add subjectaccessreview field and label selectors
Co-authored-by: Jordan Liggitt <liggitt@google.com>
committed by
Jordan Liggitt
parent
acaec0c23a
commit
90f0b88b6a
@@ -87,6 +87,72 @@ type ResourceAttributes struct {
|
||||
Subresource string
|
||||
// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
|
||||
Name string
|
||||
// fieldSelector describes the limitation on access based on field. It can only limit access, not broaden it.
|
||||
//
|
||||
// This field is alpha-level. To use this field, you must enable the
|
||||
// `AuthorizeWithSelectors` feature gate (disabled by default).
|
||||
// +optional
|
||||
FieldSelector *FieldSelectorAttributes
|
||||
// labelSelector describes the limitation on access based on labels. It can only limit access, not broaden it.
|
||||
//
|
||||
// This field is alpha-level. To use this field, you must enable the
|
||||
// `AuthorizeWithSelectors` feature gate (disabled by default).
|
||||
// +optional
|
||||
LabelSelector *LabelSelectorAttributes
|
||||
}
|
||||
|
||||
// LabelSelectorAttributes indicates a label limited access.
|
||||
// Webhook authors are encouraged to
|
||||
// * ensure rawSelector and requirements are not both set
|
||||
// * consider the requirements field if set
|
||||
// * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details.
|
||||
// For the *SubjectAccessReview endpoints of the kube-apiserver:
|
||||
// * If rawSelector is empty and requirements are empty, the request is not limited.
|
||||
// * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds.
|
||||
// * If rawSelector is empty and requirements are present, the requirements should be honored
|
||||
// * If rawSelector is present and requirements are present, the request is invalid.
|
||||
type LabelSelectorAttributes struct {
|
||||
// rawSelector is the serialization of a field selector that would be included in a query parameter.
|
||||
// Webhook implementations are encouraged to ignore rawSelector.
|
||||
// The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
|
||||
// +optional
|
||||
RawSelector string
|
||||
|
||||
// requirements is the parsed interpretation of a label selector.
|
||||
// All requirements must be met for a resource instance to match the selector.
|
||||
// Webhook implementations should handle requirements, but how to handle them is up to the webhook.
|
||||
// Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements
|
||||
// are not understood.
|
||||
// +optional
|
||||
// +listType=atomic
|
||||
Requirements []metav1.LabelSelectorRequirement
|
||||
}
|
||||
|
||||
// FieldSelectorAttributes indicates a field limited access.
|
||||
// Webhook authors are encouraged to
|
||||
// * ensure rawSelector and requirements are not both set
|
||||
// * consider the requirements field if set
|
||||
// * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details.
|
||||
// For the *SubjectAccessReview endpoints of the kube-apiserver:
|
||||
// * If rawSelector is empty and requirements are empty, the request is not limited.
|
||||
// * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds.
|
||||
// * If rawSelector is empty and requirements are present, the requirements should be honored
|
||||
// * If rawSelector is present and requirements are present, the request is invalid.
|
||||
type FieldSelectorAttributes struct {
|
||||
// rawSelector is the serialization of a field selector that would be included in a query parameter.
|
||||
// Webhook implementations are encouraged to ignore rawSelector.
|
||||
// The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
|
||||
// +optional
|
||||
RawSelector string
|
||||
|
||||
// requirements is the parsed interpretation of a field selector.
|
||||
// All requirements must be met for a resource instance to match the selector.
|
||||
// Webhook implementations should handle requirements, but how to handle them is up to the webhook.
|
||||
// Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements
|
||||
// are not understood.
|
||||
// +optional
|
||||
// +listType=atomic
|
||||
Requirements []metav1.FieldSelectorRequirement
|
||||
}
|
||||
|
||||
// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
|
||||
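Review bot: The rawSelector comment on LabelSelectorAttributes still says "serialization of a field selector", a copy-paste from FieldSelectorAttributes; it should read `// rawSelector is the serialization of a label selector that would be included in a query parameter.` The contract text on both new types states that a request with rawSelector and requirements both set is invalid, but nothing in this hunk enforces that, so the rejection presumably lives in the validation package and is worth confirming before the `AuthorizeWithSelectors` gate is enabled anywhere. The new field comments also name the fields in json style (`fieldSelector`, `labelSelector`) while the neighbouring `Name` comment uses the Go name; pick one convention for this file. The ResourceAttributes struct that the first part of the hunk extends starts before the hunk.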