// This file was autogenerated by go-to-protobuf. Do not edit it manually!
//
// Edits belong in the Go types this file is generated from. The field
// numbers below are the wire contract for this API: never renumber a field
// and never reuse the number of a removed one.

syntax = "proto2";

package github.com.openshift.api.authorization.v1;

import "k8s.io/api/core/v1/generated.proto";
import "k8s.io/api/rbac/v1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "github.com/openshift/api/authorization/v1";
16
// Action describes a request to the API server
//
// It is the request half of the *AccessReview messages in this file: the
// authorizer evaluates either the resource coordinates (namespace, verb,
// group/version/resource, optionally name) or, for non-resource requests,
// the verb and path.
message Action {
  // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
  optional string namespace = 1;

  // Verb is one of: get, list, watch, create, update, delete
  optional string verb = 2;

  // Group is the API group of the resource
  // Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined
  optional string resourceAPIGroup = 3;

  // Version is the API version of the resource
  // Serialized as resourceAPIVersion to avoid confusion with TypeMeta.apiVersion and ObjectMeta.resourceVersion when inlined
  optional string resourceAPIVersion = 4;

  // Resource is one of the existing resource types
  optional string resource = 5;

  // ResourceName is the name of the resource being requested for a "get" or deleted for a "delete"
  optional string resourceName = 6;

  // Path is the path of a non resource URL
  // Field numbers 8 and 9 are declared before 7 (content); the number, not the
  // position, identifies the field on the wire, so this order must stay as generated.
  optional string path = 8;

  // IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hierarchy)
  // NOTE(review): presumably Path rather than the resource fields describes the request when this is true — confirm against the authorizer.
  optional bool isNonResourceURL = 9;

  // Content is the actual content of the request for create and update
  // It is an opaque RawExtension with unknown fields preserved, so nothing in
  // this schema validates it; consumers must treat it as untrusted request input.
  // +kubebuilder:pruning:PreserveUnknownFields
  optional k8s.io.apimachinery.pkg.runtime.RawExtension content = 7;
}
49
// ClusterRole is a logical grouping of PolicyRules that can be referenced as a unit by ClusterRoleBindings.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ClusterRole {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this ClusterRole
  repeated PolicyRule rules = 2;

  // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
  // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
  // stomped by the controller. When reviewing what an aggregated role can grant, the
  // AggregationRule is the source of truth; Rules is only the controller's current snapshot.
  optional k8s.io.api.rbac.v1.AggregationRule aggregationRule = 3;
}
67
// ClusterRoleBinding references a ClusterRole, but not contain it. It can reference any ClusterRole in the same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ClusterRoleBinding {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // UserNames holds all the usernames directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // +k8s:conversion-gen=false
  // +optional
  optional OptionalNames userNames = 2;

  // GroupNames holds all the groups directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // +k8s:conversion-gen=false
  // +optional
  optional OptionalNames groupNames = 3;

  // Subjects hold object references to authorize with this rule.
  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
  // Thus newer clients that do not need to support backwards compatibility should send
  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.
  // Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
  // Because the legacy fields take precedence, anyone auditing who a binding grants to must
  // read UserNames and GroupNames as well as Subjects; Subjects alone can be misleading.
  repeated k8s.io.api.core.v1.ObjectReference subjects = 4;

  // RoleRef can only reference the current namespace and the global namespace.
  // If the ClusterRoleRef cannot be resolved, the Authorizer must return an error.
  // Since Policy is a singleton, this is sufficient knowledge to locate a role.
  optional k8s.io.api.core.v1.ObjectReference roleRef = 5;
}
105
// ClusterRoleBindingList is a collection of ClusterRoleBindings
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ClusterRoleBindingList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of ClusterRoleBindings
  repeated ClusterRoleBinding items = 2;
}
118
// ClusterRoleList is a collection of ClusterRoles
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ClusterRoleList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of ClusterRoles
  repeated ClusterRole items = 2;
}
131
// GroupRestriction matches a group either by a string match on the group name
// or a label selector applied to group labels.
//
// Used as one arm of RoleBindingRestrictionSpec.
message GroupRestriction {
  // Groups is a list of groups used to match against an individual user's
  // groups. If the user is a member of one of the whitelisted groups, the user
  // is allowed to be bound to a role.
  // +nullable
  repeated string groups = 1;

