capabilities

package
v0.1.19 Latest Latest
Published: Feb 15, 2024 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package capabilities contains the proto enum with our IAM capabilities.

Index

Constants

This section is empty.

Variables

// Capability_name and Capability_value are the enum value maps for
// Capability (number -> name and name -> number). Both are exported,
// mutable package-level maps: a write to either at runtime would change
// how capabilities are named and parsed process-wide, so treat them as
// read-only lookup tables.
//
// The numbering appears to be grouped by resource family in the hundreds;
// numbers that are absent here (for example 202) are simply unassigned.
var (
	Capability_name = map[int32]string{
		0:     "UNKNOWN",
		101:   "CAP_IAM_GROUPS_CREATE",
		102:   "CAP_IAM_GROUPS_UPDATE",
		103:   "CAP_IAM_GROUPS_LIST",
		104:   "CAP_IAM_GROUPS_DELETE",
		201:   "CAP_IAM_GROUP_INVITES_CREATE",
		203:   "CAP_IAM_GROUP_INVITES_LIST",
		204:   "CAP_IAM_GROUP_INVITES_DELETE",
		301:   "CAP_IAM_ROLES_CREATE",
		302:   "CAP_IAM_ROLES_UPDATE",
		303:   "CAP_IAM_ROLES_LIST",
		304:   "CAP_IAM_ROLES_DELETE",
		401:   "CAP_IAM_ROLE_BINDINGS_CREATE",
		402:   "CAP_IAM_ROLE_BINDINGS_UPDATE",
		403:   "CAP_IAM_ROLE_BINDINGS_LIST",
		404:   "CAP_IAM_ROLE_BINDINGS_DELETE",
		501:   "CAP_TENANT_CLUSTERS_CREATE",
		502:   "CAP_TENANT_CLUSTERS_UPDATE",
		503:   "CAP_TENANT_CLUSTERS_LIST",
		504:   "CAP_TENANT_CLUSTERS_DELETE",
		505:   "CAP_TENANT_CLUSTERS_DISCOVER",
		603:   "CAP_TENANT_RECORDS_LIST",
		613:   "CAP_TENANT_RECORD_CONTEXTS_LIST",
		623:   "CAP_TENANT_RECORD_SIGNATURES_LIST",
		633:   "CAP_TENANT_RECORD_POLICY_RESULTS_LIST",
		640:   "CAP_TENANT_RISKS_LIST",
		650:   "CAP_TENANT_SBOMS_LIST",
		660:   "CAP_TENANT_VULN_REPORTS_LIST",
		670:   "CAP_TENANT_ATTESTATIONS_LIST",
		701:   "CAP_IAM_ACCOUNT_ASSOCIATIONS_CREATE",
		702:   "CAP_IAM_ACCOUNT_ASSOCIATIONS_UPDATE",
		703:   "CAP_IAM_ACCOUNT_ASSOCIATIONS_LIST",
		704:   "CAP_IAM_ACCOUNT_ASSOCIATIONS_DELETE",
		801:   "CAP_IAM_POLICY_CREATE",
		802:   "CAP_IAM_POLICY_UPDATE",
		803:   "CAP_IAM_POLICY_LIST",
		804:   "CAP_IAM_POLICY_DELETE",
		901:   "CAP_IAM_IDENTITY_CREATE",
		902:   "CAP_IAM_IDENTITY_UPDATE",
		903:   "CAP_IAM_IDENTITY_LIST",
		904:   "CAP_IAM_IDENTITY_DELETE",
		1003:  "CAP_TENANT_NODES_LIST",
		1103:  "CAP_TENANT_NAMESPACES_LIST",
		1203:  "CAP_TENANT_WORKLOADS_LIST",
		1301:  "CAP_IAM_IDENTITY_PROVIDERS_CREATE",
		1302:  "CAP_IAM_IDENTITY_PROVIDERS_UPDATE",
		1303:  "CAP_IAM_IDENTITY_PROVIDERS_LIST",
		1304:  "CAP_IAM_IDENTITY_PROVIDERS_DELETE",
		1501:  "CAP_EVENTS_SUBSCRIPTION_CREATE",
		1502:  "CAP_EVENTS_SUBSCRIPTION_UPDATE",
		1503:  "CAP_EVENTS_SUBSCRIPTION_LIST",
		1504:  "CAP_EVENTS_SUBSCRIPTION_DELETE",
		// 1601/1602 are the coarse-grained registry capabilities that the
		// Capability const block marks for removal; they still round-trip here.
		1601:  "CAP_REGISTRY_PULL",
		1602:  "CAP_REGISTRY_PUSH",
		1603:  "CAP_REPO_CREATE",
		1604:  "CAP_REPO_UPDATE",
		1605:  "CAP_REPO_LIST",
		1606:  "CAP_REPO_DELETE",
		1607:  "CAP_MANIFEST_CREATE",
		1608:  "CAP_MANIFEST_UPDATE",
		1609:  "CAP_MANIFEST_LIST",
		1610:  "CAP_MANIFEST_DELETE",
		1611:  "CAP_TAG_CREATE",
		1612:  "CAP_TAG_UPDATE",
		1613:  "CAP_TAG_LIST",
		1614:  "CAP_TAG_DELETE",
		1701:  "CAP_SIGSTORE_CREATE",
		1702:  "CAP_SIGSTORE_UPDATE",
		1703:  "CAP_SIGSTORE_LIST",
		1704:  "CAP_SIGSTORE_DELETE",
		1705:  "CAP_SIGSTORE_CERTIFICATE_CREATE",
		10000: "CAP_GULFSTREAM",
	}
	// Capability_value is the inverse of Capability_name; the two must stay
