github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Delete abac api

pull/58/head
Darren Shepherd 2018-10-08 00:15:23 -07:00
parent 67c5df7176
commit 6c67e944a5
26 changed files with 0 additions and 1308 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
pkg/apis/abac/BUILD
View File

@ -1,42 +0,0 @@
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
)
go_library(
name = "go_default_library",
srcs = [
"doc.go",
"register.go",
"types.go",
"zz_generated.deepcopy.go",
],
importpath = "k8s.io/kubernetes/pkg/apis/abac",
deps = [
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [
":package-srcs",
"//pkg/apis/abac/fuzzer:all-srcs",
"//pkg/apis/abac/latest:all-srcs",
"//pkg/apis/abac/v0:all-srcs",
"//pkg/apis/abac/v1beta1:all-srcs",
],
tags = ["automanaged"],
)

7
pkg/apis/abac/OWNERS
View File

@ -1,7 +0,0 @@
reviewers:
- lavalamp
- smarterclayton
- deads2k
- liggitt
- mbohlool
- david-mcmahon

19
pkg/apis/abac/doc.go
View File

@ -1,19 +0,0 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:deepcopy-gen=package
package abac

26
pkg/apis/abac/fuzzer/BUILD
View File

@ -1,26 +0,0 @@
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
)
go_library(
name = "go_default_library",
srcs = ["fuzzer.go"],
importpath = "k8s.io/kubernetes/pkg/apis/abac/fuzzer",
deps = ["//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library"],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)

26
pkg/apis/abac/fuzzer/fuzzer.go
View File

@ -1,26 +0,0 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fuzzer
import (
runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
)
// Funcs returns the fuzzer functions for the abac api group.
var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
return []interface{}{}
}

30
pkg/apis/abac/latest/BUILD
View File

@ -1,30 +0,0 @@
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
)
go_library(
name = "go_default_library",
srcs = ["latest.go"],
importpath = "k8s.io/kubernetes/pkg/apis/abac/latest",
deps = [
"//pkg/apis/abac:go_default_library",
"//pkg/apis/abac/v0:go_default_library",
"//pkg/apis/abac/v1beta1:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)

26
pkg/apis/abac/latest/latest.go
View File

@ -1,26 +0,0 @@
/*
Copyright 2014 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package latest
import (
_ "k8s.io/kubernetes/pkg/apis/abac"
_ "k8s.io/kubernetes/pkg/apis/abac/v0"
_ "k8s.io/kubernetes/pkg/apis/abac/v1beta1"
)
// TODO: this file is totally wrong, it should look like other latest files.
// lavalamp is in the middle of fixing this code, so wait for the new way of doing things..

55
pkg/apis/abac/register.go
View File

@ -1,55 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package abac
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
)
// GroupName is the API group for abac
const GroupName = "abac.authorization.kubernetes.io"
// SchemeGroupVersion is the API group version used to register abac internal
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
// Scheme is the default instance of runtime.Scheme to which types in the abac API group are api.Registry.
// TODO: remove this, abac should not have its own scheme.
var Scheme = runtime.NewScheme()
// Codecs provides access to encoding and decoding for the scheme
var Codecs = serializer.NewCodecFactory(Scheme)
func init() {
// TODO: delete this, abac should not have its own scheme.
addKnownTypes(Scheme)
}
var (
// SchemeBuilder is the scheme builder with scheme init functions to run for this API package
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
// AddToScheme is a common registration function for mapping packaged scoped group & version keys to a scheme
AddToScheme = SchemeBuilder.AddToScheme
)
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&Policy{},
)
return nil
}

