github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

Add auth API to get self subject attributes

Browse Source 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
This commit is contained in:
m.nabokikh 2022-07-22 04:01:52 +04:00
parent 178f246bbc
commit 00dfba473b
68 changed files with 3417 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

171
api/openapi-spec/swagger.json generated
View File

@ -1670,6 +1670,45 @@
},
"type": "object"
},
"io.k8s.api.authentication.v1alpha1.SelfSubjectReview": {
"description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
"description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
},
"status": {
"$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus",
"description": "Status is filled in by the server with the user attributes."
}
},
"type": "object",
"x-kubernetes-group-version-kind": [
{
"group": "authentication.k8s.io",
"kind": "SelfSubjectReview",
"version": "v1alpha1"
}
]
},
"io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus": {
"description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
"properties": {
"userInfo": {
"$ref": "#/definitions/io.k8s.api.authentication.v1.UserInfo",
"description": "User attributes of the user making this request."
}
},
"type": "object"
},
"io.k8s.api.authorization.v1.LocalSubjectAccessReview": {
"description": "LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.",
"properties": {
@ -13486,6 +13525,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -14164,6 +14208,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
@ -45965,6 +46014,128 @@
}
}
},
"/apis/authentication.k8s.io/v1alpha1/": {
"get": {
"consumes": [
"application/json",
"application/yaml",
"application/vnd.kubernetes.protobuf"
],
"description": "get available resources",
"operationId": "getAuthenticationV1alpha1APIResources",
"produces": [
"application/json",
"application/yaml",
"application/vnd.kubernetes.protobuf"
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
}
},
"401": {
"description": "Unauthorized"
}
},
"schemes": [
"https"
],
"tags": [
"authentication_v1alpha1"
]
}
},
"/apis/authentication.k8s.io/v1alpha1/selfsubjectreviews": {
"parameters": [
{
"description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
"in": "query",
"name": "dryRun",
"type": "string",
"uniqueItems": true
},
{
"description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
"in": "query",
"name": "fieldManager",
"type": "string",
"uniqueItems": true
},
{
"description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
"in": "query",
"name": "fieldValidation",
"type": "string",
"uniqueItems": true
},
{
"description": "If 'true', then the output is pretty printed.",
"in": "query",
"name": "pretty",
"type": "string",
"uniqueItems": true
}
],
"post": {
"consumes": [
"*/*"
],
"description": "create a SelfSubjectReview",
"operationId": "createAuthenticationV1alpha1SelfSubjectReview",
"parameters": [
{
"in": "body",
"name": "body",
"required": true,
"schema": {
"$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
}
],
"produces": [
"application/json",
"application/yaml",
"application/vnd.kubernetes.protobuf"
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"201": {
"description": "Created",
"schema": {
"$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"202": {
"description": "Accepted",
"schema": {
"$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"401": {
"description": "Unauthorized"
}
},
"schemes": [
"https"
],
"tags": [
"authentication_v1alpha1"
],
"x-kubernetes-action": "post",
"x-kubernetes-group-version-kind": {
"group": "authentication.k8s.io",
"kind": "SelfSubjectReview",
"version": "v1alpha1"
}
}
},
"/apis/authorization.k8s.io/": {
"get": {
"consumes": [

10
api/openapi-spec/v3/api__v1_openapi.json
View File

@ -8069,6 +8069,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -8774,6 +8779,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1_openapi.json
View File

@ -654,6 +654,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1354,6 +1359,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json
View File

@ -1043,6 +1043,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1686,6 +1691,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__apps__v1_openapi.json
View File

@ -5066,6 +5066,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -5766,6 +5771,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

580
api/openapi-spec/v3/apis__authentication.k8s.io__v1alpha1_openapi.json Normal file
View File

@ -0,0 +1,580 @@
{
"components": {
"schemas": {
"io.k8s.api.authentication.v1.UserInfo": {
"description": "UserInfo holds the information about the user needed to implement the user.Info interface.",
"properties": {
"extra": {
"additionalProperties": {
"items": {
"default": "",
"type": "string"
},
"type": "array"
},
"description": "Any additional information provided by the authenticator.",
"type": "object"
},
"groups": {
"description": "The names of groups this user is a part of.",
"items": {
"default": "",
"type": "string"
},
"type": "array"
},
"uid": {
"description": "A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.",
"type": "string"
},
"username": {
"description": "The name that uniquely identifies this user among all active users.",
"type": "string"
}
},
"type": "object"
},
"io.k8s.api.authentication.v1alpha1.SelfSubjectReview": {
"description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
}
],
"default": {},
"description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
},
"status": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus"
}
],
"default": {},
"description": "Status is filled in by the server with the user attributes."
}
},
"type": "object",
"x-kubernetes-group-version-kind": [
{
"group": "authentication.k8s.io",
"kind": "SelfSubjectReview",
"version": "v1alpha1"
}
]
},
"io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus": {
"description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
"properties": {
"userInfo": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.UserInfo"
}
],
"default": {},
"description": "User attributes of the user making this request."
}
},
"type": "object"
},
"io.k8s.apimachinery.pkg.apis.meta.v1.APIResource": {
"description": "APIResource specifies the name of a resource and whether it is namespaced.",
"properties": {
"categories": {
"description": "categories is a list of the grouped resources this resource belongs to (e.g. 'all')",
"items": {
"default": "",
"type": "string"
},
"type": "array"
},
"group": {
"description": "group is the preferred group of the resource. Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".",
"type": "string"
},
"kind": {
"default": "",
"description": "kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')",
"type": "string"
},
"name": {
"default": "",
"description": "name is the plural name of the resource.",
"type": "string"
},
"namespaced": {
"default": false,
"description": "namespaced indicates if a resource is namespaced or not.",
"type": "boolean"
},
"shortNames": {
"description": "shortNames is a list of suggested short names of the resource.",
"items": {
"default": "",
"type": "string"
},
"type": "array"
},
"singularName": {
"default": "",
"description": "singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.",
"type": "string"
},
"storageVersionHash": {
"description": "The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.",
"type": "string"
},
"verbs": {
"description": "verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)",
"items": {
"default": "",
"type": "string"
},
"type": "array"
},
"version": {
"description": "version is the preferred version of the resource. Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".",
"type": "string"
}
},
"required": [
"name",
"singularName",
"namespaced",
"kind",
"verbs"
],
"type": "object"
},
"io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList": {
"description": "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"groupVersion": {
"default": "",
"description": "groupVersion is the group and version this APIResourceList is for.",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"resources": {
"description": "resources contains the name of the resources and if they are namespaced.",
"items": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"
}
],
"default": {}
},
"type": "array"
}
},
"required": [
"groupVersion",
"resources"
],
"type": "object",
"x-kubernetes-group-version-kind": [
{
"group": "",
"kind": "APIResourceList",
"version": "v1"
}
]
},
"io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1": {
"description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff",
"type": "object"
},
"io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": {
"description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.",
"type": "string"
},
"fieldsType": {
"description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"",
"type": "string"
},
"fieldsV1": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"
}
],
"description": "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type."
},
"manager": {
"description": "Manager is an identifier of the workflow managing these fields.",
"type": "string"
},
"operation": {
"description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.",
"type": "string"
},
"subresource": {
"description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.",
"type": "string"
},
"time": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
}
],
"description": "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over."
}
},
"type": "object"
},
"io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta": {
"description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.",
"properties": {
"annotations": {
"additionalProperties": {
"default": "",
"type": "string"
},
"description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations",
"type": "object"
},
"creationTimestamp": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
}
],
"default": {},
"description": "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
},
"deletionGracePeriodSeconds": {
"description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.",
"format": "int64",
"type": "integer"
},
"deletionTimestamp": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
}
],
"description": "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
},
"finalizers": {
"description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.",
"items": {
"default": "",
"type": "string"
},
"type": "array",
"x-kubernetes-patch-strategy": "merge"
},
"generateName": {
"description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency",
"type": "string"
},
"generation": {
"description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.",
"format": "int64",
"type": "integer"
},
"labels": {
"additionalProperties": {
"default": "",
"type": "string"
},
"description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels",
"type": "object"
},
"managedFields": {
"description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.",
"items": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"
}
],
"default": {}
},
"type": "array"
},
"name": {
"description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names",
"type": "string"
},
"namespace": {
"description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces",
"type": "string"
},
"ownerReferences": {
"description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.",
"items": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"
}
],
"default": {}
},
"type": "array",
"x-kubernetes-patch-merge-key": "uid",
"x-kubernetes-patch-strategy": "merge"
},
"resourceVersion": {
"description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
"type": "string"
},
"selfLink": {
"description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
"type": "string"
},
"uid": {
"description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
"type": "string"
}
},
"type": "object"
},
"io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference": {
"description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.",
"properties": {
"apiVersion": {
"default": "",
"description": "API version of the referent.",
"type": "string"
},
"blockOwnerDeletion": {
"description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.",
"type": "boolean"
},
"controller": {
"description": "If true, this reference points to the managing controller.",
"type": "boolean"
},
"kind": {
"default": "",
"description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"name": {
"default": "",
"description": "Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names",
"type": "string"
},
"uid": {
"default": "",
"description": "UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
"type": "string"
}
},
"required": [
"apiVersion",
"kind",
"name",
"uid"
],
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"io.k8s.apimachinery.pkg.apis.meta.v1.Time": {
"description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.",
"format": "date-time",
"type": "string"
}
},
"securitySchemes": {
"BearerToken": {
"description": "Bearer Token authentication",
"in": "header",
"name": "authorization",
"type": "apiKey"
}
}
},
"info": {
"title": "Kubernetes",
"version": "unversioned"
},
"openapi": "3.0.0",
"paths": {
"/apis/authentication.k8s.io/v1alpha1/": {
"get": {
"description": "get available resources",
"operationId": "getAuthenticationV1alpha1APIResources",
"responses": {
"200": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
}
},
"application/vnd.kubernetes.protobuf": {
"schema": {
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
}
},
"application/yaml": {
"schema": {
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
}
}
},
"description": "OK"
},
"401": {
"description": "Unauthorized"
}
},
"tags": [
"authentication_v1alpha1"
]
}
},
"/apis/authentication.k8s.io/v1alpha1/selfsubjectreviews": {
"parameters": [
{
"description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
"in": "query",
"name": "dryRun",
"schema": {
"type": "string",
"uniqueItems": true
}
},
{
"description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
"in": "query",
"name": "fieldManager",
"schema": {
"type": "string",
"uniqueItems": true
}
},
{
"description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields, provided that the `ServerSideFieldValidation` feature gate is also enabled. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23 and is the default behavior when the `ServerSideFieldValidation` feature gate is disabled. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default when the `ServerSideFieldValidation` feature gate is enabled. - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
"in": "query",
"name": "fieldValidation",
"schema": {
"type": "string",
"uniqueItems": true
}
},
{
"description": "If 'true', then the output is pretty printed.",
"in": "query",
"name": "pretty",
"schema": {
"type": "string",
"uniqueItems": true
}
}
],
"post": {
"description": "create a SelfSubjectReview",
"operationId": "createAuthenticationV1alpha1SelfSubjectReview",
"requestBody": {
"content": {
"*/*": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
}
}
},
"responses": {
"200": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"application/vnd.kubernetes.protobuf": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"application/yaml": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
}
},
"description": "OK"
},
"201": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"application/vnd.kubernetes.protobuf": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"application/yaml": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
}
},
"description": "Created"
},
"202": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"application/vnd.kubernetes.protobuf": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
},
"application/yaml": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
}
}
},
"description": "Accepted"
},
"401": {
"description": "Unauthorized"
}
},
"tags": [
"authentication_v1alpha1"
],
"x-kubernetes-action": "post",
"x-kubernetes-group-version-kind": {
"group": "authentication.k8s.io",
"kind": "SelfSubjectReview",
"version": "v1alpha1"
}
}
}
}
}

