Documentation ¶
Index ¶
- Constants
- func NewPreflight(depsFactory cmdcore.DepsFactory, enabled bool) preflight.Check
- func RulesForBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, ...) ([]rbacv1.PolicyRule, error)
- func RulesForClusterRoleBinding(ctx context.Context, crGetter rbacv1client.ClusterRolesGetter, ...) ([]rbacv1.PolicyRule, error)
- func RulesForRole(res ctlres.Resource) ([]rbacv1.PolicyRule, error)
- func RulesForRoleBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, ...) ([]rbacv1.PolicyRule, error)
- type BasicValidator
- type BindingValidator
- type CompositeValidator
- type PermissionValidator
- type Preflight
- type PreflightConfig
- type RoleValidator
- type SelfSubjectAccessReviewValidator
- type SelfSubjectRulesReviewValidator
- type Validator
Constants ¶
const (
	PermissionValidatorTypeSelfSubjectAccessReview = "SelfSubjectAccessReview"
	PermissionValidatorTypeSelfSubjectRulesReview  = "SelfSubjectRulesReview"
)
Variables ¶
This section is empty.
Functions ¶
func NewPreflight ¶
func NewPreflight(depsFactory cmdcore.DepsFactory, enabled bool) preflight.Check
func RulesForBinding ¶
func RulesForBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, res ctlres.Resource) ([]rbacv1.PolicyRule, error)
RulesForBinding returns a slice of rbacv1.PolicyRule objects representing the (Cluster)Role rules that a (Cluster)RoleBinding references. It returns an error if fetching this information fails or if it is unable to determine the kind of binding it was given.
func RulesForClusterRoleBinding ¶
func RulesForClusterRoleBinding(ctx context.Context, crGetter rbacv1client.ClusterRolesGetter, crb *rbacv1.ClusterRoleBinding) ([]rbacv1.PolicyRule, error)
RulesForClusterRoleBinding returns a slice of rbacv1.PolicyRule objects representing the ClusterRole rules that a ClusterRoleBinding references. It returns an error if fetching this information fails.
func RulesForRole ¶
func RulesForRole(res ctlres.Resource) ([]rbacv1.PolicyRule, error)
RulesForRole returns a slice of rbacv1.PolicyRule objects representing the provided (Cluster)Role's rules. It returns an error if fetching this information fails or if it is unable to determine the kind of role it was given.
func RulesForRoleBinding ¶
func RulesForRoleBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, rb *rbacv1.RoleBinding) ([]rbacv1.PolicyRule, error)
RulesForRoleBinding returns a slice of rbacv1.PolicyRule objects representing the (Cluster)Role rules that a RoleBinding references. It returns an error if fetching this information fails.
Types ¶
type BasicValidator ¶
type BasicValidator struct {
// contains filtered or unexported fields
}
BasicValidator validates the basic CRUD permissions for a resource. It has no knowledge of how to evaluate permissions for specific GroupVersionKinds.
func NewBasicValidator ¶
func NewBasicValidator(pv PermissionValidator, mapper meta.RESTMapper) *BasicValidator
type BindingValidator ¶
type BindingValidator struct {
// contains filtered or unexported fields
}
BindingValidator is a Validator implementation for validating the permissions required to CRUD Kubernetes (Cluster)RoleBinding resources.
func NewBindingValidator ¶
func NewBindingValidator(pv PermissionValidator, rbacClient rbacv1client.RbacV1Interface, mapper meta.RESTMapper) *BindingValidator
type CompositeValidator ¶
type CompositeValidator struct {
// contains filtered or unexported fields
}
CompositeValidator implements Validator and composes multiple validators into a single validator, so that a distinct validator can be specified for particular GroupVersionKinds; GroupVersionKinds without their own entry are handled by the default validator.
func NewCompositeValidator ¶
func NewCompositeValidator(defaultValidator Validator, validators map[schema.GroupVersionKind]Validator) *CompositeValidator
type PermissionValidator ¶ added in v0.63.0
type PermissionValidator interface {
ValidatePermissions(context.Context, *authv1.ResourceAttributes) error
}
type Preflight ¶
type Preflight struct {
// contains filtered or unexported fields
}
Preflight is an implementation of preflight.Check that makes it easier to add permission validation as a preflight check.
func (*Preflight) SetEnabled ¶
type PreflightConfig ¶ added in v0.63.0
type PreflightConfig struct {
PermissionValidatorResource string `json:"permissionValidatorResource"`
}
type RoleValidator ¶
type RoleValidator struct {
// contains filtered or unexported fields
}
RoleValidator is a Validator implementation for validating the permissions required to CRUD Kubernetes (Cluster)Role resources.
func NewRoleValidator ¶
func NewRoleValidator(pv PermissionValidator, mapper meta.RESTMapper) *RoleValidator
type SelfSubjectAccessReviewValidator ¶ added in v0.63.0
type SelfSubjectAccessReviewValidator struct {
// contains filtered or unexported fields
}
SelfSubjectAccessReviewValidator validates permissions via SelfSubjectAccessReview.
func NewSelfSubjectAccessReviewValidator ¶ added in v0.63.0
func NewSelfSubjectAccessReviewValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface) *SelfSubjectAccessReviewValidator
func (*SelfSubjectAccessReviewValidator) ValidatePermissions ¶ added in v0.63.0
func (rv *SelfSubjectAccessReviewValidator) ValidatePermissions(ctx context.Context, resourceAttrib *authv1.ResourceAttributes) error
ValidatePermissions validates permissions for a ResourceAttributes object using SelfSubjectAccessReview. An error is returned if creating the SelfSubjectAccessReview fails (i.e. the permissions cannot be determined) or if the SelfSubjectAccessReview is evaluated and the caller does not have permission to perform the action identified by the provided ResourceAttributes.
type SelfSubjectRulesReviewValidator ¶ added in v0.63.0
type SelfSubjectRulesReviewValidator struct {
// contains filtered or unexported fields
}
SelfSubjectRulesReviewValidator validates permissions via SelfSubjectRulesReview.
func NewSelfSubjectRulesReviewValidator ¶ added in v0.63.0
func NewSelfSubjectRulesReviewValidator(ssrrClient authv1client.SelfSubjectRulesReviewInterface) *SelfSubjectRulesReviewValidator
func (*SelfSubjectRulesReviewValidator) ValidatePermissions ¶ added in v0.63.0
func (rv *SelfSubjectRulesReviewValidator) ValidatePermissions(ctx context.Context, resourceAttrib *authv1.ResourceAttributes) error
ValidatePermissions validates permissions for a ResourceAttributes object using SelfSubjectRulesReview. An error is returned if creating the SelfSubjectRulesReview fails (i.e. the permissions cannot be determined) or if the SelfSubjectRulesReview is evaluated and the caller does not have permission to perform the action identified by the provided ResourceAttributes.
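The RulesFor* helpers above produce rbacv1.PolicyRule slices, and the two PermissionValidator implementations turn a ResourceAttributes request into an allowed, denied, or cannot-determine answer. The following stand-alone example is added here and is not kapp's own code. It shows the rule evaluation both pieces rest on: how Kubernetes RBAC matches a rule against a request ("*" wildcards in verbs, apiGroups and resources; "*/subresource" rules; resourceNames, which take no wildcard), why a SelfSubjectRulesReview whose status is flagged incomplete must be reported as "cannot determine permissions" rather than "allowed", and why a validator for (Cluster)Roles and bindings has to compare the rules a role grants against what the caller already holds: the API server refuses to create a role or binding that grants permissions the caller lacks unless the caller also has the escalate (roles) or bind (bindings) verb. PolicyRule and ResourceAttributes are local stand-ins for the rbacv1 and authv1 types, the incomplete flag stands in for the SelfSubjectRulesReview status field, UncoveredRules is a hypothetical helper name, and the sample rules are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Local stand-ins for rbacv1.PolicyRule (resource rules only) and authv1.ResourceAttributes.
type PolicyRule struct{ Verbs, APIGroups, Resources, ResourceNames []string }
type ResourceAttributes struct{ Namespace, Verb, Group, Resource, Subresource, Name string }

func contains(set []string, want string) bool {
	for _, s := range set {
		if s == want {
			return true
		}
	}
	return false
}

// has treats "*" as a wildcard, as RBAC does for verbs, apiGroups and resources.
func has(set []string, want string) bool { return contains(set, "*") || contains(set, want) }

// RuleAllows is the per-rule check Kubernetes RBAC applies to a resource request.
func RuleAllows(rule PolicyRule, a ResourceAttributes) bool {
	if !has(rule.Verbs, a.Verb) || !has(rule.APIGroups, a.Group) {
		return false
	}
	combined := a.Resource
	if a.Subresource != "" {
		combined += "/" + a.Subresource // e.g. "pods/log"
	}
	// "*/<sub>" grants that subresource on every resource; "*" grants everything.
	if !has(rule.Resources, combined) && !(a.Subresource != "" && contains(rule.Resources, "*/"+a.Subresource)) {
		return false
	}
	// No resourceNames means every object; names themselves take no wildcard.
	return len(rule.ResourceNames) == 0 || contains(rule.ResourceNames, a.Name)
}

// RulesAllow reports whether any rule in the set allows the request.
func RulesAllow(rules []PolicyRule, a ResourceAttributes) bool {
	for _, r := range rules {
		if RuleAllows(r, a) {
			return true
		}
	}
	return false
}

var ErrUndetermined = errors.New("cannot determine permissions: rules review is incomplete")

// ValidatePermissions follows the contract described for the rules-review validator;
// incomplete stands in for the SelfSubjectRulesReview status flag, and a partial
// rule list must yield "undetermined", never a false "allowed".
func ValidatePermissions(rules []PolicyRule, incomplete bool, a ResourceAttributes) error {
	if incomplete {
		return ErrUndetermined
	}
	if !RulesAllow(rules, a) {
		return fmt.Errorf("not permitted: %s %s/%s in namespace %q", a.Verb, a.Group, a.Resource, a.Namespace)
	}
	return nil
}

// UncoveredRules (hypothetical helper) lists the atomic grants in granted that held
// does not allow. The API server rejects creating a (Cluster)Role or binding that
// grants any of these unless the caller also holds "escalate" (roles) or "bind" (bindings).
func UncoveredRules(held, granted []PolicyRule) []string {
	var missing []string
	for _, g := range granted {
		names := g.ResourceNames
		if len(names) == 0 {
			names = []string{""} // "" stands for every object of the resource
		}
		for _, verb := range g.Verbs {
			for _, group := range g.APIGroups {
				for _, res := range g.Resources {
					resource, sub, _ := strings.Cut(res, "/") // "pods/status" -> "pods", "status"
					for _, name := range names {
						a := ResourceAttributes{Verb: verb, Group: group, Resource: resource, Subresource: sub, Name: name}
						if !RulesAllow(held, a) {
							missing = append(missing, fmt.Sprintf("%s %s/%s %q", verb, group, res, name))
						}
					}
				}
			}
		}
	}
	return missing
}

func main() {
	// Constructed sample: a caller who manages pods and deployments in "dev".
	held := []PolicyRule{
		{Verbs: []string{"get", "list", "create", "update", "delete"}, APIGroups: []string{""}, Resources: []string{"pods", "pods/log"}},
		{Verbs: []string{"*"}, APIGroups: []string{"apps"}, Resources: []string{"deployments"}},
	}
	fmt.Println(ValidatePermissions(held, false, ResourceAttributes{Namespace: "dev", Verb: "create", Resource: "pods"}))    // <nil>
	fmt.Println(ValidatePermissions(held, false, ResourceAttributes{Namespace: "dev", Verb: "create", Resource: "secrets"})) // not permitted: ...
	// A Role the caller wants to create; "get secrets" is more than the caller holds.
	role := []PolicyRule{{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"pods", "secrets"}}}
	fmt.Println(UncoveredRules(held, role)) // [get /secrets ""]
}
```

Two practical caveats follow from this. A SelfSubjectRulesReview is evaluated for one namespace and only lists rules from authorizers that can enumerate them (RBAC can; a webhook authorizer cannot, which is when the status is flagged incomplete), so the rules-review validator can say "cannot determine" where a SelfSubjectAccessReview, which asks the full authorizer chain for a yes/no answer on one request, would give a definite result. And checking the caller's CRUD permission on a Role or RoleBinding object is not enough on its own: the create will still be refused by the API server if the rules the role grants are not covered by what the caller holds, which is why the (Cluster)Role rules resolved by the RulesFor* helpers matter to role and binding validation.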