74
pkg/apis/abac/types.go
View File

@ -1,74 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package abac
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// Policy contains a single ABAC policy rule
type Policy struct {
metav1.TypeMeta
// Spec describes the policy rule
Spec PolicySpec
}
// PolicySpec contains the attributes for a policy rule
type PolicySpec struct {
// User is the username this rule applies to.
// Either user or group is required to match the request.
// "*" matches all users.
User string
// Group is the group this rule applies to.
// Either user or group is required to match the request.
// "*" matches all groups.
Group string
// Readonly matches readonly requests when true, and all requests when false
Readonly bool
// APIGroup is the name of an API group. APIGroup, Resource, and Namespace are required to match resource requests.
// "*" matches all API groups
APIGroup string
// Resource is the name of a resource. APIGroup, Resource, and Namespace are required to match resource requests.
// "*" matches all resources
Resource string
// Namespace is the name of a namespace. APIGroup, Resource, and Namespace are required to match resource requests.
// "*" matches all namespaces (including unnamespaced requests)
Namespace string
// NonResourcePath matches non-resource request paths.
// "*" matches all paths
// "/foo/*" matches all subpaths of foo
NonResourcePath string
// TODO: "expires" string in RFC3339 format.
// TODO: want a way to allow some users to restart containers of a pod but
// not delete or modify it.
// TODO: want a way to allow a controller to create a pod based only on a
// certain podTemplates.
}

49
pkg/apis/abac/v0/BUILD
View File

@ -1,49 +0,0 @@
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_library(
name = "go_default_library",
srcs = [
"conversion.go",
"doc.go",
"register.go",
"types.go",
"zz_generated.deepcopy.go",
],
importpath = "k8s.io/kubernetes/pkg/apis/abac/v0",
deps = [
"//pkg/apis/abac:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/conversion:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
],
)
go_test(
name = "go_default_test",
srcs = ["conversion_test.go"],
embed = [":go_default_library"],
deps = [
"//pkg/apis/abac:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)

68
pkg/apis/abac/v0/conversion.go
View File

@ -1,68 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v0
import (
"k8s.io/apimachinery/pkg/conversion"
"k8s.io/apimachinery/pkg/runtime"
api "k8s.io/kubernetes/pkg/apis/abac"
)
// allAuthenticated matches k8s.io/apiserver/pkg/authentication/user.AllAuthenticated,
// but we don't want an client library (which must include types), depending on a server library
const allAuthenticated = "system:authenticated"
func addConversionFuncs(scheme *runtime.Scheme) error {
return scheme.AddConversionFuncs(
func(in *Policy, out *api.Policy, s conversion.Scope) error {
// Begin by copying all fields
out.Spec.User = in.User
out.Spec.Group = in.Group
out.Spec.Namespace = in.Namespace
out.Spec.Resource = in.Resource
out.Spec.Readonly = in.Readonly
// In v0, unspecified user and group matches all authenticated subjects
if len(in.User) == 0 && len(in.Group) == 0 {
out.Spec.Group = allAuthenticated
}
// In v0, user or group of * matches all authenticated subjects
if in.User == "*" || in.Group == "*" {
out.Spec.Group = allAuthenticated
out.Spec.User = ""
}
// In v0, leaving namespace empty matches all namespaces
if len(in.Namespace) == 0 {
out.Spec.Namespace = "*"
}
// In v0, leaving resource empty matches all resources
if len(in.Resource) == 0 {
out.Spec.Resource = "*"
}
// Any rule in v0 should match all API groups
out.Spec.APIGroup = "*"
// In v0, leaving namespace and resource blank allows non-resource paths
if len(in.Namespace) == 0 && len(in.Resource) == 0 {
out.Spec.NonResourcePath = "*"
}
return nil
},
)
}

