Documentation ¶
Overview ¶
+k8s:deepcopy-gen=package,register +groupName=authorization.k8s.io
Index ¶
- Constants
- Variables
- func DeepCopy_authorization_LocalSubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error
- func DeepCopy_authorization_NonResourceAttributes(in interface{}, out interface{}, c *conversion.Cloner) error
- func DeepCopy_authorization_ResourceAttributes(in interface{}, out interface{}, c *conversion.Cloner) error
- func DeepCopy_authorization_SelfSubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error
- func DeepCopy_authorization_SelfSubjectAccessReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error
- func DeepCopy_authorization_SubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error
- func DeepCopy_authorization_SubjectAccessReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error
- func DeepCopy_authorization_SubjectAccessReviewStatus(in interface{}, out interface{}, c *conversion.Cloner) error
- func Kind(kind string) schema.GroupKind
- func RegisterDeepCopies(scheme *runtime.Scheme) error
- func Resource(resource string) schema.GroupResource
- type ExtraValue
- type LocalSubjectAccessReview
- type NonResourceAttributes
- type ResourceAttributes
- type SelfSubjectAccessReview
- type SelfSubjectAccessReviewSpec
- type SubjectAccessReview
- type SubjectAccessReviewSpec
- type SubjectAccessReviewStatus
Constants ¶
const GroupName = "authorization.k8s.io"
GroupName is the group name use in this package
Variables ¶
var ( SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) AddToScheme = SchemeBuilder.AddToScheme )
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
SchemeGroupVersion is group version used to register these objects
Functions ¶
func DeepCopy_authorization_LocalSubjectAccessReview ¶
func DeepCopy_authorization_LocalSubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error
func DeepCopy_authorization_NonResourceAttributes ¶
func DeepCopy_authorization_NonResourceAttributes(in interface{}, out interface{}, c *conversion.Cloner) error
func DeepCopy_authorization_ResourceAttributes ¶
func DeepCopy_authorization_ResourceAttributes(in interface{}, out interface{}, c *conversion.Cloner) error
func DeepCopy_authorization_SelfSubjectAccessReview ¶
func DeepCopy_authorization_SelfSubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error
func DeepCopy_authorization_SelfSubjectAccessReviewSpec ¶
func DeepCopy_authorization_SelfSubjectAccessReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error
func DeepCopy_authorization_SubjectAccessReview ¶
func DeepCopy_authorization_SubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error
func DeepCopy_authorization_SubjectAccessReviewSpec ¶
func DeepCopy_authorization_SubjectAccessReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error
func DeepCopy_authorization_SubjectAccessReviewStatus ¶
func DeepCopy_authorization_SubjectAccessReviewStatus(in interface{}, out interface{}, c *conversion.Cloner) error
func RegisterDeepCopies ¶
RegisterDeepCopies adds deep-copy functions to the given scheme. Public to allow building arbitrary schemes.
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type ExtraValue ¶
type ExtraValue []string
ExtraValue masks the value so protobuf can generate +protobuf.nullable=true
type LocalSubjectAccessReview ¶
type LocalSubjectAccessReview struct { metav1.TypeMeta metav1.ObjectMeta // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace // you made the request against. If empty, it is defaulted. Spec SubjectAccessReviewSpec // Status is filled in by the server and indicates whether the request is allowed or not Status SubjectAccessReviewStatus }
LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.
type NonResourceAttributes ¶
type NonResourceAttributes struct { // Path is the URL path of the request Path string // Verb is the standard HTTP verb Verb string }
NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
type ResourceAttributes ¶
type ResourceAttributes struct { // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces // "" (empty) is defaulted for LocalSubjectAccessReviews // "" (empty) is empty for cluster-scoped resources // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview Namespace string // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all. Verb string // Group is the API Group of the Resource. "*" means all. Group string // Version is the API Version of the Resource. "*" means all. Version string // Resource is one of the existing resource types. "*" means all. Resource string // Subresource is one of the existing resource types. "" means none. Subresource string // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all. Name string }
ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
type SelfSubjectAccessReview ¶
type SelfSubjectAccessReview struct { metav1.TypeMeta metav1.ObjectMeta // Spec holds information about the request being evaluated. Spec SelfSubjectAccessReviewSpec // Status is filled in by the server and indicates whether the request is allowed or not Status SubjectAccessReviewStatus }
SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means "in all namespaces". Self is a special case, because users should always be able to check whether they can perform an action
type SelfSubjectAccessReviewSpec ¶
type SelfSubjectAccessReviewSpec struct { // ResourceAttributes describes information for a resource access request ResourceAttributes *ResourceAttributes // NonResourceAttributes describes information for a non-resource access request NonResourceAttributes *NonResourceAttributes }
SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes and NonResourceAttributes must be set
type SubjectAccessReview ¶
type SubjectAccessReview struct { metav1.TypeMeta metav1.ObjectMeta // Spec holds information about the request being evaluated Spec SubjectAccessReviewSpec // Status is filled in by the server and indicates whether the request is allowed or not Status SubjectAccessReviewStatus }
SubjectAccessReview checks whether or not a user or group can perform an action. Not filling in a spec.namespace means "in all namespaces".
type SubjectAccessReviewSpec ¶
type SubjectAccessReviewSpec struct { // ResourceAttributes describes information for a resource access request ResourceAttributes *ResourceAttributes // NonResourceAttributes describes information for a non-resource access request NonResourceAttributes *NonResourceAttributes // User is the user you're testing for. // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups User string // Groups is the groups you're testing for. Groups []string // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer // it needs a reflection here. Extra map[string]ExtraValue }
SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes and NonResourceAttributes must be set
type SubjectAccessReviewStatus ¶
type SubjectAccessReviewStatus struct { // Allowed is required. True if the action would be allowed, false otherwise. Allowed bool // Reason is optional. It indicates why a request was allowed or denied. Reason string // EvaluationError is an indication that some error occurred during the authorization check. // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. EvaluationError string }
SubjectAccessReviewStatus
Directories ¶
Path | Synopsis |
---|---|
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery. |
+groupName=authorization.k8s.io Package v1 is a generated protocol buffer package.
|
+groupName=authorization.k8s.io Package v1 is a generated protocol buffer package. |
+groupName=authorization.k8s.io Package v1beta1 is a generated protocol buffer package.
|
+groupName=authorization.k8s.io Package v1beta1 is a generated protocol buffer package. |