authorization.v1.subjectAccessReviewSpec
"SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set"
Index
fn withExtra(extra)fn withExtraMixin(extra)fn withGroups(groups)fn withGroupsMixin(groups)fn withUid(uid)fn withUser(user)obj nonResourceAttributesobj resourceAttributes
Fields
fn withExtra
withExtra(extra)
"Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here."
fn withExtraMixin
withExtraMixin(extra)
"Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here."
Note: This function appends passed data to existing values
fn withGroups
withGroups(groups)
"Groups is the groups you're testing for."
fn withGroupsMixin
withGroupsMixin(groups)
"Groups is the groups you're testing for."
Note: This function appends passed data to existing values
fn withUid
withUid(uid)
"UID information about the requesting user."
fn withUser
withUser(user)
"User is the user you're testing for. If you specify \"User\" but not \"Groups\", then is it interpreted as \"What if User were not a member of any groups"
obj nonResourceAttributes
"NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface"
fn nonResourceAttributes.withPath
withPath(path)
"Path is the URL path of the request"
fn nonResourceAttributes.withVerb
withVerb(verb)
"Verb is the standard HTTP verb"
obj resourceAttributes
"ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface"
fn resourceAttributes.withGroup
withGroup(group)
"Group is the API Group of the Resource. \"*\" means all."
fn resourceAttributes.withName
withName(name)
"Name is the name of the resource being requested for a \"get\" or deleted for a \"delete\". \"\" (empty) means all."
fn resourceAttributes.withNamespace
withNamespace(namespace)
"Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces \"\" (empty) is defaulted for LocalSubjectAccessReviews \"\" (empty) is empty for cluster-scoped resources \"\" (empty) means \"all\" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview"
fn resourceAttributes.withResource
withResource(resource)
"Resource is one of the existing resource types. \"*\" means all."
fn resourceAttributes.withSubresource
withSubresource(subresource)
"Subresource is one of the existing resource types. \"\" means none."
fn resourceAttributes.withVerb
withVerb(verb)
"Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. \"*\" means all."
fn resourceAttributes.withVersion
withVersion(version)
"Version is the API Version of the Resource. \"*\" means all."
obj resourceAttributes.fieldSelector
"FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid."
fn resourceAttributes.fieldSelector.withRawSelector
withRawSelector(rawSelector)
"rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present."
fn resourceAttributes.fieldSelector.withRequirements
withRequirements(requirements)
"requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood."
fn resourceAttributes.fieldSelector.withRequirementsMixin
withRequirementsMixin(requirements)
"requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood."
Note: This function appends passed data to existing values
obj resourceAttributes.labelSelector
"LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid."
fn resourceAttributes.labelSelector.withRawSelector
withRawSelector(rawSelector)
"rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present."
fn resourceAttributes.labelSelector.withRequirements
withRequirements(requirements)
"requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood."
fn resourceAttributes.labelSelector.withRequirementsMixin
withRequirementsMixin(requirements)
"requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood."
Note: This function appends passed data to existing values