88
pkg/apis/abac/v0/conversion_test.go
View File

@ -1,88 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v0_test
import (
"reflect"
"testing"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac/v0"
)
func TestV0Conversion(t *testing.T) {
testcases := map[string]struct {
old *v0.Policy
expected *abac.Policy
}{
// a completely empty policy rule allows everything to all users
"empty": {
old: &v0.Policy{},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
},
// specifying a user is preserved
"user": {
old: &v0.Policy{User: "bob"},
expected: &abac.Policy{Spec: abac.PolicySpec{User: "bob", Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
},
// specifying a group is preserved (and no longer matches all users)
"group": {
old: &v0.Policy{Group: "mygroup"},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: "mygroup", Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
},
// specifying * for user or group maps to all authenticated subjects
"* user": {
old: &v0.Policy{User: "*"},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
},
"* group": {
old: &v0.Policy{Group: "*"},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "*", Namespace: "*", Resource: "*", APIGroup: "*"}},
},
// specifying a namespace removes the * match on non-resource path
"namespace": {
old: &v0.Policy{Namespace: "myns"},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "", Namespace: "myns", Resource: "*", APIGroup: "*"}},
},
// specifying a resource removes the * match on non-resource path
"resource": {
old: &v0.Policy{Resource: "myresource"},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "", Namespace: "*", Resource: "myresource", APIGroup: "*"}},
},
// specifying a namespace+resource removes the * match on non-resource path
"namespace+resource": {
old: &v0.Policy{Namespace: "myns", Resource: "myresource"},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: user.AllAuthenticated, Readonly: false, NonResourcePath: "", Namespace: "myns", Resource: "myresource", APIGroup: "*"}},
},
}
for k, tc := range testcases {
internal := &abac.Policy{}
if err := abac.Scheme.Convert(tc.old, internal, nil); err != nil {
t.Errorf("%s: unexpected error: %v", k, err)
}
if !reflect.DeepEqual(internal, tc.expected) {
t.Errorf("%s: expected\n\t%#v, got \n\t%#v", k, tc.expected, internal)
}
}
}

21
pkg/apis/abac/v0/doc.go
View File

@ -1,21 +0,0 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:deepcopy-gen=package
// +groupName=abac.authorization.kubernetes.io
package v0 // import "k8s.io/kubernetes/pkg/apis/abac/v0"

67
pkg/apis/abac/v0/register.go
View File

@ -1,67 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v0
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/apis/abac"
)
// GroupName is the group name use in this package
const GroupName = "abac.authorization.kubernetes.io"
// SchemeGroupVersion is the API group version used to register abac v0
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v0"}
func init() {
// TODO: Delete this init function, abac should not have its own scheme.
if err := addKnownTypes(abac.Scheme); err != nil {
// Programmer error.
panic(err)
}
if err := addConversionFuncs(abac.Scheme); err != nil {
// Programmer error.
panic(err)
}
}
var (
// SchemeBuilder is the scheme builder with scheme init functions to run for this API package
// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
SchemeBuilder runtime.SchemeBuilder
// localSchemeBuilder ïs a pointer to SchemeBuilder instance. Using localSchemeBuilder
// defaulting and conversion init funcs are registered as well.
// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
localSchemeBuilder = &SchemeBuilder
// AddToScheme is a common registration function for mapping packaged scoped group & version keys to a scheme
AddToScheme = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes, addConversionFuncs)
}
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&Policy{},
)
return nil
}

56
pkg/apis/abac/v0/types.go
View File

@ -1,56 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:openapi-gen=true
package v0
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// Policy contains a single ABAC policy rule
type Policy struct {
metav1.TypeMeta `json:",inline"`
// User is the username this rule applies to.
// Either user or group is required to match the request.
// "*" matches all users.
// +optional
User string `json:"user,omitempty"`
// Group is the group this rule applies to.
// Either user or group is required to match the request.
// "*" matches all groups.
// +optional
Group string `json:"group,omitempty"`
// Readonly matches readonly requests when true, and all requests when false
// +optional
Readonly bool `json:"readonly,omitempty"`
// Resource is the name of a resource
// "*" matches all resources
// +optional
Resource string `json:"resource,omitempty"`
// Namespace is the name of a namespace
// "*" matches all namespaces (including unnamespaced requests)
// +optional
Namespace string `json:"namespace,omitempty"`
}

