// This file was autogenerated by go-to-protobuf. Do not edit it manually!
// NOTE(review): the .proto is derived from the Go API types; fix wording or
// field documentation in the Go source and regenerate instead of patching here.

syntax = "proto2";

package github.com.openshift.api.authorization.v1;

import "k8s.io/api/core/v1/generated.proto";
import "k8s.io/api/rbac/v1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "github.com/openshift/api/authorization/v1";

// Action describes a request to the API server.
// It is the "what" half of an access review: the *SubjectAccessReview and
// *ResourceAccessReview messages wrap an Action and supply the "who".
// Field numbers are the wire contract; 7 (content) is deliberately out of
// order and must not be renumbered.
message Action {
  // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces.
  // An empty namespace therefore asks a cluster-scoped question, not "the
  // caller's current namespace"; the Local* review types force this field to
  // the namespace of the request instead.
  optional string namespace = 1;

  // Verb is one of: get, list, watch, create, update, delete
  // NOTE(review): this list reads as illustrative; the authorizer may accept
  // further verbs (e.g. patch, deletecollection) — confirm against the server
  // rather than validating callers against this comment.
  optional string verb = 2;

  // Group is the API group of the resource
  // Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined
  optional string resourceAPIGroup = 3;

  // Version is the API version of the resource
  // Serialized as resourceAPIVersion to avoid confusion with TypeMeta.apiVersion and ObjectMeta.resourceVersion when inlined
  optional string resourceAPIVersion = 4;

  // Resource is one of the existing resource types
  optional string resource = 5;

  // ResourceName is the name of the resource being requested for a "get" or deleted for a "delete"
  optional string resourceName = 6;

  // Path is the path of a non resource URL
  // Only meaningful together with isNonResourceURL; it is matched against
  // PolicyRule.nonResourceURLs rather than against resource rules.
  optional string path = 8;

  // IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hierarchy)
  // NOTE(review): presumably the resource* fields are ignored when this is
  // true and only path is evaluated — confirm against the authorizer.
  optional bool isNonResourceURL = 9;

  // Content is the actual content of the request for create and update
  // This is an opaque, schema-less blob that is preserved verbatim (no
  // pruning). Anything that inspects it must treat it as untrusted input and
  // must not assume it was validated on admission.
  // +kubebuilder:pruning:PreserveUnknownFields
  optional k8s.io.apimachinery.pkg.runtime.RawExtension content = 7;
}

// ClusterRole is a logical grouping of PolicyRules that can be referenced as a unit by ClusterRoleBindings.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ClusterRole {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this ClusterRole.
  // PolicyRule carries no deny form, so adding a rule can only widen access.
  repeated PolicyRule rules = 2;

  // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
  // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
  // stomped by the controller.
  // NOTE(review): with aggregation the effective Rules come from whatever the
  // selector matches, so the ability to create or label ClusterRoles that match
  // it is, in effect, the ability to extend this role. Confirm against the
  // aggregation controller before relying on a static review of Rules alone.
  optional k8s.io.api.rbac.v1.AggregationRule aggregationRule = 3;
}

// ClusterRoleBinding references a ClusterRole, but does not contain it. It can reference any ClusterRole in the same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
// NOTE(review): the namespace wording above describes ClusterRoleBindings as
// living in namespaces, which does not match a cluster-scoped object; treat it
// as legacy text and confirm actual scoping against the server.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ClusterRoleBinding {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // UserNames holds all the usernames directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // When set, this (together with GroupNames) is the authoritative list of
  // who the binding grants to, and Subjects is ignored.
  // +k8s:conversion-gen=false
  // +optional
  optional OptionalNames userNames = 2;

  // GroupNames holds all the groups directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // When set, this (together with UserNames) is the authoritative list of
  // who the binding grants to, and Subjects is ignored.
  // +k8s:conversion-gen=false
  // +optional
  optional OptionalNames groupNames = 3;

  // Subjects hold object references to authorize with this rule.
  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
  // Thus newer clients that do not need to support backwards compatibility should send
  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.
  // Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
  // Audit and policy tooling must therefore check UserNames/GroupNames first:
  // when either is set, Subjects is NOT what this binding grants to.
  repeated k8s.io.api.core.v1.ObjectReference subjects = 4;