10
api/openapi-spec/v3/apis__autoscaling__v1_openapi.json
View File

@ -413,6 +413,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1056,6 +1061,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__autoscaling__v2_openapi.json
View File

@ -1066,6 +1066,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1766,6 +1771,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__batch__v1_openapi.json
View File

@ -4260,6 +4260,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -4960,6 +4965,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__certificates.k8s.io__v1_openapi.json
View File

@ -451,6 +451,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1094,6 +1099,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__coordination.k8s.io__v1_openapi.json
View File

@ -340,6 +340,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -988,6 +993,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__discovery.k8s.io__v1_openapi.json
View File

@ -503,6 +503,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1146,6 +1151,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__events.k8s.io__v1_openapi.json
View File

@ -462,6 +462,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1110,6 +1115,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__flowcontrol.apiserver.k8s.io__v1beta2_openapi.json
View File

@ -913,6 +913,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1556,6 +1561,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__internal.apiserver.k8s.io__v1alpha1_openapi.json
View File

@ -430,6 +430,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1073,6 +1078,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__networking.k8s.io__v1_openapi.json
View File

@ -1090,6 +1090,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1790,6 +1795,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__networking.k8s.io__v1alpha1_openapi.json
View File

@ -418,6 +418,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1061,6 +1066,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__node.k8s.io__v1_openapi.json
View File

@ -403,6 +403,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1046,6 +1051,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__policy__v1_openapi.json
View File

@ -462,6 +462,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1162,6 +1167,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json
View File

@ -723,6 +723,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1423,6 +1428,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__scheduling.k8s.io__v1_openapi.json
View File

@ -316,6 +316,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -959,6 +964,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json
View File

@ -2155,6 +2155,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -2855,6 +2860,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

10
api/openapi-spec/v3/apis__storage.k8s.io__v1beta1_openapi.json
View File

@ -342,6 +342,11 @@
"kind": "DeleteOptions",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "DeleteOptions",
@ -1042,6 +1047,11 @@
"kind": "WatchEvent",
"version": "v1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{
"group": "authentication.k8s.io",
"kind": "WatchEvent",

1
cmd/kube-apiserver/app/aggregator.go
View File

@ -251,6 +251,7 @@ var apiVersionPriorities = map[schema.GroupVersion]priority{
{Group: "events.k8s.io", Version: "v1"}: {group: 17750, version: 15},
{Group: "events.k8s.io", Version: "v1beta1"}: {group: 17750, version: 5},
{Group: "authentication.k8s.io", Version: "v1"}: {group: 17700, version: 15},
{Group: "authentication.k8s.io", Version: "v1alpha1"}: {group: 17700, version: 1},
{Group: "authorization.k8s.io", Version: "v1"}: {group: 17600, version: 15},
{Group: "autoscaling", Version: "v1"}: {group: 17500, version: 15},
{Group: "autoscaling", Version: "v2"}: {group: 17500, version: 30},

1
hack/lib/init.sh
View File

@ -72,6 +72,7 @@ apps/v1 \
apps/v1beta1 \
apps/v1beta2 \
authentication.k8s.io/v1 \
authentication.k8s.io/v1alpha1 \
authentication.k8s.io/v1beta1 \
authorization.k8s.io/v1 \
authorization.k8s.io/v1beta1 \

4
pkg/apis/authentication/install/install.go
View File

@ -24,6 +24,7 @@ import (
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/authentication"
"k8s.io/kubernetes/pkg/apis/authentication/v1"
"k8s.io/kubernetes/pkg/apis/authentication/v1alpha1"
"k8s.io/kubernetes/pkg/apis/authentication/v1beta1"
)
@ -35,6 +36,7 @@ func init() {
func Install(scheme *runtime.Scheme) {
utilruntime.Must(authentication.AddToScheme(scheme))
utilruntime.Must(v1beta1.AddToScheme(scheme))
utilruntime.Must(v1alpha1.AddToScheme(scheme))
utilruntime.Must(v1.AddToScheme(scheme))
utilruntime.Must(scheme.SetVersionPriority(v1.SchemeGroupVersion, v1beta1.SchemeGroupVersion))
utilruntime.Must(scheme.SetVersionPriority(v1.SchemeGroupVersion, v1beta1.SchemeGroupVersion, v1alpha1.SchemeGroupVersion))
}

1
pkg/apis/authentication/register.go
View File

@ -48,6 +48,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&TokenReview{},
&TokenRequest{},
&SelfSubjectReview{},
)
return nil
}

19
pkg/apis/authentication/types.go
View File

@ -162,3 +162,22 @@ type BoundObjectReference struct {
// UID of the referent.
UID types.UID
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated.
type SelfSubjectReview struct {
metav1.TypeMeta
// ObjectMeta fulfills the metav1.ObjectMetaAccessor interface so that the stock.
// REST handler paths work.
metav1.ObjectMeta
// Status is filled in by the server with the user attributes.
Status SelfSubjectReviewStatus
}
// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
type SelfSubjectReviewStatus struct {
// User attributes of the user making this request.
UserInfo UserInfo
}

25
pkg/apis/authentication/v1alpha1/defaults.go Normal file
View File

@ -0,0 +1,25 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
"k8s.io/apimachinery/pkg/runtime"
)
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}

23
pkg/apis/authentication/v1alpha1/doc.go Normal file
View File

@ -0,0 +1,23 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/authentication
// +k8s:conversion-gen-external-types=k8s.io/api/authentication/v1alpha1
// +groupName=authentication.k8s.io
// +k8s:defaulter-gen=TypeMeta
// +k8s:defaulter-gen-input=k8s.io/api/authentication/v1alpha1
package v1alpha1 // import "k8s.io/kubernetes/pkg/apis/authentication/v1alpha1"

46
pkg/apis/authentication/v1alpha1/register.go Normal file
View File

@ -0,0 +1,46 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// GroupName is the group name use in this package
const GroupName = "authentication.k8s.io"
// SchemeGroupVersion is group version used to register these objects
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
// Resource takes an unqualified resource and returns a Group qualified GroupResource
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}
var (
localSchemeBuilder = &authenticationv1alpha1.SchemeBuilder
// AddToScheme is a common registration function for mapping packaged scoped group & version keys to a scheme
AddToScheme = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addDefaultingFuncs)
}

110
pkg/apis/authentication/v1alpha1/zz_generated.conversion.go generated Normal file
View File

@ -0,0 +1,110 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "k8s.io/api/authentication/v1alpha1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
authentication "k8s.io/kubernetes/pkg/apis/authentication"
v1 "k8s.io/kubernetes/pkg/apis/authentication/v1"
)
func init() {
localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
if err := s.AddGeneratedConversionFunc((*v1alpha1.SelfSubjectReview)(nil), (*authentication.SelfSubjectReview)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_SelfSubjectReview_To_authentication_SelfSubjectReview(a.(*v1alpha1.SelfSubjectReview), b.(*authentication.SelfSubjectReview), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*authentication.SelfSubjectReview)(nil), (*v1alpha1.SelfSubjectReview)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_authentication_SelfSubjectReview_To_v1alpha1_SelfSubjectReview(a.(*authentication.SelfSubjectReview), b.(*v1alpha1.SelfSubjectReview), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1alpha1.SelfSubjectReviewStatus)(nil), (*authentication.SelfSubjectReviewStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(a.(*v1alpha1.SelfSubjectReviewStatus), b.(*authentication.SelfSubjectReviewStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*authentication.SelfSubjectReviewStatus)(nil), (*v1alpha1.SelfSubjectReviewStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_authentication_SelfSubjectReviewStatus_To_v1alpha1_SelfSubjectReviewStatus(a.(*authentication.SelfSubjectReviewStatus), b.(*v1alpha1.SelfSubjectReviewStatus), scope)
}); err != nil {
return err
}
return nil
}
func autoConvert_v1alpha1_SelfSubjectReview_To_authentication_SelfSubjectReview(in *v1alpha1.SelfSubjectReview, out *authentication.SelfSubjectReview, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_v1alpha1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(&in.Status, &out.Status, s); err != nil {
return err
}
return nil
}
// Convert_v1alpha1_SelfSubjectReview_To_authentication_SelfSubjectReview is an autogenerated conversion function.
func Convert_v1alpha1_SelfSubjectReview_To_authentication_SelfSubjectReview(in *v1alpha1.SelfSubjectReview, out *authentication.SelfSubjectReview, s conversion.Scope) error {
return autoConvert_v1alpha1_SelfSubjectReview_To_authentication_SelfSubjectReview(in, out, s)
}
func autoConvert_authentication_SelfSubjectReview_To_v1alpha1_SelfSubjectReview(in *authentication.SelfSubjectReview, out *v1alpha1.SelfSubjectReview, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_authentication_SelfSubjectReviewStatus_To_v1alpha1_SelfSubjectReviewStatus(&in.Status, &out.Status, s); err != nil {
return err
}
return nil
}
// Convert_authentication_SelfSubjectReview_To_v1alpha1_SelfSubjectReview is an autogenerated conversion function.
func Convert_authentication_SelfSubjectReview_To_v1alpha1_SelfSubjectReview(in *authentication.SelfSubjectReview, out *v1alpha1.SelfSubjectReview, s conversion.Scope) error {
return autoConvert_authentication_SelfSubjectReview_To_v1alpha1_SelfSubjectReview(in, out, s)
}
func autoConvert_v1alpha1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in *v1alpha1.SelfSubjectReviewStatus, out *authentication.SelfSubjectReviewStatus, s conversion.Scope) error {
if err := v1.Convert_v1_UserInfo_To_authentication_UserInfo(&in.UserInfo, &out.UserInfo, s); err != nil {
return err
}
return nil
}
// Convert_v1alpha1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus is an autogenerated conversion function.
func Convert_v1alpha1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in *v1alpha1.SelfSubjectReviewStatus, out *authentication.SelfSubjectReviewStatus, s conversion.Scope) error {
return autoConvert_v1alpha1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in, out, s)
}
func autoConvert_authentication_SelfSubjectReviewStatus_To_v1alpha1_SelfSubjectReviewStatus(in *authentication.SelfSubjectReviewStatus, out *v1alpha1.SelfSubjectReviewStatus, s conversion.Scope) error {
if err := v1.Convert_authentication_UserInfo_To_v1_UserInfo(&in.UserInfo, &out.UserInfo, s); err != nil {
return err
}
return nil
}
// Convert_authentication_SelfSubjectReviewStatus_To_v1alpha1_SelfSubjectReviewStatus is an autogenerated conversion function.
func Convert_authentication_SelfSubjectReviewStatus_To_v1alpha1_SelfSubjectReviewStatus(in *authentication.SelfSubjectReviewStatus, out *v1alpha1.SelfSubjectReviewStatus, s conversion.Scope) error {
return autoConvert_authentication_SelfSubjectReviewStatus_To_v1alpha1_SelfSubjectReviewStatus(in, out, s)
}

