Documentation ¶
Index ¶
- type NotAllowedError
- type SarValidator
- func (v *SarValidator) CheckEscalation(ctx context.Context, sa *workapiv1.ManifestWorkSubjectServiceAccount, ...) error
- func (v *SarValidator) CheckSubjectAccessReviews(ctx context.Context, sa *workapiv1.ManifestWorkSubjectServiceAccount, ...) error
- func (v *SarValidator) ExecutorBasicCheck(executor *workapiv1.ManifestWorkExecutor) error
- func (v *SarValidator) Validate(ctx context.Context, executor *workapiv1.ManifestWorkExecutor, ...) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type NotAllowedError ¶
func (*NotAllowedError) Error ¶
func (e *NotAllowedError) Error() string
type SarValidator ¶
type SarValidator struct {
// contains filtered or unexported fields
}
func NewSARValidator ¶
func NewSARValidator(config *rest.Config, kubeClient kubernetes.Interface) *SarValidator
NewSARValidator creates a SarValidator.
func (*SarValidator) CheckEscalation ¶
func (v *SarValidator) CheckEscalation(ctx context.Context, sa *workapiv1.ManifestWorkSubjectServiceAccount, gvr schema.GroupVersionResource, namespace, name string, obj *unstructured.Unstructured) error
CheckEscalation checks whether allowing the service account (sa) to operate on the RBAC resource identified by gvr would be a privilege escalation.
func (*SarValidator) CheckSubjectAccessReviews ¶
func (v *SarValidator) CheckSubjectAccessReviews(ctx context.Context, sa *workapiv1.ManifestWorkSubjectServiceAccount, gvr schema.GroupVersionResource, namespace, name string, ownedByTheWork bool) error
CheckSubjectAccessReviews checks whether the service account (sa) has permission to operate on the gvr resource by issuing SubjectAccessReview requests.
func (*SarValidator) ExecutorBasicCheck ¶
func (v *SarValidator) ExecutorBasicCheck(executor *workapiv1.ManifestWorkExecutor) error
ExecutorBasicCheck performs some basic checks on the executor.
func (*SarValidator) Validate ¶
func (v *SarValidator) Validate(ctx context.Context, executor *workapiv1.ManifestWorkExecutor, gvr schema.GroupVersionResource, namespace, name string, ownedByTheWork bool, obj *unstructured.Unstructured) error
Validate checks whether the executor has permission to operate on the specific gvr resource by sending SubjectAccessReview (SAR) requests to the API server.