add subjectaccessreviews resource
This commit is contained in:
deads2k
@@ -16,4 +16,5 @@ limitations under the License.
|
||||
|
||||
// +k8s:deepcopy-gen=package,register
|
||||
|
||||
// +groupName=authorization.k8s.io
|
||||
package authorization // import "k8s.io/kubernetes/pkg/apis/authorization"
|
||||
|
||||
@@ -17,13 +17,19 @@ limitations under the License.
|
||||
package authorization
|
||||
|
||||
import (
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/api/unversioned"
|
||||
)
|
||||
|
||||
// +genclient=true
|
||||
// +nonNamespaced=true
|
||||
// +noMethods=true
|
||||
|
||||
// SubjectAccessReview checks whether or not a user or group can perform an action. Not filling in a
|
||||
// spec.namespace means "in all namespaces".
|
||||
type SubjectAccessReview struct {
|
||||
unversioned.TypeMeta
|
||||
api.ObjectMeta
|
||||
|
||||
// Spec holds information about the request being evaluated
|
||||
Spec SubjectAccessReviewSpec
|
||||
@@ -37,6 +43,7 @@ type SubjectAccessReview struct {
|
||||
// to check whether they can perform an action
|
||||
type SelfSubjectAccessReview struct {
|
||||
unversioned.TypeMeta
|
||||
api.ObjectMeta
|
||||
|
||||
// Spec holds information about the request being evaluated.
|
||||
Spec SelfSubjectAccessReviewSpec
|
||||
@@ -50,6 +57,7 @@ type SelfSubjectAccessReview struct {
|
||||
// checking.
|
||||
type LocalSubjectAccessReview struct {
|
||||
unversioned.TypeMeta
|
||||
api.ObjectMeta
|
||||
|
||||
// Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace
|
||||
// you made the request against. If empty, it is defaulted.
|
||||
@@ -103,9 +111,13 @@ type SubjectAccessReviewSpec struct {
|
||||
Groups []string
|
||||
// Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
|
||||
// it needs a reflection here.
|
||||
Extra map[string][]string
|
||||
Extra map[string]ExtraValue
|
||||
}
|
||||
|
||||
// ExtraValue masks the value so protobuf can generate
|
||||
// +protobuf.nullable=true
|
||||
type ExtraValue []string
|
||||
|
||||
// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes
|
||||
// and NonResourceAttributes must be set
|
||||
type SelfSubjectAccessReviewSpec struct {
|
||||
@@ -121,4 +133,8 @@ type SubjectAccessReviewStatus struct {
|
||||
Allowed bool
|
||||
// Reason is optional. It indicates why a request was allowed or denied.
|
||||
Reason string
|
||||
// EvaluationError is an indication that some error occurred during the authorization check.
|
||||
// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
|
||||
// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
|
||||
EvaluationError string
|
||||
}
|
||||
|
||||
@@ -17,4 +17,5 @@ limitations under the License.
|
||||
// +k8s:deepcopy-gen=package,register
|
||||
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/authorization
|
||||
|
||||
// +groupName=authorization.k8s.io
|
||||
package v1beta1 // import "k8s.io/kubernetes/pkg/apis/authorization/v1beta1"
|
||||
|
||||
@@ -18,7 +18,9 @@ package v1beta1
|
||||
|
||||
import (
|
||||
"k8s.io/kubernetes/pkg/api/unversioned"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
"k8s.io/kubernetes/pkg/runtime"
|
||||
versionedwatch "k8s.io/kubernetes/pkg/watch/versioned"
|
||||
)
|
||||
|
||||
// GroupName is the group name use in this package
|
||||
@@ -37,10 +39,15 @@ func AddToScheme(scheme *runtime.Scheme) {
|
||||
// Adds the list of known types to api.Scheme.
|
||||
func addKnownTypes(scheme *runtime.Scheme) {
|
||||
scheme.AddKnownTypes(SchemeGroupVersion,
|
||||
&v1.ListOptions{},
|
||||
&v1.DeleteOptions{},
|
||||
|
||||
&SelfSubjectAccessReview{},
|
||||
&SubjectAccessReview{},
|
||||
&LocalSubjectAccessReview{},
|
||||
)
|
||||
|
||||
versionedwatch.AddToGroupVersion(scheme, SchemeGroupVersion)
|
||||
}
|
||||
|
||||
func (obj *LocalSubjectAccessReview) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
|
||||
|
||||
@@ -17,18 +17,26 @@ limitations under the License.
