authorization.v1.selfSubjectAccessReviewSpec

"SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set"

Index

• obj nonResourceAttributes
  • fn withPath(path)
  • fn withVerb(verb)
• obj resourceAttributes
  • fn withGroup(group)
  • fn withName(name)
  • fn withNamespace(namespace)
  • fn withResource(resource)
  • fn withSubresource(subresource)
  • fn withVerb(verb)
  • fn withVersion(version)
  • obj resourceAttributes.fieldSelector
    • fn withRawSelector(rawSelector)
    • fn withRequirements(requirements)
    • fn withRequirementsMixin(requirements)
  • obj resourceAttributes.labelSelector
    • fn withRawSelector(rawSelector)
    • fn withRequirements(requirements)
    • fn withRequirementsMixin(requirements)

Fields

obj nonResourceAttributes

"NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface"

fn nonResourceAttributes.withPath

withPath(path)

"Path is the URL path of the request"

fn nonResourceAttributes.withVerb

withVerb(verb)

"Verb is the standard HTTP verb"

obj resourceAttributes

"ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface"

fn resourceAttributes.withGroup

withGroup(group)

"Group is the API Group of the Resource. \"*\" means all."

fn resourceAttributes.withName

withName(name)

"Name is the name of the resource being requested for a \"get\" or deleted for a \"delete\". \"\" (empty) means all."

fn resourceAttributes.withNamespace

withNamespace(namespace)

"Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces \"\" (empty) is defaulted for LocalSubjectAccessReviews \"\" (empty) is empty for cluster-scoped resources \"\" (empty) means \"all\" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview"

fn resourceAttributes.withResource

withResource(resource)

"Resource is one of the existing resource types. \"*\" means all."

fn resourceAttributes.withSubresource

withSubresource(subresource)

"Subresource is one of the existing resource types. \"\" means none."

fn resourceAttributes.withVerb

withVerb(verb)

"Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. \"*\" means all."

fn resourceAttributes.withVersion

withVersion(version)

"Version is the API Version of the Resource. \"*\" means all."

obj resourceAttributes.fieldSelector

"FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid."

fn resourceAttributes.fieldSelector.withRawSelector

withRawSelector(rawSelector)

"rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present."

fn resourceAttributes.fieldSelector.withRequirements

withRequirements(requirements)

"requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood."

fn resourceAttributes.fieldSelector.withRequirementsMixin

withRequirementsMixin(requirements)

"requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood."

Note: This function appends passed data to existing values

obj resourceAttributes.labelSelector

"LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid."

fn resourceAttributes.labelSelector.withRawSelector

withRawSelector(rawSelector)

"rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present."

fn resourceAttributes.labelSelector.withRequirements

withRequirements(requirements)

"requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood."

fn resourceAttributes.labelSelector.withRequirementsMixin

withRequirementsMixin(requirements)

"requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood."

Note: This function appends passed data to existing values