github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-09 13:12:20 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #53273 from mikedanese/authtristate

Browse Source 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add support for short-circuit deny in union authorizer

This change has no behavioral changes.

Fixes https://github.com/kubernetes/kubernetes/issues/51862

```release-note
Add support for the webhook authorizer to make a Deny decision that short-circuits the union authorizer and immediately returns Deny. 
```
This commit is contained in:
Kubernetes Submit Queue
2017-11-07 09:25:37 -08:00
committed by GitHub
parent ef8746af3d 90d551a0de
commit d33077526a
52 changed files with 684 additions and 450 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
api/openapi-spec/swagger.json generated
View File

@@ -69539,7 +69539,11 @@
],
"properties": {
"allowed": {
"description": "Allowed is required. True if the action would be allowed, false otherwise.",
"description": "Allowed is required. True if the action would be allowed, false otherwise.",
"type": "boolean"
},
"denied": {
"description": "Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.",
"type": "boolean"
},
"evaluationError": {
@@ -69890,7 +69894,11 @@
],
"properties": {
"allowed": {
"description": "Allowed is required. True if the action would be allowed, false otherwise.",
"description": "Allowed is required. True if the action would be allowed, false otherwise.",
"type": "boolean"
},
"denied": {
"description": "Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.",
"type": "boolean"
},
"evaluationError": {

6
api/swagger-spec/authorization.k8s.io_v1.json generated
View File

@@ -635,7 +635,11 @@
"properties": {
"allowed": {
"type": "boolean",
"description": "Allowed is required. True if the action would be allowed, false otherwise."
"description": "Allowed is required. True if the action would be allowed, false otherwise."
},
"denied": {
"type": "boolean",
"description": "Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true."
},
"reason": {
"type": "string",

6
api/swagger-spec/authorization.k8s.io_v1beta1.json generated
View File

@@ -635,7 +635,11 @@
"properties": {
"allowed": {
"type": "boolean",
"description": "Allowed is required. True if the action would be allowed, false otherwise."
"description": "Allowed is required. True if the action would be allowed, false otherwise."
},
"denied": {
"type": "boolean",
"description": "Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true."
},
"reason": {
"type": "string",