github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-11 04:52:08 +00:00
Code Issues Projects Releases Wiki Activity

Fix list_type_missing in api/rbac

Browse Source
This commit is contained in:
Tim Hockin 2023-11-16 11:59:42 -08:00
parent b2458e456a
commit e96578fb4d
No known key found for this signature in database
10 changed files with 250 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
api/api-rules/violation_exceptions.list
View File

@ -1,33 +1,3 @@
API rule violation: list_type_missing,k8s.io/api/rbac/v1,AggregationRule,ClusterRoleSelectors
API rule violation: list_type_missing,k8s.io/api/rbac/v1,ClusterRole,Rules
API rule violation: list_type_missing,k8s.io/api/rbac/v1,ClusterRoleBinding,Subjects
API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,APIGroups
API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,NonResourceURLs
API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,ResourceNames
API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,Resources
API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,Verbs
API rule violation: list_type_missing,k8s.io/api/rbac/v1,Role,Rules
API rule violation: list_type_missing,k8s.io/api/rbac/v1,RoleBinding,Subjects
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,AggregationRule,ClusterRoleSelectors
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,ClusterRole,Rules
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,ClusterRoleBinding,Subjects
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,APIGroups
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,NonResourceURLs
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,ResourceNames
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,Resources
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,Verbs
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,Role,Rules
API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,RoleBinding,Subjects
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,AggregationRule,ClusterRoleSelectors
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,ClusterRole,Rules
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,ClusterRoleBinding,Subjects
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,APIGroups
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,NonResourceURLs
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,ResourceNames
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,Resources
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,Verbs
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,Role,Rules
API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,RoleBinding,Subjects
API rule violation: list_type_missing,k8s.io/api/storage/v1,CSINodeDriver,TopologyKeys
API rule violation: list_type_missing,k8s.io/api/storage/v1,CSINodeSpec,Drivers
API rule violation: list_type_missing,k8s.io/api/storage/v1,CSIStorageCapacityList,Items

30
api/openapi-spec/swagger.json generated
View File

@ -13897,7 +13897,8 @@
"items": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object"
@ -13926,7 +13927,8 @@
"items": {
"$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object",
@ -13962,7 +13964,8 @@
"items": {
"$ref": "#/definitions/io.k8s.api.rbac.v1.Subject"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [
@ -14055,35 +14058,40 @@
"items": {
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"nonResourceURLs": {
"description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.",
"items": {
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"resourceNames": {
"description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.",
"items": {
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"resources": {
"description": "Resources is a list of resources this rule applies to. '*' represents all resources.",
"items": {
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"verbs": {
"description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.",
"items": {
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [
@ -14111,7 +14119,8 @@
"items": {
"$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object",
@ -14147,7 +14156,8 @@
"items": {
"$ref": "#/definitions/io.k8s.api.rbac.v1.Subject"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [

30
api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json
View File

@ -14,7 +14,8 @@
],
"default": {}
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object"
@ -57,7 +58,8 @@
],
"default": {}
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object",
@ -108,7 +110,8 @@
],
"default": {}
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [
@ -222,7 +225,8 @@
"default": "",
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"nonResourceURLs": {
"description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.",
@ -230,7 +234,8 @@
"default": "",
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"resourceNames": {
"description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.",
@ -238,7 +243,8 @@
"default": "",
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"resources": {
"description": "Resources is a list of resources this rule applies to. '*' represents all resources.",
@ -246,7 +252,8 @@
"default": "",
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"verbs": {
"description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.",
@ -254,7 +261,8 @@
"default": "",
"type": "string"
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [
@ -292,7 +300,8 @@
],
"default": {}
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object",
@ -343,7 +352,8 @@
],
"default": {}
},
"type": "array"
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [

150
pkg/generated/openapi/zz_generated.openapi.go generated
View File

@ -41322,6 +41322,11 @@ func schema_k8sio_api_rbac_v1_AggregationRule(ref common.ReferenceCallback) comm
Type: []string{"object"},
Properties: map[string]spec.Schema{
"clusterRoleSelectors": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added",
Type: []string{"array"},
@ -41372,6 +41377,11 @@ func schema_k8sio_api_rbac_v1_ClusterRole(ref common.ReferenceCallback) common.O
},
},
"rules": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Rules holds all the PolicyRules for this ClusterRole",
Type: []string{"array"},
@ -41428,6 +41438,11 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBinding(ref common.ReferenceCallback) c
},
},
"subjects": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Subjects holds references to the objects the role applies to.",
Type: []string{"array"},
@ -41567,6 +41582,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op
Type: []string{"object"},
Properties: map[string]spec.Schema{
"verbs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.",
Type: []string{"array"},
@ -41582,6 +41602,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"apiGroups": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.",
Type: []string{"array"},
@ -41597,6 +41622,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"resources": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Resources is a list of resources this rule applies to. '*' represents all resources.",
Type: []string{"array"},
@ -41612,6 +41642,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"resourceNames": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.",
Type: []string{"array"},
@ -41627,6 +41662,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"nonResourceURLs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.",
Type: []string{"array"},
@ -41677,6 +41717,11 @@ func schema_k8sio_api_rbac_v1_Role(ref common.ReferenceCallback) common.OpenAPID
},
},
"rules": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Rules holds all the PolicyRules for this Role",
Type: []string{"array"},
@ -41727,6 +41772,11 @@ func schema_k8sio_api_rbac_v1_RoleBinding(ref common.ReferenceCallback) common.O
},
},
"subjects": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Subjects holds references to the objects the role applies to.",
Type: []string{"array"},
@ -41958,6 +42008,11 @@ func schema_k8sio_api_rbac_v1alpha1_AggregationRule(ref common.ReferenceCallback
Type: []string{"object"},
Properties: map[string]spec.Schema{
"clusterRoleSelectors": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added",
Type: []string{"array"},
@ -42008,6 +42063,11 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRole(ref common.ReferenceCallback) co
},
},
"rules": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Rules holds all the PolicyRules for this ClusterRole",
Type: []string{"array"},
@ -42064,6 +42124,11 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBinding(ref common.ReferenceCallb
},
},
"subjects": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Subjects holds references to the objects the role applies to.",
Type: []string{"array"},
@ -42203,6 +42268,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com
Type: []string{"object"},
Properties: map[string]spec.Schema{
"verbs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.",
Type: []string{"array"},
@ -42218,6 +42288,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com
},
},
"apiGroups": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.",
Type: []string{"array"},
@ -42233,6 +42308,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com
},
},
"resources": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Resources is a list of resources this rule applies to. '*' represents all resources.",
Type: []string{"array"},
@ -42248,6 +42328,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com
},
},
"resourceNames": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.",
Type: []string{"array"},
@ -42263,6 +42348,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com
},
},
"nonResourceURLs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.",
Type: []string{"array"},
@ -42313,6 +42403,11 @@ func schema_k8sio_api_rbac_v1alpha1_Role(ref common.ReferenceCallback) common.Op
},
},
"rules": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Rules holds all the PolicyRules for this Role",
Type: []string{"array"},
@ -42363,6 +42458,11 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBinding(ref common.ReferenceCallback) co
},
},
"subjects": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Subjects holds references to the objects the role applies to.",
Type: []string{"array"},
@ -42584,6 +42684,11 @@ func schema_k8sio_api_rbac_v1beta1_AggregationRule(ref common.ReferenceCallback)
Type: []string{"object"},
Properties: map[string]spec.Schema{
"clusterRoleSelectors": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added",
Type: []string{"array"},
@ -42634,6 +42739,11 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRole(ref common.ReferenceCallback) com
},
},
"rules": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Rules holds all the PolicyRules for this ClusterRole",
Type: []string{"array"},
@ -42690,6 +42800,11 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBinding(ref common.ReferenceCallba
},
},
"subjects": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Subjects holds references to the objects the role applies to.",
Type: []string{"array"},
@ -42829,6 +42944,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm
Type: []string{"object"},
Properties: map[string]spec.Schema{
"verbs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.",
Type: []string{"array"},
@ -42844,6 +42964,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm
},
},
"apiGroups": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.",
Type: []string{"array"},
@ -42859,6 +42984,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm
},
},
"resources": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Resources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups. '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.",
Type: []string{"array"},
@ -42874,6 +43004,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm
},
},
"resourceNames": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.",
Type: []string{"array"},
@ -42889,6 +43024,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm
},
},
"nonResourceURLs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.",
Type: []string{"array"},
@ -42939,6 +43079,11 @@ func schema_k8sio_api_rbac_v1beta1_Role(ref common.ReferenceCallback) common.Ope
},
},
"rules": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Rules holds all the PolicyRules for this Role",
Type: []string{"array"},
@ -42989,6 +43134,11 @@ func schema_k8sio_api_rbac_v1beta1_RoleBinding(ref common.ReferenceCallback) com
},
},
"subjects": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Subjects holds references to the objects the role applies to.",
Type: []string{"array"},

