k8s_pb/api/authorization/v1beta1/mod.rs
1// This file is @generated by prost-build.
/// ExtraValue masks the value so protobuf can generate
/// +protobuf.nullable=true
/// +protobuf.options.(gogoproto.goproto_stringer)=false
///
/// items, if empty, will result in an empty slice
///
/// Wrapper around a repeated string so that a list of values can be used as a map value;
/// it is the value type of [`SubjectAccessReviewSpec::extra`].
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ExtraValue {
    /// The values recorded for one extra key. An absent field decodes as an empty `Vec`.
    #[prost(string, repeated, tag = "1")]
    pub items: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
/// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
/// checking.
///
/// The spec type is shared with [`SubjectAccessReview`] ([`SubjectAccessReviewSpec`]), so the subject being
/// tested is named explicitly by the caller. The namespace rule documented on `spec` is a request constraint
/// and is not enforced by this type.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct LocalSubjectAccessReview {
    /// Standard object metadata (the upstream comment says "list metadata"; the field type is `ObjectMeta`).
    /// More info: <https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata>
    /// +optional
    #[prost(message, optional, tag = "1")]
    pub metadata: ::core::option::Option<super::super::super::apimachinery::pkg::apis::meta::v1::ObjectMeta>,
    /// Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace
    /// you made the request against. If empty, it is defaulted.
    #[prost(message, optional, tag = "2")]
    pub spec: ::core::option::Option<SubjectAccessReviewSpec>,
    /// Status is filled in by the server and indicates whether the request is allowed or not.
    /// `None` means the server has not (yet) filled in a decision.
    /// +optional
    #[prost(message, optional, tag = "3")]
    pub status: ::core::option::Option<SubjectAccessReviewStatus>,
}
/// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
///
/// Used as the non-resource half of [`SubjectAccessReviewSpec`] and [`SelfSubjectAccessReviewSpec`].
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct NonResourceAttributes {
    /// Path is the URL path of the request
    /// +optional
    #[prost(string, optional, tag = "1")]
    pub path: ::core::option::Option<::prost::alloc::string::String>,
    /// Verb is the standard HTTP verb
    /// +optional
    #[prost(string, optional, tag = "2")]
    pub verb: ::core::option::Option<::prost::alloc::string::String>,
}
/// NonResourceRule holds information that describes a rule for the non-resource
///
/// Appears in [`SubjectRulesReviewStatus::non_resource_rules`]. A rule grants; it never restricts.
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct NonResourceRule {
    /// Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
    /// +listType=atomic
    #[prost(string, repeated, tag = "1")]
    pub verbs: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
    /// final step in the path. "*" means all.
    /// The Rust name `non_resource_ur_ls` is the generator's snake_case split of `NonResourceURLs`.
    /// +optional
    /// +listType=atomic
    #[prost(string, repeated, tag = "2")]
    pub non_resource_ur_ls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
///
/// Every field is optional on the wire; the "*" and "" (empty) meanings documented per field describe how the
/// authorizer interprets them, not anything enforced by this type. The selector fields reuse the `v1` types.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ResourceAttributes {
    /// Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
    /// "" (empty) is defaulted for LocalSubjectAccessReviews
    /// "" (empty) is empty for cluster-scoped resources
    /// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
    /// +optional
    #[prost(string, optional, tag = "1")]
    pub namespace: ::core::option::Option<::prost::alloc::string::String>,
    /// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
    /// +optional
    #[prost(string, optional, tag = "2")]
    pub verb: ::core::option::Option<::prost::alloc::string::String>,
    /// Group is the API Group of the Resource. "*" means all.
    /// +optional
    #[prost(string, optional, tag = "3")]
    pub group: ::core::option::Option<::prost::alloc::string::String>,
    /// Version is the API Version of the Resource. "*" means all.
    /// +optional
    #[prost(string, optional, tag = "4")]
    pub version: ::core::option::Option<::prost::alloc::string::String>,
    /// Resource is one of the existing resource types. "*" means all.
    /// +optional
    #[prost(string, optional, tag = "5")]
    pub resource: ::core::option::Option<::prost::alloc::string::String>,
    /// Subresource is one of the existing resource types. "" means none.
    /// +optional
    #[prost(string, optional, tag = "6")]
    pub subresource: ::core::option::Option<::prost::alloc::string::String>,
    /// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
    /// +optional
    #[prost(string, optional, tag = "7")]
    pub name: ::core::option::Option<::prost::alloc::string::String>,
    /// fieldSelector describes the limitation on access based on field. It can only limit access, not broaden it.
