// Package v1 holds the versioned OpenShift authorization API types: roles and
// role bindings (namespaced and cluster-scoped), the access-review and
// rules-review request/response objects, and role-binding restrictions.
package v1

import (
	"fmt"

	corev1 "k8s.io/api/core/v1"
	rbacv1 "k8s.io/api/rbac/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	kruntime "k8s.io/apimachinery/pkg/runtime"
)

// Authorization is calculated against
// 1. all deny RoleBinding PolicyRules in the master namespace - short circuit on match
// 2. all allow RoleBinding PolicyRules in the master namespace - short circuit on match
// 3. all deny RoleBinding PolicyRules in the namespace - short circuit on match
// 4. all allow RoleBinding PolicyRules in the namespace - short circuit on match
// 5. deny by default
//
// Step 5 is the safety net: a request that no rule matches is denied, never allowed.

const (
	// GroupKind is string representation of kind used in role binding subjects that represents the "group".
	GroupKind = "Group"
	// UserKind is string representation of kind used in role binding subjects that represents the "user".
	UserKind = "User"

	// ScopesKey is the key under which authorization scopes travel with a request.
	// Its consumers are not visible in this file — confirm against the authenticator/authorizer
	// before relying on the exact semantics.
	ScopesKey = "scopes.authorization.openshift.io"
)

// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
//
// Note that several fields are permissive when empty (APIGroups, ResourceNames): leaving them
// out widens the rule rather than narrowing it. See the individual field comments.
type PolicyRule struct {
	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
	// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
	// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
	// The payload is an opaque RawExtension whose unknown fields are preserved rather than pruned, so the API
	// schema does not validate its contents; an Authorizer must validate it itself before acting on it.
	// +kubebuilder:pruning:PreserveUnknownFields
	AttributeRestrictions kruntime.RawExtension `json:"attributeRestrictions,omitempty" protobuf:"bytes,2,opt,name=attributeRestrictions"`
	// APIGroups is the name of the APIGroup that contains the resources. If this field is empty, then both kubernetes and origin API groups are assumed.
	// That means that if an action is requested against one of the enumerated resources in either the kubernetes or the origin API group, the request
	// will be allowed
	// +optional
	// +nullable
	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,3,rep,name=apiGroups"`
	// Resources is a list of resources this rule applies to. ResourceAll represents all resources.
	Resources []string `json:"resources" protobuf:"bytes,4,rep,name=resources"`
	// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
	// In other words, an empty list is the broad case, not the restrictive one.
	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,5,rep,name=resourceNames"`
	// NonResourceURLsSlice is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
	// This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
	NonResourceURLsSlice []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,6,rep,name=nonResourceURLs"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// IsPersonalSubjectAccessReview is a marker for PolicyRule.AttributeRestrictions that denotes that subjectaccessreviews on self should be allowed
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type IsPersonalSubjectAccessReview struct {
	metav1.TypeMeta `json:",inline"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type Role struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Rules holds all the PolicyRules for this Role
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}

// OptionalNames is an array that may also be left nil to distinguish between set and unset.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
type OptionalNames []string

// String renders the names in fmt's %v form for a string slice. A nil value
// prints as "[]", so the set/unset distinction is not visible in the output.
func (t OptionalNames) String() string {
	return fmt.Sprintf("%v", []string(t))
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBinding references a Role but does not contain it. It can reference any Role in the same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type RoleBinding struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// UserNames holds all the usernames directly bound to the role.
	// This field should only be specified when supporting legacy clients and servers.
	// See Subjects for further details.
	// +k8s:conversion-gen=false
	// +optional
	UserNames OptionalNames `json:"userNames" protobuf:"bytes,2,rep,name=userNames"`
	// GroupNames holds all the groups directly bound to the role.
	// This field should only be specified when supporting legacy clients and servers.
	// See Subjects for further details.
	// +k8s:conversion-gen=false
	// +optional
	GroupNames OptionalNames `json:"groupNames" protobuf:"bytes,3,rep,name=groupNames"`
	// Subjects hold object references to authorize with this rule.
	// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
	// Thus newer clients that do not need to support backwards compatibility should send
	// only fully qualified Subjects and should omit the UserNames and GroupNames fields.
	// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
	Subjects []corev1.ObjectReference `json:"subjects" protobuf:"bytes,4,rep,name=subjects"`