  // Selectors specifies a list of label selectors over group labels.
  // Note the wire/JSON name is "labels" even though the Go field is Selectors.
  // +nullable
  repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector labels = 2;
}
145
// IsPersonalSubjectAccessReview is a marker for PolicyRule.AttributeRestrictions that denotes that subjectaccessreviews on self should be allowed
//
// The message is intentionally empty: its type, embedded in the
// AttributeRestrictions RawExtension, is the whole signal.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message IsPersonalSubjectAccessReview {
}
152
// LocalResourceAccessReview is a means to request a list of which users and groups are authorized to perform the action specified by spec in a particular namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message LocalResourceAccessReview {
  // Action describes the action being tested. The Namespace element is FORCED to the current namespace.
  // Forcing the namespace means a caller cannot use the body to review a namespace other than the one the request was made in.
  optional Action Action = 1;
}
161
// LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message LocalSubjectAccessReview {
  // Action describes the action being tested. The Namespace element is FORCED to the current namespace.
  // Forcing the namespace means a caller cannot use the body to review a namespace other than the one the request was made in.
  optional Action Action = 1;

  // User is optional. If both User and Groups are empty, the current authenticated user is used.
  optional string user = 2;

  // Groups is optional. Groups is the list of groups to which the User belongs.
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil for a self-SAR, means "use the scopes on this request".
  // Nil for a regular SAR, means the same as empty.
  // Nil and empty are therefore not interchangeable for a self-SAR: sending an empty list asks for
  // the unscoped answer, which can be broader than what the current request's scopes allow.
  // +k8s:conversion-gen=false
  optional OptionalScopes scopes = 4;
}
183
// NamedClusterRole relates a name with a cluster role
message NamedClusterRole {
  // Name is the name of the cluster role
  optional string name = 1;

  // Role is the cluster role being named
  optional ClusterRole role = 2;
}
192
// NamedClusterRoleBinding relates a name with a cluster role binding
message NamedClusterRoleBinding {
  // Name is the name of the cluster role binding
  optional string name = 1;

  // RoleBinding is the cluster role binding being named
  optional ClusterRoleBinding roleBinding = 2;
}
201
// NamedRole relates a Role with a name
message NamedRole {
  // Name is the name of the role
  optional string name = 1;

  // Role is the role being named
  optional Role role = 2;
}
210
// NamedRoleBinding relates a role binding with a name
message NamedRoleBinding {
  // Name is the name of the role binding
  optional string name = 1;

  // RoleBinding is the role binding being named
  optional RoleBinding roleBinding = 2;
}
219
// OptionalNames is an array that may also be left nil to distinguish between set and unset.
//
// The wrapper exists because a bare repeated field cannot express "unset";
// the legacy userNames/groupNames fields on the binding types rely on that distinction.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message OptionalNames {
  // items, if empty, will result in an empty slice

  repeated string items = 1;
}
228
// OptionalScopes is an array that may also be left nil to distinguish between set and unset.
//
// The nil/empty distinction is load-bearing for access reviews: per the
// *SubjectAccessReview docs, nil means "use the scopes on this request" while
// empty means "use the unscoped (full) permissions".
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message OptionalScopes {
  // items, if empty, will result in an empty slice

  repeated string items = 1;
}
237
// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
//
// Note the asymmetry documented on the fields below: leaving APIGroups or
// ResourceNames empty widens the rule rather than narrowing it.
message PolicyRule {
  // Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
  repeated string verbs = 1;

  // AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
  // If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
  // That is, an unrecognized restriction fails closed rather than being ignored.
  // +kubebuilder:pruning:PreserveUnknownFields
  optional k8s.io.apimachinery.pkg.runtime.RawExtension attributeRestrictions = 2;

  // APIGroups is the name of the APIGroup that contains the resources. If this field is empty, then both kubernetes and origin API groups are assumed.
  // That means that if an action is requested against one of the enumerated resources in either the kubernetes or the origin API group, the request
  // will be allowed
  // +optional
  // +nullable
  repeated string apiGroups = 3;

  // Resources is a list of resources this rule applies to. ResourceAll represents all resources.
  repeated string resources = 4;

  // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
  repeated string resourceNames = 5;

