aa698bc3e1
Kubernetes v1.22 version has been released and this update ceph csi dependencies to use the same version. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// Authorization is evaluated in this order:
//  1. ClusterRoleBindings - short circuit on match
//  2. RoleBindings in the namespace requested - short circuit on match
//  3. deny by default
//
// The "*" wildcards below stand for "all" in the corresponding PolicyRule
// field (see the PolicyRule field docs in this file). A rule that carries
// one grants far more than its other fields suggest, so treat such rules
// as privileged when reviewing them.
const (
	APIGroupAll    = "*"
	ResourceAll    = "*"
	VerbAll        = "*"
	NonResourceAll = "*"
)

// Subject kinds defined by this API group; these are the values a
// Subject.Kind is expected to hold.
const (
	GroupKind          = "Group"
	ServiceAccountKind = "ServiceAccount"
	UserKind           = "User"
)

// AutoUpdateAnnotationKey is the name of an annotation which prevents
// reconciliation if set to "false".
const AutoUpdateAnnotationKey = "rbac.authorization.kubernetes.io/autoupdate"
// Authorization is calculated against
// 1. evaluation of ClusterRoleBindings - short circuit on match
// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
// 3. deny by default
// PolicyRule holds information that describes a policy rule, but does not contain information
// about who the rule applies to or which namespace the rule applies to.
//
// Rules only ever grant access: this API group defines no deny rule, and the
// evaluation order documented above the constants in this file ends in
// "deny by default". Each "*" wildcard (APIGroupAll, ResourceAll, VerbAll,
// NonResourceAll) widens the rule to everything in that field, so a rule
// carrying one deserves a closer look than its other fields suggest.
type PolicyRule struct {
	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. '*' represents all verbs.
	// Required: the json tag carries no omitempty.
	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`

	// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
	// the enumerated resources in any API group will be allowed.
	// NOTE(review): protobuf field number 2 is not used by any field of this struct; presumably retired upstream, so check the generated .proto before assigning it.
	// +optional
	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,3,rep,name=apiGroups"`
	// Resources is a list of resources this rule applies to. '*' represents all resources.
	// +optional
	Resources []string `json:"resources,omitempty" protobuf:"bytes,4,rep,name=resources"`
	// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
	// This field can only narrow a rule: leaving it empty is the broad case, not the restricted one.
	// +optional
	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,5,rep,name=resourceNames"`

	// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path.
	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
	// +optional
	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,6,rep,name=nonResourceURLs"`
}
// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
// or a value for non-objects such as user and group names.
//
// The Kind/Name/Namespace triple is what a binding matches an authenticated
// identity against; the docs on each field say which combinations the
// Authorizer must reject rather than silently ignore.
type Subject struct {
	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount"
	// (see UserKind, GroupKind and ServiceAccountKind).
	// If the Authorizer does not recognize the kind value, the Authorizer should report an error.
	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
	// APIVersion holds the API group and version of the referenced subject.
	// Defaults to "v1" for ServiceAccount subjects.
	// Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
	// NOTE(review): the protobuf tag below reads `opt.name=apiVersion` while every other field in this file uses `opt,name=...`.
	// Left untouched: this looks like a vendored upstream file, and protobuf encoding is presumably driven by generated code rather than this tag — confirm before changing it.
	// +k8s:conversion-gen=false
	// +optional
	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt.name=apiVersion"`
	// Name of the object being referenced.
	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
	// Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
	// the Authorizer should report an error.
	// +optional
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
}
// RoleRef contains information that points to the role being used.
//
// A binding's RoleRef is the field that decides which PolicyRules its
// Subjects receive; the RoleBinding and ClusterRoleBinding docs in this file
// require the Authorizer to return an error when it cannot be resolved.
type RoleRef struct {
	// APIGroup is the group for the resource being referenced.
	APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
	// Kind is the type of resource being referenced.
	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
	// Name is the name of resource being referenced.
	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
}
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
//
// NOTE(review): the serving cutoff above matches the Kubernetes version this
// copy was updated for (per the commit message), so clients on this v1alpha1
// group should be expected to fail against current API servers; use the v1 type.
type Role struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Rules holds all the PolicyRules for this Role.
	// Serialized even when empty (no omitempty on the json tag).
	// +optional
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace.
// It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given
// namespace only have effect in that namespace.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.
//
// NOTE(review): the serving cutoff above matches the Kubernetes version this
// copy was updated for (per the commit message); callers should use the v1 type.
type RoleBinding struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Subjects holds references to the objects the role applies to.
	// +optional
	Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	// Referencing a ClusterRole from here still only grants access within this binding's namespace (see the type doc above).
	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleBindingList is a collection of RoleBindings.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBindingList, and will no longer be served in v1.22.
type RoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of RoleBindings.
	// Always serialized (no omitempty on the json tag).
	Items []RoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RoleList is a collection of Roles.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleList, and will no longer be served in v1.22.
type RoleList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of Roles.
	// Always serialized (no omitempty on the json tag).
	Items []Role `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRole, and will no longer be served in v1.22.
//
// NOTE(review): the serving cutoff above matches the Kubernetes version this
// copy was updated for (per the commit message); callers should use the v1 type.
type ClusterRole struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Rules holds all the PolicyRules for this ClusterRole.
	// Serialized even when empty (no omitempty on the json tag).
	// +optional
	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`

	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
	// stomped by the controller.
	// In effect the permissions of an aggregating ClusterRole are decided by the ClusterRoles its selectors
	// match (see AggregationRule), not only by edits to this object — worth remembering when reviewing who may create or label ClusterRoles.
	// +optional
	AggregationRule *AggregationRule `json:"aggregationRule,omitempty" protobuf:"bytes,3,opt,name=aggregationRule"`
}
// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole.
type AggregationRule struct {
	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
	// If any of the selectors match, then the ClusterRole's permissions will be added.
	// Selectors are therefore OR-ed: one match by any selector is enough for that ClusterRole's rules to be included.
	// +optional
	ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleBinding references a ClusterRole, but does not contain it. It can reference a ClusterRole in the global namespace,
// and adds who information via Subject.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBinding, and will no longer be served in v1.22.
//
// NOTE(review): the serving cutoff above matches the Kubernetes version this
// copy was updated for (per the commit message); callers should use the v1 type.
type ClusterRoleBinding struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Subjects holds references to the objects the role applies to.
	// Unlike a RoleBinding, the grant is not scoped to a namespace (see the type doc above).
	// +optional
	Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"`

	// RoleRef can only reference a ClusterRole in the global namespace.
	// If the RoleRef cannot be resolved, the Authorizer must return an error.
	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleBindingList is a collection of ClusterRoleBindings.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBindingList, and will no longer be served in v1.22.
type ClusterRoleBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of ClusterRoleBindings.
	// Always serialized (no omitempty on the json tag).
	Items []ClusterRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterRoleList is a collection of ClusterRoles.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleList, and will no longer be served in v1.22.
type ClusterRoleList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is a list of ClusterRoles.
	// Always serialized (no omitempty on the json tag).
	Items []ClusterRole `json:"items" protobuf:"bytes,2,rep,name=items"`
}