kubernetes: k8s.io/kubernetes/pkg/registry/rbac/validation Index | Files

package validation

import "k8s.io/kubernetes/pkg/registry/rbac/validation"

Index

Package Files

internal_version_adapter.go policy_compact.go policy_comparator.go rule.go

func BreakdownRule Uses

func BreakdownRule(rule rbacv1.PolicyRule) []rbacv1.PolicyRule

BreakdownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one resource, and one resource name.

func CompactRules Uses

func CompactRules(rules []rbacv1.PolicyRule) ([]rbacv1.PolicyRule, error)

CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. This is a fast check, and it works well with the decomposed "missing rules" list returned by a Covers check.

func ConfirmNoEscalation Uses

func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleResolver, rules []rbacv1.PolicyRule) error

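ConfirmNoEscalation determines whether the roles held by a given user in a given namespace encompass the provided rules. The signature takes no user or namespace argument, so both are presumably read from ctx. The only result is an error, so callers should treat any non-nil error as "escalation not confirmed safe" and reject the change rather than proceed.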

func ConfirmNoEscalationInternal Uses

func ConfirmNoEscalationInternal(ctx context.Context, ruleResolver AuthorizationRuleResolver, inRules []rbac.PolicyRule) error

func Covers Uses

func Covers(ownerRules, servantRules []rbacv1.PolicyRule) (bool, []rbacv1.PolicyRule)

Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.

func NewTestRuleResolver Uses

func NewTestRuleResolver(roles []*rbacv1.Role, roleBindings []*rbacv1.RoleBinding, clusterRoles []*rbacv1.ClusterRole, clusterRoleBindings []*rbacv1.ClusterRoleBinding) (AuthorizationRuleResolver, *StaticRoles)

NewTestRuleResolver returns a rule resolver from lists of role objects.

type AuthorizationRuleResolver Uses

// AuthorizationRuleResolver resolves the RBAC policy rules that apply to a role
// reference or to a user in a namespace. ConfirmNoEscalation takes one as its
// ruleResolver argument.
type AuthorizationRuleResolver interface {
    // GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namespace
    // of the role binding, or the empty string for a cluster role binding.
    GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

    // RulesFor returns the list of rules that apply to a given user in a given namespace, plus an error. If an error is returned, the slice of
    // PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations
    // can be made on the basis of those rules that are found.
    // NOTE(review): a partial list can therefore under-report what the user holds; a caller that denies on the basis of a missing rule should
    // surface the returned error too, so a lookup failure is not mistaken for a genuine lack of permission.
    RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

    // VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules.
    // If visitor() returns false, visiting is short-circuited.
    // NOTE(review): presumably rule is nil on the calls that report an error; confirm against the implementation before dereferencing it.
    VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
}

type ClusterRoleBindingLister Uses

// ClusterRoleBindingLister lists ClusterRoleBindings. It is one of the four
// lookups that NewDefaultRuleResolver takes.
type ClusterRoleBindingLister interface {
    // ListClusterRoleBindings returns the cluster role bindings, or an error.
    ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
}

type ClusterRoleGetter Uses

// ClusterRoleGetter looks up a ClusterRole by name. It is one of the four
// lookups that NewDefaultRuleResolver takes.
type ClusterRoleGetter interface {
    // GetClusterRole returns the ClusterRole with the given name, or an error.
    GetClusterRole(name string) (*rbacv1.ClusterRole, error)
}

type DefaultRuleResolver Uses

// DefaultRuleResolver is the resolver returned by NewDefaultRuleResolver, which
// builds it from a RoleGetter, RoleBindingLister, ClusterRoleGetter and
// ClusterRoleBindingLister. Its methods (GetRoleReferenceRules, RulesFor,
// VisitRulesFor) match the AuthorizationRuleResolver method set.
type DefaultRuleResolver struct {
    // contains filtered or unexported fields
}

func NewDefaultRuleResolver Uses

func NewDefaultRuleResolver(roleGetter RoleGetter, roleBindingLister RoleBindingLister, clusterRoleGetter ClusterRoleGetter, clusterRoleBindingLister ClusterRoleBindingLister) *DefaultRuleResolver

func (*DefaultRuleResolver) GetRoleReferenceRules Uses

func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding.

func (*DefaultRuleResolver) RulesFor Uses

func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

func (*DefaultRuleResolver) VisitRulesFor Uses

func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

type RoleBindingLister Uses

// RoleBindingLister lists the RoleBindings of a namespace. It is one of the
// four lookups that NewDefaultRuleResolver takes.
type RoleBindingLister interface {
    // ListRoleBindings returns the role bindings for the given namespace, or an error.
    ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
}

type RoleGetter Uses

// RoleGetter looks up a namespaced Role. It is one of the four lookups that
// NewDefaultRuleResolver takes.
type RoleGetter interface {
    // GetRole returns the Role with the given name in the given namespace, or an error.
    GetRole(namespace, name string) (*rbacv1.Role, error)
}

type StaticRoles Uses

// StaticRoles is a rule resolver that resolves from lists of role objects.
// NewTestRuleResolver returns one alongside an AuthorizationRuleResolver. Its
// methods (GetRole, ListRoleBindings, GetClusterRole, ListClusterRoleBindings)
// match the RoleGetter, RoleBindingLister, ClusterRoleGetter and
// ClusterRoleBindingLister method sets.
type StaticRoles struct {
    // contains filtered or unexported fields
}

StaticRoles is a rule resolver that resolves from lists of role objects.

func (*StaticRoles) GetClusterRole Uses

func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)

func (*StaticRoles) GetRole Uses

func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)

func (*StaticRoles) ListClusterRoleBindings Uses

func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)

func (*StaticRoles) ListRoleBindings Uses

func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)

Package validation imports 14 packages (graph) and is imported by 46 packages. Updated 2019-04-02. Refresh now. Tools for package owners.