|
||||
package v1beta1
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"k8s.io/kubernetes/pkg/api/unversioned"
|
||||
"k8s.io/kubernetes/pkg/api/v1"
|
||||
)
|
||||
|
||||
// +genclient=true
|
||||
// +nonNamespaced=true
|
||||
// +noMethods=true
|
||||
|
||||
// SubjectAccessReview checks whether or not a user or group can perform an action.
|
||||
type SubjectAccessReview struct {
|
||||
unversioned.TypeMeta `json:",inline"`
|
||||
v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
||||
|
||||
// Spec holds information about the request being evaluated
|
||||
Spec SubjectAccessReviewSpec `json:"spec"`
|
||||
Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
||||
|
||||
// Status is filled in by the server and indicates whether the request is allowed or not
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty"`
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
||||
}
|
||||
|
||||
// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a
|
||||
@@ -36,12 +44,13 @@ type SubjectAccessReview struct {
|
||||
// to check whether they can perform an action
|
||||
type SelfSubjectAccessReview struct {
|
||||
unversioned.TypeMeta `json:",inline"`
|
||||
v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
||||
|
||||
// Spec holds information about the request being evaluated. user and groups must be empty
|
||||
Spec SelfSubjectAccessReviewSpec `json:"spec"`
|
||||
Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
||||
|
||||
// Status is filled in by the server and indicates whether the request is allowed or not
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty"`
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
||||
}
|
||||
|
||||
// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
|
||||
@@ -49,13 +58,14 @@ type SelfSubjectAccessReview struct {
|
||||
// checking.
|
||||
type LocalSubjectAccessReview struct {
|
||||
unversioned.TypeMeta `json:",inline"`
|
||||
v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
||||
|
||||
// Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace
|
||||
// you made the request against. If empty, it is defaulted.
|
||||
Spec SubjectAccessReviewSpec `json:"spec"`
|
||||
Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
|
||||
|
||||
// Status is filled in by the server and indicates whether the request is allowed or not
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty"`
|
||||
Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
|
||||
}
|
||||
|
||||
// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
|
||||
@@ -64,60 +74,73 @@ type ResourceAttributes struct {
|
||||
// "" (empty) is defaulted for LocalSubjectAccessReviews
|
||||
// "" (empty) is empty for cluster-scoped resources
|
||||
// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
|
||||
// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
|
||||
Verb string `json:"verb,omitempty"`
|
||||
Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
|
||||
// Group is the API Group of the Resource. "*" means all.
|
||||
Group string `json:"group,omitempty"`
|
||||
Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"`
|
||||
// Version is the API Version of the Resource. "*" means all.
|
||||
Version string `json:"version,omitempty"`
|
||||
Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"`
|
||||
// Resource is one of the existing resource types. "*" means all.
|
||||
Resource string `json:"resource,omitempty"`
|
||||
Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"`
|
||||
// Subresource is one of the existing resource types. "" means none.
|
||||
Subresource string `json:"subresource,omitempty"`
|
||||
Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"`
|
||||
// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
|
||||
Name string `json:"name,omitempty"`
|
||||
Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"`
|
||||
}
|
||||
|
||||
// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
|
||||
type NonResourceAttributes struct {
|
||||
// Path is the URL path of the request
|
||||
Path string `json:"path,omitempty"`
|
||||
Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
|
||||
// Verb is the standard HTTP verb
|
||||
Verb string `json:"verb,omitempty"`
|
||||
Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
|
||||
}
|
||||
|
||||
// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
|
||||
// and NonResourceAuthorizationAttributes must be set
|
||||
type SubjectAccessReviewSpec struct {
|
||||
// ResourceAuthorizationAttributes describes information for a resource access request
|
||||
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
|
||||
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
|
||||
// NonResourceAttributes describes information for a non-resource access request
|
||||
NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty"`
|
||||
NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
|
||||
|
||||
// User is the user you're testing for.
|
||||
// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
|
||||
User string `json:"user,omitempty"`
|
||||
User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=verb"`
|
||||
// Groups is the groups you're testing for.
|
||||
Groups []string `json:"group,omitempty"`
|
||||
Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"`
|
||||
// Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
|
||||
// it needs a reflection here.
