rbac

package
v1.16.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 9, 2022 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Index

Constants

View Source
const (
	APIGroupAll    = "*"
	ResourceAll    = "*"
	VerbAll        = "*"
	NonResourceAll = "*"

	GroupKind          = "Group"
	ServiceAccountKind = "ServiceAccount"
	UserKind           = "User"

	// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
	AutoUpdateAnnotationKey = "rbac.authorization.kubernetes.io/autoupdate"
)
View Source
const GroupName = "rbac.authorization.k8s.io"

Variables

View Source
var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects

Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns a Group qualified GroupKind

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

func ResourceMatches

func ResourceMatches(rule *PolicyRule, combinedRequestedResource, requestedSubresource string) bool

func SubjectsStrings

func SubjectsStrings(subjects []Subject) ([]string, []string, []string, []string)

subjectsStrings returns users, groups, serviceaccounts, unknown for display purposes.

Types

type AggregationRule

type AggregationRule struct {
	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
	// If any of the selectors match, then the ClusterRole's permissions will be added
	ClusterRoleSelectors []metav1.LabelSelector
}

AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole

func (*AggregationRule) DeepCopy

func (in *AggregationRule) DeepCopy() *AggregationRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AggregationRule.

func (*AggregationRule) DeepCopyInto

func (in *AggregationRule) DeepCopyInto(out *AggregationRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterRole

type ClusterRole struct {
	metav1.TypeMeta
	// Standard object's metadata.
	metav1.ObjectMeta

	// Rules holds all the PolicyRules for this ClusterRole
	Rules []PolicyRule

	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
	// stomped by the controller.
	AggregationRule *AggregationRule
}

ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.

func (*ClusterRole) DeepCopy

func (in *ClusterRole) DeepCopy() *ClusterRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRole.

func (*ClusterRole) DeepCopyInto

func (in *ClusterRole) DeepCopyInto(out *ClusterRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterRole) DeepCopyObject

func (in *ClusterRole) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterRoleBinding

type ClusterRoleBinding struct {
	metav1.TypeMeta
	// Standard object's metadata.
	metav1.ObjectMeta

	// Subjects holds references to the objects the role applies to.
	Subjects []Subject

	// RoleRef can only reference a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	RoleRef RoleRef
}

ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.

func (*ClusterRoleBinding) DeepCopy

func (in *ClusterRoleBinding) DeepCopy() *ClusterRoleBinding

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleBinding.

func (*ClusterRoleBinding) DeepCopyInto

func (in *ClusterRoleBinding) DeepCopyInto(out *ClusterRoleBinding)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterRoleBinding) DeepCopyObject

func (in *ClusterRoleBinding) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterRoleBindingBuilder

type ClusterRoleBindingBuilder struct {
	ClusterRoleBinding ClusterRoleBinding
}

+k8s:deepcopy-gen=false ClusterRoleBindingBuilder let's us attach methods. A no-no for API types. We use it to construct bindings in code. It's more compact than trying to write them out in a literal.

func NewClusterBinding

func NewClusterBinding(clusterRoleName string) *ClusterRoleBindingBuilder

func (*ClusterRoleBindingBuilder) Binding

func (*ClusterRoleBindingBuilder) BindingOrDie

func (*ClusterRoleBindingBuilder) Groups

func (*ClusterRoleBindingBuilder) SAs

func (r *ClusterRoleBindingBuilder) SAs(namespace string, serviceAccountNames ...string) *ClusterRoleBindingBuilder

func (*ClusterRoleBindingBuilder) Users

type ClusterRoleBindingList

type ClusterRoleBindingList struct {
	metav1.TypeMeta
	// Standard object's metadata.
	metav1.ListMeta

	// Items is a list of ClusterRoleBindings
	Items []ClusterRoleBinding
}

ClusterRoleBindingList is a collection of ClusterRoleBindings

func (*ClusterRoleBindingList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleBindingList.

func (*ClusterRoleBindingList) DeepCopyInto

func (in *ClusterRoleBindingList) DeepCopyInto(out *ClusterRoleBindingList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterRoleBindingList) DeepCopyObject

func (in *ClusterRoleBindingList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterRoleList

type ClusterRoleList struct {
	metav1.TypeMeta
	// Standard object's metadata.
	metav1.ListMeta