  // RoleRef can only reference the current namespace and the global namespace.
  // If the ClusterRoleRef cannot be resolved, the Authorizer must return an error.
  // Since Policy is a singleton, this is sufficient knowledge to locate a role.
  // A dangling reference is surfaced as an evaluation error rather than being
  // silently skipped; other bindings may still grant (see
  // SubjectAccessReviewResponse.evaluationError).
  optional k8s.io.api.core.v1.ObjectReference roleRef = 5;
}

// ClusterRoleBindingList is a collection of ClusterRoleBindings
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ClusterRoleBindingList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of ClusterRoleBindings
  repeated ClusterRoleBinding items = 2;
}

// ClusterRoleList is a collection of ClusterRoles
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ClusterRoleList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of ClusterRoles
  repeated ClusterRole items = 2;
}

// GroupRestriction matches a group either by a string match on the group name
// or a label selector applied to group labels.
// Used as one arm of RoleBindingRestrictionSpec.
message GroupRestriction {
  // Groups is a list of groups used to match against an individual user's
  // groups. If the user is a member of one of the whitelisted groups, the user
  // is allowed to be bound to a role.
  // NOTE(review): RoleBindingRestrictionSpec describes this restriction as
  // matching group *subjects*, while this text describes matching a user's
  // group memberships; confirm which the admission check actually applies.
  // +nullable
  repeated string groups = 1;

  // Selectors specifies a list of label selectors over group labels.
  // A selector match depends on labels carried by Group objects, so whoever
  // can edit those labels can presumably satisfy this restriction — confirm
  // before using selectors as a security boundary.
  // +nullable
  repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector labels = 2;
}

// IsPersonalSubjectAccessReview is a marker for PolicyRule.AttributeRestrictions that denotes that subjectaccessreviews on self should be allowed
// It has no fields; its presence in attributeRestrictions is the whole signal.
// An authorizer that does not recognise the marker is expected to error (see
// PolicyRule.attributeRestrictions) rather than ignore it.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message IsPersonalSubjectAccessReview {
}

// LocalResourceAccessReview is a means to request a list of which users and groups are authorized to perform the action specified by spec in a particular namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message LocalResourceAccessReview {
  // Action describes the action being tested. The Namespace element is FORCED to the current namespace.
  // Any namespace a client sets in Action is overwritten, so this type cannot
  // be used to ask about a different namespace.
  optional Action Action = 1;
}

// LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message LocalSubjectAccessReview {
  // Action describes the action being tested. The Namespace element is FORCED to the current namespace.
  // Any namespace a client sets in Action is overwritten, so this type cannot
  // be used to ask about a different namespace.
  optional Action Action = 1;

  // User is optional. If both User and Groups are empty, the current authenticated user is used.
  // Naming a different user asks the server about someone else's access;
  // NOTE(review): the server presumably gates that separately — do not assume
  // every caller may review arbitrary subjects.
  optional string user = 2;

  // Groups is optional. Groups is the list of groups to which the User belongs.
  // The caller supplies the group list; it is not looked up from the user.
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil for a self-SAR, means "use the scopes on this request".
  // Nil for a regular SAR, means the same as empty.
  // Note the asymmetry: an explicit empty list widens evaluation to the
  // subject's full, unscoped permissions, so a scoped client that wants its
  // own view must leave the field nil (see OptionalScopes).
  // +k8s:conversion-gen=false
  optional OptionalScopes scopes = 4;
}

// NamedClusterRole relates a name with a cluster role
message NamedClusterRole {
  // Name is the name of the cluster role
  optional string name = 1;

  // Role is the cluster role being named
  optional ClusterRole role = 2;
}

// NamedClusterRoleBinding relates a name with a cluster role binding
message NamedClusterRoleBinding {
  // Name is the name of the cluster role binding
  optional string name = 1;

  // RoleBinding is the cluster role binding being named
  optional ClusterRoleBinding roleBinding = 2;
}

// NamedRole relates a Role with a name
message NamedRole {
  // Name is the name of the role
  optional string name = 1;

  // Role is the role being named
  optional Role role = 2;
}

// NamedRoleBinding relates a role binding with a name
message NamedRoleBinding {
  // Name is the name of the role binding
  optional string name = 1;

