/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1beta1

import (
	// metav1 supplies the TypeMeta, ObjectMeta and ListMeta embeds and the
	// LabelSelector type referenced by the RBAC API types in this file.
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Authorization is calculated against, in order:
// 1. evaluation of ClusterRoleBindings - short circuit on match
// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
// 3. deny by default

// Wildcard values accepted in PolicyRule fields. Each one widens the
// corresponding dimension of a rule to every API group, resource, verb or
// non-resource URL; see the PolicyRule field comments for where "*" is legal.
const (
	APIGroupAll    = "*"
	ResourceAll    = "*"
	VerbAll        = "*"
	NonResourceAll = "*"
)

// Subject kinds defined by this API group; these are the values an
// Authorizer is expected to recognise in Subject.Kind.
const (
	GroupKind          = "Group"
	ServiceAccountKind = "ServiceAccount"
	UserKind           = "User"
)

// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false".
const AutoUpdateAnnotationKey = "rbac.authorization.kubernetes.io/autoupdate"

// Authorization is calculated against, in order:
// 1. evaluation of ClusterRoleBindings - short circuit on match
// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
// 3. deny by default

// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
//
// A PolicyRule can only grant access; there is no deny form. A request that matches no rule
// is denied by default, so every field below can only widen what the rule permits.
type PolicyRule struct {
	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
	// The json tag has no omitempty, so a nil slice serialises as JSON null rather than being dropped.
	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`

	// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
	// the enumerated resources in any API group will be allowed. APIGroupAll ("*") matches every group.
	// +optional
	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
	// Resources is a list of resources this rule applies to. '*' (ResourceAll) represents all resources in the specified apiGroups.
	// '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
	// +optional
	Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
	// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
	// When non-empty it restricts the rule to the named objects only.
	// +optional
	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`

	// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path.
	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
	// NonResourceAll ("*") is the wildcard constant for this field.
	// +optional
	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,5,rep,name=nonResourceURLs"`
}

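// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
// or a value for non-objects such as user and group names.
type Subject struct {
	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount"
	// (the UserKind, GroupKind and ServiceAccountKind constants).
	// If the Authorizer does not recognize the kind value, the Authorizer should report an error.
	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
	// APIGroup holds the API group of the referenced subject.
	// Defaults to "" for ServiceAccount subjects.
	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
	//
	// The protobuf tag previously read "bytes,2,opt.name=apiGroup" ("opt.name" rather than
	// "opt,name"), which differs from the comma-separated option,name form used by every other
	// tag in this file; a parser splitting the tag on commas would not see its name= element.
	// Corrected to the same form as the neighbouring fields.
	// +optional
	APIGroup string `json:"apiGroup,omitempty" protobuf:"bytes,2,opt,name=apiGroup"`
	// Name of the object being referenced.
	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
	// Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
	// the Authorizer should report an error.
	// +optional
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
}
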
// RoleRef contains information that points to the role being used.
type RoleRef struct {
	// APIGroup is the group for the resource being referenced
	APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
	// Kind is the type of resource being referenced. A RoleBinding may point at a Role or a ClusterRole;
	// a ClusterRoleBinding may only point at a ClusterRole (see the RoleRef comments on those types).
	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
	// Name is the name of resource being referenced
	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
type Role struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Rules holds all the PolicyRules for this Role.
	// The json tag has no omitempty, so a nil slice serialises as JSON null rather than being dropped.
	// +optional
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace.
// It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given
// namespace only have effect in that namespace.
type RoleBinding struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Subjects holds references to the objects the role applies to.
	// +optional
	Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	// Referencing a ClusterRole here grants its rules to the Subjects only within this
	// RoleBinding's namespace, since RoleBindings only have effect in their own namespace.
	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBindingList is a collection of RoleBindings.
type RoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of RoleBindings (no omitempty: a nil slice serialises as JSON null).
	Items []RoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleList is a collection of Roles.
type RoleList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of Roles (no omitempty: a nil slice serialises as JSON null).
	Items []Role `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
type ClusterRole struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Rules holds all the PolicyRules for this ClusterRole.
	// The json tag has no omitempty, so a nil slice serialises as JSON null rather than being dropped.
	// +optional
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
	// stomped by the controller. When nil (omitted from JSON), Rules are presumably authored directly.
	// Because aggregation is driven by label selectors, the effective permissions of an aggregated
	// ClusterRole are the union of every ClusterRole that any selector matches.
	// +optional
	AggregationRule *AggregationRule `json:"aggregationRule,omitempty" protobuf:"bytes,3,opt,name=aggregationRule"`
}

// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole.
type AggregationRule struct {
	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
	// If any of the selectors match, then the ClusterRole's permissions will be added; the selectors are OR-ed,
	// so each additional selector can only widen the set of rules pulled in. Review selectors as grants:
	// the broader the selector, the more ClusterRoles contribute their permissions.
	// +optional
	ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleBinding references a ClusterRole, but does not contain it. It can reference a ClusterRole in the global namespace,
// and adds who information via Subject.
type ClusterRoleBinding struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Subjects holds references to the objects the role applies to.
	// Because a ClusterRoleBinding is not namespaced, the referenced ClusterRole's rules apply
	// cluster-wide for these subjects (this is also the only way NonResourceURLs rules take effect).
	// +optional
	Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

	// RoleRef can only reference a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleBindingList is a collection of ClusterRoleBindings.
type ClusterRoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of ClusterRoleBindings (no omitempty: a nil slice serialises as JSON null).
	Items []ClusterRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleList is a collection of ClusterRoles.
type ClusterRoleList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of ClusterRoles (no omitempty: a nil slice serialises as JSON null).
	Items []ClusterRole `json:"items" protobuf:"bytes,2,rep,name=items"`
}