50
pkg/apis/abac/v0/zz_generated.deepcopy.go generated
View File

@ -1,50 +0,0 @@
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v0
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Policy) DeepCopyInto(out *Policy) {
*out = *in
out.TypeMeta = in.TypeMeta
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (in *Policy) DeepCopy() *Policy {
if in == nil {
return nil
}
out := new(Policy)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *Policy) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}

51
pkg/apis/abac/v1beta1/BUILD
View File

@ -1,51 +0,0 @@
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_library(
name = "go_default_library",
srcs = [
"conversion.go",
"doc.go",
"register.go",
"types.go",
"zz_generated.conversion.go",
"zz_generated.deepcopy.go",
"zz_generated.defaults.go",
],
importpath = "k8s.io/kubernetes/pkg/apis/abac/v1beta1",
deps = [
"//pkg/apis/abac:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/conversion:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
],
)
go_test(
name = "go_default_test",
srcs = ["conversion_test.go"],
embed = [":go_default_library"],
deps = [
"//pkg/apis/abac:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)

46
pkg/apis/abac/v1beta1/conversion.go
View File

@ -1,46 +0,0 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/apimachinery/pkg/conversion"
"k8s.io/apimachinery/pkg/runtime"
api "k8s.io/kubernetes/pkg/apis/abac"
)
// allAuthenticated matches k8s.io/apiserver/pkg/authentication/user.AllAuthenticated,
// but we don't want an client library (which must include types), depending on a server library
const allAuthenticated = "system:authenticated"
func addConversionFuncs(scheme *runtime.Scheme) error {
return scheme.AddConversionFuncs(
func(in *Policy, out *api.Policy, s conversion.Scope) error {
// Begin by copying all fields
if err := autoConvert_v1beta1_Policy_To_abac_Policy(in, out, s); err != nil {
return err
}
// In v1beta1, * user or group maps to all authenticated subjects
if in.Spec.User == "*" || in.Spec.Group == "*" {
out.Spec.Group = allAuthenticated
out.Spec.User = ""
}
return nil
},
)
}

64
pkg/apis/abac/v1beta1/conversion_test.go
View File

@ -1,64 +0,0 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1_test
import (
"reflect"
"testing"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac/v1beta1"
)
func TestV1Beta1Conversion(t *testing.T) {
testcases := map[string]struct {
old *v1beta1.Policy
expected *abac.Policy
}{
// specifying a user is preserved
"user": {
old: &v1beta1.Policy{Spec: v1beta1.PolicySpec{User: "bob"}},
expected: &abac.Policy{Spec: abac.PolicySpec{User: "bob"}},
},
// specifying a group is preserved
"group": {
old: &v1beta1.Policy{Spec: v1beta1.PolicySpec{Group: "mygroup"}},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: "mygroup"}},
},
// specifying * for user or group maps to all authenticated subjects
"* user": {
old: &v1beta1.Policy{Spec: v1beta1.PolicySpec{User: "*"}},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: user.AllAuthenticated}},
},
"* group": {
old: &v1beta1.Policy{Spec: v1beta1.PolicySpec{Group: "*"}},
expected: &abac.Policy{Spec: abac.PolicySpec{Group: user.AllAuthenticated}},
},
}
for k, tc := range testcases {
internal := &abac.Policy{}
if err := abac.Scheme.Convert(tc.old, internal, nil); err != nil {
t.Errorf("%s: unexpected error: %v", k, err)
}
if !reflect.DeepEqual(internal, tc.expected) {
t.Errorf("%s: expected\n\t%#v, got \n\t%#v", k, tc.expected, internal)
}
}
}

24
pkg/apis/abac/v1beta1/doc.go
View File

@ -1,24 +0,0 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/abac
// +k8s:openapi-gen=true
// +k8s:defaulter-gen=TypeMeta
// +groupName=abac.authorization.kubernetes.io
package v1beta1 // import "k8s.io/kubernetes/pkg/apis/abac/v1beta1"

