validation

package
v1.32.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 11, 2024 License: Apache-2.0 Imports: 15 Imported by: 415

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CompactRules added in v1.7.0

func CompactRules(rules []rbacv1.PolicyRule) ([]rbacv1.PolicyRule, error)

CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. this is a fast check, and works well with the decomposed "missing rules" list from a Covers check.

func ConfirmNoEscalation

func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleResolver, rules []rbacv1.PolicyRule) error

ConfirmNoEscalation determines if the roles for a given user in a given namespace encompass the provided role.

func ConfirmNoEscalationInternal added in v1.11.0

func ConfirmNoEscalationInternal(ctx context.Context, ruleResolver AuthorizationRuleResolver, inRules []rbac.PolicyRule) error

func NewTestRuleResolver

func NewTestRuleResolver(roles []*rbacv1.Role, roleBindings []*rbacv1.RoleBinding, clusterRoles []*rbacv1.ClusterRole, clusterRoleBindings []*rbacv1.ClusterRoleBinding) (AuthorizationRuleResolver, *StaticRoles)

NewTestRuleResolver returns a rule resolver from lists of role objects.

Types

type AuthorizationRuleResolver

type AuthorizationRuleResolver interface {
	// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding.  The passed namespace should be the namespace
	// of the role binding, the empty string if a cluster role binding.
	GetRoleReferenceRules(ctx context.Context, roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

	// RulesFor returns the list of rules that apply to a given user in a given namespace and error.  If an error is returned, the slice of
	// PolicyRules may not be complete, but it contains all retrievable rules.  This is done because policy rules are purely additive and policy determinations
	// can be made on the basis of those rules that are found.
	RulesFor(ctx context.Context, user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

	// VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules.
	// If visitor() returns false, visiting is short-circuited.
	VisitRulesFor(ctx context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
}

type ClusterRoleBindingLister

type ClusterRoleBindingLister interface {
	ListClusterRoleBindings(ctx context.Context) ([]*rbacv1.ClusterRoleBinding, error)
}

type ClusterRoleGetter

type ClusterRoleGetter interface {
	GetClusterRole(ctx context.Context, name string) (*rbacv1.ClusterRole, error)
}

type DefaultRuleResolver

type DefaultRuleResolver struct {
	// contains filtered or unexported fields
}

func NewDefaultRuleResolver

func NewDefaultRuleResolver(roleGetter RoleGetter, roleBindingLister RoleBindingLister, clusterRoleGetter ClusterRoleGetter, clusterRoleBindingLister ClusterRoleBindingLister) *DefaultRuleResolver

func (*DefaultRuleResolver) GetRoleReferenceRules

func (r *DefaultRuleResolver) GetRoleReferenceRules(ctx context.Context, roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules attempts to resolve the RoleBinding or ClusterRoleBinding.

func (*DefaultRuleResolver) RulesFor

func (r *DefaultRuleResolver) RulesFor(ctx context.Context, user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

func (*DefaultRuleResolver) VisitRulesFor added in v1.7.0

func (r *DefaultRuleResolver) VisitRulesFor(ctx context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

type RoleBindingLister

type RoleBindingLister interface {
	ListRoleBindings(ctx context.Context, namespace string) ([]*rbacv1.RoleBinding, error)
}

type RoleGetter

type RoleGetter interface {
	GetRole(ctx context.Context, namespace, name string) (*rbacv1.Role, error)
}

type StaticRoles

type StaticRoles struct {
	// contains filtered or unexported fields
}

StaticRoles is a rule resolver that resolves from lists of role objects.

func (*StaticRoles) GetClusterRole

func (r *StaticRoles) GetClusterRole(ctx context.Context, name string) (*rbacv1.ClusterRole, error)

func (*StaticRoles) GetRole

func (r *StaticRoles) GetRole(ctx context.Context, namespace, name string) (*rbacv1.Role, error)

func (*StaticRoles) ListClusterRoleBindings

func (r *StaticRoles) ListClusterRoleBindings(ctx context.Context) ([]*rbacv1.ClusterRoleBinding, error)

func (*StaticRoles) ListRoleBindings

func (r *StaticRoles) ListRoleBindings(ctx context.Context, namespace string) ([]*rbacv1.RoleBinding, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL