mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
Copy v1beta1 authorization types to v1
This commit is contained in:
parent
d4bcf3ede5
commit
e4d6c48900
26
pkg/apis/authorization/v1/conversion.go
Normal file
26
pkg/apis/authorization/v1/conversion.go
Normal file
@ -0,0 +1,26 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1
|
||||
|
||||
import (
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
func addConversionFuncs(scheme *runtime.Scheme) error {
|
||||
// Add non-generated conversion functions
|
||||
return scheme.AddConversionFuncs()
|
||||
}
|
25
pkg/apis/authorization/v1/defaults.go
Normal file
25
pkg/apis/authorization/v1/defaults.go
Normal file
@ -0,0 +1,25 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1
|
||||
|
||||
import (
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
func addDefaultingFuncs(scheme *runtime.Scheme) error {
|
||||
return scheme.AddDefaultingFuncs()
|
||||
}
|
23
pkg/apis/authorization/v1/doc.go
Normal file
23
pkg/apis/authorization/v1/doc.go
Normal file
@ -0,0 +1,23 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// +k8s:deepcopy-gen=package,register
|
||||
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/authorization
|
||||
// +k8s:openapi-gen=true
|
||||
// +k8s:defaulter-gen=TypeMeta
|
||||
|
||||
// +groupName=authorization.k8s.io
|
||||
package v1 // import "k8s.io/kubernetes/pkg/apis/authorization/v1"
|
55
pkg/apis/authorization/v1/register.go
Normal file
55
pkg/apis/authorization/v1/register.go
Normal file
@ -0,0 +1,55 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1
|
||||
|
||||
import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
// GroupName is the group name use in this package
|
||||
const GroupName = "authorization.k8s.io"
|
||||
|
||||
// SchemeGroupVersion is group version used to register these objects
|
||||
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
|
||||
|
||||
// Resource takes an unqualified resource and returns a Group qualified GroupResource
|
||||
func Resource(resource string) schema.GroupResource {
|
||||
return SchemeGroupVersion.WithResource(resource).GroupResource()
|
||||
}
|
||||
|
||||
var (
|
||||
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, addDefaultingFuncs, addConversionFuncs)
|
||||
AddToScheme = SchemeBuilder.AddToScheme
|
||||
)
|
||||
|
||||
// Adds the list of known types to api.Scheme.
|
||||
func addKnownTypes(scheme *runtime.Scheme) error {
|
||||
scheme.AddKnownTypes(SchemeGroupVersion,
|
||||
&SelfSubjectAccessReview{},
|
||||
&SubjectAccessReview{},
|
||||
&LocalSubjectAccessReview{},
|
||||
)
|
||||
|
||||
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (obj *LocalSubjectAccessReview) GetObjectKind() schema.ObjectKind { return &obj.TypeMeta }
|
||||
func (obj *SubjectAccessReview) GetObjectKind() schema.ObjectKind { return &obj.TypeMeta }
|
||||
func (obj *SelfSubjectAccessReview) GetObjectKind() schema.ObjectKind { return &obj.TypeMeta }
|
176
pkg/apis/authorization/v1/types.go
Normal file
176
pkg/apis/authorization/v1/types.go
Normal file
@ -0,0 +1,176 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// +genclient=true
|
||||
// +nonNamespaced=true
|
||||
// +noMethods=true
|
||||
|
||||
// SubjectAccessReview checks whether or not a user or group can perform an action.
|
||||
type SubjectAccessReview struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// +optional
|
||||
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
||||
|
||||
// Spec holds information about the request being evaluated
|
||||
Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
||||
|
||||
// Status is filled in by the server and indicates whether the request is allowed or not
|
||||
// +optional
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
||||
}
|
||||
|
||||
// +genclient=true
|
||||
// +nonNamespaced=true
|
||||
// +noMethods=true
|
||||
|
||||
// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a
|
||||
// spec.namespace means "in all namespaces". Self is a special case, because users should always be able
|
||||
// to check whether they can perform an action
|
||||
type SelfSubjectAccessReview struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// +optional
|
||||
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
||||
|
||||
// Spec holds information about the request being evaluated. user and groups must be empty
|
||||
Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
||||
|
||||
// Status is filled in by the server and indicates whether the request is allowed or not
|
||||
// +optional
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
||||
}
|
||||
|
||||
// +genclient=true
|
||||
// +noMethods=true
|
||||
|
||||
// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
|
||||
// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
|
||||
// checking.