	// RoleRef can only reference the current namespace and the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	// Since Policy is a singleton, this is sufficient knowledge to locate a role.
	RoleRef corev1.ObjectReference `json:"roleRef" protobuf:"bytes,5,opt,name=roleRef"`
}

// NamedRole relates a Role with a name
type NamedRole struct {
	// Name is the name of the role
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
	// Role is the role being named
	Role Role `json:"role" protobuf:"bytes,2,opt,name=role"`
}

// NamedRoleBinding relates a role binding with a name
type NamedRoleBinding struct {
	// Name is the name of the role binding
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
	// RoleBinding is the role binding being named
	RoleBinding RoleBinding `json:"roleBinding" protobuf:"bytes,2,opt,name=roleBinding"`
}

// +genclient
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type SelfSubjectRulesReview struct {
	metav1.TypeMeta `json:",inline"`

	// Spec adds information about how to conduct the check
	Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`

	// Status is completed by the server to tell which permissions you have
	Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}

// SelfSubjectRulesReviewSpec adds information about how to conduct the check
type SelfSubjectRulesReviewSpec struct {
	// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
	// Nil means "use the scopes on this request".
	// The nil/empty distinction matters: an empty (non-nil) list asks for the unscoped view, which is broader.
	// +k8s:conversion-gen=false
	Scopes OptionalScopes `json:"scopes" protobuf:"bytes,1,rep,name=scopes"`
}

// +genclient
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type SubjectRulesReview struct {
	metav1.TypeMeta `json:",inline"`

	// Spec adds information about how to conduct the check
	Spec SubjectRulesReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`

	// Status is completed by the server to tell which permissions you have
	Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}

// SubjectRulesReviewSpec adds information about how to conduct the check
type SubjectRulesReviewSpec struct {
	// User is optional. At least one of User and Groups must be specified.
	User string `json:"user" protobuf:"bytes,1,opt,name=user"`
	// Groups is optional. Groups is the list of groups to which the User belongs. At least one of User and Groups must be specified.
	Groups []string `json:"groups" protobuf:"bytes,2,rep,name=groups"`
	// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
	Scopes OptionalScopes `json:"scopes" protobuf:"bytes,3,opt,name=scopes"`
}

// SubjectRulesReviewStatus contains the result of a rules check
type SubjectRulesReviewStatus struct {
	// Rules is the list of rules (no particular sort) that are allowed for the subject
	Rules []PolicyRule `json:"rules" protobuf:"bytes,1,rep,name=rules"`
	// EvaluationError can appear in combination with Rules. It means some error happened during evaluation
	// that may have prevented additional rules from being populated.
	// When it is non-empty, treat Rules as a possibly incomplete answer rather than the full set.
	EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,2,opt,name=evaluationError"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ResourceAccessReviewResponse describes who can perform the action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type ResourceAccessReviewResponse struct {
	metav1.TypeMeta `json:",inline"`

	// Namespace is the namespace used for the access review
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
	// UsersSlice is the list of users who can perform the action
	// +k8s:conversion-gen=false
	UsersSlice []string `json:"users" protobuf:"bytes,2,rep,name=users"`
	// GroupsSlice is the list of groups who can perform the action
	// +k8s:conversion-gen=false
	GroupsSlice []string `json:"groups" protobuf:"bytes,3,rep,name=groups"`

	// EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
	// It is entirely possible to get an error and be able to continue to determine authorization status in spite of it. This is
	// most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
	// NOTE: the json/protobuf tag is spelled "evalutionError" (sic). It is part of the level-1 stable wire
	// format, so the misspelling must not be corrected; clients have to use that exact key.
	EvaluationError string `json:"evalutionError" protobuf:"bytes,4,opt,name=evalutionError"`
}

// +genclient
// +genclient:nonNamespaced
// +genclient:skipVerbs=apply,get,list,create,update,patch,delete,deleteCollection,watch
// +genclient:method=Create,verb=create,result=ResourceAccessReviewResponse
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ResourceAccessReview is a means to request a list of which users and groups are authorized to perform the
// action specified by spec
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type ResourceAccessReview struct {
	metav1.TypeMeta `json:",inline"`

