Dependencies for the affinity router and the
affinity routing daemon.
Change-Id: Icda72c3594ef7f8f0bc0c33dc03087a4c25529ca
diff --git a/vendor/k8s.io/api/authorization/v1/types.go b/vendor/k8s.io/api/authorization/v1/types.go
new file mode 100644
index 0000000..86b05c5
--- /dev/null
+++ b/vendor/k8s.io/api/authorization/v1/types.go
@@ -0,0 +1,268 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ "fmt"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SubjectAccessReview checks whether or not a user or group can perform an action.
+type SubjectAccessReview struct {
+ metav1.TypeMeta `json:",inline"`
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+ // Spec holds information about the request being evaluated
+ Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+ // Status is filled in by the server and indicates whether the request is allowed or not
+ // +optional
+ Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a
+// spec.namespace means "in all namespaces". Self is a special case, because users should always be able
+// to check whether they can perform an action
+type SelfSubjectAccessReview struct {
+ metav1.TypeMeta `json:",inline"`
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+ // Spec holds information about the request being evaluated. user and groups must be empty
+ Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+ // Status is filled in by the server and indicates whether the request is allowed or not
+ // +optional
+ Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +genclient
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
+// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
+// checking.
+type LocalSubjectAccessReview struct {
+ metav1.TypeMeta `json:",inline"`
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+ // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace
+ // you made the request against. If empty, it is defaulted.
+ Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+ // Status is filled in by the server and indicates whether the request is allowed or not
+ // +optional
+ Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
+type ResourceAttributes struct {
+ // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
+ // "" (empty) is defaulted for LocalSubjectAccessReviews
+ // "" (empty) is empty for cluster-scoped resources
+ // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+ // +optional
+ Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
+ // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
+ // +optional
+ Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
+ // Group is the API Group of the Resource. "*" means all.
+ // +optional
+ Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"`
+ // Version is the API Version of the Resource. "*" means all.
+ // +optional
+ Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"`
+ // Resource is one of the existing resource types. "*" means all.
+ // +optional
+ Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"`
+ // Subresource is one of the existing resource types. "" means none.
+ // +optional
+ Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"`
+ // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+ // +optional
+ Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"`
+}
+
+// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
+type NonResourceAttributes struct {
+ // Path is the URL path of the request
+ // +optional
+ Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
+ // Verb is the standard HTTP verb
+ // +optional
+ Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
+}
+
+// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+type SubjectAccessReviewSpec struct {
+ // ResourceAuthorizationAttributes describes information for a resource access request
+ // +optional
+ ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
+ // NonResourceAttributes describes information for a non-resource access request
+ // +optional
+ NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
+
+ // User is the user you're testing for.
+ // If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
+ // +optional
+ User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
+ // Groups is the groups you're testing for.
+ // +optional
+ Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
+ // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
+ // it needs a reflection here.
+ // +optional
+ Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"`
+ // UID information about the requesting user.
+ // +optional
+ UID string `json:"uid,omitempty" protobuf:"bytes,6,opt,name=uid"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+ return fmt.Sprintf("%v", []string(t))
+}
+
+// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+type SelfSubjectAccessReviewSpec struct {
+ // ResourceAuthorizationAttributes describes information for a resource access request
+ // +optional
+ ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
+ // NonResourceAttributes describes information for a non-resource access request
+ // +optional
+ NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
+}
+
+// SubjectAccessReviewStatus
+type SubjectAccessReviewStatus struct {
+ // Allowed is required. True if the action would be allowed, false otherwise.
+ Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
+ // Denied is optional. True if the action would be denied, otherwise
+ // false. If both allowed is false and denied is false, then the
+ // authorizer has no opinion on whether to authorize the action. Denied
+ // may not be true if Allowed is true.
+ // +optional
+ Denied bool `json:"denied,omitempty" protobuf:"varint,4,opt,name=denied"`
+ // Reason is optional. It indicates why a request was allowed or denied.
+ // +optional
+ Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
+ // EvaluationError is an indication that some error occurred during the authorization check.
+ // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+ // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+ // +optional
+ EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
+// The returned list of actions may be incomplete depending on the server's authorization mode,
+// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
+// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
+// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
+// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
+type SelfSubjectRulesReview struct {
+ metav1.TypeMeta `json:",inline"`
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+ // Spec holds information about the request being evaluated.
+ Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+ // Status is filled in by the server and indicates the set of actions a user can perform.
+ // +optional
+ Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+type SelfSubjectRulesReviewSpec struct {
+ // Namespace to evaluate rules for. Required.
+ Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
+}
+
+// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
+// the set of authorizers the server is configured with and any errors experienced during evaluation.
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
+// even if that list is incomplete.
+type SubjectRulesReviewStatus struct {
+ // ResourceRules is the list of actions the subject is allowed to perform on resources.
+ // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+ ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"`
+ // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
+ // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+ NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"`
+ // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
+ // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
+ Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"`
+ // EvaluationError can appear in combination with Rules. It indicates an error occurred during
+ // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
+ // ResourceRules and/or NonResourceRules may be incomplete.
+ // +optional
+ EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"`
+}
+
+// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
+// may contain duplicates, and possibly be incomplete.
+type ResourceRule struct {
+ // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
+ Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+ // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
+ // the enumerated resources in any API group will be allowed. "*" means all.
+ // +optional
+ APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
+ // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
+ // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
+ // +optional
+ Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
+ // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
+ // +optional
+ ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
+}
+
+// NonResourceRule holds information that describes a rule for the non-resource
+type NonResourceRule struct {
+ // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
+ Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+ // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
+ // final step in the path. "*" means all.
+ // +optional
+ NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"`
+}