|
||||
Extra map[string][]string `json:"extra,omitempty"`
|
||||
Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"`
|
||||
}
|
||||
|
||||
// ExtraValue masks the value so protobuf can generate
|
||||
// +protobuf.nullable=true
|
||||
// +protobuf.options.(gogoproto.goproto_stringer)=false
|
||||
type ExtraValue []string
|
||||
|
||||
func (t ExtraValue) String() string {
|
||||
return fmt.Sprintf("%v", []string(t))
|
||||
}
|
||||
|
||||
// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
|
||||
// and NonResourceAuthorizationAttributes must be set
|
||||
type SelfSubjectAccessReviewSpec struct {
|
||||
// ResourceAuthorizationAttributes describes information for a resource access request
|
||||
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
|
||||
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
|
||||
// NonResourceAttributes describes information for a non-resource access request
|
||||
NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty"`
|
||||
NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
|
||||
}
|
||||
|
||||
// SubjectAccessReviewStatus
|
||||
type SubjectAccessReviewStatus struct {
|
||||
// Allowed is required. True if the action would be allowed, false otherwise.
|
||||
Allowed bool `json:"allowed"`
|
||||
Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
|
||||
// Reason is optional. It indicates why a request was allowed or denied.
|
||||
Reason string `json:"reason,omitempty"`
|
||||
Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
|
||||
// EvaluationError is an indication that some error occurred during the authorization check.
|
||||
// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
|
||||
// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
|
||||
EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"`
|
||||
}
|
||||
|
||||
@@ -54,6 +54,10 @@ func autoConvert_v1beta1_LocalSubjectAccessReview_To_authorization_LocalSubjectA
|
||||
if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
|
||||
return err
|
||||
}
|
||||
// TODO: Inefficient conversion - can we improve it?
|
||||
if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_v1beta1_SubjectAccessReviewSpec_To_authorization_SubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -71,6 +75,10 @@ func autoConvert_authorization_LocalSubjectAccessReview_To_v1beta1_LocalSubjectA
|
||||
if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
|
||||
return err
|
||||
}
|
||||
// TODO: Inefficient conversion - can we improve it?
|
||||
if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_authorization_SubjectAccessReviewSpec_To_v1beta1_SubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -138,6 +146,10 @@ func autoConvert_v1beta1_SelfSubjectAccessReview_To_authorization_SelfSubjectAcc
|
||||
if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
|
||||
return err
|
||||
}
|
||||
// TODO: Inefficient conversion - can we improve it?
|
||||
if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_v1beta1_SelfSubjectAccessReviewSpec_To_authorization_SelfSubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -155,6 +167,10 @@ func autoConvert_authorization_SelfSubjectAccessReview_To_v1beta1_SelfSubjectAcc
|
||||
if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
|
||||
return err
|
||||
}
|
||||
// TODO: Inefficient conversion - can we improve it?
|
||||
if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_authorization_SelfSubjectAccessReviewSpec_To_v1beta1_SelfSubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -224,6 +240,10 @@ func autoConvert_v1beta1_SubjectAccessReview_To_authorization_SubjectAccessRevie
|
||||
if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
|
||||
return err
|
||||
}
|
||||
// TODO: Inefficient conversion - can we improve it?
|
||||
if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_v1beta1_SubjectAccessReviewSpec_To_authorization_SubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -241,6 +261,10 @@ func autoConvert_authorization_SubjectAccessReview_To_v1beta1_SubjectAccessRevie
|
||||
if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
|
||||
return err
|
||||
}
|
||||
// TODO: Inefficient conversion - can we improve it?
|
||||
if err := s.Convert(&in.ObjectMeta, &out.ObjectMeta, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_authorization_SubjectAccessReviewSpec_To_v1beta1_SubjectAccessReviewSpec(&in.Spec, &out.Spec, s); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -275,7 +299,20 @@ func autoConvert_v1beta1_SubjectAccessReviewSpec_To_authorization_SubjectAccessR
|
||||
}
|
||||
out.User = in.User
|
||||
out.Groups = in.Groups
|
||||
out.Extra = in.Extra
|
||||
if in.Extra != nil {
|
||||
in, out := &in.Extra, &out.Extra
|
||||
*out = make(map[string]authorization.ExtraValue, len(*in))
|
||||
for key, val := range *in {
|
||||
newVal := new(authorization.ExtraValue)
|
||||
// TODO: Inefficient conversion - can we improve it?
