Documentation ¶
Index ¶
- func BreakdownRule(rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule
- func CompactRules(rules []authorizationapi.PolicyRule) ([]authorizationapi.PolicyRule, error)
- func ConfirmNoEscalation(ctx apirequest.Context, resource schema.GroupResource, name string, ...) error
- func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []authorizationapi.PolicyRule)
- func EscalationAllowed(ctx apirequest.Context) bool
- type AuthorizationRuleResolver
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BreakdownRule ¶
func BreakdownRule(rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule
BreakdownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one resource, and one resource name
func CompactRules ¶
func CompactRules(rules []authorizationapi.PolicyRule) ([]authorizationapi.PolicyRule, error)
CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. this is a fast check, and works well with the decomposed "missing rules" list from a Covers check.
func ConfirmNoEscalation ¶
func ConfirmNoEscalation(ctx apirequest.Context, resource schema.GroupResource, name string, ruleResolver, cachedRuleResolver AuthorizationRuleResolver, role authorizationinterfaces.Role) error
func Covers ¶
func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []authorizationapi.PolicyRule)
Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.
func EscalationAllowed ¶
func EscalationAllowed(ctx apirequest.Context) bool
EscalationAllowed returns true if a particular user is allowed to escalate his powers
Types ¶
type AuthorizationRuleResolver ¶
type AuthorizationRuleResolver interface { GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error) GetRole(roleBinding authorizationinterfaces.RoleBinding) (authorizationinterfaces.Role, error) // RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of // PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations // can be made on the basis of those rules that are found. RulesFor(info user.Info, namespace string) ([]authorizationapi.PolicyRule, error) }
Click to show internal directories.
Click to hide internal directories.