From f14c1384387ac196e87334b5a0e05e01d7581387 Mon Sep 17 00:00:00 2001 From: xilabao Date: Fri, 14 Jul 2017 11:24:27 +0800 Subject: [PATCH 1/3] add selfsubjectrulesreview api --- cmd/kube-apiserver/app/server.go | 4 +- .../cmd/federation-apiserver/app/server.go | 2 +- pkg/apis/authorization/install/install.go | 2 +- pkg/apis/authorization/register.go | 1 + pkg/apis/authorization/types.go | 71 ++++++ .../authorization/validation/validation.go | 4 + pkg/auth/authorizer/abac/abac.go | 53 ++++- pkg/auth/authorizer/abac/abac_test.go | 202 +++++++++++++++++- .../garbagecollector/graph_builder.go | 1 + pkg/kubeapiserver/authorizer/config.go | 38 ++-- pkg/kubeapiserver/authorizer/config_test.go | 2 +- pkg/master/master.go | 2 +- .../rest/storage_authorization.go | 10 +- .../selfsubjectrulesreview/rest.go | 99 +++++++++ plugin/pkg/auth/authorizer/rbac/rbac.go | 30 +++ .../k8s.io/api/authorization/v1/register.go | 1 + .../src/k8s.io/api/authorization/v1/types.go | 79 +++++++ .../api/authorization/v1beta1/register.go | 1 + .../k8s.io/api/authorization/v1beta1/types.go | 79 +++++++ .../authorization/authorizer/interfaces.go | 6 + .../pkg/authorization/authorizer/rule.go | 73 +++++++ .../authorizerfactory/builtin.go | 24 ++- .../pkg/authorization/union/union.go | 38 ++++ .../pkg/authorization/union/union_test.go | 142 ++++++++++++ .../src/k8s.io/apiserver/pkg/server/config.go | 3 + .../plugin/pkg/authorizer/webhook/webhook.go | 11 + test/integration/auth/node_test.go | 2 +- .../etcd/etcd_storage_path_test.go | 4 + 28 files changed, 951 insertions(+), 33 deletions(-) create mode 100644 pkg/registry/authorization/selfsubjectrulesreview/rest.go create mode 100644 staging/src/k8s.io/apiserver/pkg/authorization/authorizer/rule.go diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go index df00872b9b1..837799fd2f8 100644 --- a/cmd/kube-apiserver/app/server.go +++ b/cmd/kube-apiserver/app/server.go 
@@ -441,7 +441,7 @@ func BuildGenericConfig(s *options.ServerRunOptions) (*genericapiserver.Config, return nil, nil, nil, nil, nil, fmt.Errorf("invalid authentication config: %v", err) } - genericConfig.Authorizer, err = BuildAuthorizer(s, sharedInformers) + genericConfig.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, sharedInformers) if err != nil { return nil, nil, nil, nil, nil, fmt.Errorf("invalid authorization config: %v", err) } @@ -542,7 +542,7 @@ func BuildAuthenticator(s *options.ServerRunOptions, storageFactory serverstorag } // BuildAuthorizer constructs the authorizer -func BuildAuthorizer(s *options.ServerRunOptions, sharedInformers informers.SharedInformerFactory) (authorizer.Authorizer, error) { +func BuildAuthorizer(s *options.ServerRunOptions, sharedInformers informers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) { authorizationConfig := s.Authorization.ToAuthorizationConfig(sharedInformers) return authorizationConfig.New() } diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go index 9f25c9a8bcd..47f3054cc55 100644 --- a/federation/cmd/federation-apiserver/app/server.go +++ b/federation/cmd/federation-apiserver/app/server.go @@ -190,7 +190,7 @@ func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error { sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute) authorizationConfig := s.Authorization.ToAuthorizationConfig(sharedInformers) - apiAuthorizer, err := authorizationConfig.New() + apiAuthorizer, _, err := authorizationConfig.New() if err != nil { return fmt.Errorf("invalid Authorization Config: %v", err) } diff --git a/pkg/apis/authorization/install/install.go b/pkg/apis/authorization/install/install.go index bb9d882cd9f..47b78fe5ec7 100644 --- a/pkg/apis/authorization/install/install.go +++ b/pkg/apis/authorization/install/install.go 
@@ -39,7 +39,7 @@ func Install(groupFactoryRegistry announced.APIGroupFactoryRegistry, registry *r &announced.GroupMetaFactoryArgs{ GroupName: authorization.GroupName, VersionPreferenceOrder: []string{v1.SchemeGroupVersion.Version, v1beta1.SchemeGroupVersion.Version}, - RootScopedKinds: sets.NewString("SubjectAccessReview", "SelfSubjectAccessReview"), + RootScopedKinds: sets.NewString("SubjectAccessReview", "SelfSubjectAccessReview", "SelfSubjectRulesReview"), AddInternalObjectsToScheme: authorization.AddToScheme, }, announced.VersionToSchemeFunc{ diff --git a/pkg/apis/authorization/register.go b/pkg/apis/authorization/register.go index 5693885e4e7..7ebf0322a53 100644 --- a/pkg/apis/authorization/register.go +++ b/pkg/apis/authorization/register.go @@ -44,6 +44,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, + &SelfSubjectRulesReview{}, &SelfSubjectAccessReview{}, &SubjectAccessReview{}, &LocalSubjectAccessReview{}, diff --git a/pkg/apis/authorization/types.go b/pkg/apis/authorization/types.go index cf69c260df3..4920913c59e 100644 --- a/pkg/apis/authorization/types.go +++ b/pkg/apis/authorization/types.go 
@@ -149,3 +149,74 @@ type SubjectAccessReviewStatus struct { // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. EvaluationError string } + +// +genclient +// +genclient:nonNamespaced +// +genclient:noVerbs +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +type SelfSubjectRulesReview struct { + metav1.TypeMeta + metav1.ObjectMeta + + // Spec holds information about the request being evaluated. + Spec SelfSubjectRulesReviewSpec + + // Status is filled in by the server and indicates the set of actions a user can perform. + Status SubjectRulesReviewStatus +} + +type SelfSubjectRulesReviewSpec struct { + // Namespace to evaluate rules for. Required. + Namespace string +} + +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. +// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. +type SubjectRulesReviewStatus struct { + // ResourceRules is the list of actions the subject is allowed to perform on resources. 
+ // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + ResourceRules []ResourceRule + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + NonResourceRules []NonResourceRule + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + Incomplete bool + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + EvaluationError string +} + +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +type ResourceRule struct { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + Verbs []string + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + APIGroups []string + // Resources is a list of resources this rule applies to. ResourceAll represents all resources. "*" means all. + Resources []string + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + ResourceNames []string +} + +// NonResourceRule holds information that describes a rule for the non-resource +type NonResourceRule struct { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. 
+ Verbs []string + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + NonResourceURLs []string +} diff --git a/pkg/apis/authorization/validation/validation.go b/pkg/apis/authorization/validation/validation.go index 725e6f0b2f0..512c383078c 100644 --- a/pkg/apis/authorization/validation/validation.go +++ b/pkg/apis/authorization/validation/validation.go @@ -50,6 +50,10 @@ func ValidateSelfSubjectAccessReviewSpec(spec authorizationapi.SelfSubjectAccess return allErrs } +func ValidateSelfSubjectRulesReview(review *authorizationapi.SelfSubjectRulesReview) field.ErrorList { + return field.ErrorList{} +} + func ValidateSubjectAccessReview(sar *authorizationapi.SubjectAccessReview) field.ErrorList { allErrs := ValidateSubjectAccessReviewSpec(sar.Spec, field.NewPath("spec")) if !apiequality.Semantic.DeepEqual(metav1.ObjectMeta{}, sar.ObjectMeta) { diff --git a/pkg/auth/authorizer/abac/abac.go b/pkg/auth/authorizer/abac/abac.go index 70667e50375..5e56c19ba9c 100644 --- a/pkg/auth/authorizer/abac/abac.go +++ b/pkg/auth/authorizer/abac/abac.go @@ -28,6 +28,7 @@ import ( "github.com/golang/glog" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" api "k8s.io/kubernetes/pkg/apis/abac" _ "k8s.io/kubernetes/pkg/apis/abac/latest" @@ -114,7 +115,7 @@ func NewFromFile(path string) (policyList, error) { } func matches(p api.Policy, a authorizer.Attributes) bool { - if subjectMatches(p, a) { + if subjectMatches(p, a.GetUser()) { if verbMatches(p, a) { // Resource and non-resource requests are mutually exclusive, at most one will match a policy if resourceMatches(p, a) { 
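Review bot: The doc comment on `SelfSubjectRulesReview` points readers to `LocalAccessReview`, which is not a kind in this group; the kind registered in `register.go` is `LocalSubjectAccessReview`, and since this sentence is the guidance that steers integrators away from using the rules list for authorization decisions, it should name the right API. I would change the last sentence to `// SubjectAccessReview and LocalSubjectAccessReview are the correct way to defer authorization decisions to the API server.` and fix `NOT Be` to `NOT be`. `SelfSubjectRulesReviewSpec` is exported without a doc comment; `// SelfSubjectRulesReviewSpec identifies the namespace whose rules are being requested.` would do. The same wording is repeated in the staging v1 types added later in this patch.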
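Review bot: `ValidateSelfSubjectRulesReview` accepts every object: it returns an empty `field.ErrorList` without looking at `review`, while the neighbouring `ValidateSubjectAccessReview` at least rejects a populated `ObjectMeta`. The required-namespace check is instead done inline in the new `Create` handler in `selfsubjectrulesreview/rest.go`, which does not call this function in the lines of this patch. Either move the check here, e.g. `if len(review.Spec.Namespace) == 0 { allErrs = append(allErrs, field.Required(field.NewPath("spec", "namespace"), "")) }`, and call it from `Create`, or drop the stub so nobody assumes validation happens. A doc comment stating what is and is not validated would help either way.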
@@ -129,15 +130,14 @@ func matches(p api.Policy, a authorizer.Attributes) bool { } // subjectMatches returns true if specified user and group properties in the policy match the attributes -func subjectMatches(p api.Policy, a authorizer.Attributes) bool { +func subjectMatches(p api.Policy, user user.Info) bool { matched := false - username := "" - groups := []string{} - if user := a.GetUser(); user != nil { - username = user.GetName() - groups = user.GetGroups() + if user == nil { + return false } + username := user.GetName() + groups := user.GetGroups() // If the policy specified a user, ensure it matches if len(p.Spec.User) > 0 { 
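Review bot: The new `if user == nil { return false }` guard changes `Authorize` as well as the new `RulesFor`: before this hunk a request without a user fell through with an empty name and no groups, so whether it matched was decided by the rest of the function, which continues outside the hunk. If any deployed policy relied on that path it now gets a deny, so the behaviour change deserves a line in the commit message and a case in `TestSubjectMatches`. Separately, the parameter `user user.Info` shadows the newly imported `user` package inside the function; naming it `u` (`func subjectMatches(p api.Policy, u user.Info) bool`) avoids that, and the doc comment should say it matches against the user rather than "the attributes".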
@@ -232,3 +232,42 @@ func (pl policyList) Authorize(a authorizer.Attributes) (bool, string, error) { // policy file, compared to other steps such as encoding/decoding. // Then, add Caching only if needed. } + +func (pl policyList) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { + var ( + resourceRules []authorizer.ResourceRuleInfo + nonResourceRules []authorizer.NonResourceRuleInfo + ) + + for _, p := range pl { + if subjectMatches(*p, user) { + if p.Spec.Namespace == "*" || p.Spec.Namespace == namespace { + if len(p.Spec.Resource) > 0 { + r := authorizer.DefaultResourceRuleInfo{ + Verbs: getVerbs(p.Spec.Readonly), + APIGroups: []string{p.Spec.APIGroup}, + Resources: []string{p.Spec.Resource}, + } + var resourceRule authorizer.ResourceRuleInfo = &r + resourceRules = append(resourceRules, resourceRule) + } + if len(p.Spec.NonResourcePath) > 0 { + r := authorizer.DefaultNonResourceRuleInfo{ + Verbs: getVerbs(p.Spec.Readonly), + NonResourceURLs: []string{p.Spec.NonResourcePath}, + } + var nonResourceRule authorizer.NonResourceRuleInfo = &r + nonResourceRules = append(nonResourceRules, nonResourceRule) + } + } + } + } + return resourceRules, nonResourceRules, false, nil +} + +func getVerbs(isReadOnly bool) []string { + if isReadOnly { + return []string{"get", "list", "watch"} + } + return []string{"*"} +} diff --git a/pkg/auth/authorizer/abac/abac_test.go b/pkg/auth/authorizer/abac/abac_test.go index 51e27363871..b8df86bb806 100644 --- a/pkg/auth/authorizer/abac/abac_test.go +++ b/pkg/auth/authorizer/abac/abac_test.go @@ -19,6 +19,7 @@ package abac import ( "io/ioutil" "os" + "reflect" "testing" "k8s.io/apimachinery/pkg/runtime" 
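Review bot: `getVerbs` is reused for the non-resource branch of `RulesFor`, so a read-only policy with a `nonResourcePath` is reported with verbs `get`, `list`, `watch`, although the `NonResourceRule` type added in this patch documents non-resource verbs as HTTP-style (`get, post, put, delete, patch, head, options`). Since the status docs promise that a listed rule can be assumed to be granted, I would report only what a read-only policy really allows on a URL, e.g. `Verbs: []string{"get"}` for that branch; this needs confirming against `verbMatches`, which is outside this hunk. `RulesFor` and `getVerbs` also need doc comments, the nested `if`s read better with `continue` guards, and `resourceRules = append(resourceRules, &authorizer.DefaultResourceRuleInfo{...})` removes the temporary interface variable.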
@@ -141,6 +142,203 @@ func TestAuthorizeV0(t *testing.T) { } } +func getResourceRules(infos []authorizer.ResourceRuleInfo) []authorizer.DefaultResourceRuleInfo { + rules := make([]authorizer.DefaultResourceRuleInfo, len(infos)) + for i, info := range infos { + rules[i] = authorizer.DefaultResourceRuleInfo{ + Verbs: info.GetVerbs(), + APIGroups: info.GetAPIGroups(), + Resources: info.GetResources(), + ResourceNames: info.GetResourceNames(), + } + } + return rules +} + +func getNonResourceRules(infos []authorizer.NonResourceRuleInfo) []authorizer.DefaultNonResourceRuleInfo { + rules := make([]authorizer.DefaultNonResourceRuleInfo, len(infos)) + for i, info := range infos { + rules[i] = authorizer.DefaultNonResourceRuleInfo{ + Verbs: info.GetVerbs(), + NonResourceURLs: info.GetNonResourceURLs(), + } + } + return rules +} + +func TestRulesFor(t *testing.T) { + a, err := newWithContents(t, ` +{ "readonly": true, "resource": "events" } +{"user":"scheduler", "readonly": true, "resource": "pods" } +{"user":"scheduler", "resource": "bindings" } +{"user":"kubelet", "readonly": true, "resource": "pods" } +{"user":"kubelet", "resource": "events" } +{"user":"alice", "namespace": "projectCaribou"} +{"user":"bob", "readonly": true, "namespace": "projectCaribou"} +{"user":"bob", "readonly": true, "nonResourcePath": "*"} +{"group":"a", "resource": "bindings" } +{"group":"b", "readonly": true, "nonResourcePath": "*"} +`) + if err != nil { + t.Fatalf("unable to read policy file: %v", err) + } + + authenticatedGroup := []string{user.AllAuthenticated} + + uScheduler := user.DefaultInfo{Name: "scheduler", UID: "uid1", Groups: authenticatedGroup} + uKubelet := user.DefaultInfo{Name: "kubelet", UID: "uid2", Groups: []string{"a", "b"}} + uAlice := user.DefaultInfo{Name: "alice", UID: "uid3", Groups: authenticatedGroup} + uBob := user.DefaultInfo{Name: "bob", UID: "uid4", Groups: authenticatedGroup} + uChuck := user.DefaultInfo{Name: "chuck", UID: "uid5", Groups: []string{"a", "b"}} + + 
testCases := []struct { + User user.DefaultInfo + Namespace string + ExpectResourceRules []authorizer.DefaultResourceRuleInfo + ExpectNonResourceRules []authorizer.DefaultNonResourceRuleInfo + }{ + { + User: uScheduler, + Namespace: "ns1", + ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{ + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"events"}, + }, + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"pods"}, + }, + { + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"bindings"}, + }, + }, + ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{}, + }, + { + User: uKubelet, + Namespace: "ns1", + ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{ + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"pods"}, + }, + { + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"events"}, + }, + { + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"bindings"}, + }, + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + }, + ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{ + { + Verbs: []string{"get", "list", "watch"}, + NonResourceURLs: []string{"*"}, + }, + }, + }, + { + User: uAlice, + Namespace: "projectCaribou", + ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{ + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"events"}, + }, + { + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + }, + ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{}, + }, + { + User: uBob, + Namespace: "projectCaribou", + ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{ + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"events"}, + }, + { 
+ Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + }, + ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{ + { + Verbs: []string{"get", "list", "watch"}, + NonResourceURLs: []string{"*"}, + }, + }, + }, + { + User: uChuck, + Namespace: "ns1", + ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{ + { + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"bindings"}, + }, + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + }, + ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{ + { + Verbs: []string{"get", "list", "watch"}, + NonResourceURLs: []string{"*"}, + }, + }, + }, + } + for i, tc := range testCases { + attr := authorizer.AttributesRecord{ + User: &tc.User, + Namespace: tc.Namespace, + } + resourceRules, nonResourceRules, _, _ := a.RulesFor(attr.GetUser(), attr.GetNamespace()) + actualResourceRules := getResourceRules(resourceRules) + if !reflect.DeepEqual(tc.ExpectResourceRules, actualResourceRules) { + t.Logf("tc: %v -> attr %v", tc, attr) + t.Errorf("%d: Expected: \n%#v\n but actual: \n%#v\n", + i, tc.ExpectResourceRules, actualResourceRules) + } + actualNonResourceRules := getNonResourceRules(nonResourceRules) + if !reflect.DeepEqual(tc.ExpectNonResourceRules, actualNonResourceRules) { + t.Logf("tc: %v -> attr %v", tc, attr) + t.Errorf("%d: Expected: \n%#v\n but actual: \n%#v\n", + i, tc.ExpectNonResourceRules, actualNonResourceRules) + } + } +} + func TestAuthorizeV1beta1(t *testing.T) { a, err := newWithContents(t, ` 
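Review bot: `TestRulesFor` throws away two of the four results, `resourceRules, nonResourceRules, _, _ := a.RulesFor(attr.GetUser(), attr.GetNamespace())`, so a regression that starts returning an error or flips the incomplete flag would pass unnoticed. Bind them and assert, e.g. `if err != nil || incomplete { t.Errorf("%d: unexpected incomplete=%v err=%v", i, incomplete, err) }`. A case with a nil user and one with a namespace that matches no policy would also pin the paths that must return no rules.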
@@ -609,7 +807,7 @@ func TestSubjectMatches(t *testing.T) { attr := authorizer.AttributesRecord{ User: &tc.User, } - actualMatch := subjectMatches(*policy, attr) + actualMatch := subjectMatches(*policy, attr.GetUser()) if tc.ExpectMatch != actualMatch { t.Errorf("%v: Expected actorMatches=%v but actually got=%v", k, tc.ExpectMatch, actualMatch) @@ -617,7 +815,7 @@ func TestSubjectMatches(t *testing.T) { } } -func newWithContents(t *testing.T, contents string) (authorizer.Authorizer, error) { +func newWithContents(t *testing.T, contents string) (policyList, error) { f, err := ioutil.TempFile("", "abac_test") if err != nil { t.Fatalf("unexpected error creating policyfile: %v", err) diff --git a/pkg/controller/garbagecollector/graph_builder.go b/pkg/controller/garbagecollector/graph_builder.go index 2cc7cb4daff..b4199222b41 100644 --- a/pkg/controller/garbagecollector/graph_builder.go +++ b/pkg/controller/garbagecollector/graph_builder.go @@ -359,6 +359,7 @@ var ignoredResources = map[schema.GroupResource]struct{}{ {Group: "authorization.k8s.io", Resource: "subjectaccessreviews"}: {}, {Group: "authorization.k8s.io", Resource: "selfsubjectaccessreviews"}: {}, {Group: "authorization.k8s.io", Resource: "localsubjectaccessreviews"}: {}, + {Group: "authorization.k8s.io", Resource: "selfsubjectrulesreviews"}: {}, {Group: "apiregistration.k8s.io", Resource: "apiservices"}: {}, {Group: "apiextensions.k8s.io", Resource: "customresourcedefinitions"}: {}, } diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go index 1466d2b4114..659f2ae7a05 100644 --- a/pkg/kubeapiserver/authorizer/config.go +++ b/pkg/kubeapiserver/authorizer/config.go 
@@ -56,17 +56,20 @@ type AuthorizationConfig struct { // New returns the right sort of union of multiple authorizer.Authorizer objects // based on the authorizationMode or an error. -func (config AuthorizationConfig) New() (authorizer.Authorizer, error) { +func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleResolver, error) { if len(config.AuthorizationModes) == 0 { - return nil, errors.New("At least one authorization mode should be passed") + return nil, nil, errors.New("At least one authorization mode should be passed") } - var authorizers []authorizer.Authorizer + var ( + authorizers []authorizer.Authorizer + ruleResolvers []authorizer.RuleResolver + ) authorizerMap := make(map[string]bool) for _, authorizationMode := range config.AuthorizationModes { if authorizerMap[authorizationMode] { - return nil, fmt.Errorf("Authorization mode %s specified more than once", authorizationMode) + return nil, nil, fmt.Errorf("Authorization mode %s specified more than once", authorizationMode) } // Keep cases in sync with constant list above. switch authorizationMode { 
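Review bot: The doc comment on `New` still says it returns a union of `authorizer.Authorizer` objects, but the signature now also returns an `authorizer.RuleResolver`. Suggest `// New returns the union authorizer and the union rule resolver for the configured authorization modes, or an error.` The function body continues past this hunk.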
@@ -81,29 +84,35 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) { authorizers = append(authorizers, nodeAuthorizer) case modes.ModeAlwaysAllow: - authorizers = append(authorizers, authorizerfactory.NewAlwaysAllowAuthorizer()) + alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer() + authorizers = append(authorizers, alwaysAllowAuthorizer) + ruleResolvers = append(ruleResolvers, alwaysAllowAuthorizer) case modes.ModeAlwaysDeny: - authorizers = append(authorizers, authorizerfactory.NewAlwaysDenyAuthorizer()) + alwaysDenyAuthorizer := authorizerfactory.NewAlwaysDenyAuthorizer() + authorizers = append(authorizers, alwaysDenyAuthorizer) + ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer) case modes.ModeABAC: if config.PolicyFile == "" { - return nil, errors.New("ABAC's authorization policy file not passed") + return nil, nil, errors.New("ABAC's authorization policy file not passed") } abacAuthorizer, err := abac.NewFromFile(config.PolicyFile) if err != nil { - return nil, err + return nil, nil, err } authorizers = append(authorizers, abacAuthorizer) + ruleResolvers = append(ruleResolvers, abacAuthorizer) case modes.ModeWebhook: if config.WebhookConfigFile == "" { - return nil, errors.New("Webhook's configuration file not passed") + return nil, nil, errors.New("Webhook's configuration file not passed") } webhookAuthorizer, err := webhook.New(config.WebhookConfigFile, config.WebhookCacheAuthorizedTTL, config.WebhookCacheUnauthorizedTTL) if err != nil { - return nil, err + return nil, nil, err } authorizers = append(authorizers, webhookAuthorizer) + ruleResolvers = append(ruleResolvers, webhookAuthorizer) case modes.ModeRBAC: rbacAuthorizer := rbac.New( &rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()}, 
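Review bot: The node authorizer case at the top of this hunk still appends only to `authorizers` (`authorizers = append(authorizers, nodeAuthorizer)`), so it contributes nothing to `ruleResolvers` while every other mode in the switch does. Unless `union.NewRuleResolvers` (not visible here) compensates, a SelfSubjectRulesReview on a server running that mode omits whatever the node authorizer grants and nothing marks the result as incomplete. Either register a resolver for it that reports `incomplete=true`, or record the decision next to the case with a comment such as `// node authorizer rules are not enumerable; SelfSubjectRulesReview omits them`. The switch begins before this hunk.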
@@ -112,18 +121,19 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) { &rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()}, ) authorizers = append(authorizers, rbacAuthorizer) + ruleResolvers = append(ruleResolvers, rbacAuthorizer) default: - return nil, fmt.Errorf("Unknown authorization mode %s specified", authorizationMode) + return nil, nil, fmt.Errorf("Unknown authorization mode %s specified", authorizationMode) } authorizerMap[authorizationMode] = true } if !authorizerMap[modes.ModeABAC] && config.PolicyFile != "" { - return nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC") + return nil, nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC") } if !authorizerMap[modes.ModeWebhook] && config.WebhookConfigFile != "" { - return nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook") + return nil, nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook") } - return union.New(authorizers...), nil + return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil } diff --git a/pkg/kubeapiserver/authorizer/config_test.go b/pkg/kubeapiserver/authorizer/config_test.go index ac2d5e983fd..42cee988900 100644 --- a/pkg/kubeapiserver/authorizer/config_test.go +++ b/pkg/kubeapiserver/authorizer/config_test.go @@ -91,7 +91,7 @@ func TestNew(t *testing.T) { } for _, tt := range tests { - _, err := tt.config.New() + _, _, err := tt.config.New() if tt.wantErr && (err == nil) { t.Errorf("New %s", tt.msg) } else if !tt.wantErr && (err != nil) { diff --git a/pkg/master/master.go b/pkg/master/master.go index d6f7130a076..a2b3d591eed 100644 --- a/pkg/master/master.go +++ b/pkg/master/master.go 
@@ -256,7 +256,7 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) // handlers that we have. restStorageProviders := []RESTStorageProvider{ authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authenticator}, - authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorizer}, + authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorizer, RuleResolver: c.GenericConfig.RuleResolver}, autoscalingrest.RESTStorageProvider{}, batchrest.RESTStorageProvider{}, certificatesrest.RESTStorageProvider{}, diff --git a/pkg/registry/authorization/rest/storage_authorization.go b/pkg/registry/authorization/rest/storage_authorization.go index 4056516e3bc..19eeb2fd254 100644 --- a/pkg/registry/authorization/rest/storage_authorization.go +++ b/pkg/registry/authorization/rest/storage_authorization.go @@ -28,11 +28,13 @@ import ( "k8s.io/kubernetes/pkg/apis/authorization" "k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview" "k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview" + "k8s.io/kubernetes/pkg/registry/authorization/selfsubjectrulesreview" "k8s.io/kubernetes/pkg/registry/authorization/subjectaccessreview" ) type RESTStorageProvider struct { - Authorizer authorizer.Authorizer + Authorizer authorizer.Authorizer + RuleResolver authorizer.RuleResolver } func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool) { 
@@ -70,6 +72,9 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorag if apiResourceConfigSource.ResourceEnabled(version.WithResource("localsubjectaccessreviews")) { storage["localsubjectaccessreviews"] = localsubjectaccessreview.NewREST(p.Authorizer) } + if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectrulesreviews")) { + storage["selfsubjectrulesreviews"] = selfsubjectrulesreview.NewREST(p.RuleResolver) + } return storage } @@ -87,6 +92,9 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API if apiResourceConfigSource.ResourceEnabled(version.WithResource("localsubjectaccessreviews")) { storage["localsubjectaccessreviews"] = localsubjectaccessreview.NewREST(p.Authorizer) } + if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectrulesreviews")) { + storage["selfsubjectrulesreviews"] = selfsubjectrulesreview.NewREST(p.RuleResolver) + } return storage } diff --git a/pkg/registry/authorization/selfsubjectrulesreview/rest.go b/pkg/registry/authorization/selfsubjectrulesreview/rest.go new file mode 100644 index 00000000000..062829faba5 --- /dev/null +++ b/pkg/registry/authorization/selfsubjectrulesreview/rest.go 
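Review bot: Both storage hunks (`v1beta1Storage` and `v1Storage`) pass `p.RuleResolver` straight into `selfsubjectrulesreview.NewREST`, and `Create` in the new `rest.go` calls `r.ruleResolver.RulesFor` without a nil check. `RESTStorageProvider` is an exported struct, so a caller that sets only `Authorizer`, which was sufficient before this patch, now registers an endpoint that panics on first use. Guard the registration, e.g. `if p.RuleResolver != nil && apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectrulesreviews")) {`, or have `NewREST` reject a nil resolver.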
@@ -0,0 +1,99 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package selfsubjectrulesreview + +import ( + "fmt" + + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apiserver/pkg/authorization/authorizer" + genericapirequest "k8s.io/apiserver/pkg/endpoints/request" + authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" +) + +// REST implements a RESTStorage for selfsubjectrulesreview. +type REST struct { + ruleResolver authorizer.RuleResolver +} + +// NewREST returns a RESTStorage object that will work against selfsubjectrulesreview. +func NewREST(ruleResolver authorizer.RuleResolver) *REST { + return &REST{ruleResolver} +} + +// New creates a new selfsubjectrulesreview object. +func (r *REST) New() runtime.Object { + return &authorizationapi.SelfSubjectRulesReview{} +} + +// Create attempts to get self subject rules in specific namespace. 
+func (r *REST) Create(ctx genericapirequest.Context, obj runtime.Object, includeUninitialized bool) (runtime.Object, error) { + selfSRR, ok := obj.(*authorizationapi.SelfSubjectRulesReview) + if !ok { + return nil, apierrors.NewBadRequest(fmt.Sprintf("not a SelfSubjectRulesReview: %#v", obj)) + } + + user, ok := genericapirequest.UserFrom(ctx) + if !ok { + return nil, apierrors.NewBadRequest("no user present on request") + } + + namespace := selfSRR.Spec.Namespace + if namespace == "" { + return nil, apierrors.NewBadRequest("no namespace on request") + } + resourceInfo, nonResourceInfo, incomplete, err := r.ruleResolver.RulesFor(user, namespace) + + ret := &authorizationapi.SelfSubjectRulesReview{ + Status: authorizationapi.SubjectRulesReviewStatus{ + ResourceRules: getResourceRules(resourceInfo), + NonResourceRules: getNonResourceRules(nonResourceInfo), + Incomplete: incomplete, + }, + } + + if err != nil { + ret.Status.EvaluationError = err.Error() + } + + return ret, nil +} + +func getResourceRules(infos []authorizer.ResourceRuleInfo) []authorizationapi.ResourceRule { + rules := make([]authorizationapi.ResourceRule, len(infos)) + for i, info := range infos { + rules[i] = authorizationapi.ResourceRule{ + Verbs: info.GetVerbs(), + APIGroups: info.GetAPIGroups(), + Resources: info.GetResources(), + ResourceNames: info.GetResourceNames(), + } + } + return rules +} + +func getNonResourceRules(infos []authorizer.NonResourceRuleInfo) []authorizationapi.NonResourceRule { + rules := make([]authorizationapi.NonResourceRule, len(infos)) + for i, info := range infos { + rules[i] = authorizationapi.NonResourceRule{ + Verbs: info.GetVerbs(), + NonResourceURLs: info.GetNonResourceURLs(), + } + } + return rules +} diff --git a/plugin/pkg/auth/authorizer/rbac/rbac.go b/plugin/pkg/auth/authorizer/rbac/rbac.go index 6341936edc5..68ef7b2567f 100644 --- a/plugin/pkg/auth/authorizer/rbac/rbac.go +++ b/plugin/pkg/auth/authorizer/rbac/rbac.go 
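Review bot: `Create` copies `incomplete` from the resolver as-is and only records the error text, so a response can carry a non-empty `EvaluationError` together with `Incomplete: false`; the RBAC resolver in this patch does exactly that (`return resourceRules, nonResourceRules, false, err`). The status docs say an evaluation error means the lists may be incomplete, so a client that looks only at the flag will treat a partial list as the full picture. If that is not intended, set it in the handler: `Incomplete: incomplete || err != nil`. The `ValidateSelfSubjectRulesReview` stub added in this patch is not called here, and `getResourceRules`/`getNonResourceRules` lack doc comments.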
@@ -123,6 +123,36 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo return false, reason, nil } +func (r *RBACAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { + var ( + resourceRules []authorizer.ResourceRuleInfo + nonResourceRules []authorizer.NonResourceRuleInfo + ) + + policyRules, err := r.authorizationRuleResolver.RulesFor(user, namespace) + for _, policyRule := range policyRules { + if len(policyRule.Resources) > 0 { + r := authorizer.DefaultResourceRuleInfo{ + Verbs: policyRule.Verbs, + APIGroups: policyRule.APIGroups, + Resources: policyRule.Resources, + ResourceNames: policyRule.ResourceNames, + } + var resourceRule authorizer.ResourceRuleInfo = &r + resourceRules = append(resourceRules, resourceRule) + } + if len(policyRule.NonResourceURLs) > 0 { + r := authorizer.DefaultNonResourceRuleInfo{ + Verbs: policyRule.Verbs, + NonResourceURLs: policyRule.NonResourceURLs, + } + var nonResourceRule authorizer.NonResourceRuleInfo = &r + nonResourceRules = append(nonResourceRules, nonResourceRule) + } + } + return resourceRules, nonResourceRules, false, err +} + func New(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister) *RBACAuthorizer { authorizer := &RBACAuthorizer{ authorizationRuleResolver: rbacregistryvalidation.NewDefaultRuleResolver( diff --git a/staging/src/k8s.io/api/authorization/v1/register.go b/staging/src/k8s.io/api/authorization/v1/register.go index 031227e8ff4..d716eaa98da 100644 --- a/staging/src/k8s.io/api/authorization/v1/register.go +++ b/staging/src/k8s.io/api/authorization/v1/register.go 
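Review bot: Inside the loop of `RulesFor`, `r := authorizer.DefaultResourceRuleInfo{...}` and `r := authorizer.DefaultNonResourceRuleInfo{...}` shadow the method receiver `r *RBACAuthorizer`; it compiles today, but a later edit that touches the receiver inside those blocks would resolve to the local instead. Appending the literal directly, `resourceRules = append(resourceRules, &authorizer.DefaultResourceRuleInfo{Verbs: policyRule.Verbs, ...})`, removes both the shadowing and the temporary interface variable. The rule infos also share the `Verbs`, `APIGroups`, `Resources` and `ResourceNames` slices with `policyRule`, which presumably comes from lister-backed objects, so the doc comment this exported method is missing should say that callers must treat the returned slices as read-only.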
@@ -44,6 +44,7 @@ var ( // Adds the list of known types to api.Scheme. func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, + &SelfSubjectRulesReview{}, &SelfSubjectAccessReview{}, &SubjectAccessReview{}, &LocalSubjectAccessReview{}, diff --git a/staging/src/k8s.io/api/authorization/v1/types.go b/staging/src/k8s.io/api/authorization/v1/types.go index a68b8ca53dc..99ec3bcbf7f 100644 --- a/staging/src/k8s.io/api/authorization/v1/types.go +++ b/staging/src/k8s.io/api/authorization/v1/types.go 
@@ -180,3 +180,82 @@ type SubjectAccessReviewStatus struct { // +optional EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"` } + +// +genclient +// +genclient:nonNamespaced +// +genclient:noVerbs +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +type SelfSubjectRulesReview struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // Spec holds information about the request being evaluated. + Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` + + // Status is filled in by the server and indicates the set of actions a user can perform. + // +optional + Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` +} + +type SelfSubjectRulesReviewSpec struct { + // Namespace to evaluate rules for. Required. + Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"` +} + +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. 
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. +type SubjectRulesReviewStatus struct { + // ResourceRules is the list of actions the subject is allowed to perform on resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"` + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"` + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"` + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + // +optional + EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"` +} + +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +type ResourceRule struct { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` + + // APIGroups is the name of the APIGroup that contains the resources. 
If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + // +optional + APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"` + // Resources is a list of resources this rule applies to. ResourceAll represents all resources. "*" means all. + // +optional + Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"` + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + // +optional + ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"` +} + +// NonResourceRule holds information that describes a rule for the non-resource +type NonResourceRule struct { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + // +optional + NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"` +} diff --git a/staging/src/k8s.io/api/authorization/v1beta1/register.go b/staging/src/k8s.io/api/authorization/v1beta1/register.go index 07d4ffceb30..d8116d5a47a 100644 --- a/staging/src/k8s.io/api/authorization/v1beta1/register.go +++ b/staging/src/k8s.io/api/authorization/v1beta1/register.go @@ -44,6 +44,7 @@ var ( // Adds the list of known types to api.Scheme. func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, + &SelfSubjectRulesReview{}, &SelfSubjectAccessReview{}, &SubjectAccessReview{}, &LocalSubjectAccessReview{}, 
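Review bot: The doc comment on `SelfSubjectRulesReview` points readers to `LocalAccessReview` for real authorization decisions, but the type registered alongside it is `LocalSubjectAccessReview`. This sentence is the guidance that keeps integrators from using rule listings for access control, so it should read `// SubjectAccessReview and LocalSubjectAccessReview are the correct way to defer authorization decisions to the API server.` (and `NOT Be` should be `NOT be`). `SelfSubjectRulesReviewSpec` has no doc comment and marks `Namespace` as "Required." while tagging it `omitempty`; a line such as `// SelfSubjectRulesReviewSpec defines the namespace to evaluate; an empty namespace is rejected by the server.` would record where the requirement is enforced. The `Incomplete bool` field carries `protobuf:"bytes,3,rep,name=incomplete"`, which looks copied from the slice fields above it and is worth checking against the generator output. The same points apply to the identical v1beta1/types.go hunk.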
diff --git a/staging/src/k8s.io/api/authorization/v1beta1/types.go b/staging/src/k8s.io/api/authorization/v1beta1/types.go index f395673766d..a0659d519c0 100644 --- a/staging/src/k8s.io/api/authorization/v1beta1/types.go +++ b/staging/src/k8s.io/api/authorization/v1beta1/types.go 
@@ -180,3 +180,82 @@ type SubjectAccessReviewStatus struct { // +optional EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"` } + +// +genclient +// +genclient:nonNamespaced +// +genclient:noVerbs +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +type SelfSubjectRulesReview struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // Spec holds information about the request being evaluated. + Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` + + // Status is filled in by the server and indicates the set of actions a user can perform. + // +optional + Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` +} + +type SelfSubjectRulesReviewSpec struct { + // Namespace to evaluate rules for. Required. + Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"` +} + +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. 
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. +type SubjectRulesReviewStatus struct { + // ResourceRules is the list of actions the subject is allowed to perform on resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"` + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"` + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"` + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + // +optional + EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"` +} + +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +type ResourceRule struct { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` + + // APIGroups is the name of the APIGroup that contains the resources. 
If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + // +optional + APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"` + // Resources is a list of resources this rule applies to. ResourceAll represents all resources. "*" means all. + // +optional + Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"` + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + // +optional + ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"` +} + +// NonResourceRule holds information that describes a rule for the non-resource +type NonResourceRule struct { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + // +optional + NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"` +} diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go index 8d2753b972e..e94da3e1a44 100644 --- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go +++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go 
@@ -76,6 +76,12 @@ func (f AuthorizerFunc) Authorize(a Attributes) (bool, string, error) { return f(a) } +// RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace. +type RuleResolver interface { + // RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors. + RulesFor(user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error) +} + // RequestAttributesGetter provides a function that extracts Attributes from an http.Request type RequestAttributesGetter interface { GetRequestAttributes(user.Info, *http.Request) Attributes diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/rule.go b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/rule.go new file mode 100644 index 00000000000..8f7d9d9effc --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/rule.go 
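Review bot: The comment on `RulesFor` describes the results as "the list of cluster wide rules, the list of rules in the specific namespace", but the signature returns resource rules and non-resource rules, so the comment misleads implementers about what goes in each slice. It also leaves the `bool` unexplained, and the implementations in this patch already disagree on it when an error is returned (the webhook authorizer returns `true`, the RBAC authorizer `false`). I would reword it to `// RulesFor returns the resource rules and non-resource rules that apply to user in namespace, whether those lists are incomplete, and any error hit while resolving them.` and state explicitly whether rules may be returned together with a non-nil error.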
@@ -0,0 +1,73 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package authorizer + +type ResourceRuleInfo interface { + // GetVerbs returns a list of kubernetes resource API verbs. + GetVerbs() []string + // GetAPIGroups return the names of the APIGroup that contains the resources. + GetAPIGroups() []string + // GetResources return a list of resources the rule applies to. + GetResources() []string + // GetResourceNames return a white list of names that the rule applies to. + GetResourceNames() []string +} + +// DefaultResourceRuleInfo holds information that describes a rule for the resource +type DefaultResourceRuleInfo struct { + Verbs []string + APIGroups []string + Resources []string + ResourceNames []string +} + +func (i *DefaultResourceRuleInfo) GetVerbs() []string { + return i.Verbs +} + +func (i *DefaultResourceRuleInfo) GetAPIGroups() []string { + return i.APIGroups +} + +func (i *DefaultResourceRuleInfo) GetResources() []string { + return i.Resources +} + +func (i *DefaultResourceRuleInfo) GetResourceNames() []string { + return i.ResourceNames +} + +type NonResourceRuleInfo interface { + // GetVerbs returns a list of kubernetes resource API verbs. + GetVerbs() []string + // GetNonResourceURLs return a set of partial urls that a user should have access to. 
+ GetNonResourceURLs() []string +} + +// DefaultNonResourceRuleInfo holds information that describes a rule for the non-resource +type DefaultNonResourceRuleInfo struct { + Verbs []string + NonResourceURLs []string +} + +func (i *DefaultNonResourceRuleInfo) GetVerbs() []string { + return i.Verbs +} + +func (i *DefaultNonResourceRuleInfo) GetNonResourceURLs() []string { + return i.NonResourceURLs +} diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go index 85846619cc0..8381e83f437 100644 --- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go +++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go @@ -19,6 +19,7 @@ package authorizerfactory import ( "errors" + "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" ) @@ -31,7 +32,22 @@ func (alwaysAllowAuthorizer) Authorize(a authorizer.Attributes) (authorized bool return true, "", nil } -func NewAlwaysAllowAuthorizer() authorizer.Authorizer { +func (alwaysAllowAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { + return []authorizer.ResourceRuleInfo{ + &authorizer.DefaultResourceRuleInfo{ + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + }, []authorizer.NonResourceRuleInfo{ + &authorizer.DefaultNonResourceRuleInfo{ + Verbs: []string{"*"}, + NonResourceURLs: []string{"*"}, + }, + }, false, nil +} + +func NewAlwaysAllowAuthorizer() *alwaysAllowAuthorizer { return new(alwaysAllowAuthorizer) } 
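Review bot: In the new rule.go, `NonResourceRuleInfo.GetVerbs` is documented as returning "kubernetes resource API verbs", copied from `ResourceRuleInfo`; it should say `// GetVerbs returns a list of kubernetes non-resource API verbs.`. The exported interfaces `ResourceRuleInfo` and `NonResourceRuleInfo` and the getter methods on the two Default structs have no doc comments, e.g. `// ResourceRuleInfo describes one rule that grants verbs on API resources.`. The getters also hand out the struct's own slices, so a caller that modifies a returned slice changes the stored rule; a sentence in the interface comment saying the results must be treated as read-only would make that contract explicit.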
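Review bot: `NewAlwaysAllowAuthorizer` now returns the unexported `*alwaysAllowAuthorizer` instead of `authorizer.Authorizer`, a type other packages cannot name, and the signature no longer states which interfaces the value implements; `NewAlwaysDenyAuthorizer` in the next builtin.go hunk changes the same way. If the concrete return type is kept so the value can serve as both interfaces, compile-time assertions next to the types keep the guarantee: `var _ authorizer.Authorizer = (*alwaysAllowAuthorizer)(nil)` and `var _ authorizer.RuleResolver = (*alwaysAllowAuthorizer)(nil)`. The added `RulesFor` methods also need doc comments, e.g. `// RulesFor reports wildcard rules for every user and namespace, matching Authorize.`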
@@ -44,7 +60,11 @@ func (alwaysDenyAuthorizer) Authorize(a authorizer.Attributes) (authorized bool, return false, "Everything is forbidden.", nil } -func NewAlwaysDenyAuthorizer() authorizer.Authorizer { +func (alwaysDenyAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { + return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil +} + +func NewAlwaysDenyAuthorizer() *alwaysDenyAuthorizer { return new(alwaysDenyAuthorizer) } diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/union/union.go b/staging/src/k8s.io/apiserver/pkg/authorization/union/union.go index 9278c6fa9b5..367da59d1be 100644 --- a/staging/src/k8s.io/apiserver/pkg/authorization/union/union.go +++ b/staging/src/k8s.io/apiserver/pkg/authorization/union/union.go @@ -20,6 +20,7 @@ import ( "strings" utilerrors "k8s.io/apimachinery/pkg/util/errors" + "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" ) 
@@ -55,3 +56,40 @@ func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (bool, return false, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist) } + +// unionAuthzRulesHandler authorizer against a chain of authorizer.RuleResolver +type unionAuthzRulesHandler []authorizer.RuleResolver + +// NewRuleResolvers returns an authorizer that authorizes against a chain of authorizer.Authorizer objects +func NewRuleResolvers(authorizationHandlers ...authorizer.RuleResolver) authorizer.RuleResolver { + return unionAuthzRulesHandler(authorizationHandlers) +} + +// RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful +func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { + var ( + errList []error + resourceRulesList []authorizer.ResourceRuleInfo + nonResourceRulesList []authorizer.NonResourceRuleInfo + ) + incompleteStatus := false + + for _, currAuthzHandler := range authzHandler { + resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(user, namespace) + + if incomplete == true { + incompleteStatus = true + } + if err != nil { + errList = append(errList, err) + } + if len(resourceRules) > 0 { + resourceRulesList = append(resourceRulesList, resourceRules...) + } + if len(nonResourceRules) > 0 { + nonResourceRulesList = append(nonResourceRulesList, nonResourceRules...) + } + } + + return resourceRulesList, nonResourceRulesList, incompleteStatus, utilerrors.NewAggregate(errList) +} diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/union/union_test.go b/staging/src/k8s.io/apiserver/pkg/authorization/union/union_test.go index 6107ace459d..96d989fb67b 100644 --- a/staging/src/k8s.io/apiserver/pkg/authorization/union/union_test.go +++ b/staging/src/k8s.io/apiserver/pkg/authorization/union/union_test.go 
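Review bot: The doc comments on the three added declarations were copied from the Authorize chain and no longer describe the code: `NewRuleResolvers` is said to return "an authorizer that authorizes against a chain of authorizer.Authorizer objects", and `RulesFor` to return "nil if successful", while it actually concatenates every resolver's rules and aggregates their errors. Suggested wording: `// NewRuleResolvers returns a RuleResolver that merges the rules of each given RuleResolver.` and `// RulesFor collects rules from every resolver in the chain; the result is incomplete if any resolver reports incomplete, and errors are aggregated.`. The comparison `if incomplete == true` reads better as `if incomplete {`.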
@@ -18,8 +18,10 @@ package union import ( "fmt" + "reflect" "testing" + "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" ) 
@@ -81,3 +83,143 @@ func TestAuthorizationError(t *testing.T) { t.Errorf("Expected error: %v", err) } } + +type mockAuthzRuleHandler struct { + resourceRules []authorizer.ResourceRuleInfo + nonResourceRules []authorizer.NonResourceRuleInfo + err error +} + +func (mock *mockAuthzRuleHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { + if mock.err != nil { + return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, mock.err + } + return mock.resourceRules, mock.nonResourceRules, false, nil +} + +func TestAuthorizationResourceRules(t *testing.T) { + handler1 := &mockAuthzRuleHandler{ + resourceRules: []authorizer.ResourceRuleInfo{ + &authorizer.DefaultResourceRuleInfo{ + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"bindings"}, + }, + &authorizer.DefaultResourceRuleInfo{ + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + }, + } + handler2 := &mockAuthzRuleHandler{ + resourceRules: []authorizer.ResourceRuleInfo{ + &authorizer.DefaultResourceRuleInfo{ + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"events"}, + }, + &authorizer.DefaultResourceRuleInfo{ + Verbs: []string{"get"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + ResourceNames: []string{"foo"}, + }, + }, + } + + expected := []authorizer.DefaultResourceRuleInfo{ + { + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"bindings"}, + }, + { + Verbs: []string{"get", "list", "watch"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + }, + { + Verbs: []string{"*"}, + APIGroups: []string{"*"}, + Resources: []string{"events"}, + }, + { + Verbs: []string{"get"}, + APIGroups: []string{"*"}, + Resources: []string{"*"}, + ResourceNames: []string{"foo"}, + }, + } + + authzRulesHandler := NewRuleResolvers(handler1, handler2) + + rules, _, _, _ := 
authzRulesHandler.RulesFor(nil, "") + actual := getResourceRules(rules) + if !reflect.DeepEqual(expected, actual) { + t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual) + } +} + +func TestAuthorizationNonResourceRules(t *testing.T) { + handler1 := &mockAuthzRuleHandler{ + nonResourceRules: []authorizer.NonResourceRuleInfo{ + &authorizer.DefaultNonResourceRuleInfo{ + Verbs: []string{"get"}, + NonResourceURLs: []string{"/api"}, + }, + }, + } + + handler2 := &mockAuthzRuleHandler{ + nonResourceRules: []authorizer.NonResourceRuleInfo{ + &authorizer.DefaultNonResourceRuleInfo{ + Verbs: []string{"get"}, + NonResourceURLs: []string{"/api/*"}, + }, + }, + } + + expected := []authorizer.DefaultNonResourceRuleInfo{ + { + Verbs: []string{"get"}, + NonResourceURLs: []string{"/api"}, + }, + { + Verbs: []string{"get"}, + NonResourceURLs: []string{"/api/*"}, + }, + } + + authzRulesHandler := NewRuleResolvers(handler1, handler2) + + _, rules, _, _ := authzRulesHandler.RulesFor(nil, "") + actual := getNonResourceRules(rules) + if !reflect.DeepEqual(expected, actual) { + t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual) + } +} + +func getResourceRules(infos []authorizer.ResourceRuleInfo) []authorizer.DefaultResourceRuleInfo { + rules := make([]authorizer.DefaultResourceRuleInfo, len(infos)) + for i, info := range infos { + rules[i] = authorizer.DefaultResourceRuleInfo{ + Verbs: info.GetVerbs(), + APIGroups: info.GetAPIGroups(), + Resources: info.GetResources(), + ResourceNames: info.GetResourceNames(), + } + } + return rules +} + +func getNonResourceRules(infos []authorizer.NonResourceRuleInfo) []authorizer.DefaultNonResourceRuleInfo { + rules := make([]authorizer.DefaultNonResourceRuleInfo, len(infos)) + for i, info := range infos { + rules[i] = authorizer.DefaultNonResourceRuleInfo{ + Verbs: info.GetVerbs(), + NonResourceURLs: info.GetNonResourceURLs(), + } + } + return rules +} 
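Review bot: Both new tests discard the incomplete flag and the error (`rules, _, _, _ := ...`), and neither sets the mock's `err` field, so the aggregation path that tells callers a listing is partial is never exercised. A case with one failing and one working resolver would pin that rules from the working resolver are kept and the error is surfaced; a sketch follows. Testing propagation of `incomplete` would need the mock to carry that flag as well, since it currently always returns `false`.

```go
func TestAuthorizationRulesError(t *testing.T) {
	failing := &mockAuthzRuleHandler{err: fmt.Errorf("resolver unavailable")}
	working := &mockAuthzRuleHandler{
		resourceRules: []authorizer.ResourceRuleInfo{
			&authorizer.DefaultResourceRuleInfo{
				Verbs:     []string{"get"},
				APIGroups: []string{"*"},
				Resources: []string{"events"},
			},
		},
	}

	rules, _, _, err := NewRuleResolvers(failing, working).RulesFor(nil, "")
	if err == nil {
		t.Errorf("expected the failing resolver's error to be returned")
	}
	if len(rules) != 1 {
		t.Errorf("expected rules from the working resolver to be kept, got %d", len(rules))
	}
}
```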
diff --git a/staging/src/k8s.io/apiserver/pkg/server/config.go b/staging/src/k8s.io/apiserver/pkg/server/config.go index 4d67c70528d..0c62c531284 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/config.go +++ b/staging/src/k8s.io/apiserver/pkg/server/config.go @@ -87,6 +87,9 @@ type Config struct { // Authorizer determines whether the subject is allowed to make the request based only // on the RequestURI Authorizer authorizer.Authorizer + // RuleResolver is required to get the list of rules that apply to a given user + // in a given namespace + RuleResolver authorizer.RuleResolver // AdmissionControl performs deep inspection of a given request (including content) // to set values and determine whether its allowed AdmissionControl admission.Interface diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go index e008e6746f9..890845caeb9 100644 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go @@ -28,6 +28,7 @@ import ( "k8s.io/apimachinery/pkg/apimachinery/registered" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/cache" + "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/util/webhook" "k8s.io/client-go/kubernetes/scheme" 
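Review bot: The comment on the new `RuleResolver` field in `Config` says it is required, yet it is an interface field that defaults to nil and nothing in this hunk enforces it. The `(*REST).Create` handler added by this patch calls `r.ruleResolver.RulesFor(user, namespace)` without a nil check, so a server built without a resolver that still installs the storage (whether it does is not visible here) would panic on the first request. Either document the nil case, `// RuleResolver may be nil, in which case SelfSubjectRulesReview is not served.`, and guard the storage installation on it, or reject a nil resolver when the config is completed.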
@@ -196,6 +197,16 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (authorized bo return r.Status.Allowed, r.Status.Reason, nil } +//TODO: need to finish the method to get the rules when using webhook mode +func (w *WebhookAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { + var ( + resourceRules []authorizer.ResourceRuleInfo + nonResourceRules []authorizer.NonResourceRuleInfo + ) + incomplete := true + return resourceRules, nonResourceRules, incomplete, fmt.Errorf("webhook authorizer does not support user rule resolution") +} + func convertToSARExtra(extra map[string][]string) map[string]authorization.ExtraValue { if extra == nil { return nil diff --git a/test/integration/auth/node_test.go b/test/integration/auth/node_test.go index e8eedff7770..bbb404aaf07 100644 --- a/test/integration/auth/node_test.go +++ b/test/integration/auth/node_test.go @@ -74,7 +74,7 @@ func TestNodeAuthorizer(t *testing.T) { AuthorizationModes: []string{"Node", "RBAC"}, InformerFactory: informerFactory, } - nodeRBACAuthorizer, err := authorizerConfig.New() + nodeRBACAuthorizer, _, err := authorizerConfig.New() if err != nil { t.Fatal(err) } diff --git a/test/integration/etcd/etcd_storage_path_test.go b/test/integration/etcd/etcd_storage_path_test.go index d94be2fe09f..c6e4c88ca21 100644 --- a/test/integration/etcd/etcd_storage_path_test.go +++ b/test/integration/etcd/etcd_storage_path_test.go @@ -394,6 +394,8 @@ var ephemeralWhiteList = createEphemeralWhiteList( // k8s.io/kubernetes/pkg/apis/authorization/v1beta1 + // SRR objects that are not stored in etcd + gvr("authorization.k8s.io", "v1beta1", "selfsubjectrulesreviews"), // SAR objects that are not stored in etcd gvr("authorization.k8s.io", "v1beta1", "selfsubjectaccessreviews"), gvr("authorization.k8s.io", "v1beta1", "localsubjectaccessreviews"), 
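Review bot: `WebhookAuthorizer.RulesFor` has only a `//TODO:` line above it, so the exported method has no doc comment and the behaviour callers must handle (always empty lists, incomplete set, a non-nil error) is stated nowhere. Suggested: `// RulesFor is not supported by the webhook authorizer: it returns no rules, incomplete=true and an error.` followed by `// TODO: resolve rules through the webhook.`. The error text ends up in the response's `EvaluationError` through the `Create` handler in this patch, so it should stay a fixed string as it is now, without webhook configuration details. The body can also shrink to `return nil, nil, true, fmt.Errorf("webhook authorizer does not support user rule resolution")`.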
@@ -402,6 +404,8 @@ var ephemeralWhiteList = createEphemeralWhiteList( // k8s.io/kubernetes/pkg/apis/authorization/v1 + // SRR objects that are not stored in etcd + gvr("authorization.k8s.io", "v1", "selfsubjectrulesreviews"), // SAR objects that are not stored in etcd gvr("authorization.k8s.io", "v1", "selfsubjectaccessreviews"), gvr("authorization.k8s.io", "v1", "localsubjectaccessreviews"), From ed8adf6e51d76b3652be3b433b2dab590f1ff1f0 Mon Sep 17 00:00:00 2001 
From: Chen Rong Date: Thu, 31 Aug 2017 08:52:11 +0800 Subject: [PATCH 2/3] generated --- api/openapi-spec/swagger.json | 376 +++++ api/swagger-spec/authorization.k8s.io_v1.json | 175 +++ .../authorization.k8s.io_v1beta1.json | 175 +++ .../authorization.k8s.io/v1/definitions.html | 247 ++++ .../authorization.k8s.io/v1/operations.html | 119 +- .../v1beta1/definitions.html | 247 ++++ .../v1beta1/operations.html | 119 +- .../v1/zz_generated.conversion.go | 136 ++ .../v1beta1/zz_generated.conversion.go | 136 ++ .../authorization/zz_generated.deepcopy.go | 157 +++ pkg/auth/authorizer/abac/BUILD | 1 + .../typed/authorization/internalversion/BUILD | 1 + .../internalversion/authorization_client.go | 5 + .../authorization/internalversion/fake/BUILD | 1 + .../fake/fake_authorization_client.go | 4 + .../fake/fake_selfsubjectrulesreview.go | 22 + .../internalversion/generated_expansion.go | 2 + .../internalversion/selfsubjectrulesreview.go | 44 + .../authorization/internalversion/BUILD | 1 + .../internalversion/expansion_generated.go | 4 + .../internalversion/selfsubjectrulesreview.go | 67 + pkg/registry/BUILD | 1 + pkg/registry/authorization/rest/BUILD | 1 + .../selfsubjectrulesreview/BUILD | 28 + .../api/authorization/v1/generated.pb.go | 1243 +++++++++++++++- .../api/authorization/v1/generated.proto | 78 ++ .../v1/types_swagger_doc_generated.go | 52 + .../authorization/v1/zz_generated.deepcopy.go | 157 +++ .../api/authorization/v1beta1/generated.pb.go | 1245 ++++++++++++++++- .../api/authorization/v1beta1/generated.proto | 78 ++ .../v1beta1/types_swagger_doc_generated.go | 52 + .../v1beta1/zz_generated.deepcopy.go | 157 +++ .../pkg/authorization/authorizer/BUILD | 5 +- .../pkg/authorization/authorizerfactory/BUILD | 1 + .../apiserver/pkg/authorization/union/BUILD | 6 +- .../plugin/pkg/authorizer/webhook/BUILD | 1 + .../kubernetes/typed/authorization/v1/BUILD | 1 + .../authorization/v1/authorization_client.go | 5 + .../typed/authorization/v1/fake/BUILD | 1 + 
.../v1/fake/fake_authorization_client.go | 4 + .../v1/fake/fake_selfsubjectrulesreview.go | 22 + .../authorization/v1/generated_expansion.go | 2 + .../v1/selfsubjectrulesreview.go | 44 + .../typed/authorization/v1beta1/BUILD | 1 + .../v1beta1/authorization_client.go | 5 + .../typed/authorization/v1beta1/fake/BUILD | 1 + .../v1beta1/fake/fake_authorization_client.go | 4 + .../fake/fake_selfsubjectrulesreview.go | 22 + .../v1beta1/generated_expansion.go | 2 + .../v1beta1/selfsubjectrulesreview.go | 44 + .../client-go/listers/authorization/v1/BUILD | 1 + .../authorization/v1/expansion_generated.go | 4 + .../v1/selfsubjectrulesreview.go | 67 + .../listers/authorization/v1beta1/BUILD | 1 + .../v1beta1/expansion_generated.go | 4 + .../v1beta1/selfsubjectrulesreview.go | 67 + 56 files changed, 5289 insertions(+), 157 deletions(-) create mode 100644 pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_selfsubjectrulesreview.go create mode 100644 pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/selfsubjectrulesreview.go create mode 100644 pkg/client/listers/authorization/internalversion/selfsubjectrulesreview.go create mode 100644 pkg/registry/authorization/selfsubjectrulesreview/BUILD create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_selfsubjectrulesreview.go create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview.go create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_selfsubjectrulesreview.go create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview.go create mode 100644 staging/src/k8s.io/client-go/listers/authorization/v1/selfsubjectrulesreview.go create mode 100644 staging/src/k8s.io/client-go/listers/authorization/v1beta1/selfsubjectrulesreview.go 
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index a96a6fe2e57..5d4ea0cda69 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -28347,6 +28347,62 @@ } ] }, + "/apis/authorization.k8s.io/v1/selfsubjectrulesreviews": { + "post": { + "description": "create a SelfSubjectRulesReview", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "schemes": [ + "https" + ], + "tags": [ + "authorization_v1" + ], + "operationId": "createAuthorizationV1SelfSubjectRulesReview", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview" + } + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "authorization.k8s.io", + "kind": "SelfSubjectRulesReview", + "version": "v1" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "If 'true', then the output is pretty printed.", + "name": "pretty", + "in": "query" + } + ] + }, "/apis/authorization.k8s.io/v1/subjectaccessreviews": { "post": { "description": "create a SubjectAccessReview", 
@@ -28556,6 +28612,62 @@ } ] }, + "/apis/authorization.k8s.io/v1beta1/selfsubjectrulesreviews": { + "post": { + "description": "create a SelfSubjectRulesReview", + "consumes": [ + "*/*" + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "schemes": [ + "https" + ], + "tags": [ + "authorization_v1beta1" + ], + "operationId": "createAuthorizationV1beta1SelfSubjectRulesReview", + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview" + } + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "authorization.k8s.io", + "kind": "SelfSubjectRulesReview", + "version": "v1beta1" + } + }, + "parameters": [ + { + "uniqueItems": true, + "type": "string", + "description": "If 'true', then the output is pretty printed.", + "name": "pretty", + "in": "query" + } + ] + }, "/apis/authorization.k8s.io/v1beta1/subjectaccessreviews": { "post": { "description": "create a SubjectAccessReview", 
@@ -56494,6 +56606,28 @@ } } }, + "io.k8s.api.authorization.v1.NonResourceRule": { + "description": "NonResourceRule holds information that describes a rule for the non-resource", + "required": [ + "verbs" + ], + "properties": { + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + }, + "verbs": { + "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + } + } + }, "io.k8s.api.authorization.v1.ResourceAttributes": { "description": "ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface", "properties": { 
@@ -56527,6 +56661,42 @@ } } }, + "io.k8s.api.authorization.v1.ResourceRule": { + "description": "ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "required": [ + "verbs" + ], + "properties": { + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + }, + "resources": { + "description": "Resources is a list of resources this rule applies to. ResourceAll represents all resources. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + }, + "verbs": { + "description": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + } + } + }, "io.k8s.api.authorization.v1.SelfSubjectAccessReview": { "description": "SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means \"in all namespaces\". Self is a special case, because users should always be able to check whether they can perform an action", "required": [ 
@@ -56574,6 +56744,48 @@ } } }, + "io.k8s.api.authorization.v1.SelfSubjectRulesReview": { + "description": "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "Spec holds information about the request being evaluated.", + "$ref": "#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec" + }, + "status": { + "description": "Status is filled in by the server and indicates the set of actions a user can perform.", + "$ref": "#/definitions/io.k8s.api.authorization.v1.SubjectRulesReviewStatus" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "authorization.k8s.io", + "kind": "SelfSubjectRulesReview", + "version": "v1" + } + ] + }, + "io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec": { + "properties": { + "namespace": { + "description": "Namespace to evaluate rules for. Required.", + "type": "string" + } + } + }, "io.k8s.api.authorization.v1.SubjectAccessReview": { "description": "SubjectAccessReview checks whether or not a user or group can perform an action.", "required": [ 
@@ -56666,6 +56878,38 @@ } } }, + "io.k8s.api.authorization.v1.SubjectRulesReviewStatus": { + "description": "SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.", + "required": [ + "resourceRules", + "nonResourceRules", + "incomplete" + ], + "properties": { + "evaluationError": { + "description": "EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.", + "type": "string" + }, + "incomplete": { + "description": "Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.", + "type": "boolean" + }, + "nonResourceRules": { + "description": "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.api.authorization.v1.NonResourceRule" + } + }, + "resourceRules": { + "description": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.api.authorization.v1.ResourceRule" + } + } + } + }, "io.k8s.api.authorization.v1beta1.LocalSubjectAccessReview": { "description": "LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. 
Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.", "required": [ @@ -56713,6 +56957,28 @@ } } }, + "io.k8s.api.authorization.v1beta1.NonResourceRule": { + "description": "NonResourceRule holds information that describes a rule for the non-resource", + "required": [ + "verbs" + ], + "properties": { + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + }, + "verbs": { + "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + } + } + }, "io.k8s.api.authorization.v1beta1.ResourceAttributes": { "description": "ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface", "properties": { 
@@ -56746,6 +57012,42 @@ } } }, + "io.k8s.api.authorization.v1beta1.ResourceRule": { + "description": "ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "required": [ + "verbs" + ], + "properties": { + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + }, + "resources": { + "description": "Resources is a list of resources this rule applies to. ResourceAll represents all resources. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + }, + "verbs": { + "description": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.", + "type": "array", + "items": { + "type": "string" + } + } + } + }, "io.k8s.api.authorization.v1beta1.SelfSubjectAccessReview": { "description": "SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means \"in all namespaces\". Self is a special case, because users should always be able to check whether they can perform an action", "required": [ 
@@ -56793,6 +57095,48 @@ } } }, + "io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview": { + "description": "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "Spec holds information about the request being evaluated.", + "$ref": "#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewSpec" + }, + "status": { + "description": "Status is filled in by the server and indicates the set of actions a user can perform.", + "$ref": "#/definitions/io.k8s.api.authorization.v1beta1.SubjectRulesReviewStatus" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "authorization.k8s.io", + "kind": "SelfSubjectRulesReview", + "version": "v1beta1" + } + ] + }, + "io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewSpec": { + "properties": { + "namespace": { + "description": "Namespace to evaluate rules for. Required.", + "type": "string" + } + } + }, "io.k8s.api.authorization.v1beta1.SubjectAccessReview": { "description": "SubjectAccessReview checks whether or not a user or group can perform an action.", "required": [ 
@@ -56885,6 +57229,38 @@ } } }, + "io.k8s.api.authorization.v1beta1.SubjectRulesReviewStatus": { + "description": "SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.", + "required": [ + "resourceRules", + "nonResourceRules", + "incomplete" + ], + "properties": { + "evaluationError": { + "description": "EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.", + "type": "string" + }, + "incomplete": { + "description": "Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.", + "type": "boolean" + }, + "nonResourceRules": { + "description": "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.api.authorization.v1beta1.NonResourceRule" + } + }, + "resourceRules": { + "description": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "type": "array", + "items": { + "$ref": "#/definitions/io.k8s.api.authorization.v1beta1.ResourceRule" + } + } + } + }, "io.k8s.api.autoscaling.v1.CrossVersionObjectReference": { "description": "CrossVersionObjectReference contains enough information to let you identify the referred resource.", "required": [ 
diff --git a/api/swagger-spec/authorization.k8s.io_v1.json b/api/swagger-spec/authorization.k8s.io_v1.json index 997e133f498..62f15592807 100644 --- a/api/swagger-spec/authorization.k8s.io_v1.json +++ b/api/swagger-spec/authorization.k8s.io_v1.json @@ -106,6 +106,51 @@ } ] }, + { + "path": "/apis/authorization.k8s.io/v1/selfsubjectrulesreviews", + "description": "API at /apis/authorization.k8s.io/v1", + "operations": [ + { + "type": "v1.SelfSubjectRulesReview", + "method": "POST", + "summary": "create a SelfSubjectRulesReview", + "nickname": "createSelfSubjectRulesReview", + "parameters": [ + { + "type": "string", + "paramType": "query", + "name": "pretty", + "description": "If 'true', then the output is pretty printed.", + "required": false, + "allowMultiple": false + }, + { + "type": "v1.SelfSubjectRulesReview", + "paramType": "body", + "name": "body", + "description": "", + "required": true, + "allowMultiple": false + } + ], + "responseMessages": [ + { + "code": 200, + "message": "OK", + "responseModel": "v1.SelfSubjectRulesReview" + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "consumes": [ + "*/*" + ] + } + ] + }, { "path": "/apis/authorization.k8s.io/v1/subjectaccessreviews", "description": "API at /apis/authorization.k8s.io/v1", 
@@ -600,6 +645,136 @@ } } }, + "v1.SelfSubjectRulesReview": { + "id": "v1.SelfSubjectRulesReview", + "description": "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.", + "required": [ + "spec" + ], + "properties": { + "kind": { + "type": "string", + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds" + }, + "apiVersion": { + "type": "string", + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources" + }, + "metadata": { + "$ref": "v1.ObjectMeta" + }, + "spec": { + "$ref": "v1.SelfSubjectRulesReviewSpec", + "description": "Spec holds information about the request being evaluated." + }, + "status": { + "$ref": "v1.SubjectRulesReviewStatus", + "description": "Status is filled in by the server and indicates the set of actions a user can perform." 
+ } + } + }, + "v1.SelfSubjectRulesReviewSpec": { + "id": "v1.SelfSubjectRulesReviewSpec", + "properties": { + "namespace": { + "type": "string", + "description": "Namespace to evaluate rules for. Required." + } + } + }, + "v1.SubjectRulesReviewStatus": { + "id": "v1.SubjectRulesReviewStatus", + "description": "SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.", + "required": [ + "resourceRules", + "nonResourceRules", + "incomplete" + ], + "properties": { + "resourceRules": { + "type": "array", + "items": { + "$ref": "v1.ResourceRule" + }, + "description": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete." + }, + "nonResourceRules": { + "type": "array", + "items": { + "$ref": "v1.NonResourceRule" + }, + "description": "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete." + }, + "incomplete": { + "type": "boolean", + "description": "Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation." + }, + "evaluationError": { + "type": "string", + "description": "EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete." 
+ } + } + }, + "v1.ResourceRule": { + "id": "v1.ResourceRule", + "description": "ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "required": [ + "verbs" + ], + "properties": { + "verbs": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all." + }, + "apiGroups": { + "type": "array", + "items": { + "type": "string" + }, + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all." + }, + "resources": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Resources is a list of resources this rule applies to. ResourceAll represents all resources. \"*\" means all." + }, + "resourceNames": { + "type": "array", + "items": { + "type": "string" + }, + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all." + } + } + }, + "v1.NonResourceRule": { + "id": "v1.NonResourceRule", + "description": "NonResourceRule holds information that describes a rule for the non-resource", + "required": [ + "verbs" + ], + "properties": { + "verbs": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all." + }, + "nonResourceURLs": { + "type": "array", + "items": { + "type": "string" + }, + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all." 
+ } + } + }, "v1.SubjectAccessReview": { "id": "v1.SubjectAccessReview", "description": "SubjectAccessReview checks whether or not a user or group can perform an action.", diff --git a/api/swagger-spec/authorization.k8s.io_v1beta1.json b/api/swagger-spec/authorization.k8s.io_v1beta1.json index 6430dad49ff..ded768927f4 100644 --- a/api/swagger-spec/authorization.k8s.io_v1beta1.json +++ b/api/swagger-spec/authorization.k8s.io_v1beta1.json @@ -106,6 +106,51 @@ } ] }, + { + "path": "/apis/authorization.k8s.io/v1beta1/selfsubjectrulesreviews", + "description": "API at /apis/authorization.k8s.io/v1beta1", + "operations": [ + { + "type": "v1beta1.SelfSubjectRulesReview", + "method": "POST", + "summary": "create a SelfSubjectRulesReview", + "nickname": "createSelfSubjectRulesReview", + "parameters": [ + { + "type": "string", + "paramType": "query", + "name": "pretty", + "description": "If 'true', then the output is pretty printed.", + "required": false, + "allowMultiple": false + }, + { + "type": "v1beta1.SelfSubjectRulesReview", + "paramType": "body", + "name": "body", + "description": "", + "required": true, + "allowMultiple": false + } + ], + "responseMessages": [ + { + "code": 200, + "message": "OK", + "responseModel": "v1beta1.SelfSubjectRulesReview" + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "consumes": [ + "*/*" + ] + } + ] + }, { "path": "/apis/authorization.k8s.io/v1beta1/subjectaccessreviews", "description": "API at /apis/authorization.k8s.io/v1beta1", 
@@ -600,6 +645,136 @@ } } }, + "v1beta1.SelfSubjectRulesReview": { + "id": "v1beta1.SelfSubjectRulesReview", + "description": "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.", + "required": [ + "spec" + ], + "properties": { + "kind": { + "type": "string", + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds" + }, + "apiVersion": { + "type": "string", + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources" + }, + "metadata": { + "$ref": "v1.ObjectMeta" + }, + "spec": { + "$ref": "v1beta1.SelfSubjectRulesReviewSpec", + "description": "Spec holds information about the request being evaluated." + }, + "status": { + "$ref": "v1beta1.SubjectRulesReviewStatus", + "description": "Status is filled in by the server and indicates the set of actions a user can perform." 
+ } + } + }, + "v1beta1.SelfSubjectRulesReviewSpec": { + "id": "v1beta1.SelfSubjectRulesReviewSpec", + "properties": { + "namespace": { + "type": "string", + "description": "Namespace to evaluate rules for. Required." + } + } + }, + "v1beta1.SubjectRulesReviewStatus": { + "id": "v1beta1.SubjectRulesReviewStatus", + "description": "SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.", + "required": [ + "resourceRules", + "nonResourceRules", + "incomplete" + ], + "properties": { + "resourceRules": { + "type": "array", + "items": { + "$ref": "v1beta1.ResourceRule" + }, + "description": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete." + }, + "nonResourceRules": { + "type": "array", + "items": { + "$ref": "v1beta1.NonResourceRule" + }, + "description": "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete." + }, + "incomplete": { + "type": "boolean", + "description": "Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation." + }, + "evaluationError": { + "type": "string", + "description": "EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete." 
+ } + } + }, + "v1beta1.ResourceRule": { + "id": "v1beta1.ResourceRule", + "description": "ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "required": [ + "verbs" + ], + "properties": { + "verbs": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all." + }, + "apiGroups": { + "type": "array", + "items": { + "type": "string" + }, + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all." + }, + "resources": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Resources is a list of resources this rule applies to. ResourceAll represents all resources. \"*\" means all." + }, + "resourceNames": { + "type": "array", + "items": { + "type": "string" + }, + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all." + } + } + }, + "v1beta1.NonResourceRule": { + "id": "v1beta1.NonResourceRule", + "description": "NonResourceRule holds information that describes a rule for the non-resource", + "required": [ + "verbs" + ], + "properties": { + "verbs": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all." + }, + "nonResourceURLs": { + "type": "array", + "items": { + "type": "string" + }, + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all." 
+ } + } + }, "v1beta1.SubjectAccessReview": { "id": "v1beta1.SubjectAccessReview", "description": "SubjectAccessReview checks whether or not a user or group can perform an action.", diff --git a/docs/api-reference/authorization.k8s.io/v1/definitions.html b/docs/api-reference/authorization.k8s.io/v1/definitions.html index f966f8fefbf..ab649a7c00c 100755 --- a/docs/api-reference/authorization.k8s.io/v1/definitions.html +++ b/docs/api-reference/authorization.k8s.io/v1/definitions.html @@ -370,6 +370,9 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
+
+

v1.SelfSubjectRulesReviewSpec

+ +++++++ + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

namespace

Namespace to evaluate rules for. Required.

false

string

+

v1.Status

@@ -1165,6 +1199,61 @@ When an object is created, the system will populate this list with the current s +
+
+

v1.SubjectRulesReviewStatus

+
+

SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it’s safe to assume the subject has that permission, even if that list is incomplete.

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

resourceRules

ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn’t significant, may contain duplicates, and possibly be incomplete.

true

v1.ResourceRule array

nonResourceRules

NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn’t significant, may contain duplicates, and possibly be incomplete.

true

v1.NonResourceRule array

incomplete

Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn’t support rules evaluation.

true

boolean

false

evaluationError

EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn’t support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.

false

string

+

v1.APIResource

@@ -1296,6 +1385,61 @@ When an object is created, the system will populate this list with the current s +
+
+

v1.ResourceRule

+
+

ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn’t significant, may contain duplicates, and possibly be incomplete.

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

verbs

Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.

true

string array

apiGroups

APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "*" means all.

false

string array

resources

Resources is a list of resources this rule applies to. ResourceAll represents all resources. "*" means all.

false

string array

resourceNames

ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.

false

string array

+

v1.StatusCause

@@ -1410,6 +1554,47 @@ Examples:
+
+
+

v1.NonResourceRule

+
+

NonResourceRule holds information that describes a rule for the non-resource

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

verbs

Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.

true

string array

nonResourceURLs

NonResourceURLs is a set of partial urls that a user should have access to. s are allowed, but only as the full, final step in the path. "" means all.

false

string array

+

v1.SelfSubjectAccessReview

@@ -1534,6 +1719,68 @@ Examples:
+
+
+

v1.SelfSubjectRulesReview

+
+

SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server’s authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

kind

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds

false

string

apiVersion

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources

false

string

metadata

false

v1.ObjectMeta

spec

Spec holds information about the request being evaluated.

true

v1.SelfSubjectRulesReviewSpec

status

Status is filled in by the server and indicates the set of actions a user can perform.

false

v1.SubjectRulesReviewStatus

+

any

diff --git a/docs/api-reference/authorization.k8s.io/v1/operations.html b/docs/api-reference/authorization.k8s.io/v1/operations.html index ac7f8387796..4ec82272c08 100755 --- a/docs/api-reference/authorization.k8s.io/v1/operations.html +++ b/docs/api-reference/authorization.k8s.io/v1/operations.html @@ -673,10 +673,10 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
-

create a SubjectAccessReview

+

create a SelfSubjectRulesReview

-
POST /apis/authorization.k8s.io/v1/subjectaccessreviews
+
POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews
@@ -714,7 +714,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

body

true

-

v1.SubjectAccessReview

+

v1.SelfSubjectRulesReview

@@ -740,7 +740,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

200

success

-

v1.SubjectAccessReview

+

v1.SelfSubjectRulesReview

@@ -783,6 +783,117 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
+
+

create a SubjectAccessReview

+
+
+
POST /apis/authorization.k8s.io/v1/subjectaccessreviews
+
+
+
+

Parameters

+ ++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TypeNameDescriptionRequiredSchemaDefault

QueryParameter

pretty

If true, then the output is pretty printed.

false

string

BodyParameter

body

true

v1.SubjectAccessReview

+ +
+
+

Responses

+ +++++ + + + + + + + + + + + + + + +
HTTP CodeDescriptionSchema

200

success

v1.SubjectAccessReview

+ +
+
+

Consumes

+
+
    +
  • +

    /

    +
  • +
+
+
+
+

Produces

+
+
    +
  • +

    application/json

    +
  • +
  • +

    application/yaml

    +
  • +
  • +

    application/vnd.kubernetes.protobuf

    +
  • +
+
+
+
+

Tags

+
+
    +
  • +

    apisauthorization.k8s.iov1

    +
  • +
+
+
+
diff --git a/docs/api-reference/authorization.k8s.io/v1beta1/definitions.html b/docs/api-reference/authorization.k8s.io/v1beta1/definitions.html index 63039e8d3dd..11ac18b881d 100755 --- a/docs/api-reference/authorization.k8s.io/v1beta1/definitions.html +++ b/docs/api-reference/authorization.k8s.io/v1beta1/definitions.html @@ -370,6 +370,9 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
+
+

v1beta1.SubjectRulesReviewStatus

+
+

SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it’s safe to assume the subject has that permission, even if that list is incomplete.

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

resourceRules

ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn’t significant, may contain duplicates, and possibly be incomplete.

true

v1beta1.ResourceRule array

nonResourceRules

NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn’t significant, may contain duplicates, and possibly be incomplete.

true

v1beta1.NonResourceRule array

incomplete

Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn’t support rules evaluation.

true

boolean

false

evaluationError

EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn’t support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.

false

string

+

v1.Initializers

@@ -941,6 +999,68 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; } +
+
+

v1beta1.SelfSubjectRulesReview

+
+

SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server’s authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

kind

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds

false

string

apiVersion

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources

false

string

metadata

false

v1.ObjectMeta

spec

Spec holds information about the request being evaluated.

true

v1beta1.SelfSubjectRulesReviewSpec

status

Status is filled in by the server and indicates the set of actions a user can perform.

false

v1beta1.SubjectRulesReviewStatus

+

v1beta1.SubjectAccessReviewStatus

@@ -1213,6 +1333,133 @@ When an object is created, the system will populate this list with the current s +
+
+

v1beta1.SelfSubjectRulesReviewSpec

+ +++++++ + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

namespace

Namespace to evaluate rules for. Required.

false

string

+ +
+
+

v1beta1.NonResourceRule

+
+

NonResourceRule holds information that describes a rule for the non-resource

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

verbs

Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.

true

string array

nonResourceURLs

NonResourceURLs is a set of partial urls that a user should have access to. s are allowed, but only as the full, final step in the path. "" means all.

false

string array

+ +
+
+

v1beta1.ResourceRule

+
+

ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn’t significant, may contain duplicates, and possibly be incomplete.

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionRequiredSchemaDefault

verbs

Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.

true

string array

apiGroups

APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "*" means all.

false

string array

resources

Resources is a list of resources this rule applies to. ResourceAll represents all resources. "*" means all.

false

string array

resourceNames

ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.

false

string array

+

v1beta1.SelfSubjectAccessReview

diff --git a/docs/api-reference/authorization.k8s.io/v1beta1/operations.html b/docs/api-reference/authorization.k8s.io/v1beta1/operations.html index b683a212c94..7726468cf32 100755 --- a/docs/api-reference/authorization.k8s.io/v1beta1/operations.html +++ b/docs/api-reference/authorization.k8s.io/v1beta1/operations.html @@ -673,10 +673,10 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
-

create a SubjectAccessReview

+

create a SelfSubjectRulesReview

-
POST /apis/authorization.k8s.io/v1beta1/subjectaccessreviews
+
POST /apis/authorization.k8s.io/v1beta1/selfsubjectrulesreviews
@@ -714,7 +714,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

body

true

-

v1beta1.SubjectAccessReview

+

v1beta1.SelfSubjectRulesReview

@@ -740,7 +740,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

200

success

-

v1beta1.SubjectAccessReview

+

v1beta1.SelfSubjectRulesReview

@@ -783,6 +783,117 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
+
+

create a SubjectAccessReview

+
+
+
POST /apis/authorization.k8s.io/v1beta1/subjectaccessreviews
+
+
+
+

Parameters

+ ++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TypeNameDescriptionRequiredSchemaDefault

QueryParameter

pretty

If true, then the output is pretty printed.

false

string

BodyParameter

body

true

v1beta1.SubjectAccessReview

+ +
+
+

Responses

+ +++++ + + + + + + + + + + + + + + +
HTTP CodeDescriptionSchema

200

success

v1beta1.SubjectAccessReview

+ +
+
+

Consumes

+
+
    +
  • +

    /

    +
  • +
+
+
+
+

Produces

+
+
    +
  • +

    application/json

    +
  • +
  • +

    application/yaml

    +
  • +
  • +

    application/vnd.kubernetes.protobuf

    +
  • +
+
+
+
+

Tags

+
+
    +
  • +

    apisauthorization.k8s.iov1beta1

    +
  • +
+
+
+
diff --git a/pkg/apis/authorization/v1/zz_generated.conversion.go b/pkg/apis/authorization/v1/zz_generated.conversion.go index 3fae7463f16..1c06171c6fc 100644 --- a/pkg/apis/authorization/v1/zz_generated.conversion.go +++ b/pkg/apis/authorization/v1/zz_generated.conversion.go 
@@ -40,18 +40,28 @@ func RegisterConversions(scheme *runtime.Scheme) error { Convert_authorization_LocalSubjectAccessReview_To_v1_LocalSubjectAccessReview, Convert_v1_NonResourceAttributes_To_authorization_NonResourceAttributes, Convert_authorization_NonResourceAttributes_To_v1_NonResourceAttributes, + Convert_v1_NonResourceRule_To_authorization_NonResourceRule, + Convert_authorization_NonResourceRule_To_v1_NonResourceRule, Convert_v1_ResourceAttributes_To_authorization_ResourceAttributes, Convert_authorization_ResourceAttributes_To_v1_ResourceAttributes, + Convert_v1_ResourceRule_To_authorization_ResourceRule, + Convert_authorization_ResourceRule_To_v1_ResourceRule, Convert_v1_SelfSubjectAccessReview_To_authorization_SelfSubjectAccessReview, Convert_authorization_SelfSubjectAccessReview_To_v1_SelfSubjectAccessReview, Convert_v1_SelfSubjectAccessReviewSpec_To_authorization_SelfSubjectAccessReviewSpec, Convert_authorization_SelfSubjectAccessReviewSpec_To_v1_SelfSubjectAccessReviewSpec, + Convert_v1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview, + Convert_authorization_SelfSubjectRulesReview_To_v1_SelfSubjectRulesReview, + Convert_v1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec, + Convert_authorization_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec, Convert_v1_SubjectAccessReview_To_authorization_SubjectAccessReview, Convert_authorization_SubjectAccessReview_To_v1_SubjectAccessReview, Convert_v1_SubjectAccessReviewSpec_To_authorization_SubjectAccessReviewSpec, Convert_authorization_SubjectAccessReviewSpec_To_v1_SubjectAccessReviewSpec, Convert_v1_SubjectAccessReviewStatus_To_authorization_SubjectAccessReviewStatus, Convert_authorization_SubjectAccessReviewStatus_To_v1_SubjectAccessReviewStatus, + Convert_v1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus, + Convert_authorization_SubjectRulesReviewStatus_To_v1_SubjectRulesReviewStatus, ) } 
@@ -109,6 +119,28 @@ func Convert_authorization_NonResourceAttributes_To_v1_NonResourceAttributes(in return autoConvert_authorization_NonResourceAttributes_To_v1_NonResourceAttributes(in, out, s) } +func autoConvert_v1_NonResourceRule_To_authorization_NonResourceRule(in *v1.NonResourceRule, out *authorization.NonResourceRule, s conversion.Scope) error { + out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs)) + out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) + return nil +} + +// Convert_v1_NonResourceRule_To_authorization_NonResourceRule is an autogenerated conversion function. +func Convert_v1_NonResourceRule_To_authorization_NonResourceRule(in *v1.NonResourceRule, out *authorization.NonResourceRule, s conversion.Scope) error { + return autoConvert_v1_NonResourceRule_To_authorization_NonResourceRule(in, out, s) +} + +func autoConvert_authorization_NonResourceRule_To_v1_NonResourceRule(in *authorization.NonResourceRule, out *v1.NonResourceRule, s conversion.Scope) error { + out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs)) + out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) + return nil +} + +// Convert_authorization_NonResourceRule_To_v1_NonResourceRule is an autogenerated conversion function. +func Convert_authorization_NonResourceRule_To_v1_NonResourceRule(in *authorization.NonResourceRule, out *v1.NonResourceRule, s conversion.Scope) error { + return autoConvert_authorization_NonResourceRule_To_v1_NonResourceRule(in, out, s) +} + func autoConvert_v1_ResourceAttributes_To_authorization_ResourceAttributes(in *v1.ResourceAttributes, out *authorization.ResourceAttributes, s conversion.Scope) error { out.Namespace = in.Namespace out.Verb = in.Verb 
@@ -141,6 +173,32 @@ func Convert_authorization_ResourceAttributes_To_v1_ResourceAttributes(in *autho return autoConvert_authorization_ResourceAttributes_To_v1_ResourceAttributes(in, out, s) } +func autoConvert_v1_ResourceRule_To_authorization_ResourceRule(in *v1.ResourceRule, out *authorization.ResourceRule, s conversion.Scope) error { + out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs)) + out.APIGroups = *(*[]string)(unsafe.Pointer(&in.APIGroups)) + out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources)) + out.ResourceNames = *(*[]string)(unsafe.Pointer(&in.ResourceNames)) + return nil +} + +// Convert_v1_ResourceRule_To_authorization_ResourceRule is an autogenerated conversion function. +func Convert_v1_ResourceRule_To_authorization_ResourceRule(in *v1.ResourceRule, out *authorization.ResourceRule, s conversion.Scope) error { + return autoConvert_v1_ResourceRule_To_authorization_ResourceRule(in, out, s) +} + +func autoConvert_authorization_ResourceRule_To_v1_ResourceRule(in *authorization.ResourceRule, out *v1.ResourceRule, s conversion.Scope) error { + out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs)) + out.APIGroups = *(*[]string)(unsafe.Pointer(&in.APIGroups)) + out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources)) + out.ResourceNames = *(*[]string)(unsafe.Pointer(&in.ResourceNames)) + return nil +} + +// Convert_authorization_ResourceRule_To_v1_ResourceRule is an autogenerated conversion function. 
+func Convert_authorization_ResourceRule_To_v1_ResourceRule(in *authorization.ResourceRule, out *v1.ResourceRule, s conversion.Scope) error { + return autoConvert_authorization_ResourceRule_To_v1_ResourceRule(in, out, s) +} + func autoConvert_v1_SelfSubjectAccessReview_To_authorization_SelfSubjectAccessReview(in *v1.SelfSubjectAccessReview, out *authorization.SelfSubjectAccessReview, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1_SelfSubjectAccessReviewSpec_To_authorization_SelfSubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil { 
@@ -195,6 +253,58 @@ func Convert_authorization_SelfSubjectAccessReviewSpec_To_v1_SelfSubjectAccessRe return autoConvert_authorization_SelfSubjectAccessReviewSpec_To_v1_SelfSubjectAccessReviewSpec(in, out, s) } +func autoConvert_v1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview(in *v1.SelfSubjectRulesReview, out *authorization.SelfSubjectRulesReview, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview is an autogenerated conversion function. +func Convert_v1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview(in *v1.SelfSubjectRulesReview, out *authorization.SelfSubjectRulesReview, s conversion.Scope) error { + return autoConvert_v1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview(in, out, s) +} + +func autoConvert_authorization_SelfSubjectRulesReview_To_v1_SelfSubjectRulesReview(in *authorization.SelfSubjectRulesReview, out *v1.SelfSubjectRulesReview, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_authorization_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_authorization_SubjectRulesReviewStatus_To_v1_SubjectRulesReviewStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_authorization_SelfSubjectRulesReview_To_v1_SelfSubjectRulesReview is an autogenerated conversion function. 
+func Convert_authorization_SelfSubjectRulesReview_To_v1_SelfSubjectRulesReview(in *authorization.SelfSubjectRulesReview, out *v1.SelfSubjectRulesReview, s conversion.Scope) error { + return autoConvert_authorization_SelfSubjectRulesReview_To_v1_SelfSubjectRulesReview(in, out, s) +} + +func autoConvert_v1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec(in *v1.SelfSubjectRulesReviewSpec, out *authorization.SelfSubjectRulesReviewSpec, s conversion.Scope) error { + out.Namespace = in.Namespace + return nil +} + +// Convert_v1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec is an autogenerated conversion function. +func Convert_v1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec(in *v1.SelfSubjectRulesReviewSpec, out *authorization.SelfSubjectRulesReviewSpec, s conversion.Scope) error { + return autoConvert_v1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec(in, out, s) +} + +func autoConvert_authorization_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec(in *authorization.SelfSubjectRulesReviewSpec, out *v1.SelfSubjectRulesReviewSpec, s conversion.Scope) error { + out.Namespace = in.Namespace + return nil +} + +// Convert_authorization_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec is an autogenerated conversion function. +func Convert_authorization_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec(in *authorization.SelfSubjectRulesReviewSpec, out *v1.SelfSubjectRulesReviewSpec, s conversion.Scope) error { + return autoConvert_authorization_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec(in, out, s) +} + func autoConvert_v1_SubjectAccessReview_To_authorization_SubjectAccessReview(in *v1.SubjectAccessReview, out *authorization.SubjectAccessReview, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1_SubjectAccessReviewSpec_To_authorization_SubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil { 
@@ -280,3 +390,29 @@ func autoConvert_authorization_SubjectAccessReviewStatus_To_v1_SubjectAccessRevi func Convert_authorization_SubjectAccessReviewStatus_To_v1_SubjectAccessReviewStatus(in *authorization.SubjectAccessReviewStatus, out *v1.SubjectAccessReviewStatus, s conversion.Scope) error { return autoConvert_authorization_SubjectAccessReviewStatus_To_v1_SubjectAccessReviewStatus(in, out, s) } + +func autoConvert_v1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus(in *v1.SubjectRulesReviewStatus, out *authorization.SubjectRulesReviewStatus, s conversion.Scope) error { + out.ResourceRules = *(*[]authorization.ResourceRule)(unsafe.Pointer(&in.ResourceRules)) + out.NonResourceRules = *(*[]authorization.NonResourceRule)(unsafe.Pointer(&in.NonResourceRules)) + out.Incomplete = in.Incomplete + out.EvaluationError = in.EvaluationError + return nil +} + +// Convert_v1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus is an autogenerated conversion function. +func Convert_v1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus(in *v1.SubjectRulesReviewStatus, out *authorization.SubjectRulesReviewStatus, s conversion.Scope) error { + return autoConvert_v1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus(in, out, s) +} + +func autoConvert_authorization_SubjectRulesReviewStatus_To_v1_SubjectRulesReviewStatus(in *authorization.SubjectRulesReviewStatus, out *v1.SubjectRulesReviewStatus, s conversion.Scope) error { + out.ResourceRules = *(*[]v1.ResourceRule)(unsafe.Pointer(&in.ResourceRules)) + out.NonResourceRules = *(*[]v1.NonResourceRule)(unsafe.Pointer(&in.NonResourceRules)) + out.Incomplete = in.Incomplete + out.EvaluationError = in.EvaluationError + return nil +} + +// Convert_authorization_SubjectRulesReviewStatus_To_v1_SubjectRulesReviewStatus is an autogenerated conversion function. 
+func Convert_authorization_SubjectRulesReviewStatus_To_v1_SubjectRulesReviewStatus(in *authorization.SubjectRulesReviewStatus, out *v1.SubjectRulesReviewStatus, s conversion.Scope) error { + return autoConvert_authorization_SubjectRulesReviewStatus_To_v1_SubjectRulesReviewStatus(in, out, s) +} diff --git a/pkg/apis/authorization/v1beta1/zz_generated.conversion.go b/pkg/apis/authorization/v1beta1/zz_generated.conversion.go index 9e1bd969805..4ba9417a61f 100644 --- a/pkg/apis/authorization/v1beta1/zz_generated.conversion.go +++ b/pkg/apis/authorization/v1beta1/zz_generated.conversion.go 
@@ -40,18 +40,28 @@ func RegisterConversions(scheme *runtime.Scheme) error { Convert_authorization_LocalSubjectAccessReview_To_v1beta1_LocalSubjectAccessReview, Convert_v1beta1_NonResourceAttributes_To_authorization_NonResourceAttributes, Convert_authorization_NonResourceAttributes_To_v1beta1_NonResourceAttributes, + Convert_v1beta1_NonResourceRule_To_authorization_NonResourceRule, + Convert_authorization_NonResourceRule_To_v1beta1_NonResourceRule, Convert_v1beta1_ResourceAttributes_To_authorization_ResourceAttributes, Convert_authorization_ResourceAttributes_To_v1beta1_ResourceAttributes, + Convert_v1beta1_ResourceRule_To_authorization_ResourceRule, + Convert_authorization_ResourceRule_To_v1beta1_ResourceRule, Convert_v1beta1_SelfSubjectAccessReview_To_authorization_SelfSubjectAccessReview, Convert_authorization_SelfSubjectAccessReview_To_v1beta1_SelfSubjectAccessReview, Convert_v1beta1_SelfSubjectAccessReviewSpec_To_authorization_SelfSubjectAccessReviewSpec, Convert_authorization_SelfSubjectAccessReviewSpec_To_v1beta1_SelfSubjectAccessReviewSpec, + Convert_v1beta1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview, + Convert_authorization_SelfSubjectRulesReview_To_v1beta1_SelfSubjectRulesReview, + Convert_v1beta1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec, + Convert_authorization_SelfSubjectRulesReviewSpec_To_v1beta1_SelfSubjectRulesReviewSpec, Convert_v1beta1_SubjectAccessReview_To_authorization_SubjectAccessReview, Convert_authorization_SubjectAccessReview_To_v1beta1_SubjectAccessReview, Convert_v1beta1_SubjectAccessReviewSpec_To_authorization_SubjectAccessReviewSpec, Convert_authorization_SubjectAccessReviewSpec_To_v1beta1_SubjectAccessReviewSpec, Convert_v1beta1_SubjectAccessReviewStatus_To_authorization_SubjectAccessReviewStatus, Convert_authorization_SubjectAccessReviewStatus_To_v1beta1_SubjectAccessReviewStatus, + Convert_v1beta1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus, + 
Convert_authorization_SubjectRulesReviewStatus_To_v1beta1_SubjectRulesReviewStatus, ) } @@ -109,6 +119,28 @@ func Convert_authorization_NonResourceAttributes_To_v1beta1_NonResourceAttribute return autoConvert_authorization_NonResourceAttributes_To_v1beta1_NonResourceAttributes(in, out, s) } +func autoConvert_v1beta1_NonResourceRule_To_authorization_NonResourceRule(in *v1beta1.NonResourceRule, out *authorization.NonResourceRule, s conversion.Scope) error { + out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs)) + out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) + return nil +} + +// Convert_v1beta1_NonResourceRule_To_authorization_NonResourceRule is an autogenerated conversion function. +func Convert_v1beta1_NonResourceRule_To_authorization_NonResourceRule(in *v1beta1.NonResourceRule, out *authorization.NonResourceRule, s conversion.Scope) error { + return autoConvert_v1beta1_NonResourceRule_To_authorization_NonResourceRule(in, out, s) +} + +func autoConvert_authorization_NonResourceRule_To_v1beta1_NonResourceRule(in *authorization.NonResourceRule, out *v1beta1.NonResourceRule, s conversion.Scope) error { + out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs)) + out.NonResourceURLs = *(*[]string)(unsafe.Pointer(&in.NonResourceURLs)) + return nil +} + +// Convert_authorization_NonResourceRule_To_v1beta1_NonResourceRule is an autogenerated conversion function. +func Convert_authorization_NonResourceRule_To_v1beta1_NonResourceRule(in *authorization.NonResourceRule, out *v1beta1.NonResourceRule, s conversion.Scope) error { + return autoConvert_authorization_NonResourceRule_To_v1beta1_NonResourceRule(in, out, s) +} + func autoConvert_v1beta1_ResourceAttributes_To_authorization_ResourceAttributes(in *v1beta1.ResourceAttributes, out *authorization.ResourceAttributes, s conversion.Scope) error { out.Namespace = in.Namespace out.Verb = in.Verb 
@@ -141,6 +173,32 @@ func Convert_authorization_ResourceAttributes_To_v1beta1_ResourceAttributes(in * return autoConvert_authorization_ResourceAttributes_To_v1beta1_ResourceAttributes(in, out, s) } +func autoConvert_v1beta1_ResourceRule_To_authorization_ResourceRule(in *v1beta1.ResourceRule, out *authorization.ResourceRule, s conversion.Scope) error { + out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs)) + out.APIGroups = *(*[]string)(unsafe.Pointer(&in.APIGroups)) + out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources)) + out.ResourceNames = *(*[]string)(unsafe.Pointer(&in.ResourceNames)) + return nil +} + +// Convert_v1beta1_ResourceRule_To_authorization_ResourceRule is an autogenerated conversion function. +func Convert_v1beta1_ResourceRule_To_authorization_ResourceRule(in *v1beta1.ResourceRule, out *authorization.ResourceRule, s conversion.Scope) error { + return autoConvert_v1beta1_ResourceRule_To_authorization_ResourceRule(in, out, s) +} + +func autoConvert_authorization_ResourceRule_To_v1beta1_ResourceRule(in *authorization.ResourceRule, out *v1beta1.ResourceRule, s conversion.Scope) error { + out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs)) + out.APIGroups = *(*[]string)(unsafe.Pointer(&in.APIGroups)) + out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources)) + out.ResourceNames = *(*[]string)(unsafe.Pointer(&in.ResourceNames)) + return nil +} + +// Convert_authorization_ResourceRule_To_v1beta1_ResourceRule is an autogenerated conversion function. 
+func Convert_authorization_ResourceRule_To_v1beta1_ResourceRule(in *authorization.ResourceRule, out *v1beta1.ResourceRule, s conversion.Scope) error { + return autoConvert_authorization_ResourceRule_To_v1beta1_ResourceRule(in, out, s) +} + func autoConvert_v1beta1_SelfSubjectAccessReview_To_authorization_SelfSubjectAccessReview(in *v1beta1.SelfSubjectAccessReview, out *authorization.SelfSubjectAccessReview, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1beta1_SelfSubjectAccessReviewSpec_To_authorization_SelfSubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil { 
@@ -195,6 +253,58 @@ func Convert_authorization_SelfSubjectAccessReviewSpec_To_v1beta1_SelfSubjectAcc return autoConvert_authorization_SelfSubjectAccessReviewSpec_To_v1beta1_SelfSubjectAccessReviewSpec(in, out, s) } +func autoConvert_v1beta1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview(in *v1beta1.SelfSubjectRulesReview, out *authorization.SelfSubjectRulesReview, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1beta1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_v1beta1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1beta1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview is an autogenerated conversion function. +func Convert_v1beta1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview(in *v1beta1.SelfSubjectRulesReview, out *authorization.SelfSubjectRulesReview, s conversion.Scope) error { + return autoConvert_v1beta1_SelfSubjectRulesReview_To_authorization_SelfSubjectRulesReview(in, out, s) +} + +func autoConvert_authorization_SelfSubjectRulesReview_To_v1beta1_SelfSubjectRulesReview(in *authorization.SelfSubjectRulesReview, out *v1beta1.SelfSubjectRulesReview, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_authorization_SelfSubjectRulesReviewSpec_To_v1beta1_SelfSubjectRulesReviewSpec(&in.Spec, &out.Spec, s); err != nil { + return err + } + if err := Convert_authorization_SubjectRulesReviewStatus_To_v1beta1_SubjectRulesReviewStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_authorization_SelfSubjectRulesReview_To_v1beta1_SelfSubjectRulesReview is an autogenerated conversion function. 
+func Convert_authorization_SelfSubjectRulesReview_To_v1beta1_SelfSubjectRulesReview(in *authorization.SelfSubjectRulesReview, out *v1beta1.SelfSubjectRulesReview, s conversion.Scope) error { + return autoConvert_authorization_SelfSubjectRulesReview_To_v1beta1_SelfSubjectRulesReview(in, out, s) +} + +func autoConvert_v1beta1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec(in *v1beta1.SelfSubjectRulesReviewSpec, out *authorization.SelfSubjectRulesReviewSpec, s conversion.Scope) error { + out.Namespace = in.Namespace + return nil +} + +// Convert_v1beta1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec is an autogenerated conversion function. +func Convert_v1beta1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec(in *v1beta1.SelfSubjectRulesReviewSpec, out *authorization.SelfSubjectRulesReviewSpec, s conversion.Scope) error { + return autoConvert_v1beta1_SelfSubjectRulesReviewSpec_To_authorization_SelfSubjectRulesReviewSpec(in, out, s) +} + +func autoConvert_authorization_SelfSubjectRulesReviewSpec_To_v1beta1_SelfSubjectRulesReviewSpec(in *authorization.SelfSubjectRulesReviewSpec, out *v1beta1.SelfSubjectRulesReviewSpec, s conversion.Scope) error { + out.Namespace = in.Namespace + return nil +} + +// Convert_authorization_SelfSubjectRulesReviewSpec_To_v1beta1_SelfSubjectRulesReviewSpec is an autogenerated conversion function. 
+func Convert_authorization_SelfSubjectRulesReviewSpec_To_v1beta1_SelfSubjectRulesReviewSpec(in *authorization.SelfSubjectRulesReviewSpec, out *v1beta1.SelfSubjectRulesReviewSpec, s conversion.Scope) error { + return autoConvert_authorization_SelfSubjectRulesReviewSpec_To_v1beta1_SelfSubjectRulesReviewSpec(in, out, s) +} + func autoConvert_v1beta1_SubjectAccessReview_To_authorization_SubjectAccessReview(in *v1beta1.SubjectAccessReview, out *authorization.SubjectAccessReview, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1beta1_SubjectAccessReviewSpec_To_authorization_SubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil { 
@@ -280,3 +390,29 @@ func autoConvert_authorization_SubjectAccessReviewStatus_To_v1beta1_SubjectAcces func Convert_authorization_SubjectAccessReviewStatus_To_v1beta1_SubjectAccessReviewStatus(in *authorization.SubjectAccessReviewStatus, out *v1beta1.SubjectAccessReviewStatus, s conversion.Scope) error { return autoConvert_authorization_SubjectAccessReviewStatus_To_v1beta1_SubjectAccessReviewStatus(in, out, s) } + +func autoConvert_v1beta1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus(in *v1beta1.SubjectRulesReviewStatus, out *authorization.SubjectRulesReviewStatus, s conversion.Scope) error { + out.ResourceRules = *(*[]authorization.ResourceRule)(unsafe.Pointer(&in.ResourceRules)) + out.NonResourceRules = *(*[]authorization.NonResourceRule)(unsafe.Pointer(&in.NonResourceRules)) + out.Incomplete = in.Incomplete + out.EvaluationError = in.EvaluationError + return nil +} + +// Convert_v1beta1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus is an autogenerated conversion function. +func Convert_v1beta1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus(in *v1beta1.SubjectRulesReviewStatus, out *authorization.SubjectRulesReviewStatus, s conversion.Scope) error { + return autoConvert_v1beta1_SubjectRulesReviewStatus_To_authorization_SubjectRulesReviewStatus(in, out, s) +} + +func autoConvert_authorization_SubjectRulesReviewStatus_To_v1beta1_SubjectRulesReviewStatus(in *authorization.SubjectRulesReviewStatus, out *v1beta1.SubjectRulesReviewStatus, s conversion.Scope) error { + out.ResourceRules = *(*[]v1beta1.ResourceRule)(unsafe.Pointer(&in.ResourceRules)) + out.NonResourceRules = *(*[]v1beta1.NonResourceRule)(unsafe.Pointer(&in.NonResourceRules)) + out.Incomplete = in.Incomplete + out.EvaluationError = in.EvaluationError + return nil +} + +// Convert_authorization_SubjectRulesReviewStatus_To_v1beta1_SubjectRulesReviewStatus is an autogenerated conversion function. 
+func Convert_authorization_SubjectRulesReviewStatus_To_v1beta1_SubjectRulesReviewStatus(in *authorization.SubjectRulesReviewStatus, out *v1beta1.SubjectRulesReviewStatus, s conversion.Scope) error { + return autoConvert_authorization_SubjectRulesReviewStatus_To_v1beta1_SubjectRulesReviewStatus(in, out, s) +} diff --git a/pkg/apis/authorization/zz_generated.deepcopy.go b/pkg/apis/authorization/zz_generated.deepcopy.go index 311dbe8b9fd..eb121f30885 100644 --- a/pkg/apis/authorization/zz_generated.deepcopy.go +++ b/pkg/apis/authorization/zz_generated.deepcopy.go @@ -44,10 +44,18 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*NonResourceAttributes).DeepCopyInto(out.(*NonResourceAttributes)) return nil }, InType: reflect.TypeOf(&NonResourceAttributes{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*NonResourceRule).DeepCopyInto(out.(*NonResourceRule)) + return nil + }, InType: reflect.TypeOf(&NonResourceRule{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*ResourceAttributes).DeepCopyInto(out.(*ResourceAttributes)) return nil }, InType: reflect.TypeOf(&ResourceAttributes{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*ResourceRule).DeepCopyInto(out.(*ResourceRule)) + return nil + }, InType: reflect.TypeOf(&ResourceRule{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*SelfSubjectAccessReview).DeepCopyInto(out.(*SelfSubjectAccessReview)) return nil 
@@ -56,6 +64,14 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*SelfSubjectAccessReviewSpec).DeepCopyInto(out.(*SelfSubjectAccessReviewSpec)) return nil }, InType: reflect.TypeOf(&SelfSubjectAccessReviewSpec{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SelfSubjectRulesReview).DeepCopyInto(out.(*SelfSubjectRulesReview)) + return nil + }, InType: reflect.TypeOf(&SelfSubjectRulesReview{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SelfSubjectRulesReviewSpec).DeepCopyInto(out.(*SelfSubjectRulesReviewSpec)) + return nil + }, InType: reflect.TypeOf(&SelfSubjectRulesReviewSpec{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*SubjectAccessReview).DeepCopyInto(out.(*SubjectAccessReview)) return nil @@ -68,6 +84,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*SubjectAccessReviewStatus).DeepCopyInto(out.(*SubjectAccessReviewStatus)) return nil }, InType: reflect.TypeOf(&SubjectAccessReviewStatus{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SubjectRulesReviewStatus).DeepCopyInto(out.(*SubjectRulesReviewStatus)) + return nil + }, InType: reflect.TypeOf(&SubjectRulesReviewStatus{})}, ) } 
@@ -116,6 +136,32 @@ func (in *NonResourceAttributes) DeepCopy() *NonResourceAttributes { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NonResourceRule) DeepCopyInto(out *NonResourceRule) { + *out = *in + if in.Verbs != nil { + in, out := &in.Verbs, &out.Verbs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.NonResourceURLs != nil { + in, out := &in.NonResourceURLs, &out.NonResourceURLs + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NonResourceRule. +func (in *NonResourceRule) DeepCopy() *NonResourceRule { + if in == nil { + return nil + } + out := new(NonResourceRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResourceAttributes) DeepCopyInto(out *ResourceAttributes) { *out = *in 
@@ -132,6 +178,42 @@ func (in *ResourceAttributes) DeepCopy() *ResourceAttributes { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResourceRule) DeepCopyInto(out *ResourceRule) { + *out = *in + if in.Verbs != nil { + in, out := &in.Verbs, &out.Verbs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.APIGroups != nil { + in, out := &in.APIGroups, &out.APIGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ResourceNames != nil { + in, out := &in.ResourceNames, &out.ResourceNames + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRule. +func (in *ResourceRule) DeepCopy() *ResourceRule { + if in == nil { + return nil + } + out := new(ResourceRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SelfSubjectAccessReview) DeepCopyInto(out *SelfSubjectAccessReview) { *out = *in 
@@ -195,6 +277,51 @@ func (in *SelfSubjectAccessReviewSpec) DeepCopy() *SelfSubjectAccessReviewSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SelfSubjectRulesReview) DeepCopyInto(out *SelfSubjectRulesReview) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReview. +func (in *SelfSubjectRulesReview) DeepCopy() *SelfSubjectRulesReview { + if in == nil { + return nil + } + out := new(SelfSubjectRulesReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SelfSubjectRulesReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } else { + return nil + } +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SelfSubjectRulesReviewSpec) DeepCopyInto(out *SelfSubjectRulesReviewSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReviewSpec. +func (in *SelfSubjectRulesReviewSpec) DeepCopy() *SelfSubjectRulesReviewSpec { + if in == nil { + return nil + } + out := new(SelfSubjectRulesReviewSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SubjectAccessReview) DeepCopyInto(out *SubjectAccessReview) { *out = *in 
@@ -286,3 +413,33 @@ func (in *SubjectAccessReviewStatus) DeepCopy() *SubjectAccessReviewStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SubjectRulesReviewStatus) DeepCopyInto(out *SubjectRulesReviewStatus) { + *out = *in + if in.ResourceRules != nil { + in, out := &in.ResourceRules, &out.ResourceRules + *out = make([]ResourceRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.NonResourceRules != nil { + in, out := &in.NonResourceRules, &out.NonResourceRules + *out = make([]NonResourceRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectRulesReviewStatus. +func (in *SubjectRulesReviewStatus) DeepCopy() *SubjectRulesReviewStatus { + if in == nil { + return nil + } + out := new(SubjectRulesReviewStatus) + in.DeepCopyInto(out) + return out +} diff --git a/pkg/auth/authorizer/abac/BUILD b/pkg/auth/authorizer/abac/BUILD index 307072800dc..78bbcb36970 100644 --- a/pkg/auth/authorizer/abac/BUILD +++ b/pkg/auth/authorizer/abac/BUILD @@ -15,6 +15,7 @@ go_library( "//pkg/apis/abac/v0:go_default_library", "//vendor/github.com/golang/glog:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", + "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", ], ) diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/BUILD b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/BUILD index 311749fb48b..c0a60a8349d 100644 --- a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/BUILD 
+++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/BUILD @@ -15,6 +15,7 @@ go_library( "localsubjectaccessreview_expansion.go", "selfsubjectaccessreview.go", "selfsubjectaccessreview_expansion.go", + "selfsubjectrulesreview.go", "subjectaccessreview.go", "subjectaccessreview_expansion.go", ], diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/authorization_client.go b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/authorization_client.go index b3ee68f467a..a5aeb4831ec 100644 --- a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/authorization_client.go +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/authorization_client.go @@ -25,6 +25,7 @@ type AuthorizationInterface interface { RESTClient() rest.Interface LocalSubjectAccessReviewsGetter SelfSubjectAccessReviewsGetter + SelfSubjectRulesReviewsGetter SubjectAccessReviewsGetter } @@ -41,6 +42,10 @@ func (c *AuthorizationClient) SelfSubjectAccessReviews() SelfSubjectAccessReview return newSelfSubjectAccessReviews(c) } +func (c *AuthorizationClient) SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface { + return newSelfSubjectRulesReviews(c) +} + func (c *AuthorizationClient) SubjectAccessReviews() SubjectAccessReviewInterface { return newSubjectAccessReviews(c) } diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/BUILD b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/BUILD index 481ab6164a3..0b7a845b33e 100644 --- a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/BUILD +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/BUILD 
@@ -15,6 +15,7 @@ go_library( "fake_localsubjectaccessreview_expansion.go", "fake_selfsubjectaccessreview.go", "fake_selfsubjectaccessreview_expansion.go", + "fake_selfsubjectrulesreview.go", "fake_subjectaccessreview.go", "fake_subjectaccessreview_expansion.go", ], diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_authorization_client.go b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_authorization_client.go index 3f458c1fd48..65689a76490 100644 --- a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_authorization_client.go +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_authorization_client.go @@ -34,6 +34,10 @@ func (c *FakeAuthorization) SelfSubjectAccessReviews() internalversion.SelfSubje return &FakeSelfSubjectAccessReviews{c} } +func (c *FakeAuthorization) SelfSubjectRulesReviews() internalversion.SelfSubjectRulesReviewInterface { + return &FakeSelfSubjectRulesReviews{c} +} + func (c *FakeAuthorization) SubjectAccessReviews() internalversion.SubjectAccessReviewInterface { return &FakeSubjectAccessReviews{c} } diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_selfsubjectrulesreview.go b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_selfsubjectrulesreview.go new file mode 100644 index 00000000000..59841af9dbd --- /dev/null +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_selfsubjectrulesreview.go 
@@ -0,0 +1,22 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +// FakeSelfSubjectRulesReviews implements SelfSubjectRulesReviewInterface +type FakeSelfSubjectRulesReviews struct { + Fake *FakeAuthorization +} diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/generated_expansion.go b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/generated_expansion.go index b0f76eeede5..c190bb419e6 100644 --- a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/generated_expansion.go +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/generated_expansion.go @@ -15,3 +15,5 @@ limitations under the License. */ package internalversion + +type SelfSubjectRulesReviewExpansion interface{} diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/selfsubjectrulesreview.go b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/selfsubjectrulesreview.go new file mode 100644 index 00000000000..de80117b57b --- /dev/null +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/selfsubjectrulesreview.go 
@@ -0,0 +1,44 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package internalversion + +import ( + rest "k8s.io/client-go/rest" +) + +// SelfSubjectRulesReviewsGetter has a method to return a SelfSubjectRulesReviewInterface. +// A group's client should implement this interface. +type SelfSubjectRulesReviewsGetter interface { + SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface +} + +// SelfSubjectRulesReviewInterface has methods to work with SelfSubjectRulesReview resources. +type SelfSubjectRulesReviewInterface interface { + SelfSubjectRulesReviewExpansion +} + +// selfSubjectRulesReviews implements SelfSubjectRulesReviewInterface +type selfSubjectRulesReviews struct { + client rest.Interface +} + +// newSelfSubjectRulesReviews returns a SelfSubjectRulesReviews +func newSelfSubjectRulesReviews(c *AuthorizationClient) *selfSubjectRulesReviews { + return &selfSubjectRulesReviews{ + client: c.RESTClient(), + } +} diff --git a/pkg/client/listers/authorization/internalversion/BUILD b/pkg/client/listers/authorization/internalversion/BUILD index 5431899c3dc..70ec1fc13d9 100644 --- a/pkg/client/listers/authorization/internalversion/BUILD +++ b/pkg/client/listers/authorization/internalversion/BUILD @@ -11,6 +11,7 @@ go_library( "expansion_generated.go", "localsubjectaccessreview.go", "selfsubjectaccessreview.go", + "selfsubjectrulesreview.go", "subjectaccessreview.go", ], deps = [ 
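Review bot: `SelfSubjectRulesReviewInterface` in internalversion/selfsubjectrulesreview.go embeds only `SelfSubjectRulesReviewExpansion`, which generated_expansion.go declares as `interface{}`, so the typed client exposes no method at all. The `client` field of `selfSubjectRulesReviews` is set in the constructor but nothing visible here reads it. The sibling type has a hand-written `selfsubjectaccessreview_expansion.go` in the BUILD srcs, presumably where its `Create` lives, and no matching file is added for the new type. Consider adding a `selfsubjectrulesreview_expansion.go` that replaces the empty expansion with `Create(srr *authorization.SelfSubjectRulesReview) (*authorization.SelfSubjectRulesReview, error)`, so callers and tests can submit a review through the clientset. The same gap leaves `FakeSelfSubjectRulesReviews` in fake_selfsubjectrulesreview.go with nothing to fake.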
diff --git a/pkg/client/listers/authorization/internalversion/expansion_generated.go b/pkg/client/listers/authorization/internalversion/expansion_generated.go index d5876e7553f..7715a480aec 100644 --- a/pkg/client/listers/authorization/internalversion/expansion_generated.go +++ b/pkg/client/listers/authorization/internalversion/expansion_generated.go @@ -30,6 +30,10 @@ type LocalSubjectAccessReviewNamespaceListerExpansion interface{} // SelfSubjectAccessReviewLister. type SelfSubjectAccessReviewListerExpansion interface{} +// SelfSubjectRulesReviewListerExpansion allows custom methods to be added to +// SelfSubjectRulesReviewLister. +type SelfSubjectRulesReviewListerExpansion interface{} + // SubjectAccessReviewListerExpansion allows custom methods to be added to // SubjectAccessReviewLister. type SubjectAccessReviewListerExpansion interface{} diff --git a/pkg/client/listers/authorization/internalversion/selfsubjectrulesreview.go b/pkg/client/listers/authorization/internalversion/selfsubjectrulesreview.go new file mode 100644 index 00000000000..999956a5a6c --- /dev/null +++ b/pkg/client/listers/authorization/internalversion/selfsubjectrulesreview.go 
@@ -0,0 +1,67 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// This file was automatically generated by lister-gen + +package internalversion + +import ( + "k8s.io/apimachinery/pkg/api/errors" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" + authorization "k8s.io/kubernetes/pkg/apis/authorization" +) + +// SelfSubjectRulesReviewLister helps list SelfSubjectRulesReviews. +type SelfSubjectRulesReviewLister interface { + // List lists all SelfSubjectRulesReviews in the indexer. + List(selector labels.Selector) (ret []*authorization.SelfSubjectRulesReview, err error) + // Get retrieves the SelfSubjectRulesReview from the index for a given name. + Get(name string) (*authorization.SelfSubjectRulesReview, error) + SelfSubjectRulesReviewListerExpansion +} + +// selfSubjectRulesReviewLister implements the SelfSubjectRulesReviewLister interface. +type selfSubjectRulesReviewLister struct { + indexer cache.Indexer +} + +// NewSelfSubjectRulesReviewLister returns a new SelfSubjectRulesReviewLister. +func NewSelfSubjectRulesReviewLister(indexer cache.Indexer) SelfSubjectRulesReviewLister { + return &selfSubjectRulesReviewLister{indexer: indexer} +} + +// List lists all SelfSubjectRulesReviews in the indexer. 
+func (s *selfSubjectRulesReviewLister) List(selector labels.Selector) (ret []*authorization.SelfSubjectRulesReview, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*authorization.SelfSubjectRulesReview)) + }) + return ret, err +} + +// Get retrieves the SelfSubjectRulesReview from the index for a given name. +func (s *selfSubjectRulesReviewLister) Get(name string) (*authorization.SelfSubjectRulesReview, error) { + key := &authorization.SelfSubjectRulesReview{ObjectMeta: v1.ObjectMeta{Name: name}} + obj, exists, err := s.indexer.Get(key) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(authorization.Resource("selfsubjectrulesreview"), name) + } + return obj.(*authorization.SelfSubjectRulesReview), nil +} diff --git a/pkg/registry/BUILD b/pkg/registry/BUILD index d73bca0a28d..db518e3822e 100644 --- a/pkg/registry/BUILD +++ b/pkg/registry/BUILD @@ -32,6 +32,7 @@ filegroup( "//pkg/registry/authorization/localsubjectaccessreview:all-srcs", "//pkg/registry/authorization/rest:all-srcs", "//pkg/registry/authorization/selfsubjectaccessreview:all-srcs", + "//pkg/registry/authorization/selfsubjectrulesreview:all-srcs", "//pkg/registry/authorization/subjectaccessreview:all-srcs", "//pkg/registry/authorization/util:all-srcs", "//pkg/registry/autoscaling/horizontalpodautoscaler:all-srcs", diff --git a/pkg/registry/authorization/rest/BUILD b/pkg/registry/authorization/rest/BUILD index 00520bd895c..59a4a229d8b 100644 --- a/pkg/registry/authorization/rest/BUILD +++ b/pkg/registry/authorization/rest/BUILD 
@@ -13,6 +13,7 @@ go_library( "//pkg/apis/authorization:go_default_library", "//pkg/registry/authorization/localsubjectaccessreview:go_default_library", "//pkg/registry/authorization/selfsubjectaccessreview:go_default_library", + "//pkg/registry/authorization/selfsubjectrulesreview:go_default_library", "//pkg/registry/authorization/subjectaccessreview:go_default_library", "//vendor/k8s.io/api/authorization/v1:go_default_library", "//vendor/k8s.io/api/authorization/v1beta1:go_default_library", diff --git a/pkg/registry/authorization/selfsubjectrulesreview/BUILD b/pkg/registry/authorization/selfsubjectrulesreview/BUILD new file mode 100644 index 00000000000..8c293520bfb --- /dev/null +++ b/pkg/registry/authorization/selfsubjectrulesreview/BUILD @@ -0,0 +1,28 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "go_default_library", + srcs = ["rest.go"], + visibility = ["//visibility:public"], + deps = [ + "//pkg/apis/authorization:go_default_library", + "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library", + "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", + "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", + "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library", + ], +) + +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [":package-srcs"], + tags = ["automanaged"], + visibility = ["//visibility:public"], +) diff --git a/staging/src/k8s.io/api/authorization/v1/generated.pb.go b/staging/src/k8s.io/api/authorization/v1/generated.pb.go index 190b9696e7a..0795a645492 100644 --- a/staging/src/k8s.io/api/authorization/v1/generated.pb.go +++ b/staging/src/k8s.io/api/authorization/v1/generated.pb.go 
@@ -28,12 +28,17 @@ limitations under the License. ExtraValue LocalSubjectAccessReview NonResourceAttributes + NonResourceRule ResourceAttributes + ResourceRule SelfSubjectAccessReview SelfSubjectAccessReviewSpec + SelfSubjectRulesReview + SelfSubjectRulesReviewSpec SubjectAccessReview SubjectAccessReviewSpec SubjectAccessReviewStatus + SubjectRulesReviewStatus */ package v1 
@@ -73,44 +78,75 @@ func (m *NonResourceAttributes) Reset() { *m = NonResourceAtt func (*NonResourceAttributes) ProtoMessage() {} func (*NonResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} } +func (m *NonResourceRule) Reset() { *m = NonResourceRule{} } +func (*NonResourceRule) ProtoMessage() {} +func (*NonResourceRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} } + func (m *ResourceAttributes) Reset() { *m = ResourceAttributes{} } func (*ResourceAttributes) ProtoMessage() {} -func (*ResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} } +func (*ResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} } + +func (m *ResourceRule) Reset() { *m = ResourceRule{} } +func (*ResourceRule) ProtoMessage() {} +func (*ResourceRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} } func (m *SelfSubjectAccessReview) Reset() { *m = SelfSubjectAccessReview{} } func (*SelfSubjectAccessReview) ProtoMessage() {} -func (*SelfSubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} } +func (*SelfSubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} } func (m *SelfSubjectAccessReviewSpec) Reset() { *m = SelfSubjectAccessReviewSpec{} } func (*SelfSubjectAccessReviewSpec) ProtoMessage() {} func (*SelfSubjectAccessReviewSpec) Descriptor() ([]byte, []int) { - return fileDescriptorGenerated, []int{5} + return fileDescriptorGenerated, []int{7} +} + +func (m *SelfSubjectRulesReview) Reset() { *m = SelfSubjectRulesReview{} } +func (*SelfSubjectRulesReview) ProtoMessage() {} +func (*SelfSubjectRulesReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} } + +func (m *SelfSubjectRulesReviewSpec) Reset() { *m = SelfSubjectRulesReviewSpec{} } +func (*SelfSubjectRulesReviewSpec) ProtoMessage() {} +func (*SelfSubjectRulesReviewSpec) 
Descriptor() ([]byte, []int) { + return fileDescriptorGenerated, []int{9} } func (m *SubjectAccessReview) Reset() { *m = SubjectAccessReview{} } func (*SubjectAccessReview) ProtoMessage() {} -func (*SubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} } +func (*SubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} } -func (m *SubjectAccessReviewSpec) Reset() { *m = SubjectAccessReviewSpec{} } -func (*SubjectAccessReviewSpec) ProtoMessage() {} -func (*SubjectAccessReviewSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} } +func (m *SubjectAccessReviewSpec) Reset() { *m = SubjectAccessReviewSpec{} } +func (*SubjectAccessReviewSpec) ProtoMessage() {} +func (*SubjectAccessReviewSpec) Descriptor() ([]byte, []int) { + return fileDescriptorGenerated, []int{11} +} func (m *SubjectAccessReviewStatus) Reset() { *m = SubjectAccessReviewStatus{} } func (*SubjectAccessReviewStatus) ProtoMessage() {} func (*SubjectAccessReviewStatus) Descriptor() ([]byte, []int) { - return fileDescriptorGenerated, []int{8} + return fileDescriptorGenerated, []int{12} +} + +func (m *SubjectRulesReviewStatus) Reset() { *m = SubjectRulesReviewStatus{} } +func (*SubjectRulesReviewStatus) ProtoMessage() {} +func (*SubjectRulesReviewStatus) Descriptor() ([]byte, []int) { + return fileDescriptorGenerated, []int{13} } func init() { proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authorization.v1.ExtraValue") proto.RegisterType((*LocalSubjectAccessReview)(nil), "k8s.io.api.authorization.v1.LocalSubjectAccessReview") proto.RegisterType((*NonResourceAttributes)(nil), "k8s.io.api.authorization.v1.NonResourceAttributes") + proto.RegisterType((*NonResourceRule)(nil), "k8s.io.api.authorization.v1.NonResourceRule") proto.RegisterType((*ResourceAttributes)(nil), "k8s.io.api.authorization.v1.ResourceAttributes") + proto.RegisterType((*ResourceRule)(nil), "k8s.io.api.authorization.v1.ResourceRule") 
proto.RegisterType((*SelfSubjectAccessReview)(nil), "k8s.io.api.authorization.v1.SelfSubjectAccessReview") proto.RegisterType((*SelfSubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1.SelfSubjectAccessReviewSpec") + proto.RegisterType((*SelfSubjectRulesReview)(nil), "k8s.io.api.authorization.v1.SelfSubjectRulesReview") + proto.RegisterType((*SelfSubjectRulesReviewSpec)(nil), "k8s.io.api.authorization.v1.SelfSubjectRulesReviewSpec") proto.RegisterType((*SubjectAccessReview)(nil), "k8s.io.api.authorization.v1.SubjectAccessReview") proto.RegisterType((*SubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1.SubjectAccessReviewSpec") proto.RegisterType((*SubjectAccessReviewStatus)(nil), "k8s.io.api.authorization.v1.SubjectAccessReviewStatus") + proto.RegisterType((*SubjectRulesReviewStatus)(nil), "k8s.io.api.authorization.v1.SubjectRulesReviewStatus") } func (m ExtraValue) Marshal() (dAtA []byte, err error) { size := m.Size() @@ -213,6 +249,54 @@ func (m *NonResourceAttributes) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *NonResourceRule) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NonResourceRule) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.Verbs) > 0 { + for _, s := range m.Verbs { + dAtA[i] = 0xa + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.NonResourceURLs) > 0 { + for _, s := range m.NonResourceURLs { + dAtA[i] = 0x12 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + return i, nil +} + func (m *ResourceAttributes) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) 
@@ -259,6 +343,84 @@ func (m *ResourceAttributes) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *ResourceRule) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *ResourceRule) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.Verbs) > 0 { + for _, s := range m.Verbs { + dAtA[i] = 0xa + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.APIGroups) > 0 { + for _, s := range m.APIGroups { + dAtA[i] = 0x12 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.Resources) > 0 { + for _, s := range m.Resources { + dAtA[i] = 0x1a + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.ResourceNames) > 0 { + for _, s := range m.ResourceNames { + dAtA[i] = 0x22 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + return i, nil +} + func (m *SelfSubjectAccessReview) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -339,7 +501,7 @@ func (m *SelfSubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) { return i, nil } -func (m *SubjectAccessReview) Marshal() (dAtA []byte, err error) { +func (m *SelfSubjectRulesReview) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalTo(dAtA) 
@@ -349,7 +511,7 @@ func (m *SubjectAccessReview) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *SubjectAccessReview) MarshalTo(dAtA []byte) (int, error) { +func (m *SelfSubjectRulesReview) MarshalTo(dAtA []byte) (int, error) { var i int _ = i var l int @@ -381,6 +543,70 @@ func (m *SubjectAccessReview) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *SelfSubjectRulesReviewSpec) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SelfSubjectRulesReviewSpec) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + dAtA[i] = 0xa + i++ + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace))) + i += copy(dAtA[i:], m.Namespace) + return i, nil +} + +func (m *SubjectAccessReview) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SubjectAccessReview) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + dAtA[i] = 0xa + i++ + i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size())) + n12, err := m.ObjectMeta.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n12 + dAtA[i] = 0x12 + i++ + i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size())) + n13, err := m.Spec.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n13 + dAtA[i] = 0x1a + i++ + i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size())) + n14, err := m.Status.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n14 + return i, nil +} + func (m *SubjectAccessReviewSpec) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) 
@@ -400,21 +626,21 @@ func (m *SubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) { dAtA[i] = 0xa i++ i = encodeVarintGenerated(dAtA, i, uint64(m.ResourceAttributes.Size())) - n12, err := m.ResourceAttributes.MarshalTo(dAtA[i:]) + n15, err := m.ResourceAttributes.MarshalTo(dAtA[i:]) if err != nil { return 0, err } - i += n12 + i += n15 } if m.NonResourceAttributes != nil { dAtA[i] = 0x12 i++ i = encodeVarintGenerated(dAtA, i, uint64(m.NonResourceAttributes.Size())) - n13, err := m.NonResourceAttributes.MarshalTo(dAtA[i:]) + n16, err := m.NonResourceAttributes.MarshalTo(dAtA[i:]) if err != nil { return 0, err } - i += n13 + i += n16 } dAtA[i] = 0x1a i++ @@ -459,11 +685,11 @@ func (m *SubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) { dAtA[i] = 0x12 i++ i = encodeVarintGenerated(dAtA, i, uint64((&v).Size())) - n14, err := (&v).MarshalTo(dAtA[i:]) + n17, err := (&v).MarshalTo(dAtA[i:]) if err != nil { return 0, err } - i += n14 + i += n17 } } dAtA[i] = 0x32 
@@ -507,6 +733,60 @@ func (m *SubjectAccessReviewStatus) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *SubjectRulesReviewStatus) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SubjectRulesReviewStatus) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.ResourceRules) > 0 { + for _, msg := range m.ResourceRules { + dAtA[i] = 0xa + i++ + i = encodeVarintGenerated(dAtA, i, uint64(msg.Size())) + n, err := msg.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n + } + } + if len(m.NonResourceRules) > 0 { + for _, msg := range m.NonResourceRules { + dAtA[i] = 0x12 + i++ + i = encodeVarintGenerated(dAtA, i, uint64(msg.Size())) + n, err := msg.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n + } + } + dAtA[i] = 0x18 + i++ + if m.Incomplete { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i++ + dAtA[i] = 0x22 + i++ + i = encodeVarintGenerated(dAtA, i, uint64(len(m.EvaluationError))) + i += copy(dAtA[i:], m.EvaluationError) + return i, nil +} + func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int { dAtA[offset] = uint8(v) dAtA[offset+1] = uint8(v >> 8) @@ -568,6 +848,24 @@ func (m *NonResourceAttributes) Size() (n int) { return n } +func (m *NonResourceRule) Size() (n int) { + var l int + _ = l + if len(m.Verbs) > 0 { + for _, s := range m.Verbs { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.NonResourceURLs) > 0 { + for _, s := range m.NonResourceURLs { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + func (m *ResourceAttributes) Size() (n int) { var l int _ = l 
@@ -588,6 +886,36 @@ func (m *ResourceAttributes) Size() (n int) { return n } +func (m *ResourceRule) Size() (n int) { + var l int + _ = l + if len(m.Verbs) > 0 { + for _, s := range m.Verbs { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.APIGroups) > 0 { + for _, s := range m.APIGroups { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.Resources) > 0 { + for _, s := range m.Resources { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.ResourceNames) > 0 { + for _, s := range m.ResourceNames { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + func (m *SelfSubjectAccessReview) Size() (n int) { var l int _ = l @@ -614,6 +942,26 @@ func (m *SelfSubjectAccessReviewSpec) Size() (n int) { return n } +func (m *SelfSubjectRulesReview) Size() (n int) { + var l int + _ = l + l = m.ObjectMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Spec.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Status.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *SelfSubjectRulesReviewSpec) Size() (n int) { + var l int + _ = l + l = len(m.Namespace) + n += 1 + l + sovGenerated(uint64(l)) + return n +} + func (m *SubjectAccessReview) Size() (n int) { var l int _ = l @@ -670,6 +1018,27 @@ func (m *SubjectAccessReviewStatus) Size() (n int) { return n } +func (m *SubjectRulesReviewStatus) Size() (n int) { + var l int + _ = l + if len(m.ResourceRules) > 0 { + for _, e := range m.ResourceRules { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.NonResourceRules) > 0 { + for _, e := range m.NonResourceRules { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + n += 2 + l = len(m.EvaluationError) + n += 1 + l + sovGenerated(uint64(l)) + return n +} + func sovGenerated(x uint64) (n int) { for { n++ 
@@ -706,6 +1075,17 @@ func (this *NonResourceAttributes) String() string { }, "") return s } +func (this *NonResourceRule) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&NonResourceRule{`, + `Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`, + `NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`, + `}`, + }, "") + return s +} func (this *ResourceAttributes) String() string { if this == nil { return "nil" @@ -722,6 +1102,19 @@ func (this *ResourceAttributes) String() string { }, "") return s } +func (this *ResourceRule) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&ResourceRule{`, + `Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`, + `APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`, + `Resources:` + fmt.Sprintf("%v", this.Resources) + `,`, + `ResourceNames:` + fmt.Sprintf("%v", this.ResourceNames) + `,`, + `}`, + }, "") + return s +} func (this *SelfSubjectAccessReview) String() string { if this == nil { return "nil" 
@@ -745,6 +1138,28 @@ func (this *SelfSubjectAccessReviewSpec) String() string { }, "") return s } +func (this *SelfSubjectRulesReview) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SelfSubjectRulesReview{`, + `ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`, + `Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SelfSubjectRulesReviewSpec", "SelfSubjectRulesReviewSpec", 1), `&`, ``, 1) + `,`, + `Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectRulesReviewStatus", "SubjectRulesReviewStatus", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *SelfSubjectRulesReviewSpec) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SelfSubjectRulesReviewSpec{`, + `Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`, + `}`, + }, "") + return s +} func (this *SubjectAccessReview) String() string { if this == nil { return "nil" @@ -794,6 +1209,19 @@ func (this *SubjectAccessReviewStatus) String() string { }, "") return s } +func (this *SubjectRulesReviewStatus) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SubjectRulesReviewStatus{`, + `ResourceRules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ResourceRules), "ResourceRule", "ResourceRule", 1), `&`, ``, 1) + `,`, + `NonResourceRules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.NonResourceRules), "NonResourceRule", "NonResourceRule", 1), `&`, ``, 1) + `,`, + `Incomplete:` + fmt.Sprintf("%v", this.Incomplete) + `,`, + `EvaluationError:` + fmt.Sprintf("%v", this.EvaluationError) + `,`, + `}`, + }, "") + return s +} func valueToStringGenerated(v interface{}) string { rv := reflect.ValueOf(v) if rv.IsNil() { 
@@ -1129,6 +1557,114 @@ func (m *NonResourceAttributes) Unmarshal(dAtA []byte) error { } return nil } +func (m *NonResourceRule) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NonResourceRule: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NonResourceRule: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field NonResourceURLs", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return 
io.ErrUnexpectedEOF + } + m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *ResourceAttributes) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -1382,6 +1918,172 @@ func (m *ResourceAttributes) Unmarshal(dAtA []byte) error { } return nil } +func (m *ResourceRule) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: ResourceRule: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: ResourceRule: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field APIGroups", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return 
io.ErrUnexpectedEOF + } + m.APIGroups = append(m.APIGroups, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ResourceNames", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ResourceNames = append(m.ResourceNames, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *SelfSubjectAccessReview) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -1638,6 +2340,225 @@ func (m *SelfSubjectAccessReviewSpec) Unmarshal(dAtA []byte) error { } return nil } +func (m *SelfSubjectRulesReview) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SelfSubjectRulesReview: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SelfSubjectRulesReview: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := 
m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *SelfSubjectRulesReviewSpec) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SelfSubjectRulesReviewSpec: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SelfSubjectRulesReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if 
iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Namespace = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *SubjectAccessReview) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -2230,6 +3151,167 @@ func (m *SubjectAccessReviewStatus) Unmarshal(dAtA []byte) error { } return nil } +func (m *SubjectRulesReviewStatus) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SubjectRulesReviewStatus: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SubjectRulesReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ResourceRules", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ResourceRules = append(m.ResourceRules, ResourceRule{}) + if err := m.ResourceRules[len(m.ResourceRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field NonResourceRules", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := 
iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.NonResourceRules = append(m.NonResourceRules, NonResourceRule{}) + if err := m.NonResourceRules[len(m.NonResourceRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Incomplete", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + m.Incomplete = bool(v != 0) + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field EvaluationError", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.EvaluationError = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func skipGenerated(dAtA []byte) (n int, err error) { l := len(dAtA) iNdEx := 0 
@@ -2340,62 +3422,77 @@ func init() { } var fileDescriptorGenerated = []byte{ - // 902 bytes of a gzipped FileDescriptorProto + // 1137 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0x4f, 0x6f, 0x1b, 0x45, - 0x14, 0xf7, 0xfa, 0x5f, 0xec, 0x31, 0x90, 0x32, 0x55, 0xc9, 0x36, 0x15, 0x6b, 0xcb, 0x48, 0x10, - 0x24, 0xd8, 0x25, 0xa1, 0x94, 0xa8, 0x12, 0x42, 0xb1, 0x1a, 0xa1, 0x4a, 0x50, 0xd0, 0x44, 0xcd, - 0xa1, 0x48, 0x88, 0xd9, 0xf5, 0xab, 0xbd, 0xd8, 0xde, 0x59, 0xcd, 0xcc, 0x6e, 0x08, 0xa7, 0x4a, - 0x7c, 0x01, 0x8e, 0x1c, 0x38, 0xf0, 0x0d, 0x10, 0x12, 0x12, 0x37, 0x8e, 0x28, 0xc7, 0x1e, 0x7b, - 0x40, 0x16, 0x59, 0xbe, 0x08, 0x9a, 0xd9, 0xb1, 0xb7, 0x69, 0x36, 0xae, 0xda, 0x4b, 0x2f, 0xbd, - 0xed, 0xbc, 0xf7, 0xfb, 0xfd, 0xde, 0x9b, 0x37, 0x6f, 0xe7, 0x0d, 0xba, 0x35, 0xd9, 0x15, 0x6e, - 0xc8, 0xbc, 0x49, 0xe2, 0x03, 0x8f, 0x40, 0x82, 0xf0, 0x52, 0x88, 0x86, 0x8c, 0x7b, 0xc6, 0x41, - 0xe3, 0xd0, 0xa3, 0x89, 0x1c, 0x33, 0x1e, 0xfe, 0x40, 0x65, 0xc8, 0x22, 0x2f, 0xdd, 0xf6, 0x46, - 0x10, 0x01, 0xa7, 0x12, 0x86, 0x6e, 0xcc, 0x99, 0x64, 0xf8, 0x5a, 0x0e, 0x76, 0x69, 0x1c, 0xba, - 0x67, 0xc0, 0x6e, 0xba, 0xbd, 0xf9, 0xfe, 0x28, 0x94, 0xe3, 0xc4, 0x77, 0x03, 0x36, 0xf3, 0x46, - 0x6c, 0xc4, 0x3c, 0xcd, 0xf1, 0x93, 0xfb, 0x7a, 0xa5, 0x17, 0xfa, 0x2b, 0xd7, 0xda, 0xbc, 0x5e, - 0x04, 0x9e, 0xd1, 0x60, 0x1c, 0x46, 0xc0, 0x8f, 0xbd, 0x78, 0x32, 0x52, 0x06, 0xe1, 0xcd, 0x40, - 0xd2, 0x92, 0x0c, 0x36, 0xbd, 0x8b, 0x58, 0x3c, 0x89, 0x64, 0x38, 0x83, 0x73, 0x84, 0x1b, 0x4f, - 0x23, 0x88, 0x60, 0x0c, 0x33, 0x7a, 0x8e, 0xf7, 0xe1, 0x45, 0xbc, 0x44, 0x86, 0x53, 0x2f, 0x8c, - 0xa4, 0x90, 0xfc, 0x49, 0x52, 0xff, 0x63, 0x84, 0xf6, 0xbf, 0x97, 0x9c, 0x1e, 0xd2, 0x69, 0x02, - 0xb8, 0x8b, 0x1a, 0xa1, 0x84, 0x99, 0xb0, 0xad, 0x5e, 0x6d, 0xab, 0x3d, 0x68, 0x67, 0xf3, 0x6e, - 0xe3, 0xb6, 0x32, 0x90, 0xdc, 0x7e, 0xb3, 0xf5, 0xf3, 0xaf, 0xdd, 0xca, 0x83, 0x7f, 0x7a, 0x95, - 0xfe, 0x1f, 0x55, 0x64, 0x7f, 0xce, 0x02, 0x3a, 0x3d, 0x48, 
0xfc, 0xef, 0x20, 0x90, 0x7b, 0x41, - 0x00, 0x42, 0x10, 0x48, 0x43, 0x38, 0xc2, 0xdf, 0xa2, 0x96, 0x2a, 0xc7, 0x90, 0x4a, 0x6a, 0x5b, - 0x3d, 0x6b, 0xab, 0xb3, 0xf3, 0x81, 0x5b, 0x1c, 0xc4, 0x32, 0x3b, 0x37, 0x9e, 0x8c, 0x94, 0x41, - 0xb8, 0x0a, 0xed, 0xa6, 0xdb, 0xee, 0x97, 0x5a, 0xeb, 0x0b, 0x90, 0x74, 0x80, 0x4f, 0xe6, 0xdd, - 0x4a, 0x36, 0xef, 0xa2, 0xc2, 0x46, 0x96, 0xaa, 0xf8, 0x10, 0xd5, 0x45, 0x0c, 0x81, 0x5d, 0xd5, - 0xea, 0xd7, 0xdd, 0x15, 0xc7, 0xec, 0x96, 0x64, 0x78, 0x10, 0x43, 0x30, 0x78, 0xc5, 0x44, 0xa8, - 0xab, 0x15, 0xd1, 0x7a, 0xf8, 0x1b, 0xd4, 0x14, 0x92, 0xca, 0x44, 0xd8, 0x35, 0xad, 0x7c, 0xe3, - 0x99, 0x95, 0x35, 0x7b, 0xf0, 0x9a, 0xd1, 0x6e, 0xe6, 0x6b, 0x62, 0x54, 0xfb, 0x5f, 0xa3, 0x2b, - 0x77, 0x58, 0x44, 0x40, 0xb0, 0x84, 0x07, 0xb0, 0x27, 0x25, 0x0f, 0xfd, 0x44, 0x82, 0xc0, 0x3d, - 0x54, 0x8f, 0xa9, 0x1c, 0xeb, 0x72, 0xb5, 0x8b, 0xd4, 0xbe, 0xa2, 0x72, 0x4c, 0xb4, 0x47, 0x21, - 0x52, 0xe0, 0xbe, 0xde, 0xf2, 0x63, 0x88, 0x43, 0xe0, 0x3e, 0xd1, 0x9e, 0xfe, 0x5f, 0x55, 0x84, - 0x4b, 0xa4, 0x3d, 0xd4, 0x8e, 0xe8, 0x0c, 0x44, 0x4c, 0x03, 0x30, 0xfa, 0xaf, 0x1b, 0x76, 0xfb, - 0xce, 0xc2, 0x41, 0x0a, 0xcc, 0xd3, 0x23, 0xe1, 0xb7, 0x50, 0x63, 0xc4, 0x59, 0x12, 0xeb, 0x2a, - 0xb5, 0x07, 0xaf, 0x1a, 0x48, 0xe3, 0x33, 0x65, 0x24, 0xb9, 0x0f, 0xbf, 0x8b, 0xd6, 0x52, 0xe0, - 0x22, 0x64, 0x91, 0x5d, 0xd7, 0xb0, 0x75, 0x03, 0x5b, 0x3b, 0xcc, 0xcd, 0x64, 0xe1, 0xc7, 0xef, - 0xa1, 0x16, 0x37, 0x89, 0xdb, 0x0d, 0x8d, 0xbd, 0x64, 0xb0, 0xad, 0xc5, 0x86, 0xc8, 0x12, 0x81, - 0x3f, 0x42, 0x1d, 0x91, 0xf8, 0x4b, 0x42, 0x53, 0x13, 0x2e, 0x1b, 0x42, 0xe7, 0xa0, 0x70, 0x91, - 0xc7, 0x71, 0x6a, 0x5b, 0x6a, 0x8f, 0xf6, 0xda, 0xd9, 0x6d, 0xa9, 0x12, 0x10, 0xed, 0xe9, 0xff, - 0x59, 0x45, 0x1b, 0x07, 0x30, 0xbd, 0xff, 0x62, 0x7a, 0xfa, 0xde, 0x99, 0x9e, 0xde, 0x5d, 0xdd, - 0x79, 0xe5, 0x59, 0xbe, 0xb0, 0xbe, 0xfe, 0xa5, 0x8a, 0xae, 0xad, 0xc8, 0x09, 0x1f, 0x21, 0xcc, - 0xcf, 0x75, 0xa6, 0xa9, 0xa3, 0xb7, 0x32, 0x97, 0xf3, 0x0d, 0x3d, 0x78, 0x23, 0x9b, 0x77, 0x4b, - 
0x1a, 0x9d, 0x94, 0x84, 0xc0, 0x3f, 0x5a, 0xe8, 0x4a, 0x54, 0xf6, 0xc7, 0x99, 0x32, 0xef, 0xac, - 0x0c, 0x5e, 0xfa, 0xaf, 0x0e, 0xae, 0x66, 0xf3, 0x6e, 0xf9, 0x6f, 0x4c, 0xca, 0x63, 0xf5, 0x7f, - 0xab, 0xa2, 0xcb, 0x2f, 0x2f, 0xca, 0x67, 0x69, 0xa8, 0xbf, 0xeb, 0x68, 0xe3, 0x65, 0x33, 0x5d, - 0x34, 0x2a, 0x12, 0x01, 0xdc, 0xdc, 0xbd, 0xcb, 0xc3, 0xb9, 0x2b, 0x80, 0x13, 0xed, 0xc1, 0x7d, - 0xd4, 0xd4, 0x57, 0xb0, 0xb0, 0xeb, 0x7a, 0x90, 0x23, 0x55, 0x60, 0x7d, 0x37, 0x0b, 0x62, 0x3c, - 0x78, 0x88, 0x1a, 0xa0, 0x26, 0xbf, 0xdd, 0xe8, 0xd5, 0xb6, 0x3a, 0x3b, 0x9f, 0x3e, 0x4f, 0x67, - 0xb8, 0xfa, 0xed, 0xb0, 0x1f, 0x49, 0x7e, 0x5c, 0xcc, 0x00, 0x6d, 0x23, 0xb9, 0x38, 0x7e, 0x13, - 0xd5, 0x92, 0x70, 0x68, 0xae, 0xe8, 0x8e, 0x81, 0xd4, 0xee, 0xde, 0xbe, 0x45, 0x94, 0x7d, 0x93, - 0x9a, 0xe7, 0x87, 0x96, 0xc0, 0x97, 0x50, 0x6d, 0x02, 0xc7, 0xf9, 0x88, 0x22, 0xea, 0x13, 0x7f, - 0x82, 0x1a, 0xa9, 0x7a, 0x99, 0x98, 0xfa, 0xbe, 0xb3, 0x32, 0xc9, 0xe2, 0x21, 0x43, 0x72, 0xd6, - 0xcd, 0xea, 0xae, 0xd5, 0xff, 0xdd, 0x42, 0x57, 0x2f, 0x6c, 0x3f, 0x35, 0xa3, 0xe8, 0x74, 0xca, - 0x8e, 0x60, 0xa8, 0xc3, 0xb6, 0x8a, 0x19, 0xb5, 0x97, 0x9b, 0xc9, 0xc2, 0x8f, 0xdf, 0x46, 0x4d, - 0x0e, 0x54, 0xb0, 0xc8, 0xcc, 0xc5, 0x65, 0xe7, 0x12, 0x6d, 0x25, 0xc6, 0x8b, 0xf7, 0xd0, 0x3a, - 0xa8, 0xf0, 0x3a, 0xaf, 0x7d, 0xce, 0xd9, 0xe2, 0xa4, 0x36, 0x0c, 0x61, 0x7d, 0xff, 0xac, 0x9b, - 0x3c, 0x89, 0x1f, 0x6c, 0x9d, 0x9c, 0x3a, 0x95, 0x87, 0xa7, 0x4e, 0xe5, 0xd1, 0xa9, 0x53, 0x79, - 0x90, 0x39, 0xd6, 0x49, 0xe6, 0x58, 0x0f, 0x33, 0xc7, 0x7a, 0x94, 0x39, 0xd6, 0xbf, 0x99, 0x63, - 0xfd, 0xf4, 0x9f, 0x53, 0xb9, 0x57, 0x4d, 0xb7, 0xff, 0x0f, 0x00, 0x00, 0xff, 0xff, 0xc6, 0xa7, - 0x62, 0xf1, 0x26, 0x0b, 0x00, 0x00, + 0x14, 0xf7, 0xae, 0xed, 0xc4, 0x1e, 0x37, 0x24, 0x9d, 0x28, 0xcd, 0x36, 0x15, 0x76, 0xb4, 0x48, + 0x90, 0x8a, 0xb2, 0x4b, 0x4c, 0xdb, 0x44, 0x95, 0x2a, 0x14, 0xab, 0x11, 0x8a, 0xd4, 0x96, 0x6a, + 0xa2, 0x44, 0xa2, 0x08, 0xc4, 0x78, 0x3d, 0xb1, 0x97, 0xd8, 0xbb, 0xcb, 0xcc, 0xac, 0x43, 0x38, + 
0x55, 0xe2, 0x0b, 0x70, 0xe4, 0xc0, 0x81, 0x6f, 0x80, 0x90, 0x90, 0xb8, 0x71, 0xe0, 0x80, 0x72, + 0xec, 0xb1, 0x07, 0x64, 0x91, 0xe5, 0xcc, 0x77, 0x40, 0x33, 0x3b, 0xf6, 0xae, 0x93, 0xb5, 0x9b, + 0x70, 0xa0, 0x97, 0xde, 0x76, 0xdf, 0xef, 0xf7, 0xfe, 0xcc, 0x7b, 0x6f, 0xde, 0x3c, 0xf0, 0xe0, + 0x70, 0x93, 0x59, 0xae, 0x6f, 0x1f, 0x86, 0x4d, 0x42, 0x3d, 0xc2, 0x09, 0xb3, 0xfb, 0xc4, 0x6b, + 0xf9, 0xd4, 0x56, 0x00, 0x0e, 0x5c, 0x1b, 0x87, 0xbc, 0xe3, 0x53, 0xf7, 0x1b, 0xcc, 0x5d, 0xdf, + 0xb3, 0xfb, 0xeb, 0x76, 0x9b, 0x78, 0x84, 0x62, 0x4e, 0x5a, 0x56, 0x40, 0x7d, 0xee, 0xc3, 0x1b, + 0x31, 0xd9, 0xc2, 0x81, 0x6b, 0x8d, 0x91, 0xad, 0xfe, 0xfa, 0xca, 0x7b, 0x6d, 0x97, 0x77, 0xc2, + 0xa6, 0xe5, 0xf8, 0x3d, 0xbb, 0xed, 0xb7, 0x7d, 0x5b, 0xea, 0x34, 0xc3, 0x03, 0xf9, 0x27, 0x7f, + 0xe4, 0x57, 0x6c, 0x6b, 0xe5, 0x76, 0xe2, 0xb8, 0x87, 0x9d, 0x8e, 0xeb, 0x11, 0x7a, 0x6c, 0x07, + 0x87, 0x6d, 0x21, 0x60, 0x76, 0x8f, 0x70, 0x9c, 0x11, 0xc1, 0x8a, 0x3d, 0x49, 0x8b, 0x86, 0x1e, + 0x77, 0x7b, 0xe4, 0x9c, 0xc2, 0xdd, 0x97, 0x29, 0x30, 0xa7, 0x43, 0x7a, 0xf8, 0x9c, 0xde, 0x07, + 0x93, 0xf4, 0x42, 0xee, 0x76, 0x6d, 0xd7, 0xe3, 0x8c, 0xd3, 0xb3, 0x4a, 0xe6, 0x06, 0x00, 0xdb, + 0x5f, 0x73, 0x8a, 0xf7, 0x71, 0x37, 0x24, 0xb0, 0x06, 0x8a, 0x2e, 0x27, 0x3d, 0x66, 0x68, 0xab, + 0xf9, 0xb5, 0x72, 0xa3, 0x1c, 0x0d, 0x6a, 0xc5, 0x1d, 0x21, 0x40, 0xb1, 0xfc, 0x5e, 0xe9, 0xfb, + 0x1f, 0x6b, 0xb9, 0x67, 0x7f, 0xae, 0xe6, 0xcc, 0x5f, 0x74, 0x60, 0x3c, 0xf4, 0x1d, 0xdc, 0xdd, + 0x0d, 0x9b, 0x5f, 0x12, 0x87, 0x6f, 0x39, 0x0e, 0x61, 0x0c, 0x91, 0xbe, 0x4b, 0x8e, 0xe0, 0x17, + 0xa0, 0x24, 0xd2, 0xd1, 0xc2, 0x1c, 0x1b, 0xda, 0xaa, 0xb6, 0x56, 0xa9, 0xbf, 0x6f, 0x25, 0x85, + 0x18, 0x45, 0x67, 0x05, 0x87, 0x6d, 0x21, 0x60, 0x96, 0x60, 0x5b, 0xfd, 0x75, 0xeb, 0x63, 0x69, + 0xeb, 0x11, 0xe1, 0xb8, 0x01, 0x4f, 0x06, 0xb5, 0x5c, 0x34, 0xa8, 0x81, 0x44, 0x86, 0x46, 0x56, + 0xe1, 0x3e, 0x28, 0xb0, 0x80, 0x38, 0x86, 0x2e, 0xad, 0xdf, 0xb6, 0xa6, 0x94, 0xd9, 0xca, 0x88, + 0x70, 0x37, 0x20, 0x4e, 0xe3, 0x8a, 
0xf2, 0x50, 0x10, 0x7f, 0x48, 0xda, 0x83, 0x9f, 0x83, 0x19, + 0xc6, 0x31, 0x0f, 0x99, 0x91, 0x97, 0x96, 0xef, 0x5e, 0xda, 0xb2, 0xd4, 0x6e, 0xbc, 0xa1, 0x6c, + 0xcf, 0xc4, 0xff, 0x48, 0x59, 0x35, 0x3f, 0x05, 0x4b, 0x8f, 0x7d, 0x0f, 0x11, 0xe6, 0x87, 0xd4, + 0x21, 0x5b, 0x9c, 0x53, 0xb7, 0x19, 0x72, 0xc2, 0xe0, 0x2a, 0x28, 0x04, 0x98, 0x77, 0x64, 0xba, + 0xca, 0x49, 0x68, 0x4f, 0x30, 0xef, 0x20, 0x89, 0x08, 0x46, 0x9f, 0xd0, 0xa6, 0x3c, 0x72, 0x8a, + 0xb1, 0x4f, 0x68, 0x13, 0x49, 0xc4, 0xfc, 0x0a, 0xcc, 0xa7, 0x8c, 0xa3, 0xb0, 0x2b, 0x2b, 0x2a, + 0xa0, 0xb1, 0x8a, 0x0a, 0x0d, 0x86, 0x62, 0x39, 0xbc, 0x0f, 0xe6, 0xbd, 0x44, 0x67, 0x0f, 0x3d, + 0x64, 0x86, 0x2e, 0xa9, 0x8b, 0xd1, 0xa0, 0x96, 0x36, 0x27, 0x20, 0x74, 0x96, 0x6b, 0xfe, 0xa6, + 0x03, 0x98, 0x71, 0x1a, 0x1b, 0x94, 0x3d, 0xdc, 0x23, 0x2c, 0xc0, 0x0e, 0x51, 0x47, 0xba, 0xaa, + 0x02, 0x2e, 0x3f, 0x1e, 0x02, 0x28, 0xe1, 0xbc, 0xfc, 0x70, 0xf0, 0x2d, 0x50, 0x6c, 0x53, 0x3f, + 0x0c, 0x64, 0x61, 0xca, 0x8d, 0x39, 0x45, 0x29, 0x7e, 0x24, 0x84, 0x28, 0xc6, 0xe0, 0x4d, 0x30, + 0xdb, 0x27, 0x94, 0xb9, 0xbe, 0x67, 0x14, 0x24, 0x6d, 0x5e, 0xd1, 0x66, 0xf7, 0x63, 0x31, 0x1a, + 0xe2, 0xf0, 0x16, 0x28, 0x51, 0x15, 0xb8, 0x51, 0x94, 0xdc, 0x05, 0xc5, 0x2d, 0x8d, 0x32, 0x38, + 0x62, 0xc0, 0x3b, 0xa0, 0xc2, 0xc2, 0xe6, 0x48, 0x61, 0x46, 0x2a, 0x2c, 0x2a, 0x85, 0xca, 0x6e, + 0x02, 0xa1, 0x34, 0x4f, 0x1c, 0x4b, 0x9c, 0xd1, 0x98, 0x1d, 0x3f, 0x96, 0x48, 0x01, 0x92, 0x88, + 0xf9, 0xbb, 0x06, 0xae, 0x5c, 0xae, 0x62, 0xef, 0x82, 0x32, 0x0e, 0x5c, 0x79, 0xec, 0x61, 0xad, + 0xe6, 0x44, 0x5e, 0xb7, 0x9e, 0xec, 0xc4, 0x42, 0x94, 0xe0, 0x82, 0x3c, 0x0c, 0x46, 0xb4, 0xf4, + 0x88, 0x3c, 0x74, 0xc9, 0x50, 0x82, 0xc3, 0x0d, 0x30, 0x37, 0xfc, 0x91, 0x45, 0x32, 0x0a, 0x52, + 0xe1, 0x6a, 0x34, 0xa8, 0xcd, 0xa1, 0x34, 0x80, 0xc6, 0x79, 0xe6, 0xaf, 0x3a, 0x58, 0xde, 0x25, + 0xdd, 0x83, 0x57, 0x33, 0x0b, 0x9e, 0x8e, 0xcd, 0x82, 0xcd, 0xe9, 0x37, 0x36, 0x3b, 0xca, 0x57, + 0x36, 0x0f, 0x7e, 0xd0, 0xc1, 0x8d, 0x29, 0x31, 0xc1, 0x23, 0x00, 0xe9, 
0xb9, 0xeb, 0xa5, 0xf2, + 0x68, 0x4f, 0x8d, 0xe5, 0xfc, 0xad, 0x6c, 0x5c, 0x8b, 0x06, 0xb5, 0x8c, 0xdb, 0x8a, 0x32, 0x5c, + 0xc0, 0x6f, 0x35, 0xb0, 0xe4, 0x65, 0x4d, 0x2a, 0x95, 0xe6, 0xfa, 0x54, 0xe7, 0x99, 0x33, 0xae, + 0x71, 0x3d, 0x1a, 0xd4, 0xb2, 0xc7, 0x1f, 0xca, 0xf6, 0x25, 0x5e, 0x99, 0x6b, 0xa9, 0xf4, 0x88, + 0x0b, 0xf2, 0xff, 0xf5, 0xd5, 0x27, 0x63, 0x7d, 0xb5, 0x71, 0xd1, 0xbe, 0x4a, 0x05, 0x39, 0xb1, + 0xad, 0x3e, 0x3b, 0xd3, 0x56, 0x77, 0x2e, 0xd2, 0x56, 0x69, 0xc3, 0xd3, 0xbb, 0xea, 0x11, 0x58, + 0x99, 0x1c, 0xd0, 0xa5, 0x87, 0xb3, 0xf9, 0x93, 0x0e, 0x16, 0x5f, 0x3f, 0xf3, 0x97, 0xb9, 0xd6, + 0x7f, 0x14, 0xc0, 0xf2, 0xeb, 0x2b, 0x3d, 0x69, 0xd1, 0x09, 0x19, 0xa1, 0xea, 0x19, 0x1f, 0x15, + 0x67, 0x8f, 0x11, 0x8a, 0x24, 0x02, 0x4d, 0x30, 0xd3, 0x8e, 0x5f, 0xb7, 0xf8, 0xfd, 0x01, 0x22, + 0xc1, 0xea, 0x69, 0x53, 0x08, 0x6c, 0x81, 0x22, 0x11, 0x7b, 0xab, 0x51, 0x5c, 0xcd, 0xaf, 0x55, + 0xea, 0x1f, 0xfe, 0x97, 0xce, 0xb0, 0xe4, 0xe6, 0xbb, 0xed, 0x71, 0x7a, 0x9c, 0xac, 0x13, 0x52, + 0x86, 0x62, 0xe3, 0xf0, 0x4d, 0x90, 0x0f, 0xdd, 0x96, 0x7a, 0xed, 0x2b, 0x8a, 0x92, 0xdf, 0xdb, + 0x79, 0x80, 0x84, 0x7c, 0x05, 0xab, 0xe5, 0x59, 0x9a, 0x80, 0x0b, 0x20, 0x7f, 0x48, 0x8e, 0xe3, + 0x0b, 0x85, 0xc4, 0x27, 0xbc, 0x0f, 0x8a, 0x7d, 0xb1, 0x57, 0xab, 0xfc, 0xbe, 0x33, 0x35, 0xc8, + 0x64, 0x0d, 0x47, 0xb1, 0xd6, 0x3d, 0x7d, 0x53, 0x33, 0x7f, 0xd6, 0xc0, 0xf5, 0x89, 0xed, 0x27, + 0xd6, 0x1d, 0xdc, 0xed, 0xfa, 0x47, 0xa4, 0x25, 0xdd, 0x96, 0x92, 0x75, 0x67, 0x2b, 0x16, 0xa3, + 0x21, 0x0e, 0xdf, 0x06, 0x33, 0x94, 0x60, 0xe6, 0x7b, 0x6a, 0xc5, 0x1a, 0x75, 0x2e, 0x92, 0x52, + 0xa4, 0x50, 0xb8, 0x05, 0xe6, 0x89, 0x70, 0x2f, 0xe3, 0xda, 0xa6, 0xd4, 0x1f, 0x56, 0x6a, 0x59, + 0x29, 0xcc, 0x6f, 0x8f, 0xc3, 0xe8, 0x2c, 0xdf, 0xfc, 0x47, 0x07, 0xc6, 0xa4, 0x91, 0x05, 0x0f, + 0x92, 0x1d, 0x43, 0x82, 0x72, 0xcd, 0xa9, 0xd4, 0x6f, 0x5e, 0xa8, 0xf1, 0x85, 0x46, 0x63, 0x49, + 0x05, 0x32, 0x97, 0x96, 0xa6, 0x56, 0x12, 0xf9, 0x0b, 0x29, 0x58, 0xf0, 0xc6, 0x77, 0xe1, 0x78, + 0x59, 0xaa, 
0xd4, 0x6f, 0x5d, 0xb4, 0xcd, 0xa5, 0x37, 0x43, 0x79, 0x5b, 0x38, 0x03, 0x30, 0x74, + 0xce, 0x3e, 0xac, 0x03, 0xe0, 0x7a, 0x8e, 0xdf, 0x0b, 0xba, 0x84, 0x13, 0x99, 0xb6, 0x52, 0x32, + 0xdf, 0x76, 0x46, 0x08, 0x4a, 0xb1, 0xb2, 0xf2, 0x5d, 0xb8, 0x5c, 0xbe, 0x1b, 0x6b, 0x27, 0xa7, + 0xd5, 0xdc, 0xf3, 0xd3, 0x6a, 0xee, 0xc5, 0x69, 0x35, 0xf7, 0x2c, 0xaa, 0x6a, 0x27, 0x51, 0x55, + 0x7b, 0x1e, 0x55, 0xb5, 0x17, 0x51, 0x55, 0xfb, 0x2b, 0xaa, 0x6a, 0xdf, 0xfd, 0x5d, 0xcd, 0x3d, + 0xd5, 0xfb, 0xeb, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xd9, 0x3f, 0xd9, 0x21, 0x54, 0x0f, 0x00, + 0x00, } diff --git a/staging/src/k8s.io/api/authorization/v1/generated.proto b/staging/src/k8s.io/api/authorization/v1/generated.proto index 41f01553b16..7f31d599a81 100644 --- a/staging/src/k8s.io/api/authorization/v1/generated.proto +++ b/staging/src/k8s.io/api/authorization/v1/generated.proto @@ -65,6 +65,17 @@ message NonResourceAttributes { optional string verb = 2; } +// NonResourceRule holds information that describes a rule for the non-resource +message NonResourceRule { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + repeated string verbs = 1; + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + // +optional + repeated string nonResourceURLs = 2; +} + // ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface message ResourceAttributes { // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces 
@@ -99,6 +110,26 @@ message ResourceAttributes { optional string name = 7; } +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +message ResourceRule { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + repeated string verbs = 1; + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + // +optional + repeated string apiGroups = 2; + + // Resources is a list of resources this rule applies to. ResourceAll represents all resources. "*" means all. + // +optional + repeated string resources = 3; + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + // +optional + repeated string resourceNames = 4; +} + // SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a // spec.namespace means "in all namespaces". Self is a special case, because users should always be able // to check whether they can perform an action 
@@ -126,6 +157,29 @@ message SelfSubjectAccessReviewSpec { optional NonResourceAttributes nonResourceAttributes = 2; } +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +message SelfSubjectRulesReview { + // +optional + optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; + + // Spec holds information about the request being evaluated. + optional SelfSubjectRulesReviewSpec spec = 2; + + // Status is filled in by the server and indicates the set of actions a user can perform. + // +optional + optional SubjectRulesReviewStatus status = 3; +} + +message SelfSubjectRulesReviewSpec { + // Namespace to evaluate rules for. Required. + optional string namespace = 1; +} + // SubjectAccessReview checks whether or not a user or group can perform an action. message SubjectAccessReview { // +optional 
@@ -185,3 +239,27 @@ message SubjectAccessReviewStatus { optional string evaluationError = 3; } +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. +// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. +message SubjectRulesReviewStatus { + // ResourceRules is the list of actions the subject is allowed to perform on resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + repeated ResourceRule resourceRules = 1; + + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + repeated NonResourceRule nonResourceRules = 2; + + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + optional bool incomplete = 3; + + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + // +optional + optional string evaluationError = 4; +} + diff --git a/staging/src/k8s.io/api/authorization/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/authorization/v1/types_swagger_doc_generated.go index d689686b372..8a0fb8a857b 100644 --- a/staging/src/k8s.io/api/authorization/v1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/authorization/v1/types_swagger_doc_generated.go 
@@ -47,6 +47,16 @@ func (NonResourceAttributes) SwaggerDoc() map[string]string { return map_NonResourceAttributes } +var map_NonResourceRule = map[string]string{ + "": "NonResourceRule holds information that describes a rule for the non-resource", + "verbs": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.", + "nonResourceURLs": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.", +} + +func (NonResourceRule) SwaggerDoc() map[string]string { + return map_NonResourceRule +} + var map_ResourceAttributes = map[string]string{ "": "ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface", "namespace": "Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces \"\" (empty) is defaulted for LocalSubjectAccessReviews \"\" (empty) is empty for cluster-scoped resources \"\" (empty) means \"all\" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview", 
@@ -62,6 +72,18 @@ func (ResourceAttributes) SwaggerDoc() map[string]string { return map_ResourceAttributes } +var map_ResourceRule = map[string]string{ + "": "ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "verbs": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.", + "apiGroups": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.", + "resources": "Resources is a list of resources this rule applies to. ResourceAll represents all resources. \"*\" means all.", + "resourceNames": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.", +} + +func (ResourceRule) SwaggerDoc() map[string]string { + return map_ResourceRule +} + var map_SelfSubjectAccessReview = map[string]string{ "": "SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means \"in all namespaces\". Self is a special case, because users should always be able to check whether they can perform an action", "spec": "Spec holds information about the request being evaluated. user and groups must be empty", 
@@ -82,6 +104,24 @@ func (SelfSubjectAccessReviewSpec) SwaggerDoc() map[string]string { return map_SelfSubjectAccessReviewSpec } +var map_SelfSubjectRulesReview = map[string]string{ + "": "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.", + "spec": "Spec holds information about the request being evaluated.", + "status": "Status is filled in by the server and indicates the set of actions a user can perform.", +} + +func (SelfSubjectRulesReview) SwaggerDoc() map[string]string { + return map_SelfSubjectRulesReview +} + +var map_SelfSubjectRulesReviewSpec = map[string]string{ + "namespace": "Namespace to evaluate rules for. Required.", +} + +func (SelfSubjectRulesReviewSpec) SwaggerDoc() map[string]string { + return map_SelfSubjectRulesReviewSpec +} + var map_SubjectAccessReview = map[string]string{ "": "SubjectAccessReview checks whether or not a user or group can perform an action.", "spec": "Spec holds information about the request being evaluated", 
@@ -117,4 +157,16 @@ func (SubjectAccessReviewStatus) SwaggerDoc() map[string]string { return map_SubjectAccessReviewStatus } +var map_SubjectRulesReviewStatus = map[string]string{ + "": "SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.", + "resourceRules": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "nonResourceRules": "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "incomplete": "Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.", + "evaluationError": "EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.", +} + +func (SubjectRulesReviewStatus) SwaggerDoc() map[string]string { + return map_SubjectRulesReviewStatus +} + // AUTO-GENERATED FUNCTIONS END HERE diff --git a/staging/src/k8s.io/api/authorization/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/authorization/v1/zz_generated.deepcopy.go index 7ecb7503315..916974ffcf8 100644 --- a/staging/src/k8s.io/api/authorization/v1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/api/authorization/v1/zz_generated.deepcopy.go 
@@ -44,10 +44,18 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*NonResourceAttributes).DeepCopyInto(out.(*NonResourceAttributes)) return nil }, InType: reflect.TypeOf(&NonResourceAttributes{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*NonResourceRule).DeepCopyInto(out.(*NonResourceRule)) + return nil + }, InType: reflect.TypeOf(&NonResourceRule{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*ResourceAttributes).DeepCopyInto(out.(*ResourceAttributes)) return nil }, InType: reflect.TypeOf(&ResourceAttributes{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*ResourceRule).DeepCopyInto(out.(*ResourceRule)) + return nil + }, InType: reflect.TypeOf(&ResourceRule{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*SelfSubjectAccessReview).DeepCopyInto(out.(*SelfSubjectAccessReview)) return nil 
@@ -56,6 +64,14 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*SelfSubjectAccessReviewSpec).DeepCopyInto(out.(*SelfSubjectAccessReviewSpec)) return nil }, InType: reflect.TypeOf(&SelfSubjectAccessReviewSpec{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SelfSubjectRulesReview).DeepCopyInto(out.(*SelfSubjectRulesReview)) + return nil + }, InType: reflect.TypeOf(&SelfSubjectRulesReview{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SelfSubjectRulesReviewSpec).DeepCopyInto(out.(*SelfSubjectRulesReviewSpec)) + return nil + }, InType: reflect.TypeOf(&SelfSubjectRulesReviewSpec{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*SubjectAccessReview).DeepCopyInto(out.(*SubjectAccessReview)) return nil @@ -68,6 +84,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*SubjectAccessReviewStatus).DeepCopyInto(out.(*SubjectAccessReviewStatus)) return nil }, InType: reflect.TypeOf(&SubjectAccessReviewStatus{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SubjectRulesReviewStatus).DeepCopyInto(out.(*SubjectRulesReviewStatus)) + return nil + }, InType: reflect.TypeOf(&SubjectRulesReviewStatus{})}, ) } 
@@ -116,6 +136,32 @@ func (in *NonResourceAttributes) DeepCopy() *NonResourceAttributes { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NonResourceRule) DeepCopyInto(out *NonResourceRule) { + *out = *in + if in.Verbs != nil { + in, out := &in.Verbs, &out.Verbs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.NonResourceURLs != nil { + in, out := &in.NonResourceURLs, &out.NonResourceURLs + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NonResourceRule. +func (in *NonResourceRule) DeepCopy() *NonResourceRule { + if in == nil { + return nil + } + out := new(NonResourceRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResourceAttributes) DeepCopyInto(out *ResourceAttributes) { *out = *in 
@@ -132,6 +178,42 @@ func (in *ResourceAttributes) DeepCopy() *ResourceAttributes { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResourceRule) DeepCopyInto(out *ResourceRule) { + *out = *in + if in.Verbs != nil { + in, out := &in.Verbs, &out.Verbs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.APIGroups != nil { + in, out := &in.APIGroups, &out.APIGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ResourceNames != nil { + in, out := &in.ResourceNames, &out.ResourceNames + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRule. +func (in *ResourceRule) DeepCopy() *ResourceRule { + if in == nil { + return nil + } + out := new(ResourceRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SelfSubjectAccessReview) DeepCopyInto(out *SelfSubjectAccessReview) { *out = *in 
@@ -195,6 +277,51 @@ func (in *SelfSubjectAccessReviewSpec) DeepCopy() *SelfSubjectAccessReviewSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SelfSubjectRulesReview) DeepCopyInto(out *SelfSubjectRulesReview) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReview. +func (in *SelfSubjectRulesReview) DeepCopy() *SelfSubjectRulesReview { + if in == nil { + return nil + } + out := new(SelfSubjectRulesReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SelfSubjectRulesReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } else { + return nil + } +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SelfSubjectRulesReviewSpec) DeepCopyInto(out *SelfSubjectRulesReviewSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReviewSpec. +func (in *SelfSubjectRulesReviewSpec) DeepCopy() *SelfSubjectRulesReviewSpec { + if in == nil { + return nil + } + out := new(SelfSubjectRulesReviewSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SubjectAccessReview) DeepCopyInto(out *SubjectAccessReview) { *out = *in 
@@ -286,3 +413,33 @@ func (in *SubjectAccessReviewStatus) DeepCopy() *SubjectAccessReviewStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SubjectRulesReviewStatus) DeepCopyInto(out *SubjectRulesReviewStatus) { + *out = *in + if in.ResourceRules != nil { + in, out := &in.ResourceRules, &out.ResourceRules + *out = make([]ResourceRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.NonResourceRules != nil { + in, out := &in.NonResourceRules, &out.NonResourceRules + *out = make([]NonResourceRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectRulesReviewStatus. +func (in *SubjectRulesReviewStatus) DeepCopy() *SubjectRulesReviewStatus { + if in == nil { + return nil + } + out := new(SubjectRulesReviewStatus) + in.DeepCopyInto(out) + return out +} diff --git a/staging/src/k8s.io/api/authorization/v1beta1/generated.pb.go b/staging/src/k8s.io/api/authorization/v1beta1/generated.pb.go index 9efb8caab60..e1f49d46467 100644 --- a/staging/src/k8s.io/api/authorization/v1beta1/generated.pb.go +++ b/staging/src/k8s.io/api/authorization/v1beta1/generated.pb.go @@ -28,12 +28,17 @@ limitations under the License. ExtraValue LocalSubjectAccessReview NonResourceAttributes + NonResourceRule ResourceAttributes + ResourceRule SelfSubjectAccessReview SelfSubjectAccessReviewSpec + SelfSubjectRulesReview + SelfSubjectRulesReviewSpec SubjectAccessReview SubjectAccessReviewSpec SubjectAccessReviewStatus + SubjectRulesReviewStatus */ package v1beta1 
@@ -73,44 +78,75 @@ func (m *NonResourceAttributes) Reset() { *m = NonResourceAtt func (*NonResourceAttributes) ProtoMessage() {} func (*NonResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} } +func (m *NonResourceRule) Reset() { *m = NonResourceRule{} } +func (*NonResourceRule) ProtoMessage() {} +func (*NonResourceRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} } + func (m *ResourceAttributes) Reset() { *m = ResourceAttributes{} } func (*ResourceAttributes) ProtoMessage() {} -func (*ResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} } +func (*ResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} } + +func (m *ResourceRule) Reset() { *m = ResourceRule{} } +func (*ResourceRule) ProtoMessage() {} +func (*ResourceRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} } func (m *SelfSubjectAccessReview) Reset() { *m = SelfSubjectAccessReview{} } func (*SelfSubjectAccessReview) ProtoMessage() {} -func (*SelfSubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} } +func (*SelfSubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} } func (m *SelfSubjectAccessReviewSpec) Reset() { *m = SelfSubjectAccessReviewSpec{} } func (*SelfSubjectAccessReviewSpec) ProtoMessage() {} func (*SelfSubjectAccessReviewSpec) Descriptor() ([]byte, []int) { - return fileDescriptorGenerated, []int{5} + return fileDescriptorGenerated, []int{7} +} + +func (m *SelfSubjectRulesReview) Reset() { *m = SelfSubjectRulesReview{} } +func (*SelfSubjectRulesReview) ProtoMessage() {} +func (*SelfSubjectRulesReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} } + +func (m *SelfSubjectRulesReviewSpec) Reset() { *m = SelfSubjectRulesReviewSpec{} } +func (*SelfSubjectRulesReviewSpec) ProtoMessage() {} +func (*SelfSubjectRulesReviewSpec) 
Descriptor() ([]byte, []int) { + return fileDescriptorGenerated, []int{9} } func (m *SubjectAccessReview) Reset() { *m = SubjectAccessReview{} } func (*SubjectAccessReview) ProtoMessage() {} -func (*SubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} } +func (*SubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} } -func (m *SubjectAccessReviewSpec) Reset() { *m = SubjectAccessReviewSpec{} } -func (*SubjectAccessReviewSpec) ProtoMessage() {} -func (*SubjectAccessReviewSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} } +func (m *SubjectAccessReviewSpec) Reset() { *m = SubjectAccessReviewSpec{} } +func (*SubjectAccessReviewSpec) ProtoMessage() {} +func (*SubjectAccessReviewSpec) Descriptor() ([]byte, []int) { + return fileDescriptorGenerated, []int{11} +} func (m *SubjectAccessReviewStatus) Reset() { *m = SubjectAccessReviewStatus{} } func (*SubjectAccessReviewStatus) ProtoMessage() {} func (*SubjectAccessReviewStatus) Descriptor() ([]byte, []int) { - return fileDescriptorGenerated, []int{8} + return fileDescriptorGenerated, []int{12} +} + +func (m *SubjectRulesReviewStatus) Reset() { *m = SubjectRulesReviewStatus{} } +func (*SubjectRulesReviewStatus) ProtoMessage() {} +func (*SubjectRulesReviewStatus) Descriptor() ([]byte, []int) { + return fileDescriptorGenerated, []int{13} } func init() { proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authorization.v1beta1.ExtraValue") proto.RegisterType((*LocalSubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.LocalSubjectAccessReview") proto.RegisterType((*NonResourceAttributes)(nil), "k8s.io.api.authorization.v1beta1.NonResourceAttributes") + proto.RegisterType((*NonResourceRule)(nil), "k8s.io.api.authorization.v1beta1.NonResourceRule") proto.RegisterType((*ResourceAttributes)(nil), "k8s.io.api.authorization.v1beta1.ResourceAttributes") + proto.RegisterType((*ResourceRule)(nil), 
"k8s.io.api.authorization.v1beta1.ResourceRule") proto.RegisterType((*SelfSubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectAccessReview") proto.RegisterType((*SelfSubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectAccessReviewSpec") + proto.RegisterType((*SelfSubjectRulesReview)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectRulesReview") + proto.RegisterType((*SelfSubjectRulesReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectRulesReviewSpec") proto.RegisterType((*SubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReview") proto.RegisterType((*SubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReviewSpec") proto.RegisterType((*SubjectAccessReviewStatus)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReviewStatus") + proto.RegisterType((*SubjectRulesReviewStatus)(nil), "k8s.io.api.authorization.v1beta1.SubjectRulesReviewStatus") } func (m ExtraValue) Marshal() (dAtA []byte, err error) { size := m.Size() 
@@ -213,6 +249,54 @@ func (m *NonResourceAttributes) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *NonResourceRule) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NonResourceRule) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.Verbs) > 0 { + for _, s := range m.Verbs { + dAtA[i] = 0xa + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.NonResourceURLs) > 0 { + for _, s := range m.NonResourceURLs { + dAtA[i] = 0x12 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + return i, nil +} + func (m *ResourceAttributes) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) 
@@ -259,6 +343,84 @@ func (m *ResourceAttributes) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *ResourceRule) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *ResourceRule) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.Verbs) > 0 { + for _, s := range m.Verbs { + dAtA[i] = 0xa + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.APIGroups) > 0 { + for _, s := range m.APIGroups { + dAtA[i] = 0x12 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.Resources) > 0 { + for _, s := range m.Resources { + dAtA[i] = 0x1a + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if len(m.ResourceNames) > 0 { + for _, s := range m.ResourceNames { + dAtA[i] = 0x22 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + return i, nil +} + func (m *SelfSubjectAccessReview) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -339,7 +501,7 @@ func (m *SelfSubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) { return i, nil } -func (m *SubjectAccessReview) Marshal() (dAtA []byte, err error) { +func (m *SelfSubjectRulesReview) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalTo(dAtA) 
@@ -349,7 +511,7 @@ func (m *SubjectAccessReview) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *SubjectAccessReview) MarshalTo(dAtA []byte) (int, error) { +func (m *SelfSubjectRulesReview) MarshalTo(dAtA []byte) (int, error) { var i int _ = i var l int @@ -381,6 +543,70 @@ func (m *SubjectAccessReview) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *SelfSubjectRulesReviewSpec) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SelfSubjectRulesReviewSpec) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + dAtA[i] = 0xa + i++ + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace))) + i += copy(dAtA[i:], m.Namespace) + return i, nil +} + +func (m *SubjectAccessReview) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SubjectAccessReview) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + dAtA[i] = 0xa + i++ + i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size())) + n12, err := m.ObjectMeta.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n12 + dAtA[i] = 0x12 + i++ + i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size())) + n13, err := m.Spec.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n13 + dAtA[i] = 0x1a + i++ + i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size())) + n14, err := m.Status.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n14 + return i, nil +} + func (m *SubjectAccessReviewSpec) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) 
@@ -400,21 +626,21 @@ func (m *SubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) { dAtA[i] = 0xa i++ i = encodeVarintGenerated(dAtA, i, uint64(m.ResourceAttributes.Size())) - n12, err := m.ResourceAttributes.MarshalTo(dAtA[i:]) + n15, err := m.ResourceAttributes.MarshalTo(dAtA[i:]) if err != nil { return 0, err } - i += n12 + i += n15 } if m.NonResourceAttributes != nil { dAtA[i] = 0x12 i++ i = encodeVarintGenerated(dAtA, i, uint64(m.NonResourceAttributes.Size())) - n13, err := m.NonResourceAttributes.MarshalTo(dAtA[i:]) + n16, err := m.NonResourceAttributes.MarshalTo(dAtA[i:]) if err != nil { return 0, err } - i += n13 + i += n16 } dAtA[i] = 0x1a i++ @@ -459,11 +685,11 @@ func (m *SubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) { dAtA[i] = 0x12 i++ i = encodeVarintGenerated(dAtA, i, uint64((&v).Size())) - n14, err := (&v).MarshalTo(dAtA[i:]) + n17, err := (&v).MarshalTo(dAtA[i:]) if err != nil { return 0, err } - i += n14 + i += n17 } } dAtA[i] = 0x32 
@@ -507,6 +733,60 @@ func (m *SubjectAccessReviewStatus) MarshalTo(dAtA []byte) (int, error) { return i, nil } +func (m *SubjectRulesReviewStatus) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SubjectRulesReviewStatus) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.ResourceRules) > 0 { + for _, msg := range m.ResourceRules { + dAtA[i] = 0xa + i++ + i = encodeVarintGenerated(dAtA, i, uint64(msg.Size())) + n, err := msg.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n + } + } + if len(m.NonResourceRules) > 0 { + for _, msg := range m.NonResourceRules { + dAtA[i] = 0x12 + i++ + i = encodeVarintGenerated(dAtA, i, uint64(msg.Size())) + n, err := msg.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n + } + } + dAtA[i] = 0x18 + i++ + if m.Incomplete { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i++ + dAtA[i] = 0x22 + i++ + i = encodeVarintGenerated(dAtA, i, uint64(len(m.EvaluationError))) + i += copy(dAtA[i:], m.EvaluationError) + return i, nil +} + func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int { dAtA[offset] = uint8(v) dAtA[offset+1] = uint8(v >> 8) @@ -568,6 +848,24 @@ func (m *NonResourceAttributes) Size() (n int) { return n } +func (m *NonResourceRule) Size() (n int) { + var l int + _ = l + if len(m.Verbs) > 0 { + for _, s := range m.Verbs { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.NonResourceURLs) > 0 { + for _, s := range m.NonResourceURLs { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + func (m *ResourceAttributes) Size() (n int) { var l int _ = l 
@@ -588,6 +886,36 @@ func (m *ResourceAttributes) Size() (n int) { return n } +func (m *ResourceRule) Size() (n int) { + var l int + _ = l + if len(m.Verbs) > 0 { + for _, s := range m.Verbs { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.APIGroups) > 0 { + for _, s := range m.APIGroups { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.Resources) > 0 { + for _, s := range m.Resources { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.ResourceNames) > 0 { + for _, s := range m.ResourceNames { + l = len(s) + n += 1 + l + sovGenerated(uint64(l)) + } + } + return n +} + func (m *SelfSubjectAccessReview) Size() (n int) { var l int _ = l @@ -614,6 +942,26 @@ func (m *SelfSubjectAccessReviewSpec) Size() (n int) { return n } +func (m *SelfSubjectRulesReview) Size() (n int) { + var l int + _ = l + l = m.ObjectMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Spec.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Status.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *SelfSubjectRulesReviewSpec) Size() (n int) { + var l int + _ = l + l = len(m.Namespace) + n += 1 + l + sovGenerated(uint64(l)) + return n +} + func (m *SubjectAccessReview) Size() (n int) { var l int _ = l @@ -670,6 +1018,27 @@ func (m *SubjectAccessReviewStatus) Size() (n int) { return n } +func (m *SubjectRulesReviewStatus) Size() (n int) { + var l int + _ = l + if len(m.ResourceRules) > 0 { + for _, e := range m.ResourceRules { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + if len(m.NonResourceRules) > 0 { + for _, e := range m.NonResourceRules { + l = e.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + } + n += 2 + l = len(m.EvaluationError) + n += 1 + l + sovGenerated(uint64(l)) + return n +} + func sovGenerated(x uint64) (n int) { for { n++ 
@@ -706,6 +1075,17 @@ func (this *NonResourceAttributes) String() string { }, "") return s } +func (this *NonResourceRule) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&NonResourceRule{`, + `Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`, + `NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`, + `}`, + }, "") + return s +} func (this *ResourceAttributes) String() string { if this == nil { return "nil" @@ -722,6 +1102,19 @@ func (this *ResourceAttributes) String() string { }, "") return s } +func (this *ResourceRule) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&ResourceRule{`, + `Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`, + `APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`, + `Resources:` + fmt.Sprintf("%v", this.Resources) + `,`, + `ResourceNames:` + fmt.Sprintf("%v", this.ResourceNames) + `,`, + `}`, + }, "") + return s +} func (this *SelfSubjectAccessReview) String() string { if this == nil { return "nil" 
@@ -745,6 +1138,28 @@ func (this *SelfSubjectAccessReviewSpec) String() string { }, "") return s } +func (this *SelfSubjectRulesReview) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SelfSubjectRulesReview{`, + `ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`, + `Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SelfSubjectRulesReviewSpec", "SelfSubjectRulesReviewSpec", 1), `&`, ``, 1) + `,`, + `Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectRulesReviewStatus", "SubjectRulesReviewStatus", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *SelfSubjectRulesReviewSpec) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SelfSubjectRulesReviewSpec{`, + `Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`, + `}`, + }, "") + return s +} func (this *SubjectAccessReview) String() string { if this == nil { return "nil" @@ -794,6 +1209,19 @@ func (this *SubjectAccessReviewStatus) String() string { }, "") return s } +func (this *SubjectRulesReviewStatus) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SubjectRulesReviewStatus{`, + `ResourceRules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ResourceRules), "ResourceRule", "ResourceRule", 1), `&`, ``, 1) + `,`, + `NonResourceRules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.NonResourceRules), "NonResourceRule", "NonResourceRule", 1), `&`, ``, 1) + `,`, + `Incomplete:` + fmt.Sprintf("%v", this.Incomplete) + `,`, + `EvaluationError:` + fmt.Sprintf("%v", this.EvaluationError) + `,`, + `}`, + }, "") + return s +} func valueToStringGenerated(v interface{}) string { rv := reflect.ValueOf(v) if rv.IsNil() { 
@@ -1129,6 +1557,114 @@ func (m *NonResourceAttributes) Unmarshal(dAtA []byte) error { } return nil } +func (m *NonResourceRule) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NonResourceRule: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NonResourceRule: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field NonResourceURLs", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return 
io.ErrUnexpectedEOF + } + m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *ResourceAttributes) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -1382,6 +1918,172 @@ func (m *ResourceAttributes) Unmarshal(dAtA []byte) error { } return nil } +func (m *ResourceRule) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: ResourceRule: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: ResourceRule: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field APIGroups", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return 
io.ErrUnexpectedEOF + } + m.APIGroups = append(m.APIGroups, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ResourceNames", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ResourceNames = append(m.ResourceNames, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *SelfSubjectAccessReview) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -1638,6 +2340,225 @@ func (m *SelfSubjectAccessReviewSpec) Unmarshal(dAtA []byte) error { } return nil } +func (m *SelfSubjectRulesReview) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SelfSubjectRulesReview: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SelfSubjectRulesReview: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := 
m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *SelfSubjectRulesReviewSpec) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SelfSubjectRulesReviewSpec: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SelfSubjectRulesReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if 
iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Namespace = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *SubjectAccessReview) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -2230,6 +3151,167 @@ func (m *SubjectAccessReviewStatus) Unmarshal(dAtA []byte) error { } return nil } +func (m *SubjectRulesReviewStatus) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SubjectRulesReviewStatus: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SubjectRulesReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ResourceRules", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ResourceRules = append(m.ResourceRules, ResourceRule{}) + if err := m.ResourceRules[len(m.ResourceRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field NonResourceRules", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := 
iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.NonResourceRules = append(m.NonResourceRules, NonResourceRule{}) + if err := m.NonResourceRules[len(m.NonResourceRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Incomplete", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + m.Incomplete = bool(v != 0) + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field EvaluationError", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.EvaluationError = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func skipGenerated(dAtA []byte) (n int, err error) { l := len(dAtA) iNdEx := 0 
@@ -2340,62 +3422,77 @@ func init() { } var fileDescriptorGenerated = []byte{ - // 905 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0xcf, 0x6f, 0x1b, 0xc5, - 0x17, 0xf7, 0xfa, 0x47, 0x62, 0x8f, 0xbf, 0x5f, 0x52, 0xa6, 0x2a, 0xd9, 0x06, 0xb1, 0xb6, 0x8c, - 0x84, 0x82, 0xd4, 0xee, 0x92, 0x52, 0x68, 0x29, 0xe2, 0x90, 0x55, 0x23, 0x14, 0x09, 0x0a, 0x9a, - 0xa8, 0x39, 0xd0, 0x03, 0xcc, 0xae, 0x5f, 0xec, 0xc5, 0xf6, 0xce, 0x6a, 0x66, 0xd6, 0x25, 0x88, - 0x43, 0x8f, 0x1c, 0x39, 0x72, 0xe4, 0xc4, 0x9d, 0x23, 0x17, 0x24, 0x6e, 0x39, 0xf6, 0x98, 0x03, - 0xb2, 0xc8, 0xf2, 0x8f, 0xa0, 0x99, 0x1d, 0x7b, 0x9b, 0x7a, 0x53, 0xa3, 0x5c, 0x7a, 0xe9, 0x6d, - 0xe7, 0xbd, 0xcf, 0xe7, 0xbd, 0x37, 0x6f, 0x3e, 0xfb, 0x66, 0xd0, 0xfe, 0xe8, 0xae, 0x70, 0x23, - 0xe6, 0x8d, 0xd2, 0x00, 0x78, 0x0c, 0x12, 0x84, 0x37, 0x85, 0xb8, 0xcf, 0xb8, 0x67, 0x1c, 0x34, - 0x89, 0x3c, 0x9a, 0xca, 0x21, 0xe3, 0xd1, 0xf7, 0x54, 0x46, 0x2c, 0xf6, 0xa6, 0x3b, 0x01, 0x48, - 0xba, 0xe3, 0x0d, 0x20, 0x06, 0x4e, 0x25, 0xf4, 0xdd, 0x84, 0x33, 0xc9, 0x70, 0x37, 0x67, 0xb8, - 0x34, 0x89, 0xdc, 0x73, 0x0c, 0xd7, 0x30, 0xb6, 0x6e, 0x0e, 0x22, 0x39, 0x4c, 0x03, 0x37, 0x64, - 0x13, 0x6f, 0xc0, 0x06, 0xcc, 0xd3, 0xc4, 0x20, 0x3d, 0xd2, 0x2b, 0xbd, 0xd0, 0x5f, 0x79, 0xc0, - 0xad, 0xdb, 0x45, 0x09, 0x13, 0x1a, 0x0e, 0xa3, 0x18, 0xf8, 0xb1, 0x97, 0x8c, 0x06, 0xca, 0x20, - 0xbc, 0x09, 0x48, 0xea, 0x4d, 0x97, 0xca, 0xd8, 0xf2, 0x2e, 0x62, 0xf1, 0x34, 0x96, 0xd1, 0x04, - 0x96, 0x08, 0x1f, 0xae, 0x22, 0x88, 0x70, 0x08, 0x13, 0xba, 0xc4, 0x7b, 0xff, 0x22, 0x5e, 0x2a, - 0xa3, 0xb1, 0x17, 0xc5, 0x52, 0x48, 0xfe, 0x3c, 0xa9, 0x77, 0x07, 0xa1, 0xbd, 0xef, 0x24, 0xa7, - 0x87, 0x74, 0x9c, 0x02, 0xee, 0xa0, 0x46, 0x24, 0x61, 0x22, 0x6c, 0xab, 0x5b, 0xdb, 0x6e, 0xf9, - 0xad, 0x6c, 0xd6, 0x69, 0xec, 0x2b, 0x03, 0xc9, 0xed, 0xf7, 0x9a, 0x3f, 0xff, 0xd2, 0xa9, 0x3c, - 0xf9, 0xab, 0x5b, 0xe9, 0xfd, 0x51, 0x45, 0xf6, 0x67, 0x2c, 0xa4, 0xe3, 0x83, 0x34, 0xf8, 0x16, - 0x42, 
0xb9, 0x1b, 0x86, 0x20, 0x04, 0x81, 0x69, 0x04, 0x8f, 0xf1, 0x37, 0xa8, 0xa9, 0xda, 0xd1, - 0xa7, 0x92, 0xda, 0x56, 0xd7, 0xda, 0x6e, 0xdf, 0x7a, 0xcf, 0x2d, 0x4e, 0x63, 0x51, 0x9d, 0x9b, - 0x8c, 0x06, 0xca, 0x20, 0x5c, 0x85, 0x76, 0xa7, 0x3b, 0xee, 0x17, 0x3a, 0xd6, 0xe7, 0x20, 0xa9, - 0x8f, 0x4f, 0x66, 0x9d, 0x4a, 0x36, 0xeb, 0xa0, 0xc2, 0x46, 0x16, 0x51, 0xf1, 0x23, 0x54, 0x17, - 0x09, 0x84, 0x76, 0x55, 0x47, 0xff, 0xc8, 0x5d, 0x75, 0xd6, 0x6e, 0x49, 0x99, 0x07, 0x09, 0x84, - 0xfe, 0xff, 0x4c, 0x9a, 0xba, 0x5a, 0x11, 0x1d, 0x14, 0x87, 0x68, 0x4d, 0x48, 0x2a, 0x53, 0x61, - 0xd7, 0x74, 0xf8, 0x8f, 0x2f, 0x17, 0x5e, 0x87, 0xf0, 0x5f, 0x33, 0x09, 0xd6, 0xf2, 0x35, 0x31, - 0xa1, 0x7b, 0x8f, 0xd0, 0xb5, 0x07, 0x2c, 0x26, 0x20, 0x58, 0xca, 0x43, 0xd8, 0x95, 0x92, 0x47, - 0x41, 0x2a, 0x41, 0xe0, 0x2e, 0xaa, 0x27, 0x54, 0x0e, 0x75, 0xe3, 0x5a, 0x45, 0x7d, 0x5f, 0x52, - 0x39, 0x24, 0xda, 0xa3, 0x10, 0x53, 0xe0, 0x81, 0xde, 0xfc, 0x33, 0x88, 0x43, 0xe0, 0x01, 0xd1, - 0x1e, 0x75, 0x3a, 0xb8, 0x24, 0xb4, 0x87, 0x5a, 0x31, 0x9d, 0x80, 0x48, 0x68, 0x08, 0x26, 0xfe, - 0xeb, 0x86, 0xdd, 0x7a, 0x30, 0x77, 0x90, 0x02, 0xb3, 0x3a, 0x13, 0x7e, 0x1b, 0x35, 0x06, 0x9c, - 0xa5, 0x89, 0x6e, 0x55, 0xcb, 0xff, 0xbf, 0x81, 0x34, 0x3e, 0x55, 0x46, 0x92, 0xfb, 0xf0, 0xbb, - 0x68, 0x7d, 0x0a, 0x5c, 0x44, 0x2c, 0xb6, 0xeb, 0x1a, 0xb6, 0x61, 0x60, 0xeb, 0x87, 0xb9, 0x99, - 0xcc, 0xfd, 0xf8, 0x06, 0x6a, 0x72, 0x53, 0xb8, 0xdd, 0xd0, 0xd8, 0x2b, 0x06, 0xdb, 0x9c, 0x6f, - 0x88, 0x2c, 0x10, 0xf8, 0x03, 0xd4, 0x16, 0x69, 0xb0, 0x20, 0xac, 0x69, 0xc2, 0x55, 0x43, 0x68, - 0x1f, 0x14, 0x2e, 0xf2, 0x2c, 0x4e, 0x6d, 0x4b, 0xed, 0xd1, 0x5e, 0x3f, 0xbf, 0x2d, 0xd5, 0x02, - 0xa2, 0x3d, 0xbd, 0x3f, 0xab, 0x68, 0xf3, 0x00, 0xc6, 0x47, 0x2f, 0x47, 0xdd, 0x5f, 0x9f, 0x53, - 0xf7, 0x27, 0xff, 0x41, 0x7e, 0xe5, 0xa5, 0xbe, 0x5c, 0x85, 0xff, 0x5a, 0x45, 0x6f, 0xbe, 0xa0, - 0x30, 0xfc, 0x03, 0xc2, 0x7c, 0x49, 0xa3, 0xa6, 0xa3, 0xb7, 0x57, 0x17, 0xb4, 0xac, 0x6f, 0xff, - 0x8d, 0x6c, 0xd6, 0x29, 0xd1, 0x3d, 0x29, 
0xc9, 0x83, 0x7f, 0xb4, 0xd0, 0xb5, 0xb8, 0xec, 0x07, - 0x34, 0x5d, 0xbf, 0xb3, 0xba, 0x82, 0xd2, 0xff, 0xd7, 0xbf, 0x9e, 0xcd, 0x3a, 0xe5, 0xbf, 0x36, - 0x29, 0x4f, 0xd8, 0xfb, 0xbd, 0x8a, 0xae, 0xbe, 0x1a, 0xa3, 0x97, 0x13, 0xd9, 0x69, 0x1d, 0x6d, - 0xbe, 0x12, 0xd8, 0x8b, 0x05, 0xa6, 0xe6, 0x5d, 0x2a, 0x80, 0x9b, 0x19, 0xbd, 0x38, 0xab, 0x87, - 0x02, 0x38, 0xd1, 0x1e, 0xdc, 0x9d, 0x8f, 0xf1, 0xba, 0xbe, 0xf9, 0x91, 0xea, 0xb4, 0x1e, 0xe1, - 0x62, 0x3e, 0xc3, 0x23, 0xd4, 0x00, 0xf5, 0x52, 0xb0, 0x1b, 0xdd, 0xda, 0x76, 0xfb, 0xd6, 0xfd, - 0x4b, 0x6b, 0xc5, 0xd5, 0x0f, 0x8e, 0xbd, 0x58, 0xf2, 0xe3, 0xe2, 0xba, 0xd0, 0x36, 0x92, 0x67, - 0xc0, 0x6f, 0xa1, 0x5a, 0x1a, 0xf5, 0xcd, 0x34, 0x6f, 0x1b, 0x48, 0xed, 0xe1, 0xfe, 0x7d, 0xa2, - 0xec, 0x5b, 0x47, 0xe6, 0xcd, 0xa2, 0x43, 0xe0, 0x2b, 0xa8, 0x36, 0x82, 0xe3, 0xfc, 0x36, 0x23, - 0xea, 0x13, 0xfb, 0xa8, 0x31, 0x55, 0xcf, 0x19, 0xd3, 0xe7, 0x1b, 0xab, 0x2b, 0x2d, 0x9e, 0x40, - 0x24, 0xa7, 0xde, 0xab, 0xde, 0xb5, 0x7a, 0xbf, 0x59, 0xe8, 0xfa, 0x85, 0x82, 0x54, 0x77, 0x1a, - 0x1d, 0x8f, 0xd9, 0x63, 0xe8, 0xeb, 0xdc, 0xcd, 0xe2, 0x4e, 0xdb, 0xcd, 0xcd, 0x64, 0xee, 0xc7, - 0xef, 0xa0, 0x35, 0x0e, 0x54, 0xb0, 0xd8, 0xdc, 0xa3, 0x0b, 0x2d, 0x13, 0x6d, 0x25, 0xc6, 0x8b, - 0x77, 0xd1, 0x06, 0xa8, 0xf4, 0xba, 0xb8, 0x3d, 0xce, 0xd9, 0xfc, 0xc4, 0x36, 0x0d, 0x61, 0x63, - 0xef, 0xbc, 0x9b, 0x3c, 0x8f, 0xf7, 0x6f, 0x9e, 0x9c, 0x39, 0x95, 0xa7, 0x67, 0x4e, 0xe5, 0xf4, - 0xcc, 0xa9, 0x3c, 0xc9, 0x1c, 0xeb, 0x24, 0x73, 0xac, 0xa7, 0x99, 0x63, 0x9d, 0x66, 0x8e, 0xf5, - 0x77, 0xe6, 0x58, 0x3f, 0xfd, 0xe3, 0x54, 0xbe, 0x5a, 0x37, 0x1b, 0xff, 0x37, 0x00, 0x00, 0xff, - 0xff, 0x9e, 0xae, 0x9a, 0x67, 0x6f, 0x0b, 0x00, 0x00, + // 1139 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0xcf, 0x6f, 0x1b, 0x45, + 0x14, 0xf6, 0xfa, 0x47, 0x62, 0x8f, 0x1b, 0x92, 0x4e, 0x94, 0x66, 0x1b, 0x84, 0x6d, 0x19, 0x09, + 0x05, 0xd1, 0xee, 0x92, 0x50, 0x48, 0x09, 0xf4, 0x10, 0xab, 0x11, 0x8a, 
0xd4, 0x96, 0x6a, 0xa2, + 0xe4, 0x40, 0x25, 0x60, 0x76, 0x33, 0xb1, 0x17, 0xdb, 0xbb, 0xcb, 0xcc, 0xac, 0x43, 0x10, 0x87, + 0x1e, 0x39, 0x72, 0xe4, 0xc8, 0x89, 0x3b, 0x47, 0x2e, 0x48, 0x70, 0xca, 0xb1, 0xc7, 0x1c, 0x90, + 0x45, 0x96, 0x3f, 0x82, 0x2b, 0x9a, 0xd9, 0xb1, 0x77, 0x1d, 0xaf, 0xe3, 0x24, 0x87, 0xf6, 0xd2, + 0xdb, 0xce, 0xfb, 0xde, 0xf7, 0xde, 0x9b, 0x37, 0xef, 0xbd, 0x7d, 0x60, 0xa7, 0x7d, 0x9f, 0x19, + 0x8e, 0x67, 0xb6, 0x03, 0x8b, 0x50, 0x97, 0x70, 0xc2, 0xcc, 0x1e, 0x71, 0x0f, 0x3c, 0x6a, 0x2a, + 0x00, 0xfb, 0x8e, 0x89, 0x03, 0xde, 0xf2, 0xa8, 0xf3, 0x3d, 0xe6, 0x8e, 0xe7, 0x9a, 0xbd, 0x35, + 0x8b, 0x70, 0xbc, 0x66, 0x36, 0x89, 0x4b, 0x28, 0xe6, 0xe4, 0xc0, 0xf0, 0xa9, 0xc7, 0x3d, 0x58, + 0x8b, 0x18, 0x06, 0xf6, 0x1d, 0x63, 0x84, 0x61, 0x28, 0xc6, 0xca, 0xdd, 0xa6, 0xc3, 0x5b, 0x81, + 0x65, 0xd8, 0x5e, 0xd7, 0x6c, 0x7a, 0x4d, 0xcf, 0x94, 0x44, 0x2b, 0x38, 0x94, 0x27, 0x79, 0x90, + 0x5f, 0x91, 0xc1, 0x95, 0x7b, 0x71, 0x08, 0x5d, 0x6c, 0xb7, 0x1c, 0x97, 0xd0, 0x63, 0xd3, 0x6f, + 0x37, 0x85, 0x80, 0x99, 0x5d, 0xc2, 0xb1, 0xd9, 0x1b, 0x0b, 0x63, 0xc5, 0x9c, 0xc4, 0xa2, 0x81, + 0xcb, 0x9d, 0x2e, 0x19, 0x23, 0x7c, 0x34, 0x8d, 0xc0, 0xec, 0x16, 0xe9, 0xe2, 0x31, 0xde, 0x07, + 0x93, 0x78, 0x01, 0x77, 0x3a, 0xa6, 0xe3, 0x72, 0xc6, 0xe9, 0x79, 0x52, 0x7d, 0x03, 0x80, 0xed, + 0xef, 0x38, 0xc5, 0xfb, 0xb8, 0x13, 0x10, 0x58, 0x05, 0x05, 0x87, 0x93, 0x2e, 0xd3, 0xb5, 0x5a, + 0x6e, 0xb5, 0xd4, 0x28, 0x85, 0xfd, 0x6a, 0x61, 0x47, 0x08, 0x50, 0x24, 0xdf, 0x2c, 0xfe, 0xfc, + 0x4b, 0x35, 0xf3, 0xfc, 0xef, 0x5a, 0xa6, 0xfe, 0x47, 0x16, 0xe8, 0x8f, 0x3c, 0x1b, 0x77, 0x76, + 0x03, 0xeb, 0x1b, 0x62, 0xf3, 0x2d, 0xdb, 0x26, 0x8c, 0x21, 0xd2, 0x73, 0xc8, 0x11, 0xfc, 0x1a, + 0x14, 0x45, 0x3a, 0x0e, 0x30, 0xc7, 0xba, 0x56, 0xd3, 0x56, 0xcb, 0xeb, 0xef, 0x1b, 0xf1, 0x6b, + 0x0c, 0xa3, 0x33, 0xfc, 0x76, 0x53, 0x08, 0x98, 0x21, 0xb4, 0x8d, 0xde, 0x9a, 0xf1, 0xb9, 0xb4, + 0xf5, 0x98, 0x70, 0xdc, 0x80, 0x27, 0xfd, 0x6a, 0x26, 0xec, 0x57, 0x41, 0x2c, 0x43, 0x43, 0xab, + 0xf0, 0x19, 
0xc8, 0x33, 0x9f, 0xd8, 0x7a, 0x56, 0x5a, 0xff, 0xd8, 0x98, 0xf6, 0xd6, 0x46, 0x4a, + 0x98, 0xbb, 0x3e, 0xb1, 0x1b, 0x37, 0x94, 0x9b, 0xbc, 0x38, 0x21, 0x69, 0x14, 0xda, 0x60, 0x86, + 0x71, 0xcc, 0x03, 0xa6, 0xe7, 0xa4, 0xf9, 0x4f, 0xae, 0x67, 0x5e, 0x9a, 0x68, 0xbc, 0xa1, 0x1c, + 0xcc, 0x44, 0x67, 0xa4, 0x4c, 0xd7, 0x9f, 0x81, 0xa5, 0x27, 0x9e, 0x8b, 0x08, 0xf3, 0x02, 0x6a, + 0x93, 0x2d, 0xce, 0xa9, 0x63, 0x05, 0x9c, 0x30, 0x58, 0x03, 0x79, 0x1f, 0xf3, 0x96, 0x4c, 0x5c, + 0x29, 0x8e, 0xef, 0x29, 0xe6, 0x2d, 0x24, 0x11, 0xa1, 0xd1, 0x23, 0xd4, 0x92, 0x97, 0x4f, 0x68, + 0xec, 0x13, 0x6a, 0x21, 0x89, 0xd4, 0xbf, 0x05, 0xf3, 0x09, 0xe3, 0x28, 0xe8, 0xc8, 0xb7, 0x15, + 0xd0, 0xc8, 0xdb, 0x0a, 0x06, 0x43, 0x91, 0x1c, 0x3e, 0x00, 0xf3, 0x6e, 0xcc, 0xd9, 0x43, 0x8f, + 0x98, 0x9e, 0x95, 0xaa, 0x8b, 0x61, 0xbf, 0x9a, 0x34, 0x27, 0x20, 0x74, 0x5e, 0x57, 0x14, 0x04, + 0x4c, 0xb9, 0x8d, 0x09, 0x4a, 0x2e, 0xee, 0x12, 0xe6, 0x63, 0x9b, 0xa8, 0x2b, 0xdd, 0x54, 0x01, + 0x97, 0x9e, 0x0c, 0x00, 0x14, 0xeb, 0x4c, 0xbf, 0x1c, 0x7c, 0x1b, 0x14, 0x9a, 0xd4, 0x0b, 0x7c, + 0xf9, 0x3a, 0xa5, 0xc6, 0x9c, 0x52, 0x29, 0x7c, 0x26, 0x84, 0x28, 0xc2, 0xe0, 0xbb, 0x60, 0xb6, + 0x47, 0x28, 0x73, 0x3c, 0x57, 0xcf, 0x4b, 0xb5, 0x79, 0xa5, 0x36, 0xbb, 0x1f, 0x89, 0xd1, 0x00, + 0x87, 0x77, 0x40, 0x91, 0xaa, 0xc0, 0xf5, 0x82, 0xd4, 0x5d, 0x50, 0xba, 0xc5, 0x61, 0x06, 0x87, + 0x1a, 0xf0, 0x43, 0x50, 0x66, 0x81, 0x35, 0x24, 0xcc, 0x48, 0xc2, 0xa2, 0x22, 0x94, 0x77, 0x63, + 0x08, 0x25, 0xf5, 0xc4, 0xb5, 0xc4, 0x1d, 0xf5, 0xd9, 0xd1, 0x6b, 0x89, 0x14, 0x20, 0x89, 0xd4, + 0xff, 0xd2, 0xc0, 0x8d, 0xab, 0xbd, 0xd8, 0x7b, 0xa0, 0x84, 0x7d, 0x47, 0x5e, 0x7b, 0xf0, 0x56, + 0x73, 0x22, 0xaf, 0x5b, 0x4f, 0x77, 0x22, 0x21, 0x8a, 0x71, 0xa1, 0x3c, 0x08, 0x46, 0xd4, 0xf5, + 0x50, 0x79, 0xe0, 0x92, 0xa1, 0x18, 0x87, 0x1b, 0x60, 0x6e, 0x70, 0x90, 0x8f, 0xa4, 0xe7, 0x25, + 0xe1, 0x66, 0xd8, 0xaf, 0xce, 0xa1, 0x24, 0x80, 0x46, 0xf5, 0xea, 0x7f, 0x66, 0xc1, 0xf2, 0x2e, + 0xe9, 0x1c, 0xbe, 0x9a, 0xa9, 0xf0, 0xd5, 0xc8, 
0x54, 0x78, 0x70, 0x89, 0xb6, 0x4d, 0x0f, 0xf5, + 0xd5, 0x4e, 0x86, 0x5f, 0xb3, 0xe0, 0xcd, 0x0b, 0x02, 0x83, 0x3f, 0x00, 0x48, 0xc7, 0x1a, 0x4d, + 0x65, 0xf4, 0xde, 0xf4, 0x80, 0xc6, 0x9b, 0xb4, 0x71, 0x2b, 0xec, 0x57, 0x53, 0x9a, 0x17, 0xa5, + 0xf8, 0x81, 0x3f, 0x6a, 0x60, 0xc9, 0x4d, 0x1b, 0x5c, 0x2a, 0xeb, 0x1b, 0xd3, 0x23, 0x48, 0x9d, + 0x7b, 0x8d, 0xdb, 0x61, 0xbf, 0x9a, 0x3e, 0x12, 0x51, 0xba, 0x43, 0x31, 0x72, 0x6e, 0x25, 0x12, + 0x25, 0x9a, 0xe6, 0xe5, 0xd5, 0xda, 0x97, 0x23, 0xb5, 0xf6, 0xe9, 0x95, 0x6a, 0x2d, 0x11, 0xe9, + 0xc4, 0x52, 0xb3, 0xce, 0x95, 0xda, 0xe6, 0xa5, 0x4b, 0x2d, 0x69, 0xfd, 0xe2, 0x4a, 0x7b, 0x0c, + 0x56, 0x26, 0x47, 0x75, 0xe5, 0xd1, 0x5d, 0xff, 0x3d, 0x0b, 0x16, 0x5f, 0xaf, 0x03, 0xd7, 0x6b, + 0xfa, 0xd3, 0x3c, 0x58, 0x7e, 0xdd, 0xf0, 0x17, 0x37, 0xbc, 0xf8, 0x89, 0x06, 0x8c, 0x50, 0xf5, + 0xe3, 0x1f, 0xbe, 0xd5, 0x1e, 0x23, 0x14, 0x49, 0x04, 0xd6, 0x06, 0xbb, 0x41, 0xf4, 0xc3, 0x02, + 0x22, 0xd3, 0xea, 0x5f, 0xa8, 0x16, 0x03, 0x07, 0x14, 0x88, 0xd8, 0x78, 0xf5, 0x42, 0x2d, 0xb7, + 0x5a, 0x5e, 0x7f, 0x78, 0xed, 0x5a, 0x31, 0xe4, 0xe2, 0xbc, 0xed, 0x72, 0x7a, 0x1c, 0xef, 0x20, + 0x52, 0x86, 0x22, 0x0f, 0xf0, 0x2d, 0x90, 0x0b, 0x9c, 0x03, 0xb5, 0x22, 0x94, 0x95, 0x4a, 0x6e, + 0x6f, 0xe7, 0x21, 0x12, 0xf2, 0x95, 0x43, 0xb5, 0x7b, 0x4b, 0x13, 0x70, 0x01, 0xe4, 0xda, 0xe4, + 0x38, 0xea, 0x33, 0x24, 0x3e, 0x61, 0x03, 0x14, 0x7a, 0x62, 0x2d, 0x57, 0x79, 0xbe, 0x33, 0x3d, + 0xd2, 0x78, 0x95, 0x47, 0x11, 0x75, 0x33, 0x7b, 0x5f, 0xab, 0xff, 0xa6, 0x81, 0xdb, 0x13, 0x0b, + 0x52, 0x2c, 0x4a, 0xb8, 0xd3, 0xf1, 0x8e, 0xc8, 0x81, 0xf4, 0x5d, 0x8c, 0x17, 0xa5, 0xad, 0x48, + 0x8c, 0x06, 0x38, 0x7c, 0x07, 0xcc, 0x50, 0x82, 0x99, 0xe7, 0xaa, 0xe5, 0x6c, 0x58, 0xcb, 0x48, + 0x4a, 0x91, 0x42, 0xe1, 0x16, 0x98, 0x27, 0xc2, 0xbd, 0x0c, 0x6e, 0x9b, 0x52, 0x6f, 0xf0, 0x62, + 0xcb, 0x8a, 0x30, 0xbf, 0x3d, 0x0a, 0xa3, 0xf3, 0xfa, 0xf5, 0xff, 0xb2, 0x40, 0x9f, 0x34, 0xce, + 0x60, 0x3b, 0xde, 0x4e, 0x24, 0x28, 0x17, 0xa4, 0xf2, 0xba, 0x71, 0xf9, 0x56, 0x10, 
0xb4, 0xc6, + 0x92, 0x8a, 0x66, 0x2e, 0x29, 0x4d, 0x6c, 0x34, 0xf2, 0x08, 0x8f, 0xc0, 0x82, 0x3b, 0xba, 0x4a, + 0x47, 0xbb, 0x56, 0x79, 0x7d, 0xed, 0x4a, 0x85, 0x2f, 0x5d, 0xea, 0xca, 0xe5, 0xc2, 0x39, 0x80, + 0xa1, 0x31, 0x27, 0x70, 0x1d, 0x00, 0xc7, 0xb5, 0xbd, 0xae, 0xdf, 0x21, 0x9c, 0xc8, 0x04, 0x16, + 0xe3, 0x29, 0xb8, 0x33, 0x44, 0x50, 0x42, 0x2b, 0x2d, 0xf3, 0xf9, 0xab, 0x65, 0xbe, 0x71, 0xf7, + 0xe4, 0xac, 0x92, 0x79, 0x71, 0x56, 0xc9, 0x9c, 0x9e, 0x55, 0x32, 0xcf, 0xc3, 0x8a, 0x76, 0x12, + 0x56, 0xb4, 0x17, 0x61, 0x45, 0x3b, 0x0d, 0x2b, 0xda, 0x3f, 0x61, 0x45, 0xfb, 0xe9, 0xdf, 0x4a, + 0xe6, 0x8b, 0x59, 0x75, 0xc3, 0xff, 0x03, 0x00, 0x00, 0xff, 0xff, 0x29, 0xa9, 0x9d, 0x7c, 0xb1, + 0x0f, 0x00, 0x00, } diff --git a/staging/src/k8s.io/api/authorization/v1beta1/generated.proto b/staging/src/k8s.io/api/authorization/v1beta1/generated.proto index 746847d9ebf..9e9942f367a 100644 --- a/staging/src/k8s.io/api/authorization/v1beta1/generated.proto +++ b/staging/src/k8s.io/api/authorization/v1beta1/generated.proto @@ -65,6 +65,17 @@ message NonResourceAttributes { optional string verb = 2; } +// NonResourceRule holds information that describes a rule for the non-resource +message NonResourceRule { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + repeated string verbs = 1; + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + // +optional + repeated string nonResourceURLs = 2; +} + // ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface message ResourceAttributes { // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces 
@@ -99,6 +110,26 @@ message ResourceAttributes { optional string name = 7; } +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +message ResourceRule { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + repeated string verbs = 1; + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + // +optional + repeated string apiGroups = 2; + + // Resources is a list of resources this rule applies to. ResourceAll represents all resources. "*" means all. + // +optional + repeated string resources = 3; + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + // +optional + repeated string resourceNames = 4; +} + // SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a // spec.namespace means "in all namespaces". Self is a special case, because users should always be able // to check whether they can perform an action 
@@ -126,6 +157,29 @@ message SelfSubjectAccessReviewSpec { optional NonResourceAttributes nonResourceAttributes = 2; } +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +message SelfSubjectRulesReview { + // +optional + optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; + + // Spec holds information about the request being evaluated. + optional SelfSubjectRulesReviewSpec spec = 2; + + // Status is filled in by the server and indicates the set of actions a user can perform. + // +optional + optional SubjectRulesReviewStatus status = 3; +} + +message SelfSubjectRulesReviewSpec { + // Namespace to evaluate rules for. Required. + optional string namespace = 1; +} + // SubjectAccessReview checks whether or not a user or group can perform an action. message SubjectAccessReview { // +optional 
@@ -185,3 +239,27 @@ message SubjectAccessReviewStatus { optional string evaluationError = 3; } +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. +// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. +message SubjectRulesReviewStatus { + // ResourceRules is the list of actions the subject is allowed to perform on resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + repeated ResourceRule resourceRules = 1; + + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + repeated NonResourceRule nonResourceRules = 2; + + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + optional bool incomplete = 3; + + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + // +optional + optional string evaluationError = 4; +} + diff --git a/staging/src/k8s.io/api/authorization/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/authorization/v1beta1/types_swagger_doc_generated.go index ef06865d63a..1d8bb9849ba 100644 --- a/staging/src/k8s.io/api/authorization/v1beta1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/authorization/v1beta1/types_swagger_doc_generated.go 
@@ -47,6 +47,16 @@ func (NonResourceAttributes) SwaggerDoc() map[string]string { return map_NonResourceAttributes } +var map_NonResourceRule = map[string]string{ + "": "NonResourceRule holds information that describes a rule for the non-resource", + "verbs": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.", + "nonResourceURLs": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.", +} + +func (NonResourceRule) SwaggerDoc() map[string]string { + return map_NonResourceRule +} + var map_ResourceAttributes = map[string]string{ "": "ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface", "namespace": "Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces \"\" (empty) is defaulted for LocalSubjectAccessReviews \"\" (empty) is empty for cluster-scoped resources \"\" (empty) means \"all\" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview", 
@@ -62,6 +72,18 @@ func (ResourceAttributes) SwaggerDoc() map[string]string { return map_ResourceAttributes } +var map_ResourceRule = map[string]string{ + "": "ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "verbs": "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.", + "apiGroups": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.", + "resources": "Resources is a list of resources this rule applies to. ResourceAll represents all resources. \"*\" means all.", + "resourceNames": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.", +} + +func (ResourceRule) SwaggerDoc() map[string]string { + return map_ResourceRule +} + var map_SelfSubjectAccessReview = map[string]string{ "": "SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means \"in all namespaces\". Self is a special case, because users should always be able to check whether they can perform an action", "spec": "Spec holds information about the request being evaluated. user and groups must be empty", 
@@ -82,6 +104,24 @@ func (SelfSubjectAccessReviewSpec) SwaggerDoc() map[string]string { return map_SelfSubjectAccessReviewSpec } +var map_SelfSubjectRulesReview = map[string]string{ + "": "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.", + "spec": "Spec holds information about the request being evaluated.", + "status": "Status is filled in by the server and indicates the set of actions a user can perform.", +} + +func (SelfSubjectRulesReview) SwaggerDoc() map[string]string { + return map_SelfSubjectRulesReview +} + +var map_SelfSubjectRulesReviewSpec = map[string]string{ + "namespace": "Namespace to evaluate rules for. Required.", +} + +func (SelfSubjectRulesReviewSpec) SwaggerDoc() map[string]string { + return map_SelfSubjectRulesReviewSpec +} + var map_SubjectAccessReview = map[string]string{ "": "SubjectAccessReview checks whether or not a user or group can perform an action.", "spec": "Spec holds information about the request being evaluated", 
@@ -117,4 +157,16 @@ func (SubjectAccessReviewStatus) SwaggerDoc() map[string]string { return map_SubjectAccessReviewStatus } +var map_SubjectRulesReviewStatus = map[string]string{ + "": "SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.", + "resourceRules": "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "nonResourceRules": "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.", + "incomplete": "Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.", + "evaluationError": "EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.", +} + +func (SubjectRulesReviewStatus) SwaggerDoc() map[string]string { + return map_SubjectRulesReviewStatus +} + // AUTO-GENERATED FUNCTIONS END HERE diff --git a/staging/src/k8s.io/api/authorization/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/authorization/v1beta1/zz_generated.deepcopy.go index 8d341ce53c3..aeb77ddbc86 100644 --- a/staging/src/k8s.io/api/authorization/v1beta1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/api/authorization/v1beta1/zz_generated.deepcopy.go 
@@ -44,10 +44,18 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*NonResourceAttributes).DeepCopyInto(out.(*NonResourceAttributes)) return nil }, InType: reflect.TypeOf(&NonResourceAttributes{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*NonResourceRule).DeepCopyInto(out.(*NonResourceRule)) + return nil + }, InType: reflect.TypeOf(&NonResourceRule{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*ResourceAttributes).DeepCopyInto(out.(*ResourceAttributes)) return nil }, InType: reflect.TypeOf(&ResourceAttributes{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*ResourceRule).DeepCopyInto(out.(*ResourceRule)) + return nil + }, InType: reflect.TypeOf(&ResourceRule{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*SelfSubjectAccessReview).DeepCopyInto(out.(*SelfSubjectAccessReview)) return nil 
@@ -56,6 +64,14 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*SelfSubjectAccessReviewSpec).DeepCopyInto(out.(*SelfSubjectAccessReviewSpec)) return nil }, InType: reflect.TypeOf(&SelfSubjectAccessReviewSpec{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SelfSubjectRulesReview).DeepCopyInto(out.(*SelfSubjectRulesReview)) + return nil + }, InType: reflect.TypeOf(&SelfSubjectRulesReview{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SelfSubjectRulesReviewSpec).DeepCopyInto(out.(*SelfSubjectRulesReviewSpec)) + return nil + }, InType: reflect.TypeOf(&SelfSubjectRulesReviewSpec{})}, conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { in.(*SubjectAccessReview).DeepCopyInto(out.(*SubjectAccessReview)) return nil @@ -68,6 +84,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error { in.(*SubjectAccessReviewStatus).DeepCopyInto(out.(*SubjectAccessReviewStatus)) return nil }, InType: reflect.TypeOf(&SubjectAccessReviewStatus{})}, + conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error { + in.(*SubjectRulesReviewStatus).DeepCopyInto(out.(*SubjectRulesReviewStatus)) + return nil + }, InType: reflect.TypeOf(&SubjectRulesReviewStatus{})}, ) } 
@@ -116,6 +136,32 @@ func (in *NonResourceAttributes) DeepCopy() *NonResourceAttributes { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NonResourceRule) DeepCopyInto(out *NonResourceRule) { + *out = *in + if in.Verbs != nil { + in, out := &in.Verbs, &out.Verbs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.NonResourceURLs != nil { + in, out := &in.NonResourceURLs, &out.NonResourceURLs + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NonResourceRule. +func (in *NonResourceRule) DeepCopy() *NonResourceRule { + if in == nil { + return nil + } + out := new(NonResourceRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResourceAttributes) DeepCopyInto(out *ResourceAttributes) { *out = *in 
@@ -132,6 +178,42 @@ func (in *ResourceAttributes) DeepCopy() *ResourceAttributes { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResourceRule) DeepCopyInto(out *ResourceRule) { + *out = *in + if in.Verbs != nil { + in, out := &in.Verbs, &out.Verbs + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.APIGroups != nil { + in, out := &in.APIGroups, &out.APIGroups + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ResourceNames != nil { + in, out := &in.ResourceNames, &out.ResourceNames + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRule. +func (in *ResourceRule) DeepCopy() *ResourceRule { + if in == nil { + return nil + } + out := new(ResourceRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SelfSubjectAccessReview) DeepCopyInto(out *SelfSubjectAccessReview) { *out = *in 
@@ -195,6 +277,51 @@ func (in *SelfSubjectAccessReviewSpec) DeepCopy() *SelfSubjectAccessReviewSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SelfSubjectRulesReview) DeepCopyInto(out *SelfSubjectRulesReview) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReview. +func (in *SelfSubjectRulesReview) DeepCopy() *SelfSubjectRulesReview { + if in == nil { + return nil + } + out := new(SelfSubjectRulesReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SelfSubjectRulesReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } else { + return nil + } +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SelfSubjectRulesReviewSpec) DeepCopyInto(out *SelfSubjectRulesReviewSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReviewSpec. +func (in *SelfSubjectRulesReviewSpec) DeepCopy() *SelfSubjectRulesReviewSpec { + if in == nil { + return nil + } + out := new(SelfSubjectRulesReviewSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SubjectAccessReview) DeepCopyInto(out *SubjectAccessReview) { *out = *in 
@@ -286,3 +413,33 @@ func (in *SubjectAccessReviewStatus) DeepCopy() *SubjectAccessReviewStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SubjectRulesReviewStatus) DeepCopyInto(out *SubjectRulesReviewStatus) { + *out = *in + if in.ResourceRules != nil { + in, out := &in.ResourceRules, &out.ResourceRules + *out = make([]ResourceRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.NonResourceRules != nil { + in, out := &in.NonResourceRules, &out.NonResourceRules + *out = make([]NonResourceRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectRulesReviewStatus. +func (in *SubjectRulesReviewStatus) DeepCopy() *SubjectRulesReviewStatus { + if in == nil { + return nil + } + out := new(SubjectRulesReviewStatus) + in.DeepCopyInto(out) + return out +} diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/BUILD b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/BUILD index e49523f2998..be1b16ea16f 100644 --- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/BUILD @@ -7,7 +7,10 @@ load( go_library( name = "go_default_library", - srcs = ["interfaces.go"], + srcs = [ + "interfaces.go", + "rule.go", + ], deps = ["//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library"], ) diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/BUILD b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/BUILD index 655342a6d22..4dd0801ca06 100644 --- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/BUILD 
@@ -23,6 +23,7 @@ go_library( "delegating.go", ], deps = [ + "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//vendor/k8s.io/apiserver/plugin/pkg/authorizer/webhook:go_default_library", "//vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library", diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/union/BUILD b/staging/src/k8s.io/apiserver/pkg/authorization/union/BUILD index 47d6f38b205..c533b9bf829 100644 --- a/staging/src/k8s.io/apiserver/pkg/authorization/union/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/authorization/union/BUILD @@ -10,7 +10,10 @@ go_test( name = "go_default_test", srcs = ["union_test.go"], library = ":go_default_library", - deps = ["//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library"], + deps = [ + "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", + "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", + ], ) go_library( @@ -18,6 +21,7 @@ go_library( srcs = ["union.go"], deps = [ "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library", + "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", ], ) diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/BUILD b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/BUILD index 92d2a388fb1..5c116bd624f 100644 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/BUILD +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/BUILD 
@@ -32,6 +32,7 @@ go_library( "//vendor/k8s.io/apimachinery/pkg/apimachinery/registered:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/cache:go_default_library", + "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//vendor/k8s.io/apiserver/pkg/util/webhook:go_default_library", "//vendor/k8s.io/client-go/kubernetes/scheme:go_default_library", diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/BUILD b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/BUILD index ab5f2454af5..0a0c7ae8e14 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/BUILD +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/BUILD @@ -15,6 +15,7 @@ go_library( "localsubjectaccessreview_expansion.go", "selfsubjectaccessreview.go", "selfsubjectaccessreview_expansion.go", + "selfsubjectrulesreview.go", "subjectaccessreview.go", "subjectaccessreview_expansion.go", ], diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/authorization_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/authorization_client.go index af9828e01b5..385dffcd173 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/authorization_client.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/authorization_client.go @@ -27,6 +27,7 @@ type AuthorizationV1Interface interface { RESTClient() rest.Interface LocalSubjectAccessReviewsGetter SelfSubjectAccessReviewsGetter + SelfSubjectRulesReviewsGetter SubjectAccessReviewsGetter } 
@@ -43,6 +44,10 @@ func (c *AuthorizationV1Client) SelfSubjectAccessReviews() SelfSubjectAccessRevi return newSelfSubjectAccessReviews(c) } +func (c *AuthorizationV1Client) SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface { + return newSelfSubjectRulesReviews(c) +} + func (c *AuthorizationV1Client) SubjectAccessReviews() SubjectAccessReviewInterface { return newSubjectAccessReviews(c) } diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/BUILD b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/BUILD index 8fe5bebd438..f8828e7e5d0 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/BUILD +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/BUILD @@ -14,6 +14,7 @@ go_library( "fake_localsubjectaccessreview_expansion.go", "fake_selfsubjectaccessreview.go", "fake_selfsubjectaccessreview_expansion.go", + "fake_selfsubjectrulesreview.go", "fake_subjectaccessreview.go", "fake_subjectaccessreview_expansion.go", ], diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_authorization_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_authorization_client.go index 5107d5fc8b2..7ee26250b2c 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_authorization_client.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_authorization_client.go @@ -34,6 +34,10 @@ func (c *FakeAuthorizationV1) SelfSubjectAccessReviews() v1.SelfSubjectAccessRev return &FakeSelfSubjectAccessReviews{c} } +func (c *FakeAuthorizationV1) SelfSubjectRulesReviews() v1.SelfSubjectRulesReviewInterface { + return &FakeSelfSubjectRulesReviews{c} +} + func (c *FakeAuthorizationV1) SubjectAccessReviews() v1.SubjectAccessReviewInterface { return &FakeSubjectAccessReviews{c} } 
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_selfsubjectrulesreview.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_selfsubjectrulesreview.go new file mode 100644 index 00000000000..dfe947b90ad --- /dev/null +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_selfsubjectrulesreview.go @@ -0,0 +1,22 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +// FakeSelfSubjectRulesReviews implements SelfSubjectRulesReviewInterface +type FakeSelfSubjectRulesReviews struct { + Fake *FakeAuthorizationV1 +} diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go index 42e76d5e43c..ca5c38a16ea 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go @@ -15,3 +15,5 @@ limitations under the License. */ package v1 + +type SelfSubjectRulesReviewExpansion interface{} diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview.go new file mode 100644 index 00000000000..fbd374a137c --- /dev/null 
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview.go @@ -0,0 +1,44 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +import ( + rest "k8s.io/client-go/rest" +) + +// SelfSubjectRulesReviewsGetter has a method to return a SelfSubjectRulesReviewInterface. +// A group's client should implement this interface. +type SelfSubjectRulesReviewsGetter interface { + SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface +} + +// SelfSubjectRulesReviewInterface has methods to work with SelfSubjectRulesReview resources. +type SelfSubjectRulesReviewInterface interface { + SelfSubjectRulesReviewExpansion +} + +// selfSubjectRulesReviews implements SelfSubjectRulesReviewInterface +type selfSubjectRulesReviews struct { + client rest.Interface +} + +// newSelfSubjectRulesReviews returns a SelfSubjectRulesReviews +func newSelfSubjectRulesReviews(c *AuthorizationV1Client) *selfSubjectRulesReviews { + return &selfSubjectRulesReviews{ + client: c.RESTClient(), + } +} diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/BUILD b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/BUILD index 1fa7e72282c..1cbb71a5634 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/BUILD +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/BUILD 
@@ -15,6 +15,7 @@ go_library( "localsubjectaccessreview_expansion.go", "selfsubjectaccessreview.go", "selfsubjectaccessreview_expansion.go", + "selfsubjectrulesreview.go", "subjectaccessreview.go", "subjectaccessreview_expansion.go", ], diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/authorization_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/authorization_client.go index d43a5625d74..7c05341235b 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/authorization_client.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/authorization_client.go @@ -27,6 +27,7 @@ type AuthorizationV1beta1Interface interface { RESTClient() rest.Interface LocalSubjectAccessReviewsGetter SelfSubjectAccessReviewsGetter + SelfSubjectRulesReviewsGetter SubjectAccessReviewsGetter } @@ -43,6 +44,10 @@ func (c *AuthorizationV1beta1Client) SelfSubjectAccessReviews() SelfSubjectAcces return newSelfSubjectAccessReviews(c) } +func (c *AuthorizationV1beta1Client) SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface { + return newSelfSubjectRulesReviews(c) +} + func (c *AuthorizationV1beta1Client) SubjectAccessReviews() SubjectAccessReviewInterface { return newSubjectAccessReviews(c) } diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/BUILD b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/BUILD index eb9a8b32050..10c5f1b307c 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/BUILD +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/BUILD @@ -15,6 +15,7 @@ go_library( "fake_localsubjectaccessreview_expansion.go", "fake_selfsubjectaccessreview.go", "fake_selfsubjectaccessreview_expansion.go", + "fake_selfsubjectrulesreview.go", "fake_subjectaccessreview.go", "fake_subjectaccessreview_expansion.go", ], 
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_authorization_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_authorization_client.go index 89b0b2d7891..33d5746a53f 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_authorization_client.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_authorization_client.go @@ -34,6 +34,10 @@ func (c *FakeAuthorizationV1beta1) SelfSubjectAccessReviews() v1beta1.SelfSubjec return &FakeSelfSubjectAccessReviews{c} } +func (c *FakeAuthorizationV1beta1) SelfSubjectRulesReviews() v1beta1.SelfSubjectRulesReviewInterface { + return &FakeSelfSubjectRulesReviews{c} +} + func (c *FakeAuthorizationV1beta1) SubjectAccessReviews() v1beta1.SubjectAccessReviewInterface { return &FakeSubjectAccessReviews{c} } diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_selfsubjectrulesreview.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_selfsubjectrulesreview.go new file mode 100644 index 00000000000..4e221c282e7 --- /dev/null +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_selfsubjectrulesreview.go 
@@ -0,0 +1,22 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +// FakeSelfSubjectRulesReviews implements SelfSubjectRulesReviewInterface +type FakeSelfSubjectRulesReviews struct { + Fake *FakeAuthorizationV1beta1 +} diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go index 2b7e8ca0bfb..1949011e76b 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go @@ -15,3 +15,5 @@ limitations under the License. */ package v1beta1 + +type SelfSubjectRulesReviewExpansion interface{} diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview.go new file mode 100644 index 00000000000..7f640d91bfe --- /dev/null +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview.go 
@@ -0,0 +1,44 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + rest "k8s.io/client-go/rest" +) + +// SelfSubjectRulesReviewsGetter has a method to return a SelfSubjectRulesReviewInterface. +// A group's client should implement this interface. +type SelfSubjectRulesReviewsGetter interface { + SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface +} + +// SelfSubjectRulesReviewInterface has methods to work with SelfSubjectRulesReview resources. +type SelfSubjectRulesReviewInterface interface { + SelfSubjectRulesReviewExpansion +} + +// selfSubjectRulesReviews implements SelfSubjectRulesReviewInterface +type selfSubjectRulesReviews struct { + client rest.Interface +} + +// newSelfSubjectRulesReviews returns a SelfSubjectRulesReviews +func newSelfSubjectRulesReviews(c *AuthorizationV1beta1Client) *selfSubjectRulesReviews { + return &selfSubjectRulesReviews{ + client: c.RESTClient(), + } +} diff --git a/staging/src/k8s.io/client-go/listers/authorization/v1/BUILD b/staging/src/k8s.io/client-go/listers/authorization/v1/BUILD index 3c77a5e3583..9b85ed9c7d8 100644 --- a/staging/src/k8s.io/client-go/listers/authorization/v1/BUILD +++ b/staging/src/k8s.io/client-go/listers/authorization/v1/BUILD @@ -11,6 +11,7 @@ go_library( "expansion_generated.go", "localsubjectaccessreview.go", "selfsubjectaccessreview.go", + "selfsubjectrulesreview.go", "subjectaccessreview.go", ], deps = [ 
diff --git a/staging/src/k8s.io/client-go/listers/authorization/v1/expansion_generated.go b/staging/src/k8s.io/client-go/listers/authorization/v1/expansion_generated.go index d7acd55c97e..0c91dd0c1c2 100644 --- a/staging/src/k8s.io/client-go/listers/authorization/v1/expansion_generated.go +++ b/staging/src/k8s.io/client-go/listers/authorization/v1/expansion_generated.go @@ -30,6 +30,10 @@ type LocalSubjectAccessReviewNamespaceListerExpansion interface{} // SelfSubjectAccessReviewLister. type SelfSubjectAccessReviewListerExpansion interface{} +// SelfSubjectRulesReviewListerExpansion allows custom methods to be added to +// SelfSubjectRulesReviewLister. +type SelfSubjectRulesReviewListerExpansion interface{} + // SubjectAccessReviewListerExpansion allows custom methods to be added to // SubjectAccessReviewLister. type SubjectAccessReviewListerExpansion interface{} diff --git a/staging/src/k8s.io/client-go/listers/authorization/v1/selfsubjectrulesreview.go b/staging/src/k8s.io/client-go/listers/authorization/v1/selfsubjectrulesreview.go new file mode 100644 index 00000000000..b654974b488 --- /dev/null +++ b/staging/src/k8s.io/client-go/listers/authorization/v1/selfsubjectrulesreview.go 
@@ -0,0 +1,67 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// This file was automatically generated by lister-gen + +package v1 + +import ( + v1 "k8s.io/api/authorization/v1" + "k8s.io/apimachinery/pkg/api/errors" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// SelfSubjectRulesReviewLister helps list SelfSubjectRulesReviews. +type SelfSubjectRulesReviewLister interface { + // List lists all SelfSubjectRulesReviews in the indexer. + List(selector labels.Selector) (ret []*v1.SelfSubjectRulesReview, err error) + // Get retrieves the SelfSubjectRulesReview from the index for a given name. + Get(name string) (*v1.SelfSubjectRulesReview, error) + SelfSubjectRulesReviewListerExpansion +} + +// selfSubjectRulesReviewLister implements the SelfSubjectRulesReviewLister interface. +type selfSubjectRulesReviewLister struct { + indexer cache.Indexer +} + +// NewSelfSubjectRulesReviewLister returns a new SelfSubjectRulesReviewLister. +func NewSelfSubjectRulesReviewLister(indexer cache.Indexer) SelfSubjectRulesReviewLister { + return &selfSubjectRulesReviewLister{indexer: indexer} +} + +// List lists all SelfSubjectRulesReviews in the indexer. 
+func (s *selfSubjectRulesReviewLister) List(selector labels.Selector) (ret []*v1.SelfSubjectRulesReview, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1.SelfSubjectRulesReview)) + }) + return ret, err +} + +// Get retrieves the SelfSubjectRulesReview from the index for a given name. +func (s *selfSubjectRulesReviewLister) Get(name string) (*v1.SelfSubjectRulesReview, error) { + key := &v1.SelfSubjectRulesReview{ObjectMeta: meta_v1.ObjectMeta{Name: name}} + obj, exists, err := s.indexer.Get(key) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1.Resource("selfsubjectrulesreview"), name) + } + return obj.(*v1.SelfSubjectRulesReview), nil +} diff --git a/staging/src/k8s.io/client-go/listers/authorization/v1beta1/BUILD b/staging/src/k8s.io/client-go/listers/authorization/v1beta1/BUILD index 7fca960f7c6..c0c3923b8d2 100644 --- a/staging/src/k8s.io/client-go/listers/authorization/v1beta1/BUILD +++ b/staging/src/k8s.io/client-go/listers/authorization/v1beta1/BUILD @@ -11,6 +11,7 @@ go_library( "expansion_generated.go", "localsubjectaccessreview.go", "selfsubjectaccessreview.go", + "selfsubjectrulesreview.go", "subjectaccessreview.go", ], deps = [ diff --git a/staging/src/k8s.io/client-go/listers/authorization/v1beta1/expansion_generated.go b/staging/src/k8s.io/client-go/listers/authorization/v1beta1/expansion_generated.go index 82b149fc704..771d7740000 100644 --- a/staging/src/k8s.io/client-go/listers/authorization/v1beta1/expansion_generated.go +++ b/staging/src/k8s.io/client-go/listers/authorization/v1beta1/expansion_generated.go 
@@ -30,6 +30,10 @@ type LocalSubjectAccessReviewNamespaceListerExpansion interface{} // SelfSubjectAccessReviewLister. type SelfSubjectAccessReviewListerExpansion interface{} +// SelfSubjectRulesReviewListerExpansion allows custom methods to be added to +// SelfSubjectRulesReviewLister. +type SelfSubjectRulesReviewListerExpansion interface{} + // SubjectAccessReviewListerExpansion allows custom methods to be added to // SubjectAccessReviewLister. type SubjectAccessReviewListerExpansion interface{} diff --git a/staging/src/k8s.io/client-go/listers/authorization/v1beta1/selfsubjectrulesreview.go b/staging/src/k8s.io/client-go/listers/authorization/v1beta1/selfsubjectrulesreview.go new file mode 100644 index 00000000000..8c775961af1 --- /dev/null +++ b/staging/src/k8s.io/client-go/listers/authorization/v1beta1/selfsubjectrulesreview.go 
@@ -0,0 +1,67 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// This file was automatically generated by lister-gen + +package v1beta1 + +import ( + v1beta1 "k8s.io/api/authorization/v1beta1" + "k8s.io/apimachinery/pkg/api/errors" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// SelfSubjectRulesReviewLister helps list SelfSubjectRulesReviews. +type SelfSubjectRulesReviewLister interface { + // List lists all SelfSubjectRulesReviews in the indexer. + List(selector labels.Selector) (ret []*v1beta1.SelfSubjectRulesReview, err error) + // Get retrieves the SelfSubjectRulesReview from the index for a given name. + Get(name string) (*v1beta1.SelfSubjectRulesReview, error) + SelfSubjectRulesReviewListerExpansion +} + +// selfSubjectRulesReviewLister implements the SelfSubjectRulesReviewLister interface. +type selfSubjectRulesReviewLister struct { + indexer cache.Indexer +} + +// NewSelfSubjectRulesReviewLister returns a new SelfSubjectRulesReviewLister. +func NewSelfSubjectRulesReviewLister(indexer cache.Indexer) SelfSubjectRulesReviewLister { + return &selfSubjectRulesReviewLister{indexer: indexer} +} + +// List lists all SelfSubjectRulesReviews in the indexer. 
+func (s *selfSubjectRulesReviewLister) List(selector labels.Selector) (ret []*v1beta1.SelfSubjectRulesReview, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1beta1.SelfSubjectRulesReview)) + }) + return ret, err +} + +// Get retrieves the SelfSubjectRulesReview from the index for a given name. +func (s *selfSubjectRulesReviewLister) Get(name string) (*v1beta1.SelfSubjectRulesReview, error) { + key := &v1beta1.SelfSubjectRulesReview{ObjectMeta: v1.ObjectMeta{Name: name}} + obj, exists, err := s.indexer.Get(key) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1beta1.Resource("selfsubjectrulesreview"), name) + } + return obj.(*v1beta1.SelfSubjectRulesReview), nil +} From 790374da10d3a59899ae832c24a73349b802f72b Mon Sep 17 00:00:00 2001 
From: xilabao Date: Fri, 1 Sep 2017 19:15:59 +0800 Subject: [PATCH 3/3] create the methods in the generated expansion files --- .../typed/authorization/internalversion/BUILD | 1 + .../authorization/internalversion/fake/BUILD | 1 + .../fake_selfsubjectrulesreview_expansion.go | 27 ++++++++++++++ .../internalversion/generated_expansion.go | 2 -- .../selfsubjectrulesreview_expansion.go | 35 +++++++++++++++++++ .../kubernetes/typed/authorization/v1/BUILD | 1 + .../typed/authorization/v1/fake/BUILD | 1 + .../fake_selfsubjectrulesreview_expansion.go | 27 ++++++++++++++ .../authorization/v1/generated_expansion.go | 2 -- .../v1/selfsubjectrulesreview_expansion.go | 35 +++++++++++++++++++ .../typed/authorization/v1beta1/BUILD | 1 + .../typed/authorization/v1beta1/fake/BUILD | 1 + .../fake_selfsubjectrulesreview_expansion.go | 27 ++++++++++++++ .../v1beta1/generated_expansion.go | 2 -- .../selfsubjectrulesreview_expansion.go | 35 +++++++++++++++++++ 15 files changed, 192 insertions(+), 6 deletions(-) create mode 100644 pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_selfsubjectrulesreview_expansion.go create mode 100644 pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/selfsubjectrulesreview_expansion.go create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_selfsubjectrulesreview_expansion.go create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview_expansion.go create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_selfsubjectrulesreview_expansion.go create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview_expansion.go 
diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/BUILD b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/BUILD index c0a60a8349d..53deb0f43cf 100644 --- a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/BUILD +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/BUILD @@ -16,6 +16,7 @@ go_library( "selfsubjectaccessreview.go", "selfsubjectaccessreview_expansion.go", "selfsubjectrulesreview.go", + "selfsubjectrulesreview_expansion.go", "subjectaccessreview.go", "subjectaccessreview_expansion.go", ], diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/BUILD b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/BUILD index 0b7a845b33e..b98ea5be509 100644 --- a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/BUILD +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/BUILD @@ -16,6 +16,7 @@ go_library( "fake_selfsubjectaccessreview.go", "fake_selfsubjectaccessreview_expansion.go", "fake_selfsubjectrulesreview.go", + "fake_selfsubjectrulesreview_expansion.go", "fake_subjectaccessreview.go", "fake_subjectaccessreview_expansion.go", ], diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_selfsubjectrulesreview_expansion.go b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_selfsubjectrulesreview_expansion.go new file mode 100644 index 00000000000..d08aaef4a7d --- /dev/null +++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/fake/fake_selfsubjectrulesreview_expansion.go 
@@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+ core "k8s.io/client-go/testing"
+ authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+)
+
+func (c *FakeSelfSubjectRulesReviews) Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error) {
+ obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("selfsubjectrulesreviews"), srr), &authorizationapi.SelfSubjectRulesReview{})
+ return obj.(*authorizationapi.SelfSubjectRulesReview), err
+}
diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/generated_expansion.go b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/generated_expansion.go
index c190bb419e6..b0f76eeede5 100644
--- a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/generated_expansion.go
+++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/generated_expansion.go
@@ -15,5 +15,3 @@ limitations under the License. */ package internalversion
-
-type SelfSubjectRulesReviewExpansion interface{}
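Review bot: The unchecked assertion `obj.(*authorizationapi.SelfSubjectRulesReview)` in `FakeSelfSubjectRulesReviews.Create` panics when `Invokes` hands back a nil object, which is presumably what happens when a test reactor returns only an error (the `Invokes` implementation is not part of this patch). Tests that simulate a denied or failing rules review would then crash instead of seeing the error. Guard it before the assertion: `if obj == nil { return nil, err }`. The copy of this method in the client-go `v1/fake/fake_selfsubjectrulesreview_expansion.go` hunk later in this patch has the same line and needs the same guard.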
diff --git a/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/selfsubjectrulesreview_expansion.go b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/selfsubjectrulesreview_expansion.go
new file mode 100644
index 00000000000..5f8f754a68f
--- /dev/null
+++ b/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion/selfsubjectrulesreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internalversion
+
+import (
+ authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+)
+
+type SelfSubjectRulesReviewExpansion interface {
+ Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error)
+}
+
+func (c *selfSubjectRulesReviews) Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error) {
+ result = &authorizationapi.SelfSubjectRulesReview{}
+ err = c.client.Post().
+ Resource("selfsubjectrulesreviews").
+ Body(srr).
+ Do().
+ Into(result)
+ return
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/BUILD b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/BUILD
index 0a0c7ae8e14..816aaa3d8fc 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/BUILD
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/BUILD
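Review bot: The exported `SelfSubjectRulesReviewExpansion` interface and `Create` method in this new file have no doc comments, so nothing tells a caller how the result is meant to be used. Suggested: `// Create POSTs srr to the root-scoped selfsubjectrulesreviews resource and returns the review decoded from the response.` It would also help to state there that the returned rule list is meant for the caller's own discovery and that enforcement decisions belong with SubjectAccessReview; confirm the wording against the API type's documentation, which is outside this hunk. Style-wise, the naked `return` over named results could be `return result, err`. The v1 client-go `selfsubjectrulesreview_expansion.go` hunk later in the patch is identical and would take the same comments.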
@@ -16,6 +16,7 @@ go_library( "selfsubjectaccessreview.go", "selfsubjectaccessreview_expansion.go", "selfsubjectrulesreview.go", + "selfsubjectrulesreview_expansion.go", "subjectaccessreview.go", "subjectaccessreview_expansion.go", ], diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/BUILD b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/BUILD index f8828e7e5d0..26cccdf1c0a 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/BUILD +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/BUILD @@ -15,6 +15,7 @@ go_library( "fake_selfsubjectaccessreview.go", "fake_selfsubjectaccessreview_expansion.go", "fake_selfsubjectrulesreview.go", + "fake_selfsubjectrulesreview_expansion.go", "fake_subjectaccessreview.go", "fake_subjectaccessreview_expansion.go", ], diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_selfsubjectrulesreview_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_selfsubjectrulesreview_expansion.go new file mode 100644 index 00000000000..a6dc9513498 --- /dev/null +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/fake/fake_selfsubjectrulesreview_expansion.go 
@@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+ authorizationapi "k8s.io/api/authorization/v1"
+ core "k8s.io/client-go/testing"
+)
+
+func (c *FakeSelfSubjectRulesReviews) Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error) {
+ obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("selfsubjectrulesreviews"), srr), &authorizationapi.SelfSubjectRulesReview{})
+ return obj.(*authorizationapi.SelfSubjectRulesReview), err
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go
index ca5c38a16ea..42e76d5e43c 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go
@@ -15,5 +15,3 @@ limitations under the License.
 */
 
 package v1
-
-type SelfSubjectRulesReviewExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview_expansion.go
new file mode 100644
index 00000000000..e2cad880eb1
--- /dev/null
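Review bot: In `FakeSelfSubjectRulesReviews.Create` (v1/fake/fake_selfsubjectrulesreview_expansion.go) the unchecked assertion `obj.(*authorizationapi.SelfSubjectRulesReview)` will panic if `Invokes` hands back a nil object, which I would expect when a test reactor returns only an error; `Invokes` itself is outside this hunk, so please confirm. Adding `if obj == nil { return nil, err }` before the assertion lets tests that simulate a failed or denied review receive the error instead of a panic. The v1beta1 fake added later in the patch has the same two lines and needs the same guard.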
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ authorizationapi "k8s.io/api/authorization/v1"
+)
+
+type SelfSubjectRulesReviewExpansion interface {
+ Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error)
+}
+
+func (c *selfSubjectRulesReviews) Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error) {
+ result = &authorizationapi.SelfSubjectRulesReview{}
+ err = c.client.Post().
+ Resource("selfsubjectrulesreviews").
+ Body(srr).
+ Do().
+ Into(result)
+ return
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/BUILD b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/BUILD
index 1cbb71a5634..be939575b58 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/BUILD
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/BUILD
@@ -16,6 +16,7 @@ go_library(
 "selfsubjectaccessreview.go",
 "selfsubjectaccessreview_expansion.go",
 "selfsubjectrulesreview.go",
+ "selfsubjectrulesreview_expansion.go",
 "subjectaccessreview.go",
 "subjectaccessreview_expansion.go",
 ],
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/BUILD b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/BUILD
index 10c5f1b307c..42c224102b3 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/BUILD
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/BUILD
@@ -16,6 +16,7 @@ go_library(
 "fake_selfsubjectaccessreview.go",
 "fake_selfsubjectaccessreview_expansion.go",
 "fake_selfsubjectrulesreview.go",
+ "fake_selfsubjectrulesreview_expansion.go",
 "fake_subjectaccessreview.go",
 "fake_subjectaccessreview_expansion.go",
 ],
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_selfsubjectrulesreview_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_selfsubjectrulesreview_expansion.go
new file mode 100644
index 00000000000..f92ffd717de
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake/fake_selfsubjectrulesreview_expansion.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+ authorizationapi "k8s.io/api/authorization/v1beta1"
+ core "k8s.io/client-go/testing"
+)
+
+func (c *FakeSelfSubjectRulesReviews) Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error) {
+ obj, err := c.Fake.Invokes(core.NewRootCreateAction(authorizationapi.SchemeGroupVersion.WithResource("selfsubjectrulesreviews"), srr), &authorizationapi.SelfSubjectRulesReview{})
+ return obj.(*authorizationapi.SelfSubjectRulesReview), err
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go
index 1949011e76b..2b7e8ca0bfb 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go
@@ -15,5 +15,3 @@ limitations under the License.
 */
 
 package v1beta1
-
-type SelfSubjectRulesReviewExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview_expansion.go
new file mode 100644
index 00000000000..5f1f37ef7ee
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+ authorizationapi "k8s.io/api/authorization/v1beta1"
+)
+
+type SelfSubjectRulesReviewExpansion interface {
+ Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error)
+}
+
+func (c *selfSubjectRulesReviews) Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error) {
+ result = &authorizationapi.SelfSubjectRulesReview{}
+ err = c.client.Post().
+ Resource("selfsubjectrulesreviews").
+ Body(srr).
+ Do().
+ Into(result)
+ return
+}