|
||||
type LocalSubjectAccessReview struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// +optional
|
||||
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
||||
|
||||
// Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace
|
||||
// you made the request against. If empty, it is defaulted.
|
||||
Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
||||
|
||||
// Status is filled in by the server and indicates whether the request is allowed or not
|
||||
// +optional
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
||||
}
|
||||
|
||||
// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
|
||||
type ResourceAttributes struct {
|
||||
// Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
|
||||
// "" (empty) is defaulted for LocalSubjectAccessReviews
|
||||
// "" (empty) is empty for cluster-scoped resources
|
||||
// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
|
||||
// +optional
|
||||
Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
|
||||
// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
|
||||
// +optional
|
||||
Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
|
||||
// Group is the API Group of the Resource. "*" means all.
|
||||
// +optional
|
||||
Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"`
|
||||
// Version is the API Version of the Resource. "*" means all.
|
||||
// +optional
|
||||
Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"`
|
||||
// Resource is one of the existing resource types. "*" means all.
|
||||
// +optional
|
||||
Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"`
|
||||
// Subresource is one of the existing resource types. "" means none.
|
||||
// +optional
|
||||
Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"`
|
||||
// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
|
||||
// +optional
|
||||
Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"`
|
||||
}
|
||||
|
||||
// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
|
||||
type NonResourceAttributes struct {
|
||||
// Path is the URL path of the request
|
||||
// +optional
|
||||
Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
|
||||
// Verb is the standard HTTP verb
|
||||
// +optional
|
||||
Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
|
||||
}
|
||||
|
||||
// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
|
||||
// and NonResourceAuthorizationAttributes must be set
|
||||
type SubjectAccessReviewSpec struct {
|
||||
// ResourceAuthorizationAttributes describes information for a resource access request
|
||||
// +optional
|
||||
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
|
||||
// NonResourceAttributes describes information for a non-resource access request
|
||||
// +optional
|
||||
NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
|
||||
|
||||
// User is the user you're testing for.
|
||||
// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
|
||||
// +optional
|
||||
User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=verb"`
|
||||
// Groups is the groups you're testing for.
|
||||
// +optional
|
||||
Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"`
|
||||
// Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
|
||||
// it needs a reflection here.
|
||||
// +optional
|
||||
Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"`
|
||||
}
|
||||
|
||||
// ExtraValue masks the value so protobuf can generate
|
||||
// +protobuf.nullable=true
|
||||
// +protobuf.options.(gogoproto.goproto_stringer)=false
|
||||
type ExtraValue []string
|
||||
|
||||
func (t ExtraValue) String() string {
|
||||
return fmt.Sprintf("%v", []string(t))
|
||||
}
|
||||
|
||||
// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
|
||||
// and NonResourceAuthorizationAttributes must be set
|
||||
type SelfSubjectAccessReviewSpec struct {
|
||||
// ResourceAuthorizationAttributes describes information for a resource access request
|
||||
// +optional
|
||||
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
|
||||
// NonResourceAttributes describes information for a non-resource access request
|
||||
// +optional
|
||||
NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
|
||||
}
|
||||
|
||||
// SubjectAccessReviewStatus
|
||||
type SubjectAccessReviewStatus struct {
|
||||
// Allowed is required. True if the action would be allowed, false otherwise.
|
||||
Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
|
||||
// Reason is optional. It indicates why a request was allowed or denied.
|
||||
// +optional
|
||||
Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
|
||||
// EvaluationError is an indication that some error occurred during the authorization check.
|
||||
// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
|
||||
// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
|
||||
// +optional
|
||||
EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"`
|
||||
}
|
Loading…
Reference in New Issue
Block a user