diff --git a/api/api-rules/violation_exceptions.list b/api/api-rules/violation_exceptions.list index 7e0e7232bfe..2be956e7d3a 100644 --- a/api/api-rules/violation_exceptions.list +++ b/api/api-rules/violation_exceptions.list @@ -1,21 +1,3 @@ -API rule violation: list_type_missing,k8s.io/api/authorization/v1,NonResourceRule,NonResourceURLs -API rule violation: list_type_missing,k8s.io/api/authorization/v1,NonResourceRule,Verbs -API rule violation: list_type_missing,k8s.io/api/authorization/v1,ResourceRule,APIGroups -API rule violation: list_type_missing,k8s.io/api/authorization/v1,ResourceRule,ResourceNames -API rule violation: list_type_missing,k8s.io/api/authorization/v1,ResourceRule,Resources -API rule violation: list_type_missing,k8s.io/api/authorization/v1,ResourceRule,Verbs -API rule violation: list_type_missing,k8s.io/api/authorization/v1,SubjectAccessReviewSpec,Groups -API rule violation: list_type_missing,k8s.io/api/authorization/v1,SubjectRulesReviewStatus,NonResourceRules -API rule violation: list_type_missing,k8s.io/api/authorization/v1,SubjectRulesReviewStatus,ResourceRules -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,NonResourceRule,NonResourceURLs -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,NonResourceRule,Verbs -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,ResourceRule,APIGroups -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,ResourceRule,ResourceNames -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,ResourceRule,Resources -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,ResourceRule,Verbs -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,SubjectAccessReviewSpec,Groups -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,SubjectRulesReviewStatus,NonResourceRules -API rule violation: list_type_missing,k8s.io/api/authorization/v1beta1,SubjectRulesReviewStatus,ResourceRules API rule violation: list_type_missing,k8s.io/api/autoscaling/v2beta1,HorizontalPodAutoscalerSpec,Metrics API rule violation: list_type_missing,k8s.io/api/autoscaling/v2beta1,HorizontalPodAutoscalerStatus,Conditions API rule violation: list_type_missing,k8s.io/api/autoscaling/v2beta1,HorizontalPodAutoscalerStatus,CurrentMetrics diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index f9c3803fa71..a32fe8887e9 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -2895,14 +2895,16 @@ "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.", "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ @@ -2952,28 +2954,32 @@ "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.", "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.", "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.", "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ @@ -3131,7 +3137,8 @@ "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "nonResourceAttributes": { "$ref": "#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes", @@ -3193,14 +3200,16 @@ "items": { "$ref": "#/definitions/io.k8s.api.authorization.v1.NonResourceRule" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resourceRules": { "description": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", "items": { "$ref": "#/definitions/io.k8s.api.authorization.v1.ResourceRule" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ diff --git a/api/openapi-spec/v3/apis__authorization.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__authorization.k8s.io__v1_openapi.json index 2941d5d73cd..19db19882b2 100644 --- a/api/openapi-spec/v3/apis__authorization.k8s.io__v1_openapi.json +++ b/api/openapi-spec/v3/apis__authorization.k8s.io__v1_openapi.json @@ -75,7 +75,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.", @@ -83,7 +84,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ @@ -134,7 +136,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.", @@ -142,7 +145,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.", @@ -150,7 +154,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.", @@ -158,7 +163,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ @@ -371,7 +377,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "nonResourceAttributes": { "allOf": [ @@ -448,7 +455,8 @@ ], "default": {} }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resourceRules": { "description": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", @@ -460,7 +468,8 @@ ], "default": {} }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index 21a9701cac2..4650a0eadce 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go @@ -10322,6 +10322,11 @@ func schema_k8sio_api_authorization_v1_NonResourceRule(ref common.ReferenceCallb Type: []string{"object"}, Properties: map[string]spec.Schema{ "verbs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.", Type: []string{"array"}, @@ -10337,6 +10342,11 @@ func schema_k8sio_api_authorization_v1_NonResourceRule(ref common.ReferenceCallb }, }, "nonResourceURLs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.", Type: []string{"array"}, @@ -10428,6 +10438,11 @@ func schema_k8sio_api_authorization_v1_ResourceRule(ref common.ReferenceCallback Type: []string{"object"}, Properties: map[string]spec.Schema{ "verbs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.", Type: []string{"array"}, @@ -10443,6 +10458,11 @@ func schema_k8sio_api_authorization_v1_ResourceRule(ref common.ReferenceCallback }, }, "apiGroups": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.", Type: []string{"array"}, @@ -10458,6 +10478,11 @@ func schema_k8sio_api_authorization_v1_ResourceRule(ref common.ReferenceCallback }, }, "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.", Type: []string{"array"}, @@ -10473,6 +10498,11 @@ func schema_k8sio_api_authorization_v1_ResourceRule(ref common.ReferenceCallback }, }, "resourceNames": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.", Type: []string{"array"}, @@ -10721,6 +10751,11 @@ func schema_k8sio_api_authorization_v1_SubjectAccessReviewSpec(ref common.Refere }, }, "groups": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Groups is the groups you're testing for.", Type: []string{"array"}, @@ -10824,6 +10859,11 @@ func schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref common.Refer Type: []string{"object"}, Properties: map[string]spec.Schema{ "resourceRules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", Type: []string{"array"}, @@ -10838,6 +10878,11 @@ func schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref common.Refer }, }, "nonResourceRules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", Type: []string{"array"}, @@ -10961,6 +11006,11 @@ func schema_k8sio_api_authorization_v1beta1_NonResourceRule(ref common.Reference Type: []string{"object"}, Properties: map[string]spec.Schema{ "verbs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.", Type: []string{"array"}, @@ -10976,6 +11026,11 @@ func schema_k8sio_api_authorization_v1beta1_NonResourceRule(ref common.Reference }, }, "nonResourceURLs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.", Type: []string{"array"}, @@ -11067,6 +11122,11 @@ func schema_k8sio_api_authorization_v1beta1_ResourceRule(ref common.ReferenceCal Type: []string{"object"}, Properties: map[string]spec.Schema{ "verbs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.", Type: []string{"array"}, @@ -11082,6 +11142,11 @@ func schema_k8sio_api_authorization_v1beta1_ResourceRule(ref common.ReferenceCal }, }, "apiGroups": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.", Type: []string{"array"}, @@ -11097,6 +11162,11 @@ func schema_k8sio_api_authorization_v1beta1_ResourceRule(ref common.ReferenceCal }, }, "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.", Type: []string{"array"}, @@ -11112,6 +11182,11 @@ func schema_k8sio_api_authorization_v1beta1_ResourceRule(ref common.ReferenceCal }, }, "resourceNames": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.", Type: []string{"array"}, @@ -11360,6 +11435,11 @@ func schema_k8sio_api_authorization_v1beta1_SubjectAccessReviewSpec(ref common.R }, }, "group": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Groups is the groups you're testing for.", Type: []string{"array"}, @@ -11463,6 +11543,11 @@ func schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref common. Type: []string{"object"}, Properties: map[string]spec.Schema{ "resourceRules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", Type: []string{"array"}, @@ -11477,6 +11562,11 @@ func schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref common. }, }, "nonResourceRules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", Type: []string{"array"}, diff --git a/staging/src/k8s.io/api/authorization/v1/generated.proto b/staging/src/k8s.io/api/authorization/v1/generated.proto index 47d3a57a072..83283d0bdbe 100644 --- a/staging/src/k8s.io/api/authorization/v1/generated.proto +++ b/staging/src/k8s.io/api/authorization/v1/generated.proto @@ -69,11 +69,13 @@ message NonResourceAttributes { // NonResourceRule holds information that describes a rule for the non-resource message NonResourceRule { // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + // +listType=atomic repeated string verbs = 1; // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, // final step in the path. "*" means all. // +optional + // +listType=atomic repeated string nonResourceURLs = 2; } @@ -115,20 +117,24 @@ message ResourceAttributes { // may contain duplicates, and possibly be incomplete. message ResourceRule { // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +listType=atomic repeated string verbs = 1; // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of // the enumerated resources in any API group will be allowed. "*" means all. // +optional + // +listType=atomic repeated string apiGroups = 2; // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. // +optional + // +listType=atomic repeated string resources = 3; // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. // +optional + // +listType=atomic repeated string resourceNames = 4; } @@ -220,6 +226,7 @@ message SubjectAccessReviewSpec { // Groups is the groups you're testing for. // +optional + // +listType=atomic repeated string groups = 4; // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer @@ -262,10 +269,12 @@ message SubjectAccessReviewStatus { message SubjectRulesReviewStatus { // ResourceRules is the list of actions the subject is allowed to perform on resources. // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + // +listType=atomic repeated ResourceRule resourceRules = 1; // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + // +listType=atomic repeated NonResourceRule nonResourceRules = 2; // Incomplete is true when the rules returned by this call are incomplete. This is most commonly diff --git a/staging/src/k8s.io/api/authorization/v1/types.go b/staging/src/k8s.io/api/authorization/v1/types.go index d1fe483f964..3b42956f899 100644 --- a/staging/src/k8s.io/api/authorization/v1/types.go +++ b/staging/src/k8s.io/api/authorization/v1/types.go @@ -143,6 +143,7 @@ type SubjectAccessReviewSpec struct { User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"` // Groups is the groups you're testing for. // +optional + // +listType=atomic Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"` // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer // it needs a reflection here. @@ -232,9 +233,11 @@ type SelfSubjectRulesReviewSpec struct { type SubjectRulesReviewStatus struct { // ResourceRules is the list of actions the subject is allowed to perform on resources. // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + // +listType=atomic ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"` // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + // +listType=atomic NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"` // Incomplete is true when the rules returned by this call are incomplete. This is most commonly // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. @@ -250,28 +253,34 @@ type SubjectRulesReviewStatus struct { // may contain duplicates, and possibly be incomplete. type ResourceRule struct { // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +listType=atomic Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of // the enumerated resources in any API group will be allowed. "*" means all. // +optional + // +listType=atomic APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"` // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. // +optional + // +listType=atomic Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"` // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. // +optional + // +listType=atomic ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"` } // NonResourceRule holds information that describes a rule for the non-resource type NonResourceRule struct { // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + // +listType=atomic Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, // final step in the path. "*" means all. // +optional + // +listType=atomic NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"` } diff --git a/staging/src/k8s.io/api/authorization/v1beta1/generated.proto b/staging/src/k8s.io/api/authorization/v1beta1/generated.proto index 01736202f83..43bea7aa12d 100644 --- a/staging/src/k8s.io/api/authorization/v1beta1/generated.proto +++ b/staging/src/k8s.io/api/authorization/v1beta1/generated.proto @@ -69,11 +69,13 @@ message NonResourceAttributes { // NonResourceRule holds information that describes a rule for the non-resource message NonResourceRule { // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + // +listType=atomic repeated string verbs = 1; // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, // final step in the path. "*" means all. // +optional + // +listType=atomic repeated string nonResourceURLs = 2; } @@ -115,20 +117,24 @@ message ResourceAttributes { // may contain duplicates, and possibly be incomplete. message ResourceRule { // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +listType=atomic repeated string verbs = 1; // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of // the enumerated resources in any API group will be allowed. "*" means all. // +optional + // +listType=atomic repeated string apiGroups = 2; // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. // +optional + // +listType=atomic repeated string resources = 3; // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. // +optional + // +listType=atomic repeated string resourceNames = 4; } @@ -220,6 +226,7 @@ message SubjectAccessReviewSpec { // Groups is the groups you're testing for. // +optional + // +listType=atomic repeated string group = 4; // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer @@ -262,10 +269,12 @@ message SubjectAccessReviewStatus { message SubjectRulesReviewStatus { // ResourceRules is the list of actions the subject is allowed to perform on resources. // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + // +listType=atomic repeated ResourceRule resourceRules = 1; // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + // +listType=atomic repeated NonResourceRule nonResourceRules = 2; // Incomplete is true when the rules returned by this call are incomplete. This is most commonly diff --git a/staging/src/k8s.io/api/authorization/v1beta1/types.go b/staging/src/k8s.io/api/authorization/v1beta1/types.go index 26530986556..ef3a501b058 100644 --- a/staging/src/k8s.io/api/authorization/v1beta1/types.go +++ b/staging/src/k8s.io/api/authorization/v1beta1/types.go @@ -152,6 +152,7 @@ type SubjectAccessReviewSpec struct { User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"` // Groups is the groups you're testing for. // +optional + // +listType=atomic Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"` // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer // it needs a reflection here. @@ -244,9 +245,11 @@ type SelfSubjectRulesReviewSpec struct { type SubjectRulesReviewStatus struct { // ResourceRules is the list of actions the subject is allowed to perform on resources. // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + // +listType=atomic ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"` // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + // +listType=atomic NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"` // Incomplete is true when the rules returned by this call are incomplete. This is most commonly // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. @@ -262,28 +265,34 @@ type SubjectRulesReviewStatus struct { // may contain duplicates, and possibly be incomplete. type ResourceRule struct { // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +listType=atomic Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of // the enumerated resources in any API group will be allowed. "*" means all. // +optional + // +listType=atomic APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"` // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. // +optional + // +listType=atomic Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"` // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. // +optional + // +listType=atomic ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"` } // NonResourceRule holds information that describes a rule for the non-resource type NonResourceRule struct { // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + // +listType=atomic Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, // final step in the path. "*" means all. // +optional + // +listType=atomic NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"` }