	// in sync, which is why they are generated rather than hand-edited.
	Capability_value = map[string]int32{
		"UNKNOWN":                               0,
		"CAP_IAM_GROUPS_CREATE":                 101,
		"CAP_IAM_GROUPS_UPDATE":                 102,
		"CAP_IAM_GROUPS_LIST":                   103,
		"CAP_IAM_GROUPS_DELETE":                 104,
		"CAP_IAM_GROUP_INVITES_CREATE":          201,
		"CAP_IAM_GROUP_INVITES_LIST":            203,
		"CAP_IAM_GROUP_INVITES_DELETE":          204,
		"CAP_IAM_ROLES_CREATE":                  301,
		"CAP_IAM_ROLES_UPDATE":                  302,
		"CAP_IAM_ROLES_LIST":                    303,
		"CAP_IAM_ROLES_DELETE":                  304,
		"CAP_IAM_ROLE_BINDINGS_CREATE":          401,
		"CAP_IAM_ROLE_BINDINGS_UPDATE":          402,
		"CAP_IAM_ROLE_BINDINGS_LIST":            403,
		"CAP_IAM_ROLE_BINDINGS_DELETE":          404,
		"CAP_TENANT_CLUSTERS_CREATE":            501,
		"CAP_TENANT_CLUSTERS_UPDATE":            502,
		"CAP_TENANT_CLUSTERS_LIST":              503,
		"CAP_TENANT_CLUSTERS_DELETE":            504,
		"CAP_TENANT_CLUSTERS_DISCOVER":          505,
		"CAP_TENANT_RECORDS_LIST":               603,
		"CAP_TENANT_RECORD_CONTEXTS_LIST":       613,
		"CAP_TENANT_RECORD_SIGNATURES_LIST":     623,
		"CAP_TENANT_RECORD_POLICY_RESULTS_LIST": 633,
		"CAP_TENANT_RISKS_LIST":                 640,
		"CAP_TENANT_SBOMS_LIST":                 650,
		"CAP_TENANT_VULN_REPORTS_LIST":          660,
		"CAP_TENANT_ATTESTATIONS_LIST":          670,
		"CAP_IAM_ACCOUNT_ASSOCIATIONS_CREATE":   701,
		"CAP_IAM_ACCOUNT_ASSOCIATIONS_UPDATE":   702,
		"CAP_IAM_ACCOUNT_ASSOCIATIONS_LIST":     703,
		"CAP_IAM_ACCOUNT_ASSOCIATIONS_DELETE":   704,
		"CAP_IAM_POLICY_CREATE":                 801,
		"CAP_IAM_POLICY_UPDATE":                 802,
		"CAP_IAM_POLICY_LIST":                   803,
		"CAP_IAM_POLICY_DELETE":                 804,
		"CAP_IAM_IDENTITY_CREATE":               901,
		"CAP_IAM_IDENTITY_UPDATE":               902,
		"CAP_IAM_IDENTITY_LIST":                 903,
		"CAP_IAM_IDENTITY_DELETE":               904,
		"CAP_TENANT_NODES_LIST":                 1003,
		"CAP_TENANT_NAMESPACES_LIST":            1103,
		"CAP_TENANT_WORKLOADS_LIST":             1203,
		"CAP_IAM_IDENTITY_PROVIDERS_CREATE":     1301,
		"CAP_IAM_IDENTITY_PROVIDERS_UPDATE":     1302,
		"CAP_IAM_IDENTITY_PROVIDERS_LIST":       1303,
		"CAP_IAM_IDENTITY_PROVIDERS_DELETE":     1304,
		"CAP_EVENTS_SUBSCRIPTION_CREATE":        1501,
		"CAP_EVENTS_SUBSCRIPTION_UPDATE":        1502,
		"CAP_EVENTS_SUBSCRIPTION_LIST":          1503,
		"CAP_EVENTS_SUBSCRIPTION_DELETE":        1504,
		"CAP_REGISTRY_PULL":                     1601,
		"CAP_REGISTRY_PUSH":                     1602,
		"CAP_REPO_CREATE":                       1603,
		"CAP_REPO_UPDATE":                       1604,
		"CAP_REPO_LIST":                         1605,
		"CAP_REPO_DELETE":                       1606,
		"CAP_MANIFEST_CREATE":                   1607,
		"CAP_MANIFEST_UPDATE":                   1608,
		"CAP_MANIFEST_LIST":                     1609,
		"CAP_MANIFEST_DELETE":                   1610,
		"CAP_TAG_CREATE":                        1611,
		"CAP_TAG_UPDATE":                        1612,
		"CAP_TAG_LIST":                          1613,
		"CAP_TAG_DELETE":                        1614,
		"CAP_SIGSTORE_CREATE":                   1701,
		"CAP_SIGSTORE_UPDATE":                   1702,
		"CAP_SIGSTORE_LIST":                     1703,
		"CAP_SIGSTORE_DELETE":                   1704,
		"CAP_SIGSTORE_CERTIFICATE_CREATE":       1705,
		"CAP_GULFSTREAM":                        10000,
	}
)