67
pkg/apis/abac/v1beta1/register.go
View File

@ -1,67 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/apis/abac"
)
// GroupName is the group name use in this package
const GroupName = "abac.authorization.kubernetes.io"
// SchemeGroupVersion is the API group and version for abac v1beta1
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
func init() {
// TODO: delete this, abac should not have its own scheme.
if err := addKnownTypes(abac.Scheme); err != nil {
// Programmer error.
panic(err)
}
if err := addConversionFuncs(abac.Scheme); err != nil {
// Programmer error.
panic(err)
}
}
var (
// SchemeBuilder is the scheme builder with scheme init functions to run for this API package
// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
SchemeBuilder runtime.SchemeBuilder
// localSchemeBuilder ïs a pointer to SchemeBuilder instance. Using localSchemeBuilder
// defaulting and conversion init funcs are registered as well.
// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
localSchemeBuilder = &SchemeBuilder
// AddToScheme is a common registration function for mapping packaged scoped group & version keys to a scheme
AddToScheme = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes, addConversionFuncs, RegisterDefaults)
}
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&Policy{},
)
return nil
}

73
pkg/apis/abac/v1beta1/types.go
View File

@ -1,73 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:openapi-gen=true
package v1beta1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// Policy contains a single ABAC policy rule
type Policy struct {
metav1.TypeMeta `json:",inline"`
// Spec describes the policy rule
Spec PolicySpec `json:"spec"`
}
// PolicySpec contains the attributes for a policy rule
type PolicySpec struct {
// User is the username this rule applies to.
// Either user or group is required to match the request.
// "*" matches all users.
// +optional
User string `json:"user,omitempty"`
// Group is the group this rule applies to.
// Either user or group is required to match the request.
// "*" matches all groups.
// +optional
Group string `json:"group,omitempty"`
// Readonly matches readonly requests when true, and all requests when false
// +optional
Readonly bool `json:"readonly,omitempty"`
// APIGroup is the name of an API group. APIGroup, Resource, and Namespace are required to match resource requests.
// "*" matches all API groups
// +optional
APIGroup string `json:"apiGroup,omitempty"`
// Resource is the name of a resource. APIGroup, Resource, and Namespace are required to match resource requests.
// "*" matches all resources
// +optional
Resource string `json:"resource,omitempty"`
// Namespace is the name of a namespace. APIGroup, Resource, and Namespace are required to match resource requests.
// "*" matches all namespaces (including unnamespaced requests)
// +optional
Namespace string `json:"namespace,omitempty"`
// NonResourcePath matches non-resource request paths.
// "*" matches all paths
// "/foo/*" matches all subpaths of foo
// +optional
NonResourcePath string `json:"nonResourcePath,omitempty"`
}

