- func APIResourcesToExpandedRules(resourceLists []*metav1.APIResourceList) []v1.PolicyRule
- func ApplyDenyRulesToExpandedRuleset(fullRuleSet []v1.PolicyRule, denyRules []v1.PolicyRule) []v1.PolicyRule
- func BuildPolicyRules(client client.Client, cache ResourceCache, roleType RoleType, ...) (*[]v1.PolicyRule, error)
- func CreateOrUpdateClusterRole(role *v1.ClusterRole, c client.Client) (err error)
- func CreateOrUpdateRole(role *v1.Role, c client.Client) (err error)
- func DiscoverClusterResources(config *rest.Config) (apiGroupList []*metav1.APIGroup, apiResourceList []*metav1.APIResourceList, ...)
- func EnumeratePolicyRules(inputRules []v1.PolicyRule, cache *ResourceCache) ([]v1.PolicyRule, error)
- func ExpandPolicyRules(inputRules []v1.PolicyRule) []v1.PolicyRule
- func MergeExpandedPolicyRules(first []v1.PolicyRule, second []v1.PolicyRule) []v1.PolicyRule
- func StripNonResourceURLs(rules []v1.PolicyRule) []v1.PolicyRule
- type ResourceCache
- type RoleType
Functions ¶
func APIResourcesToExpandedRules ¶
func APIResourcesToExpandedRules(resourceLists []*metav1.APIResourceList) []v1.PolicyRule
APIResourcesToExpandedRules converts a set of APIResourceLists into a list of PolicyRules in which every verb is allowed for each discovered resource.
func ApplyDenyRulesToExpandedRuleset ¶
func ApplyDenyRulesToExpandedRuleset(fullRuleSet []v1.PolicyRule, denyRules []v1.PolicyRule) []v1.PolicyRule
ApplyDenyRulesToExpandedRuleset takes an expanded ruleset (see func `ExpandPolicyRules`) and removes every rule that matches one of the deny rules. Because matching is done against the expanded ruleset, allow rules that still contain wildcards should be enumerated first (see func `EnumeratePolicyRules`) so that a deny can actually subtract from them; confirm this ordering against the implementation.
func BuildPolicyRules ¶
func BuildPolicyRules(client client.Client, cache ResourceCache, roleType RoleType, forNamespace string, inherit *[]v1alpha1.InheritedRole, allow *[]v1.PolicyRule, deny *[]v1.PolicyRule) (*[]v1.PolicyRule, error)
BuildPolicyRules takes an inherited role, an allow list, and a deny list, and processes them into a single list of policy rules.
func CreateOrUpdateClusterRole ¶
func CreateOrUpdateClusterRole(role *v1.ClusterRole, c client.Client) (err error)
CreateOrUpdateClusterRole ensures that a ClusterRole exists in the cluster in the specified state, creating it if it is absent or updating it if it differs.
func CreateOrUpdateRole ¶
func CreateOrUpdateRole(role *v1.Role, c client.Client) (err error)
CreateOrUpdateRole ensures that a Role exists in the cluster in the specified state, creating it if it is absent or updating it if it differs.
func DiscoverClusterResources ¶
func DiscoverClusterResources(config *rest.Config) (apiGroupList []*metav1.APIGroup, apiResourceList []*metav1.APIResourceList, err error)
DiscoverClusterResources returns the API groups and resources known to this API server.
func EnumeratePolicyRules ¶
func EnumeratePolicyRules(inputRules []v1.PolicyRule, cache *ResourceCache) ([]v1.PolicyRule, error)
EnumeratePolicyRules takes a list of rules that may contain wildcards and returns a list of policy rules in which the resources are explicitly enumerated.
func ExpandPolicyRules ¶
func ExpandPolicyRules(inputRules []v1.PolicyRule) []v1.PolicyRule
ExpandPolicyRules ensures that multiple resources sharing the same verbs are not grouped together in a single rule definition; keeping one resource per rule makes it easier to edit individual verbs later.
func MergeExpandedPolicyRules ¶
func MergeExpandedPolicyRules(first []v1.PolicyRule, second []v1.PolicyRule) []v1.PolicyRule
MergeExpandedPolicyRules takes two expanded rulesets (see func `ExpandPolicyRules`) and returns one merged expanded ruleset
func StripNonResourceURLs ¶
func StripNonResourceURLs(rules []v1.PolicyRule) []v1.PolicyRule
StripNonResourceURLs takes a list of PolicyRules that may specify NonResourceURLs and returns the same list with all NonResourceURLs removed.
Types ¶
type ResourceCache ¶
type ResourceCache struct { CRDs map[string]string AllPolicies *[]rbacv1.PolicyRule WatchedRoles map[types.NamespacedName]bool WatchedClusterRoles map[types.NamespacedName]bool }
ResourceCache holds information about the kube cluster state and its policies so that the cluster does not need to be queried on every reconciliation. Because the cache is reused across reconciliations, its contents may lag behind the live cluster state; how and when it is refreshed is not described here.
func GetCacheInstance ¶
func GetCacheInstance() *ResourceCache
GetCacheInstance returns the existing ResourceCache instance, instantiating it if none exists yet.