Enum value maps for Capability.

// E_Name and E_Bit are the proto extensions on descriptorpb.EnumValueOptions
// that annotate each Capability enum value. Both point into
// file_capabilities_proto_extTypes, which is not shown on this page; the
// index into that table is fixed by the generated code and must not be
// changed by hand.
var (
	// This decorates our capability enumeration values with
	// the friendly name to show to humans.
	//
	// optional string name = 189350643;
	E_Name = &file_capabilities_proto_extTypes[0]
	// This decorates our capability enumeration values with
	// a bit index enabling compacted encodings.
	//
	// NOTE(review): presumably this is the bit that Bitify returns and that
	// Set's compact encoding relies on — confirm against those bodies.
	//
	// optional uint32 bit = 20221109;
	E_Bit = &file_capabilities_proto_extTypes[1]
)

Extension fields to descriptorpb.EnumValueOptions.

// Role capability sets. Every set is passed through sortCaps, which is
// defined elsewhere in this package (whether it also de-duplicates is not
// visible here). The sets are built by composition — a broader set embeds
// the narrower ones via append — so a capability added to a narrow set is
// inherited by every set that embeds it; review additions to the narrow
// sets with that in mind.
//
// Package-level initialization runs in dependency order, so ViewerCaps may
// reference RegistryPullCaps even though it is declared further down.
var (
	// ViewerCaps are read-only capabilities that do not affect state.
	// The set embeds RegistryPullCaps, so some entries (for example
	// CAP_IAM_GROUPS_LIST and CAP_TENANT_SBOMS_LIST) occur twice in the
	// input to sortCaps — assumes sortCaps tolerates repeats; confirm.
	ViewerCaps = sortCaps(append([]Capability{
		Capability_CAP_EVENTS_SUBSCRIPTION_LIST,

		Capability_CAP_IAM_ACCOUNT_ASSOCIATIONS_LIST,
		Capability_CAP_IAM_GROUP_INVITES_LIST,
		Capability_CAP_IAM_GROUPS_LIST,
		Capability_CAP_IAM_ROLE_BINDINGS_LIST,
		Capability_CAP_IAM_ROLES_LIST,
		Capability_CAP_IAM_POLICY_LIST,
		Capability_CAP_IAM_IDENTITY_LIST,
		Capability_CAP_IAM_IDENTITY_PROVIDERS_LIST,

