Constants ¶
const (
	// PolicyName is the name of the Policy object. Policy is a singleton
	// (at most one per namespace), so every Policy carries this name.
	PolicyName = "default"
	// ResourceAll is the wildcard that matches every resource in a PolicyRule.
	ResourceAll = "*"
	// VerbAll is the wildcard that matches every verb in a PolicyRule.
	// A rule listing both VerbAll and ResourceAll permits every action on
	// every resource within the rule's scope.
	VerbAll = "*"
)
const (
	// ResourceGroupPrefix is the prefix for indicating that a resource entry is actually a group of
	// resources. The groups are defined in code (see GroupsToResources) and indicate resources that
	// are commonly permissioned together.
	ResourceGroupPrefix = "resourcegroup"

	BuildGroupName      = ResourceGroupPrefix + ":builds"
	DeploymentGroupName = ResourceGroupPrefix + ":deployments"
	ImageGroupName      = ResourceGroupPrefix + ":images"
	OAuthGroupName      = ResourceGroupPrefix + ":oauth"
	UserGroupName       = ResourceGroupPrefix + ":users"

	// PolicyOwnerGroupName includes the physical resources behind the PermissionGrantingGroupName.
	// Unless these physical objects are created first, users with privileges to
	// PermissionGrantingGroupName will only be able to bind to global roles.
	PolicyOwnerGroupName = ResourceGroupPrefix + ":policy"

	// PermissionGrantingGroupName includes resources that are necessary to maintain authorization
	// roles and bindings. By itself, this group is insufficient to create anything except for
	// bindings to master roles. If a local Policy already exists, then privileges to this group
	// will allow for modification of local roles.
	PermissionGrantingGroupName = ResourceGroupPrefix + ":granter"

	// OpenshiftExposedGroupName includes resources that are commonly viewed and modified by end
	// users of the system. It does not include any sensitive resources that control authentication
	// or authorization.
	OpenshiftExposedGroupName = ResourceGroupPrefix + ":exposedopenshift"
	// OpenshiftAllGroupName is the union of the exposed OpenShift resources and the
	// authentication/authorization resources (users, oauth, policy, granter).
	OpenshiftAllGroupName = ResourceGroupPrefix + ":allopenshift"
	QuotaGroupName        = ResourceGroupPrefix + ":quota"

	// KubeInternalsGroupName includes those resources that should reasonably be viewable to end
	// users, but that most users should probably not modify. Kubernetes herself will maintain
	// these resources.
	KubeInternalsGroupName = ResourceGroupPrefix + ":privatekube"
	// KubeExposedGroupName includes resources that are commonly viewed and modified by end users
	// of the system.
	KubeExposedGroupName = ResourceGroupPrefix + ":exposedkube"
	// KubeAllGroupName is the union of the internal, exposed and quota Kubernetes groups.
	KubeAllGroupName = ResourceGroupPrefix + ":allkube"
)
Variables ¶
var (
	// GroupsToResources maps each resource group name to its members. A member is either a
	// plain resource name or another group name (anything carrying ResourceGroupPrefix), e.g.
	// OpenshiftAllGroupName lists OpenshiftExposedGroupName and KubeAllGroupName lists
	// KubeInternalsGroupName. Presumably consumers expand such nested groups transitively
	// when resolving a rule — verify against the authorizer that uses this table.
	GroupsToResources = map[string][]string{
		BuildGroupName:              {"builds", "buildconfigs", "buildlogs"},
		ImageGroupName:              {"images", "imagerepositories", "imagerepositorymappings", "imagerepositorytags"},
		DeploymentGroupName:         {"deployments", "deploymentconfigs", "generatedeploymentconfigs", "deploymentconfigrollbacks"},
		UserGroupName:               {"users", "useridentitymappings"},
		OAuthGroupName:              {"oauthauthorizetokens", "oauthaccesstokens", "oauthclients", "oauthclientauthorizations"},
		PolicyOwnerGroupName:        {"policies", "policybindings"},
		PermissionGrantingGroupName: {"roles", "rolebindings"},
		// Nested groups: members are themselves group names.
		OpenshiftExposedGroupName: {BuildGroupName, ImageGroupName, DeploymentGroupName, "templateconfigs", "routes", "projects"},
		OpenshiftAllGroupName:     {OpenshiftExposedGroupName, UserGroupName, OAuthGroupName, PolicyOwnerGroupName, PermissionGrantingGroupName},
		QuotaGroupName:            {"limitranges", "resourcequotas", "resourcequotausages"},
		KubeInternalsGroupName:    {"endpoints", "minions", "nodes", "bindings", "events"},
		KubeExposedGroupName:      {"pods", "replicationcontrollers", "services"},
		KubeAllGroupName:          {KubeInternalsGroupName, KubeExposedGroupName, QuotaGroupName},
	}
)
Types ¶
type Policy ¶
// Policy is an object that holds all the Roles for a particular namespace.
// There is at most one Policy document per namespace (see PolicyName).
type Policy struct {
	kapi.TypeMeta
	kapi.ObjectMeta

