Package common

v0.6.2
Published: Dec 16, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Constants

const (
	// CreatorIDAnn is an annotation key for the id of the creator.
	CreatorIDAnn = "field.cattle.io/creatorId"
	// CreatorPrincipalNameAnn is an annotation key for the principal name of the creator.
	CreatorPrincipalNameAnn = "field.cattle.io/creator-principal-name"
	// NoCreatorRBACAnn is an annotation key to indicate that a cluster doesn't need
	NoCreatorRBACAnn = "field.cattle.io/no-creator-rbac"
)

const (
	// EnforceLabel is a label that governs the PSS that is enforced for a namespace
	EnforceLabel = "pod-security.kubernetes.io/enforce"
	// EnforceVersionLabel is a label that governs the PSS version that is enforced for a namespace
	EnforceVersionLabel = "pod-security.kubernetes.io/enforce-version"
	// AuditLabel is a label that governs the PSS that is used for auditing a namespace
	AuditLabel = "pod-security.kubernetes.io/audit"
	// AuditVersionLabel is a label that governs the PSS version that is used for auditing a namespace
	AuditVersionLabel = "pod-security.kubernetes.io/audit-version"
	// WarnLabel is a label that governs the PSS that is used for warning about PSA violations in a namespace
	WarnLabel = "pod-security.kubernetes.io/warn"
	// WarnVersionLabel is a label that governs the PSS version that is used for warning about PSA violations in a namespace
	WarnVersionLabel = "pod-security.kubernetes.io/warn-version"
)

Variables

This section is empty.

Functions

func CheckCreatorAnnotationsOnUpdate added in v0.6.1

func CheckCreatorAnnotationsOnUpdate(oldObj, newObj metav1.Object) *field.Error

CheckCreatorAnnotationsOnUpdate checks that the creatorId, creator-principal-name, and no-creator-rbac annotations are immutable. The only allowed update is removing the annotations. This function should only be called for the update operation.

func CheckCreatorID

func CheckCreatorID(request *admission.Request, oldObj, newObj metav1.Object) *metav1.Status

CheckCreatorID validates the creatorID annotation.

func CheckCreatorIDAndNoCreatorRBAC added in v0.6.1

func CheckCreatorIDAndNoCreatorRBAC(obj metav1.Object) *field.Error

CheckCreatorIDAndNoCreatorRBAC checks that only one of the no-creator-rbac or creatorID annotations is set.
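As an added illustration of the two rules documented above for CheckCreatorAnnotationsOnUpdate and CheckCreatorIDAndNoCreatorRBAC (not the package's own code, which works on metav1.Object and returns *field.Error), the same checks applied to plain annotation maps; the helper names and sample values are constructed for this example:

```go
package main

import "fmt"

// Annotation keys, as listed in the package constants.
const (
	CreatorIDAnn            = "field.cattle.io/creatorId"
	CreatorPrincipalNameAnn = "field.cattle.io/creator-principal-name"
	NoCreatorRBACAnn        = "field.cattle.io/no-creator-rbac"
)

// creatorAnnotationsImmutable applies the rule documented for
// CheckCreatorAnnotationsOnUpdate: on update a creator annotation may be
// removed, but never added or changed. It returns the first offending key, or "".
func creatorAnnotationsImmutable(oldAnn, newAnn map[string]string) string {
	for _, key := range []string{CreatorIDAnn, CreatorPrincipalNameAnn, NoCreatorRBACAnn} {
		oldVal, hadOld := oldAnn[key]
		newVal, hasNew := newAnn[key]
		switch {
		case !hasNew:
			continue // removal is the one permitted change
		case !hadOld:
			return key // added on update: not allowed
		case oldVal != newVal:
			return key // value changed: not allowed
		}
	}
	return ""
}

// creatorIDOrNoRBAC applies the rule documented for CheckCreatorIDAndNoCreatorRBAC:
// creatorId and no-creator-rbac must not both be set on the same object.
func creatorIDOrNoRBAC(ann map[string]string) bool {
	_, hasCreator := ann[CreatorIDAnn]
	_, hasNoRBAC := ann[NoCreatorRBACAnn]
	return !(hasCreator && hasNoRBAC)
}

func main() {
	// Constructed sample annotations, not data from a real cluster.
	stored := map[string]string{CreatorIDAnn: "user-abc12"}
	reassigned := map[string]string{CreatorIDAnn: "user-xyz99"} // would hand ownership to another user
	fmt.Println(creatorAnnotationsImmutable(stored, reassigned))         // field.cattle.io/creatorId
	fmt.Println(creatorAnnotationsImmutable(stored, map[string]string{})) // "" (removal allowed)
	fmt.Println(creatorIDOrNoRBAC(map[string]string{CreatorIDAnn: "u", NoCreatorRBACAnn: "true"})) // false
}
```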

func CheckCreatorPrincipalName added in v0.6.1

func CheckCreatorPrincipalName(userCache controllerv3.UserCache, obj metav1.Object) (*field.Error, error)

CheckCreatorPrincipalName checks that if creator-principal-name annotation is set then creatorId annotation must be set as well. The value of creator-principal-name annotation should match the creator's user principal id.

func ConvertAuthnExtras

func ConvertAuthnExtras(extra map[string]authnv1.ExtraValue) map[string]authzv1.ExtraValue

ConvertAuthnExtras converts authnv1 extras to authzv1 extras. Technically both are type aliases of string, so the conversion is straightforward.

func IsCreatingPSAConfig

func IsCreatingPSAConfig(new map[string]string) bool

IsCreatingPSAConfig will indicate whether or not the labels being passed in are attempting to create PSA-related configuration.

func IsModifyingLabel added in v0.5.0

func IsModifyingLabel(oldLabels, newLabels map[string]string, label string) bool

IsModifyingLabel checks whether a user is removing or modifying a label. If the label is newly added, it returns false.

func IsUpdatingPSAConfig

func IsUpdatingPSAConfig(old map[string]string, new map[string]string) bool

IsUpdatingPSAConfig will indicate whether or not the labels being passed in are attempting to update PSA-related configuration.
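As an added example (not the package's own implementation), the documented semantics of IsModifyingLabel, IsCreatingPSAConfig and IsUpdatingPSAConfig applied to namespace label maps; treating any added, removed or changed PSA label as an update is an assumption, as are the helper names and the constructed sample labels:

```go
package main

import "fmt"

// psaLabels are the pod-security.kubernetes.io labels from the package constants.
var psaLabels = []string{
	"pod-security.kubernetes.io/enforce", "pod-security.kubernetes.io/enforce-version",
	"pod-security.kubernetes.io/audit", "pod-security.kubernetes.io/audit-version",
	"pod-security.kubernetes.io/warn", "pod-security.kubernetes.io/warn-version",
}

// isModifyingLabel follows the documented IsModifyingLabel semantics: true when an existing
// label is removed or changed; false when it is absent from oldLabels (newly added).
func isModifyingLabel(oldLabels, newLabels map[string]string, label string) bool {
	oldVal, existed := oldLabels[label]
	if !existed {
		return false
	}
	newVal, present := newLabels[label]
	return !present || newVal != oldVal
}

// isCreatingPSAConfig reports whether any PSA label is present in the incoming set.
func isCreatingPSAConfig(newLabels map[string]string) bool {
	for _, l := range psaLabels {
		if _, ok := newLabels[l]; ok {
			return true
		}
	}
	return false
}

// isUpdatingPSAConfig treats any PSA label added, removed or changed as an update (assumption).
func isUpdatingPSAConfig(oldLabels, newLabels map[string]string) bool {
	for _, l := range psaLabels {
		_, wasSet := oldLabels[l]
		_, isSet := newLabels[l]
		if wasSet != isSet || isModifyingLabel(oldLabels, newLabels, l) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed labels: a request relaxing enforcement from restricted to privileged.
	old := map[string]string{"pod-security.kubernetes.io/enforce": "restricted", "team": "blue"}
	relaxed := map[string]string{"pod-security.kubernetes.io/enforce": "privileged", "team": "blue"}
	fmt.Println(isModifyingLabel(old, relaxed, "pod-security.kubernetes.io/enforce"), isUpdatingPSAConfig(old, relaxed)) // true true
}
```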

func SetCreatorIDAnnotation

func SetCreatorIDAnnotation(request *admission.Request, obj metav1.Object)

SetCreatorIDAnnotation sets the creatorID annotation on the given object based on the user specified in the request. If the noCreatorRBAC annotation is set, don't set the creator

func ValidateRules added in v0.3.10

func ValidateRules(rules []rbacv1.PolicyRule, isNamespaced bool, fldPath *field.Path) error

ValidateRules uses the standard Kubernetes RBAC policy-rule validation to validate Rancher rules. It is currently used in the validation of globalroles and roletemplates.

Types

type CachedVerbChecker added in v0.5.0

type CachedVerbChecker struct {
	// contains filtered or unexported fields
}

CachedVerbChecker caches whether a request for a non-namespaced GVR with the specified name has the given overrideVerb. This eliminates the need to perform multiple calls to the provided SubjectAccessReview for the overrideVerb. Each CachedVerbChecker is tied to its initial setup: if the caller needs to change what it is checking (different verb, resource name, resource type), a new CachedVerbChecker must be created. A CachedVerbChecker should not be shared between admitters; each admitter must request a new one. Additionally, a CachedVerbChecker should not be shared between requests, even for the same admitter.

func NewCachedVerbChecker added in v0.5.0

NewCachedVerbChecker creates a new CachedVerbChecker

func (*CachedVerbChecker) HasVerb added in v0.5.0

func (c *CachedVerbChecker) HasVerb() bool

HasVerb returns whether the request has the overrideVerb. It only checks the request the first time it is called; after that it returns the cached value.

func (*CachedVerbChecker) IsRulesAllowed added in v0.5.0

func (c *CachedVerbChecker) IsRulesAllowed(rules []v1.PolicyRule, resolver validation.AuthorizationRuleResolver, namespace string) error

IsRulesAllowed checks if the request has permissions to create the rules provided. Returns nil if the rules are allowed.