		Capability_CAP_TENANT_CLUSTERS_DISCOVER,
		Capability_CAP_TENANT_CLUSTERS_LIST,
		Capability_CAP_TENANT_NAMESPACES_LIST,
		Capability_CAP_TENANT_NODES_LIST,
		Capability_CAP_TENANT_RECORDS_LIST,
		Capability_CAP_TENANT_RECORD_CONTEXTS_LIST,
		Capability_CAP_TENANT_RECORD_SIGNATURES_LIST,
		Capability_CAP_TENANT_RECORD_POLICY_RESULTS_LIST,
		Capability_CAP_TENANT_RISKS_LIST,
		Capability_CAP_TENANT_SBOMS_LIST,
		Capability_CAP_TENANT_VULN_REPORTS_LIST,
		Capability_CAP_TENANT_WORKLOADS_LIST,

		Capability_CAP_SIGSTORE_LIST,
	},

		RegistryPullCaps...))

	// EditorCaps can modify state, but not grant roles/permissions: the set
	// embeds ViewerCaps and adds create/update/delete on event subscriptions,
	// clusters and sigstore resources. It deliberately contains no IAM write
	// capability (no *_ROLE_BINDINGS_*, *_ROLES_*, *_GROUPS_* writes).
	EditorCaps = sortCaps(append([]Capability{
		Capability_CAP_EVENTS_SUBSCRIPTION_CREATE,
		Capability_CAP_EVENTS_SUBSCRIPTION_DELETE,
		Capability_CAP_EVENTS_SUBSCRIPTION_UPDATE,

		Capability_CAP_TENANT_CLUSTERS_CREATE,
		Capability_CAP_TENANT_CLUSTERS_UPDATE,
		Capability_CAP_TENANT_CLUSTERS_DELETE,

		Capability_CAP_SIGSTORE_CERTIFICATE_CREATE,
		Capability_CAP_SIGSTORE_CREATE,
		Capability_CAP_SIGSTORE_DELETE,
		Capability_CAP_SIGSTORE_UPDATE,
	}, ViewerCaps...))

	// OwnerCaps is the broadest user-facing set: it embeds EditorCaps and
	// RegistryPushCaps and adds the IAM write capabilities — including
	// CAP_IAM_ROLE_BINDINGS_CREATE, i.e. the ability to grant — plus
	// CAP_GULFSTREAM. It is not literally every Capability value:
	// CAP_TENANT_ATTESTATIONS_LIST and the coarse CAP_REGISTRY_PULL/PUSH
	// values appear in none of the sets in this block — confirm that is
	// intended.
	//
	// The inner append(EditorCaps, RegistryPushCaps...) may write into spare
	// capacity of EditorCaps' backing array, but EditorCaps' visible elements
	// are untouched because the outer append copies everything into the
	// literal's own backing array before sortCaps runs.
	OwnerCaps = sortCaps(append([]Capability{
		Capability_CAP_IAM_ACCOUNT_ASSOCIATIONS_CREATE,
		Capability_CAP_IAM_ACCOUNT_ASSOCIATIONS_DELETE,
		Capability_CAP_IAM_ACCOUNT_ASSOCIATIONS_UPDATE,

		Capability_CAP_IAM_GROUP_INVITES_CREATE,
		Capability_CAP_IAM_GROUP_INVITES_DELETE,

		Capability_CAP_IAM_GROUPS_CREATE,
		Capability_CAP_IAM_GROUPS_DELETE,
		Capability_CAP_IAM_GROUPS_UPDATE,

		Capability_CAP_IAM_POLICY_CREATE,
		Capability_CAP_IAM_POLICY_UPDATE,
		Capability_CAP_IAM_POLICY_DELETE,

		Capability_CAP_IAM_IDENTITY_CREATE,
		Capability_CAP_IAM_IDENTITY_DELETE,
		Capability_CAP_IAM_IDENTITY_UPDATE,

		Capability_CAP_IAM_IDENTITY_PROVIDERS_CREATE,
		Capability_CAP_IAM_IDENTITY_PROVIDERS_DELETE,
		Capability_CAP_IAM_IDENTITY_PROVIDERS_UPDATE,

		Capability_CAP_IAM_ROLE_BINDINGS_CREATE,
		Capability_CAP_IAM_ROLE_BINDINGS_DELETE,
		Capability_CAP_IAM_ROLE_BINDINGS_UPDATE,

		Capability_CAP_IAM_ROLES_CREATE,
		Capability_CAP_IAM_ROLES_DELETE,
		Capability_CAP_IAM_ROLES_UPDATE,

		Capability_CAP_GULFSTREAM,
	}, append(EditorCaps,

		RegistryPushCaps...)...))