  // RoleBinding is the role binding being named
  optional RoleBinding roleBinding = 2;
}

// OptionalNames is an array that may also be left nil to distinguish between set and unset.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message OptionalNames {
  // items, if empty, will result in an empty slice
  // The nil/empty distinction matters for RoleBinding.userNames and
  // groupNames: an empty (non-nil) value still counts as "specified".
  repeated string items = 1;
}

// OptionalScopes is an array that may also be left nil to distinguish between set and unset.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message OptionalScopes {
  // items, if empty, will result in an empty slice
  // The nil/empty distinction matters for the scopes fields of the access
  // review types: empty means "full, unscoped permissions", nil does not.
  repeated string items = 1;
}

// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
// A rule can only grant; there is no deny form. Several fields default to
// "everything" when empty, which is the main thing to check when reviewing one.
message PolicyRule {
  // Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
  repeated string verbs = 1;

  // AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
  // If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
  // Opaque, unpruned bytes (e.g. an IsPersonalSubjectAccessReview marker);
  // the expected behaviour for an unknown restriction is an error, not a
  // silent grant.
  // +kubebuilder:pruning:PreserveUnknownFields
  optional k8s.io.apimachinery.pkg.runtime.RawExtension attributeRestrictions = 2;

  // APIGroups is the name of the APIGroup that contains the resources. If this field is empty, then both kubernetes and origin API groups are assumed.
  // That means that if an action is requested against one of the enumerated resources in either the kubernetes or the origin API group, the request
  // will be allowed
  // Reviewers: an empty list is therefore broader than "the core group only";
  // enumerate groups explicitly when a rule is meant to be narrow.
  // +optional
  // +nullable
  repeated string apiGroups = 3;

  // Resources is a list of resources this rule applies to. ResourceAll represents all resources.
  repeated string resources = 4;

  // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
  // Omitting this field does not restrict the rule; it wildcards it.
  repeated string resourceNames = 5;

  // NonResourceURLsSlice is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
  // This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
  // A trailing "*" therefore matches everything below that prefix; "*" in a
  // middle segment is not allowed.
  repeated string nonResourceURLs = 6;
}

// ResourceAccessReview is a means to request a list of which users and groups are authorized to perform the
// action specified by spec
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ResourceAccessReview {
  // Action describes the action being tested.
  // Unlike LocalResourceAccessReview, the namespace in Action is honoured.
  optional Action Action = 1;
}

// ResourceAccessReviewResponse describes who can perform the action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message ResourceAccessReviewResponse {
  // Namespace is the namespace used for the access review
  optional string namespace = 1;

  // UsersSlice is the list of users who can perform the action
  // +k8s:conversion-gen=false
  repeated string users = 2;

  // GroupsSlice is the list of groups who can perform the action
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
  // It is entirely possible to get an error and be able to continue to determine authorization status in spite of it. This is
  // most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
  // When set, Users and Groups may be incomplete; do not treat them as the
  // full set of principals with access.
  // The field name carries a historical misspelling ("evalutionError"). It is
  // part of the serialized contract (compare SubjectAccessReviewResponse.
  // evaluationError) and must not be "corrected".
  optional string evalutionError = 4;
}

// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message Role {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this Role
  // PolicyRule carries no deny form, so adding a rule can only widen access.
  repeated PolicyRule rules = 2;
}

// RoleBinding references a Role, but does not contain it. It can reference any Role in the same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleBinding {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // UserNames holds all the usernames directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // When set, this (together with GroupNames) is the authoritative list of
  // who the binding grants to, and Subjects is ignored.
  // +k8s:conversion-gen=false
  // +optional
  optional OptionalNames userNames = 2;

  // GroupNames holds all the groups directly bound to the role.
  // This field should only be specified when supporting legacy clients and servers.
  // See Subjects for further details.
  // When set, this (together with UserNames) is the authoritative list of
  // who the binding grants to, and Subjects is ignored.
  // +k8s:conversion-gen=false
  // +optional
  optional OptionalNames groupNames = 3;

