Documentation
Overview
Package types holds the constants and GVRs shared across the iam subpackages (access, group, user). Anything more interesting than a constant or a GVR belongs in the consumer package.
Constants
const (
	KindAuthorizationRule        = "AuthorizationRule"
	KindClusterAuthorizationRule = "ClusterAuthorizationRule"
	KindUserOperation            = "UserOperation"
)
Object kinds for the rule resources themselves. Kept as untyped strings because they are only ever used as literal values in unstructured maps and for ref formatting; introducing a separate "RuleKind" type would not catch any realistic bug today.
const (
	APIVersionDeckhouseV1       = "deckhouse.io/v1"       // User, ClusterAuthorizationRule, UserOperation
	APIVersionDeckhouseV1Alpha1 = "deckhouse.io/v1alpha1" // Group, AuthorizationRule
)
API versions matching the GVRs in the Variables section. Kept in sync explicitly because unstructured.Unstructured needs the apiVersion strings literally.
The previous APIVersionUserAuthn / APIVersionUserAuthz names suggested a per-module split that does not actually exist in the API group: every resource here is under the deckhouse.io group, and the only difference is the stability tier (v1 vs v1alpha1). The current names reflect that reality.
const (
	LabelManagedBy    = "app.kubernetes.io/managed-by"
	ManagedByValueCLI = "d8-cli"

	LabelAccessModel       = "deckhouse.io/access-model"
	LabelAccessSubjectKind = "deckhouse.io/access-subject-kind"
	LabelAccessScope       = "deckhouse.io/access-scope"

	AnnotationAccessSubjectRef       = "deckhouse.io/access-subject-ref"
	AnnotationAccessSubjectPrincipal = "deckhouse.io/access-subject-principal"
	AnnotationAccessCanonicalSpec    = "deckhouse.io/access-canonical-spec"
	AnnotationAccessCreatedByVersion = "deckhouse.io/access-created-by-version"
)
Labels and annotations stamped on grant objects created by `d8 iam access grant`.
Variables
var (
	UserGVR = schema.GroupVersionResource{
		Group:    "deckhouse.io",
		Version:  "v1",
		Resource: "users",
	}
	GroupGVR = schema.GroupVersionResource{
		Group:    "deckhouse.io",
		Version:  "v1alpha1",
		Resource: "groups",
	}
	AuthorizationRuleGVR = schema.GroupVersionResource{
		Group:    "deckhouse.io",
		Version:  "v1alpha1",
		Resource: "authorizationrules",
	}
	ClusterAuthorizationRuleGVR = schema.GroupVersionResource{
		Group:    "deckhouse.io",
		Version:  "v1",
		Resource: "clusterauthorizationrules",
	}
	UserOperationGVR = schema.GroupVersionResource{
		Group:    "deckhouse.io",
		Version:  "v1",
		Resource: "useroperations",
	}
)
GVRs of the Deckhouse IAM resources.
Functions
This section is empty.
Types
type AccessModel
type AccessModel string
AccessModel is the internal authorization model identifier persisted on managed grants. There is only one model today; bumping it is a deliberate breaking change. Typed for the same reason as Scope.
const ModelCurrent AccessModel = "current"
type Scope
type Scope string
Scope identifies how a grant maps onto cluster topology. Typed because it drives the choice between AuthorizationRule and ClusterAuthorizationRule and a wrong value here silently produces objects of the wrong kind.
type SubjectKind
type SubjectKind string
SubjectKind identifies the principal type that appears in spec.subjects[].kind on AuthorizationRule / ClusterAuthorizationRule and in Group.spec.members[].kind. It is a typed string so that internal struct fields and switch statements get compile-time protection against typos like "user" (lowercase) or unrelated kinds. Conversions to/from string only happen at unstructured.Unstructured map boundaries, where the API server requires plain strings.
const (
	KindUser           SubjectKind = "User"
	KindGroup          SubjectKind = "Group"
	KindServiceAccount SubjectKind = "ServiceAccount"
)
Subject kinds. Note that these are also the apiVersion-less object kinds for User / Group / ServiceAccount when referenced as principals.
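The following is an added example, not code from the types package or its consumers, showing how a consumer would use these constants: Scope selects between AuthorizationRule and ClusterAuthorizationRule (and the matching apiVersion), the grant is stamped with the managed-by and scope labels, and SubjectKind is validated once at the string boundary. The Scope values (ScopeNamespace, ScopeCluster), the functions, and the plain map standing in for unstructured.Unstructured are assumptions of this example; the constant values are copied from this page.

```go
package main

import "fmt"

// Constants copied from the types package so the example runs offline.
const (
	KindAuthorizationRule        = "AuthorizationRule"
	KindClusterAuthorizationRule = "ClusterAuthorizationRule"
	APIVersionDeckhouseV1        = "deckhouse.io/v1"
	APIVersionDeckhouseV1Alpha1  = "deckhouse.io/v1alpha1"
	LabelManagedBy               = "app.kubernetes.io/managed-by"
	ManagedByValueCLI            = "d8-cli"
	LabelAccessScope             = "deckhouse.io/access-scope"
)

type Scope string
type SubjectKind string

const KindUser, KindGroup, KindServiceAccount SubjectKind = "User", "Group", "ServiceAccount"

// Hypothetical Scope values: the page declares the type but lists no constants.
const ScopeNamespace, ScopeCluster Scope = "namespace", "cluster"

// ParseSubjectKind is the string-to-typed conversion at the unstructured
// boundary; anything that is not a known kind (for example "user") is rejected.
func ParseSubjectKind(raw string) (SubjectKind, error) {
	switch k := SubjectKind(raw); k {
	case KindUser, KindGroup, KindServiceAccount:
		return k, nil
	}
	return "", fmt.Errorf("unknown subject kind %q", raw)
}

// BuildGrant assembles the unstructured map (stand-in for unstructured.Unstructured) of a
// managed grant. Scope alone selects kind and apiVersion; an unknown scope fails loudly.
func BuildGrant(scope Scope, name string, subject SubjectKind) (map[string]interface{}, error) {
	var kind, version string
	switch scope {
	case ScopeNamespace:
		kind, version = KindAuthorizationRule, APIVersionDeckhouseV1Alpha1
	case ScopeCluster:
		kind, version = KindClusterAuthorizationRule, APIVersionDeckhouseV1
	default:
		return nil, fmt.Errorf("unknown scope %q", scope)
	}
	return map[string]interface{}{
		"apiVersion": version,
		"kind":       kind,
		"metadata":   map[string]interface{}{"name": name, "labels": map[string]interface{}{LabelManagedBy: ManagedByValueCLI, LabelAccessScope: string(scope)}},
		// The API server requires plain strings, hence the explicit conversion back from SubjectKind.
		"spec": map[string]interface{}{"subjects": []interface{}{map[string]interface{}{"kind": string(subject), "name": name}}},
	}, nil
}
```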