	// RegistryPullCaps is the read-side registry set: listing repos,
	// manifests and tags, the signature/SBOM/vulnerability-report listings
	// for those artifacts, and CAP_IAM_GROUPS_LIST. It is embedded by
	// ViewerCaps, RegistryPushCaps and RegistryPullTokenCreatorCaps.
	RegistryPullCaps = sortCaps([]Capability{
		Capability_CAP_IAM_GROUPS_LIST,

		Capability_CAP_REPO_LIST,
		Capability_CAP_MANIFEST_LIST,
		Capability_CAP_TAG_LIST,

		Capability_CAP_TENANT_RECORD_SIGNATURES_LIST,
		Capability_CAP_TENANT_SBOMS_LIST,
		Capability_CAP_TENANT_VULN_REPORTS_LIST,
	})

	// RegistryPushCaps embeds RegistryPullCaps and adds create/update/delete
	// on repos, manifests and tags. Note that CAP_IAM_GROUPS_CREATE — an IAM
	// write — travels with this registry role.
	RegistryPushCaps = sortCaps(append([]Capability{
		Capability_CAP_REPO_CREATE,
		Capability_CAP_REPO_UPDATE,
		Capability_CAP_REPO_DELETE,

		Capability_CAP_MANIFEST_CREATE,
		Capability_CAP_MANIFEST_UPDATE,
		Capability_CAP_MANIFEST_DELETE,

		Capability_CAP_TAG_CREATE,
		Capability_CAP_TAG_UPDATE,
		Capability_CAP_TAG_DELETE,

		Capability_CAP_IAM_GROUPS_CREATE,
	}, RegistryPullCaps...))

	// RegistryPullTokenCreatorCaps embeds RegistryPullCaps and adds
	// CAP_IAM_IDENTITY_CREATE, CAP_IAM_ROLE_BINDINGS_CREATE and
	// CAP_IAM_ROLES_LIST, i.e. the ability to mint identities and bind roles
	// to them. This is a delegation capability: this page does not show
	// whether the service limits which roles such a binding may carry, so
	// treat changes here as privilege-boundary changes and confirm that
	// limit server-side.
	RegistryPullTokenCreatorCaps = sortCaps(append([]Capability{

		Capability_CAP_IAM_ROLE_BINDINGS_CREATE,
		Capability_CAP_IAM_IDENTITY_CREATE,

		Capability_CAP_IAM_ROLES_LIST,
	}, RegistryPullCaps...))

	// SigningViewerCaps is the read-only sigstore set.
	SigningViewerCaps = sortCaps([]Capability{
		Capability_CAP_SIGSTORE_LIST,
	})

	// SigningCertRequesterCaps embeds SigningViewerCaps and adds certificate
	// issuance (CAP_SIGSTORE_CERTIFICATE_CREATE).
	SigningCertRequesterCaps = sortCaps(append([]Capability{
		Capability_CAP_SIGSTORE_CERTIFICATE_CREATE,
	}, SigningViewerCaps...))

	// SigningEditorCaps embeds SigningCertRequesterCaps and adds
	// create/update/delete on sigstore resources.
	SigningEditorCaps = sortCaps(append([]Capability{
		Capability_CAP_SIGSTORE_CREATE,
		Capability_CAP_SIGSTORE_DELETE,
		Capability_CAP_SIGSTORE_UPDATE,
	}, SigningCertRequesterCaps...))
)
// File_capabilities_proto is the protoreflect.FileDescriptor for this
// package's proto file. NOTE(review): presumably populated at init by the
// generated code, which is not shown on this page — confirm before relying
// on it being non-nil early.
var File_capabilities_proto protoreflect.FileDescriptor

Functions

func Bitify

func Bitify(cap Capability) (uint32, error)

func Names

func Names() []string

Names returns the Stringify'd names of all capabilities, excluding UNKNOWN.

func Stringify

func Stringify(cap Capability) (string, error)

func StringifyAll

func StringifyAll(caps []Capability) ([]string, error)

Types

type Capability

// Capability is an enumeration of the Chainguard IAM capabilities.
type Capability int32

Capability is an enumeration of the Chainguard IAM capabilities.

