Documentation
Index
- Constants
- func CheckCreatorAnnotationsOnUpdate(oldObj, newObj metav1.Object) *field.Error
- func CheckCreatorID(request *admission.Request, oldObj, newObj metav1.Object) *metav1.Status
- func CheckCreatorPrincipalName(userCache controllerv3.UserCache, obj metav1.Object) (*field.Error, error)
- func ConvertAuthnExtras(extra map[string]authnv1.ExtraValue) map[string]authzv1.ExtraValue
- func IsCreatingPSAConfig(new map[string]string) bool
- func IsModifyingLabel(oldLabels, newLabels map[string]string, label string) bool
- func IsUpdatingPSAConfig(old map[string]string, new map[string]string) bool
- func SetCreatorIDAnnotation(request *admission.Request, response *v1.AdmissionResponse, ...) error
- func ValidateRules(rules []rbacv1.PolicyRule, isNamespaced bool, fldPath *field.Path) error
- type CachedVerbChecker
Constants
const (
	// EnforceLabel is a label that governs the PSS that is enforced for a namespace
	EnforceLabel = "pod-security.kubernetes.io/enforce"
	// EnforceVersionLabel is a label that governs the PSS version that is enforced for a namespace
	EnforceVersionLabel = "pod-security.kubernetes.io/enforce-version"
	// AuditLabel is a label that governs the PSS that is used for auditing a namespace
	AuditLabel = "pod-security.kubernetes.io/audit"
	// AuditVersionLabel is a label that governs the PSS version that is used for auditing a namespace
	AuditVersionLabel = "pod-security.kubernetes.io/audit-version"
	// WarnLabel is a label that governs the PSS that is used for warning about PSA violations in a namespace
	WarnLabel = "pod-security.kubernetes.io/warn"
	// WarnVersionLabel is a label that governs the PSS version that is used for warning about PSA violations in a namespace
	WarnVersionLabel = "pod-security.kubernetes.io/warn-version"
)
Variables
This section is empty.
Functions
func CheckCreatorAnnotationsOnUpdate added in v0.6.1
func CheckCreatorAnnotationsOnUpdate(oldObj, newObj metav1.Object) *field.Error
CheckCreatorAnnotationsOnUpdate checks that the creatorId and creator-principal-name annotations are immutable. The only allowed update is removing the annotations. This function should only be called for the update operation.
func CheckCreatorID
func CheckCreatorID(request *admission.Request, oldObj, newObj metav1.Object) *metav1.Status
func CheckCreatorPrincipalName added in v0.6.1
func CheckCreatorPrincipalName(userCache controllerv3.UserCache, obj metav1.Object) (*field.Error, error)
CheckCreatorPrincipalName checks that, if the creator-principal-name annotation is set, the creatorId annotation is set as well. The value of the creator-principal-name annotation must match the creator's user principal ID.
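The two checks above protect an object's recorded owner from being rewritten after creation. The following Go program is an added example written for this page, not the package's own code: it reimplements the rules as described (values may be removed but never added or changed on update; a principal name requires a creatorId and must belong to that user). The full annotation keys with the field.cattle.io/ prefix, the principalLookup type standing in for the UserCache, and the user data are assumptions constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// Annotation keys. The page names them "creatorId" and "creator-principal-name";
// the "field.cattle.io/" prefix is an assumption made for this example.
const (
	creatorIDAnn            = "field.cattle.io/creatorId"
	creatorPrincipalNameAnn = "field.cattle.io/creator-principal-name"
)

// principalLookup stands in for the UserCache: it maps a creatorId to the
// principal IDs recorded for that user. Hypothetical type for this example.
type principalLookup func(userID string) ([]string, error)

// checkCreatorAnnotationsOnUpdate enforces immutability of both annotations
// across an update: a value may be dropped, but never added or changed.
func checkCreatorAnnotationsOnUpdate(oldAnn, newAnn map[string]string) error {
	for _, key := range []string{creatorIDAnn, creatorPrincipalNameAnn} {
		oldVal, hadOld := oldAnn[key]
		newVal, hasNew := newAnn[key]
		switch {
		case !hasNew:
			// Removal is the only permitted change.
			continue
		case !hadOld:
			return fmt.Errorf("annotation %q cannot be added after creation", key)
		case oldVal != newVal:
			return fmt.Errorf("annotation %q is immutable (was %q, got %q)", key, oldVal, newVal)
		}
	}
	return nil
}

// checkCreatorPrincipalName applies the rule described for CheckCreatorPrincipalName:
// a principal name requires a creatorId, and must be one of that user's principals.
func checkCreatorPrincipalName(ann map[string]string, lookup principalLookup) error {
	principal, ok := ann[creatorPrincipalNameAnn]
	if !ok {
		return nil
	}
	creator := ann[creatorIDAnn]
	if creator == "" {
		return fmt.Errorf("annotation %q requires %q to be set", creatorPrincipalNameAnn, creatorIDAnn)
	}
	principals, err := lookup(creator)
	if err != nil {
		return fmt.Errorf("looking up user %q: %w", creator, err)
	}
	for _, p := range principals {
		if p == principal {
			return nil
		}
	}
	return fmt.Errorf("annotation %q (%q) is not a principal of user %q", creatorPrincipalNameAnn, principal, creator)
}

// constructedUsers is sample data standing in for the user cache (constructed, not real).
var constructedUsers = map[string][]string{
	"u-abc12": {"local://u-abc12", "github://1001"},
}

func lookupConstructed(userID string) ([]string, error) {
	p, ok := constructedUsers[userID]
	if !ok {
		return nil, errors.New("user not found")
	}
	return p, nil
}

func main() {
	old := map[string]string{creatorIDAnn: "u-abc12", creatorPrincipalNameAnn: "github://1001"}
	// Attempt to reassign ownership to another user: rejected.
	tampered := map[string]string{creatorIDAnn: "u-zzz99", creatorPrincipalNameAnn: "github://1001"}
	fmt.Println("reassign creatorId:", checkCreatorAnnotationsOnUpdate(old, tampered))
	// Dropping the annotations entirely: allowed.
	fmt.Println("remove annotations:", checkCreatorAnnotationsOnUpdate(old, map[string]string{}))
	// A principal that does not belong to the recorded creator: rejected.
	bad := map[string]string{creatorIDAnn: "u-abc12", creatorPrincipalNameAnn: "github://9999"}
	fmt.Println("foreign principal:", checkCreatorPrincipalName(bad, lookupConstructed))
}
```

The update check deliberately treats "absent before, present now" as a violation rather than an addition, because an annotation that records who created an object has no legitimate reason to appear later; the real package returns a *field.Error pointing at the annotation path, which a webhook turns into a denied AdmissionResponse.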
func ConvertAuthnExtras
func ConvertAuthnExtras(extra map[string]authnv1.ExtraValue) map[string]authzv1.ExtraValue
ConvertAuthnExtras converts authnv1 extras to authzv1 extras. Technically both are type aliases of []string, so the conversion is straightforward.
func IsCreatingPSAConfig
func IsCreatingPSAConfig(new map[string]string) bool
IsCreatingPSAConfig indicates whether the labels passed in are attempting to create PSA-related configuration.
func IsModifyingLabel added in v0.5.0
func IsModifyingLabel(oldLabels, newLabels map[string]string, label string) bool
IsModifyingLabel checks whether a user is removing or modifying a label. If the label is newly added, it returns false.
func IsUpdatingPSAConfig
func IsUpdatingPSAConfig(old map[string]string, new map[string]string) bool
IsUpdatingPSAConfig indicates whether the labels passed in are attempting to update PSA-related configuration.
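The three label helpers above let a namespace admission webhook decide when a request touches Pod Security Admission settings, which is the point at which an extra authorization check (for example, via a CachedVerbChecker) is warranted. The Go program below is an added example for this page, not the package's code: it reimplements the three functions against the package's exported PSA label constants and adds a ChangedPSALabels helper (my own addition) that names the labels a deny message or audit log line should cite. The namespace label sets are constructed sample data.

```go
package main

import "fmt"

// The PSA label keys, with values copied from the package's Constants section.
const (
	EnforceLabel        = "pod-security.kubernetes.io/enforce"
	EnforceVersionLabel = "pod-security.kubernetes.io/enforce-version"
	AuditLabel          = "pod-security.kubernetes.io/audit"
	AuditVersionLabel   = "pod-security.kubernetes.io/audit-version"
	WarnLabel           = "pod-security.kubernetes.io/warn"
	WarnVersionLabel    = "pod-security.kubernetes.io/warn-version"
)

var psaLabels = []string{EnforceLabel, EnforceVersionLabel, AuditLabel, AuditVersionLabel, WarnLabel, WarnVersionLabel}

// IsModifyingLabel reports whether label is removed or changed between oldLabels and newLabels.
// A label that only appears in newLabels is an addition, not a modification, and yields false.
func IsModifyingLabel(oldLabels, newLabels map[string]string, label string) bool {
	oldVal, inOld := oldLabels[label]
	if !inOld {
		return false
	}
	newVal, inNew := newLabels[label]
	return !inNew || oldVal != newVal
}

// IsCreatingPSAConfig reports whether the labels of a new object carry any PSA setting.
func IsCreatingPSAConfig(newLabels map[string]string) bool {
	for _, l := range psaLabels {
		if _, ok := newLabels[l]; ok {
			return true
		}
	}
	return false
}

// ChangedPSALabels lists the PSA labels that are added, removed or changed between old and new.
// This helper is not part of the package; it exists so a deny response can name the offending labels.
func ChangedPSALabels(oldLabels, newLabels map[string]string) []string {
	var changed []string
	for _, l := range psaLabels {
		oldVal, inOld := oldLabels[l]
		newVal, inNew := newLabels[l]
		if inOld != inNew || oldVal != newVal {
			changed = append(changed, l)
		}
	}
	return changed
}

// IsUpdatingPSAConfig reports whether any PSA label differs between old and new.
func IsUpdatingPSAConfig(oldLabels, newLabels map[string]string) bool {
	return len(ChangedPSALabels(oldLabels, newLabels)) > 0
}

func main() {
	// Constructed sample: a namespace relaxed from restricted to privileged, plus an unrelated label change.
	before := map[string]string{EnforceLabel: "restricted", EnforceVersionLabel: "latest", "team": "payments"}
	after := map[string]string{EnforceLabel: "privileged", EnforceVersionLabel: "latest", "team": "payments-eu"}

	fmt.Println("creating PSA config:", IsCreatingPSAConfig(after))
	fmt.Println("updating PSA config:", IsUpdatingPSAConfig(before, after))
	fmt.Println("changed PSA labels:", ChangedPSALabels(before, after))
	fmt.Println("team label modified:", IsModifyingLabel(before, after, "team"))
}
```

Note the asymmetry that matters for a webhook: IsModifyingLabel ignores newly added labels, so a create request that sets pod-security.kubernetes.io/enforce for the first time must be caught by IsCreatingPSAConfig, while a later weakening of the same label is caught by IsUpdatingPSAConfig.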
func SetCreatorIDAnnotation
func SetCreatorIDAnnotation(request *admission.Request, response *v1.AdmissionResponse, obj runtime.RawExtension, newObj metav1.Object) error
SetCreatorIDAnnotation sets the creatorID annotation on newObj based on the user specified in the request.
func ValidateRules added in v0.3.10
func ValidateRules(rules []rbacv1.PolicyRule, isNamespaced bool, fldPath *field.Path) error
ValidateRules calls the standard Kubernetes RBAC validation of policy rules to validate Rancher rules. It is currently used in the validation of globalroles and roletemplates.
Types
type CachedVerbChecker added in v0.5.0
type CachedVerbChecker struct {
	// contains filtered or unexported fields
}
CachedVerbChecker caches whether a request for a non-namespaced GVR with the specified name has the given overrideVerb. This eliminates the need to perform multiple calls to the provided SubjectAccessReview for the overrideVerb.

Each CachedVerbChecker is bound to its initial setup. If the caller needs to check something different (another verb, resource name or resource type), a new CachedVerbChecker must be created. A CachedVerbChecker should not be shared between admitters; each admitter must request its own. Nor should it be shared between requests, even for the same admitter.
func NewCachedVerbChecker added in v0.5.0
func NewCachedVerbChecker(req *admission.Request, name string, sar authorizationv1.SubjectAccessReviewInterface, gvr schema.GroupVersionResource, verb string) *CachedVerbChecker
NewCachedVerbChecker creates a new CachedVerbChecker.
func (*CachedVerbChecker) HasVerb added in v0.5.0
func (c *CachedVerbChecker) HasVerb() bool
HasVerb reports whether the request has the overrideVerb. The request is only checked the first time HasVerb is called; subsequent calls return the cached value.
func (*CachedVerbChecker) IsRulesAllowed added in v0.5.0
func (c *CachedVerbChecker) IsRulesAllowed(rules []v1.PolicyRule, resolver validation.AuthorizationRuleResolver, namespace string) error
IsRulesAllowed checks whether the request has permission to create the provided rules. It returns nil if the rules are allowed.
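The CachedVerbChecker pattern is an escalation guard: a user may only grant rules they already hold, unless a separate override verb on the named, cluster-scoped resource says otherwise, and that override decision is evaluated at most once per request. The Go program below is an added example for this page, not the package's implementation. It replaces the SubjectAccessReview client with a verbCheck function, the AuthorizationRuleResolver with an explicit list of held rules, and the full PolicyRule with a trimmed Rule of verbs and resources only; all of those, plus the Calls counter used to prove single evaluation, are assumptions made for the demonstration.

```go
package main

import "fmt"

// verbCheck stands in for the SubjectAccessReview call: it reports whether the
// requesting user holds verb on the named, cluster-scoped resource. Hypothetical type.
type verbCheck func(user, verb, resource, name string) (bool, error)

// Rule is a trimmed-down PolicyRule (verbs and resources only, apiGroups omitted).
type Rule struct {
	Verbs     []string
	Resources []string
}

// CachedVerbChecker caches one override-verb decision for a fixed (user, verb, resource, name).
// As with the package's type, it must not be reused for another setup or across requests.
type CachedVerbChecker struct {
	user, verb, resource, name string
	check                      verbCheck
	evaluated                  bool
	allowed                    bool
	calls                      int // number of times check ran; exposed for the demo only
}

func NewCachedVerbChecker(user, name, resource, verb string, check verbCheck) *CachedVerbChecker {
	return &CachedVerbChecker{user: user, name: name, resource: resource, verb: verb, check: check}
}

// HasVerb runs the check once; later calls return the cached decision.
// A check error is treated as "not allowed" (fail closed).
func (c *CachedVerbChecker) HasVerb() bool {
	if !c.evaluated {
		c.calls++
		ok, err := c.check(c.user, c.verb, c.resource, c.name)
		c.allowed = ok && err == nil
		c.evaluated = true
	}
	return c.allowed
}

// Calls reports how many times the underlying check was invoked.
func (c *CachedVerbChecker) Calls() int { return c.calls }

// IsRulesAllowed rejects any requested rule the user does not already hold,
// unless the override verb is granted. held is the user's resolved rule set,
// the role the AuthorizationRuleResolver plays in the package.
func (c *CachedVerbChecker) IsRulesAllowed(rules, held []Rule) error {
	for _, r := range rules {
		if covered(r, held) {
			continue
		}
		if c.HasVerb() {
			// The override verb permits granting more than the requester holds.
			return nil
		}
		return fmt.Errorf("escalation: rule %v exceeds the requester's permissions and verb %q is not granted", r, c.verb)
	}
	return nil
}

// covered is true when every (verb, resource) pair in r is granted by some held rule.
func covered(r Rule, held []Rule) bool {
	for _, v := range r.Verbs {
		for _, res := range r.Resources {
			if !anyGrants(held, v, res) {
				return false
			}
		}
	}
	return true
}

func anyGrants(held []Rule, verb, resource string) bool {
	for _, h := range held {
		if contains(h.Verbs, verb) && contains(h.Resources, resource) {
			return true
		}
	}
	return false
}

// contains honours the RBAC "*" wildcard on the held side only.
func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario: bob holds get/list on pods and asks for delete on secrets without the override verb.
	denyAll := func(user, verb, resource, name string) (bool, error) { return false, nil }
	held := []Rule{{Verbs: []string{"get", "list"}, Resources: []string{"pods"}}}
	wanted := []Rule{{Verbs: []string{"delete"}, Resources: []string{"secrets"}}}
	c := NewCachedVerbChecker("bob", "rt-example", "roletemplates", "escalate", denyAll)
	fmt.Println(c.IsRulesAllowed(wanted, held), "| check calls:", c.Calls())
}
```

Two properties worth carrying into any real implementation: the check fails closed when the authorizer returns an error, and the cache key is the whole tuple fixed at construction, which is why the package warns against sharing one checker across verbs, resources, admitters or requests.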