are explicitly allowed. If not, the function also returns the reviews that were denied.
func WarningsGroupedByResource (added in v0.100.0)
func WarningsGroupedByResource(reviews []*v1.SubjectAccessReview) []string
WarningsGroupedByResource is a helper to take the missing permissions and format them as warnings.
Types
type Reviewer
type Reviewer struct {
// contains filtered or unexported fields
}
func NewReviewer
func NewReviewer(c kubernetes.Interface) *Reviewer
func (*Reviewer) CanAccess
func (r *Reviewer) CanAccess(ctx context.Context, serviceAccount, serviceAccountNamespace string, res *v1.ResourceAttributes, nonResourceAttributes *v1.NonResourceAttributes) (*v1.SubjectAccessReview, error)
CanAccess checks whether the given serviceAccount is able to access a single requested resource attribute. The operator uses this functionality to ensure that users have the right RBAC configured for collector-related service accounts.
func (*Reviewer) CheckPolicyRules
func (r *Reviewer) CheckPolicyRules(ctx context.Context, serviceAccount, serviceAccountNamespace string, rules ...*rbacv1.PolicyRule) ([]*v1.SubjectAccessReview, error)
CheckPolicyRules is a convenience function that lets the caller check access for a set of PolicyRules.
type SAReviewer (added in v0.113.1)
type SAReviewer interface {
	CheckPolicyRules(ctx context.Context, serviceAccount, serviceAccountNamespace string, rules ...*rbacv1.PolicyRule) ([]*v1.SubjectAccessReview, error)
	CanAccess(ctx context.Context, serviceAccount, serviceAccountNamespace string, res *v1.ResourceAttributes, nonResourceAttributes *v1.NonResourceAttributes) (*v1.SubjectAccessReview, error)
}
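An added example, not the operator's own code, of the pattern that CheckPolicyRules and AllSubjectAccessReviewsAllowed describe: expand PolicyRules into individual access reviews and treat anything not explicitly allowed as denied. The local types, the Authorizer callback, the per-(apiGroup, resource, verb) expansion and the sample service account are assumptions standing in for the Kubernetes API types and a live cluster.

```go
package main

import "fmt"

// Local stand-ins (assumptions) for the k8s PolicyRule, ResourceAttributes and
// SubjectAccessReview types; Authorizer plays the API server answering a review.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type Attrs struct{ Group, Resource, Verb string }
type Review struct {
	Attrs           Attrs
	Allowed, Denied bool // mirror status.allowed and status.denied
}
type Authorizer func(sa, ns string, a Attrs) Review

// checkPolicyRules (assumed expansion): one review per (apiGroup, resource, verb).
func checkPolicyRules(authz Authorizer, sa, ns string, rules ...PolicyRule) []Review {
	var out []Review
	for _, r := range rules {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					out = append(out, authz(sa, ns, Attrs{g, res, v}))
				}
			}
		}
	}
	return out
}

// allAllowed fails closed: "no opinion" (Allowed and Denied both false) is a denial.
func allAllowed(reviews []Review) (bool, []Review) {
	var denied []Review
	for _, r := range reviews {
		if !r.Allowed {
			denied = append(denied, r)
		}
	}
	return len(denied) == 0, denied
}

// constructedAuthorizer is sample data: it grants only get/list on core "nodes".
func constructedAuthorizer(sa, ns string, a Attrs) Review {
	ok := a.Group == "" && a.Resource == "nodes" && (a.Verb == "get" || a.Verb == "list")
	return Review{Attrs: a, Allowed: ok}
}

func main() {
	rule := PolicyRule{[]string{""}, []string{"nodes", "pods"}, []string{"get", "list", "watch"}}
	fmt.Println(allAllowed(checkPolicyRules(constructedAuthorizer, "collector", "observability", rule)))
}
```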