	// LastModified is the last time that any part of the Policy was created, updated, or deleted.
	LastModified kutil.Time

	// Roles holds all the Roles held by this Policy, mapped by Role.Name.
	Roles map[string]Role
}
Policy is an object that holds all the Roles for a particular namespace. There is at most one Policy document per namespace.
func (*Policy) IsAnAPIObject ¶
func (*Policy) IsAnAPIObject()
type PolicyBinding ¶
// PolicyBinding is an object that holds all the RoleBindings for a particular namespace.
// There is one PolicyBinding document per referenced Policy namespace.
type PolicyBinding struct {
	kapi.TypeMeta
	kapi.ObjectMeta

	// LastModified is the last time that any part of the PolicyBinding was created, updated, or deleted.
	LastModified kutil.Time

	// PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's
	// RoleBindings may reference.
	PolicyRef kapi.ObjectReference

	// RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name.
	RoleBindings map[string]RoleBinding
}
PolicyBinding is an object that holds all the RoleBindings for a particular namespace. There is one PolicyBinding document per referenced Policy namespace.
func (*PolicyBinding) IsAnAPIObject ¶
func (*PolicyBinding) IsAnAPIObject()
type PolicyBindingList ¶
// PolicyBindingList is a collection of PolicyBindings.
type PolicyBindingList struct {
	kapi.TypeMeta
	kapi.ListMeta

	// Items holds the PolicyBindings in this list.
	Items []PolicyBinding
}
PolicyBindingList is a collection of PolicyBindings.
func (*PolicyBindingList) IsAnAPIObject ¶
func (*PolicyBindingList) IsAnAPIObject()
type PolicyList ¶
PolicyList is a collection of Policies.
func (*PolicyList) IsAnAPIObject ¶
func (*PolicyList) IsAnAPIObject()
type PolicyRule ¶
// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
type PolicyRule struct {
	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions
	// contained in this rule. VerbAll represents all verbs.
	Verbs []string

	// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder
	// pair supports. If the Authorizer does not recognize how to handle the AttributeRestrictions,
	// the Authorizer should report an error (i.e. fail closed rather than ignore the restriction).
	AttributeRestrictions kruntime.EmbeddedObject

	// Resources is a list of resources this rule applies to. ResourceAll represents all resources.
	// An entry carrying ResourceGroupPrefix presumably denotes a group from GroupsToResources — confirm
	// against the authorizer.
	Resources []string

	// ResourceNames is an optional white list of names that the rule applies to. An empty set means
	// no name restriction at all: the rule then matches every name of the listed Resources, so leaving
	// it empty widens the rule rather than narrowing it.
	ResourceNames kutil.StringSet
}
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
type ResourceAccessReview ¶ added in v0.3.1
// ResourceAccessReview is a means to request the list of users and groups that are authorized
// to perform the action it describes.
type ResourceAccessReview struct {
	kapi.TypeMeta

	// Verb is one of: get, list, watch, create, update, delete.
	Verb string

	// Resource is one of the existing resource types.
	Resource string

	// Content is the actual content of the request for create and update.
	Content kruntime.EmbeddedObject