10
staging/src/k8s.io/api/rbac/v1/generated.proto
View File

@ -33,6 +33,7 @@ message AggregationRule {
// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
// If any of the selectors match, then the ClusterRole's permissions will be added
// +optional
// +listType=atomic
repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1;
}
@ -44,6 +45,7 @@ message ClusterRole {
// Rules holds all the PolicyRules for this ClusterRole
// +optional
// +listType=atomic
repeated PolicyRule rules = 2;
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
@ -62,6 +64,7 @@ message ClusterRoleBinding {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
repeated Subject subjects = 2;
// RoleRef can only reference a ClusterRole in the global namespace.
@ -94,25 +97,30 @@ message ClusterRoleList {
// about who the rule applies to or which namespace the rule applies to.
message PolicyRule {
// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
// +listType=atomic
repeated string verbs = 1;
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
// +optional
// +listType=atomic
repeated string apiGroups = 2;
// Resources is a list of resources this rule applies to. '*' represents all resources.
// +optional
// +listType=atomic
repeated string resources = 3;
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
// +optional
// +listType=atomic
repeated string resourceNames = 4;
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
// +optional
// +listType=atomic
repeated string nonResourceURLs = 5;
}
@ -124,6 +132,7 @@ message Role {
// Rules holds all the PolicyRules for this Role
// +optional
// +listType=atomic
repeated PolicyRule rules = 2;
}
@ -137,6 +146,7 @@ message RoleBinding {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
repeated Subject subjects = 2;
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.

10
staging/src/k8s.io/api/rbac/v1/types.go
View File

@ -48,23 +48,28 @@ const (
// about who the rule applies to or which namespace the rule applies to.
type PolicyRule struct {
// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
// +listType=atomic
Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
// +optional
// +listType=atomic
APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
// Resources is a list of resources this rule applies to. '*' represents all resources.
// +optional
// +listType=atomic
Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
// +optional
// +listType=atomic
ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
// +optional
// +listType=atomic
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,5,rep,name=nonResourceURLs"`
}
@ -111,6 +116,7 @@ type Role struct {
// Rules holds all the PolicyRules for this Role
// +optional
// +listType=atomic
Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}
@ -128,6 +134,7 @@ type RoleBinding struct {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
@ -175,6 +182,7 @@ type ClusterRole struct {
// Rules holds all the PolicyRules for this ClusterRole
// +optional
// +listType=atomic
Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
@ -189,6 +197,7 @@ type AggregationRule struct {
// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
// If any of the selectors match, then the ClusterRole's permissions will be added
// +optional
// +listType=atomic
ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
}
@ -206,6 +215,7 @@ type ClusterRoleBinding struct {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can only reference a ClusterRole in the global namespace.

10
staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
View File

@ -33,6 +33,7 @@ message AggregationRule {
// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
// If any of the selectors match, then the ClusterRole's permissions will be added
// +optional
// +listType=atomic
repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1;
}
@ -45,6 +46,7 @@ message ClusterRole {
// Rules holds all the PolicyRules for this ClusterRole
// +optional
// +listType=atomic
repeated PolicyRule rules = 2;
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
@ -64,6 +66,7 @@ message ClusterRoleBinding {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
repeated Subject subjects = 2;
// RoleRef can only reference a ClusterRole in the global namespace.
@ -97,25 +100,30 @@ message ClusterRoleList {
// about who the rule applies to or which namespace the rule applies to.
message PolicyRule {
// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
// +listType=atomic
repeated string verbs = 1;
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
// +optional
// +listType=atomic
repeated string apiGroups = 3;
// Resources is a list of resources this rule applies to. '*' represents all resources.
// +optional
// +listType=atomic
repeated string resources = 4;
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
// +optional
// +listType=atomic
repeated string resourceNames = 5;
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
// +optional
// +listType=atomic
repeated string nonResourceURLs = 6;
}
@ -128,6 +136,7 @@ message Role {
// Rules holds all the PolicyRules for this Role
// +optional
// +listType=atomic
repeated PolicyRule rules = 2;
}
@ -142,6 +151,7 @@ message RoleBinding {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
repeated Subject subjects = 2;
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.

