diff options
Diffstat (limited to 'vendor/k8s.io/kubernetes/pkg/apis/authorization/v1beta1/types.go')
| -rw-r--r-- | vendor/k8s.io/kubernetes/pkg/apis/authorization/v1beta1/types.go | 176 |
1 files changed, 176 insertions, 0 deletions
diff --git a/vendor/k8s.io/kubernetes/pkg/apis/authorization/v1beta1/types.go b/vendor/k8s.io/kubernetes/pkg/apis/authorization/v1beta1/types.go new file mode 100644 index 000000000..8a1727423 --- /dev/null +++ b/vendor/k8s.io/kubernetes/pkg/apis/authorization/v1beta1/types.go @@ -0,0 +1,176 @@ +/* +Copyright 2015 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + "fmt" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +genclient=true +// +nonNamespaced=true +// +noMethods=true + +// SubjectAccessReview checks whether or not a user or group can perform an action. +type SubjectAccessReview struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // Spec holds information about the request being evaluated + Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` +} + +// +genclient=true +// +nonNamespaced=true +// +noMethods=true + +// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a +// spec.namespace means "in all namespaces". Self is a special case, because users should always be able +// to check whether they can perform an action +type SelfSubjectAccessReview struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // Spec holds information about the request being evaluated. user and groups must be empty + Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` +} + +// +genclient=true +// +noMethods=true + +// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. +// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions +// checking. +type LocalSubjectAccessReview struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace + // you made the request against. If empty, it is defaulted. + Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` +} + +// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface +type ResourceAttributes struct { + // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces + // "" (empty) is defaulted for LocalSubjectAccessReviews + // "" (empty) is empty for cluster-scoped resources + // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview + // +optional + Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"` + // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +optional + Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"` + // Group is the API Group of the Resource. "*" means all. + // +optional + Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"` + // Version is the API Version of the Resource. "*" means all. + // +optional + Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"` + // Resource is one of the existing resource types. "*" means all. + // +optional + Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"` + // Subresource is one of the existing resource types. "" means none. + // +optional + Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"` + // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all. + // +optional + Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"` +} + +// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface +type NonResourceAttributes struct { + // Path is the URL path of the request + // +optional + Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"` + // Verb is the standard HTTP verb + // +optional + Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"` +} + +// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +type SubjectAccessReviewSpec struct { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"` + // NonResourceAttributes describes information for a non-resource access request + // +optional + NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"` + + // User is the user you're testing for. + // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups + // +optional + User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=verb"` + // Groups is the groups you're testing for. + // +optional + Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"` + // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer + // it needs a reflection here. + // +optional + Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"` +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +type ExtraValue []string + +func (t ExtraValue) String() string { + return fmt.Sprintf("%v", []string(t)) +} + +// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +type SelfSubjectAccessReviewSpec struct { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"` + // NonResourceAttributes describes information for a non-resource access request + // +optional + NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"` +} + +// SubjectAccessReviewStatus +type SubjectAccessReviewStatus struct { + // Allowed is required. True if the action would be allowed, false otherwise. + Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"` + // Reason is optional. It indicates why a request was allowed or denied. + // +optional + Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"` + // EvaluationError is an indication that some error occurred during the authorization check. + // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. + // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. + // +optional + EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"` +} |