/*
Copyright 2015 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package abac

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Policy contains a single ABAC policy rule.
//
// It embeds metav1.TypeMeta and carries the rule itself in Spec; the
// matching semantics of each attribute are documented on PolicySpec.
type Policy struct {
	metav1.TypeMeta

	// Spec describes the policy rule
	Spec PolicySpec
}

// PolicySpec contains the attributes for a policy rule.
//
// User and Group select who the rule applies to; the remaining attributes
// select which requests it applies to. For every string attribute below,
// "*" is a wildcard matching any value, so a rule built mostly from "*" is
// correspondingly broad — review such rules with care when auditing a
// policy file.
type PolicySpec struct {

	// User is the username this rule applies to.
	// Either user or group is required to match the request.
	// "*" matches all users.
	User string

	// Group is the group this rule applies to.
	// Either user or group is required to match the request.
	// "*" matches all groups.
	Group string

	// Readonly matches readonly requests when true, and all requests when false.
	//
	// Note the asymmetry: false does not mean "write requests only" — it
	// matches reads as well as writes, so Readonly false is the broader
	// grant. Set it to true to restrict a rule to read access.
	Readonly bool

	// APIGroup is the name of an API group. APIGroup, Resource, and Namespace are required to match resource requests.
	// "*" matches all API groups
	APIGroup string

	// Resource is the name of a resource. APIGroup, Resource, and Namespace are required to match resource requests.
	// "*" matches all resources
	Resource string

	// Namespace is the name of a namespace. APIGroup, Resource, and Namespace are required to match resource requests.
	// "*" matches all namespaces (including unnamespaced requests), so a "*"
	// here also covers requests that carry no namespace at all, not only
	// namespaced ones.
	Namespace string

	// NonResourcePath matches non-resource request paths.
	// "*" matches all paths
	// "/foo/*" matches all subpaths of foo
	// Only these two wildcard forms are documented here; how "*" in any other
	// position is treated is decided by the matcher, not by this type — confirm
	// there before relying on it.
	NonResourcePath string

	// TODO: "expires" string in RFC3339 format.

	// TODO: want a way to allow some users to restart containers of a pod but
	// not delete or modify it.

	// TODO: want a way to allow a controller to create a pod based only on a
	// certain podTemplates.

}