	// Action describes the action being tested.
	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SubjectAccessReviewResponse describes whether or not a user or group can perform an action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type SubjectAccessReviewResponse struct {
	metav1.TypeMeta `json:",inline"`

	// Namespace is the namespace used for the access review
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
	// Allowed is required. True if the action would be allowed, false otherwise.
	// Because it is a plain bool with no omitempty, a missing or zero value reads as a denial.
	Allowed bool `json:"allowed" protobuf:"varint,2,opt,name=allowed"`
	// Reason is optional. It indicates why a request was allowed or denied.
	Reason string `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"`
	// EvaluationError is an indication that some error occurred during the authorization check.
	// It is entirely possible to get an error and be able to continue to determine authorization status in spite of it. This is
	// most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
	EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"`
}

// OptionalScopes is an array that may also be left nil to distinguish between set and unset.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
type OptionalScopes []string

// String renders the scopes in fmt's %v form for a string slice. A nil value
// prints as "[]", so the set/unset distinction is not visible in the output.
func (t OptionalScopes) String() string {
	return fmt.Sprintf("%v", []string(t))
}

// +genclient
// +genclient:nonNamespaced
// +genclient:skipVerbs=apply,get,list,create,update,patch,delete,deleteCollection,watch
// +genclient:method=Create,verb=create,result=SubjectAccessReviewResponse
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SubjectAccessReview is an object for requesting information about whether a user or group can perform an action
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type SubjectAccessReview struct {
	metav1.TypeMeta `json:",inline"`

	// Action describes the action being tested.
	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`
	// User is optional. If both User and Groups are empty, the current authenticated user is used.
	User string `json:"user" protobuf:"bytes,2,opt,name=user"`
	// GroupsSlice is optional. Groups is the list of groups to which the User belongs.
	// +k8s:conversion-gen=false
	GroupsSlice []string `json:"groups" protobuf:"bytes,3,rep,name=groups"`
	// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
	// Nil for a self-SAR, means "use the scopes on this request".
	// Nil for a regular SAR, means the same as empty.
	// +k8s:conversion-gen=false
	Scopes OptionalScopes `json:"scopes" protobuf:"bytes,4,rep,name=scopes"`
}

// +genclient
// +genclient:skipVerbs=apply,get,list,create,update,patch,delete,deleteCollection,watch
// +genclient:method=Create,verb=create,result=ResourceAccessReviewResponse
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// LocalResourceAccessReview is a means to request a list of which users and groups are authorized to perform the action specified by spec in a particular namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type LocalResourceAccessReview struct {
	metav1.TypeMeta `json:",inline"`

	// Action describes the action being tested. The Namespace element is FORCED to the current namespace.
	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`
}

// +genclient
// +genclient:skipVerbs=apply,get,list,create,update,patch,delete,deleteCollection,watch
// +genclient:method=Create,verb=create,result=SubjectAccessReviewResponse
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type LocalSubjectAccessReview struct {
	metav1.TypeMeta `json:",inline"`

	// Action describes the action being tested. The Namespace element is FORCED to the current namespace.
	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`
	// User is optional. If both User and Groups are empty, the current authenticated user is used.
	User string `json:"user" protobuf:"bytes,2,opt,name=user"`
	// Groups is optional. Groups is the list of groups to which the User belongs.
	// +k8s:conversion-gen=false
	GroupsSlice []string `json:"groups" protobuf:"bytes,3,rep,name=groups"`
	// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
	// Nil for a self-SAR, means "use the scopes on this request".
	// Nil for a regular SAR, means the same as empty.
	// +k8s:conversion-gen=false
	Scopes OptionalScopes `json:"scopes" protobuf:"bytes,4,rep,name=scopes"`
}

