Documentation
¶
Index ¶
- func DescribeSubject(s *rbacv1.Subject, bindingNamespace string) string
- func ReplaceToCore(l []string)
- func ReplaceToWildCard(l []string)
- type ClusterRoleBindingDescriber
- type NamespacedPolicyRule
- type Permissions
- type PolicyRule
- type RoleBindingDescriber
- type StaticRoles
- func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
- func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)
- func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
- func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
- type SubjectPermissions
- type SubjectPolicyList
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ReplaceToCore ¶
func ReplaceToCore(l []string)
func ReplaceToWildCard ¶
func ReplaceToWildCard(l []string)
Types ¶
type ClusterRoleBindingDescriber ¶
// ClusterRoleBindingDescriber exposes a String method; its fields are
// unexported and are not shown on this page.
type ClusterRoleBindingDescriber struct {
// contains filtered or unexported fields
}
func (*ClusterRoleBindingDescriber) String ¶
func (d *ClusterRoleBindingDescriber) String() string
type NamespacedPolicyRule ¶
// NamespacedPolicyRule is one policy rule entry. Verb, APIGroup and Resource
// are single strings here, not lists, and the entry carries the namespace it
// applies in plus the role references it originated from.
type NamespacedPolicyRule struct {
// Namespace the rule applies in. The tag is omitempty, so an empty value is
// dropped from the JSON output.
// NOTE(review): presumably "" means cluster-wide, matching the "" key of
// SubjectPermissions.Rules; confirm, because a consumer of the JSON must not
// read a missing namespace as a narrower scope.
Namespace string `json:"namespace,omitempty"`
// Verb is the verb of this entry. The field is a single string, although the
// earlier wording of this comment described a list named Verbs.
// NOTE(review): presumably the VerbAll value still stands for every verb; confirm.
Verb string `json:"verb"`
// APIGroup is the name of the API group that contains the resource.
APIGroup string `json:"apiGroup,omitempty"`
// Resource is the resource this entry applies to (a single string, not a list).
// NOTE(review): presumably the ResourceAll value still stands for every resource; confirm.
Resource string `json:"resource,omitempty"`
// ResourceNames is an optional allow list of object names the rule applies to.
// An empty set means that everything is allowed, so an entry without
// resourceNames is the unrestricted case, not the empty one.
ResourceNames []string `json:"resourceNames,omitempty"`
// NonResourceURLs is a set of partial URLs that a user should have access to.
// A * is allowed, but only as the full, final step in the path.
// Since non-resource URLs are not namespaced, this field is only applicable
// for ClusterRoles referenced from a ClusterRoleBinding.
NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
// OriginatedFrom holds the Role/ClusterRole references for this rule.
OriginatedFrom []v1.RoleRef `json:"originatedFrom,omitempty"`
}
type Permissions ¶
// Permissions holds ServiceAccounts, Roles, RoleBindings and
// PodSecurityPolicies in maps. NewPermissionsFromCluster and
// NewPermissionsFromResourceList return a *Permissions.
type Permissions struct {
// NOTE(review): presumably keyed by namespace and then by name; confirm.
ServiceAccounts map[string]map[string]v1.ServiceAccount
// The Roles and RoleBindings maps also hold ClusterRoles and
// ClusterRoleBindings, under the namespace key "":
// - ClusterRoles are stored in Roles[""]
// - ClusterRoleBindings are stored in RoleBindings[""]
// Cluster-scoped objects are therefore held as rbacv1.Role and
// rbacv1.RoleBinding values, so the Go type does not tell them apart from
// namespaced ones; code that walks these maps has to treat the "" key as
// cluster scope.
// NOTE(review): the inner key is presumably the object name; confirm.
Roles map[string]map[string]rbacv1.Role
RoleBindings map[string]map[string]rbacv1.RoleBinding
// Deprecated: marked deprecated by the author; no replacement is named on this page.
// NOTE(review): presumably this follows the upstream retirement of
// PodSecurityPolicy in Kubernetes; confirm.
PodSecurityPolicies map[string]policy.PodSecurityPolicy
}
func NewPermissionsFromCluster ¶
func NewPermissionsFromCluster(client *kube.KubeClient) (*Permissions, error)
func NewPermissionsFromResourceList ¶
func NewPermissionsFromResourceList(objs []runtime.Object) (*Permissions, error)
type PolicyRule ¶
// PolicyRule embeds v1.PolicyRule and adds the role references the rule
// originated from.
// NOTE(review): v1 here presumably names the RBAC API package rather than
// core v1, since RoleRef and PolicyRule are RBAC types; confirm against the
// file's imports.
type PolicyRule struct {
v1.PolicyRule
// OriginatedFrom specifies the Roles or ClusterRoles this rule originated from.
OriginatedFrom []v1.RoleRef
}
type RoleBindingDescriber ¶
// RoleBindingDescriber exposes a String method; its fields are unexported and
// are not shown on this page.
type RoleBindingDescriber struct {
// contains filtered or unexported fields
}
func (*RoleBindingDescriber) String ¶
func (d *RoleBindingDescriber) String() string
type StaticRoles ¶
// StaticRoles exposes GetRole, GetClusterRole, ListRoleBindings and
// ListClusterRoleBindings; its fields are unexported and are not shown on
// this page.
type StaticRoles struct {
// contains filtered or unexported fields
}
StaticRoles is a rule resolver that resolves from lists of role objects.
func (*StaticRoles) GetClusterRole ¶
func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)
func (*StaticRoles) GetRole ¶
func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)
func (*StaticRoles) ListClusterRoleBindings ¶
func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
func (*StaticRoles) ListRoleBindings ¶
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
type SubjectPermissions ¶
// SubjectPermissions pairs a Subject with policy rules keyed by namespace.
type SubjectPermissions struct {
Subject v1.Subject
// Rules maps a namespace to its rules. The "" key means cluster-wide, so
// rules stored under it are not limited to a single namespace.
Rules map[string][]PolicyRule
}
func NewSubjectPermissions ¶
func NewSubjectPermissions(perms *Permissions) []SubjectPermissions
type SubjectPolicyList ¶
// SubjectPolicyList embeds a v1.Subject and lists NamespacedPolicyRule
// entries for it in AllowedTo.
// NOTE(review): the embedded v1.Subject has no JSON tag, so encoding/json
// presumably promotes its fields to the top level of the object; confirm.
type SubjectPolicyList struct {
v1.Subject
// AllowedTo holds the rule entries for the subject. The tag is omitempty, so
// a subject with no entries is serialised without an allowedTo key.
AllowedTo []NamespacedPolicyRule `json:"allowedTo,omitempty"`
}
func NewSubjectPermissionsList ¶
func NewSubjectPermissionsList(policies []SubjectPermissions) []SubjectPolicyList