Documentation
Index
- func CheckSubresource(log logr.Logger, attrs auth.Attributes, allowedSubresources ...string) (bool, string)
- func CheckVerb(log logr.Logger, attrs auth.Attributes, allowedVerbs ...string) (bool, string)
- func WithAllowedSubresources(resources ...string) configFunc
- func WithAllowedVerbs(verbs ...string) configFunc
- func WithAlwaysAllowedVerbs(verbs ...string) configFunc
- func WithFieldSelectorFields(fieldNames ...string) configFunc
- func WithLabelSelectorKeys(labelKeys ...string) configFunc
- type RequestAuthorizer
Constants
This section is empty.
Variables
This section is empty.
Functions
func CheckSubresource
func CheckSubresource(log logr.Logger, attrs auth.Attributes, allowedSubresources ...string) (bool, string)
CheckSubresource checks whether the subresource in the attributes is one of allowedSubresources for the resource type and returns whether it is allowed together with a reason string. If the attributes carry no subresource, the check always passes: it only constrains access to subresources, so a request for the main resource is not restricted by it and must be authorized by the other checks (verb and graph relationship).
func WithAllowedSubresources
func WithAllowedSubresources(resources ...string) configFunc
WithAllowedSubresources is a config function for setting the allowed subresources, i.e. the subresources a request may address.
func WithAllowedVerbs
func WithAllowedVerbs(verbs ...string) configFunc
WithAllowedVerbs is a config function for setting the allowed verbs, i.e. the verbs a request may use.
func WithAlwaysAllowedVerbs
func WithAlwaysAllowedVerbs(verbs ...string) configFunc
WithAlwaysAllowedVerbs is a config function for setting the always allowed verbs, i.e. verbs for which a request is allowed unconditionally.
func WithFieldSelectorFields
func WithFieldSelectorFields(fieldNames ...string) configFunc
WithFieldSelectorFields is a config function for setting the field selector fields. The value of each field is matched against the name of the object the requestor is associated with. For example, if the field name is '.spec.seedName' and the requestor is associated with seed 'foo', then they must send a field selector for '.spec.seedName=foo' in order to be authorized for list/watch requests; the selector restricts the response to the requestor's own objects. TODO(rfranzke): Remove this 'nolint' annotation once the function is used.
func WithLabelSelectorKeys
func WithLabelSelectorKeys(labelKeys ...string) configFunc
WithLabelSelectorKeys is a config function for setting the label selector keys. Each label key must contain the name of the object the requestor is associated with. For example, if the label key is 'name.seed.gardener.cloud/foo' and the requestor is associated with seed 'foo', then they must send a label selector for 'name.seed.gardener.cloud/foo=true' in order to be authorized for list/watch requests; as with the field selector, this restricts the response to the requestor's own objects. TODO(rfranzke): Remove this 'nolint' annotation once the function is used.
Types
type RequestAuthorizer
type RequestAuthorizer struct {
Log logr.Logger
Graph graph.Interface
AuthorizeWithSelectors authorizerwebhook.WithSelectorsChecker
ToType graph.VertexType
ToNamespace string
ToName string
}
RequestAuthorizer contains common fields that can be used to authorize requests based on graph relationships.
func (*RequestAuthorizer) Check
func (a *RequestAuthorizer) Check(fromType graph.VertexType, attrs auth.Attributes, fns ...configFunc) (auth.Decision, string, error)
Check checks if a request is allowed based on the graph relationships and the provided attributes. fromType is the vertex type of the requestor; the config functions (WithAllowedVerbs, WithAlwaysAllowedVerbs, WithAllowedSubresources, WithLabelSelectorKeys, WithFieldSelectorFields) set the verbs, subresources and selectors the check accepts. The returned string is the reason for the decision.
func (*RequestAuthorizer) CheckRead
func (a *RequestAuthorizer) CheckRead(fromType graph.VertexType, attrs auth.Attributes) (auth.Decision, string, error)
CheckRead checks if a read request (get, list, watch) is allowed based on the graph relationships and the provided attributes.
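The following is an added, self-contained Go model of how Check, the verb and subresource checks and the selector options fit together. It is example code written for this page, not Gardener's implementation: the Graph (direct-edge lookups only), the Attributes stand-in with a Requester field, the Decision values and the option bodies are assumptions, and the scenario it builds is constructed (seed "foo" is related to shoot garden/my-shoot only). It demonstrates the property the selector options exist for: an unnamed list or watch is allowed only when the client scopes it to itself with 'name.seed.gardener.cloud/foo=true' or '.spec.seedName=foo'; any other outcome is NoOpinion rather than Deny, so that another authorizer can still decide.

```go
package main

import "fmt"

// Added model of the graph-relationship authorizer documented above; example code, not
// Gardener's own. The graph, the Attributes stand-in and the selector handling are assumptions.

type Decision int

const (
	NoOpinion Decision = iota // leave the request to the next authorizer (e.g. RBAC)
	Allow
)

type vertex struct{ typ, namespace, name string }
// Graph holds directed edges; kept to direct-edge lookups for brevity.
type Graph map[[2]vertex]bool
func (g Graph) AddEdge(from, to vertex)          { g[[2]vertex{from, to}] = true }
func (g Graph) HasPathFrom(from, to vertex) bool { return g[[2]vertex{from, to}] }

// Attributes is a constructed stand-in for auth.Attributes.
type Attributes struct {
	Requester, Verb, Subresource, Namespace, Name string            // Requester: seed the client acts for
	LabelSelector, FieldSelector                 map[string]string // parsed key=value pairs of the request
}

type config struct{ verbs, alwaysVerbs, subresources, labelKeys, fields []string }
type configFunc func(*config)
func WithAllowedVerbs(v ...string) configFunc        { return func(c *config) { c.verbs = v } }
func WithAlwaysAllowedVerbs(v ...string) configFunc  { return func(c *config) { c.alwaysVerbs = v } }
func WithAllowedSubresources(s ...string) configFunc { return func(c *config) { c.subresources = s } }
func WithLabelSelectorKeys(k ...string) configFunc   { return func(c *config) { c.labelKeys = k } }
func WithFieldSelectorFields(f ...string) configFunc { return func(c *config) { c.fields = f } }

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

type RequestAuthorizer struct {
	Graph  Graph
	ToType string
}

func (a *RequestAuthorizer) Check(fromType string, attrs Attributes, fns ...configFunc) (Decision, string) {
	var c config
	for _, fn := range fns {
		fn(&c)
	}
	if contains(c.alwaysVerbs, attrs.Verb) {
		return Allow, ""
	}
	if !contains(c.verbs, attrs.Verb) {
		return NoOpinion, fmt.Sprintf("verb %q is not allowed", attrs.Verb)
	}
	// As with CheckSubresource: an empty subresource passes this step unconditionally.
	if attrs.Subresource != "" && !contains(c.subresources, attrs.Subresource) {
		return NoOpinion, fmt.Sprintf("subresource %q is not allowed", attrs.Subresource)
	}
	// An unnamed list/watch would return every object, so allow it only when scoped to the requester.
	if (attrs.Verb == "list" || attrs.Verb == "watch") && attrs.Name == "" {
		for _, key := range c.labelKeys {
			if attrs.LabelSelector[key] == "true" {
				return Allow, ""
			}
		}
		for _, field := range c.fields {
			if attrs.FieldSelector[field] == attrs.Requester {
				return Allow, ""
			}
		}
		return NoOpinion, "list/watch must carry a selector restricting the result to the requester"
	}
	from, to := vertex{fromType, "", attrs.Requester}, vertex{a.ToType, attrs.Namespace, attrs.Name}
	if a.Graph.HasPathFrom(from, to) {
		return Allow, ""
	}
	return NoOpinion, fmt.Sprintf("no graph relationship from %s %q to %s/%s", fromType, attrs.Requester, attrs.Namespace, attrs.Name)
}

// exampleScenario is a constructed setup: seed "foo" is related to shoot garden/my-shoot only.
func exampleScenario() (*RequestAuthorizer, []configFunc) {
	g := Graph{}
	g.AddEdge(vertex{"Seed", "", "foo"}, vertex{"Shoot", "garden", "my-shoot"})
	opts := []configFunc{WithAllowedVerbs("get", "list", "watch"), WithAlwaysAllowedVerbs("create"),
		WithAllowedSubresources("status"), WithLabelSelectorKeys("name.seed.gardener.cloud/foo"),
		WithFieldSelectorFields(".spec.seedName")}
	return &RequestAuthorizer{Graph: g, ToType: "Shoot"}, opts
}

func main() {
	a, opts := exampleScenario()
	fmt.Println(a.Check("Seed", Attributes{Requester: "foo", Verb: "list"}, opts...))
}
```

The order of the checks matters: the always-allowed verbs short-circuit everything, the verb and subresource checks reject early, and only a named request reaches the graph lookup. Because the label key already embeds the requester's name, the caller must build it per request (as in the 'name.seed.gardener.cloud/foo' example above); a selector for another seed's key or name yields NoOpinion, so one seed cannot enumerate objects belonging to another.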