|
||||
if err := s.Convert(&val, newVal, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
(*out)[key] = *newVal
|
||||
}
|
||||
} else {
|
||||
out.Extra = nil
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -304,7 +341,20 @@ func autoConvert_authorization_SubjectAccessReviewSpec_To_v1beta1_SubjectAccessR
|
||||
}
|
||||
out.User = in.User
|
||||
out.Groups = in.Groups
|
||||
out.Extra = in.Extra
|
||||
if in.Extra != nil {
|
||||
in, out := &in.Extra, &out.Extra
|
||||
*out = make(map[string]ExtraValue, len(*in))
|
||||
for key, val := range *in {
|
||||
newVal := new(ExtraValue)
|
||||
// TODO: Inefficient conversion - can we improve it?
|
||||
if err := s.Convert(&val, newVal, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
(*out)[key] = *newVal
|
||||
}
|
||||
} else {
|
||||
out.Extra = nil
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -315,6 +365,7 @@ func Convert_authorization_SubjectAccessReviewSpec_To_v1beta1_SubjectAccessRevie
|
||||
func autoConvert_v1beta1_SubjectAccessReviewStatus_To_authorization_SubjectAccessReviewStatus(in *SubjectAccessReviewStatus, out *authorization.SubjectAccessReviewStatus, s conversion.Scope) error {
|
||||
out.Allowed = in.Allowed
|
||||
out.Reason = in.Reason
|
||||
out.EvaluationError = in.EvaluationError
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -325,6 +376,7 @@ func Convert_v1beta1_SubjectAccessReviewStatus_To_authorization_SubjectAccessRev
|
||||
func autoConvert_authorization_SubjectAccessReviewStatus_To_v1beta1_SubjectAccessReviewStatus(in *authorization.SubjectAccessReviewStatus, out *SubjectAccessReviewStatus, s conversion.Scope) error {
|
||||
out.Allowed = in.Allowed
|
||||
out.Reason = in.Reason
|
||||
out.EvaluationError = in.EvaluationError
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -22,6 +22,7 @@ package v1beta1
|
||||
|
||||
import (
|
||||
api "k8s.io/kubernetes/pkg/api"
|
||||
v1 "k8s.io/kubernetes/pkg/api/v1"
|
||||
conversion "k8s.io/kubernetes/pkg/conversion"
|
||||
reflect "reflect"
|
||||
)
|
||||
@@ -47,6 +48,9 @@ func DeepCopy_v1beta1_LocalSubjectAccessReview(in interface{}, out interface{},
|
||||
in := in.(*LocalSubjectAccessReview)
|
||||
out := out.(*LocalSubjectAccessReview)
|
||||
out.TypeMeta = in.TypeMeta
|
||||
if err := v1.DeepCopy_v1_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := DeepCopy_v1beta1_SubjectAccessReviewSpec(&in.Spec, &out.Spec, c); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -85,6 +89,9 @@ func DeepCopy_v1beta1_SelfSubjectAccessReview(in interface{}, out interface{}, c
|
||||
in := in.(*SelfSubjectAccessReview)
|
||||
out := out.(*SelfSubjectAccessReview)
|
||||
out.TypeMeta = in.TypeMeta
|
||||
if err := v1.DeepCopy_v1_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := DeepCopy_v1beta1_SelfSubjectAccessReviewSpec(&in.Spec, &out.Spec, c); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -120,6 +127,9 @@ func DeepCopy_v1beta1_SubjectAccessReview(in interface{}, out interface{}, c *co
|
||||
in := in.(*SubjectAccessReview)
|
||||
out := out.(*SubjectAccessReview)
|
||||
out.TypeMeta = in.TypeMeta
|
||||
if err := v1.DeepCopy_v1_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := DeepCopy_v1beta1_SubjectAccessReviewSpec(&in.Spec, &out.Spec, c); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -156,12 +166,12 @@ func DeepCopy_v1beta1_SubjectAccessReviewSpec(in interface{}, out interface{}, c
|
||||
}
|
||||
if in.Extra != nil {
|
||||
in, out := &in.Extra, &out.Extra
|
||||
*out = make(map[string][]string)
|
||||
*out = make(map[string]ExtraValue)
|
||||
for key, val := range *in {
|
||||
if newVal, err := c.DeepCopy(&val); err != nil {
|
||||
return err
|
||||
} else {
|
||||
(*out)[key] = *newVal.(*[]string)
|
||||
(*out)[key] = *newVal.(*ExtraValue)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -177,6 +187,7 @@ func DeepCopy_v1beta1_SubjectAccessReviewStatus(in interface{}, out interface{},
|
||||
out := out.(*SubjectAccessReviewStatus)
|
||||
out.Allowed = in.Allowed
|
||||
out.Reason = in.Reason
|
||||
out.EvaluationError = in.EvaluationError
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,6 +17,7 @@ limitations under the License.