33
pkg/apis/authentication/v1alpha1/zz_generated.defaults.go generated Normal file
View File

@ -0,0 +1,33 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
func RegisterDefaults(scheme *runtime.Scheme) error {
return nil
}

44
pkg/apis/authentication/zz_generated.deepcopy.go generated
View File

@ -61,6 +61,50 @@ func (in ExtraValue) DeepCopy() ExtraValue {
return *out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SelfSubjectReview) DeepCopyInto(out *SelfSubjectReview) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectReview.
func (in *SelfSubjectReview) DeepCopy() *SelfSubjectReview {
if in == nil {
return nil
}
out := new(SelfSubjectReview)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *SelfSubjectReview) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SelfSubjectReviewStatus) DeepCopyInto(out *SelfSubjectReviewStatus) {
*out = *in
in.UserInfo.DeepCopyInto(&out.UserInfo)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectReviewStatus.
func (in *SelfSubjectReviewStatus) DeepCopy() *SelfSubjectReviewStatus {
if in == nil {
return nil
}
out := new(SelfSubjectReviewStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TokenRequest) DeepCopyInto(out *TokenRequest) {
*out = *in

2
pkg/controlplane/instance.go
View File

@ -29,6 +29,7 @@ import (
apiserverinternalv1alpha1 "k8s.io/api/apiserverinternal/v1alpha1"
appsv1 "k8s.io/api/apps/v1"
authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
authorizationapiv1 "k8s.io/api/authorization/v1"
autoscalingapiv1 "k8s.io/api/autoscaling/v1"
autoscalingapiv2 "k8s.io/api/autoscaling/v2"
@ -654,6 +655,7 @@ var (
// alphaAPIGroupVersionsDisabledByDefault holds the alpha APIs we have. They are always disabled by default.
alphaAPIGroupVersionsDisabledByDefault = []schema.GroupVersion{
apiserverinternalv1alpha1.SchemeGroupVersion,
authenticationv1alpha1.SchemeGroupVersion,
networkingapiv1alpha1.SchemeGroupVersion,
storageapiv1alpha1.SchemeGroupVersion,
flowcontrolv1alpha1.SchemeGroupVersion,

8
pkg/features/kube_features.go
View File

@ -43,6 +43,12 @@ const (
// Enables usage of any object for volume data source in PVCs
AnyVolumeDataSource featuregate.Feature = "AnyVolumeDataSource"
// owner: @nabokihms
// alpha: v1.26
//
// Enables API to get self subject attributes after authentication.
APISelfSubjectReview featuregate.Feature = "APISelfSubjectReview"
// owner: @tallclair
// beta: v1.4
AppArmor featuregate.Feature = "AppArmor"
@ -878,6 +884,8 @@ func init() {
var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
AnyVolumeDataSource: {Default: true, PreRelease: featuregate.Beta}, // on by default in 1.24
APISelfSubjectReview: {Default: false, PreRelease: featuregate.Alpha},
AppArmor: {Default: true, PreRelease: featuregate.Beta},
CPUCFSQuotaPeriod: {Default: false, PreRelease: featuregate.Alpha},

67
pkg/generated/openapi/zz_generated.openapi.go generated
View File

@ -152,6 +152,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"k8s.io/api/authentication/v1.TokenReviewSpec": schema_k8sio_api_authentication_v1_TokenReviewSpec(ref),
"k8s.io/api/authentication/v1.TokenReviewStatus": schema_k8sio_api_authentication_v1_TokenReviewStatus(ref),
"k8s.io/api/authentication/v1.UserInfo": schema_k8sio_api_authentication_v1_UserInfo(ref),
"k8s.io/api/authentication/v1alpha1.SelfSubjectReview": schema_k8sio_api_authentication_v1alpha1_SelfSubjectReview(ref),
"k8s.io/api/authentication/v1alpha1.SelfSubjectReviewStatus": schema_k8sio_api_authentication_v1alpha1_SelfSubjectReviewStatus(ref),
"k8s.io/api/authentication/v1beta1.TokenReview": schema_k8sio_api_authentication_v1beta1_TokenReview(ref),
"k8s.io/api/authentication/v1beta1.TokenReviewSpec": schema_k8sio_api_authentication_v1beta1_TokenReviewSpec(ref),
"k8s.io/api/authentication/v1beta1.TokenReviewStatus": schema_k8sio_api_authentication_v1beta1_TokenReviewStatus(ref),
@ -7358,6 +7360,71 @@ func schema_k8sio_api_authentication_v1_UserInfo(ref common.ReferenceCallback) c
}
}
func schema_k8sio_api_authentication_v1alpha1_SelfSubjectReview(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
Type: []string{"string"},
Format: "",
},
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
Type: []string{"string"},
Format: "",
},
},
"metadata": {
SchemaProps: spec.SchemaProps{
Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
Default: map[string]interface{}{},
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
},
},
"status": {
SchemaProps: spec.SchemaProps{
Description: "Status is filled in by the server with the user attributes.",
Default: map[string]interface{}{},
Ref: ref("k8s.io/api/authentication/v1alpha1.SelfSubjectReviewStatus"),
},
},
},
},
},
Dependencies: []string{
"k8s.io/api/authentication/v1alpha1.SelfSubjectReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
}
}
func schema_k8sio_api_authentication_v1alpha1_SelfSubjectReviewStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"userInfo": {
SchemaProps: spec.SchemaProps{
Description: "User attributes of the user making this request.",
Default: map[string]interface{}{},
Ref: ref("k8s.io/api/authentication/v1.UserInfo"),
},
},
},
},
},
Dependencies: []string{
"k8s.io/api/authentication/v1.UserInfo"},
}
}
func schema_k8sio_api_authentication_v1beta1_TokenReview(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{

1
pkg/quota/v1/install/registry.go
View File

@ -44,6 +44,7 @@ var ignoredResources = map[schema.GroupResource]struct{}{
{Group: "", Resource: "bindings"}: {},
{Group: "", Resource: "componentstatuses"}: {},
{Group: authentication.GroupName, Resource: "tokenreviews"}: {},
{Group: authentication.GroupName, Resource: "selfsubjectreviews"}: {},
{Group: authorization.GroupName, Resource: "subjectaccessreviews"}: {},
{Group: authorization.GroupName, Resource: "selfsubjectaccessreviews"}: {},
{Group: authorization.GroupName, Resource: "localsubjectaccessreviews"}: {},

24
pkg/registry/authentication/rest/storage_authentication.go
View File

@ -18,13 +18,18 @@ package rest
import (
authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/registry/generic"
"k8s.io/apiserver/pkg/registry/rest"
genericapiserver "k8s.io/apiserver/pkg/server"
serverstorage "k8s.io/apiserver/pkg/server/storage"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/authentication"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/registry/authentication/selfsubjectreview"
"k8s.io/kubernetes/pkg/registry/authentication/tokenreview"
)
@ -43,6 +48,10 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
// If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
// TODO refactor the plumbing to provide the information in the APIGroupInfo
if storageMap := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); len(storageMap) > 0 {
apiGroupInfo.VersionedResourcesStorageMap[authenticationv1alpha1.SchemeGroupVersion.Version] = storageMap
}
if storageMap := p.v1Storage(apiResourceConfigSource, restOptionsGetter); len(storageMap) > 0 {
apiGroupInfo.VersionedResourcesStorageMap[authenticationv1.SchemeGroupVersion.Version] = storageMap
}
@ -62,6 +71,21 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API
return storage
}
func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
storage := map[string]rest.Storage{}
// selfsubjectreviews
if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1alpha1.SchemeGroupVersion.WithResource(resource)) {
if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) {
selfSRStorage := selfsubjectreview.NewREST()
storage[resource] = selfSRStorage
} else {
klog.Warningln("SelfSubjectReview API is disabled because corresponding feature gate APISelfSubjectReview is not enabled.")
}
}
return storage
}
func (p RESTStorageProvider) GroupName() string {
return authentication.GroupName
}

