Documentation
Index ¶
- func NewAPIBindingAccessAuthorizer(kubeInformers clientgoinformers.SharedInformerFactory, ...) authorizer.Authorizer
- func NewBootstrapPolicyAuthorizer(informers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
- func NewLocalAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
- func NewTopLevelOrganizationAccessAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, ...) authorizer.Authorizer
- func NewWorkspaceContentAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, ...) authorizer.Authorizer
- type LocalAuthorizer
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewAPIBindingAccessAuthorizer ¶ added in v0.6.0
func NewAPIBindingAccessAuthorizer(kubeInformers clientgoinformers.SharedInformerFactory, kcpInformers kcpinformers.SharedInformerFactory, delegate authorizer.Authorizer) authorizer.Authorizer
NewAPIBindingAccessAuthorizer returns an authorizer that checks whether the request is for a bound resource. If the resource is bound, it checks that the user has RBAC access in the exported resource's workspace. If that access is not allowed, it returns NoDecision; if it is allowed, it calls the delegate authorizer.
func NewBootstrapPolicyAuthorizer ¶
func NewBootstrapPolicyAuthorizer(informers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewLocalAuthorizer ¶
func NewLocalAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewTopLevelOrganizationAccessAuthorizer ¶ added in v0.6.0
func NewTopLevelOrganizationAccessAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, clusterWorkspaceLister tenancyv1.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer
NewTopLevelOrganizationAccessAuthorizer returns an authorizer that checks for the access+member verbs in clusterworkspaces/content of the top-level workspace the request workspace is nested in. If one of these verbs is admitted, the delegate authorizer is called. Otherwise, NoOpinion is returned if the top-level workspace exists, and Deny otherwise. Note that NoOpinion is not a denial: whether such a request is ultimately rejected depends on how this authorizer is composed with the other authorizers in the chain.
func NewWorkspaceContentAuthorizer ¶
func NewWorkspaceContentAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, clusterWorkspaceLister tenancyv1.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer
Types ¶
type LocalAuthorizer ¶
type LocalAuthorizer struct {
// contains filtered or unexported fields
}
func (*LocalAuthorizer) Authorize ¶
func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
func (*LocalAuthorizer) RulesFor ¶
func (a *LocalAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)