// Action describes a request to the API server
type Action struct {
	// Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
	Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"`
	// Verb is one of: get, list, watch, create, update, delete
	Verb string `json:"verb" protobuf:"bytes,2,opt,name=verb"`
	// Group is the API group of the resource
	// Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined
	Group string `json:"resourceAPIGroup" protobuf:"bytes,3,opt,name=resourceAPIGroup"`
	// Version is the API version of the resource
	// Serialized as resourceAPIVersion to avoid confusion with TypeMeta.apiVersion and ObjectMeta.resourceVersion when inlined
	Version string `json:"resourceAPIVersion" protobuf:"bytes,4,opt,name=resourceAPIVersion"`
	// Resource is one of the existing resource types
	Resource string `json:"resource" protobuf:"bytes,5,opt,name=resource"`
	// ResourceName is the name of the resource being requested for a "get" or deleted for a "delete"
	ResourceName string `json:"resourceName" protobuf:"bytes,6,opt,name=resourceName"`
	// Path is the path of a non resource URL
	Path string `json:"path" protobuf:"bytes,8,opt,name=path"`
	// IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hierarchy)
	IsNonResourceURL bool `json:"isNonResourceURL" protobuf:"varint,9,opt,name=isNonResourceURL"`
	// Content is the actual content of the request for create and update
	// Like AttributeRestrictions on PolicyRule, this is an opaque RawExtension whose unknown fields are
	// preserved rather than pruned, so the API schema does not validate it; consumers must check it themselves.
	// +kubebuilder:pruning:PreserveUnknownFields
	Content kruntime.RawExtension `json:"content,omitempty" protobuf:"bytes,7,opt,name=content"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBindingList is a collection of RoleBindings
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type RoleBindingList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of RoleBindings
	Items []RoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleList is a collection of Roles
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type RoleList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of Roles
	Items []Role `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRole is a logical grouping of PolicyRules that can be referenced as a unit by ClusterRoleBindings.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type ClusterRole struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Rules holds all the PolicyRules for this ClusterRole
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`

	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
	// stomped by the controller.
	AggregationRule *rbacv1.AggregationRule `json:"aggregationRule,omitempty" protobuf:"bytes,3,opt,name=aggregationRule"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleBinding references a ClusterRole but does not contain it. It can reference any ClusterRole in the same namespace or in the global namespace.
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
//
// NOTE(review): the +genclient:nonNamespaced marker above declares this type cluster-scoped; the
// namespace wording in the two sentences above mirrors RoleBinding and should be read with that in mind.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type ClusterRoleBinding struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// UserNames holds all the usernames directly bound to the role.
	// This field should only be specified when supporting legacy clients and servers.
	// See Subjects for further details.
	// +k8s:conversion-gen=false
	// +optional
	UserNames OptionalNames `json:"userNames" protobuf:"bytes,2,rep,name=userNames"`
	// GroupNames holds all the groups directly bound to the role.
	// This field should only be specified when supporting legacy clients and servers.
	// See Subjects for further details.
	// +k8s:conversion-gen=false
	// +optional
	GroupNames OptionalNames `json:"groupNames" protobuf:"bytes,3,rep,name=groupNames"`
	// Subjects hold object references to authorize with this rule.
	// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
	// Thus newer clients that do not need to support backwards compatibility should send
	// only fully qualified Subjects and should omit the UserNames and GroupNames fields.
	// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
	Subjects []corev1.ObjectReference `json:"subjects" protobuf:"bytes,4,rep,name=subjects"`

	// RoleRef can only reference the current namespace and the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	// Since Policy is a singleton, this is sufficient knowledge to locate a role.
	RoleRef corev1.ObjectReference `json:"roleRef" protobuf:"bytes,5,opt,name=roleRef"`
}

// NamedClusterRole relates a name with a cluster role
type NamedClusterRole struct {
	// Name is the name of the cluster role
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
	// Role is the cluster role being named
	Role ClusterRole `json:"role" protobuf:"bytes,2,opt,name=role"`
}

