package rbac
import "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
Package rbac implements the authorizer.Authorizer interface using roles base access control.
Package rbac implements the authorizer.Authorizer interface using roles base access control.
Index ¶
- func RuleAllows(requestAttributes authorizer.Attributes, rule *rbacv1.PolicyRule) bool
- func RulesAllow(requestAttributes authorizer.Attributes, rules ...rbacv1.PolicyRule) bool
- type ClusterRoleBindingLister
- type ClusterRoleGetter
- type RBACAuthorizer
- func New(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister) *RBACAuthorizer
- func (r *RBACAuthorizer) Authorize(ctx context.Context, requestAttributes authorizer.Attributes) (authorizer.Decision, string, error)
- func (r *RBACAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
- type RequestToRuleMapper
- type RoleBindingLister
- type RoleGetter
- type RoleToRuleMapper
- type SubjectAccessEvaluator
- func NewSubjectAccessEvaluator(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister, superUser string) *SubjectAccessEvaluator
- func (r *SubjectAccessEvaluator) AllowedSubjects(ctx context.Context, requestAttributes authorizer.Attributes) ([]rbacv1.Subject, error)
- type SubjectLocator
Functions ¶
func RuleAllows ¶
func RuleAllows(requestAttributes authorizer.Attributes, rule *rbacv1.PolicyRule) bool
func RulesAllow ¶
func RulesAllow(requestAttributes authorizer.Attributes, rules ...rbacv1.PolicyRule) bool
Types ¶
type ClusterRoleBindingLister ¶
type ClusterRoleBindingLister struct {
Lister rbaclisters.ClusterRoleBindingLister
}
func (*ClusterRoleBindingLister) ListClusterRoleBindings ¶
func (l *ClusterRoleBindingLister) ListClusterRoleBindings(ctx context.Context) ([]*rbacv1.ClusterRoleBinding, error)
type ClusterRoleGetter ¶
type ClusterRoleGetter struct {
Lister rbaclisters.ClusterRoleLister
}
func (*ClusterRoleGetter) GetClusterRole ¶
func (g *ClusterRoleGetter) GetClusterRole(ctx context.Context, name string) (*rbacv1.ClusterRole, error)
type RBACAuthorizer ¶
type RBACAuthorizer struct {
// contains filtered or unexported fields
}
func New ¶
func New(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister) *RBACAuthorizer
func (*RBACAuthorizer) Authorize ¶
func (r *RBACAuthorizer) Authorize(ctx context.Context, requestAttributes authorizer.Attributes) (authorizer.Decision, string, error)
func (*RBACAuthorizer) RulesFor ¶
func (r *RBACAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
type RequestToRuleMapper ¶
type RequestToRuleMapper interface {
// RulesFor returns all known PolicyRules and any errors that happened while locating those rules.
// Any rule returned is still valid, since rules are deny by default. If you can pass with the rules
// supplied, you do not have to fail the request. If you cannot, you should indicate the error along
// with your denial.
RulesFor(ctx context.Context, subject user.Info, namespace string) ([]rbacv1.PolicyRule, error)
// VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace,
// and each error encountered resolving those rules. Rule may be nil if err is non-nil.
// If visitor() returns false, visiting is short-circuited.
VisitRulesFor(ctx context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
}
type RoleBindingLister ¶
type RoleBindingLister struct {
Lister rbaclisters.RoleBindingLister
}
func (*RoleBindingLister) ListRoleBindings ¶
func (l *RoleBindingLister) ListRoleBindings(ctx context.Context, namespace string) ([]*rbacv1.RoleBinding, error)
type RoleGetter ¶
type RoleGetter struct {
Lister rbaclisters.RoleLister
}
func (*RoleGetter) GetRole ¶
type RoleToRuleMapper ¶
type RoleToRuleMapper interface {
// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namespace
// of the role binding, the empty string if a cluster role binding.
GetRoleReferenceRules(ctx context.Context, roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
}
type SubjectAccessEvaluator ¶
type SubjectAccessEvaluator struct {
// contains filtered or unexported fields
}
func NewSubjectAccessEvaluator ¶
func NewSubjectAccessEvaluator(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister, superUser string) *SubjectAccessEvaluator
func (*SubjectAccessEvaluator) AllowedSubjects ¶
func (r *SubjectAccessEvaluator) AllowedSubjects(ctx context.Context, requestAttributes authorizer.Attributes) ([]rbacv1.Subject, error)
AllowedSubjects returns the subjects that can perform an action and any errors encountered while computing the list. It is possible to have both subjects and errors returned if some rolebindings couldn't be resolved, but others could be.
type SubjectLocator ¶
type SubjectLocator interface {
AllowedSubjects(ctx context.Context, attributes authorizer.Attributes) ([]rbacv1.Subject, error)
}
Source Files ¶
rbac.go subject_locator.go
Directories ¶
| Path | Synopsis |
|---|---|
| plugin/pkg/auth/authorizer/rbac/bootstrappolicy |
- Version
- v1.33.0 (latest)
- Published
- Apr 23, 2025
- Platform
- linux/amd64
- Imports
- 12 packages
- Last checked
- 3 hours ago –
Tools for package owners.