Overview ¶
Package auth holds common webhook code used during authentication and authorization checks.
Constants ¶
const (
// CreatorIDAnn is an annotation key for the id of the creator.
CreatorIDAnn = "field.cattle.io/creatorId"
)
Functions ¶
func ConfirmNoEscalation ¶ added in v0.1.6
func ConfirmNoEscalation(request *admission.Request, rules []rbacv1.PolicyRule, namespace string, ruleResolver validation.AuthorizationRuleResolver) error
ConfirmNoEscalation checks that the user making the request holds every permission in the rules they are attempting to grant through a binding or role; the rules are evaluated in the given namespace using the provided ruleResolver, and a non-nil error indicates an attempted escalation.
func RequestUserHasVerb ¶ added in v0.4.0
func RequestUserHasVerb(request *admission.Request, gvr schema.GroupVersionResource, sar authorizationv1.SubjectAccessReviewInterface, verb, name, namespace string) (bool, error)
RequestUserHasVerb checks whether the user associated with the request has the given verb on the given gvr for the specified name and namespace, using the provided SubjectAccessReview interface.
func SetEscalationResponse ¶ added in v0.1.6
func SetEscalationResponse(response *admissionv1.AdmissionResponse, err error)
SetEscalationResponse will update the given webhook response based on the provided error from an escalation request. Deprecated: use admission.ResponseFailedEscalation() instead.
func ToExtraString ¶
func ToExtraString(extra map[string]authenticationv1.ExtraValue) map[string][]string
ToExtraString converts a map[string]authenticationv1.ExtraValue to a map[string][]string.
Types ¶
type GlobalRoleResolver ¶ added in v0.4.0
type GlobalRoleResolver struct {
// contains filtered or unexported fields
}
GlobalRoleResolver provides utilities to determine which rules a GlobalRole grants in various contexts.
func NewGlobalRoleResolver ¶ added in v0.4.0
func NewGlobalRoleResolver(roleTemplateResolver *RoleTemplateResolver, grCache controllerv3.GlobalRoleCache) *GlobalRoleResolver
NewGlobalRoleResolver creates a newly allocated GlobalRoleResolver from the provided RoleTemplateResolver and GlobalRole cache.
func (*GlobalRoleResolver) ClusterRulesFromRole ¶ added in v0.4.0
func (g *GlobalRoleResolver) ClusterRulesFromRole(gr *v3.GlobalRole) ([]rbacv1.PolicyRule, error)
ClusterRulesFromRole finds all rules which this gr gives on downstream clusters.
func (*GlobalRoleResolver) FleetWorkspacePermissionsResourceRulesFromRole ¶ added in v0.5.0
func (g *GlobalRoleResolver) FleetWorkspacePermissionsResourceRulesFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule
FleetWorkspacePermissionsResourceRulesFromRole finds the rules which this GlobalRole gives on fleet resources in the workspace backing namespace. The result assumes the user has permissions in every workspace (including fleet-local), which is not actually the case. That assumption is acceptable when evaluating InheritedFleetWorkspacePermissions.ResourceRules, but the result must not be used for a more general evaluation of permissions on the workspace backing namespace.
func (*GlobalRoleResolver) FleetWorkspacePermissionsWorkspaceVerbsFromRole ¶ added in v0.5.0
func (g *GlobalRoleResolver) FleetWorkspacePermissionsWorkspaceVerbsFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule
FleetWorkspacePermissionsWorkspaceVerbsFromRole finds the rules which this GlobalRole gives on the cluster-wide fleetworkspace resources. The result assumes the user has permissions in every workspace (including fleet-local), which is not actually the case. That assumption is acceptable when evaluating InheritedFleetWorkspacePermissions.WorkspaceVerbs, but the result must not be used for a more general evaluation of permissions on the workspace object.
func (*GlobalRoleResolver) GetRoleTemplatesForGlobalRole ¶ added in v0.4.0
func (g *GlobalRoleResolver) GetRoleTemplatesForGlobalRole(gr *v3.GlobalRole) ([]*v3.RoleTemplate, error)
GetRoleTemplatesForGlobalRole allows the caller to retrieve the RoleTemplates in use by a given GlobalRole. It does not recursively evaluate RoleTemplates; only the top-level resources are returned.
func (*GlobalRoleResolver) GlobalRoleCache ¶ added in v0.4.0
func (g *GlobalRoleResolver) GlobalRoleCache() controllerv3.GlobalRoleCache
GlobalRoleCache allows caller to retrieve the globalRoleCache used by the resolver.
func (*GlobalRoleResolver) GlobalRulesFromRole ¶ added in v0.4.0
func (g *GlobalRoleResolver) GlobalRulesFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule
GlobalRulesFromRole finds all rules which apply globally, meaning rules that are valid for escalation checks at the cluster scope in the local cluster.
type RBACRestGetter ¶
type RBACRestGetter struct { Roles wranglerv1.RoleCache RoleBindings wranglerv1.RoleBindingCache ClusterRoles wranglerv1.ClusterRoleCache ClusterRoleBindings wranglerv1.ClusterRoleBindingCache }
RBACRestGetter encapsulates the caches used to get and list the core RBAC resource types (Roles, RoleBindings, ClusterRoles and ClusterRoleBindings).
func (RBACRestGetter) GetClusterRole ¶
func (r RBACRestGetter) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
GetClusterRole gets the ClusterRole with the given name.
func (RBACRestGetter) GetRole ¶
func (r RBACRestGetter) GetRole(namespace, name string) (*rbacv1.Role, error)
GetRole gets the Role within the given namespace that matches the provided name.
func (RBACRestGetter) ListClusterRoleBindings ¶
func (r RBACRestGetter) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
ListClusterRoleBindings lists all ClusterRoleBindings.
func (RBACRestGetter) ListRoleBindings ¶
func (r RBACRestGetter) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
ListRoleBindings lists all RoleBindings in the given namespace.
type RoleTemplateResolver ¶ added in v0.1.6
type RoleTemplateResolver struct {
// contains filtered or unexported fields
}
RoleTemplateResolver provides an interface to flatten RoleTemplates into a slice of rules.
func NewRoleTemplateResolver ¶ added in v0.1.6
func NewRoleTemplateResolver(roleTemplates v3.RoleTemplateCache, clusterRoles v1.ClusterRoleCache) *RoleTemplateResolver
NewRoleTemplateResolver creates a newly allocated RoleTemplateResolver from the provided RoleTemplate and ClusterRole caches.
func (*RoleTemplateResolver) RoleTemplateCache ¶ added in v0.1.6
func (r *RoleTemplateResolver) RoleTemplateCache() v3.RoleTemplateCache
RoleTemplateCache allows caller to retrieve the roleTemplateCache used by the resolver.
func (*RoleTemplateResolver) RulesFromTemplate ¶ added in v0.1.6
func (r *RoleTemplateResolver) RulesFromTemplate(roleTemplate *rancherv3.RoleTemplate) ([]rbacv1.PolicyRule, error)
RulesFromTemplate gets all rules from the given template and from every template it references.
func (*RoleTemplateResolver) RulesFromTemplateName ¶ added in v0.1.6
func (r *RoleTemplateResolver) RulesFromTemplateName(name string) ([]rbacv1.PolicyRule, error)
RulesFromTemplateName gets the rules for the RoleTemplate with the given name. It is a simple wrapper around RulesFromTemplate.