rulevalidation

package
v3.6.0-rc.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 13, 2017 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BreakdownRule added in v1.3.0 

func BreakdownRule(rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule

BreakdownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one resource, and one resource name

func CompactRules added in v1.3.0 

func CompactRules(rules []authorizationapi.PolicyRule) ([]authorizationapi.PolicyRule, error)

CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. this is a fast check, and works well with the decomposed "missing rules" list from a Covers check.

func ConfirmNoEscalation added in v1.1.4 

func ConfirmNoEscalation(ctx apirequest.Context, resource schema.GroupResource, name string, ruleResolver, cachedRuleResolver AuthorizationRuleResolver, role authorizationinterfaces.Role) error

func Covers 

func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []authorizationapi.PolicyRule)

Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.

func EscalationAllowed 

func EscalationAllowed(ctx apirequest.Context) bool

EscalationAllowed returns true if a particular user is allowed to escalate his powers

Types

type AuthorizationRuleResolver 

type AuthorizationRuleResolver interface {
	GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error)
	GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error)
	// RulesFor returns the list of rules that apply to a given user in a given namespace and error.  If an error is returned, the slice of
	// PolicyRules may not be complete, but it contains all retrievable rules.  This is done because policy rules are purely additive and policy determinations
	// can be made on the basis of those rules that are found.
	RulesFor(info user.Info, namespace string) ([]authorizationapi.PolicyRule, error)
}

type DefaultRuleResolver 

type DefaultRuleResolver struct {
	// contains filtered or unexported fields
}

func NewDefaultRuleResolver 

func NewDefaultRuleResolver(policyGetter authorizationlister.PolicyLister, bindingLister authorizationlister.PolicyBindingLister, clusterPolicyGetter authorizationlister.ClusterPolicyLister, clusterBindingLister authorizationlister.ClusterPolicyBindingLister) *DefaultRuleResolver

func (*DefaultRuleResolver) GetRole 

func (a *DefaultRuleResolver) GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error)

func (*DefaultRuleResolver) GetRoleBindings 

func (a *DefaultRuleResolver) GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error)

func (*DefaultRuleResolver) RulesFor added in v1.4.0 

func (a *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]authorizationapi.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.