	// Items is a list of ClusterRoles
	Items []ClusterRole
}

ClusterRoleList is a collection of ClusterRoles

func (*ClusterRoleList) DeepCopy

func (in *ClusterRoleList) DeepCopy() *ClusterRoleList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleList.

func (*ClusterRoleList) DeepCopyInto

func (in *ClusterRoleList) DeepCopyInto(out *ClusterRoleList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterRoleList) DeepCopyObject

func (in *ClusterRoleList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PolicyRule

type PolicyRule struct {
	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
	Verbs []string

	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	APIGroups []string
	// Resources is a list of resources this rule applies to.  '*' represents all resources in the specified apiGroups.
	// '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
	Resources []string
	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
	ResourceNames []string

	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
	// If an action is not a resource API request, then the URL is split on '/' and is checked against the NonResourceURLs to look for a match.
	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
	NonResourceURLs []string
}

PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.

func (PolicyRule) CompactString

func (r PolicyRule) CompactString() string

CompactString exposes a compact string representation for use in escalation error messages

func (*PolicyRule) DeepCopy

func (in *PolicyRule) DeepCopy() *PolicyRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRule.

func (*PolicyRule) DeepCopyInto

func (in *PolicyRule) DeepCopyInto(out *PolicyRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (PolicyRule) String

func (r PolicyRule) String() string

type PolicyRuleBuilder

type PolicyRuleBuilder struct {
	PolicyRule PolicyRule
}

+k8s:deepcopy-gen=false PolicyRuleBuilder let's us attach methods. A no-no for API types. We use it to construct rules in code. It's more compact than trying to write them out in a literal and allows us to perform some basic checking during construction

func NewRule

func NewRule(verbs ...string) *PolicyRuleBuilder

func (*PolicyRuleBuilder) Groups

func (r *PolicyRuleBuilder) Groups(groups ...string) *PolicyRuleBuilder

func (*PolicyRuleBuilder) Names

func (r *PolicyRuleBuilder) Names(names ...string) *PolicyRuleBuilder

func (*PolicyRuleBuilder) Resources

func (r *PolicyRuleBuilder) Resources(resources ...string) *PolicyRuleBuilder

func (*PolicyRuleBuilder) Rule

func (r *PolicyRuleBuilder) Rule() (PolicyRule, error)

func (*PolicyRuleBuilder) RuleOrDie

func (r *PolicyRuleBuilder) RuleOrDie() PolicyRule

func (*PolicyRuleBuilder) URLs

func (r *PolicyRuleBuilder) URLs(urls ...string) *PolicyRuleBuilder

type Role

type Role struct {
	metav1.TypeMeta
	// Standard object's metadata.
	metav1.ObjectMeta

	// Rules holds all the PolicyRules for this Role
	Rules []PolicyRule
}

Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.

func (*Role) DeepCopy

func (in *Role) DeepCopy() *Role

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Role.

func (*Role) DeepCopyInto

func (in *Role) DeepCopyInto(out *Role)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Role) DeepCopyObject

func (in *Role) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RoleBinding

type RoleBinding struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Subjects holds references to the objects the role applies to.
	Subjects []Subject

	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	RoleRef RoleRef
}

RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.

func (*RoleBinding) DeepCopy

func (in *RoleBinding) DeepCopy() *RoleBinding

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBinding.

func (*RoleBinding) DeepCopyInto

func (in *RoleBinding) DeepCopyInto(out *RoleBinding)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RoleBinding) DeepCopyObject

func (in *RoleBinding) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RoleBindingBuilder

type RoleBindingBuilder struct {
	RoleBinding RoleBinding
}

+k8s:deepcopy-gen=false RoleBindingBuilder let's us attach methods. It is similar to ClusterRoleBindingBuilder above.

func NewRoleBinding

func NewRoleBinding(roleName, namespace string) *RoleBindingBuilder

NewRoleBinding creates a RoleBinding builder that can be used to define the subjects of a role binding. At least one of the `Groups`, `Users` or `SAs` method must be called before calling the `Binding*` methods.

