mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-06-14 10:53:34 +00:00
rebase: update kubernetes to latest
updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This commit is contained in:
Madhu Rajanna
committed by
mergify[bot]
mergify[bot]
parent
63c4c05b35
commit
5a66991bb3
153
vendor/k8s.io/apiserver/pkg/cel/library/authz.go
generated
vendored
153
vendor/k8s.io/apiserver/pkg/cel/library/authz.go
generated
vendored
@ -22,6 +22,11 @@ import (
|
||||
"reflect"
|
||||
"strings"
|
||||
|
||||
"k8s.io/apimachinery/pkg/fields"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
genericfeatures "k8s.io/apiserver/pkg/features"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
|
||||
"github.com/google/cel-go/cel"
|
||||
"github.com/google/cel-go/common/types"
|
||||
"github.com/google/cel-go/common/types/ref"
|
||||
@ -194,6 +199,30 @@ import (
|
||||
// Examples:
|
||||
//
|
||||
// authorizer.group('').resource('pods').namespace('default').check('create').error()
|
||||
//
|
||||
// fieldSelector
|
||||
//
|
||||
// Takes a string field selector, parses it to field selector requirements, and includes it in the authorization check.
|
||||
// If the field selector does not parse successfully, no field selector requirements are included in the authorization check.
|
||||
// Added in Kubernetes 1.31+, Authz library version 1.
|
||||
//
|
||||
// <ResourceCheck>.fieldSelector(<string>) <ResourceCheck>
|
||||
//
|
||||
// Examples:
|
||||
//
|
||||
// authorizer.group('').resource('pods').fieldSelector('spec.nodeName=mynode').check('list').allowed()
|
||||
//
|
||||
// labelSelector (added in v1, Kubernetes 1.31+)
|
||||
//
|
||||
// Takes a string label selector, parses it to label selector requirements, and includes it in the authorization check.
|
||||
// If the label selector does not parse successfully, no label selector requirements are included in the authorization check.
|
||||
// Added in Kubernetes 1.31+, Authz library version 1.
|
||||
//
|
||||
// <ResourceCheck>.labelSelector(<string>) <ResourceCheck>
|
||||
//
|
||||
// Examples:
|
||||
//
|
||||
// authorizer.group('').resource('pods').labelSelector('app=example').check('list').allowed()
|
||||
func Authz() cel.EnvOption {
|
||||
return cel.Lib(authzLib)
|
||||
}
|
||||
@ -259,6 +288,66 @@ func (*authz) ProgramOptions() []cel.ProgramOption {
|
||||
return []cel.ProgramOption{}
|
||||
}
|
||||
|
||||
// AuthzSelectors provides a CEL function library extension for adding fieldSelector and
|
||||
// labelSelector filters to authorization checks. This requires the Authz library.
|
||||
// See documentation of the Authz library for use and availability of the authorizer variable.
|
||||
//
|
||||
// fieldSelector
|
||||
//
|
||||
// Takes a string field selector, parses it to field selector requirements, and includes it in the authorization check.
|
||||
// If the field selector does not parse successfully, no field selector requirements are included in the authorization check.
|
||||
// Added in Kubernetes 1.31+.
|
||||
//
|
||||
// <ResourceCheck>.fieldSelector(<string>) <ResourceCheck>
|
||||
//
|
||||
// Examples:
|
||||
//
|
||||
// authorizer.group('').resource('pods').fieldSelector('spec.nodeName=mynode').check('list').allowed()
|
||||
//
|
||||
// labelSelector
|
||||
//
|
||||
// Takes a string label selector, parses it to label selector requirements, and includes it in the authorization check.
|
||||
// If the label selector does not parse successfully, no label selector requirements are included in the authorization check.
|
||||
// Added in Kubernetes 1.31+.
|
||||
//
|
||||
// <ResourceCheck>.labelSelector(<string>) <ResourceCheck>
|
||||
//
|
||||
// Examples:
|
||||
//
|
||||
// authorizer.group('').resource('pods').labelSelector('app=example').check('list').allowed()
|
||||
func AuthzSelectors() cel.EnvOption {
|
||||
return cel.Lib(authzSelectorsLib)
|
||||
}
|
||||
|
||||
var authzSelectorsLib = &authzSelectors{}
|
||||
|
||||
type authzSelectors struct{}
|
||||
|
||||
func (*authzSelectors) LibraryName() string {
|
||||
return "k8s.authzSelectors"
|
||||
}
|
||||
|
||||
var authzSelectorsLibraryDecls = map[string][]cel.FunctionOpt{
|
||||
"fieldSelector": {
|
||||
cel.MemberOverload("authorizer_fieldselector", []*cel.Type{ResourceCheckType, cel.StringType}, ResourceCheckType,
|
||||
cel.BinaryBinding(resourceCheckFieldSelector))},
|
||||
"labelSelector": {
|
||||
cel.MemberOverload("authorizer_labelselector", []*cel.Type{ResourceCheckType, cel.StringType}, ResourceCheckType,
|
||||
cel.BinaryBinding(resourceCheckLabelSelector))},
|
||||
}
|
||||
|
||||
func (*authzSelectors) CompileOptions() []cel.EnvOption {
|
||||
options := make([]cel.EnvOption, 0, len(authzSelectorsLibraryDecls))
|
||||
for name, overloads := range authzSelectorsLibraryDecls {
|
||||
options = append(options, cel.Function(name, overloads...))