  // NonResourceURLsSlice is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
  // This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
  repeated string nonResourceURLs = 6;
}
266
// ResourceAccessReview is a means to request a list of which users and groups are authorized to perform the
// action specified by spec
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ResourceAccessReview {
  // Action describes the action being tested.
  // Unlike LocalResourceAccessReview, the Namespace element is taken from the Action as given.
  optional Action Action = 1;
}
276
// ResourceAccessReviewResponse describes who can perform the action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ResourceAccessReviewResponse {
  // Namespace is the namespace used for the access review
  optional string namespace = 1;

  // UsersSlice is the list of users who can perform the action
  // +k8s:conversion-gen=false
  repeated string users = 2;

  // GroupsSlice is the list of groups who can perform the action
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. This is
  // most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
  // The serialized name "evalutionError" is misspelled (sic); it is the published wire/JSON key for this field,
  // so it cannot be corrected without breaking clients and must be left as-is.
  optional string evalutionError = 4;
}
298
// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message Role {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this Role
  repeated PolicyRule rules = 2;
}
311
// RoleBinding references a Role, but not contain it. It can reference any Role in the same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleBinding {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // UserNames holds all the usernames directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // +k8s:conversion-gen=false
  // +optional
  optional OptionalNames userNames = 2;

  // GroupNames holds all the groups directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // +k8s:conversion-gen=false
  // +optional
  optional OptionalNames groupNames = 3;

  // Subjects hold object references to authorize with this rule.
  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
  // Thus newer clients that do not need to support backwards compatibility should send
  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.
  // Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
  // Because the legacy fields take precedence, anyone auditing who a binding grants to must
  // read UserNames and GroupNames as well as Subjects; Subjects alone can be misleading.
  repeated k8s.io.api.core.v1.ObjectReference subjects = 4;

  // RoleRef can only reference the current namespace and the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error.
  // Since Policy is a singleton, this is sufficient knowledge to locate a role.
  optional k8s.io.api.core.v1.ObjectReference roleRef = 5;
}
349
// RoleBindingList is a collection of RoleBindings
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleBindingList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of RoleBindings
  repeated RoleBinding items = 2;
}
362
// RoleBindingRestriction is an object that can be matched against a subject
// (user, group, or service account) to determine whether rolebindings on that
// subject are allowed in the namespace to which the RoleBindingRestriction
// belongs. If any one of those RoleBindingRestriction objects matches
// a subject, rolebindings on that subject in the namespace are allowed.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleBindingRestriction {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec defines the matcher.
  // Restrictions in a namespace are ORed: a subject is allowed if any one of them matches.
  optional RoleBindingRestrictionSpec spec = 2;
}
379
// RoleBindingRestrictionList is a collection of RoleBindingRestriction objects.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleBindingRestrictionList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of RoleBindingRestriction objects.
  repeated RoleBindingRestriction items = 2;
}
392
// RoleBindingRestrictionSpec defines a rolebinding restriction. Exactly one
// field must be non-nil.
//
// The schema itself does not enforce the "exactly one" rule: the three arms are
// independent optional fields, not a oneof, so server-side validation is what
// rejects a spec with zero or several arms set.
message RoleBindingRestrictionSpec {
  // UserRestriction matches against user subjects.
  // +nullable
  optional UserRestriction userrestriction = 1;

  // GroupRestriction matches against group subjects.
  // +nullable
  optional GroupRestriction grouprestriction = 2;

  // ServiceAccountRestriction matches against service-account subjects.
  // +nullable
  optional ServiceAccountRestriction serviceaccountrestriction = 3;
}
408
// RoleList is a collection of Roles
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of Roles
  repeated Role items = 2;
}
421
// SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SelfSubjectRulesReview {
  // Spec adds information about how to conduct the check
  optional SelfSubjectRulesReviewSpec spec = 1;

  // Status is completed by the server to tell which permissions you have
  // Status.EvaluationError may be set alongside a partial Rules list; callers should check it.
  optional SubjectRulesReviewStatus status = 2;
}
433
// SelfSubjectRulesReviewSpec adds information about how to conduct the check
message SelfSubjectRulesReviewSpec {
  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil means "use the scopes on this request".
  // Nil and empty are therefore not interchangeable: an empty list asks for the unscoped answer.
  // +k8s:conversion-gen=false
  optional OptionalScopes scopes = 1;
}
441
// ServiceAccountReference specifies a service account and namespace by their
// names.
message ServiceAccountReference {
  // Name is the name of the service account.
  optional string name = 1;

