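/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Authorization is calculated against
// 1. evaluation of ClusterRoleBindings - short circuit on match
// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
// 3. deny by default

const (
	// Wildcard values. A rule that uses one of these matches everything in
	// that dimension, so wildcard rules are broad by construction.
	APIGroupAll    = "*"
	ResourceAll    = "*"
	VerbAll        = "*"
	NonResourceAll = "*"

	// Subject kinds defined by this API group (see Subject.Kind).
	GroupKind          = "Group"
	ServiceAccountKind = "ServiceAccount"
	UserKind           = "User"

	// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
	AutoUpdateAnnotationKey = "rbac.authorization.kubernetes.io/autoupdate"
)

// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
type PolicyRule struct {
	// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
	// +listType=atomic
	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`

	// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
	// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
	// +optional
	// +listType=atomic
	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,3,rep,name=apiGroups"`
	// Resources is a list of resources this rule applies to. '*' represents all resources.
	// +optional
	// +listType=atomic
	Resources []string `json:"resources,omitempty" protobuf:"bytes,4,rep,name=resources"`
	// ResourceNames is an optional allowlist of names that the rule applies to. An empty set means that everything is allowed.
	// +optional
	// +listType=atomic
	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,5,rep,name=resourceNames"`

	// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
	// +optional
	// +listType=atomic
	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,6,rep,name=nonResourceURLs"`
}

// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
// or a value for non-objects such as user and group names.
type Subject struct {
	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
	// If the Authorizer does not recognize the kind value, the Authorizer should report an error.
	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
	// APIVersion holds the API group and version of the referenced subject.
	// Defaults to "v1" for ServiceAccount subjects.
	// Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
	// +k8s:conversion-gen=false
	// +optional
	//
	// The protobuf tag previously read "opt.name=apiVersion" (a "." instead of the
	// "," separator every other field uses); it is written with the standard
	// separator here so the tag parses like its siblings.
	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=apiVersion"`
	// Name of the object being referenced.
	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
	// Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
	// the Authorizer should report an error.
	// +optional
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
}

// RoleRef contains information that points to the role being used
type RoleRef struct {
	// APIGroup is the group for the resource being referenced
	APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
	// Kind is the type of resource being referenced
	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
	// Name is the name of resource being referenced
	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
type Role struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Rules holds all the PolicyRules for this Role
	// +optional
	// +listType=atomic
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace.
// It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given
// namespace only have effect in that namespace.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.
type RoleBinding struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Subjects holds references to the objects the role applies to.
	// +optional
	// +listType=atomic
	Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBindingList is a collection of RoleBindings
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBindingList, and will no longer be served in v1.22.
type RoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of RoleBindings
	Items []RoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleList is a collection of Roles.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleList, and will no longer be served in v1.22.
type RoleList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of Roles
	Items []Role `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRole, and will no longer be served in v1.22.
type ClusterRole struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Rules holds all the PolicyRules for this ClusterRole
	// +optional
	// +listType=atomic
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`

	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
	// stomped by the controller.
	// +optional
	AggregationRule *AggregationRule `json:"aggregationRule,omitempty" protobuf:"bytes,3,opt,name=aggregationRule"`
}

// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
type AggregationRule struct {
	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
	// If any of the selectors match, then the ClusterRole's permissions will be added
	// +optional
	// +listType=atomic
	ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleBinding references a ClusterRole, but does not contain it. It can reference a ClusterRole in the global namespace,
// and adds who information via Subject.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBinding, and will no longer be served in v1.22.
type ClusterRoleBinding struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Subjects holds references to the objects the role applies to.
	// +optional
	// +listType=atomic
	Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

	// RoleRef can only reference a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleBindingList is a collection of ClusterRoleBindings.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBindingList, and will no longer be served in v1.22.
type ClusterRoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of ClusterRoleBindings
	Items []ClusterRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleList is a collection of ClusterRoles.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleList, and will no longer be served in v1.22.
type ClusterRoleList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of ClusterRoles
	Items []ClusterRole `json:"items" protobuf:"bytes,2,rep,name=items"`
}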