// Capability values. The numbering is grouped by resource family in the
// hundreds, with CREATE/UPDATE/LIST/DELETE at 1..4 of each block; numbers
// absent here (for example 202) are unassigned. Parse and Stringify
// (signatures only on this page) appear to be the string round-trip for
// these values, backed by Capability_name / Capability_value.
const (
	Capability_UNKNOWN                               Capability = 0
	Capability_CAP_IAM_GROUPS_CREATE                 Capability = 101
	Capability_CAP_IAM_GROUPS_UPDATE                 Capability = 102
	Capability_CAP_IAM_GROUPS_LIST                   Capability = 103
	Capability_CAP_IAM_GROUPS_DELETE                 Capability = 104
	Capability_CAP_IAM_GROUP_INVITES_CREATE          Capability = 201
	Capability_CAP_IAM_GROUP_INVITES_LIST            Capability = 203
	Capability_CAP_IAM_GROUP_INVITES_DELETE          Capability = 204
	Capability_CAP_IAM_ROLES_CREATE                  Capability = 301
	Capability_CAP_IAM_ROLES_UPDATE                  Capability = 302
	Capability_CAP_IAM_ROLES_LIST                    Capability = 303
	Capability_CAP_IAM_ROLES_DELETE                  Capability = 304
	Capability_CAP_IAM_ROLE_BINDINGS_CREATE          Capability = 401
	Capability_CAP_IAM_ROLE_BINDINGS_UPDATE          Capability = 402
	Capability_CAP_IAM_ROLE_BINDINGS_LIST            Capability = 403
	Capability_CAP_IAM_ROLE_BINDINGS_DELETE          Capability = 404
	Capability_CAP_TENANT_CLUSTERS_CREATE            Capability = 501
	Capability_CAP_TENANT_CLUSTERS_UPDATE            Capability = 502
	Capability_CAP_TENANT_CLUSTERS_LIST              Capability = 503
	Capability_CAP_TENANT_CLUSTERS_DELETE            Capability = 504
	Capability_CAP_TENANT_CLUSTERS_DISCOVER          Capability = 505
	Capability_CAP_TENANT_RECORDS_LIST               Capability = 603
	Capability_CAP_TENANT_RECORD_CONTEXTS_LIST       Capability = 613
	Capability_CAP_TENANT_RECORD_SIGNATURES_LIST     Capability = 623
	Capability_CAP_TENANT_RECORD_POLICY_RESULTS_LIST Capability = 633
	Capability_CAP_TENANT_RISKS_LIST                 Capability = 640
	Capability_CAP_TENANT_SBOMS_LIST                 Capability = 650
	Capability_CAP_TENANT_VULN_REPORTS_LIST          Capability = 660
	// CAP_TENANT_ATTESTATIONS_LIST is defined here but is not a member of
	// any of the role sets (ViewerCaps, EditorCaps, OwnerCaps, ...) shown on
	// this page — confirm whether it is meant to be part of a role.
	Capability_CAP_TENANT_ATTESTATIONS_LIST          Capability = 670
	Capability_CAP_IAM_ACCOUNT_ASSOCIATIONS_CREATE   Capability = 701
	Capability_CAP_IAM_ACCOUNT_ASSOCIATIONS_UPDATE   Capability = 702
	Capability_CAP_IAM_ACCOUNT_ASSOCIATIONS_LIST     Capability = 703
	Capability_CAP_IAM_ACCOUNT_ASSOCIATIONS_DELETE   Capability = 704
	Capability_CAP_IAM_POLICY_CREATE                 Capability = 801
	Capability_CAP_IAM_POLICY_UPDATE                 Capability = 802
	Capability_CAP_IAM_POLICY_LIST                   Capability = 803
	Capability_CAP_IAM_POLICY_DELETE                 Capability = 804
	Capability_CAP_IAM_IDENTITY_CREATE               Capability = 901
	Capability_CAP_IAM_IDENTITY_UPDATE               Capability = 902
	Capability_CAP_IAM_IDENTITY_LIST                 Capability = 903
	Capability_CAP_IAM_IDENTITY_DELETE               Capability = 904
	Capability_CAP_TENANT_NODES_LIST                 Capability = 1003
	Capability_CAP_TENANT_NAMESPACES_LIST            Capability = 1103
	Capability_CAP_TENANT_WORKLOADS_LIST             Capability = 1203