|
||||
}
|
||||
return options
|
||||
}
|
||||
|
||||
func (*authzSelectors) ProgramOptions() []cel.ProgramOption {
|
||||
return []cel.ProgramOption{}
|
||||
}
|
||||
|
||||
func authorizerPath(arg1, arg2 ref.Val) ref.Val {
|
||||
authz, ok := arg1.(authorizerVal)
|
||||
if !ok {
|
||||
@ -354,6 +443,38 @@ func resourceCheckSubresource(arg1, arg2 ref.Val) ref.Val {
|
||||
return result
|
||||
}
|
||||
|
||||
func resourceCheckFieldSelector(arg1, arg2 ref.Val) ref.Val {
|
||||
resourceCheck, ok := arg1.(resourceCheckVal)
|
||||
if !ok {
|
||||
return types.MaybeNoSuchOverloadErr(arg1)
|
||||
}
|
||||
|
||||
fieldSelector, ok := arg2.Value().(string)
|
||||
if !ok {
|
||||
return types.MaybeNoSuchOverloadErr(arg1)
|
||||
}
|
||||
|
||||
result := resourceCheck
|
||||
result.fieldSelector = fieldSelector
|
||||
return result
|
||||
}
|
||||
|
||||
func resourceCheckLabelSelector(arg1, arg2 ref.Val) ref.Val {
|
||||
resourceCheck, ok := arg1.(resourceCheckVal)
|
||||
if !ok {
|
||||
return types.MaybeNoSuchOverloadErr(arg1)
|
||||
}
|
||||
|
||||
labelSelector, ok := arg2.Value().(string)
|
||||
if !ok {
|
||||
return types.MaybeNoSuchOverloadErr(arg1)
|
||||
}
|
||||
|
||||
result := resourceCheck
|
||||
result.labelSelector = labelSelector
|
||||
return result
|
||||
}
|
||||
|
||||
func resourceCheckNamespace(arg1, arg2 ref.Val) ref.Val {
|
||||
resourceCheck, ok := arg1.(resourceCheckVal)
|
||||
if !ok {
|
||||
@ -544,11 +665,13 @@ func (g groupCheckVal) resourceCheck(resource string) resourceCheckVal {
|
||||
|
||||
type resourceCheckVal struct {
|
||||
receiverOnlyObjectVal
|
||||
groupCheck groupCheckVal
|
||||
resource string
|
||||
subresource string
|
||||
namespace string
|
||||
name string
|
||||
groupCheck groupCheckVal
|
||||
resource string
|
||||
subresource string
|
||||
namespace string
|
||||
name string
|
||||
fieldSelector string
|
||||
labelSelector string
|
||||
}
|
||||
|
||||
func (a resourceCheckVal) Authorize(ctx context.Context, verb string) ref.Val {
|
||||
@ -563,6 +686,26 @@ func (a resourceCheckVal) Authorize(ctx context.Context, verb string) ref.Val {
|
||||
Verb: verb,
|
||||
User: a.groupCheck.authorizer.userInfo,
|
||||
}
|
||||
|
||||
if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.AuthorizeWithSelectors) {
|
||||
if len(a.fieldSelector) > 0 {
|
||||
selector, err := fields.ParseSelector(a.fieldSelector)
|
||||
if err != nil {
|
||||
attr.FieldSelectorRequirements, attr.FieldSelectorParsingErr = nil, err
|
||||
} else {
|
||||
attr.FieldSelectorRequirements, attr.FieldSelectorParsingErr = selector.Requirements(), nil
|
||||
}
|
||||
}
|
||||
if len(a.labelSelector) > 0 {
|
||||
requirements, err := labels.ParseToRequirements(a.labelSelector)
|
||||
if err != nil {
|
||||
attr.LabelSelectorRequirements, attr.LabelSelectorParsingErr = nil, err
|
||||
} else {
|
||||
attr.LabelSelectorRequirements, attr.LabelSelectorParsingErr = requirements, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
decision, reason, err := a.groupCheck.authorizer.authAuthorizer.Authorize(ctx, attr)
|
||||
return newDecision(decision, err, reason)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user