    /// Borrowed from the `authorization/v1` module rather than redefined here.
    /// +optional
    #[prost(message, optional, tag = "8")]
    pub field_selector: ::core::option::Option<super::v1::FieldSelectorAttributes>,
    /// labelSelector describes the limitation on access based on labels. It can only limit access, not broaden it.
    /// Borrowed from the `authorization/v1` module rather than redefined here.
    /// +optional
    #[prost(message, optional, tag = "9")]
    pub label_selector: ::core::option::Option<super::v1::LabelSelectorAttributes>,
}
/// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
/// may contain duplicates, and possibly be incomplete.
///
/// Appears in [`SubjectRulesReviewStatus::resource_rules`]. A rule grants; it never restricts.
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ResourceRule {
    /// Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
    /// +listType=atomic
    #[prost(string, repeated, tag = "1")]
    pub verbs: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
    /// the enumerated resources in any API group will be allowed. "*" means all.
    /// +optional
    /// +listType=atomic
    #[prost(string, repeated, tag = "2")]
    pub api_groups: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
    /// "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
    /// +optional
    /// +listType=atomic
    #[prost(string, repeated, tag = "3")]
    pub resources: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
    /// Note that an empty list widens the rule (all names), it does not narrow it.
    /// +optional
    /// +listType=atomic
    #[prost(string, repeated, tag = "4")]
    pub resource_names: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// SelfSubjectAccessReview checks whether or not the current user can perform an action. Not filling in a
/// spec.namespace means "in all namespaces". Self is a special case, because users should always be able
/// to check whether they can perform an action
///
/// Unlike [`SubjectAccessReview`], the spec type here ([`SelfSubjectAccessReviewSpec`]) carries no
/// user, group, extra or uid fields, so the subject cannot be chosen by the caller.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SelfSubjectAccessReview {
    /// Standard object metadata (the upstream comment says "list metadata"; the field type is `ObjectMeta`).
    /// More info: <https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata>
    /// +optional
    #[prost(message, optional, tag = "1")]
    pub metadata: ::core::option::Option<super::super::super::apimachinery::pkg::apis::meta::v1::ObjectMeta>,
    /// Spec holds information about the request being evaluated. user and groups must be empty
    #[prost(message, optional, tag = "2")]
    pub spec: ::core::option::Option<SelfSubjectAccessReviewSpec>,
    /// Status is filled in by the server and indicates whether the request is allowed or not.
    /// `None` means the server has not (yet) filled in a decision.
    /// +optional
    #[prost(message, optional, tag = "3")]
    pub status: ::core::option::Option<SubjectAccessReviewStatus>,
}
/// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
/// and NonResourceAuthorizationAttributes must be set
///
/// Both fields are `Option`, so the "exactly one" rule is not enforced by this type; a value with both or
/// neither set is representable and must be rejected elsewhere.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SelfSubjectAccessReviewSpec {
    /// ResourceAuthorizationAttributes describes information for a resource access request
    /// +optional
    #[prost(message, optional, tag = "1")]
    pub resource_attributes: ::core::option::Option<ResourceAttributes>,
    /// NonResourceAttributes describes information for a non-resource access request
    /// +optional
    #[prost(message, optional, tag = "2")]
    pub non_resource_attributes: ::core::option::Option<NonResourceAttributes>,
}
/// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
/// The returned list of actions may be incomplete depending on the server's authorization mode,
/// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
/// or to quickly let an end user reason about their permissions. It should NOT be used by external systems to
/// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
/// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
///
/// The result is advisory: check [`SubjectRulesReviewStatus::incomplete`] and
/// [`SubjectRulesReviewStatus::evaluation_error`] before drawing any conclusion from an absent rule.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SelfSubjectRulesReview {
    /// Standard object metadata (the upstream comment says "list metadata"; the field type is `ObjectMeta`).
    /// More info: <https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata>
    /// +optional
    #[prost(message, optional, tag = "1")]
    pub metadata: ::core::option::Option<super::super::super::apimachinery::pkg::apis::meta::v1::ObjectMeta>,
    /// Spec holds information about the request being evaluated.
    #[prost(message, optional, tag = "2")]
    pub spec: ::core::option::Option<SelfSubjectRulesReviewSpec>,
    /// Status is filled in by the server and indicates the set of actions a user can perform.
    /// +optional
    #[prost(message, optional, tag = "3")]
    pub status: ::core::option::Option<SubjectRulesReviewStatus>,
}
/// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct SelfSubjectRulesReviewSpec {
    /// Namespace to evaluate rules for. Required.
