From e96578fb4d0b5f85a2702384aaa7d337db7dbaab Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Thu, 16 Nov 2023 11:59:42 -0800
Subject: [PATCH] Fix list_type_missing in api/rbac
---
api/api-rules/violation_exceptions.list | 30 ----
api/openapi-spec/swagger.json | 30 ++--
...rbac.authorization.k8s.io__v1_openapi.json | 30 ++--
pkg/generated/openapi/zz_generated.openapi.go | 150 ++++++++++++++++++
.../src/k8s.io/api/rbac/v1/generated.proto | 10 ++
staging/src/k8s.io/api/rbac/v1/types.go | 10 ++
.../k8s.io/api/rbac/v1alpha1/generated.proto | 10 ++
staging/src/k8s.io/api/rbac/v1alpha1/types.go | 10 ++
.../k8s.io/api/rbac/v1beta1/generated.proto | 10 ++
staging/src/k8s.io/api/rbac/v1beta1/types.go | 10 ++
10 files changed, 250 insertions(+), 50 deletions(-)
diff --git a/api/api-rules/violation_exceptions.list b/api/api-rules/violation_exceptions.list
index 4d22577e65c..aaf03de8a0e 100644
--- a/api/api-rules/violation_exceptions.list
+++ b/api/api-rules/violation_exceptions.list
@@ -1,33 +1,3 @@ -API rule violation: list_type_missing,k8s.io/api/rbac/v1,AggregationRule,ClusterRoleSelectors -API rule violation: list_type_missing,k8s.io/api/rbac/v1,ClusterRole,Rules -API rule violation: list_type_missing,k8s.io/api/rbac/v1,ClusterRoleBinding,Subjects -API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,APIGroups -API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,NonResourceURLs -API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,ResourceNames -API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,Resources -API rule violation: list_type_missing,k8s.io/api/rbac/v1,PolicyRule,Verbs -API rule violation: list_type_missing,k8s.io/api/rbac/v1,Role,Rules -API rule violation: list_type_missing,k8s.io/api/rbac/v1,RoleBinding,Subjects -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,AggregationRule,ClusterRoleSelectors -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,ClusterRole,Rules -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,ClusterRoleBinding,Subjects -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,APIGroups -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,NonResourceURLs -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,ResourceNames -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,Resources -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,PolicyRule,Verbs -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,Role,Rules -API rule violation: list_type_missing,k8s.io/api/rbac/v1alpha1,RoleBinding,Subjects -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,AggregationRule,ClusterRoleSelectors -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,ClusterRole,Rules -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,ClusterRoleBinding,Subjects -API rule violation: 
list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,APIGroups -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,NonResourceURLs -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,ResourceNames -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,Resources -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,PolicyRule,Verbs -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,Role,Rules -API rule violation: list_type_missing,k8s.io/api/rbac/v1beta1,RoleBinding,Subjects API rule violation: list_type_missing,k8s.io/api/storage/v1,CSINodeDriver,TopologyKeys API rule violation: list_type_missing,k8s.io/api/storage/v1,CSINodeSpec,Drivers API rule violation: list_type_missing,k8s.io/api/storage/v1,CSIStorageCapacityList,Items diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index 2b72e384569..4bf8d0516a4 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -13897,7 +13897,8 @@ "items": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" @@ -13926,7 +13927,8 @@ "items": { "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", @@ -13962,7 +13964,8 @@ "items": { "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ 
@@ -14055,35 +14058,40 @@ "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "nonResourceURLs": { "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ @@ -14111,7 +14119,8 @@ "items": { "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", @@ -14147,7 +14156,8 @@ "items": { "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ diff --git a/api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json index 9c4a063cb30..5fcd77c770e 100644 
--- a/api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json +++ b/api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json @@ -14,7 +14,8 @@ ], "default": {} }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" @@ -57,7 +58,8 @@ ], "default": {} }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", @@ -108,7 +110,8 @@ ], "default": {} }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ @@ -222,7 +225,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "nonResourceURLs": { "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", @@ -230,7 +234,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", @@ -238,7 +243,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", @@ -246,7 +252,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", 
@@ -254,7 +261,8 @@ "default": "", "type": "string" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ @@ -292,7 +300,8 @@ ], "default": {} }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", @@ -343,7 +352,8 @@ ], "default": {} }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index 886be9e80ee..58503a11a08 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go @@ -41322,6 +41322,11 @@ func schema_k8sio_api_rbac_v1_AggregationRule(ref common.ReferenceCallback) comm Type: []string{"object"}, Properties: map[string]spec.Schema{ "clusterRoleSelectors": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", Type: []string{"array"}, @@ -41372,6 +41377,11 @@ func schema_k8sio_api_rbac_v1_ClusterRole(ref common.ReferenceCallback) common.O }, }, "rules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Rules holds all the PolicyRules for this ClusterRole", Type: []string{"array"}, @@ -41428,6 +41438,11 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBinding(ref common.ReferenceCallback) c }, }, "subjects": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Subjects holds references to the objects the role applies to.", Type: []string{"array"}, 
@@ -41567,6 +41582,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op Type: []string{"object"}, Properties: map[string]spec.Schema{ "verbs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", Type: []string{"array"}, @@ -41582,6 +41602,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "apiGroups": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", Type: []string{"array"}, @@ -41597,6 +41622,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Resources is a list of resources this rule applies to. '*' represents all resources.", Type: []string{"array"}, @@ -41612,6 +41642,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "resourceNames": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", Type: []string{"array"}, 
@@ -41627,6 +41662,11 @@ func schema_k8sio_api_rbac_v1_PolicyRule(ref common.ReferenceCallback) common.Op }, }, "nonResourceURLs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", Type: []string{"array"}, @@ -41677,6 +41717,11 @@ func schema_k8sio_api_rbac_v1_Role(ref common.ReferenceCallback) common.OpenAPID }, }, "rules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Rules holds all the PolicyRules for this Role", Type: []string{"array"}, @@ -41727,6 +41772,11 @@ func schema_k8sio_api_rbac_v1_RoleBinding(ref common.ReferenceCallback) common.O }, }, "subjects": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Subjects holds references to the objects the role applies to.", Type: []string{"array"}, 
@@ -41958,6 +42008,11 @@ func schema_k8sio_api_rbac_v1alpha1_AggregationRule(ref common.ReferenceCallback Type: []string{"object"}, Properties: map[string]spec.Schema{ "clusterRoleSelectors": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", Type: []string{"array"}, @@ -42008,6 +42063,11 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRole(ref common.ReferenceCallback) co }, }, "rules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Rules holds all the PolicyRules for this ClusterRole", Type: []string{"array"}, @@ -42064,6 +42124,11 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBinding(ref common.ReferenceCallb }, }, "subjects": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Subjects holds references to the objects the role applies to.", Type: []string{"array"}, @@ -42203,6 +42268,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com Type: []string{"object"}, Properties: map[string]spec.Schema{ "verbs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", Type: []string{"array"}, 
@@ -42218,6 +42288,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com }, }, "apiGroups": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", Type: []string{"array"}, @@ -42233,6 +42308,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com }, }, "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Resources is a list of resources this rule applies to. '*' represents all resources.", Type: []string{"array"}, @@ -42248,6 +42328,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com }, }, "resourceNames": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", Type: []string{"array"}, 
@@ -42263,6 +42348,11 @@ func schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref common.ReferenceCallback) com }, }, "nonResourceURLs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", Type: []string{"array"}, @@ -42313,6 +42403,11 @@ func schema_k8sio_api_rbac_v1alpha1_Role(ref common.ReferenceCallback) common.Op }, }, "rules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Rules holds all the PolicyRules for this Role", Type: []string{"array"}, @@ -42363,6 +42458,11 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBinding(ref common.ReferenceCallback) co }, }, "subjects": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Subjects holds references to the objects the role applies to.", Type: []string{"array"}, 
@@ -42584,6 +42684,11 @@ func schema_k8sio_api_rbac_v1beta1_AggregationRule(ref common.ReferenceCallback) Type: []string{"object"}, Properties: map[string]spec.Schema{ "clusterRoleSelectors": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", Type: []string{"array"}, @@ -42634,6 +42739,11 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRole(ref common.ReferenceCallback) com }, }, "rules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Rules holds all the PolicyRules for this ClusterRole", Type: []string{"array"}, @@ -42690,6 +42800,11 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBinding(ref common.ReferenceCallba }, }, "subjects": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Subjects holds references to the objects the role applies to.", Type: []string{"array"}, @@ -42829,6 +42944,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm Type: []string{"object"}, Properties: map[string]spec.Schema{ "verbs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", Type: []string{"array"}, 
@@ -42844,6 +42964,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm }, }, "apiGroups": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", Type: []string{"array"}, @@ -42859,6 +42984,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm }, }, "resources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Resources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups. '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.", Type: []string{"array"}, @@ -42874,6 +43004,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm }, }, "resourceNames": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", Type: []string{"array"}, 
@@ -42889,6 +43024,11 @@ func schema_k8sio_api_rbac_v1beta1_PolicyRule(ref common.ReferenceCallback) comm }, }, "nonResourceURLs": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", Type: []string{"array"}, @@ -42939,6 +43079,11 @@ func schema_k8sio_api_rbac_v1beta1_Role(ref common.ReferenceCallback) common.Ope }, }, "rules": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Rules holds all the PolicyRules for this Role", Type: []string{"array"}, @@ -42989,6 +43134,11 @@ func schema_k8sio_api_rbac_v1beta1_RoleBinding(ref common.ReferenceCallback) com }, }, "subjects": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "Subjects holds references to the objects the role applies to.", Type: []string{"array"}, diff --git a/staging/src/k8s.io/api/rbac/v1/generated.proto b/staging/src/k8s.io/api/rbac/v1/generated.proto index 13ff60ea718..62f5e558ba7 100644 --- a/staging/src/k8s.io/api/rbac/v1/generated.proto +++ b/staging/src/k8s.io/api/rbac/v1/generated.proto 
@@ -33,6 +33,7 @@ message AggregationRule { // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. // If any of the selectors match, then the ClusterRole's permissions will be added // +optional + // +listType=atomic repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1; } @@ -44,6 +45,7 @@ message ClusterRole { // Rules holds all the PolicyRules for this ClusterRole // +optional + // +listType=atomic repeated PolicyRule rules = 2; // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. @@ -62,6 +64,7 @@ message ClusterRoleBinding { // Subjects holds references to the objects the role applies to. // +optional + // +listType=atomic repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace. 
@@ -94,25 +97,30 @@ message ClusterRoleList { // about who the rule applies to or which namespace the rule applies to. message PolicyRule { // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + // +listType=atomic repeated string verbs = 1; // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. // +optional + // +listType=atomic repeated string apiGroups = 2; // Resources is a list of resources this rule applies to. '*' represents all resources. // +optional + // +listType=atomic repeated string resources = 3; // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. // +optional + // +listType=atomic repeated string resourceNames = 4; // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. // +optional + // +listType=atomic repeated string nonResourceURLs = 5; } @@ -124,6 +132,7 @@ message Role { // Rules holds all the PolicyRules for this Role // +optional + // +listType=atomic repeated PolicyRule rules = 2; } @@ -137,6 +146,7 @@ message RoleBinding { // Subjects holds references to the objects the role applies to. // +optional + // +listType=atomic repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. 
diff --git a/staging/src/k8s.io/api/rbac/v1/types.go b/staging/src/k8s.io/api/rbac/v1/types.go index ce845d69b42..8bef1ac462b 100644 --- a/staging/src/k8s.io/api/rbac/v1/types.go +++ b/staging/src/k8s.io/api/rbac/v1/types.go @@ -48,23 +48,28 @@ const ( // about who the rule applies to or which namespace the rule applies to. type PolicyRule struct { // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + // +listType=atomic Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"` // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. // +optional + // +listType=atomic APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"` // Resources is a list of resources this rule applies to. '*' represents all resources. // +optional + // +listType=atomic Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"` // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. // +optional + // +listType=atomic ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"` // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. // +optional + // +listType=atomic NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,5,rep,name=nonResourceURLs"` } 
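Review bot: The `// +listType=atomic` markers added to `Verbs`, `APIGroups`, `Resources`, `ResourceNames` and `NonResourceURLs` come with no rationale, although the comments on `ResourceNames` and `NonResourceURLs` describe those fields as sets. An atomic list is owned and replaced as a whole under server-side apply, so an apply that leaves an entry out removes it instead of merging, and for RBAC that decides which permissions remain when two field managers write the same rule. I would record the choice in a comment such as `// Lists in this type are atomic: an apply replaces the whole list, entries are never merged.`, placed outside the field doc blocks because the generated OpenAPI hunks show those comments being copied into the published descriptions. The same applies to the `Rules`, `Subjects` and `ClusterRoleSelectors` markers in the later hunks of this file and in the v1alpha1 copy; the `PolicyRule` doc comment starts above this hunk.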
@@ -111,6 +116,7 @@ type Role struct { // Rules holds all the PolicyRules for this Role // +optional + // +listType=atomic Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"` } @@ -128,6 +134,7 @@ type RoleBinding struct { // Subjects holds references to the objects the role applies to. // +optional + // +listType=atomic Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"` // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. @@ -175,6 +182,7 @@ type ClusterRole struct { // Rules holds all the PolicyRules for this ClusterRole // +optional + // +listType=atomic Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"` // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. @@ -189,6 +197,7 @@ type AggregationRule struct { // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. // If any of the selectors match, then the ClusterRole's permissions will be added // +optional + // +listType=atomic ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"` } @@ -206,6 +215,7 @@ type ClusterRoleBinding struct { // Subjects holds references to the objects the role applies to. // +optional + // +listType=atomic Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"` // RoleRef can only reference a ClusterRole in the global namespace. diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto index d5ceaa0e824..170e008a568 100644 --- a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto +++ b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto 
@@ -33,6 +33,7 @@ message AggregationRule { // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. // If any of the selectors match, then the ClusterRole's permissions will be added // +optional + // +listType=atomic repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1; } @@ -45,6 +46,7 @@ message ClusterRole { // Rules holds all the PolicyRules for this ClusterRole // +optional + // +listType=atomic repeated PolicyRule rules = 2; // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. @@ -64,6 +66,7 @@ message ClusterRoleBinding { // Subjects holds references to the objects the role applies to. // +optional + // +listType=atomic repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace. 
@@ -97,25 +100,30 @@ message ClusterRoleList { // about who the rule applies to or which namespace the rule applies to. message PolicyRule { // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + // +listType=atomic repeated string verbs = 1; // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. // +optional + // +listType=atomic repeated string apiGroups = 3; // Resources is a list of resources this rule applies to. '*' represents all resources. // +optional + // +listType=atomic repeated string resources = 4; // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. // +optional + // +listType=atomic repeated string resourceNames = 5; // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. // +optional + // +listType=atomic repeated string nonResourceURLs = 6; } @@ -128,6 +136,7 @@ message Role { // Rules holds all the PolicyRules for this Role // +optional + // +listType=atomic repeated PolicyRule rules = 2; } @@ -142,6 +151,7 @@ message RoleBinding { // Subjects holds references to the objects the role applies to. // +optional + // +listType=atomic repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. 
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/types.go b/staging/src/k8s.io/api/rbac/v1alpha1/types.go
index e0e75b1503b..9a0a2197749 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/types.go
@@ -48,23 +48,28 @@ const (
 // about who the rule applies to or which namespace the rule applies to.
 type PolicyRule struct {
 // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+ // +listType=atomic
 Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
 // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
 // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
 // +optional
+ // +listType=atomic
 APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,3,rep,name=apiGroups"`
 // Resources is a list of resources this rule applies to. '*' represents all resources.
 // +optional
+ // +listType=atomic
 Resources []string `json:"resources,omitempty" protobuf:"bytes,4,rep,name=resources"`
 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
 // +optional
+ // +listType=atomic
 ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,5,rep,name=resourceNames"`
 // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
 // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
 // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
 // +optional
+ // +listType=atomic
 NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,6,rep,name=nonResourceURLs"`
 }
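Review bot: The PolicyRule comments still call `ResourceNames` and `NonResourceURLs` a "set" ("An empty set means that everything is allowed", "is a set of partial urls") while the new tag on the same fields is `+listType=atomic`, so a reader can wrongly assume entries are deduplicated or merged as set members. Presumably atomic was chosen over `set` to keep accepting stored objects that contain duplicates, and if so that reasoning is worth recording next to the tag, for example `// Atomic rather than set: duplicate entries are accepted and the list is replaced as a whole.` For `ResourceNames` this matters most, because the comment states that an empty list widens the rule to every name. The v1beta1 PolicyRule hunk carries the same wording.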
@@ -111,6 +116,7 @@ type Role struct {
 // Rules holds all the PolicyRules for this Role
 // +optional
+ // +listType=atomic
 Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
 }
@@ -129,6 +135,7 @@ type RoleBinding struct {
 // Subjects holds references to the objects the role applies to.
 // +optional
+ // +listType=atomic
 Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
@@ -178,6 +185,7 @@ type ClusterRole struct {
 // Rules holds all the PolicyRules for this ClusterRole
 // +optional
+ // +listType=atomic
 Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
 // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
@@ -192,6 +200,7 @@ type AggregationRule struct {
 // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
 // If any of the selectors match, then the ClusterRole's permissions will be added
 // +optional
+ // +listType=atomic
 ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
 }
@@ -210,6 +219,7 @@ type ClusterRoleBinding struct {
 // Subjects holds references to the objects the role applies to.
 // +optional
+ // +listType=atomic
 Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 // RoleRef can only reference a ClusterRole in the global namespace.
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
index f6b2f0dde1a..7dfc50d7eb6 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
@@ -33,6 +33,7 @@ message AggregationRule { // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. // If any of the selectors match, then the ClusterRole's permissions will be added // +optional + // +listType=atomic repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector clusterRoleSelectors = 1; } @@ -45,6 +46,7 @@ message ClusterRole { // Rules holds all the PolicyRules for this ClusterRole // +optional + // +listType=atomic repeated PolicyRule rules = 2; // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. @@ -64,6 +66,7 @@ message ClusterRoleBinding { // Subjects holds references to the objects the role applies to. // +optional + // +listType=atomic repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace. 
@@ -97,26 +100,31 @@ message ClusterRoleList { // about who the rule applies to or which namespace the rule applies to. message PolicyRule { // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + // +listType=atomic repeated string verbs = 1; // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. // +optional + // +listType=atomic repeated string apiGroups = 2; // Resources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups. // '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups. // +optional + // +listType=atomic repeated string resources = 3; // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. // +optional + // +listType=atomic repeated string resourceNames = 4; // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. // +optional + // +listType=atomic repeated string nonResourceURLs = 5; } @@ -129,6 +137,7 @@ message Role { // Rules holds all the PolicyRules for this Role // +optional + // +listType=atomic repeated PolicyRule rules = 2; } 
@@ -143,6 +152,7 @@ message RoleBinding { // Subjects holds references to the objects the role applies to. // +optional + // +listType=atomic repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. diff --git a/staging/src/k8s.io/api/rbac/v1beta1/types.go b/staging/src/k8s.io/api/rbac/v1beta1/types.go index 4941cd2abce..f761f81a6f5 100644 --- a/staging/src/k8s.io/api/rbac/v1beta1/types.go +++ b/staging/src/k8s.io/api/rbac/v1beta1/types.go 
@@ -48,24 +48,29 @@ const (
 // about who the rule applies to or which namespace the rule applies to.
 type PolicyRule struct {
 // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+ // +listType=atomic
 Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
 // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
 // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
 // +optional
+ // +listType=atomic
 APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
 // Resources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups.
 // '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
 // +optional
+ // +listType=atomic
 Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
 // +optional
+ // +listType=atomic
 ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
 // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
 // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
 // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
 // +optional
+ // +listType=atomic
 NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,5,rep,name=nonResourceURLs"`
 }
@@ -115,6 +120,7 @@ type Role struct {
 // Rules holds all the PolicyRules for this Role
 // +optional
+ // +listType=atomic
 Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
 }
@@ -137,6 +143,7 @@ type RoleBinding struct {
 // Subjects holds references to the objects the role applies to.
 // +optional
+ // +listType=atomic
 Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
@@ -198,6 +205,7 @@ type ClusterRole struct {
 // Rules holds all the PolicyRules for this ClusterRole
 // +optional
+ // +listType=atomic
 Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
 // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
 // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
@@ -211,6 +219,7 @@ type AggregationRule struct {
 // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
 // If any of the selectors match, then the ClusterRole's permissions will be added
 // +optional
+ // +listType=atomic
 ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
 }
@@ -233,6 +242,7 @@ type ClusterRoleBinding struct {
 // Subjects holds references to the objects the role applies to.
 // +optional
+ // +listType=atomic
 Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`
 // RoleRef can only reference a ClusterRole in the global namespace.