95
pkg/registry/authentication/selfsubjectreview/rest.go Normal file
View File

@ -0,0 +1,95 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package selfsubjectreview
import (
"context"
"fmt"
"time"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
)
// REST implements a RESTStorage for selfsubjectreviews.
type REST struct {
}
// NewREST returns a RESTStorage object that will work against selfsubjectrulesreviews.
func NewREST() *REST {
return &REST{}
}
// NamespaceScoped fulfill rest.Scoper
func (r *REST) NamespaceScoped() bool {
return false
}
// New creates a new selfsubjectrulesreview object.
func (r *REST) New() runtime.Object {
return &authenticationapi.SelfSubjectReview{}
}
// Destroy cleans up resources on shutdown.
func (r *REST) Destroy() {
// Given no underlying store, we don't destroy anything
// here explicitly.
}
// Create returns attributes of the subject making the request.
func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
if createValidation != nil {
if err := createValidation(ctx, obj.DeepCopyObject()); err != nil {
return nil, err
}
}
_, ok := obj.(*authenticationapi.SelfSubjectReview)
if !ok {
return nil, apierrors.NewBadRequest(fmt.Sprintf("not a SelfSubjectReview: %#v", obj))
}
user, ok := genericapirequest.UserFrom(ctx)
if !ok {
return nil, apierrors.NewBadRequest("no user present on request")
}
extra := user.GetExtra()
selfSAR := &authenticationapi.SelfSubjectReview{
ObjectMeta: metav1.ObjectMeta{
CreationTimestamp: metav1.NewTime(time.Now()),
},
Status: authenticationapi.SelfSubjectReviewStatus{
UserInfo: authenticationapi.UserInfo{
Username: user.GetName(),
UID: user.GetUID(),
Groups: user.GetGroups(),
Extra: make(map[string]authenticationapi.ExtraValue, len(extra)),
},
},
}
for key, attr := range extra {
selfSAR.Status.UserInfo.Extra[key] = attr
}
return selfSAR, nil
}

20
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@ -24,7 +24,9 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user"
utilfeature "k8s.io/apiserver/pkg/util/feature"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
"k8s.io/kubernetes/pkg/features"
)
// Write and other vars are slices of the allowed verbs.
@ -214,13 +216,21 @@ func ClusterRoles() []rbacv1.ClusterRole {
).RuleOrDie(),
},
},
}
basicUserRules := []rbacv1.PolicyRule{
rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews", "selfsubjectrulesreviews").RuleOrDie(),
}
if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) {
basicUserRules = append(basicUserRules, rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("selfsubjectreviews").RuleOrDie())
}
roles = append(roles, []rbacv1.ClusterRole{
{
// a role which provides minimal resource access to allow a "normal" user to learn information about themselves
ObjectMeta: metav1.ObjectMeta{Name: "system:basic-user"},
Rules: []rbacv1.PolicyRule{
// TODO add future selfsubjectrulesreview, project request APIs, project listing APIs
rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews", "selfsubjectrulesreviews").RuleOrDie(),
},
Rules: basicUserRules,
},
{
// a role which provides just enough power read insensitive cluster information
@ -495,7 +505,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
rbacv1helpers.NewRule("approve").Groups(certificatesGroup).Resources("signers").Names(capi.KubeAPIServerClientKubeletSignerName).RuleOrDie(),
},
},
}
}...)
// Add the cluster role for reading the ServiceAccountIssuerDiscovery endpoints
roles = append(roles, rbacv1.ClusterRole{

23
staging/src/k8s.io/api/authentication/v1alpha1/doc.go Normal file
View File

@ -0,0 +1,23 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:deepcopy-gen=package
// +k8s:protobuf-gen=package
// +groupName=authentication.k8s.io
// +k8s:openapi-gen=true
// +k8s:prerelease-lifecycle-gen=true
package v1alpha1 // import "k8s.io/api/authentication/v1alpha1"

567
staging/src/k8s.io/api/authentication/v1alpha1/generated.pb.go generated Normal file
View File

@ -0,0 +1,567 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: k8s.io/kubernetes/vendor/k8s.io/api/authentication/v1alpha1/generated.proto
package v1alpha1
import (
fmt "fmt"
io "io"
proto "github.com/gogo/protobuf/proto"
math "math"
math_bits "math/bits"
reflect "reflect"
strings "strings"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
func (m *SelfSubjectReview) Reset() { *m = SelfSubjectReview{} }
func (*SelfSubjectReview) ProtoMessage() {}
func (*SelfSubjectReview) Descriptor() ([]byte, []int) {
return fileDescriptor_05a77aeb710b43c2, []int{0}
}
func (m *SelfSubjectReview) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *SelfSubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
func (m *SelfSubjectReview) XXX_Merge(src proto.Message) {
xxx_messageInfo_SelfSubjectReview.Merge(m, src)
}
func (m *SelfSubjectReview) XXX_Size() int {
return m.Size()
}
func (m *SelfSubjectReview) XXX_DiscardUnknown() {
xxx_messageInfo_SelfSubjectReview.DiscardUnknown(m)
}
var xxx_messageInfo_SelfSubjectReview proto.InternalMessageInfo
func (m *SelfSubjectReviewStatus) Reset() { *m = SelfSubjectReviewStatus{} }
func (*SelfSubjectReviewStatus) ProtoMessage() {}
func (*SelfSubjectReviewStatus) Descriptor() ([]byte, []int) {
return fileDescriptor_05a77aeb710b43c2, []int{1}
}
func (m *SelfSubjectReviewStatus) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *SelfSubjectReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
func (m *SelfSubjectReviewStatus) XXX_Merge(src proto.Message) {
xxx_messageInfo_SelfSubjectReviewStatus.Merge(m, src)
}
func (m *SelfSubjectReviewStatus) XXX_Size() int {
return m.Size()
}
func (m *SelfSubjectReviewStatus) XXX_DiscardUnknown() {
xxx_messageInfo_SelfSubjectReviewStatus.DiscardUnknown(m)
}
var xxx_messageInfo_SelfSubjectReviewStatus proto.InternalMessageInfo
func init() {
proto.RegisterType((*SelfSubjectReview)(nil), "k8s.io.api.authentication.v1alpha1.SelfSubjectReview")
proto.RegisterType((*SelfSubjectReviewStatus)(nil), "k8s.io.api.authentication.v1alpha1.SelfSubjectReviewStatus")
}
func init() {
proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/authentication/v1alpha1/generated.proto", fileDescriptor_05a77aeb710b43c2)
}
var fileDescriptor_05a77aeb710b43c2 = []byte{
// 384 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x92, 0xbd, 0x6e, 0xdb, 0x30,
0x14, 0x85, 0xc5, 0x0e, 0x86, 0xa1, 0x02, 0x45, 0xab, 0xa5, 0x86, 0x07, 0xba, 0xd0, 0x50, 0x74,
0x68, 0xc9, 0xba, 0x28, 0x8a, 0x02, 0xdd, 0x34, 0x35, 0x08, 0x82, 0x00, 0x72, 0xb2, 0x64, 0x0a,
0x25, 0x5f, 0x4b, 0x8c, 0x2c, 0x52, 0x10, 0x49, 0x05, 0xd9, 0xf2, 0x08, 0x79, 0x2c, 0x8f, 0x1e,
0x8d, 0x0c, 0x46, 0xac, 0xbc, 0x48, 0x20, 0x59, 0xb6, 0x11, 0x3b, 0xb6, 0x37, 0xde, 0xc3, 0xfb,
0x9d, 0x7b, 0xf8, 0x63, 0x9f, 0x26, 0x7f, 0x15, 0xe1, 0x92, 0x26, 0x26, 0x80, 0x5c, 0x80, 0x06,
0x45, 0x0b, 0x10, 0x43, 0x99, 0xd3, 0x66, 0x83, 0x65, 0x9c, 0x32, 0xa3, 0x63, 0x10, 0x9a, 0x87,
0x4c, 0x73, 0x29, 0x68, 0xd1, 0x67, 0xe3, 0x2c, 0x66, 0x7d, 0x1a, 0x81, 0x80, 0x9c, 0x69, 0x18,
0x92, 0x2c, 0x97, 0x5a, 0x3a, 0xee, 0x92, 0x21, 0x2c, 0xe3, 0xe4, 0x35, 0x43, 0x56, 0x4c, 0xf7,
0x47, 0xc4, 0x75, 0x6c, 0x02, 0x12, 0xca, 0x94, 0x46, 0x32, 0x92, 0xb4, 0x46, 0x03, 0x33, 0xaa,
0xab, 0xba, 0xa8, 0x57, 0x4b, 0xcb, 0xee, 0xf7, 0x43, 0x31, 0xb6, 0x03, 0x74, 0x7f, 0x6f, 0xba,
0x53, 0x16, 0xc6, 0x5c, 0x40, 0x7e, 0x47, 0xb3, 0x24, 0xaa, 0x04, 0x45, 0x53, 0xd0, 0xec, 0x2d,
0x8a, 0xee, 0xa3, 0x72, 0x23, 0x34, 0x4f, 0x61, 0x07, 0xf8, 0x73, 0x0c, 0x50, 0x61, 0x0c, 0x29,
0xdb, 0xe6, 0xdc, 0x47, 0x64, 0x7f, 0x1a, 0xc0, 0x78, 0x34, 0x30, 0xc1, 0x0d, 0x84, 0xda, 0x87,
0x82, 0xc3, 0xad, 0x73, 0x6d, 0xb7, 0xab, 0x64, 0x43, 0xa6, 0x59, 0x07, 0x7d, 0x41, 0xdf, 0xde,
0xff, 0xfa, 0x49, 0x36, 0x17, 0xb9, 0x1e, 0x40, 0xb2, 0x24, 0xaa, 0x04, 0x45, 0xaa, 0x6e, 0x52,
0xf4, 0xc9, 0x79, 0xed, 0x72, 0x06, 0x9a, 0x79, 0xce, 0x64, 0xde, 0xb3, 0xca, 0x79, 0xcf, 0xde,
0x68, 0xfe, 0xda, 0xd5, 0x09, 0xed, 0x96, 0xd2, 0x4c, 0x1b, 0xd5, 0x79, 0x57, 0xfb, 0xff, 0x23,
0xc7, 0x1f, 0x8a, 0xec, 0x04, 0x1d, 0xd4, 0x16, 0xde, 0x87, 0x66, 0x54, 0x6b, 0x59, 0xfb, 0x8d,
0xb5, 0x2b, 0xed, 0xcf, 0x7b, 0x10, 0xe7, 0xc2, 0x6e, 0x1b, 0x05, 0xf9, 0x89, 0x18, 0xc9, 0xe6,
0x84, 0x5f, 0x0f, 0x26, 0x20, 0x97, 0x4d, 0xb7, 0xf7, 0xb1, 0x19, 0xd6, 0x5e, 0x29, 0xfe, 0xda,
0xc9, 0xfb, 0x3f, 0x59, 0x60, 0x6b, 0xba, 0xc0, 0xd6, 0x6c, 0x81, 0xad, 0xfb, 0x12, 0xa3, 0x49,
0x89, 0xd1, 0xb4, 0xc4, 0x68, 0x56, 0x62, 0xf4, 0x54, 0x62, 0xf4, 0xf0, 0x8c, 0xad, 0x2b, 0xf7,
0xf8, 0x3f, 0x7e, 0x09, 0x00, 0x00, 0xff, 0xff, 0xec, 0xf9, 0xa3, 0xcd, 0x05, 0x03, 0x00, 0x00,
}
func (m *SelfSubjectReview) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *SelfSubjectReview) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *SelfSubjectReview) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
{
size, err := m.Status.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x12
{
size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0xa
return len(dAtA) - i, nil
}
func (m *SelfSubjectReviewStatus) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *SelfSubjectReviewStatus) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *SelfSubjectReviewStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
{
size, err := m.UserInfo.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0xa
return len(dAtA) - i, nil
}
func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
offset -= sovGenerated(v)
base := offset
for v >= 1<<7 {
dAtA[offset] = uint8(v&0x7f | 0x80)
v >>= 7
offset++
}
dAtA[offset] = uint8(v)
return base
}
func (m *SelfSubjectReview) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
l = m.ObjectMeta.Size()
n += 1 + l + sovGenerated(uint64(l))
l = m.Status.Size()
n += 1 + l + sovGenerated(uint64(l))
return n
}
func (m *SelfSubjectReviewStatus) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
l = m.UserInfo.Size()
n += 1 + l + sovGenerated(uint64(l))
return n
}
func sovGenerated(x uint64) (n int) {
return (math_bits.Len64(x|1) + 6) / 7
}
func sozGenerated(x uint64) (n int) {
return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (this *SelfSubjectReview) String() string {
if this == nil {
return "nil"
}
s := strings.Join([]string{`&SelfSubjectReview{`,
`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SelfSubjectReviewStatus", "SelfSubjectReviewStatus", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
}
func (this *SelfSubjectReviewStatus) String() string {
if this == nil {
return "nil"
}
s := strings.Join([]string{`&SelfSubjectReviewStatus{`,
`UserInfo:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.UserInfo), "UserInfo", "v11.UserInfo", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
}
func valueToStringGenerated(v interface{}) string {
rv := reflect.ValueOf(v)
if rv.IsNil() {
return "nil"
}
pv := reflect.Indirect(rv).Interface()
return fmt.Sprintf("*%v", pv)
}
func (m *SelfSubjectReview) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: SelfSubjectReview: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: SelfSubjectReview: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
if err != nil {
return err
}
if (skippy < 0) || (iNdEx+skippy) < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func (m *SelfSubjectReviewStatus) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: SelfSubjectReviewStatus: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: SelfSubjectReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field UserInfo", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.UserInfo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
if err != nil {
return err
}
if (skippy < 0) || (iNdEx+skippy) < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func skipGenerated(dAtA []byte) (n int, err error) {
l := len(dAtA)
iNdEx := 0
depth := 0
for iNdEx < l {
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowGenerated
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
wireType := int(wire & 0x7)
switch wireType {
case 0:
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowGenerated
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
iNdEx++
if dAtA[iNdEx-1] < 0x80 {
break
}
}
case 1:
iNdEx += 8
case 2:
var length int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowGenerated
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
length |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
if length < 0 {
return 0, ErrInvalidLengthGenerated
}
iNdEx += length
case 3:
depth++
case 4:
if depth == 0 {
return 0, ErrUnexpectedEndOfGroupGenerated
}
depth--
case 5:
iNdEx += 4
default:
return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
}
if iNdEx < 0 {
return 0, ErrInvalidLengthGenerated
}
if depth == 0 {
return iNdEx, nil
}
}
return 0, io.ErrUnexpectedEOF
}
var (
ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
ErrIntOverflowGenerated = fmt.Errorf("proto: integer overflow")
ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
)