113
pkg/apis/abac/v1beta1/zz_generated.conversion.go generated
View File

@ -1,113 +0,0 @@
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1beta1
import (
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
abac "k8s.io/kubernetes/pkg/apis/abac"
)
func init() {
localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
if err := s.AddGeneratedConversionFunc((*Policy)(nil), (*abac.Policy)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1beta1_Policy_To_abac_Policy(a.(*Policy), b.(*abac.Policy), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*abac.Policy)(nil), (*Policy)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_abac_Policy_To_v1beta1_Policy(a.(*abac.Policy), b.(*Policy), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*PolicySpec)(nil), (*abac.PolicySpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1beta1_PolicySpec_To_abac_PolicySpec(a.(*PolicySpec), b.(*abac.PolicySpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*abac.PolicySpec)(nil), (*PolicySpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_abac_PolicySpec_To_v1beta1_PolicySpec(a.(*abac.PolicySpec), b.(*PolicySpec), scope)
}); err != nil {
return err
}
return nil
}
func autoConvert_v1beta1_Policy_To_abac_Policy(in *Policy, out *abac.Policy, s conversion.Scope) error {
if err := Convert_v1beta1_PolicySpec_To_abac_PolicySpec(&in.Spec, &out.Spec, s); err != nil {
return err
}
return nil
}
// Convert_v1beta1_Policy_To_abac_Policy is an autogenerated conversion function.
func Convert_v1beta1_Policy_To_abac_Policy(in *Policy, out *abac.Policy, s conversion.Scope) error {
return autoConvert_v1beta1_Policy_To_abac_Policy(in, out, s)
}
func autoConvert_abac_Policy_To_v1beta1_Policy(in *abac.Policy, out *Policy, s conversion.Scope) error {
if err := Convert_abac_PolicySpec_To_v1beta1_PolicySpec(&in.Spec, &out.Spec, s); err != nil {
return err
}
return nil
}
// Convert_abac_Policy_To_v1beta1_Policy is an autogenerated conversion function.
func Convert_abac_Policy_To_v1beta1_Policy(in *abac.Policy, out *Policy, s conversion.Scope) error {
return autoConvert_abac_Policy_To_v1beta1_Policy(in, out, s)
}
func autoConvert_v1beta1_PolicySpec_To_abac_PolicySpec(in *PolicySpec, out *abac.PolicySpec, s conversion.Scope) error {
out.User = in.User
out.Group = in.Group
out.Readonly = in.Readonly
out.APIGroup = in.APIGroup
out.Resource = in.Resource
out.Namespace = in.Namespace
out.NonResourcePath = in.NonResourcePath
return nil
}
// Convert_v1beta1_PolicySpec_To_abac_PolicySpec is an autogenerated conversion function.
func Convert_v1beta1_PolicySpec_To_abac_PolicySpec(in *PolicySpec, out *abac.PolicySpec, s conversion.Scope) error {
return autoConvert_v1beta1_PolicySpec_To_abac_PolicySpec(in, out, s)
}
func autoConvert_abac_PolicySpec_To_v1beta1_PolicySpec(in *abac.PolicySpec, out *PolicySpec, s conversion.Scope) error {
out.User = in.User
out.Group = in.Group
out.Readonly = in.Readonly
out.APIGroup = in.APIGroup
out.Resource = in.Resource
out.Namespace = in.Namespace
out.NonResourcePath = in.NonResourcePath
return nil
}
// Convert_abac_PolicySpec_To_v1beta1_PolicySpec is an autogenerated conversion function.
func Convert_abac_PolicySpec_To_v1beta1_PolicySpec(in *abac.PolicySpec, out *PolicySpec, s conversion.Scope) error {
return autoConvert_abac_PolicySpec_To_v1beta1_PolicySpec(in, out, s)
}

67
pkg/apis/abac/v1beta1/zz_generated.deepcopy.go generated
View File

@ -1,67 +0,0 @@
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1beta1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Policy) DeepCopyInto(out *Policy) {
*out = *in
out.TypeMeta = in.TypeMeta
out.Spec = in.Spec
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (in *Policy) DeepCopy() *Policy {
if in == nil {
return nil
}
out := new(Policy)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *Policy) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicySpec) DeepCopyInto(out *PolicySpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.
func (in *PolicySpec) DeepCopy() *PolicySpec {
if in == nil {
return nil
}
out := new(PolicySpec)
in.DeepCopyInto(out)
return out
}

32
pkg/apis/abac/v1beta1/zz_generated.defaults.go generated
View File

@ -1,32 +0,0 @@
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1beta1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
func RegisterDefaults(scheme *runtime.Scheme) error {
return nil
}

67
pkg/apis/abac/zz_generated.deepcopy.go generated
View File

@ -1,67 +0,0 @@
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package abac
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Policy) DeepCopyInto(out *Policy) {
*out = *in
out.TypeMeta = in.TypeMeta
out.Spec = in.Spec
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (in *Policy) DeepCopy() *Policy {
if in == nil {
return nil
}
out := new(Policy)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *Policy) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicySpec) DeepCopyInto(out *PolicySpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.
func (in *PolicySpec) DeepCopy() *PolicySpec {
if in == nil {
return nil
}
out := new(PolicySpec)
in.DeepCopyInto(out)
return out
}