Documentation
Index
Constants
const (
	// SystemKcpAdminGroup is the global admin group. Members of this group have all permissions across all workspaces.
	SystemKcpAdminGroup = "system:kcp:admin"

	// SystemKcpWorkspaceBootstrapper is the group used to bootstrap resources, both during the root setup and
	// when the default APIBinding initializing controller performs its bootstrapping for initializing workspaces.
	// A separate group (not the privileged system group) is needed because system-owned workspaces (e.g. root:users)
	// need a workspace owner annotation set, and the owner annotation is skipped/not set for the privileged system group.
	SystemKcpWorkspaceBootstrapper = "system:kcp:tenancy:workspace-bootstrapper"

	// SystemLogicalClusterAdmin is the group used by the workspace scheduler to create LogicalCluster resources.
	// This group lets it skip the entire authorization stack except the bootstrap policy authorizer.
	// Otherwise the requests would be rejected, because the LogicalCluster resource does not exist yet.
	SystemLogicalClusterAdmin = "system:kcp:logical-cluster-admin"

	// SystemExternalLogicalClusterAdmin is the group used by the workspace controllers to manage LogicalCluster
	// resources after creation, using a subset of the permissions allowed for the internal logical-cluster-admin.
	SystemExternalLogicalClusterAdmin = "system:kcp:external-logical-cluster-admin"

	// SystemKcpWorkspaceAccessGroup is the group that gives a user system:authenticated access to a workspace.
	SystemKcpWorkspaceAccessGroup = "system:kcp:workspace:access"

	// SystemKcpMetricsReader names the ClusterRole that grants read access to the
	// shard-wide /metrics endpoint. A kcp-admin binds it inside :root to an
	// identity (User, Group, or ServiceAccount) used by Prometheus or similar
	// scrapers. The binding is replicated to every shard via the cache server,
	// so a single :root binding authorizes scraping on all shards.
	SystemKcpMetricsReader = "system:kcp:metrics-reader"

	// SystemKcpInitializerGroupPrefix is the group prefix used by the initializing virtual workspace's
	// content proxy to mark a request as already authorized against the WorkspaceType's
	// initializerPermissions. Concrete groups are formed as
	//   system:kcp:initializer:<initializer-name>
	// where <initializer-name> is the fully qualified initializer identifier produced by
	// initialization.InitializerForType (e.g. "root:org:tenant"). Clients cannot self-assert
	// these groups: the front-proxy strips them via --authentication-drop-groups before the
	// request ever reaches a shard, so seeing one inside the workspace content authorizer is
	// a trustworthy signal that a VW proxy has already evaluated the request.
	SystemKcpInitializerGroupPrefix = "system:kcp:initializer:"

	// SystemKcpTerminatorGroupPrefix is the group prefix used by the terminating virtual
	// workspace's content proxy. See SystemKcpInitializerGroupPrefix for semantics.
	SystemKcpTerminatorGroupPrefix = "system:kcp:terminator:"
)
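The initializer/terminator prefixes above only work as a trust signal because of the two-stage flow the comment describes: the front-proxy drops any client-asserted group with one of these prefixes, and only the virtual workspace content proxy adds the group back after it has evaluated initializerPermissions. The following is an added example, not kcp's own code, that models both stages so the failure mode (a client spoofing the group) can be seen end to end. It copies the two prefix strings from the constants above, assumes the front-proxy's --authentication-drop-groups behaves as a prefix filter (the flag's exact matching rules are not described on this page), and uses hypothetical helper names (DropClientAssertedGroups, InitializerGroup, AuthorizedByInitializerVW, HandleRequest).

```go
package main

import (
	"fmt"
	"strings"
)

// Group names copied literally from the page's constants so the example runs
// stand-alone without importing kcp.
const (
	SystemKcpInitializerGroupPrefix = "system:kcp:initializer:"
	SystemKcpTerminatorGroupPrefix  = "system:kcp:terminator:"
)

// proxyAssertedPrefixes lists the prefixes that only a virtual-workspace
// content proxy may add. Assumption: the front-proxy's drop step is modeled
// as "remove every group starting with one of these prefixes".
var proxyAssertedPrefixes = []string{
	SystemKcpInitializerGroupPrefix,
	SystemKcpTerminatorGroupPrefix,
}

// DropClientAssertedGroups models the front-proxy stage: every group carrying
// a proxy-only prefix is removed before the request reaches a shard.
func DropClientAssertedGroups(groups []string) []string {
	kept := make([]string, 0, len(groups))
	for _, g := range groups {
		dropped := false
		for _, p := range proxyAssertedPrefixes {
			if strings.HasPrefix(g, p) {
				dropped = true
				break
			}
		}
		if !dropped {
			kept = append(kept, g)
		}
	}
	return kept
}

// InitializerGroup forms system:kcp:initializer:<initializer-name> for a fully
// qualified initializer identifier such as "root:org:tenant".
func InitializerGroup(initializer string) string {
	return SystemKcpInitializerGroupPrefix + initializer
}

// AuthorizedByInitializerVW is the check a workspace content authorizer would
// make. It requires the exact group rather than a prefix match, so the group
// for "root:org:tenant2" does not authorize a request aimed at "root:org:tenant".
func AuthorizedByInitializerVW(groups []string, initializer string) bool {
	want := InitializerGroup(initializer)
	for _, g := range groups {
		if g == want {
			return true
		}
	}
	return false
}

// HandleRequest wires the stages together. vwInitializer is the initializer
// the VW proxy evaluated the request against ("" when the request did not come
// through a VW proxy); target is the initializer the authorizer is protecting.
func HandleRequest(clientGroups []string, vwInitializer, target string) bool {
	groups := DropClientAssertedGroups(clientGroups) // front-proxy
	if vwInitializer != "" {
		groups = append(groups, InitializerGroup(vwInitializer)) // VW content proxy
	}
	return AuthorizedByInitializerVW(groups, target) // workspace content authorizer
}

func main() {
	// Constructed sample identities.
	spoofed := []string{"system:authenticated", InitializerGroup("root:org:tenant")}
	plain := []string{"system:authenticated"}

	fmt.Println("spoofed group, straight to shard:", HandleRequest(spoofed, "", "root:org:tenant"))
	fmt.Println("via initializing VW for the right initializer:", HandleRequest(plain, "root:org:tenant", "root:org:tenant"))
	fmt.Println("via initializing VW for another initializer:", HandleRequest(plain, "root:org:other", "root:org:tenant"))
}
```

The spoofed request is denied only because the drop step runs before the authorizer; if a shard were reachable without the front-proxy in front of it, the group would be accepted at face value, which is why the comment calls the signal trustworthy only under that deployment assumption.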
const (
	// SystemMastersGroup is the group inherited from the k8s codebase: all powerful, all knowing!
	// Users should not be added to this group.
	SystemMastersGroup = user.SystemPrivilegedGroup
)
Variables
This section is empty.
Functions
func Policy
func Policy() *rbacrest.PolicyData
Policy returns the bootstrap RBAC policy data (the k8s rbacrest.PolicyData type, which carries ClusterRoles and ClusterRoleBindings) consulted by the bootstrap policy authorizer referred to in the constants above.
Types
This section is empty.