50
staging/src/k8s.io/api/authentication/v1alpha1/generated.proto Normal file
View File

@ -0,0 +1,50 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
syntax = "proto2";
package k8s.io.api.authentication.v1alpha1;
import "k8s.io/api/authentication/v1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
// Package-wide variables from generator "generated".
option go_package = "k8s.io/api/authentication/v1alpha1";
// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated.
message SelfSubjectReview {
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Status is filled in by the server with the user attributes.
optional SelfSubjectReviewStatus status = 2;
}
// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
message SelfSubjectReviewStatus {
// User attributes of the user making this request.
// +optional
optional k8s.io.api.authentication.v1.UserInfo userInfo = 1;
}

51
staging/src/k8s.io/api/authentication/v1alpha1/register.go Normal file
View File

@ -0,0 +1,51 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// GroupName is the group name use in this package
const GroupName = "authentication.k8s.io"
// SchemeGroupVersion is group version used to register these objects
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
// Resource takes an unqualified resource and returns a Group qualified GroupResource
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}
var (
// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
localSchemeBuilder = &SchemeBuilder
AddToScheme = localSchemeBuilder.AddToScheme
)
// Adds the list of known types to the given scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&SelfSubjectReview{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
}

47
staging/src/k8s.io/api/authentication/v1alpha1/types.go Normal file
View File

@ -0,0 +1,47 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
v1 "k8s.io/api/authentication/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +genclient
// +genclient:nonNamespaced
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.25
// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated.
type SelfSubjectReview struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Status is filled in by the server with the user attributes.
Status SelfSubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}
// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
type SelfSubjectReviewStatus struct {
// User attributes of the user making this request.
// +optional
UserInfo v1.UserInfo `json:"userInfo,omitempty" protobuf:"bytes,1,opt,name=userInfo"`
}

49
staging/src/k8s.io/api/authentication/v1alpha1/types_swagger_doc_generated.go generated Normal file
View File

@ -0,0 +1,49 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
// This file contains a collection of methods that can be used from go-restful to
// generate Swagger API documentation for its models. Please read this PR for more
// information on the implementation: https://github.com/emicklei/go-restful/pull/215
//
// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
// they are on one line! For multiple line or blocks that you want to ignore use ---.
// Any context after a --- is ignored.
//
// Those methods can be generated by using hack/update-generated-swagger-docs.sh
// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
var map_SelfSubjectReview = map[string]string{
"": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated.",
"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
"status": "Status is filled in by the server with the user attributes.",
}
func (SelfSubjectReview) SwaggerDoc() map[string]string {
return map_SelfSubjectReview
}
var map_SelfSubjectReviewStatus = map[string]string{
"": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
"userInfo": "User attributes of the user making this request.",
}
func (SelfSubjectReviewStatus) SwaggerDoc() map[string]string {
return map_SelfSubjectReviewStatus
}
// AUTO-GENERATED FUNCTIONS END HERE

70
staging/src/k8s.io/api/authentication/v1alpha1/zz_generated.deepcopy.go generated Normal file
View File

@ -0,0 +1,70 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SelfSubjectReview) DeepCopyInto(out *SelfSubjectReview) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectReview.
func (in *SelfSubjectReview) DeepCopy() *SelfSubjectReview {
if in == nil {
return nil
}
out := new(SelfSubjectReview)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *SelfSubjectReview) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SelfSubjectReviewStatus) DeepCopyInto(out *SelfSubjectReviewStatus) {
*out = *in
in.UserInfo.DeepCopyInto(&out.UserInfo)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectReviewStatus.
func (in *SelfSubjectReviewStatus) DeepCopy() *SelfSubjectReviewStatus {
if in == nil {
return nil
}
out := new(SelfSubjectReviewStatus)
in.DeepCopyInto(out)
return out
}

40
staging/src/k8s.io/api/authentication/v1alpha1/zz_generated.prerelease-lifecycle.go generated Normal file
View File

@ -0,0 +1,40 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by prerelease-lifecycle-gen. DO NOT EDIT.
package v1alpha1
// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
func (in *SelfSubjectReview) APILifecycleIntroduced() (major, minor int) {
return 1, 25
}
// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
func (in *SelfSubjectReview) APILifecycleDeprecated() (major, minor int) {
return 1, 28
}
// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
func (in *SelfSubjectReview) APILifecycleRemoved() (major, minor int) {
return 1, 31
}

13
staging/src/k8s.io/client-go/kubernetes/clientset.go
View File

@ -30,6 +30,7 @@ import (
appsv1beta1 "k8s.io/client-go/kubernetes/typed/apps/v1beta1"
appsv1beta2 "k8s.io/client-go/kubernetes/typed/apps/v1beta2"
authenticationv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
authenticationv1alpha1 "k8s.io/client-go/kubernetes/typed/authentication/v1alpha1"
authenticationv1beta1 "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
authorizationv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
authorizationv1beta1 "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
@ -82,6 +83,7 @@ type Interface interface {
AppsV1beta1() appsv1beta1.AppsV1beta1Interface
AppsV1beta2() appsv1beta2.AppsV1beta2Interface
AuthenticationV1() authenticationv1.AuthenticationV1Interface
AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface
AuthenticationV1beta1() authenticationv1beta1.AuthenticationV1beta1Interface
AuthorizationV1() authorizationv1.AuthorizationV1Interface
AuthorizationV1beta1() authorizationv1beta1.AuthorizationV1beta1Interface
@ -134,6 +136,7 @@ type Clientset struct {
appsV1beta1 *appsv1beta1.AppsV1beta1Client
appsV1beta2 *appsv1beta2.AppsV1beta2Client
authenticationV1 *authenticationv1.AuthenticationV1Client
authenticationV1alpha1 *authenticationv1alpha1.AuthenticationV1alpha1Client
authenticationV1beta1 *authenticationv1beta1.AuthenticationV1beta1Client
authorizationV1 *authorizationv1.AuthorizationV1Client
authorizationV1beta1 *authorizationv1beta1.AuthorizationV1beta1Client
@ -210,6 +213,11 @@ func (c *Clientset) AuthenticationV1() authenticationv1.AuthenticationV1Interfac
return c.authenticationV1
}
// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
return c.authenticationV1alpha1
}
// AuthenticationV1beta1 retrieves the AuthenticationV1beta1Client
func (c *Clientset) AuthenticationV1beta1() authenticationv1beta1.AuthenticationV1beta1Interface {
return c.authenticationV1beta1
@ -477,6 +485,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset,
if err != nil {
return nil, err
}
cs.authenticationV1alpha1, err = authenticationv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
if err != nil {
return nil, err
}
cs.authenticationV1beta1, err = authenticationv1beta1.NewForConfigAndClient(&configShallowCopy, httpClient)
if err != nil {
return nil, err
@ -661,6 +673,7 @@ func New(c rest.Interface) *Clientset {
cs.appsV1beta1 = appsv1beta1.New(c)
cs.appsV1beta2 = appsv1beta2.New(c)
cs.authenticationV1 = authenticationv1.New(c)
cs.authenticationV1alpha1 = authenticationv1alpha1.New(c)
cs.authenticationV1beta1 = authenticationv1beta1.New(c)
cs.authorizationV1 = authorizationv1.New(c)
cs.authorizationV1beta1 = authorizationv1beta1.New(c)

