1 /* 2 Copyright 2016 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package rbac 18 19 import ( 20 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 21 ) 22 23 // Authorization is calculated against 24 // 1. evaluation of ClusterRoleBindings - short circuit on match 25 // 2. evaluation of RoleBindings in the namespace requested - short circuit on match 26 // 3. deny by default 27 28 // APIGroupAll and these consts are default values for rbac authorization. 29 const ( 30 APIGroupAll = "*" 31 ResourceAll = "*" 32 VerbAll = "*" 33 NonResourceAll = "*" 34 35 GroupKind = "Group" 36 ServiceAccountKind = "ServiceAccount" 37 UserKind = "User" 38 39 // AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false" 40 AutoUpdateAnnotationKey = "rbac.authorization.kubernetes.io/autoupdate" 41 ) 42 43 // PolicyRule holds information that describes a policy rule, but does not contain information 44 // about who the rule applies to or which namespace the rule applies to. 45 type PolicyRule struct { 46 // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. 47 Verbs []string 48 49 // APIGroups is the name of the APIGroup that contains the resources. 50 // If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. 51 APIGroups []string 52 // Resources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups. 53 // '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups. 54 Resources []string 55 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. 56 ResourceNames []string 57 58 // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path 59 // If an action is not a resource API request, then the URL is split on '/' and is checked against the NonResourceURLs to look for a match. 60 // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. 61 // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. 62 NonResourceURLs []string 63 } 64 65 // Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, 66 // or a value for non-objects such as user and group names. 67 type Subject struct { 68 // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". 69 // If the Authorizer does not recognized the kind value, the Authorizer should report an error. 70 Kind string 71 // APIGroup holds the API group of the referenced subject. 72 // Defaults to "" for ServiceAccount subjects. 73 // Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 74 APIGroup string 75 // Name of the object being referenced. 76 Name string 77 // Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty 78 // the Authorizer should report an error. 79 Namespace string 80 } 81 82 // RoleRef contains information that points to the role being used 83 type RoleRef struct { 84 // APIGroup is the group for the resource being referenced 85 APIGroup string 86 // Kind is the type of resource being referenced 87 Kind string 88 // Name is the name of resource being referenced 89 Name string 90 } 91 92 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 93 94 // Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. 95 type Role struct { 96 metav1.TypeMeta 97 // Standard object's metadata. 98 metav1.ObjectMeta 99 100 // Rules holds all the PolicyRules for this Role 101 Rules []PolicyRule 102 } 103 104 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 105 106 // RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. 107 // It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given 108 // namespace only have effect in that namespace. 109 type RoleBinding struct { 110 metav1.TypeMeta 111 metav1.ObjectMeta 112 113 // Subjects holds references to the objects the role applies to. 114 Subjects []Subject 115 116 // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. 117 // If the RoleRef cannot be resolved, the Authorizer must return an error. 118 // This field is immutable. 119 RoleRef RoleRef 120 } 121 122 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 123 124 // RoleBindingList is a collection of RoleBindings 125 type RoleBindingList struct { 126 metav1.TypeMeta 127 // Standard object's metadata. 128 metav1.ListMeta 129 130 // Items is a list of roleBindings 131 Items []RoleBinding 132 } 133 134 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 135 136 // RoleList is a collection of Roles 137 type RoleList struct { 138 metav1.TypeMeta 139 // Standard object's metadata. 140 metav1.ListMeta 141 142 // Items is a list of roles 143 Items []Role 144 } 145 146 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 147 148 // ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding. 149 type ClusterRole struct { 150 metav1.TypeMeta 151 // Standard object's metadata. 152 metav1.ObjectMeta 153 154 // Rules holds all the PolicyRules for this ClusterRole 155 Rules []PolicyRule 156 157 // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. 158 // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be 159 // stomped by the controller. 160 AggregationRule *AggregationRule 161 } 162 163 // AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole 164 type AggregationRule struct { 165 // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. 166 // If any of the selectors match, then the ClusterRole's permissions will be added 167 ClusterRoleSelectors []metav1.LabelSelector 168 } 169 170 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 171 172 // ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, 173 // and adds who information via Subject. 174 type ClusterRoleBinding struct { 175 metav1.TypeMeta 176 // Standard object's metadata. 177 metav1.ObjectMeta 178 179 // Subjects holds references to the objects the role applies to. 180 Subjects []Subject 181 182 // RoleRef can only reference a ClusterRole in the global namespace. 183 // If the RoleRef cannot be resolved, the Authorizer must return an error. 184 // This field is immutable. 185 RoleRef RoleRef 186 } 187 188 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 189 190 // ClusterRoleBindingList is a collection of ClusterRoleBindings 191 type ClusterRoleBindingList struct { 192 metav1.TypeMeta 193 // Standard object's metadata. 194 metav1.ListMeta 195 196 // Items is a list of ClusterRoleBindings 197 Items []ClusterRoleBinding 198 } 199 200 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 201 202 // ClusterRoleList is a collection of ClusterRoles 203 type ClusterRoleList struct { 204 metav1.TypeMeta 205 // Standard object's metadata. 206 metav1.ListMeta 207 208 // Items is a list of ClusterRoles 209 Items []ClusterRole 210 } 211