	// ResourceName is the name of the resource being requested for a "get" or deleted for a "delete".
	ResourceName string
}
ResourceAccessReview is a means to request the list of users and groups that are authorized to perform the action specified in the review.
func (*ResourceAccessReview) IsAnAPIObject ¶ added in v0.3.1
func (*ResourceAccessReview) IsAnAPIObject()
type ResourceAccessReviewResponse ¶ added in v0.3.1
// ResourceAccessReviewResponse describes who can perform the action.
type ResourceAccessReviewResponse struct {
	kapi.TypeMeta

	// Namespace is the namespace used for the access review.
	Namespace string

	// Users is the list of users who can perform the action.
	Users []string

	// Groups is the list of groups who can perform the action.
	Groups []string
}
ResourceAccessReviewResponse describes who can perform the action.
func (*ResourceAccessReviewResponse) IsAnAPIObject ¶ added in v0.3.1
func (*ResourceAccessReviewResponse) IsAnAPIObject()
type Role ¶
// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
type Role struct {
	kapi.TypeMeta
	kapi.ObjectMeta

	// Rules holds all the PolicyRules for this Role.
	Rules []PolicyRule
}
Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
func (*Role) IsAnAPIObject ¶
func (*Role) IsAnAPIObject()
type RoleBinding ¶
// RoleBinding references a Role, but does not contain it. It adds who and namespace information.
// It can reference any Role in the same namespace or in the global namespace.
type RoleBinding struct {
	kapi.TypeMeta
	kapi.ObjectMeta

	// UserNames holds all the usernames directly bound to the role.
	UserNames []string

	// GroupNames holds all the groups directly bound to the role.
	GroupNames []string

	// RoleRef identifies the Role being bound. Since Policy is a singleton per namespace, a
	// namespace plus a role name is sufficient to locate the role. RoleRefs can only reference
	// the current namespace and the global namespace. If the RoleRef cannot be resolved, the
	// Authorizer must return an error rather than treat the binding as granting nothing.
	RoleRef kapi.ObjectReference
}
RoleBinding references a Role, but does not contain it. It adds who and namespace information. It can reference any Role in the same namespace or in the global namespace.
func (*RoleBinding) IsAnAPIObject ¶
func (*RoleBinding) IsAnAPIObject()
type SubjectAccessReview ¶ added in v0.3.1
// SubjectAccessReview is an object for requesting information about whether a user or group
// can perform an action.
type SubjectAccessReview struct {
	kapi.TypeMeta

	// Verb is one of: get, list, watch, create, update, delete.
	Verb string

	// Resource is one of the existing resource types.
	Resource string

	// User is optional. If both User and Groups are empty, the current authenticated user is used.
	// NOTE(review): nothing in this type limits who may review a subject other than themselves;
	// that check, if required, has to be enforced by the handler — confirm.
	User string

	// Groups is optional. Groups is the list of groups to which the User belongs.
	Groups []string

	// Content is the actual content of the request for create and update.
	Content kruntime.EmbeddedObject

	// ResourceName is the name of the resource being requested for a "get" or deleted for a "delete".
	ResourceName string
}
SubjectAccessReview is an object for requesting information about whether a user or group can perform an action.
func (*SubjectAccessReview) IsAnAPIObject ¶ added in v0.3.1
func (*SubjectAccessReview) IsAnAPIObject()
type SubjectAccessReviewResponse ¶ added in v0.3.1
// SubjectAccessReviewResponse describes whether or not a user or group can perform an action.
type SubjectAccessReviewResponse struct {
	kapi.TypeMeta

	// Namespace is the namespace used for the access review.
	Namespace string

	// Allowed is required. True if the action would be allowed, false otherwise.
	Allowed bool

	// Reason is optional. It indicates why a request was allowed or denied.
	Reason string
}
SubjectAccessReviewResponse describes whether or not a user or group can perform an action.
func (*SubjectAccessReviewResponse) IsAnAPIObject ¶ added in v0.3.1
func (*SubjectAccessReviewResponse) IsAnAPIObject()