permissions

package
v0.62.0
This package is not in the latest version of its module.

Published: Apr 16, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewPreflight

func NewPreflight(depsFactory cmdcore.DepsFactory, enabled bool) preflight.Check

func RulesForBinding

func RulesForBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, res ctlres.Resource) ([]rbacv1.PolicyRule, error)

RulesForBinding will return a slice of rbacv1.PolicyRule objects that are representative of the (Cluster)Role rules that a (Cluster)RoleBinding references. It returns an error if one occurs during the process of fetching this information or if it is unable to determine the kind of binding this is.

func RulesForClusterRoleBinding

func RulesForClusterRoleBinding(ctx context.Context, crGetter rbacv1client.ClusterRolesGetter, crb *rbacv1.ClusterRoleBinding) ([]rbacv1.PolicyRule, error)

RulesForClusterRoleBinding will return a slice of rbacv1.PolicyRule objects that are representative of the ClusterRole rules that a ClusterRoleBinding references. It returns an error if one occurs during the process of fetching this information.

func RulesForRole

func RulesForRole(res ctlres.Resource) ([]rbacv1.PolicyRule, error)

RulesForRole will return a slice of rbacv1.PolicyRule objects that are representative of a provided (Cluster)Role's rules. It returns an error if one occurs during the process of fetching this information or if it is unable to determine the kind of binding this is.

func RulesForRoleBinding

func RulesForRoleBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, rb *rbacv1.RoleBinding) ([]rbacv1.PolicyRule, error)

RulesForRoleBinding will return a slice of rbacv1.PolicyRule objects that are representative of the (Cluster)Role rules that a RoleBinding references. It returns an error if one occurs during the process of fetching this information.

func ValidatePermissions

func ValidatePermissions(ctx context.Context, ssarClient authv1client.SelfSubjectAccessReviewInterface, resourceAttributes *authv1.ResourceAttributes) error

ValidatePermissions takes in all the parameters necessary to validate permissions using a SelfSubjectAccessReview. It returns an error if the SelfSubjectAccessReview indicates that the permissions are not present or are unable to be determined. A nil error is returned if the SelfSubjectAccessReview indicates that the permissions are present.

TODO: Look into using SelfSubjectRulesReview instead of SelfSubjectAccessReview.

Types

type BasicValidator

type BasicValidator struct {
	// contains filtered or unexported fields
}

BasicValidator is a basic validator useful for validating basic CRUD permissions for resources. It has no knowledge of how to handle permission evaluation for specific GroupVersionKinds.

func (*BasicValidator) Validate

func (bv *BasicValidator) Validate(ctx context.Context, res ctlres.Resource, verb string) error

type BindingValidator

type BindingValidator struct {
	// contains filtered or unexported fields
}

BindingValidator is a Validator implementation for validating permissions required to CRUD Kubernetes (Cluster)RoleBinding resources.

func (*BindingValidator) Validate

func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, verb string) error

type CompositeValidator

type CompositeValidator struct {
	// contains filtered or unexported fields
}

CompositeValidator implements Validator and is used for composing multiple validators into a single validator that can handle specifying unique validators for different GroupVersionKinds.

func NewCompositeValidator

func NewCompositeValidator(defaultValidator Validator, validators map[schema.GroupVersionKind]Validator) *CompositeValidator

func (*CompositeValidator) Validate

func (cv *CompositeValidator) Validate(ctx context.Context, res ctlres.Resource, verb string) error

type Preflight

type Preflight struct {
	// contains filtered or unexported fields
}

Preflight is an implementation of preflight.Check to make it easier to add permission validation as a preflight check.

func (*Preflight) Enabled

func (p *Preflight) Enabled() bool

func (*Preflight) Run

func (p *Preflight) Run(ctx context.Context, changeGraph *ctldgraph.ChangeGraph) error

func (*Preflight) SetConfig

func (p *Preflight) SetConfig(_ preflight.CheckConfig) error

func (*Preflight) SetEnabled

func (p *Preflight) SetEnabled(enabled bool)

type RoleValidator

type RoleValidator struct {
	// contains filtered or unexported fields
}

RoleValidator is a Validator implementation for validating permissions required to CRUD Kubernetes (Cluster)Role resources.

func (*RoleValidator) Validate

func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb string) error

type Validator

type Validator interface {
	Validate(context.Context, ctlres.Resource, string) error
}
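
How the pieces documented above could fit together, as an added sketch that is not kapp's own code: a composite validator dispatching on GroupVersionKind with a default fallback, and a fail-closed access check modeled on the ValidatePermissions description. The GVK, Attrs, Resource and Review types are simplified stand-ins, and the RoleLike rule (the caller must already hold every permission a role carries, in the spirit of Kubernetes RBAC escalation prevention) is an assumption about what a role validator checks.

```go
package main

import "fmt"

type ( // simplified stand-ins (assumptions) for the Kubernetes and kapp types
	GVK       struct{ Group, Version, Kind string }
	Attrs     struct{ Group, Resource, Verb string }
	Resource  struct{ GVK GVK; Plural string; Grants []Attrs } // Grants: rules a Role carries
	Review    func(Attrs) (allowed bool, err error)           // models a SelfSubjectAccessReview
	Validator func(res Resource, verb string) error
)

// check fails closed: a denial and an undeterminable answer are both errors.
func (ask Review) check(a Attrs) error {
	if ok, err := ask(a); err != nil || !ok {
		return fmt.Errorf("cannot confirm %q on %q (allowed=%v, err=%v)", a.Verb, a.Resource, ok, err)
	}
	return nil
}

// Basic checks only the verb on the resource itself.
func (ask Review) Basic(res Resource, verb string) error {
	return ask.check(Attrs{res.GVK.Group, res.Plural, verb})
}

// RoleLike (hypothetical rule) also requires every permission the role grants.
func (ask Review) RoleLike(res Resource, verb string) error {
	err := ask.Basic(res, verb)
	for i := 0; err == nil && i < len(res.Grants); i++ {
		err = ask.check(res.Grants[i])
	}
	return err
}

// Composite picks the validator registered for the GVK, else the default.
func Composite(def Validator, byGVK map[GVK]Validator) Validator {
	return func(res Resource, verb string) error {
		if v, ok := byGVK[res.GVK]; ok {
			return v(res, verb)
		}
		return def(res, verb)
	}
}

func main() {
	ask := Review(func(a Attrs) (bool, error) { return a.Resource != "secrets", nil }) // constructed identity
	role := GVK{"rbac.authorization.k8s.io", "v1", "Role"}
	v := Composite(ask.Basic, map[GVK]Validator{role: ask.RoleLike})
	fmt.Println(v(Resource{role, "roles", []Attrs{{"", "secrets", "get"}}}, "create"))
}
```

Run as written, the constructed identity may create Roles but holds nothing on secrets, so the preflight-style check rejects the Role before anything would be applied.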
