Fix list_type_missing in api/authorization

This commit is contained in:
Tim Hockin
2023-11-12 15:10:01 -08:00
parent b24cffb174
commit ad39737397
8 changed files with 162 additions and 36 deletions


@@ -1,21 +1,3 @@
API rule violation: list_type_missing,k8s.io/api/authorization/v1,NonResourceRule,NonResourceURLs
API rule violation: list_type_missing,k8s.io/api/authorization/v1,NonResourceRule,Verbs
API rule violation: list_type_missing,k8s.io/api/authorization/v1,ResourceRule,APIGroups
API rule violation: list_type_missing,k8s.io/api/authorization/v1,ResourceRule,ResourceNames
API rule violation: list_type_missing,k8s.io/api/authorization/v1,ResourceRule,Resources
API rule violation: list_type_missing,k8s.io/api/authorization/v1,ResourceRule,Verbs
API rule violation: list_type_missing,k8s.io/api/authorization/v1,SubjectAccessReviewSpec,Groups
API rule violation: list_type_missing,k8s.io/api/authorization/v1,SubjectRulesReviewStatus,NonResourceRules
API rule violation: list_type_missing,k8s.io/api/authorization/v1,SubjectRulesReviewStatus,ResourceRules
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,NonResourceRule,NonResourceURLs
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,NonResourceRule,Verbs
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,ResourceRule,APIGroups
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,ResourceRule,ResourceNames
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,ResourceRule,Resources
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,ResourceRule,Verbs
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,SubjectAccessReviewSpec,Groups
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,SubjectRulesReviewStatus,NonResourceRules
API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,SubjectRulesReviewStatus,ResourceRules
API rule violation: list_type_missing,k8s.io/api/autoscaling/v2beta1,HorizontalPodAutoscalerSpec,Metrics
API rule violation: list_type_missing,k8s.io/api/autoscaling/v2beta1,HorizontalPodAutoscalerStatus,Conditions
API rule violation: list_type_missing,k8s.io/api/autoscaling/v2beta1,HorizontalPodAutoscalerStatus,CurrentMetrics


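--- a/FILE2_PATH_NOT_ON_PAGE
+++ b/FILE2_PATH_NOT_ON_PAGE
@@ -2895,14 +2895,16 @@
 "items": {
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "verbs": {
 "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.",
 "items": {
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 }
 },
 "required": [
@@ -2952,28 +2954,32 @@
 "items": {
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "resourceNames": {
 "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.",
 "items": {
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "resources": {
 "description": "Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.",
 "items": {
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "verbs": {
 "description": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.",
 "items": {
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 }
 },
 "required": [
@@ -3131,7 +3137,8 @@
 "items": {
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "nonResourceAttributes": {
 "$ref": "#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes",
@@ -3193,14 +3200,16 @@
 "items": {
 "$ref": "#/definitions/io.k8s.api.authorization.v1.NonResourceRule"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "resourceRules": {
 "description": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
 "items": {
 "$ref": "#/definitions/io.k8s.api.authorization.v1.ResourceRule"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 }
 },
 "required": [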


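--- a/FILE3_PATH_NOT_ON_PAGE
+++ b/FILE3_PATH_NOT_ON_PAGE
@@ -75,7 +75,8 @@
 "default": "",
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "verbs": {
 "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.",
@@ -83,7 +84,8 @@
 "default": "",
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 }
 },
 "required": [
@@ -134,7 +136,8 @@
 "default": "",
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "resourceNames": {
 "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.",
@@ -142,7 +145,8 @@
 "default": "",
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "resources": {
 "description": "Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.",
@@ -150,7 +154,8 @@
 "default": "",
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "verbs": {
 "description": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.",
@@ -158,7 +163,8 @@
 "default": "",
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 }
 },
 "required": [
@@ -371,7 +377,8 @@
 "default": "",
 "type": "string"
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "nonResourceAttributes": {
 "allOf": [
@@ -448,7 +455,8 @@
 ],
 "default": {}
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 },
 "resourceRules": {
 "description": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
@@ -460,7 +468,8 @@
 ],
 "default": {}
 },
-"type": "array"
+"type": "array",
+"x-kubernetes-list-type": "atomic"
 }
 },
 "required": [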


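--- a/FILE4_PATH_NOT_ON_PAGE
+++ b/FILE4_PATH_NOT_ON_PAGE
@@ -10322,6 +10322,11 @@ func schema_k8sio_api_authorization_v1_NonResourceRule(ref common.ReferenceCallb
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "verbs": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.",
 Type: []string{"array"},
@@ -10337,6 +10342,11 @@ func schema_k8sio_api_authorization_v1_NonResourceRule(ref common.ReferenceCallb
 },
 },
 "nonResourceURLs": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.",
 Type: []string{"array"},
@@ -10428,6 +10438,11 @@ func schema_k8sio_api_authorization_v1_ResourceRule(ref common.ReferenceCallback
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "verbs": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.",
 Type: []string{"array"},
@@ -10443,6 +10458,11 @@ func schema_k8sio_api_authorization_v1_ResourceRule(ref common.ReferenceCallback
 },
 },
 "apiGroups": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.",
 Type: []string{"array"},
@@ -10458,6 +10478,11 @@ func schema_k8sio_api_authorization_v1_ResourceRule(ref common.ReferenceCallback
 },
 },
 "resources": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.",
 Type: []string{"array"},
@@ -10473,6 +10498,11 @@ func schema_k8sio_api_authorization_v1_ResourceRule(ref common.ReferenceCallback
 },
 },
 "resourceNames": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.",
 Type: []string{"array"},
@@ -10721,6 +10751,11 @@ func schema_k8sio_api_authorization_v1_SubjectAccessReviewSpec(ref common.Refere
 },
 },
 "groups": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "Groups is the groups you're testing for.",
 Type: []string{"array"},
@@ -10824,6 +10859,11 @@ func schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref common.Refer
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "resourceRules": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
 Type: []string{"array"},
@@ -10838,6 +10878,11 @@ func schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref common.Refer
 },
 },
 "nonResourceRules": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
 Type: []string{"array"},
@@ -10961,6 +11006,11 @@ func schema_k8sio_api_authorization_v1beta1_NonResourceRule(ref common.Reference
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "verbs": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.",
 Type: []string{"array"},
@@ -10976,6 +11026,11 @@ func schema_k8sio_api_authorization_v1beta1_NonResourceRule(ref common.Reference
 },
 },
 "nonResourceURLs": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.",
 Type: []string{"array"},
@@ -11067,6 +11122,11 @@ func schema_k8sio_api_authorization_v1beta1_ResourceRule(ref common.ReferenceCal
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "verbs": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.",
 Type: []string{"array"},
@@ -11082,6 +11142,11 @@ func schema_k8sio_api_authorization_v1beta1_ResourceRule(ref common.ReferenceCal
 },
 },
 "apiGroups": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.",
 Type: []string{"array"},
@@ -11097,6 +11162,11 @@ func schema_k8sio_api_authorization_v1beta1_ResourceRule(ref common.ReferenceCal
 },
 },
 "resources": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.",
 Type: []string{"array"},
@@ -11112,6 +11182,11 @@ func schema_k8sio_api_authorization_v1beta1_ResourceRule(ref common.ReferenceCal
 },
 },
 "resourceNames": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.",
 Type: []string{"array"},
@@ -11360,6 +11435,11 @@ func schema_k8sio_api_authorization_v1beta1_SubjectAccessReviewSpec(ref common.R
 },
 },
 "group": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "Groups is the groups you're testing for.",
 Type: []string{"array"},
@@ -11463,6 +11543,11 @@ func schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref common.
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
 "resourceRules": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
 Type: []string{"array"},
@@ -11477,6 +11562,11 @@ func schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref common.
 },
 },
 "nonResourceRules": {
+VendorExtensible: spec.VendorExtensible{
+Extensions: spec.Extensions{
+"x-kubernetes-list-type": "atomic",
+},
+},
 SchemaProps: spec.SchemaProps{
 Description: "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
 Type: []string{"array"},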


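--- a/FILE5_PATH_NOT_ON_PAGE
+++ b/FILE5_PATH_NOT_ON_PAGE
@@ -69,11 +69,13 @@ message NonResourceAttributes {
 // NonResourceRule holds information that describes a rule for the non-resource
 message NonResourceRule {
 // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
+// +listType=atomic
 repeated string verbs = 1;
 // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
 // final step in the path. "*" means all.
 // +optional
+// +listType=atomic
 repeated string nonResourceURLs = 2;
 }
@@ -115,20 +117,24 @@ message ResourceAttributes {
 // may contain duplicates, and possibly be incomplete.
 message ResourceRule {
 // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
+// +listType=atomic
 repeated string verbs = 1;
 // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
 // the enumerated resources in any API group will be allowed. "*" means all.
 // +optional
+// +listType=atomic
 repeated string apiGroups = 2;
 // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
 // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
 // +optional
+// +listType=atomic
 repeated string resources = 3;
 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
 // +optional
+// +listType=atomic
 repeated string resourceNames = 4;
 }
@@ -220,6 +226,7 @@ message SubjectAccessReviewSpec {
 // Groups is the groups you're testing for.
 // +optional
+// +listType=atomic
 repeated string groups = 4;
 // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
@@ -262,10 +269,12 @@ message SubjectAccessReviewStatus {
 message SubjectRulesReviewStatus {
 // ResourceRules is the list of actions the subject is allowed to perform on resources.
 // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+// +listType=atomic
 repeated ResourceRule resourceRules = 1;
 // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
 // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+// +listType=atomic
 repeated NonResourceRule nonResourceRules = 2;
 // Incomplete is true when the rules returned by this call are incomplete. This is most commonly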


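--- a/FILE6_PATH_NOT_ON_PAGE
+++ b/FILE6_PATH_NOT_ON_PAGE
@@ -143,6 +143,7 @@ type SubjectAccessReviewSpec struct {
 User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
 // Groups is the groups you're testing for.
 // +optional
+// +listType=atomic
 Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
 // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
 // it needs a reflection here.
@@ -232,9 +233,11 @@ type SelfSubjectRulesReviewSpec struct {
 type SubjectRulesReviewStatus struct {
 // ResourceRules is the list of actions the subject is allowed to perform on resources.
 // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+// +listType=atomic
 ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"`
 // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
 // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+// +listType=atomic
 NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"`
 // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
 // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
@@ -250,28 +253,34 @@ type SubjectRulesReviewStatus struct {
 // may contain duplicates, and possibly be incomplete.
 type ResourceRule struct {
 // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
+// +listType=atomic
 Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
 // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
 // the enumerated resources in any API group will be allowed. "*" means all.
 // +optional
+// +listType=atomic
 APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
 // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
 // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
 // +optional
+// +listType=atomic
 Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
 // +optional
+// +listType=atomic
 ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
 }
 // NonResourceRule holds information that describes a rule for the non-resource
 type NonResourceRule struct {
 // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
+// +listType=atomic
 Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
 // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
 // final step in the path. "*" means all.
 // +optional
+// +listType=atomic
 NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"`
 }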
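Review bot: `+listType=atomic` is the right marker here rather than `set`, but the reason is not recorded anywhere in the file: the doc comments on `SubjectRulesReviewStatus.ResourceRules` and `NonResourceRules` say the lists "may contain duplicates", so `set` would introduce a uniqueness constraint the documented contract forbids, and on `SubjectAccessReviewSpec.Groups` it would presumably start rejecting review requests that happen to repeat a group name. To a later reader `Groups`, `Verbs` and `APIGroups` look like natural sets, so a one-line justification next to the marker would prevent a well-meaning "upgrade"; on the status struct, e.g. `// +listType=atomic (deliberately not set: duplicates are permitted, see above)`, and on the spec/rule structs a hedged variant such as `// +listType=atomic (not set: existing clients may send repeated entries)`. The same applies to the v1beta1 types.go hunks later in this commit. `SubjectAccessReviewSpec` and `SubjectRulesReviewStatus` start outside their hunks.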


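--- a/FILE7_PATH_NOT_ON_PAGE
+++ b/FILE7_PATH_NOT_ON_PAGE
@@ -69,11 +69,13 @@ message NonResourceAttributes {
 // NonResourceRule holds information that describes a rule for the non-resource
 message NonResourceRule {
 // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
+// +listType=atomic
 repeated string verbs = 1;
 // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
 // final step in the path. "*" means all.
 // +optional
+// +listType=atomic
 repeated string nonResourceURLs = 2;
 }
@@ -115,20 +117,24 @@ message ResourceAttributes {
 // may contain duplicates, and possibly be incomplete.
 message ResourceRule {
 // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
+// +listType=atomic
 repeated string verbs = 1;
 // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
 // the enumerated resources in any API group will be allowed. "*" means all.
 // +optional
+// +listType=atomic
 repeated string apiGroups = 2;
 // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
 // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
 // +optional
+// +listType=atomic
 repeated string resources = 3;
 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
 // +optional
+// +listType=atomic
 repeated string resourceNames = 4;
 }
@@ -220,6 +226,7 @@ message SubjectAccessReviewSpec {
 // Groups is the groups you're testing for.
 // +optional
+// +listType=atomic
 repeated string group = 4;
 // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
@@ -262,10 +269,12 @@ message SubjectAccessReviewStatus {
 message SubjectRulesReviewStatus {
 // ResourceRules is the list of actions the subject is allowed to perform on resources.
 // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+// +listType=atomic
 repeated ResourceRule resourceRules = 1;
 // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
 // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+// +listType=atomic
 repeated NonResourceRule nonResourceRules = 2;
 // Incomplete is true when the rules returned by this call are incomplete. This is most commonly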


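--- a/FILE8_PATH_NOT_ON_PAGE
+++ b/FILE8_PATH_NOT_ON_PAGE
@@ -152,6 +152,7 @@ type SubjectAccessReviewSpec struct {
 User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
 // Groups is the groups you're testing for.
 // +optional
+// +listType=atomic
 Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"`
 // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
 // it needs a reflection here.
@@ -244,9 +245,11 @@ type SelfSubjectRulesReviewSpec struct {
 type SubjectRulesReviewStatus struct {
 // ResourceRules is the list of actions the subject is allowed to perform on resources.
 // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+// +listType=atomic
 ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"`
 // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
 // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+// +listType=atomic
 NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"`
 // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
 // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
@@ -262,28 +265,34 @@ type SubjectRulesReviewStatus struct {
 // may contain duplicates, and possibly be incomplete.
 type ResourceRule struct {
 // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
+// +listType=atomic
 Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
 // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
 // the enumerated resources in any API group will be allowed. "*" means all.
 // +optional
+// +listType=atomic
 APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
 // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
 // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
 // +optional
+// +listType=atomic
 Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
 // +optional
+// +listType=atomic
 ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
 }
 // NonResourceRule holds information that describes a rule for the non-resource
 type NonResourceRule struct {
 // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
+// +listType=atomic
 Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
 // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
 // final step in the path. "*" means all.
 // +optional
+// +listType=atomic
 NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"`
 }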
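Review bot: The `Groups` field that now carries `+listType=atomic` is serialized under the singular wire name `group` in both its json and protobuf tags, while its Go name, its doc comment and the v1 `SubjectAccessReviewSpec` in this same commit all use `groups`; nothing in the file says the mismatch is intentional, and a reviewer touching the marker block is the most likely person to "correct" it and break the v1beta1 wire format. Since the comment block above the field is being edited anyway, a line such as `// Serialized as "group" (singular) for v1beta1 wire compatibility; v1 uses "groups". Do not rename.` would make the constraint explicit. The v1beta1 generated.proto hunk shows the same name (`repeated string group = 4;`), so the comment belongs in this hand-written file rather than there. `SubjectAccessReviewSpec` starts outside the hunk.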