add subject access review types #18722
Conversation
|
Labelling this PR as size/XL |
k8s-github-robot
added
kind/api-change
|
GCE e2e build/test failed for commit 7d6cc022425c3b30ada62535ab3f306b427fa93b. |
| unversioned.TypeMeta | ||
|
|
||
| // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace | ||
| // you made the request against. If emtpy, it is defaulted. |
|
GCE e2e build/test failed for commit d2f13d981056606bb1f844f922b7bf0bd6573c87. |
| type ResourceAuthorizationAttributes struct { | ||
| // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces | ||
| Namespace string | ||
| // Verb is one of: get, list, watch, create, update, delete |
There was a problem hiding this comment.
proxy?
I'll tweak the comment to indicate that its "one like" and probably mention that you have to pass "*" to mean "all verbs", not empty string.
|
api types updated, I'll get the rest of the ripples tomorrow. |
|
GCE e2e build/test failed for commit 7bc5ec644459b637833876139f29b42a4d2c3200. |
|
All the generated files up to date again. |
|
Labelling this PR as size/XXL |
k8s-github-robot
added
size/XXL
|
GCE e2e test build/test passed for commit 1d8e319b411f10155928d4fc0e88e69cf2eb9e72. |
|
@erictune @smarterclayton. Comments? |
k8s-github-robot
added
the
needs-rebase
|
@lavalamp fyi. |
|
GCE e2e test build/test passed for commit cb3379714e32ac857a4a1ce9bfb6d1ab8e5ab87d. |
|
@k8s-bot unit test this please |
|
unit test says |
|
Okay, I've decided not to block this on comments from @lavalamp and @bgrant0607 . |
erictune
added
the
lgtm
|
@k8s-bot unit test this please |
|
rebased, validation typo fixed (unit test), and squashed. |
deads2k
added
lgtm
|
GCE e2e test build/test passed for commit 14396fc. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test failed for commit 14396fc. |
|
@k8s-bot e2e test this please |
|
GCE e2e test build/test passed for commit 14396fc. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e test build/test passed for commit 14396fc. |
|
Automatic merge from submit-queue |
Auto commit by PR queue bot
| unversioned.TypeMeta `json:",inline"` | ||
|
|
||
| // Spec holds information about the request being evaluated | ||
| Spec SubjectAccessReviewSpec `json:"spec"` |
There was a problem hiding this comment.
It's useful for spec to be optional (omitempty) when posting to /status.
|
Suggest in follow up PR make Spec and Status of each object be pointers so that Status can be empty on the POST and Spec can be empty in the response? |
|
Hrm - I don't think making them pointers is required, they're easy
enough to clear, and we can always test for emptiness if it becomes
important. Having them be pointers makes writing them harder (one
more source of nil pointers). We don't make any of the other spec and
status and metadata objects pointers for similar reasons.
|
|
Fine. But can the specs be omitempty so that they don't have to be duplicated on the respose? |
I don't object. I'll update that when I start the implementation. |
Ref #12209
This adds
SubjectAccessReviewkinds.SubjectAccessReviewis cluster-scoped and allows lookups for arbitrary users and groupsLocalSubjectAccessReviewis namespace-scoped and allows lookups for arbitrary users and groups. This is separate to make it very easy to grant permissions to inspect permissions for users in a particular namespaceSelfSubjectAccessReviewis cluster-scoped and allows lookups only for the current user.@liggitt @smarterclayton @erictune
@kubernetes/kube-iam @kubernetes/kube-api