Documentation ¶
Overview ¶
Package resolvers resolves what rules different users and roleTemplates our bound to
Index ¶
- type AggregateRuleResolver
- func (a *AggregateRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
- func (a *AggregateRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error)
- func (a *AggregateRuleResolver) VisitRulesFor(user user.Info, namespace string, ...)
- type CRTBRuleResolver
- func (c *CRTBRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
- func (c *CRTBRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error)
- func (c *CRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, ...)
- type PRTBRuleResolver
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AggregateRuleResolver ¶
type AggregateRuleResolver struct {
// contains filtered or unexported fields
}
AggregateRuleResolver conforms to the rbac/validation.AuthorizationRuleResolver interface and is used to aggregate multiple other AuthorizationRuleResolver into one resolver.
func NewAggregateRuleResolver ¶
func NewAggregateRuleResolver(resolvers ...validation.AuthorizationRuleResolver) *AggregateRuleResolver
NewAggregateRuleResolver creates a new AggregateRuleResolver that will combine the outputs of all resolvers provided.
func (*AggregateRuleResolver) GetRoleReferenceRules ¶
func (a *AggregateRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
GetRoleReferenceRules calls GetRoleReferenceRules on each resolver and returns all returned rules and errors.
func (*AggregateRuleResolver) RulesFor ¶
func (a *AggregateRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error)
RulesFor returns the list of rules that apply to a given user in a given namespace and error for all Resolvers. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.
func (*AggregateRuleResolver) VisitRulesFor ¶
func (a *AggregateRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
VisitRulesFor invokes VisitRulesFor() on each resolver. If visitor() returns false, visiting is short-circuited for that resolver.
type CRTBRuleResolver ¶
type CRTBRuleResolver struct { ClusterRoleTemplateBindings v3.ClusterRoleTemplateBindingCache RoleTemplateResolver *auth.RoleTemplateResolver }
CRTBRuleResolver implements the rbacv1.AuthorizationRuleResolver interface.
func NewCRTBRuleResolver ¶
func NewCRTBRuleResolver(crtbCache v3.ClusterRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *CRTBRuleResolver
NewCRTBRuleResolver returns a new resolver for resolving rules given through ClusterRoleTemplateBindings.
func (*CRTBRuleResolver) GetRoleReferenceRules ¶
func (c *CRTBRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.
func (*CRTBRuleResolver) RulesFor ¶
func (c *CRTBRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error)
RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.
func (*CRTBRuleResolver) VisitRulesFor ¶
func (c *CRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.
type PRTBRuleResolver ¶
type PRTBRuleResolver struct { ProjectRoleTemplateBindings v3.ProjectRoleTemplateBindingCache RoleTemplateResolver *auth.RoleTemplateResolver }
PRTBRuleResolver implements the validation.AuthorizationRuleResolver interface.
func NewPRTBRuleResolver ¶
func NewPRTBRuleResolver(prtb v3.ProjectRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *PRTBRuleResolver
NewPRTBRuleResolver will create a new PRTBRuleResolver.
func (*PRTBRuleResolver) GetRoleReferenceRules ¶
func (p *PRTBRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.
func (*PRTBRuleResolver) RulesFor ¶
func (p *PRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)
RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.
func (*PRTBRuleResolver) VisitRulesFor ¶
func (p *PRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.