Documentation
¶
Index ¶
- func APIGroupMatches(rule *rbacv1.PolicyRule, requestedGroup string) bool
- func NewTestRuleResolver(roles []*rbacv1.Role, roleBindings []*rbacv1.RoleBinding, ...) (AuthorizationRuleResolver, *StaticRoles)
- func NonResourceURLMatches(rule *rbacv1.PolicyRule, requestedURL string) bool
- func ResourceMatches(rule *rbacv1.PolicyRule, ...) bool
- func ResourceNameMatches(rule *rbacv1.PolicyRule, requestedName string) bool
- func RoleRefGroupKind(roleRef rbacv1.RoleRef) schema.GroupKind
- func RuleAllows(requestAttributes authorizer.Attributes, rule *rbacv1.PolicyRule) bool
- func RulesAllow(requestAttributes authorizer.Attributes, rules ...rbacv1.PolicyRule) bool
- func SubjectsStrings(subjects []rbacv1.Subject) ([]string, []string, []string, []string)
- func VerbMatches(rule *rbacv1.PolicyRule, requestedVerb string) bool
- type AuthorizationRuleResolver
- type ClusterRoleBindingLister
- type ClusterRoleGetter
- type DefaultRuleResolver
- func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error)
- func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)
- func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, ...)
- type RoleBindingLister
- type RoleGetter
- type RoleToRuleMapper
- type StaticRoles
- func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
- func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)
- func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
- func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
- type SubjectAccessEvaluator
- type SubjectLocator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func APIGroupMatches ¶
func APIGroupMatches(rule *rbacv1.PolicyRule, requestedGroup string) bool
func NewTestRuleResolver ¶
func NewTestRuleResolver(roles []*rbacv1.Role, roleBindings []*rbacv1.RoleBinding, clusterRoles []*rbacv1.ClusterRole, clusterRoleBindings []*rbacv1.ClusterRoleBinding) (AuthorizationRuleResolver, *StaticRoles)
NewTestRuleResolver returns a rule resolver from lists of role objects.
func NonResourceURLMatches ¶
func NonResourceURLMatches(rule *rbacv1.PolicyRule, requestedURL string) bool
func ResourceMatches ¶
func ResourceMatches(rule *rbacv1.PolicyRule, combinedRequestedResource, requestedSubresource string) bool
func ResourceNameMatches ¶
func ResourceNameMatches(rule *rbacv1.PolicyRule, requestedName string) bool
func RuleAllows ¶
func RuleAllows(requestAttributes authorizer.Attributes, rule *rbacv1.PolicyRule) bool
func RulesAllow ¶
func RulesAllow(requestAttributes authorizer.Attributes, rules ...rbacv1.PolicyRule) bool
func SubjectsStrings ¶
SubjectsStrings returns four string slices (users, groups, service accounts, and unknown subjects) for display purposes.
func VerbMatches ¶
func VerbMatches(rule *rbacv1.PolicyRule, requestedVerb string) bool
Types ¶
type AuthorizationRuleResolver ¶
// AuthorizationRuleResolver resolves the RBAC policy rules that apply either to
// a role reference or to a user in a namespace.
type AuthorizationRuleResolver interface {
	// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namespace
	// of the role binding, the empty string if a cluster role binding.
	GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

	// RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of
	// PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations
	// can be made on the basis of those rules that are found.
	//
	// Because the rules are additive, a partial slice can only leave permissions out; every rule it does contain still applies.
	// A caller that needs the complete set (for example, to compare what two users can do) must check the error rather than
	// treat the returned slice as exhaustive.
	RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

	// VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules.
	// If visitor() returns false, visiting is short-circuited.
	VisitRulesFor(user user.Info, namespace string, visitor func(rule *rbacv1.PolicyRule, err error) bool)
}
type ClusterRoleBindingLister ¶
// ClusterRoleBindingLister supplies ClusterRoleBindings. It is one of the four
// role and binding sources accepted by NewDefaultRuleResolver and
// NewSubjectAccessEvaluator.
type ClusterRoleBindingLister interface {
	// ListClusterRoleBindings takes no namespace argument and returns the
	// bindings together with any error from the lookup.
	ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
}
type ClusterRoleGetter ¶
// ClusterRoleGetter looks up a single ClusterRole by name. It is one of the
// four role and binding sources accepted by NewDefaultRuleResolver and
// NewSubjectAccessEvaluator.
type ClusterRoleGetter interface {
	// GetClusterRole returns the ClusterRole with the given name, or an error.
	GetClusterRole(name string) (*rbacv1.ClusterRole, error)
}
type DefaultRuleResolver ¶
// DefaultRuleResolver is built by NewDefaultRuleResolver from a RoleGetter, a
// RoleBindingLister, a ClusterRoleGetter and a ClusterRoleBindingLister. Its
// methods (GetRoleReferenceRules, RulesFor, VisitRulesFor) have the signatures
// required by AuthorizationRuleResolver.
type DefaultRuleResolver struct {
	// contains filtered or unexported fields
}
func NewDefaultRuleResolver ¶
func NewDefaultRuleResolver(roleGetter RoleGetter, roleBindingLister RoleBindingLister, clusterRoleGetter ClusterRoleGetter, clusterRoleBindingLister ClusterRoleBindingLister) *DefaultRuleResolver
func (*DefaultRuleResolver) GetRoleReferenceRules ¶
func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error)
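GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. bindingNamespace should be the namespace of the role binding, or the empty string for a cluster role binding.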
func (*DefaultRuleResolver) RulesFor ¶
func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)
func (*DefaultRuleResolver) VisitRulesFor ¶
func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(rule *rbacv1.PolicyRule, err error) bool)
type RoleBindingLister ¶
// RoleBindingLister supplies the RoleBindings of a namespace. It is one of the
// four role and binding sources accepted by NewDefaultRuleResolver and
// NewSubjectAccessEvaluator.
type RoleBindingLister interface {
	// ListRoleBindings returns the RoleBindings for the given namespace, or an error.
	ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
}
type RoleGetter ¶
type RoleToRuleMapper ¶
// RoleToRuleMapper maps a role reference to the policy rules of the role it
// names. Its single method has the same signature as
// AuthorizationRuleResolver.GetRoleReferenceRules.
type RoleToRuleMapper interface {
	// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namespace
	// of the role binding, the empty string if a cluster role binding.
	GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
}
type StaticRoles ¶
// StaticRoles holds lists of role objects and is returned by
// NewTestRuleResolver alongside the resolver. Its methods (GetRole,
// GetClusterRole, ListRoleBindings, ListClusterRoleBindings) match the
// ClusterRoleGetter, RoleBindingLister and ClusterRoleBindingLister
// signatures; GetRole presumably matches RoleGetter, whose declaration is not
// shown on this page.
// NOTE(review): the constructor name suggests test use; confirm before relying
// on this type outside tests.
type StaticRoles struct {
	// contains filtered or unexported fields
}
StaticRoles is a rule resolver that resolves from lists of role objects.
func (*StaticRoles) GetClusterRole ¶
func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
func (*StaticRoles) GetRole ¶
func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)
func (*StaticRoles) ListClusterRoleBindings ¶
func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
func (*StaticRoles) ListRoleBindings ¶
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
type SubjectAccessEvaluator ¶
// SubjectAccessEvaluator is built by NewSubjectAccessEvaluator from the four
// role and binding sources plus a superUser name. Its AllowedSubjects method
// has the signature required by SubjectLocator.
// NOTE(review): how superUser affects the returned subjects is not shown on
// this page; confirm in the implementation before using AllowedSubjects for
// access reviews.
type SubjectAccessEvaluator struct {
	// contains filtered or unexported fields
}
func NewSubjectAccessEvaluator ¶
func NewSubjectAccessEvaluator(roles RoleGetter, roleBindings RoleBindingLister, clusterRoles ClusterRoleGetter, clusterRoleBindings ClusterRoleBindingLister, superUser string) *SubjectAccessEvaluator
func (*SubjectAccessEvaluator) AllowedSubjects ¶
func (r *SubjectAccessEvaluator) AllowedSubjects(requestAttributes authorizer.Attributes) ([]rbacv1.Subject, error)
AllowedSubjects returns the subjects that can perform an action and any errors encountered while computing the list. It is possible to have both subjects and errors returned if some rolebindings couldn't be resolved, but others could be.
type SubjectLocator ¶
// SubjectLocator reports which subjects may perform the action described by a
// set of request attributes. *SubjectAccessEvaluator has a method with this
// signature.
type SubjectLocator interface {
	// AllowedSubjects returns the subjects allowed for the given attributes.
	// The SubjectAccessEvaluator implementation documents that subjects and an
	// error can be returned together when only some role bindings resolve, so
	// check the error before treating the list as complete.
	AllowedSubjects(attributes authorizer.Attributes) ([]rbacv1.Subject, error)
}