Documentation
¶
Index ¶
- Variables
- func Allowed() authorizationv1.SubjectAccessReviewStatus
- func AuthorizationAttributesFrom(spec authorizationv1.SubjectAccessReviewSpec) auth.AttributesRecord
- func Denied(reason string) authorizationv1.SubjectAccessReviewStatus
- func Errored(code int32, err error) authorizationv1.SubjectAccessReviewStatus
- func NoOpinion(reason string) authorizationv1.SubjectAccessReviewStatus
- func NonResourceAttributesFrom(user user.Info, in authorizationv1.NonResourceAttributes) auth.AttributesRecord
- func ResourceAttributesFrom(user user.Info, in authorizationv1.ResourceAttributes) auth.AttributesRecord
- type Handler
- type WithSelectorsCheckerdeprecated
Constants ¶
This section is empty.
Variables ¶
var ( // DecisionTimeout is the maximum time for the authorizer to take a decision. Exposed for testing. DecisionTimeout = 10 * time.Second )
Functions ¶
func Allowed ¶
func Allowed() authorizationv1.SubjectAccessReviewStatus
Allowed constructs a SubjectAccessReview and indicates in its status that the given operation is allowed.
func AuthorizationAttributesFrom ¶
func AuthorizationAttributesFrom(spec authorizationv1.SubjectAccessReviewSpec) auth.AttributesRecord
AuthorizationAttributesFrom takes a spec and returns the proper authz attributes to check it.
func Denied ¶
func Denied(reason string) authorizationv1.SubjectAccessReviewStatus
Denied constructs a SubjectAccessReview and indicates in its status that the given operation is denied and that other authenticators should not be consulted for their opinion.
func Errored ¶
func Errored(code int32, err error) authorizationv1.SubjectAccessReviewStatus
Errored constructs a SubjectAccessReview and indicates in its status that an error has occurred during the evaluation of the result.
func NoOpinion ¶
func NoOpinion(reason string) authorizationv1.SubjectAccessReviewStatus
NoOpinion constructs a SubjectAccessReview and indicates in its status that the authorizer does not have an opinion about the result, i.e., other authenticators should be consulted for their opinion.
func NonResourceAttributesFrom ¶
func NonResourceAttributesFrom(user user.Info, in authorizationv1.NonResourceAttributes) auth.AttributesRecord
NonResourceAttributesFrom combines the API object information and the user.Info from the context to build a full auth.AttributesRecord for non resource access.
func ResourceAttributesFrom ¶
func ResourceAttributesFrom(user user.Info, in authorizationv1.ResourceAttributes) auth.AttributesRecord
ResourceAttributesFrom combines the API object information and the user.Info from the context to build a full auth.AttributesRecord for resource access.
Types ¶
type Handler ¶
type Handler struct {
Logger logr.Logger
Authorizer auth.Authorizer
}
Handler authorizing requests for resources.
type WithSelectorsChecker
deprecated
added in
v1.128.0
type WithSelectorsChecker interface {
// IsPossible returns true if the 'AuthorizeWithSelectors' feature is enabled in the kube-apiserver.
IsPossible() (bool, error)
}
WithSelectorsChecker checks whether the 'AuthorizeWithSelectors' feature is enabled in the kube-apiserver. TODO(rfranzke): Remove this interface once the lowest supported Kubernetes version is 1.34.
Deprecated: This interface will be removed once the lowest supported Kubernetes version is 1.34.
func NewWithSelectorsChecker ¶ added in v1.128.0
func NewWithSelectorsChecker(ctx context.Context, log logr.Logger, clientSet kubernetes.Interface, clock clock.Clock) WithSelectorsChecker
NewWithSelectorsChecker creates a new WithSelectorsChecker.
Source Files
Directories