  // Namespace is the namespace of the service account. Service accounts from
  // inside the whitelisted namespaces are allowed to be bound to roles. If
  // Namespace is empty, then the namespace of the RoleBindingRestriction in
  // which the ServiceAccountReference is embedded is used.
  optional string namespace = 2;
}
454
// ServiceAccountRestriction matches a service account by a string match on
// either the service-account name or the name of the service account's
// namespace.
//
// Used as one arm of RoleBindingRestrictionSpec.
message ServiceAccountRestriction {
  // ServiceAccounts specifies a list of literal service-account names.
  repeated ServiceAccountReference serviceaccounts = 1;

  // Namespaces specifies a list of literal namespace names.
  // A namespace listed here admits every service account in that namespace.
  repeated string namespaces = 2;
}
465
// SubjectAccessReview is an object for requesting information about whether a user or group can perform an action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SubjectAccessReview {
  // Action describes the action being tested.
  // Unlike LocalSubjectAccessReview, the Namespace element is taken from the Action as given.
  optional Action Action = 1;

  // User is optional. If both User and Groups are empty, the current authenticated user is used.
  optional string user = 2;

  // GroupsSlice is optional. Groups is the list of groups to which the User belongs.
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil for a self-SAR, means "use the scopes on this request".
  // Nil for a regular SAR, means the same as empty.
  // Nil and empty are therefore not interchangeable for a self-SAR: sending an empty list asks for
  // the unscoped answer, which can be broader than what the current request's scopes allow.
  // +k8s:conversion-gen=false
  optional OptionalScopes scopes = 4;
}
487
// SubjectAccessReviewResponse describes whether or not a user or group can perform an action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SubjectAccessReviewResponse {
  // Namespace is the namespace used for the access review
  optional string namespace = 1;

  // Allowed is required. True if the action would be allowed, false otherwise.
  // This is a proto2 optional bool, so a response that omits it decodes as false (not allowed).
  optional bool allowed = 2;

  // Reason is optional. It indicates why a request was allowed or denied.
  optional string reason = 3;

  // EvaluationError is an indication that some error occurred during the authorization check.
  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. This is
  // most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
  optional string evaluationError = 4;
}
507
// SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SubjectRulesReview {
  // Spec adds information about how to conduct the check
  optional SubjectRulesReviewSpec spec = 1;

  // Status is completed by the server to tell which permissions you have
  // Status.EvaluationError may be set alongside a partial Rules list; callers should check it.
  optional SubjectRulesReviewStatus status = 2;
}
519
// SubjectRulesReviewSpec adds information about how to conduct the check
message SubjectRulesReviewSpec {
  // User is optional. At least one of User and Groups must be specified.
  optional string user = 1;

  // Groups is optional. Groups is the list of groups to which the User belongs. At least one of User and Groups must be specified.
  repeated string groups = 2;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // NOTE(review): unlike the *SubjectAccessReview specs, no nil semantics are documented here — confirm against the server.
  optional OptionalScopes scopes = 3;
}
531
// SubjectRulesReviewStatus contains the result of a rules check
message SubjectRulesReviewStatus {
  // Rules is the list of rules (no particular sort) that are allowed for the subject
  repeated PolicyRule rules = 1;

  // EvaluationError can appear in combination with Rules. It means some error happened during evaluation
  // that may have prevented additional rules from being populated.
  // When set, Rules may be incomplete and should not be read as the subject's full permission set.
  optional string evaluationError = 2;
}
541
// UserRestriction matches a user either by a string match on the user name,
// a string match on the name of a group to which the user belongs, or a label
// selector applied to the user labels.
//
// Used as one arm of RoleBindingRestrictionSpec.
message UserRestriction {
  // Users specifies a list of literal user names.
  repeated string users = 1;

  // Groups specifies a list of literal group names.
  // +nullable
  repeated string groups = 2;

  // Selectors specifies a list of label selectors over user labels.
  // Note the wire/JSON name is "labels" even though the Go field is Selectors.
  // +nullable
  repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector labels = 3;
}
557