helpers

package
Published: Dec 4, 2023 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func APIResourcesToExpandedRules

func APIResourcesToExpandedRules(resourceLists []*metav1.APIResourceList) []v1.PolicyRule

APIResourcesToExpandedRules converts a list of APIResourceLists into a list of PolicyRules in which every verb is allowed on every discovered resource

func ApplyDenyRulesToExpandedRuleset

func ApplyDenyRulesToExpandedRuleset(fullRuleSet []v1.PolicyRule, denyRules []v1.PolicyRule) []v1.PolicyRule

ApplyDenyRulesToExpandedRuleset takes in an expanded ruleset (see func `ExpandPolicyRules`) and removes anything matching the deny rules

func BuildPolicyRules

func BuildPolicyRules(client client.Client, cache ResourceCache, roleType RoleType, forNamespace string, inherit *[]v1alpha1.InheritedRole, allow *[]v1.PolicyRule, deny *[]v1.PolicyRule) (*[]v1.PolicyRule, error)

BuildPolicyRules takes the inherited roles, an allow list, and a deny list, and processes them into a single list of policy rules

func CreateOrUpdateClusterRole

func CreateOrUpdateClusterRole(role *v1.ClusterRole, c client.Client) (err error)

CreateOrUpdateClusterRole ensures that a ClusterRole exists in the cluster in the specified state, creating it if it is missing or updating it if it differs

func CreateOrUpdateRole

func CreateOrUpdateRole(role *v1.Role, c client.Client) (err error)

CreateOrUpdateRole ensures that a Role exists in the cluster in the specified state, creating it if it is missing or updating it if it differs

func DiscoverClusterResources

func DiscoverClusterResources(config *rest.Config) (apiGroupList []*metav1.APIGroup, apiResourceList []*metav1.APIResourceList, err error)

DiscoverClusterResources returns the API groups and resources known to this API server

func EnumeratePolicyRules

func EnumeratePolicyRules(inputRules []v1.PolicyRule, cache *ResourceCache) ([]v1.PolicyRule, error)

EnumeratePolicyRules takes a list of rules that may contain wildcards and returns a list of policy rules with the matching resources explicitly enumerated, using the ResourceCache to resolve the wildcards

func ExpandPolicyRules

func ExpandPolicyRules(inputRules []v1.PolicyRule) []v1.PolicyRule

ExpandPolicyRules splits rules so that multiple resources sharing the same verbs are no longer grouped in one rule definition, which makes it possible to remove individual verbs later

func MergeExpandedPolicyRules

func MergeExpandedPolicyRules(first []v1.PolicyRule, second []v1.PolicyRule) []v1.PolicyRule

MergeExpandedPolicyRules takes two expanded rulesets (see func `ExpandPolicyRules`) and returns one merged expanded ruleset

func StripNonResourceURLs

func StripNonResourceURLs(rules []v1.PolicyRule) []v1.PolicyRule

StripNonResourceURLs takes a list of PolicyRules that may specify NonResourceURLs and returns the same list without any NonResourceURLs
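The expand, deny and merge steps described for `ExpandPolicyRules`, `ApplyDenyRulesToExpandedRuleset` and `MergeExpandedPolicyRules` are easier to reason about with a concrete run. The following is an added example, not the package's own code: it reimplements the same idea over a local `PolicyRule` stand-in (only `APIGroups`, `Resources`, `Verbs`; the real type is `rbacv1.PolicyRule`) so it runs without the Kubernetes libraries, and its behaviour on wildcards is an assumption about the design rather than something this page states. It also shows why `EnumeratePolicyRules` matters: a deny can only subtract from an allow that has been expanded to literal triples, so an un-enumerated `*` in the allow set silently escapes the deny.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule is a local stand-in for rbacv1.PolicyRule (assumption: only these
// three fields are needed to demonstrate the expand/deny/merge logic).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// expandPolicyRules flattens every rule into one (group, resource, verb) triple per
// rule and drops duplicates. Once rules are this granular, a single verb on a single
// resource can be removed without touching its neighbours.
func expandPolicyRules(in []PolicyRule) []PolicyRule {
	var out []PolicyRule
	seen := map[string]bool{}
	for _, r := range in {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					key := g + "/" + res + "/" + v
					if seen[key] {
						continue
					}
					seen[key] = true
					out = append(out, PolicyRule{APIGroups: []string{g}, Resources: []string{res}, Verbs: []string{v}})
				}
			}
		}
	}
	return out
}

// mergeExpandedPolicyRules unions two expanded rulesets without duplicates.
func mergeExpandedPolicyRules(first, second []PolicyRule) []PolicyRule {
	return expandPolicyRules(append(append([]PolicyRule{}, first...), second...))
}

// covers reports whether any pattern in a deny rule matches the value; "*" in a
// deny rule matches everything in that position (assumption about deny semantics).
func covers(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == "*" || p == value {
			return true
		}
	}
	return false
}

// applyDenyRulesToExpandedRuleset removes every expanded triple that a deny rule
// covers. Allow triples that still contain a literal "*" are compared literally, so
// they are NOT removed by a deny on a concrete resource or verb.
func applyDenyRulesToExpandedRuleset(full, deny []PolicyRule) []PolicyRule {
	var out []PolicyRule
	for _, r := range full {
		denied := false
		for _, d := range deny {
			if covers(d.APIGroups, r.APIGroups[0]) && covers(d.Resources, r.Resources[0]) && covers(d.Verbs, r.Verbs[0]) {
				denied = true
				break
			}
		}
		if !denied {
			out = append(out, r)
		}
	}
	return out
}

// hasUnenumeratedWildcards is the check a caller wants before trusting a deny:
// any "*" left in the allow set means the deny could not have subtracted from it.
func hasUnenumeratedWildcards(rules []PolicyRule) bool {
	for _, r := range rules {
		if r.APIGroups[0] == "*" || r.Resources[0] == "*" || r.Verbs[0] == "*" {
			return true
		}
	}
	return false
}

// effectiveVerbs lists, sorted, the verbs that remain on one resource.
func effectiveVerbs(rules []PolicyRule, group, resource string) []string {
	var verbs []string
	for _, r := range rules {
		if r.APIGroups[0] == group && r.Resources[0] == resource {
			verbs = append(verbs, r.Verbs[0])
		}
	}
	sort.Strings(verbs)
	return verbs
}

func main() {
	// Constructed sample: allow get/list/delete on pods and secrets, then deny
	// everything on secrets and only delete on pods.
	allow := expandPolicyRules([]PolicyRule{{APIGroups: []string{""}, Resources: []string{"pods", "secrets"}, Verbs: []string{"get", "list", "delete"}}})
	deny := []PolicyRule{
		{APIGroups: []string{"*"}, Resources: []string{"secrets"}, Verbs: []string{"*"}},
		{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"delete"}},
	}
	effective := applyDenyRulesToExpandedRuleset(allow, deny)
	fmt.Println("pods:", effectiveVerbs(effective, "", "pods"), "secrets:", effectiveVerbs(effective, "", "secrets"))

	// Edge case: an allow that was never enumerated keeps its "*" and the deny misses it.
	wild := expandPolicyRules([]PolicyRule{{APIGroups: []string{""}, Resources: []string{"*"}, Verbs: []string{"get"}}})
	fmt.Println("wildcard survives deny:", len(applyDenyRulesToExpandedRuleset(wild, deny)) == 1, "needs enumeration:", hasUnenumeratedWildcards(wild))
}
```

The practical takeaway is the order of operations the package's function set implies: enumerate wildcards against the cluster's discovered resources first, expand, then subtract the deny rules, and only then merge inherited rulesets; subtracting before enumeration leaves the deny with nothing literal to match.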

Types

type ResourceCache

type ResourceCache struct {
	CRDs                map[string]string
	AllPolicies         *[]rbacv1.PolicyRule
	WatchedRoles        map[types.NamespacedName]bool
	WatchedClusterRoles map[types.NamespacedName]bool
}

ResourceCache holds information about the kube cluster state and its policies so that it doesn't need to be queried for every reconciliation.

func GetCacheInstance

func GetCacheInstance() *ResourceCache

GetCacheInstance returns or instantiates a ResourceCache

type RoleType

type RoleType int
const (
	Role RoleType = iota
	ClusterRole
)
