add subject access review types #18722
Conversation
Labelling this PR as size/XL
GCE e2e build/test failed for commit 7d6cc022425c3b30ada62535ab3f306b427fa93b.
unversioned.TypeMeta | ||
|
||
// Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace | ||
// you made the request against. If emtpy, it is defaulted. |
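Review bot: the Spec comment on the second line misspells "empty" as "emtpy", and "it is defaulted" does not say what the default is; since the preceding sentence says spec.namespace must equal the namespace the request was made against, suggest "If empty, it is defaulted to the namespace of the request." so callers know which value the server fills in.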
typo
GCE e2e build/test failed for commit d2f13d981056606bb1f844f922b7bf0bd6573c87.
type ResourceAuthorizationAttributes struct { | ||
// Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces | ||
Namespace string | ||
// Verb is one of: get, list, watch, create, update, delete |
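Review bot: the Verb comment reads as an exhaustive list ("one of: get, list, watch, create, update, delete") but, as the reviewers ask, it omits proxy, and it does not say how a caller asks about all verbs or what an empty Verb means; suggest "Verb is a resource API verb like: get, list, watch, create, update, delete, proxy. "*" means all verbs; the empty string is not accepted as all verbs." For the Namespace comment, "there is no distinction between no namespace and all namespaces" is the security-relevant part: a caller that leaves Namespace unset is asking about access in every namespace, so the doc should state that an empty Namespace is read as all namespaces rather than leaving it as an aside.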
proxy?
proxy?
I'll tweak the comment to indicate that it's "one like" and probably mention that you have to pass "*" to mean "all verbs", not empty string.
api types updated, I'll get the rest of the ripples tomorrow.
GCE e2e build/test failed for commit 7bc5ec644459b637833876139f29b42a4d2c3200.
All the generated files up to date again.
Labelling this PR as size/XXL
GCE e2e test build/test passed for commit 1d8e319b411f10155928d4fc0e88e69cf2eb9e72.
@erictune @smarterclayton. Comments?
@lavalamp fyi.
GCE e2e test build/test passed for commit cb3379714e32ac857a4a1ce9bfb6d1ab8e5ab87d.
@k8s-bot unit test this please
unit test says
Okay, I've decided not to block this on comments from @lavalamp and @bgrant0607 .
@k8s-bot unit test this please
rebased, validation typo fixed (unit test), and squashed.
GCE e2e test build/test passed for commit 14396fc.
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
GCE e2e build/test failed for commit 14396fc.
@k8s-bot e2e test this please
GCE e2e test build/test passed for commit 14396fc.
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
GCE e2e test build/test passed for commit 14396fc.
Automatic merge from submit-queue
Auto commit by PR queue bot
unversioned.TypeMeta `json:",inline"` | ||
|
||
// Spec holds information about the request being evaluated | ||
Spec SubjectAccessReviewSpec `json:"spec"` |
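Review bot: Spec is tagged `json:"spec"` with no omitempty, so every encoded object, including the response to a POST to /status, carries the full spec; the thread below asks for omitempty so the spec need not be duplicated in the response. One caveat when applying that: encoding/json's omitempty only omits false, zero, empty strings, nil pointers, nil interfaces and empty arrays, slices and maps, never a struct value, so adding omitempty to a value-typed Spec changes nothing; the field would have to become a pointer (the other suggestion in the thread) or the object would need a custom marshaller for the spec to actually disappear.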
It's useful for spec to be optional (omitempty) when posting to /status.
Suggest in follow up PR make Spec and Status of each object be pointers so that Status can be empty on the POST and Spec can be empty in the response?
Hrm - I don't think making them pointers is required, they're easy enough to clear, and we can always test for emptiness if it becomes important. Having them be pointers makes writing them harder (one more source of nil pointers). We don't make any of the other spec and status and metadata objects pointers for similar reasons.

Fine. But can the specs be omitempty so that they don't have to be duplicated on the response?
I don't object. I'll update that when I start the implementation.
Ref #12209

This adds SubjectAccessReview kinds.

- SubjectAccessReview is cluster-scoped and allows lookups for arbitrary users and groups
- LocalSubjectAccessReview is namespace-scoped and allows lookups for arbitrary users and groups. This is separate to make it very easy to grant permissions to inspect permissions for users in a particular namespace
- SelfSubjectAccessReview is cluster-scoped and allows lookups only for the current user.

@liggitt @smarterclayton @erictune
@kubernetes/kube-iam @kubernetes/kube-api
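The two semantics argued over in this thread, that only "*" (never the empty string) means "all verbs" while an empty namespace is read as "all namespaces", and that omitempty on a value-typed Spec does not keep the spec out of the response, are easy to get wrong in an authorizer. The Go program below is an added example written for this page, not code from the PR or from Kubernetes: the struct types are simplified, hypothetical stand-ins for the ones under review, the Rule type and the Evaluate, matches and SpecKeyPresent functions are invented for the illustration, and the rule set in main is constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified, hypothetical stand-ins for the types under review, written for
// this example; they are not the project's own definitions.
type ResourceAuthorizationAttributes struct {
	// An empty Namespace means all namespaces, as the PR comment states.
	Namespace string `json:"namespace,omitempty"`
	// Verb is one like get, list, watch, create, update, delete.
	// "*" means all verbs; the empty string is rejected, not widened.
	Verb     string `json:"verb"`
	Resource string `json:"resource"`
}

type SubjectAccessReviewSpec struct {
	ResourceAttributes *ResourceAuthorizationAttributes `json:"resourceAttributes,omitempty"`
	User               string                           `json:"user,omitempty"`
	Groups             []string                         `json:"groups,omitempty"`
}

type SubjectAccessReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

// Spec as a value with omitempty, as the thread proposes. encoding/json
// never omits a struct-valued field, so the tag alone changes nothing here.
type SubjectAccessReview struct {
	Spec   SubjectAccessReviewSpec   `json:"spec,omitempty"`
	Status SubjectAccessReviewStatus `json:"status,omitempty"`
}

// PointerSpecReview is the pointer alternative from the thread; a nil
// pointer really is omitted from the encoded response.
type PointerSpecReview struct {
	Spec   *SubjectAccessReviewSpec  `json:"spec,omitempty"`
	Status SubjectAccessReviewStatus `json:"status"`
}

// Rule is a hypothetical allow rule used to answer reviews offline.
type Rule struct {
	User, Namespace, Verb, Resource string
}

func (r Rule) matches(user string, a ResourceAuthorizationAttributes) bool {
	if r.User != user {
		return false
	}
	// An empty rule namespace applies to every namespace.
	if r.Namespace != "" && r.Namespace != a.Namespace {
		return false
	}
	// Only "*" widens a rule to all verbs.
	if r.Verb != "*" && r.Verb != a.Verb {
		return false
	}
	return r.Resource == "*" || r.Resource == a.Resource
}

// Evaluate computes the Status for one review against a rule set.
func Evaluate(rules []Rule, review SubjectAccessReview) SubjectAccessReviewStatus {
	attrs := review.Spec.ResourceAttributes
	if attrs == nil {
		return SubjectAccessReviewStatus{Reason: "spec has no resourceAttributes"}
	}
	if attrs.Verb == "" {
		return SubjectAccessReviewStatus{Reason: `verb is required; use "*" for all verbs`}
	}
	for _, r := range rules {
		if r.matches(review.Spec.User, *attrs) {
			return SubjectAccessReviewStatus{Allowed: true}
		}
	}
	return SubjectAccessReviewStatus{Reason: "no rule matched"}
}

// SpecKeyPresent reports whether "spec" survives JSON encoding of v.
func SpecKeyPresent(v interface{}) bool {
	b, err := json.Marshal(v)
	if err != nil {
		return false
	}
	var m map[string]json.RawMessage
	if err := json.Unmarshal(b, &m); err != nil {
		return false
	}
	_, ok := m["spec"]
	return ok
}

func main() {
	// Constructed sample rule set and review for the demonstration.
	rules := []Rule{{User: "alice", Namespace: "dev", Verb: "*", Resource: "pods"}}
	review := SubjectAccessReview{Spec: SubjectAccessReviewSpec{User: "alice",
		ResourceAttributes: &ResourceAuthorizationAttributes{Namespace: "dev", Verb: "delete", Resource: "pods"}}}
	fmt.Printf("%+v\n", Evaluate(rules, review))
	fmt.Println("value spec omitted:", !SpecKeyPresent(SubjectAccessReview{}))
	fmt.Println("pointer spec omitted:", !SpecKeyPresent(PointerSpecReview{}))
}
```

The empty-verb check in Evaluate is the point of the "one like" discussion: a rule with Verb "*" matches any verb the caller names, but a review that names no verb is refused rather than silently treated as a query about every verb. SpecKeyPresent shows why the pointer question keeps coming back: a zero SubjectAccessReview still encodes as "spec":{} despite the omitempty tag, while the nil pointer in PointerSpecReview is dropped.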