restrictusers

package
v4.0.0-alpha.0
Warning

This package is not in the latest version of its module.

Published: Sep 13, 2018 | License: Apache-2.0 | Imports: 21 | Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewRestrictUsersAdmission

func NewRestrictUsersAdmission() (admission.Interface, error)

NewRestrictUsersAdmission configures an admission plugin that enforces restrictions on adding role bindings in a project.

func Register

func Register(plugins *admission.Plugins)

Types

type GroupCache

type GroupCache interface {
	GroupsFor(string) ([]*userapi.Group, error)
}

type GroupSubjectChecker

type GroupSubjectChecker struct {
	// contains filtered or unexported fields
}

GroupSubjectChecker determines whether a group subject is allowed in rolebindings in the project.

func NewGroupSubjectChecker

func NewGroupSubjectChecker(groupRestriction *authorizationapi.GroupRestriction) GroupSubjectChecker

NewGroupSubjectChecker returns a new GroupSubjectChecker.

func (GroupSubjectChecker) Allowed

func (checker GroupSubjectChecker) Allowed(subject rbac.Subject, ctx *RoleBindingRestrictionContext) (bool, error)

Allowed determines whether the given group subject is allowed in rolebindings in the project.

type RoleBindingRestrictionContext

type RoleBindingRestrictionContext struct {
	// contains filtered or unexported fields
}

RoleBindingRestrictionContext holds context that is used when determining whether a RoleBindingRestriction allows rolebindings on a particular subject.

func NewRoleBindingRestrictionContext

func NewRoleBindingRestrictionContext(ns string, kc kclientset.Interface, userClient userclient.UserV1Interface, groupCache GroupCache) (*RoleBindingRestrictionContext, error)

NewRoleBindingRestrictionContext returns a new RoleBindingRestrictionContext object.

type ServiceAccountSubjectChecker

type ServiceAccountSubjectChecker struct {
	// contains filtered or unexported fields
}

ServiceAccountSubjectChecker determines whether a serviceaccount subject is allowed in rolebindings in the project.

func NewServiceAccountSubjectChecker

func NewServiceAccountSubjectChecker(serviceAccountRestriction *authorizationapi.ServiceAccountRestriction) ServiceAccountSubjectChecker

NewServiceAccountSubjectChecker returns a new ServiceAccountSubjectChecker.

func (ServiceAccountSubjectChecker) Allowed

Allowed determines whether the given serviceaccount subject is allowed in rolebindings in the project.

type SubjectChecker

type SubjectChecker interface {
	Allowed(rbac.Subject, *RoleBindingRestrictionContext) (bool, error)
}

SubjectChecker determines whether rolebindings on a subject (user, group, or service account) are allowed in a project.

func NewSubjectChecker

NewSubjectChecker returns a new SubjectChecker.

type UnionSubjectChecker

type UnionSubjectChecker []SubjectChecker

UnionSubjectChecker represents the union of zero or more SubjectCheckers.

func NewUnionSubjectChecker

func NewUnionSubjectChecker(checkers []SubjectChecker) UnionSubjectChecker

NewUnionSubjectChecker returns a new UnionSubjectChecker.

func (UnionSubjectChecker) Allowed

func (checkers UnionSubjectChecker) Allowed(subject rbac.Subject, ctx *RoleBindingRestrictionContext) (bool, error)

Allowed determines whether the given subject is allowed in rolebindings in the project.

type UserSubjectChecker

type UserSubjectChecker struct {
	// contains filtered or unexported fields
}

UserSubjectChecker determines whether a user subject is allowed in rolebindings in the project.

func NewUserSubjectChecker

func NewUserSubjectChecker(userRestriction *authorizationapi.UserRestriction) UserSubjectChecker

NewUserSubjectChecker returns a new UserSubjectChecker.

func (UserSubjectChecker) Allowed

func (checker UserSubjectChecker) Allowed(subject rbac.Subject, ctx *RoleBindingRestrictionContext) (bool, error)

Allowed determines whether the given user subject is allowed in rolebindings in the project.