10
staging/src/k8s.io/api/rbac/v1alpha1/types.go
View File

@ -48,23 +48,28 @@ const (
// about who the rule applies to or which namespace the rule applies to.
type PolicyRule struct {
// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
// +listType=atomic
Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
// +optional
// +listType=atomic
APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,3,rep,name=apiGroups"`
// Resources is a list of resources this rule applies to. '*' represents all resources.
// +optional
// +listType=atomic
Resources []string `json:"resources,omitempty" protobuf:"bytes,4,rep,name=resources"`
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
// +optional
// +listType=atomic
ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,5,rep,name=resourceNames"`
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
// +optional
// +listType=atomic
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,6,rep,name=nonResourceURLs"`
}
@ -111,6 +116,7 @@ type Role struct {
// Rules holds all the PolicyRules for this Role
// +optional
// +listType=atomic
Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}
@ -129,6 +135,7 @@ type RoleBinding struct {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
@ -178,6 +185,7 @@ type ClusterRole struct {
// Rules holds all the PolicyRules for this ClusterRole
// +optional
// +listType=atomic
Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
@ -192,6 +200,7 @@ type AggregationRule struct {
// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
// If any of the selectors match, then the ClusterRole's permissions will be added
// +optional
// +listType=atomic
ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
}
@ -210,6 +219,7 @@ type ClusterRoleBinding struct {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can only reference a ClusterRole in the global namespace.

10
staging/src/k8s.io/api/rbac/v1beta1/generated.proto
View File

@ -33,6 +33,7 @@ message AggregationRule {
// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
// If any of the selectors match, then the ClusterRole's permissions will be added
// +optional
// +listType=atomic
repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1;
}
@ -45,6 +46,7 @@ message ClusterRole {
// Rules holds all the PolicyRules for this ClusterRole
// +optional
// +listType=atomic
repeated PolicyRule rules = 2;
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
@ -64,6 +66,7 @@ message ClusterRoleBinding {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
repeated Subject subjects = 2;
// RoleRef can only reference a ClusterRole in the global namespace.
@ -97,26 +100,31 @@ message ClusterRoleList {
// about who the rule applies to or which namespace the rule applies to.
message PolicyRule {
// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
// +listType=atomic
repeated string verbs = 1;
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
// +optional
// +listType=atomic
repeated string apiGroups = 2;
// Resources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups.
// '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
// +optional
// +listType=atomic
repeated string resources = 3;
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
// +optional
// +listType=atomic
repeated string resourceNames = 4;
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
// +optional
// +listType=atomic
repeated string nonResourceURLs = 5;
}
@ -129,6 +137,7 @@ message Role {
// Rules holds all the PolicyRules for this Role
// +optional
// +listType=atomic
repeated PolicyRule rules = 2;
}
@ -143,6 +152,7 @@ message RoleBinding {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
repeated Subject subjects = 2;
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.

10
staging/src/k8s.io/api/rbac/v1beta1/types.go
View File

@ -48,24 +48,29 @@ const (
// about who the rule applies to or which namespace the rule applies to.
type PolicyRule struct {
// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
// +listType=atomic
Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
// +optional
// +listType=atomic
APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
// Resources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups.
// '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
// +optional
// +listType=atomic
Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
// +optional
// +listType=atomic
ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
// +optional
// +listType=atomic
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,5,rep,name=nonResourceURLs"`
}
@ -115,6 +120,7 @@ type Role struct {
// Rules holds all the PolicyRules for this Role
// +optional
// +listType=atomic
Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}
@ -137,6 +143,7 @@ type RoleBinding struct {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
@ -198,6 +205,7 @@ type ClusterRole struct {
// Rules holds all the PolicyRules for this ClusterRole
// +optional
// +listType=atomic
Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
@ -211,6 +219,7 @@ type AggregationRule struct {
// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
// If any of the selectors match, then the ClusterRole's permissions will be added
// +optional
// +listType=atomic
ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
}
@ -233,6 +242,7 @@ type ClusterRoleBinding struct {
// Subjects holds references to the objects the role applies to.
// +optional
// +listType=atomic
Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
// RoleRef can only reference a ClusterRole in the global namespace.