// NamedClusterRoleBinding relates a name with a cluster role binding
type NamedClusterRoleBinding struct {
	// Name is the name of the cluster role binding
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
	// RoleBinding is the cluster role binding being named
	RoleBinding ClusterRoleBinding `json:"roleBinding" protobuf:"bytes,2,opt,name=roleBinding"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleBindingList is a collection of ClusterRoleBindings
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type ClusterRoleBindingList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of ClusterRoleBindings
	Items []ClusterRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleList is a collection of ClusterRoles
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type ClusterRoleList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of ClusterRoles
	Items []ClusterRole `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBindingRestriction is an object that can be matched against a subject
// (user, group, or service account) to determine whether rolebindings on that
// subject are allowed in the namespace to which the RoleBindingRestriction
// belongs. If any one of those RoleBindingRestriction objects matches
// a subject, rolebindings on that subject in the namespace are allowed.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type RoleBindingRestriction struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata" protobuf:"bytes,1,opt,name=metadata"`

	// Spec defines the matcher.
	Spec RoleBindingRestrictionSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
}

// RoleBindingRestrictionSpec defines a rolebinding restriction. Exactly one
// field must be non-nil.
//
// The "exactly one" rule is a validation contract, not something the Go type
// can enforce: all three fields are independent pointers, so admission-time
// validation is what rejects a spec with zero or several restrictions set.
type RoleBindingRestrictionSpec struct {
	// UserRestriction matches against user subjects.
	// +nullable
	UserRestriction *UserRestriction `json:"userrestriction" protobuf:"bytes,1,opt,name=userrestriction"`

	// GroupRestriction matches against group subjects.
	// +nullable
	GroupRestriction *GroupRestriction `json:"grouprestriction" protobuf:"bytes,2,opt,name=grouprestriction"`

	// ServiceAccountRestriction matches against service-account subjects.
	// +nullable
	ServiceAccountRestriction *ServiceAccountRestriction `json:"serviceaccountrestriction" protobuf:"bytes,3,opt,name=serviceaccountrestriction"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBindingRestrictionList is a collection of RoleBindingRestriction objects.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type RoleBindingRestrictionList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of RoleBindingRestriction objects.
	Items []RoleBindingRestriction `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// UserRestriction matches a user either by a string match on the user name,
// a string match on the name of a group to which the user belongs, or a label
// selector applied to the user labels.
type UserRestriction struct {
	// Users specifies a list of literal user names.
	Users []string `json:"users" protobuf:"bytes,1,rep,name=users"`

	// Groups specifies a list of literal group names.
	// +nullable
	Groups []string `json:"groups" protobuf:"bytes,2,rep,name=groups"`

	// Selectors specifies a list of label selectors over user labels.
	// +nullable
	Selectors []metav1.LabelSelector `json:"labels" protobuf:"bytes,3,rep,name=labels"`
}

// GroupRestriction matches a group either by a string match on the group name
// or a label selector applied to group labels.
type GroupRestriction struct {
	// Groups is a list of groups used to match against an individual user's
	// groups. If the user is a member of one of the whitelisted groups, the user
	// is allowed to be bound to a role.
	// +nullable
	Groups []string `json:"groups" protobuf:"bytes,1,rep,name=groups"`

	// Selectors specifies a list of label selectors over group labels.
	// +nullable
	Selectors []metav1.LabelSelector `json:"labels" protobuf:"bytes,2,rep,name=labels"`
}

// ServiceAccountRestriction matches a service account by a string match on
// either the service-account name or the name of the service account's
// namespace.
type ServiceAccountRestriction struct {
	// ServiceAccounts specifies a list of literal service-account names.
	ServiceAccounts []ServiceAccountReference `json:"serviceaccounts" protobuf:"bytes,1,rep,name=serviceaccounts"`

	// Namespaces specifies a list of literal namespace names.
	// Any service account in a listed namespace matches, so listing a namespace is
	// broader than listing individual ServiceAccounts.
	Namespaces []string `json:"namespaces" protobuf:"bytes,2,rep,name=namespaces"`
}

// ServiceAccountReference specifies a service account and namespace by their
// names.
type ServiceAccountReference struct {
	// Name is the name of the service account.
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`

	// Namespace is the namespace of the service account. Service accounts from
	// inside the whitelisted namespaces are allowed to be bound to roles. If
	// Namespace is empty, then the namespace of the RoleBindingRestriction in
	// which the ServiceAccountReference is embedded is used.
	Namespace string `json:"namespace" protobuf:"bytes,2,opt,name=namespace"`
}