7
staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go
View File

@ -38,6 +38,8 @@ import (
fakeappsv1beta2 "k8s.io/client-go/kubernetes/typed/apps/v1beta2/fake"
authenticationv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
fakeauthenticationv1 "k8s.io/client-go/kubernetes/typed/authentication/v1/fake"
authenticationv1alpha1 "k8s.io/client-go/kubernetes/typed/authentication/v1alpha1"
fakeauthenticationv1alpha1 "k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/fake"
authenticationv1beta1 "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
fakeauthenticationv1beta1 "k8s.io/client-go/kubernetes/typed/authentication/v1beta1/fake"
authorizationv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
@ -204,6 +206,11 @@ func (c *Clientset) AuthenticationV1() authenticationv1.AuthenticationV1Interfac
return &fakeauthenticationv1.FakeAuthenticationV1{Fake: &c.Fake}
}
// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
return &fakeauthenticationv1alpha1.FakeAuthenticationV1alpha1{Fake: &c.Fake}
}
// AuthenticationV1beta1 retrieves the AuthenticationV1beta1Client
func (c *Clientset) AuthenticationV1beta1() authenticationv1beta1.AuthenticationV1beta1Interface {
return &fakeauthenticationv1beta1.FakeAuthenticationV1beta1{Fake: &c.Fake}

2
staging/src/k8s.io/client-go/kubernetes/fake/register.go
View File

@ -26,6 +26,7 @@ import (
appsv1beta1 "k8s.io/api/apps/v1beta1"
appsv1beta2 "k8s.io/api/apps/v1beta2"
authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
authorizationv1 "k8s.io/api/authorization/v1"
authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
@ -83,6 +84,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
appsv1beta1.AddToScheme,
appsv1beta2.AddToScheme,
authenticationv1.AddToScheme,
authenticationv1alpha1.AddToScheme,
authenticationv1beta1.AddToScheme,
authorizationv1.AddToScheme,
authorizationv1beta1.AddToScheme,

2
staging/src/k8s.io/client-go/kubernetes/scheme/register.go
View File

@ -26,6 +26,7 @@ import (
appsv1beta1 "k8s.io/api/apps/v1beta1"
appsv1beta2 "k8s.io/api/apps/v1beta2"
authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
authorizationv1 "k8s.io/api/authorization/v1"
authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
@ -83,6 +84,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
appsv1beta1.AddToScheme,
appsv1beta2.AddToScheme,
authenticationv1.AddToScheme,
authenticationv1alpha1.AddToScheme,
authenticationv1beta1.AddToScheme,
authorizationv1.AddToScheme,
authorizationv1beta1.AddToScheme,

107
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/authentication_client.go Normal file
View File

@ -0,0 +1,107 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"net/http"
v1alpha1 "k8s.io/api/authentication/v1alpha1"
"k8s.io/client-go/kubernetes/scheme"
rest "k8s.io/client-go/rest"
)
type AuthenticationV1alpha1Interface interface {
RESTClient() rest.Interface
SelfSubjectReviewsGetter
}
// AuthenticationV1alpha1Client is used to interact with features provided by the authentication.k8s.io group.
type AuthenticationV1alpha1Client struct {
restClient rest.Interface
}
func (c *AuthenticationV1alpha1Client) SelfSubjectReviews() SelfSubjectReviewInterface {
return newSelfSubjectReviews(c)
}
// NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
// where httpClient was generated with rest.HTTPClientFor(c).
func NewForConfig(c *rest.Config) (*AuthenticationV1alpha1Client, error) {
config := *c
if err := setConfigDefaults(&config); err != nil {
return nil, err
}
httpClient, err := rest.HTTPClientFor(&config)
if err != nil {
return nil, err
}
return NewForConfigAndClient(&config, httpClient)
}
// NewForConfigAndClient creates a new AuthenticationV1alpha1Client for the given config and http client.
// Note the http client provided takes precedence over the configured transport values.
func NewForConfigAndClient(c *rest.Config, h *http.Client) (*AuthenticationV1alpha1Client, error) {
config := *c
if err := setConfigDefaults(&config); err != nil {
return nil, err
}
client, err := rest.RESTClientForConfigAndClient(&config, h)
if err != nil {
return nil, err
}
return &AuthenticationV1alpha1Client{client}, nil
}
// NewForConfigOrDie creates a new AuthenticationV1alpha1Client for the given config and
// panics if there is an error in the config.
func NewForConfigOrDie(c *rest.Config) *AuthenticationV1alpha1Client {
client, err := NewForConfig(c)
if err != nil {
panic(err)
}
return client
}
// New creates a new AuthenticationV1alpha1Client for the given RESTClient.
func New(c rest.Interface) *AuthenticationV1alpha1Client {
return &AuthenticationV1alpha1Client{c}
}
func setConfigDefaults(config *rest.Config) error {
gv := v1alpha1.SchemeGroupVersion
config.GroupVersion = &gv
config.APIPath = "/apis"
config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
if config.UserAgent == "" {
config.UserAgent = rest.DefaultKubernetesUserAgent()
}
return nil
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *AuthenticationV1alpha1Client) RESTClient() rest.Interface {
if c == nil {
return nil
}
return c.restClient
}

20
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/doc.go Normal file
View File

@ -0,0 +1,20 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
// This package has the automatically generated typed clients.
package v1alpha1

20
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/fake/doc.go Normal file
View File

@ -0,0 +1,20 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
// Package fake has the automatically generated clients.
package fake

40
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/fake/fake_authentication_client.go Normal file
View File

@ -0,0 +1,40 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1alpha1 "k8s.io/client-go/kubernetes/typed/authentication/v1alpha1"
rest "k8s.io/client-go/rest"
testing "k8s.io/client-go/testing"
)
type FakeAuthenticationV1alpha1 struct {
*testing.Fake
}
func (c *FakeAuthenticationV1alpha1) SelfSubjectReviews() v1alpha1.SelfSubjectReviewInterface {
return &FakeSelfSubjectReviews{c}
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *FakeAuthenticationV1alpha1) RESTClient() rest.Interface {
var ret *rest.RESTClient
return ret
}

47
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/fake/fake_selfsubjectreview.go Normal file
View File

@ -0,0 +1,47 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "k8s.io/api/authentication/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
schema "k8s.io/apimachinery/pkg/runtime/schema"
testing "k8s.io/client-go/testing"
)
// FakeSelfSubjectReviews implements SelfSubjectReviewInterface
type FakeSelfSubjectReviews struct {
Fake *FakeAuthenticationV1alpha1
}
var selfsubjectreviewsResource = schema.GroupVersionResource{Group: "authentication.k8s.io", Version: "v1alpha1", Resource: "selfsubjectreviews"}
var selfsubjectreviewsKind = schema.GroupVersionKind{Group: "authentication.k8s.io", Version: "v1alpha1", Kind: "SelfSubjectReview"}
// Create takes the representation of a selfSubjectReview and creates it. Returns the server's representation of the selfSubjectReview, and an error, if there is any.
func (c *FakeSelfSubjectReviews) Create(ctx context.Context, selfSubjectReview *v1alpha1.SelfSubjectReview, opts v1.CreateOptions) (result *v1alpha1.SelfSubjectReview, err error) {
obj, err := c.Fake.
Invokes(testing.NewRootCreateAction(selfsubjectreviewsResource, selfSubjectReview), &v1alpha1.SelfSubjectReview{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.SelfSubjectReview), err
}

21
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/generated_expansion.go Normal file
View File

@ -0,0 +1,21 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
type SelfSubjectReviewExpansion interface{}

64
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/selfsubjectreview.go Normal file
View File

@ -0,0 +1,64 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
v1alpha1 "k8s.io/api/authentication/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
scheme "k8s.io/client-go/kubernetes/scheme"
rest "k8s.io/client-go/rest"
)
// SelfSubjectReviewsGetter has a method to return a SelfSubjectReviewInterface.
// A group's client should implement this interface.
type SelfSubjectReviewsGetter interface {
SelfSubjectReviews() SelfSubjectReviewInterface
}
// SelfSubjectReviewInterface has methods to work with SelfSubjectReview resources.
type SelfSubjectReviewInterface interface {
Create(ctx context.Context, selfSubjectReview *v1alpha1.SelfSubjectReview, opts v1.CreateOptions) (*v1alpha1.SelfSubjectReview, error)
SelfSubjectReviewExpansion
}
// selfSubjectReviews implements SelfSubjectReviewInterface
type selfSubjectReviews struct {
client rest.Interface
}
// newSelfSubjectReviews returns a SelfSubjectReviews
func newSelfSubjectReviews(c *AuthenticationV1alpha1Client) *selfSubjectReviews {
return &selfSubjectReviews{
client: c.RESTClient(),
}
}
// Create takes the representation of a selfSubjectReview and creates it. Returns the server's representation of the selfSubjectReview, and an error, if there is any.
func (c *selfSubjectReviews) Create(ctx context.Context, selfSubjectReview *v1alpha1.SelfSubjectReview, opts v1.CreateOptions) (result *v1alpha1.SelfSubjectReview, err error) {
result = &v1alpha1.SelfSubjectReview{}
err = c.client.Post().
Resource("selfsubjectreviews").
VersionedParams(&opts, scheme.ParameterCodec).
Body(selfSubjectReview).
Do(ctx).
Into(result)
return
}

10
staging/src/k8s.io/kubectl/pkg/cmd/alpha.go
View File

@ -20,6 +20,7 @@ import (
"github.com/spf13/cobra"
"k8s.io/cli-runtime/pkg/genericclioptions"
"k8s.io/kubectl/pkg/cmd/auth"
"k8s.io/kubectl/pkg/cmd/events"
cmdutil "k8s.io/kubectl/pkg/cmd/util"
"k8s.io/kubectl/pkg/util/i18n"
@ -38,6 +39,15 @@ func NewCmdAlpha(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.
// from here to the CommandGroups defined by NewKubeletCommand() in cmd.go.
cmd.AddCommand(events.NewCmdEvents(f, streams))
authCmds := &cobra.Command{
Use: "auth",
Short: "Inspect authorization",
Long: `Inspect authorization`,
Run: cmdutil.DefaultSubCommandRun(streams.ErrOut),
}
cmd.AddCommand(authCmds)
authCmds.AddCommand(auth.NewCmdWhoAmI(f, streams))
// NewKubeletCommand() will hide the alpha command if it has no subcommands. Overriding
// the help function ensures a reasonable message if someone types the hidden command anyway.
if !cmd.HasAvailableSubCommands() {