	Capability_CAP_IAM_IDENTITY_PROVIDERS_CREATE     Capability = 1301
	Capability_CAP_IAM_IDENTITY_PROVIDERS_UPDATE     Capability = 1302
	Capability_CAP_IAM_IDENTITY_PROVIDERS_LIST       Capability = 1303
	Capability_CAP_IAM_IDENTITY_PROVIDERS_DELETE     Capability = 1304
	Capability_CAP_EVENTS_SUBSCRIPTION_CREATE        Capability = 1501
	Capability_CAP_EVENTS_SUBSCRIPTION_UPDATE        Capability = 1502
	Capability_CAP_EVENTS_SUBSCRIPTION_LIST          Capability = 1503
	Capability_CAP_EVENTS_SUBSCRIPTION_DELETE        Capability = 1504
	// TODO(jason): Remove these coarse-grained capabilities after they're removed from the roles.
	// Until then they remain valid enum values that Parse/Stringify accept,
	// even though none of the role sets on this page include them.
	Capability_CAP_REGISTRY_PULL               Capability = 1601 // Can read tags, blobs, manifests.
	Capability_CAP_REGISTRY_PUSH               Capability = 1602 // Can create and update tags, blobs, manifests.
	Capability_CAP_REPO_CREATE                 Capability = 1603
	Capability_CAP_REPO_UPDATE                 Capability = 1604
	Capability_CAP_REPO_LIST                   Capability = 1605
	Capability_CAP_REPO_DELETE                 Capability = 1606
	Capability_CAP_MANIFEST_CREATE             Capability = 1607
	Capability_CAP_MANIFEST_UPDATE             Capability = 1608
	Capability_CAP_MANIFEST_LIST               Capability = 1609
	Capability_CAP_MANIFEST_DELETE             Capability = 1610
	Capability_CAP_TAG_CREATE                  Capability = 1611
	Capability_CAP_TAG_UPDATE                  Capability = 1612
	Capability_CAP_TAG_LIST                    Capability = 1613
	Capability_CAP_TAG_DELETE                  Capability = 1614
	Capability_CAP_SIGSTORE_CREATE             Capability = 1701
	Capability_CAP_SIGSTORE_UPDATE             Capability = 1702
	Capability_CAP_SIGSTORE_LIST               Capability = 1703
	Capability_CAP_SIGSTORE_DELETE             Capability = 1704
	Capability_CAP_SIGSTORE_CERTIFICATE_CREATE Capability = 1705
	// This is orthogonal enough that we should leave
	// it somewhat separate, so add new capabilities above.
	// TODO(mattmoor): Think about whether we can encode specific
	// controller capabilities into our access control here?
	// e.g. could each logical controller/webhook be its own
	// capability?
	Capability_CAP_GULFSTREAM Capability = 10000
)

func Parse

func Parse(name string) (Capability, error)

func (Capability) Descriptor

func (Capability) Descriptor() protoreflect.EnumDescriptor

func (Capability) Enum

func (x Capability) Enum() *Capability

func (Capability) EnumDescriptor deprecated

func (Capability) EnumDescriptor() ([]byte, []int)

Deprecated: Use Capability.Descriptor instead.

func (Capability) Number

func (x Capability) Number() protoreflect.EnumNumber

func (Capability) String

func (x Capability) String() string

func (Capability) Type

type Set

// Set performs efficient encoding of a list of capabilities. It implements
// json.Marshaler and json.Unmarshaler (see MarshalJSON / UnmarshalJSON);
// the encoding itself is not shown on this page.
type Set []Capability

Set performs efficient encoding of a list of capabilities.

func (Set) MarshalJSON

func (s Set) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Marshaler.

func (Set) String

func (s Set) String() string

func (*Set) UnmarshalJSON

func (s *Set) UnmarshalJSON(b []byte) error

UnmarshalJSON implements json.Unmarshaler.