  // Subjects hold object references to authorize with this rule.
  // This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
  // Thus newer clients that do not need to support backwards compatibility should send
  // only fully qualified Subjects and should omit the UserNames and GroupNames fields.
  // Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
  // Audit and policy tooling must therefore check UserNames/GroupNames first:
  // when either is set, Subjects is NOT what this binding grants to.
  repeated k8s.io.api.core.v1.ObjectReference subjects = 4;

  // RoleRef can only reference the current namespace and the global namespace.
  // If the RoleRef cannot be resolved, the Authorizer must return an error.
  // Since Policy is a singleton, this is sufficient knowledge to locate a role.
  // A dangling reference is surfaced as an evaluation error rather than being
  // silently skipped; other bindings may still grant (see
  // SubjectAccessReviewResponse.evaluationError).
  optional k8s.io.api.core.v1.ObjectReference roleRef = 5;
}

// RoleBindingList is a collection of RoleBindings
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleBindingList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of RoleBindings
  repeated RoleBinding items = 2;
}

// RoleBindingRestriction is an object that can be matched against a subject
// (user, group, or service account) to determine whether rolebindings on that
// subject are allowed in the namespace to which the RoleBindingRestriction
// belongs. If any one of those RoleBindingRestriction objects matches
// a subject, rolebindings on that subject in the namespace are allowed.
// Restrictions are OR-ed: one match is enough.
// NOTE(review): what happens when a namespace holds no RoleBindingRestriction
// at all is not stated here (presumably no restriction applies); confirm
// against the admission plugin before relying on this as a control.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleBindingRestriction {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec defines the matcher.
  optional RoleBindingRestrictionSpec spec = 2;
}

// RoleBindingRestrictionList is a collection of RoleBindingRestriction objects.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleBindingRestrictionList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of RoleBindingRestriction objects.
  repeated RoleBindingRestriction items = 2;
}

// RoleBindingRestrictionSpec defines a rolebinding restriction. Exactly one
// field must be non-nil.
// The exactly-one rule is a validation constraint; the schema itself cannot
// express it, so all three arms are plain optional fields.
message RoleBindingRestrictionSpec {
  // UserRestriction matches against user subjects.
  // +nullable
  optional UserRestriction userrestriction = 1;

  // GroupRestriction matches against group subjects.
  // +nullable
  optional GroupRestriction grouprestriction = 2;

  // ServiceAccountRestriction matches against service-account subjects.
  // +nullable
  optional ServiceAccountRestriction serviceaccountrestriction = 3;
}

// RoleList is a collection of Roles
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RoleList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is a list of Roles
  repeated Role items = 2;
}

// SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SelfSubjectRulesReview {
  // Spec adds information about how to conduct the check
  optional SelfSubjectRulesReviewSpec spec = 1;

  // Status is completed by the server to tell which permissions you have
  // Client-supplied status is not meaningful; read it only from the response.
  optional SubjectRulesReviewStatus status = 2;
}

// SelfSubjectRulesReviewSpec adds information about how to conduct the check
// There is no user/groups here: the subject is always the caller.
message SelfSubjectRulesReviewSpec {
  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil means "use the scopes on this request".
  // An explicit empty list widens the answer to the caller's full permissions,
  // not the permissions of the (possibly scoped) token making the request.
  // +k8s:conversion-gen=false
  optional OptionalScopes scopes = 1;
}

// ServiceAccountReference specifies a service account and namespace by their
// names.
message ServiceAccountReference {
  // Name is the name of the service account.
  optional string name = 1;

  // Namespace is the namespace of the service account. Service accounts from
  // inside the whitelisted namespaces are allowed to be bound to roles. If
  // Namespace is empty, then the namespace of the RoleBindingRestriction in
  // which the ServiceAccountReference is embedded is used.
  optional string namespace = 2;
}

// ServiceAccountRestriction matches a service account by a string match on
// either the service-account name or the name of the service account's
// namespace.
message ServiceAccountRestriction {
  // ServiceAccounts specifies a list of literal service-account names.
  repeated ServiceAccountReference serviceaccounts = 1;

  // Namespaces specifies a list of literal namespace names.
  // A namespace entry admits every service account in that namespace (see
  // ServiceAccountReference), which is much broader than naming accounts.
  repeated string namespaces = 2;
}