203
staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go Normal file
View File

@ -0,0 +1,203 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package auth
import (
"context"
"fmt"
"io"
"github.com/spf13/cobra"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/cli-runtime/pkg/genericclioptions"
"k8s.io/cli-runtime/pkg/printers"
authenticationv1alpha1client "k8s.io/client-go/kubernetes/typed/authentication/v1alpha1"
cmdutil "k8s.io/kubectl/pkg/cmd/util"
"k8s.io/kubectl/pkg/scheme"
"k8s.io/kubectl/pkg/util/templates"
)
// WhoAmIFlags directly reflect the information that CLI is gathering via flags. They will be converted to Options, which
// reflect the runtime requirements for the command. This structure reduces the transformation to wiring and makes
// the logic itself easy to unit test.
type WhoAmIFlags struct {
RESTClientGetter genericclioptions.RESTClientGetter
PrintFlags *genericclioptions.PrintFlags
genericclioptions.IOStreams
}
// NewWhoAmIFlags returns a default WhoAmIFlags.
func NewWhoAmIFlags(restClientGetter genericclioptions.RESTClientGetter, streams genericclioptions.IOStreams) *WhoAmIFlags {
return &WhoAmIFlags{
RESTClientGetter: restClientGetter,
PrintFlags: genericclioptions.NewPrintFlags("").WithTypeSetter(scheme.Scheme),
IOStreams: streams,
}
}
// AddFlags registers flags for a cli.
func (flags *WhoAmIFlags) AddFlags(cmd *cobra.Command) {
flags.PrintFlags.AddFlags(cmd)
}
// ToOptions converts from CLI inputs to runtime inputs.
func (flags *WhoAmIFlags) ToOptions(ctx context.Context, args []string) (*WhoAmIOptions, error) {
w := &WhoAmIOptions{
ctx: ctx,
IOStreams: flags.IOStreams,
}
clientConfig, err := flags.RESTClientGetter.ToRESTConfig()
if err != nil {
return nil, err
}
w.authClient, err = authenticationv1alpha1client.NewForConfig(clientConfig)
if err != nil {
return nil, err
}
if !flags.PrintFlags.OutputFlagSpecified() {
w.resourcePrinterFunc = printTableSelfSubjectAccessReview
} else {
printer, err := flags.PrintFlags.ToPrinter()
if err != nil {
return nil, err
}
w.resourcePrinterFunc = printer.PrintObj
}
return w, nil
}
// WhoAmIOptions is the start of the data required to perform the operation. As new fields are added,
// add them here instead of referencing the cmd.Flags()
type WhoAmIOptions struct {
authClient authenticationv1alpha1client.AuthenticationV1alpha1Interface
ctx context.Context
resourcePrinterFunc printers.ResourcePrinterFunc
genericclioptions.IOStreams
}
var (
whoAmILong = templates.LongDesc(`
Experimental: Check who you are and your attributes (groups, extra).
This command is helpful to get yourself aware of the current user attributes,
especially when dynamic authentication, e.g., token webhook, auth proxy, or OIDC provider,
is enabled in the Kubernetes cluster.
`)
whoAmIExample = templates.Examples(`
# Get your subject attributes.
kubectl alpha auth whoami
# Get your subject attributes in JSON format.
kubectl alpha auth whoami -o json
`)
)
// NewCmdWhoAmI returns an initialized Command for 'auth whoami' sub command. Experimental.
func NewCmdWhoAmI(restClientGetter genericclioptions.RESTClientGetter, streams genericclioptions.IOStreams) *cobra.Command {
flags := NewWhoAmIFlags(restClientGetter, streams)
cmd := &cobra.Command{
Use: "whoami",
DisableFlagsInUseLine: true,
Short: "Experimental: Check self subject attributes",
Long: whoAmILong,
Example: whoAmIExample,
Run: func(cmd *cobra.Command, args []string) {
o, err := flags.ToOptions(cmd.Context(), args)
cmdutil.CheckErr(err)
cmdutil.CheckErr(o.Run())
},
}
flags.AddFlags(cmd)
return cmd
}
// Run prints all user attributes.
func (o WhoAmIOptions) Run() error {
sar := &authenticationv1alpha1.SelfSubjectReview{}
response, err := o.authClient.SelfSubjectReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
if err != nil {
if errors.IsNotFound(err) {
return fmt.Errorf("the selfsubjectreviews API is not enabled in the cluster.\n" +
"enable APISelfSubjectReview feature gate and authentication.k8s.io/v1alpha1 API.")
}
return err
}
return o.resourcePrinterFunc(response, o.Out)
}
func printTableSelfSubjectAccessReview(obj runtime.Object, out io.Writer) error {
ssr, ok := obj.(*authenticationv1alpha1.SelfSubjectReview)
if !ok {
return fmt.Errorf("object is not SelfSubjectReview")
}
w := printers.GetNewTabWriter(out)
defer w.Flush()
_, err := fmt.Fprintf(w, "ATTRIBUTE\tVALUE\n")
if err != nil {
return fmt.Errorf("cannot write a header: %w", err)
}
ui := ssr.Status.UserInfo
if ui.Username != "" {
_, err := fmt.Fprintf(w, "Username\t%s\n", ui.Username)
if err != nil {
return fmt.Errorf("cannot write a username: %w", err)
}
}
if ui.UID != "" {
_, err := fmt.Fprintf(w, "UID\t%s\n", ui.UID)
if err != nil {
return fmt.Errorf("cannot write a uid: %w", err)
}
}
if len(ui.Groups) > 0 {
_, err := fmt.Fprintf(w, "Groups\t%v\n", ui.Groups)
if err != nil {
return fmt.Errorf("cannot write groups: %w", err)
}
}
if len(ui.Extra) > 0 {
for k, v := range ui.Extra {
_, err := fmt.Fprintf(w, "Extra: %s\t%v\n", k, v)
if err != nil {
return fmt.Errorf("cannot write an extra: %w", err)
}
}
}
return nil
}

150
staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami_test.go Normal file
View File

@ -0,0 +1,150 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package auth
import (
"bytes"
"io/ioutil"
"strings"
"testing"
authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/cli-runtime/pkg/printers"
authfake "k8s.io/client-go/kubernetes/fake"
core "k8s.io/client-go/testing"
cmdtesting "k8s.io/kubectl/pkg/cmd/testing"
"k8s.io/kubectl/pkg/scheme"
)
func TestWhoAmIRun(t *testing.T) {
tests := []struct {
name string
o *WhoAmIOptions
args []string
allowed bool
serverErr error
expectedBodyStrings []string
}{
{
name: "success test",
o: &WhoAmIOptions{
resourcePrinterFunc: printTableSelfSubjectAccessReview,
},
args: []string{},
expectedBodyStrings: []string{
`ATTRIBUTE VALUE`,
`Username jane.doe`,
`UID uniq-id`,
`Groups [students teachers]`,
`Extra: subjects [math sports]`,
`Extra: skills [reading learning]`,
``,
},
},
{
name: "JSON test",
o: &WhoAmIOptions{
resourcePrinterFunc: printers.NewTypeSetter(scheme.Scheme).ToPrinter(&printers.JSONPrinter{}).PrintObj,
},
args: []string{},
expectedBodyStrings: []string{
`{
"kind": "SelfSubjectReview",
"apiVersion": "authentication.k8s.io/v1alpha1",
"metadata": {
"creationTimestamp": null
},
"status": {
"userInfo": {
"username": "jane.doe",
"uid": "uniq-id",
"groups": [
"students",
"teachers"
],
"extra": {
"skills": [
"reading",
"learning"
],
"subjects": [
"math",
"sports"
]
}
}
}
}
`,
},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
var b bytes.Buffer
test.o.Out = &b
test.o.ErrOut = ioutil.Discard
tf := cmdtesting.NewTestFactory().WithNamespace("test")
defer tf.Cleanup()
fakeAuthClientSet := &authfake.Clientset{}
fakeAuthClientSet.AddReactor("create", "selfsubjectreviews",
func(action core.Action) (handled bool, ret runtime.Object, err error) {
res := &authenticationv1alpha1.SelfSubjectReview{
Status: authenticationv1alpha1.SelfSubjectReviewStatus{
UserInfo: authenticationv1.UserInfo{
Username: "jane.doe",
UID: "uniq-id",
Groups: []string{"students", "teachers"},
Extra: map[string]authenticationv1.ExtraValue{
"subjects": {"math", "sports"},
"skills": {"reading", "learning"},
},
},
},
}
return true, res, nil
})
test.o.authClient = fakeAuthClientSet.AuthenticationV1alpha1()
err := test.o.Run()
switch {
case test.serverErr == nil && err == nil:
// pass
case err != nil && test.serverErr != nil && strings.Contains(err.Error(), test.serverErr.Error()):
// pass
default:
t.Errorf("%s: expected %v, got %v", test.name, test.serverErr, err)
return
}
res := b.String()
expectedBody := strings.Join(test.expectedBodyStrings, "\n")
if expectedBody != res {
t.Errorf("%s: expected \n%q, got \n%q", test.name, expectedBody, res)
}
})
}
}

1
staging/src/k8s.io/kubectl/pkg/cmd/testing/fake.go
View File

@ -583,6 +583,7 @@ func (f *TestFactory) KubernetesClientSet() (*kubernetes.Clientset, error) {
clientset.AuthorizationV1beta1().RESTClient().(*restclient.RESTClient).Client = fakeClient.Client
clientset.AuthorizationV1().RESTClient().(*restclient.RESTClient).Client = fakeClient.Client
clientset.AuthorizationV1beta1().RESTClient().(*restclient.RESTClient).Client = fakeClient.Client
clientset.AuthenticationV1alpha1().RESTClient().(*restclient.RESTClient).Client = fakeClient.Client
clientset.AutoscalingV1().RESTClient().(*restclient.RESTClient).Client = fakeClient.Client
clientset.AutoscalingV2beta1().RESTClient().(*restclient.RESTClient).Client = fakeClient.Client
clientset.BatchV1().RESTClient().(*restclient.RESTClient).Client = fakeClient.Client

