policy

package
v3.11.0-alpha.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 15, 2018 License: Apache-2.0 Imports: 48 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	AddRoleToGroupRecommendedName      = "add-role-to-group"
	AddRoleToUserRecommendedName       = "add-role-to-user"
	RemoveRoleFromGroupRecommendedName = "remove-role-from-group"
	RemoveRoleFromUserRecommendedName  = "remove-role-from-user"

	AddClusterRoleToGroupRecommendedName      = "add-cluster-role-to-group"
	AddClusterRoleToUserRecommendedName       = "add-cluster-role-to-user"
	RemoveClusterRoleFromGroupRecommendedName = "remove-cluster-role-from-group"
	RemoveClusterRoleFromUserRecommendedName  = "remove-cluster-role-from-user"
)
View Source 
const (
	AddSCCToGroupRecommendedName      = "add-scc-to-group"
	AddSCCToUserRecommendedName       = "add-scc-to-user"
	RemoveSCCFromGroupRecommendedName = "remove-scc-from-group"
	RemoveSCCFromUserRecommendedName  = "remove-scc-from-user"
)
View Source 
const (
	RemoveGroupRecommendedName = "remove-group"
	RemoveUserRecommendedName  = "remove-user"
)
View Source 
const CanIRecommendedName = "can-i"
View Source 
const PolicyRecommendedName = "policy"
View Source 
const ReconcileClusterRoleBindingsRecommendedName = "reconcile-cluster-role-bindings"

ReconcileClusterRoleBindingsRecommendedName is the recommended command name

View Source 
const ReconcileClusterRolesRecommendedName = "reconcile-cluster-roles"

ReconcileClusterRolesRecommendedName is the recommended command name

View Source 
const ReconcileProtectAnnotation = "openshift.io/reconcile-protect"

ReconcileProtectAnnotation is the name of an annotation which prevents reconciliation if set to "true"

View Source 
const ReconcileSCCRecommendedName = "reconcile-sccs"

ReconcileSCCRecommendedName is the recommended command name

View Source 
const ReviewRecommendedName = "scc-review"
View Source 
const SubjectReviewRecommendedName = "scc-subject-review"
View Source 
const WhoCanRecommendedName = "who-can"

Variables

This section is empty.

Functions

func CheckStatefulSetWithWolumeClaimTemplates 

func CheckStatefulSetWithWolumeClaimTemplates(obj runtime.Object) error

CheckStatefulSetWithWolumeClaimTemplates checks whether a supplied object is a statefulSet with volumeClaimTemplates Currently scc-review and scc-subject-review commands cannot handle correctly this case since validation is not based only on podTemplateSpec.

func DiffSubjects 

func DiffSubjects(list1 []rbac.Subject, list2 []rbac.Subject) (list1Only []rbac.Subject, list2Only []rbac.Subject)

DiffSubjects returns lists containing the items unique to each provided list: 

list1Only = list1 - list2
list2Only = list2 - list1

if both returned lists are empty, the provided lists are equal

func GetPodTemplateForObject 

func GetPodTemplateForObject(obj runtime.Object) (*kapi.PodTemplateSpec, error)

func IsClusterRoleBindingLookupError 

func IsClusterRoleBindingLookupError(err error) bool

func MergeMaps 

func MergeMaps(a, b map[string]string) map[string]string

MergeMaps will merge to map[string]string instances, with keys from the second argument overwriting keys from the first argument, in case of duplicates.

func NewClusterRoleBindingLookupError 

func NewClusterRoleBindingLookupError(rolesNotFound []string) error

func NewCmdAddClusterRoleToGroup 

func NewCmdAddClusterRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddClusterRoleToGroup implements the OpenShift cli add-cluster-role-to-group command

func NewCmdAddClusterRoleToUser 

func NewCmdAddClusterRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddClusterRoleToUser implements the OpenShift cli add-cluster-role-to-user command

func NewCmdAddRoleToGroup 

func NewCmdAddRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddRoleToGroup implements the OpenShift cli add-role-to-group command

func NewCmdAddRoleToUser 

func NewCmdAddRoleToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdAddRoleToUser implements the OpenShift cli add-role-to-user command

func NewCmdAddSCCToGroup 

func NewCmdAddSCCToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdAddSCCToUser 

func NewCmdAddSCCToUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdCanI 

func NewCmdCanI(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdPolicy 

func NewCmdPolicy(name, fullName string, f *clientcmd.Factory, out, errout io.Writer) *cobra.Command

NewCmdPolicy implements the OpenShift cli policy command

func NewCmdReconcileClusterRoleBindings 

func NewCmdReconcileClusterRoleBindings(name, fullName string, f *clientcmd.Factory, out, err io.Writer) *cobra.Command

NewCmdReconcileClusterRoleBindings implements the OpenShift cli reconcile-cluster-role-bindings command

func NewCmdReconcileClusterRoles 

func NewCmdReconcileClusterRoles(name, fullName string, f *clientcmd.Factory, out, errout io.Writer) *cobra.Command

NewCmdReconcileClusterRoles implements the OpenShift cli reconcile-cluster-roles command

func NewCmdReconcileSCC 

func NewCmdReconcileSCC(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdReconcileSCC implements the OpenShift cli reconcile-sccs command.

func NewCmdRemoveClusterRoleFromGroup 

func NewCmdRemoveClusterRoleFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveClusterRoleFromGroup implements the OpenShift cli remove-cluster-role-from-group command

func NewCmdRemoveClusterRoleFromUser 

func NewCmdRemoveClusterRoleFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveClusterRoleFromUser implements the OpenShift cli remove-cluster-role-from-user command

func NewCmdRemoveGroupFromProject 

func NewCmdRemoveGroupFromProject(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveGroupFromProject implements the OpenShift cli remove-group command

func NewCmdRemoveRoleFromGroup 

func NewCmdRemoveRoleFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveRoleFromGroup implements the OpenShift cli remove-role-from-group command

func NewCmdRemoveRoleFromUser 

func NewCmdRemoveRoleFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveRoleFromUser implements the OpenShift cli remove-role-from-user command

func NewCmdRemoveSCCFromGroup 

func NewCmdRemoveSCCFromGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdRemoveSCCFromUser 

func NewCmdRemoveSCCFromUser(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdRemoveUserFromProject 

func NewCmdRemoveUserFromProject(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdRemoveUserFromProject implements the OpenShift cli remove-user command

func NewCmdSccReview 

func NewCmdSccReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdSccSubjectReview 

func NewCmdSccSubjectReview(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

func NewCmdWhoCan 

func NewCmdWhoCan(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command

NewCmdWhoCan implements the OpenShift cli who-can command

Types

type ClusterRoleBindingAccessor 

type ClusterRoleBindingAccessor struct {
	Client authorizationtypedclient.ClusterRoleBindingsGetter
}

ClusterRoleBindingAccessor operates against cluster scoped role bindings

func NewClusterRoleBindingAccessor 

func NewClusterRoleBindingAccessor(client authorizationtypedclient.ClusterRoleBindingsGetter) ClusterRoleBindingAccessor

func (ClusterRoleBindingAccessor) CreateRoleBinding 

func (a ClusterRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.RoleBinding) error

func (ClusterRoleBindingAccessor) DeleteRoleBinding added in v3.10.0 

func (a ClusterRoleBindingAccessor) DeleteRoleBinding(name string) error

func (ClusterRoleBindingAccessor) GetExistingRoleBindingNames 

func (a ClusterRoleBindingAccessor) GetExistingRoleBindingNames() (*sets.String, error)

func (ClusterRoleBindingAccessor) GetExistingRoleBindingsForRole 

func (a ClusterRoleBindingAccessor) GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)

func (ClusterRoleBindingAccessor) GetRoleBinding 

func (a ClusterRoleBindingAccessor) GetRoleBinding(name string) (*authorizationapi.RoleBinding, error)

func (ClusterRoleBindingAccessor) UpdateRoleBinding 

func (a ClusterRoleBindingAccessor) UpdateRoleBinding(binding *authorizationapi.RoleBinding) error

type LocalRoleBindingAccessor 

type LocalRoleBindingAccessor struct {
	BindingNamespace string
	Client           authorizationtypedclient.RoleBindingsGetter
}

LocalRoleBindingAccessor operates against role bindings in namespace

func NewLocalRoleBindingAccessor 

func NewLocalRoleBindingAccessor(bindingNamespace string, client authorizationtypedclient.RoleBindingsGetter) LocalRoleBindingAccessor

func (LocalRoleBindingAccessor) CreateRoleBinding 

func (a LocalRoleBindingAccessor) CreateRoleBinding(binding *authorizationapi.RoleBinding) error

func (LocalRoleBindingAccessor) DeleteRoleBinding added in v3.10.0 

func (a LocalRoleBindingAccessor) DeleteRoleBinding(name string) error

func (LocalRoleBindingAccessor) GetExistingRoleBindingNames 

func (a LocalRoleBindingAccessor) GetExistingRoleBindingNames() (*sets.String, error)

func (LocalRoleBindingAccessor) GetExistingRoleBindingsForRole 

func (a LocalRoleBindingAccessor) GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)

func (LocalRoleBindingAccessor) GetRoleBinding 

func (a LocalRoleBindingAccessor) GetRoleBinding(name string) (*authorizationapi.RoleBinding, error)

func (LocalRoleBindingAccessor) UpdateRoleBinding 

func (a LocalRoleBindingAccessor) UpdateRoleBinding(binding *authorizationapi.RoleBinding) error

type ReconcileClusterRoleBindingsOptions 

type ReconcileClusterRoleBindingsOptions struct {
	// RolesToReconcile says which roles should have their default bindings reconciled.
	// An empty or nil slice means reconcile all of them.
	RolesToReconcile []string

	Confirmed bool
	Union     bool

	ExcludeSubjects []rbac.Subject

	Out    io.Writer
	Err    io.Writer
	Output string

	RoleBindingClient authorizationtypedclient.ClusterRoleBindingInterface
}

ReconcileClusterRoleBindingsOptions contains all the necessary functionality for the OpenShift cli reconcile-cluster-role-bindings command

func (*ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings 

func (o *ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings() ([]*rbac.ClusterRoleBinding, []*rbac.ClusterRoleBinding, error)

ChangedClusterRoleBindings returns the role bindings that must be created and/or updated to match the recommended bootstrap policy. If roles to reconcile are provided, but not all are found, all partial results are returned.

func (*ReconcileClusterRoleBindingsOptions) Complete 

func (o *ReconcileClusterRoleBindingsOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string, excludeUsers, excludeGroups []string) error

func (*ReconcileClusterRoleBindingsOptions) ReplaceChangedRoleBindings 

func (o *ReconcileClusterRoleBindingsOptions) ReplaceChangedRoleBindings(changedRoleBindings []*rbac.ClusterRoleBinding) error

ReplaceChangedRoleBindings will reconcile all the changed system role bindings back to the recommended bootstrap policy

func (*ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings 

func (o *ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings(cmd *cobra.Command, f *clientcmd.Factory) error

func (*ReconcileClusterRoleBindingsOptions) Validate 

func (o *ReconcileClusterRoleBindingsOptions) Validate() error

type ReconcileClusterRolesOptions 

type ReconcileClusterRolesOptions struct {
	// RolesToReconcile says which roles should be reconciled.  An empty or nil slice means
	// reconcile all of them.
	RolesToReconcile []string

	Confirmed bool
	Union     bool

	Out    io.Writer
	ErrOut io.Writer
	Output string

	RoleClient authorizationtypedclient.ClusterRoleInterface
}

func (*ReconcileClusterRolesOptions) ChangedClusterRoles 

func (o *ReconcileClusterRolesOptions) ChangedClusterRoles() ([]*rbac.ClusterRole, []*rbac.ClusterRole, error)

ChangedClusterRoles returns the roles that must be created and/or updated to match the recommended bootstrap policy

func (*ReconcileClusterRolesOptions) Complete 

func (o *ReconcileClusterRolesOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string) error

func (*ReconcileClusterRolesOptions) ReplaceChangedRoles 

func (o *ReconcileClusterRolesOptions) ReplaceChangedRoles(changedRoles []*rbac.ClusterRole) error

ReplaceChangedRoles will reconcile all the changed roles back to the recommended bootstrap policy

func (*ReconcileClusterRolesOptions) RunReconcileClusterRoles 

func (o *ReconcileClusterRolesOptions) RunReconcileClusterRoles(cmd *cobra.Command, f *clientcmd.Factory) error

RunReconcileClusterRoles contains all the necessary functionality for the OpenShift cli reconcile-cluster-roles command

func (*ReconcileClusterRolesOptions) Validate 

func (o *ReconcileClusterRolesOptions) Validate() error

type ReconcileSCCOptions 

type ReconcileSCCOptions struct {
	// confirmed indicates that the data should be persisted
	Confirmed bool
	// union controls if we make additive changes to the users/groups/labels/annotations fields
	// or overwrite them as well as preserving existing priorities (unset priorities will
	// always be reconciled)
	Union bool
	// is the name of the openshift infrastructure namespace.  It is provided here so that
	// the command doesn't need to try and parse the policy config.
	InfraNamespace string

	Out    io.Writer
	Output string

	SCCClient securitytypedclient.SecurityContextConstraintsInterface
	NSClient  kcoreclient.NamespaceInterface
}

func NewDefaultReconcileSCCOptions 

func NewDefaultReconcileSCCOptions() *ReconcileSCCOptions

NewDefaultReconcileSCCOptions provides a ReconcileSCCOptions with default settings.

func (*ReconcileSCCOptions) ChangedSCCs 

func (o *ReconcileSCCOptions) ChangedSCCs() ([]*securityapi.SecurityContextConstraints, error)

ChangedSCCs returns the SCCs that must be created and/or updated to match the recommended bootstrap SCCs.

func (*ReconcileSCCOptions) Complete 

func (o *ReconcileSCCOptions) Complete(cmd *cobra.Command, f *clientcmd.Factory, args []string) error

func (*ReconcileSCCOptions) ReplaceChangedSCCs 

func (o *ReconcileSCCOptions) ReplaceChangedSCCs(changedSCCs []*securityapi.SecurityContextConstraints) error

ReplaceChangedSCCs persists the changed SCCs.

func (*ReconcileSCCOptions) RunReconcileSCCs 

func (o *ReconcileSCCOptions) RunReconcileSCCs(cmd *cobra.Command, f *clientcmd.Factory) error

RunReconcileSCCs contains the functionality for the reconcile-sccs command for making or previewing changes.

func (*ReconcileSCCOptions) Validate 

func (o *ReconcileSCCOptions) Validate() error

type RemoveFromProjectOptions 

type RemoveFromProjectOptions struct {
	BindingNamespace string
	Client           oauthorizationtypedclient.RoleBindingsGetter

	Groups []string
	Users  []string

	DryRun bool

	PrintObject func(runtime.Object) error
	Output      string
	Out         io.Writer
}

func (*RemoveFromProjectOptions) Complete 

func (o *RemoveFromProjectOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command, args []string, target *[]string, targetName string) error

func (*RemoveFromProjectOptions) Run 

func (o *RemoveFromProjectOptions) Run() error

func (*RemoveFromProjectOptions) Validate 

func (o *RemoveFromProjectOptions) Validate(f *clientcmd.Factory, cmd *cobra.Command, args []string) error

type RoleBindingAccessor 

type RoleBindingAccessor interface {
	GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error)
	GetExistingRoleBindingNames() (*sets.String, error)
	GetRoleBinding(name string) (*authorizationapi.RoleBinding, error)
	UpdateRoleBinding(binding *authorizationapi.RoleBinding) error
	CreateRoleBinding(binding *authorizationapi.RoleBinding) error
	DeleteRoleBinding(name string) error
}

RoleBindingAccessor is used by role modification commands to access and modify roles

type RoleModificationOptions 

type RoleModificationOptions struct {
	RoleNamespace       string
	RoleName            string
	RoleBindingName     string
	RoleBindingAccessor RoleBindingAccessor

	Targets  []string
	Users    []string
	Groups   []string
	Subjects []kapi.ObjectReference

	DryRun bool
	Output string

	PrintObj func(obj runtime.Object) error
}

func (*RoleModificationOptions) AddRole 

func (o *RoleModificationOptions) AddRole() error

func (*RoleModificationOptions) Complete 

func (o *RoleModificationOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command, args []string, target *[]string, targetName string, isNamespaced bool, out io.Writer) error

func (*RoleModificationOptions) CompleteUserWithSA 

func (o *RoleModificationOptions) CompleteUserWithSA(f *clientcmd.Factory, cmd *cobra.Command, args []string, saNames []string, isNamespaced bool, out io.Writer) error

func (*RoleModificationOptions) RemoveRole 

func (o *RoleModificationOptions) RemoveRole() error

type SCCModificationOptions 

type SCCModificationOptions struct {
	SCCName      string
	SCCInterface securitytypedclient.SecurityContextConstraintsInterface

	DefaultSubjectNamespace string
	Subjects                []kapi.ObjectReference

	IsGroup bool
	DryRun  bool
	Output  string

	PrintObj func(runtime.Object) error
	Out      io.Writer
}

func (*SCCModificationOptions) AddSCC 

func (o *SCCModificationOptions) AddSCC() error

func (*SCCModificationOptions) CompleteGroups 

func (o *SCCModificationOptions) CompleteGroups(f *clientcmd.Factory, cmd *cobra.Command, args []string, out io.Writer) error

func (*SCCModificationOptions) CompleteUsers 

func (o *SCCModificationOptions) CompleteUsers(f *clientcmd.Factory, cmd *cobra.Command, args []string, saNames []string, out io.Writer) error

func (*SCCModificationOptions) RemoveSCC 

func (o *SCCModificationOptions) RemoveSCC() error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.