|
||||
package validation
|
||||
|
||||
import (
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
|
||||
"k8s.io/kubernetes/pkg/util/validation/field"
|
||||
)
|
||||
@@ -50,15 +51,24 @@ func ValidateSelfSubjectAccessReviewSpec(spec authorizationapi.SelfSubjectAccess
|
||||
|
||||
func ValidateSubjectAccessReview(sar *authorizationapi.SubjectAccessReview) field.ErrorList {
|
||||
allErrs := ValidateSubjectAccessReviewSpec(sar.Spec, field.NewPath("spec"))
|
||||
if !api.Semantic.DeepEqual(api.ObjectMeta{}, sar.ObjectMeta) {
|
||||
allErrs = append(allErrs, field.Invalid(field.NewPath("metadata"), sar.ObjectMeta, `must be empty`))
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
|
||||
func ValidateSelfSubjectAccessReview(sar *authorizationapi.SelfSubjectAccessReview) field.ErrorList {
|
||||
allErrs := ValidateSelfSubjectAccessReviewSpec(sar.Spec, field.NewPath("spec"))
|
||||
if !api.Semantic.DeepEqual(api.ObjectMeta{}, sar.ObjectMeta) {
|
||||
allErrs = append(allErrs, field.Invalid(field.NewPath("metadata"), sar.ObjectMeta, `must be empty`))
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
|
||||
func ValidateLocalSubjectAccessReview(sar *authorizationapi.LocalSubjectAccessReview) field.ErrorList {
|
||||
allErrs := ValidateSubjectAccessReviewSpec(sar.Spec, field.NewPath("spec"))
|
||||
if !api.Semantic.DeepEqual(api.ObjectMeta{}, sar.ObjectMeta) {
|
||||
allErrs = append(allErrs, field.Invalid(field.NewPath("metadata"), sar.ObjectMeta, `must be empty`))
|
||||
}
|
||||
return allErrs
|
||||
}
|
||||
|
||||
@@ -47,6 +47,9 @@ func DeepCopy_authorization_LocalSubjectAccessReview(in interface{}, out interfa
|
||||
in := in.(*LocalSubjectAccessReview)
|
||||
out := out.(*LocalSubjectAccessReview)
|
||||
out.TypeMeta = in.TypeMeta
|
||||
if err := api.DeepCopy_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := DeepCopy_authorization_SubjectAccessReviewSpec(&in.Spec, &out.Spec, c); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -85,6 +88,9 @@ func DeepCopy_authorization_SelfSubjectAccessReview(in interface{}, out interfac
|
||||
in := in.(*SelfSubjectAccessReview)
|
||||
out := out.(*SelfSubjectAccessReview)
|
||||
out.TypeMeta = in.TypeMeta
|
||||
if err := api.DeepCopy_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := DeepCopy_authorization_SelfSubjectAccessReviewSpec(&in.Spec, &out.Spec, c); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -120,6 +126,9 @@ func DeepCopy_authorization_SubjectAccessReview(in interface{}, out interface{},
|
||||
in := in.(*SubjectAccessReview)
|
||||
out := out.(*SubjectAccessReview)
|
||||
out.TypeMeta = in.TypeMeta
|
||||
if err := api.DeepCopy_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := DeepCopy_authorization_SubjectAccessReviewSpec(&in.Spec, &out.Spec, c); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -156,12 +165,12 @@ func DeepCopy_authorization_SubjectAccessReviewSpec(in interface{}, out interfac
|
||||
}
|
||||
if in.Extra != nil {
|
||||
in, out := &in.Extra, &out.Extra
|
||||
*out = make(map[string][]string)
|
||||
*out = make(map[string]ExtraValue)
|
||||
for key, val := range *in {
|
||||
if newVal, err := c.DeepCopy(&val); err != nil {
|
||||
return err
|
||||
} else {
|
||||
(*out)[key] = *newVal.(*[]string)
|
||||
(*out)[key] = *newVal.(*ExtraValue)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -177,6 +186,7 @@ func DeepCopy_authorization_SubjectAccessReviewStatus(in interface{}, out interf
|
||||
out := out.(*SubjectAccessReviewStatus)
|
||||
out.Allowed = in.Allowed
|
||||
out.Reason = in.Reason
|
||||
out.EvaluationError = in.EvaluationError
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user