func NewRoleBindingForClusterRole

func NewRoleBindingForClusterRole(roleName, namespace string) *RoleBindingBuilder

func (*RoleBindingBuilder) Binding

func (r *RoleBindingBuilder) Binding() (RoleBinding, error)

Binding builds and returns the RoleBinding API object from the builder object.

func (*RoleBindingBuilder) BindingOrDie

func (r *RoleBindingBuilder) BindingOrDie() RoleBinding

BindingOrDie calls the binding method and panics if there is an error.

func (*RoleBindingBuilder) Groups

func (r *RoleBindingBuilder) Groups(groups ...string) *RoleBindingBuilder

Groups adds the specified groups as the subjects of the RoleBinding.

func (*RoleBindingBuilder) SAs

func (r *RoleBindingBuilder) SAs(namespace string, serviceAccountNames ...string) *RoleBindingBuilder

SAs adds the specified service accounts as the subjects of the RoleBinding.

func (*RoleBindingBuilder) Users

func (r *RoleBindingBuilder) Users(users ...string) *RoleBindingBuilder

Users adds the specified users as the subjects of the RoleBinding.

type RoleBindingList

type RoleBindingList struct {
	metav1.TypeMeta
	// Standard object's metadata.
	metav1.ListMeta

	// Items is a list of roleBindings
	Items []RoleBinding
}

RoleBindingList is a collection of RoleBindings

func (*RoleBindingList) DeepCopy

func (in *RoleBindingList) DeepCopy() *RoleBindingList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBindingList.

func (*RoleBindingList) DeepCopyInto

func (in *RoleBindingList) DeepCopyInto(out *RoleBindingList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RoleBindingList) DeepCopyObject

func (in *RoleBindingList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RoleList

type RoleList struct {
	metav1.TypeMeta
	// Standard object's metadata.
	metav1.ListMeta

	// Items is a list of roles
	Items []Role
}

RoleList is a collection of Roles

func (*RoleList) DeepCopy

func (in *RoleList) DeepCopy() *RoleList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleList.

func (*RoleList) DeepCopyInto

func (in *RoleList) DeepCopyInto(out *RoleList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RoleList) DeepCopyObject

func (in *RoleList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RoleRef

type RoleRef struct {
	// APIGroup is the group for the resource being referenced
	APIGroup string
	// Kind is the type of resource being referenced
	Kind string
	// Name is the name of resource being referenced
	Name string
}

RoleRef contains information that points to the role being used

func (*RoleRef) DeepCopy

func (in *RoleRef) DeepCopy() *RoleRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleRef.

func (*RoleRef) DeepCopyInto

func (in *RoleRef) DeepCopyInto(out *RoleRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SortableRuleSlice

type SortableRuleSlice []PolicyRule

func (SortableRuleSlice) DeepCopy

func (in SortableRuleSlice) DeepCopy() SortableRuleSlice

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SortableRuleSlice.

func (SortableRuleSlice) DeepCopyInto

func (in SortableRuleSlice) DeepCopyInto(out *SortableRuleSlice)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (SortableRuleSlice) Len

func (s SortableRuleSlice) Len() int

func (SortableRuleSlice) Less

func (s SortableRuleSlice) Less(i, j int) bool

func (SortableRuleSlice) Swap

func (s SortableRuleSlice) Swap(i, j int)

type Subject

type Subject struct {
	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
	Kind string
	// APIGroup holds the API group of the referenced subject.
	// Defaults to "" for ServiceAccount subjects.
	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
	APIGroup string
	// Name of the object being referenced.
	Name string
	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
	// the Authorizer should report an error.
	Namespace string
}

Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.

func (*Subject) DeepCopy

func (in *Subject) DeepCopy() *Subject

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject.

func (*Subject) DeepCopyInto

func (in *Subject) DeepCopyInto(out *Subject)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Directories

Path Synopsis
Package install installs the batch API group, making it available as an option to all of the API encoding/decoding machinery.
Package install installs the batch API group, making it available as an option to all of the API encoding/decoding machinery.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL