| /* |
| Copyright 2015 The Kubernetes Authors. |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| */ |
| |
| package v1beta1 |
| |
| import ( |
| "fmt" |
| |
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| ) |
| |
| // +genclient |
| // +genclient:nonNamespaced |
| // +genclient:onlyVerbs=create |
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| // +k8s:prerelease-lifecycle-gen:introduced=1.2 |
| // +k8s:prerelease-lifecycle-gen:deprecated=1.19 |
| // +k8s:prerelease-lifecycle-gen:replacement=authorization.k8s.io,v1,SubjectAccessReview |
| |
| // SubjectAccessReview checks whether or not a user or group can perform an action. |
| type SubjectAccessReview struct { |
| metav1.TypeMeta `json:",inline"` |
| // +optional |
| metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| |
| // Spec holds information about the request being evaluated |
| Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` |
| |
| // Status is filled in by the server and indicates whether the request is allowed or not |
| // +optional |
| Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` |
| } |
| |
| // +genclient |
| // +genclient:nonNamespaced |
| // +genclient:onlyVerbs=create |
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| // +k8s:prerelease-lifecycle-gen:introduced=1.2 |
| // +k8s:prerelease-lifecycle-gen:deprecated=1.19 |
| // +k8s:prerelease-lifecycle-gen:replacement=authorization.k8s.io,v1,SelfSubjectAccessReview |
| |
| // SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a |
| // spec.namespace means "in all namespaces". Self is a special case, because users should always be able |
| // to check whether they can perform an action |
| type SelfSubjectAccessReview struct { |
| metav1.TypeMeta `json:",inline"` |
| // +optional |
| metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| |
| // Spec holds information about the request being evaluated. user and groups must be empty |
| Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` |
| |
| // Status is filled in by the server and indicates whether the request is allowed or not |
| // +optional |
| Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` |
| } |
| |
| // +genclient |
| // +genclient:onlyVerbs=create |
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| // +k8s:prerelease-lifecycle-gen:introduced=1.2 |
| // +k8s:prerelease-lifecycle-gen:deprecated=1.19 |
| // +k8s:prerelease-lifecycle-gen:replacement=authorization.k8s.io,v1,LocalSubjectAccessReview |
| |
| // LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. |
| // Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions |
| // checking. |
| type LocalSubjectAccessReview struct { |
| metav1.TypeMeta `json:",inline"` |
| // +optional |
| metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| |
| // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace |
| // you made the request against. If empty, it is defaulted. |
| Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` |
| |
| // Status is filled in by the server and indicates whether the request is allowed or not |
| // +optional |
| Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` |
| } |
| |
| // ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface |
| type ResourceAttributes struct { |
| // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces |
| // "" (empty) is defaulted for LocalSubjectAccessReviews |
| // "" (empty) is empty for cluster-scoped resources |
| // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview |
| // +optional |
| Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"` |
| // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all. |
| // +optional |
| Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"` |
| // Group is the API Group of the Resource. "*" means all. |
| // +optional |
| Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"` |
| // Version is the API Version of the Resource. "*" means all. |
| // +optional |
| Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"` |
| // Resource is one of the existing resource types. "*" means all. |
| // +optional |
| Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"` |
| // Subresource is one of the existing resource types. "" means none. |
| // +optional |
| Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"` |
| // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all. |
| // +optional |
| Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"` |
| } |
| |
| // NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface |
| type NonResourceAttributes struct { |
| // Path is the URL path of the request |
| // +optional |
| Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"` |
| // Verb is the standard HTTP verb |
| // +optional |
| Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"` |
| } |
| |
| // SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes |
| // and NonResourceAuthorizationAttributes must be set |
| type SubjectAccessReviewSpec struct { |
| // ResourceAuthorizationAttributes describes information for a resource access request |
| // +optional |
| ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"` |
| // NonResourceAttributes describes information for a non-resource access request |
| // +optional |
| NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"` |
| |
| // User is the user you're testing for. |
| // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups |
| // +optional |
| User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"` |
| // Groups is the groups you're testing for. |
| // +optional |
| Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"` |
| // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer |
| // it needs a reflection here. |
| // +optional |
| Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"` |
| // UID information about the requesting user. |
| // +optional |
| UID string `json:"uid,omitempty" protobuf:"bytes,6,opt,name=uid"` |
| } |
| |
| // ExtraValue masks the value so protobuf can generate |
| // +protobuf.nullable=true |
| // +protobuf.options.(gogoproto.goproto_stringer)=false |
| type ExtraValue []string |
| |
| func (t ExtraValue) String() string { |
| return fmt.Sprintf("%v", []string(t)) |
| } |
| |
| // SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes |
| // and NonResourceAuthorizationAttributes must be set |
| type SelfSubjectAccessReviewSpec struct { |
| // ResourceAuthorizationAttributes describes information for a resource access request |
| // +optional |
| ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"` |
| // NonResourceAttributes describes information for a non-resource access request |
| // +optional |
| NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"` |
| } |
| |
| // SubjectAccessReviewStatus |
| type SubjectAccessReviewStatus struct { |
| // Allowed is required. True if the action would be allowed, false otherwise. |
| Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"` |
| // Denied is optional. True if the action would be denied, otherwise |
| // false. If both allowed is false and denied is false, then the |
| // authorizer has no opinion on whether to authorize the action. Denied |
| // may not be true if Allowed is true. |
| // +optional |
| Denied bool `json:"denied,omitempty" protobuf:"varint,4,opt,name=denied"` |
| // Reason is optional. It indicates why a request was allowed or denied. |
| // +optional |
| Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"` |
| // EvaluationError is an indication that some error occurred during the authorization check. |
| // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. |
| // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. |
| // +optional |
| EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"` |
| } |
| |
| // +genclient |
| // +genclient:nonNamespaced |
| // +genclient:onlyVerbs=create |
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| // +k8s:prerelease-lifecycle-gen:introduced=1.8 |
| // +k8s:prerelease-lifecycle-gen:deprecated=1.19 |
| // +k8s:prerelease-lifecycle-gen:replacement=authorization.k8s.io,v1,SelfSubjectRulesReview |
| |
| // SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. |
| // The returned list of actions may be incomplete depending on the server's authorization mode, |
| // and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, |
| // or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to |
| // drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. |
| // SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. |
| type SelfSubjectRulesReview struct { |
| metav1.TypeMeta `json:",inline"` |
| // +optional |
| metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| |
| // Spec holds information about the request being evaluated. |
| Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` |
| |
| // Status is filled in by the server and indicates the set of actions a user can perform. |
| // +optional |
| Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` |
| } |
| |
| type SelfSubjectRulesReviewSpec struct { |
| // Namespace to evaluate rules for. Required. |
| Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"` |
| } |
| |
| // SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on |
| // the set of authorizers the server is configured with and any errors experienced during evaluation. |
| // Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, |
| // even if that list is incomplete. |
| type SubjectRulesReviewStatus struct { |
| // ResourceRules is the list of actions the subject is allowed to perform on resources. |
| // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. |
| ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"` |
| // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. |
| // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. |
| NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"` |
| // Incomplete is true when the rules returned by this call are incomplete. This is most commonly |
| // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. |
| Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"` |
| // EvaluationError can appear in combination with Rules. It indicates an error occurred during |
| // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that |
| // ResourceRules and/or NonResourceRules may be incomplete. |
| // +optional |
| EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"` |
| } |
| |
| // ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, |
| // may contain duplicates, and possibly be incomplete. |
| type ResourceRule struct { |
| // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. |
| Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` |
| |
| // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of |
| // the enumerated resources in any API group will be allowed. "*" means all. |
| // +optional |
| APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"` |
| // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. |
| // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. |
| // +optional |
| Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"` |
| // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. |
| // +optional |
| ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"` |
| } |
| |
| // NonResourceRule holds information that describes a rule for the non-resource |
| type NonResourceRule struct { |
| // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. |
| Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` |
| |
| // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, |
| // final step in the path. "*" means all. |
| // +optional |
| NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"` |
| } |