Package v1alpha1, version v0.0.10

Note: this version of the package is not the latest version of its module.

Published: Mar 13, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package v1alpha1 contains API Schema definitions for the validation v1alpha1 API group.

+kubebuilder:object:generate=true
+groupName=validation.spectrocloud.labs

Index

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "validation.spectrocloud.labs", Version: "v1alpha1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type ActionStr added in v0.0.5

type ActionStr string

ActionStr is a type used for Action strings and DataAction strings. The alias exists to enable kubebuilder max string length validation for arrays of these.

+kubebuilder:validation:MaxLength=200

type AzureAuth

type AzureAuth struct {
	// If true, the AzureValidator will use the Azure SDK's default credential chain to authenticate.
	// Set to true if using WorkloadIdentityCredentials.
	Implicit bool `json:"implicit" yaml:"implicit"`
	// Name of a Secret in the same namespace as the AzureValidator that contains Azure credentials.
	// The secret data's keys and values are expected to align with valid Azure environment variable credentials,
	// per the options defined in https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables.
	SecretName string `json:"secretName,omitempty" yaml:"secretName,omitempty"`
}

func (*AzureAuth) DeepCopy

func (in *AzureAuth) DeepCopy() *AzureAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureAuth.

func (*AzureAuth) DeepCopyInto

func (in *AzureAuth) DeepCopyInto(out *AzureAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AzureValidator

type AzureValidator struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   AzureValidatorSpec   `json:"spec,omitempty"`
	Status AzureValidatorStatus `json:"status,omitempty"`
}

AzureValidator is the Schema for the azurevalidators API.

func (*AzureValidator) DeepCopy

func (in *AzureValidator) DeepCopy() *AzureValidator

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidator.

func (*AzureValidator) DeepCopyInto

func (in *AzureValidator) DeepCopyInto(out *AzureValidator)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AzureValidator) DeepCopyObject

func (in *AzureValidator) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AzureValidatorList

type AzureValidatorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AzureValidator `json:"items"`
}

AzureValidatorList contains a list of AzureValidator.

func (*AzureValidatorList) DeepCopy

func (in *AzureValidatorList) DeepCopy() *AzureValidatorList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorList.

func (*AzureValidatorList) DeepCopyInto

func (in *AzureValidatorList) DeepCopyInto(out *AzureValidatorList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AzureValidatorList) DeepCopyObject

func (in *AzureValidatorList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AzureValidatorSpec

type AzureValidatorSpec struct {
	// Rules for validating that the correct role assignments have been created in Azure RBAC to
	// provide needed permissions.
	// +kubebuilder:validation:MaxItems=5
	// +kubebuilder:validation:XValidation:message="RBACRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
	RBACRules []RBACRule `json:"rbacRules" yaml:"rbacRules"`
	Auth      AzureAuth  `json:"auth" yaml:"auth"`
}

AzureValidatorSpec defines the desired state of AzureValidator.
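The kubebuilder markers on AzureValidatorSpec, RBACRule and PermissionSet (MaxItems, MinItems, the unique-name rule, the "no wildcards" rules and the "Actions, DataActions, or both" rule) are enforced by the API server as CEL validation when a manifest is admitted. The following Go program is an added example, not code from the validator plugin, that re-implements the same constraints client-side so a spec can be checked before it is applied. The type definitions mirror the page's types with the same JSON tags; ValidateSpec, ValidateJSON and the sampleSpec document (with placeholder subscription and principal IDs) are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Mirrors of the page's AzureValidatorSpec, AzureAuth, RBACRule and PermissionSet (JSON tags kept, markers omitted).
type ActionStr string

type PermissionSet struct {
	Actions     []ActionStr `json:"actions,omitempty"`
	DataActions []ActionStr `json:"dataActions,omitempty"`
	Scope       string      `json:"scope"`
}

type RBACRule struct {
	Name        string          `json:"name"`
	Permissions []PermissionSet `json:"permissionSets"`
	PrincipalID string          `json:"principalId"`
}

type AzureAuth struct {
	Implicit   bool   `json:"implicit"`
	SecretName string `json:"secretName,omitempty"`
}

type AzureValidatorSpec struct {
	RBACRules []RBACRule `json:"rbacRules"`
	Auth      AzureAuth  `json:"auth"`
}

// ValidateSpec re-implements in plain Go the item limits and CEL rules that the kubebuilder
// markers on this page attach to the spec. It returns one message per violation.
func ValidateSpec(s AzureValidatorSpec) []string {
	var errs []string
	if len(s.RBACRules) > 5 {
		errs = append(errs, fmt.Sprintf("rbacRules: at most 5 items, got %d", len(s.RBACRules)))
	}
	seen := map[string]bool{}
	for i, r := range s.RBACRules {
		if seen[r.Name] {
			errs = append(errs, fmt.Sprintf("rbacRules[%d]: duplicate name %q; RBACRules must have unique names", i, r.Name))
		}
		seen[r.Name] = true
		if n := len(r.Permissions); n < 1 || n > 20 {
			errs = append(errs, fmt.Sprintf("rbacRules[%d].permissionSets: need 1 to 20 items, got %d", i, n))
		}
		for j, ps := range r.Permissions {
			if len(ps.Actions) == 0 && len(ps.DataActions) == 0 {
				errs = append(errs, fmt.Sprintf("rbacRules[%d].permissionSets[%d]: actions, dataActions, or both must be set", i, j))
			}
			for _, list := range [][]ActionStr{ps.Actions, ps.DataActions} {
				if len(list) > 1000 {
					errs = append(errs, fmt.Sprintf("rbacRules[%d].permissionSets[%d]: at most 1000 items per list", i, j))
				}
				for _, a := range list {
					if strings.Contains(string(a), "*") {
						errs = append(errs, fmt.Sprintf("rbacRules[%d].permissionSets[%d]: %q contains a wildcard", i, j, a))
					} else if len(a) > 200 {
						errs = append(errs, fmt.Sprintf("rbacRules[%d].permissionSets[%d]: %q exceeds 200 characters", i, j, a))
					}
				}
			}
		}
	}
	return errs
}

// ValidateJSON decodes the spec object of an AzureValidator manifest (as JSON) and validates it.
func ValidateJSON(doc string) ([]string, error) {
	var s AzureValidatorSpec
	if err := json.Unmarshal([]byte(doc), &s); err != nil {
		return nil, err
	}
	return ValidateSpec(s), nil
}

// Constructed sample spec with placeholder IDs. It breaks two rules on purpose:
// both entries share a name, and the second uses a wildcard action.
const sampleSpec = `{"auth": {"implicit": true},
  "rbacRules": [
    {"name": "vm-operator", "principalId": "11111111-1111-1111-1111-111111111111",
     "permissionSets": [{"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app",
                         "actions": ["Microsoft.Compute/virtualMachines/read"]}]},
    {"name": "vm-operator", "principalId": "22222222-2222-2222-2222-222222222222",
     "permissionSets": [{"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
                         "actions": ["Microsoft.Compute/*"]}]}
  ]
}`

func main() {
	errs, err := ValidateJSON(sampleSpec)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(errs, "\n"))
}
```

Running the program reports the duplicate rule name and the wildcard action. The wildcard rule matters for the validator's guarantee: a required action such as `Microsoft.Compute/*` would match far more than the caller intends, so the check refuses it and forces each required action to be spelled out.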

func (*AzureValidatorSpec) DeepCopy

func (in *AzureValidatorSpec) DeepCopy() *AzureValidatorSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorSpec.

func (*AzureValidatorSpec) DeepCopyInto

func (in *AzureValidatorSpec) DeepCopyInto(out *AzureValidatorSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (AzureValidatorSpec) ResultCount

func (s AzureValidatorSpec) ResultCount() int

type AzureValidatorStatus

type AzureValidatorStatus struct{}

AzureValidatorStatus defines the observed state of AzureValidator.

func (*AzureValidatorStatus) DeepCopy

func (in *AzureValidatorStatus) DeepCopy() *AzureValidatorStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorStatus.

func (*AzureValidatorStatus) DeepCopyInto

func (in *AzureValidatorStatus) DeepCopyInto(out *AzureValidatorStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PermissionSet added in v0.0.3

type PermissionSet struct {
	// If provided, the actions that the role must be able to perform. Must not contain any
	// wildcards. If not specified, the role is assumed to already be able to perform all required
	// actions.
	//+kubebuilder:validation:MaxItems=1000
	//+kubebuilder:validation:XValidation:message="Actions cannot have wildcards.",rule="self.all(item, !item.contains('*'))"
	Actions []ActionStr `json:"actions,omitempty" yaml:"actions,omitempty"`
	// If provided, the data actions that the role must be able to perform. Must not contain any
	// wildcards. If not provided, the role is assumed to already be able to perform all required
	// data actions.
	//+kubebuilder:validation:MaxItems=1000
	//+kubebuilder:validation:XValidation:message="DataActions cannot have wildcards.",rule="self.all(item, !item.contains('*'))"
	DataActions []ActionStr `json:"dataActions,omitempty" yaml:"dataActions,omitempty"`
	// The minimum scope of the role. Role assignments found at higher level scopes will satisfy
	// this. For example, a role assignment found with subscription scope will satisfy a permission
	// set where the role scope specified is a resource group within that subscription.
	Scope string `json:"scope" yaml:"scope"`
}

Conveys that the security principal should be the member of a role assignment that provides the specified role for the specified scope. Scope can be either subscription, resource group, or resource.

func (*PermissionSet) DeepCopy added in v0.0.3

func (in *PermissionSet) DeepCopy() *PermissionSet

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionSet.

func (*PermissionSet) DeepCopyInto added in v0.0.3

func (in *PermissionSet) DeepCopyInto(out *PermissionSet)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RBACRule added in v0.0.3

type RBACRule struct {
	// Unique identifier for the rule in the validator. Used to ensure conditions do not overwrite
	// each other.
	Name string `json:"name" yaml:"name"`
	// The permissions that the principal must have. If the principal has permissions less than
	// this, validation will fail. If the principal has permissions equal to or more than this
	// (e.g., inherited permissions from higher level scope, more roles than needed) validation
	// will pass.
	//+kubebuilder:validation:MinItems=1
	//+kubebuilder:validation:MaxItems=20
	//+kubebuilder:validation:XValidation:message="Each permission set must have Actions, DataActions, or both defined",rule="self.all(item, size(item.actions) > 0 || size(item.dataActions) > 0)"
	Permissions []PermissionSet `json:"permissionSets" yaml:"permissionSets"`
	// The principal being validated. This can be any type of principal - Device, ForeignGroup,
	// Group, ServicePrincipal, or User.
	PrincipalID string `json:"principalId" yaml:"principalId"`
}

Conveys that a specified security principal (aka principal) should have the specified permissions, via roles. It doesn't matter which roles provide the permissions as long as enough role assignments exist that the principal has all of the permissions and no deny assignments exist that deny the permissions.
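The two descriptions above (PermissionSet's scope inheritance and RBACRule's "enough role assignments, no deny assignments" semantics) can be pinned down with a small model. The following Go program is an added example, not the plugin's own implementation, which queries Azure and may differ in detail. ActionStr, PermissionSet and RBACRule mirror the page's types; the Assignment type, the scopeCovers, actionMatches, firstCovering and EvaluateRule functions, and the sampleInputs data (placeholder IDs) are constructed for this example. Matching granted actions with only a trailing `*` wildcard is a simplification of Azure's role-definition semantics and is stated as an assumption in the code.

```go
package main

import (
	"fmt"
	"strings"
)

// ActionStr, PermissionSet and RBACRule mirror the page's types (tags and markers omitted).
// Assignment is a constructed model of an Azure role or deny assignment, not a page or SDK type.
type (
	ActionStr     string
	PermissionSet struct {
		Actions, DataActions []ActionStr
		Scope                string
	}
	RBACRule struct {
		Name, PrincipalID string
		Permissions       []PermissionSet
	}
	Assignment struct {
		PrincipalID, Scope   string
		Actions, DataActions []ActionStr
	}
)

// scopeCovers reports whether an assignment at scope have applies to scope want: equal scopes, or
// have is an ancestor on the ARM resource-ID path (subscription > resource group > resource).
func scopeCovers(have, want string) bool {
	have = strings.TrimSuffix(strings.ToLower(have), "/")
	want = strings.TrimSuffix(strings.ToLower(want), "/")
	return want == have || strings.HasPrefix(want, have+"/")
}

// actionMatches compares a required action with a role-definition entry. Assumption: only a
// trailing '*' wildcard is modelled (e.g. "Microsoft.Compute/virtualMachines/*"); case is ignored.
func actionMatches(granted, want ActionStr) bool {
	g, w := strings.ToLower(string(granted)), strings.ToLower(string(want))
	if strings.HasSuffix(g, "*") {
		return strings.HasPrefix(w, strings.TrimSuffix(g, "*"))
	}
	return g == w
}

// firstCovering returns the first assignment bound to principalID whose scope covers scope and
// whose actions (or data actions, when data is true) match want.
func firstCovering(as []Assignment, principalID, scope string, want ActionStr, data bool) (Assignment, bool) {
	for _, a := range as {
		list := a.Actions
		if data {
			list = a.DataActions
		}
		for _, g := range list {
			if a.PrincipalID == principalID && scopeCovers(a.Scope, scope) && actionMatches(g, want) {
				return a, true
			}
		}
	}
	return Assignment{}, false
}

// EvaluateRule applies the RBACRule/PermissionSet semantics: every required (data) action must be granted
// by a role assignment at the required scope or above and not matched by any deny assignment there.
func EvaluateRule(rule RBACRule, roles, denies []Assignment) (findings []string) {
	for _, ps := range rule.Permissions {
		for _, data := range []bool{false, true} {
			kind, wanted := "action", ps.Actions
			if data {
				kind, wanted = "data action", ps.DataActions
			}
			for _, w := range wanted {
				if d, denied := firstCovering(denies, rule.PrincipalID, ps.Scope, w, data); denied {
					findings = append(findings, fmt.Sprintf("rule %s: %s %s at %s is denied by a deny assignment at %s", rule.Name, kind, w, ps.Scope, d.Scope))
				} else if _, ok := firstCovering(roles, rule.PrincipalID, ps.Scope, w, data); !ok {
					findings = append(findings, fmt.Sprintf("rule %s: %s %s at %s is not granted by any role assignment", rule.Name, kind, w, ps.Scope))
				}
			}
		}
	}
	return findings
}

// Constructed sample with placeholder IDs: a wildcard VM role at subscription scope, blob read at
// resource-group scope, and a deny assignment on VM delete at the resource group.
func sampleInputs() (rule RBACRule, roles, denies []Assignment) {
	sub := "/subscriptions/00000000-0000-0000-0000-000000000000"
	rg, p := sub+"/resourceGroups/rg-app", "11111111-1111-1111-1111-111111111111"
	rule = RBACRule{Name: "vm-operator", PrincipalID: p, Permissions: []PermissionSet{{Scope: rg,
		Actions:     []ActionStr{"Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachines/delete", "Microsoft.Network/virtualNetworks/read"},
		DataActions: []ActionStr{"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"}}}}
	roles = []Assignment{{PrincipalID: p, Scope: sub, Actions: []ActionStr{"Microsoft.Compute/virtualMachines/*"}},
		{PrincipalID: p, Scope: rg, DataActions: []ActionStr{"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"}}}
	denies = []Assignment{{PrincipalID: p, Scope: rg, Actions: []ActionStr{"Microsoft.Compute/virtualMachines/delete"}}}
	return rule, roles, denies
}

func main() {
	fmt.Println(strings.Join(EvaluateRule(sampleInputs()), "\n"))
}
```

In the sample, the VM read action passes because the subscription-scoped role is inherited by the resource group, the blob read data action passes because it is granted exactly at the required scope, the VM delete action fails because a deny assignment at the resource group overrides the inherited grant, and the virtual network read action fails because no role assignment grants it. The rule as a whole therefore fails, which is the behaviour the RBACRule description calls for: all permissions present and none denied.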

func (*RBACRule) DeepCopy added in v0.0.3

func (in *RBACRule) DeepCopy() *RBACRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RBACRule.

func (*RBACRule) DeepCopyInto added in v0.0.3

func (in *RBACRule) DeepCopyInto(out *RBACRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