130
test/e2e/auth/selfsubjectreviews.go Normal file
View File

@ -0,0 +1,130 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package auth
import (
"context"
"fmt"
"github.com/onsi/ginkgo/v2"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/kubernetes/test/e2e/framework"
admissionapi "k8s.io/pod-security-admission/api"
)
var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
f := framework.NewDefaultFramework("selfsubjectreviews")
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
/*
Release: v1.24
Testname: SelfSubjectReview API
Description:
The authentication.k8s.io API group MUST exist in the /apis discovery document.
The authentication.k8s.io/v1alpha1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1alpha1 discovery document.
The selfsubjectreviews resource must support create.
*/
ginkgo.It("should support SelfSubjectReview API operations", func() {
// Setup
ssarAPIVersion := "v1alpha1"
// Discovery
ginkgo.By("getting /apis")
{
discoveryGroups, err := f.ClientSet.Discovery().ServerGroups()
framework.ExpectNoError(err)
found := false
for _, group := range discoveryGroups.Groups {
if group.Name == authenticationv1alpha1.GroupName {
for _, version := range group.Versions {
if version.Version == ssarAPIVersion {
found = true
break
}
}
}
}
if !found {
ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API group/version, got %#v", discoveryGroups.Groups))
}
}
ginkgo.By("getting /apis/authentication.k8s.io")
{
group := &metav1.APIGroup{}
err := f.ClientSet.Discovery().RESTClient().Get().AbsPath("/apis/authentication.k8s.io").Do(context.TODO()).Into(group)
framework.ExpectNoError(err)
found := false
for _, version := range group.Versions {
if version.Version == ssarAPIVersion {
found = true
break
}
}
if !found {
ginkgo.Skip(fmt.Sprintf("expected SelfSubjectReview API version, got %#v", group.Versions))
}
}
ginkgo.By("getting /apis/authentication.k8s.io/" + ssarAPIVersion)
{
resources, err := f.ClientSet.Discovery().ServerResourcesForGroupVersion(authenticationv1alpha1.SchemeGroupVersion.String())
framework.ExpectNoError(err)
found := false
for _, resource := range resources.APIResources {
switch resource.Name {
case "selfsubjectreviews":
found = true
}
}
if !found {
ginkgo.Skip(fmt.Sprintf("expected selfsubjectreviews, got %#v", resources.APIResources))
}
}
// Check creating
ginkgo.By("creating")
{
// Use impersonate to make user attributes predictable
config := f.ClientConfig()
config.Impersonate.UserName = "jane-doe"
config.Impersonate.UID = "uniq-id"
config.Impersonate.Groups = []string{"system:authenticated", "developers"}
config.Impersonate.Extra = map[string][]string{
"known-languages": {"python", "javascript"},
}
ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1alpha1().SelfSubjectReviews()
res, err := ssrClient.Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
framework.ExpectNoError(err)
framework.ExpectEqual(config.Impersonate.UserName, res.Status.UserInfo.Username)
framework.ExpectEqual(config.Impersonate.UID, res.Status.UserInfo.UID)
framework.ExpectEqual(config.Impersonate.Groups, res.Status.UserInfo.Groups)
extra := make(map[string][]string, len(res.Status.UserInfo.Extra))
for k, v := range res.Status.UserInfo.Extra {
extra[k] = v
}
framework.ExpectEqual(config.Impersonate.Extra, extra)
}
})
})

6
test/integration/apiserver/admissionwebhook/admission_test.go
View File

@ -52,12 +52,15 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/wait"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/dynamic"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/util/retry"
featuregatetesting "k8s.io/component-base/featuregate/testing"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
apisv1beta1 "k8s.io/kubernetes/pkg/apis/admissionregistration/v1beta1"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/test/integration/etcd"
"k8s.io/kubernetes/test/integration/framework"
)
@ -150,6 +153,7 @@ var (
// Non persistent Reviews resource
gvr("authentication.k8s.io", "v1", "tokenreviews"): `{"metadata": {"name": "tokenreview"}, "spec": {"token": "token", "audience": ["audience1","audience2"]}}`,
gvr("authentication.k8s.io", "v1beta1", "tokenreviews"): `{"metadata": {"name": "tokenreview"}, "spec": {"token": "token", "audience": ["audience1","audience2"]}}`,
gvr("authentication.k8s.io", "v1alpha1", "selfsubjectreviews"): `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
gvr("authorization.k8s.io", "v1", "localsubjectaccessreviews"): `{"metadata": {"name": "", "namespace":"` + testNamespace + `"}, "spec": {"uid": "token", "user": "user1","groups": ["group1","group2"],"resourceAttributes": {"name":"name1","namespace":"` + testNamespace + `"}}}`,
gvr("authorization.k8s.io", "v1", "subjectaccessreviews"): `{"metadata": {"name": "", "namespace":""}, "spec": {"user":"user1","resourceAttributes": {"name":"name1", "namespace":"` + testNamespace + `"}}}`,
gvr("authorization.k8s.io", "v1", "selfsubjectaccessreviews"): `{"metadata": {"name": "", "namespace":""}, "spec": {"resourceAttributes": {"name":"name1", "namespace":""}}}`,
@ -444,6 +448,8 @@ func TestWebhookAdmissionWithoutWatchCache(t *testing.T) {
// testWebhookAdmission tests communication between API server and webhook process.
func testWebhookAdmission(t *testing.T, watchCache bool) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APISelfSubjectReview, true)()
// holder communicates expectations to webhooks, and results from webhooks
holder := &holder{
t: t,

195
test/integration/auth/selfsubjectreview_test.go Normal file
View File

@ -0,0 +1,195 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package auth
import (
"context"
"fmt"
"net/http"
"reflect"
"sync"
"sync/atomic"
"testing"
authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
utilfeature "k8s.io/apiserver/pkg/util/feature"
featuregatetesting "k8s.io/component-base/featuregate/testing"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
"k8s.io/kubernetes/pkg/controlplane"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/test/integration/framework"
)
func TestGetsSelfAttributes(t *testing.T) {
tests := []struct {
name string
userInfo *user.DefaultInfo
expectedName string
expectedUID string
expectedGroups []string
expectedExtra map[string]authenticationv1.ExtraValue
}{
{
name: "Username",
userInfo: &user.DefaultInfo{
Name: "alice",
},
expectedName: "alice",
},
{
name: "Username with groups and UID",
userInfo: &user.DefaultInfo{
Name: "alice",
UID: "unique-id",
Groups: []string{"devs", "admins"},
},
expectedName: "alice",
expectedUID: "unique-id",
expectedGroups: []string{"devs", "admins"},
},
{
name: "Username with extra attributes",
userInfo: &user.DefaultInfo{
Name: "alice",
Extra: map[string][]string{
"nicknames": {"cutie", "bestie"},
},
},
expectedName: "alice",
expectedExtra: map[string]authenticationv1.ExtraValue{
"nicknames": authenticationv1.ExtraValue([]string{"cutie", "bestie"}),
},
},
{
name: "Without username",
userInfo: &user.DefaultInfo{
UID: "unique-id",
},
expectedUID: "unique-id",
},
}
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APISelfSubjectReview, true)()
var respMu sync.RWMutex
response := &user.DefaultInfo{
Name: "stub",
}
kubeClient, _, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
ModifyServerConfig: func(config *controlplane.Config) {
// Unset BearerToken to disable BearerToken authenticator.
config.GenericConfig.LoopbackClientConfig.BearerToken = ""
config.GenericConfig.Authentication.Authenticator = authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
respMu.RLock()
defer respMu.RUnlock()
return &authenticator.Response{User: response}, true, nil
})
config.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
},
ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
},
})
defer tearDownFn()
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
respMu.Lock()
response = tc.userInfo
respMu.Unlock()
res, err := kubeClient.AuthenticationV1alpha1().
SelfSubjectReviews().
Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if res == nil {
t.Fatalf("empty response")
}
if res.Status.UserInfo.Username != tc.expectedName {
t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username)
}
if res.Status.UserInfo.UID != tc.expectedUID {
t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID)
}
if !reflect.DeepEqual(res.Status.UserInfo.Groups, tc.expectedGroups) {
t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups)
}
if !reflect.DeepEqual(res.Status.UserInfo.Extra, tc.expectedExtra) {
t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
}
})
}
}
func TestGetsSelfAttributesError(t *testing.T) {
toggle := &atomic.Value{}
toggle.Store(true)
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APISelfSubjectReview, true)()
kubeClient, _, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
ModifyServerConfig: func(config *controlplane.Config) {
// Unset BearerToken to disable BearerToken authenticator.
config.GenericConfig.LoopbackClientConfig.BearerToken = ""
config.GenericConfig.Authentication.Authenticator = authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
if toggle.Load().(bool) {
return &authenticator.Response{
User: &user.DefaultInfo{
Name: "alice",
},
}, true, nil
}
return nil, false, fmt.Errorf("test error")
})
config.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
},
ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
},
})
defer tearDownFn()
expected := fmt.Errorf("Unauthorized")
toggle.Store(!toggle.Load().(bool))
_, err := kubeClient.AuthenticationV1alpha1().
SelfSubjectReviews().
Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
if err == nil {
t.Fatalf("expected error: %v, got nil", err)
}
toggle.Store(!toggle.Load().(bool))
if expected.Error() != err.Error() {
t.Fatalf("expected error: %v, got %v", expected, err)
}
}

3
vendor/modules.txt vendored
View File

@ -1332,6 +1332,7 @@ k8s.io/api/apps/v1
k8s.io/api/apps/v1beta1
k8s.io/api/apps/v1beta2
k8s.io/api/authentication/v1
k8s.io/api/authentication/v1alpha1
k8s.io/api/authentication/v1beta1
k8s.io/api/authorization/v1
k8s.io/api/authorization/v1beta1
@ -1792,6 +1793,8 @@ k8s.io/client-go/kubernetes/typed/apps/v1beta2
k8s.io/client-go/kubernetes/typed/apps/v1beta2/fake
k8s.io/client-go/kubernetes/typed/authentication/v1
k8s.io/client-go/kubernetes/typed/authentication/v1/fake
k8s.io/client-go/kubernetes/typed/authentication/v1alpha1
k8s.io/client-go/kubernetes/typed/authentication/v1alpha1/fake
k8s.io/client-go/kubernetes/typed/authentication/v1beta1
k8s.io/client-go/kubernetes/typed/authentication/v1beta1/fake
k8s.io/client-go/kubernetes/typed/authorization/v1