// SubjectAccessReview is an object for requesting information about whether a user or group can perform an action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SubjectAccessReview {
  // Action describes the action being tested.
  // Unlike LocalSubjectAccessReview, the namespace in Action is honoured; an
  // empty namespace asks a cluster-scoped question (see Action.namespace).
  optional Action Action = 1;

  // User is optional. If both User and Groups are empty, the current authenticated user is used.
  // Naming a different user asks the server about someone else's access;
  // NOTE(review): the server presumably gates that separately — do not assume
  // every caller may review arbitrary subjects.
  optional string user = 2;

  // GroupsSlice is optional. Groups is the list of groups to which the User belongs.
  // The caller supplies the group list; it is not looked up from the user.
  // +k8s:conversion-gen=false
  repeated string groups = 3;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // Nil for a self-SAR, means "use the scopes on this request".
  // Nil for a regular SAR, means the same as empty.
  // Note the asymmetry: an explicit empty list widens evaluation to the
  // subject's full, unscoped permissions, so a scoped client that wants its
  // own view must leave the field nil (see OptionalScopes).
  // +k8s:conversion-gen=false
  optional OptionalScopes scopes = 4;
}

// SubjectAccessReviewResponse describes whether or not a user or group can perform an action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SubjectAccessReviewResponse {
  // Namespace is the namespace used for the access review
  optional string namespace = 1;

  // Allowed is required. True if the action would be allowed, false otherwise.
  // This is the only field a caller should base a decision on; an absent or
  // false value is a denial.
  optional bool allowed = 2;

  // Reason is optional. It indicates why a request was allowed or denied.
  // Informational text for humans/logs; never parse it to derive a decision.
  optional string reason = 3;

  // EvaluationError is an indication that some error occurred during the authorization check.
  // It is entirely possible to get an error and be able to continue to determine authorization status in spite of it. This is
  // most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
  // May be set alongside allowed=true; Allowed remains the decision.
  optional string evaluationError = 4;
}

// SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SubjectRulesReview {
  // Spec adds information about how to conduct the check
  optional SubjectRulesReviewSpec spec = 1;

  // Status is completed by the server to tell which permissions you have
  // Despite the wording, this reports the permissions of the subject named
  // in spec, not necessarily the caller's own.
  optional SubjectRulesReviewStatus status = 2;
}

// SubjectRulesReviewSpec adds information about how to conduct the check
message SubjectRulesReviewSpec {
  // User is optional. At least one of User and Groups must be specified.
  // NOTE(review): reviewing another subject's rules is presumably a privileged
  // operation gated server-side — confirm before exposing this to end users.
  optional string user = 1;

  // Groups is optional. Groups is the list of groups to which the User belongs. At least one of User and Groups must be specified.
  // The caller supplies the group list; it is not looked up from the user.
  repeated string groups = 2;

  // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
  // No nil-means-request-scopes rule is stated here, unlike the self-review.
  optional OptionalScopes scopes = 3;
}

// SubjectRulesReviewStatus contains the result of a rules check
message SubjectRulesReviewStatus {
  // Rules is the list of rules (no particular sort) that are allowed for the subject
  // Order is not significant; consumers must not rely on it.
  repeated PolicyRule rules = 1;

  // EvaluationError can appear in combination with Rules. It means some error happened during evaluation
  // that may have prevented additional rules from being populated.
  // When set, Rules may be incomplete; do not treat it as the full grant set.
  optional string evaluationError = 2;
}

// UserRestriction matches a user either by a string match on the user name,
// a string match on the name of a group to which the user belongs, or a label
// selector applied to the user labels.
// Used as one arm of RoleBindingRestrictionSpec; any one matcher is enough.
message UserRestriction {
  // Users specifies a list of literal user names.
  repeated string users = 1;

  // Groups specifies a list of literal group names.
  // Matches a user through group membership, so the effective set of matched
  // users changes whenever group membership does.
  // +nullable
  repeated string groups = 2;

  // Selectors specifies a list of label selectors over user labels.
  // A selector match depends on labels carried by User objects, so whoever
  // can edit those labels can presumably satisfy this restriction — confirm
  // before using selectors as a security boundary.
  // +nullable
  repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector labels = 3;
}