
package rbac

import "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"

Package rbac implements the authorizer.Authorizer interface using role-based access control.

Package rbac implements the authorizer.Authorizer interface using role-based access control.

Index

Package Files

rbac.go subject_locator.go

func RuleAllows Uses

func RuleAllows(requestAttributes authorizer.Attributes, rule *rbacv1.PolicyRule) bool

func RulesAllow Uses

func RulesAllow(requestAttributes authorizer.Attributes, rules ...rbacv1.PolicyRule) bool

type ClusterRoleBindingLister Uses

// ClusterRoleBindingLister wraps a rbaclisters.ClusterRoleBindingLister.
// Its ListClusterRoleBindings method returns []*rbacv1.ClusterRoleBinding and an error.
// NOTE(review): presumably this adapts the lister to the
// rbacregistryvalidation.ClusterRoleBindingLister parameter accepted by New — confirm.
type ClusterRoleBindingLister struct {
    // Lister is the wrapped ClusterRoleBinding lister.
    Lister rbaclisters.ClusterRoleBindingLister
}

func (*ClusterRoleBindingLister) ListClusterRoleBindings Uses

func (l *ClusterRoleBindingLister) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)

type ClusterRoleGetter Uses

// ClusterRoleGetter wraps a rbaclisters.ClusterRoleLister.
// Its GetClusterRole method looks up a single *rbacv1.ClusterRole by name.
// NOTE(review): presumably this adapts the lister to the
// rbacregistryvalidation.ClusterRoleGetter parameter accepted by New — confirm.
type ClusterRoleGetter struct {
    // Lister is the wrapped ClusterRole lister.
    Lister rbaclisters.ClusterRoleLister
}

func (*ClusterRoleGetter) GetClusterRole Uses

func (g *ClusterRoleGetter) GetClusterRole(name string) (*rbacv1.ClusterRole, error)

type RBACAuthorizer Uses

// RBACAuthorizer is the type returned by New. Its Authorize method takes a
// context and the request attributes and returns an authorizer.Decision, a
// string and an error; its RulesFor method reports resource and non-resource
// rule info for a user in a namespace.
// NOTE(review): presumably this is the package's authorizer.Authorizer
// implementation — confirm against the interface definition.
type RBACAuthorizer struct {
    // contains filtered or unexported fields
}

func New Uses

func New(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister) *RBACAuthorizer

func (*RBACAuthorizer) Authorize Uses

func (r *RBACAuthorizer) Authorize(ctx context.Context, requestAttributes authorizer.Attributes) (authorizer.Decision, string, error)

func (*RBACAuthorizer) RulesFor Uses

func (r *RBACAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)

type RequestToRuleMapper Uses

// RequestToRuleMapper resolves the PolicyRules that apply to a subject in a namespace.
type RequestToRuleMapper interface {
    // RulesFor returns all known PolicyRules and any errors that happened while locating those rules.
    // Rules returned alongside an error are still valid: rules are deny by default, so a rule that
    // could not be located can only withhold access, not grant it. If the request is allowed by the
    // rules supplied, it does not have to be failed. If it is not, the error should be reported along
    // with the denial.
    RulesFor(subject user.Info, namespace string) ([]rbacv1.PolicyRule, error)

    // VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace,
    // and each error encountered resolving those rules. Rule may be nil if err is non-nil, so a
    // visitor must check err before dereferencing rule.
    // If visitor() returns false, visiting is short-circuited.
    VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
}

type RoleBindingLister Uses

// RoleBindingLister wraps a rbaclisters.RoleBindingLister.
// Its ListRoleBindings method takes a namespace and returns []*rbacv1.RoleBinding and an error.
// NOTE(review): presumably this adapts the lister to the
// rbacregistryvalidation.RoleBindingLister parameter accepted by New — confirm.
type RoleBindingLister struct {
    // Lister is the wrapped RoleBinding lister.
    Lister rbaclisters.RoleBindingLister
}

func (*RoleBindingLister) ListRoleBindings Uses

func (l *RoleBindingLister) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)

type RoleGetter Uses

// RoleGetter wraps a rbaclisters.RoleLister.
// Its GetRole method looks up a single *rbacv1.Role by namespace and name.
// NOTE(review): presumably this adapts the lister to the
// rbacregistryvalidation.RoleGetter parameter accepted by New — confirm.
type RoleGetter struct {
    // Lister is the wrapped Role lister.
    Lister rbaclisters.RoleLister
}

func (*RoleGetter) GetRole Uses

func (g *RoleGetter) GetRole(namespace, name string) (*rbacv1.Role, error)

type RoleToRuleMapper Uses

// RoleToRuleMapper resolves a role reference to the PolicyRules of the role it names.
type RoleToRuleMapper interface {
    // GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or
    // ClusterRoleBinding. The namespace passed in should be the namespace of the role binding,
    // or the empty string for a cluster role binding.
    // NOTE(review): the namespace comes from the binding, not from the request; confirm that
    // callers never substitute a request-supplied namespace here.
    GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
}

type SubjectAccessEvaluator Uses

// SubjectAccessEvaluator is the type returned by NewSubjectAccessEvaluator. Its
// AllowedSubjects method returns the subjects that can perform an action,
// together with any errors encountered while computing that list.
// NOTE(review): the constructor also takes a superUser string whose effect on
// the returned subjects is not visible here — confirm how it is applied before
// relying on the result for access reviews.
type SubjectAccessEvaluator struct {
    // contains filtered or unexported fields
}

func NewSubjectAccessEvaluator Uses

func NewSubjectAccessEvaluator(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister, superUser string) *SubjectAccessEvaluator

func (*SubjectAccessEvaluator) AllowedSubjects Uses

func (r *SubjectAccessEvaluator) AllowedSubjects(requestAttributes authorizer.Attributes) ([]rbacv1.Subject, error)

AllowedSubjects returns the subjects that can perform an action and any errors encountered while computing the list. Both subjects and errors can be returned together if some role bindings could not be resolved while others could; in that case the returned list may be incomplete.

type SubjectLocator Uses

// SubjectLocator reports which subjects are allowed to perform the action
// described by a set of request attributes.
type SubjectLocator interface {
    // AllowedSubjects returns the subjects allowed by the given attributes and an error.
    // NOTE(review): SubjectAccessEvaluator's method of the same name can return both
    // subjects and a non-nil error; presumably implementations of this interface share
    // that contract, so callers should not discard the error when the list is non-empty — confirm.
    AllowedSubjects(attributes authorizer.Attributes) ([]rbacv1.Subject, error)
}

Directories

Path Synopsis
bootstrappolicy

Package rbac imports 12 packages (graph) and is imported by 107 packages. Updated 2019-11-21. Refresh now. Tools for package owners.