Documentation ¶
Index ¶
- func NewPreflight(depsFactory cmdcore.DepsFactory, enabled bool) preflight.Check
- func RulesForBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, ...) ([]rbacv1.PolicyRule, error)
- func RulesForClusterRoleBinding(ctx context.Context, crGetter rbacv1client.ClusterRolesGetter, ...) ([]rbacv1.PolicyRule, error)
- func RulesForRole(res ctlres.Resource) ([]rbacv1.PolicyRule, error)
- func RulesForRoleBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, ...) ([]rbacv1.PolicyRule, error)
- func ValidatePermissions(ctx context.Context, ssarClient authv1client.SelfSubjectAccessReviewInterface, ...) error
- type BasicValidator
- type BindingValidator
- type CompositeValidator
- type Preflight
- type RoleValidator
- type Validator
Functions ¶
func NewPreflight ¶
func NewPreflight(depsFactory cmdcore.DepsFactory, enabled bool) preflight.Check
func RulesForBinding ¶
func RulesForBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, res ctlres.Resource) ([]rbacv1.PolicyRule, error)
RulesForBinding returns a slice of rbacv1.PolicyRule objects representing the (Cluster)Role rules that a (Cluster)RoleBinding references. It returns an error if one occurs while fetching this information or if it is unable to determine what kind of binding the resource is.
func RulesForClusterRoleBinding ¶
func RulesForClusterRoleBinding(ctx context.Context, crGetter rbacv1client.ClusterRolesGetter, crb *rbacv1.ClusterRoleBinding) ([]rbacv1.PolicyRule, error)
RulesForClusterRoleBinding will return a slice of rbacv1.PolicyRule objects that are representative of the ClusterRole rules that a ClusterRoleBinding references. It returns an error if one occurs during the process of fetching this information.
func RulesForRole ¶
func RulesForRole(res ctlres.Resource) ([]rbacv1.PolicyRule, error)
RulesForRole returns a slice of rbacv1.PolicyRule objects representing the rules of the provided (Cluster)Role. It returns an error if one occurs while fetching this information or if it is unable to determine what kind of role the resource is.
func RulesForRoleBinding ¶
func RulesForRoleBinding(ctx context.Context, rbacClient rbacv1client.RbacV1Interface, rb *rbacv1.RoleBinding) ([]rbacv1.PolicyRule, error)
RulesForRoleBinding will return a slice of rbacv1.PolicyRule objects that are representative of the (Cluster)Role rules that a RoleBinding references. It returns an error if one occurs during the process of fetching this information.
func ValidatePermissions ¶
func ValidatePermissions(ctx context.Context, ssarClient authv1client.SelfSubjectAccessReviewInterface, resourceAttributes *authv1.ResourceAttributes) error
ValidatePermissions takes the parameters needed to validate permissions using a SelfSubjectAccessReview. It returns an error if the SelfSubjectAccessReview indicates that the permissions are not present or cannot be determined, and a nil error if it indicates that the permissions are present. Because the review is a self-subject check, the answer applies to the identity that ssarClient authenticates as, at the time of the call. TODO: Look into using SelfSubjectRulesReview instead of SelfSubjectAccessReview.
Types ¶
type BasicValidator ¶
type BasicValidator struct {
// contains filtered or unexported fields
}
BasicValidator is a basic validator useful for validating basic CRUD permissions for resources. It has no knowledge of how to handle permission evaluation for specific GroupVersionKinds
func NewBasicValidator ¶
func NewBasicValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, mapper meta.RESTMapper) *BasicValidator
type BindingValidator ¶
type BindingValidator struct {
// contains filtered or unexported fields
}
BindingValidator is a Validator implementation for validating permissions required to CRUD Kubernetes (Cluster)RoleBinding resources
func NewBindingValidator ¶
func NewBindingValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, rbacClient rbacv1client.RbacV1Interface, mapper meta.RESTMapper) *BindingValidator
type CompositeValidator ¶
type CompositeValidator struct {
// contains filtered or unexported fields
}
CompositeValidator implements Validator and is used for composing multiple validators into a single validator that can handle specifying unique validators for different GroupVersionKinds
func NewCompositeValidator ¶
func NewCompositeValidator(defaultValidator Validator, validators map[schema.GroupVersionKind]Validator) *CompositeValidator
type Preflight ¶
type Preflight struct {
// contains filtered or unexported fields
}
Preflight is an implementation of preflight.Check to make it easier to add permission validation as a preflight check
func (*Preflight) SetEnabled ¶
type RoleValidator ¶
type RoleValidator struct {
// contains filtered or unexported fields
}
RoleValidator is a Validator implementation for validating permissions required to CRUD Kubernetes (Cluster)Role resources
func NewRoleValidator ¶
func NewRoleValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, mapper meta.RESTMapper) *RoleValidator