    /// Modelled as `Option` because the wire field is optional; the "Required" constraint is not enforced by this type.
    #[prost(string, optional, tag = "1")]
    pub namespace: ::core::option::Option<::prost::alloc::string::String>,
}
/// SubjectAccessReview checks whether or not a user or group can perform an action.
///
/// The subject under test is named by the caller in [`SubjectAccessReviewSpec`] (`user`, `group`, `extra`,
/// `uid`); nothing in this type ties those values to the caller's own identity.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SubjectAccessReview {
    /// Standard object metadata (the upstream comment says "list metadata"; the field type is `ObjectMeta`).
    /// More info: <https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata>
    /// +optional
    #[prost(message, optional, tag = "1")]
    pub metadata: ::core::option::Option<super::super::super::apimachinery::pkg::apis::meta::v1::ObjectMeta>,
    /// Spec holds information about the request being evaluated
    #[prost(message, optional, tag = "2")]
    pub spec: ::core::option::Option<SubjectAccessReviewSpec>,
    /// Status is filled in by the server and indicates whether the request is allowed or not.
    /// `None` means the server has not (yet) filled in a decision.
    /// +optional
    #[prost(message, optional, tag = "3")]
    pub status: ::core::option::Option<SubjectAccessReviewStatus>,
}
/// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
/// and NonResourceAuthorizationAttributes must be set
///
/// The attribute fields are both `Option`, so the "exactly one" rule is not enforced by this type.
/// The remaining fields describe the subject whose permissions are being tested, as supplied by the caller.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SubjectAccessReviewSpec {
    /// ResourceAuthorizationAttributes describes information for a resource access request
    /// +optional
    #[prost(message, optional, tag = "1")]
    pub resource_attributes: ::core::option::Option<ResourceAttributes>,
    /// NonResourceAttributes describes information for a non-resource access request
    /// +optional
    #[prost(message, optional, tag = "2")]
    pub non_resource_attributes: ::core::option::Option<NonResourceAttributes>,
    /// User is the user you're testing for.
    /// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
    /// +optional
    #[prost(string, optional, tag = "3")]
    pub user: ::core::option::Option<::prost::alloc::string::String>,
    /// Groups is the groups you're testing for.
    /// The wire/Rust field name is the singular `group`, even though it holds the full list of groups.
    /// +optional
    /// +listType=atomic
    #[prost(string, repeated, tag = "4")]
    pub group: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
    /// it needs a reflection here.
    /// Keys are the extra attribute names; each value is an [`ExtraValue`] holding that key's list of strings.
    /// +optional
    #[prost(btree_map = "string, message", tag = "5")]
    pub extra: ::prost::alloc::collections::BTreeMap<::prost::alloc::string::String, ExtraValue>,
    /// UID information about the requesting user.
    /// +optional
    #[prost(string, optional, tag = "6")]
    pub uid: ::core::option::Option<::prost::alloc::string::String>,
}
/// SubjectAccessReviewStatus
///
/// Result of a SubjectAccessReview, LocalSubjectAccessReview or SelfSubjectAccessReview. `allowed` and
/// `denied` are independent flags: per the field docs, both false means the authorizer has no opinion.
/// Consumers should treat only `allowed == Some(true)` as authorization; a `None` in the required
/// `allowed` field should be read as not allowed.
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct SubjectAccessReviewStatus {
    /// Allowed is required. True if the action would be allowed, false otherwise.
    #[prost(bool, optional, tag = "1")]
    pub allowed: ::core::option::Option<bool>,
    /// Denied is optional. True if the action would be denied, otherwise
    /// false. If both allowed is false and denied is false, then the
    /// authorizer has no opinion on whether to authorize the action. Denied
    /// may not be true if Allowed is true.
    /// Tag 4 is out of declaration order; the wire number, not the position, identifies the field.
    /// +optional
    #[prost(bool, optional, tag = "4")]
    pub denied: ::core::option::Option<bool>,
    /// Reason is optional. It indicates why a request was allowed or denied.
    /// Free-form text from the authorizer; informational only.
    /// +optional
    #[prost(string, optional, tag = "2")]
    pub reason: ::core::option::Option<::prost::alloc::string::String>,
    /// EvaluationError is an indication that some error occurred during the authorization check.
    /// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
    /// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
    /// +optional
    #[prost(string, optional, tag = "3")]
    pub evaluation_error: ::core::option::Option<::prost::alloc::string::String>,
}
/// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
/// the set of authorizers the server is configured with and any errors experienced during evaluation.
/// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
/// even if that list is incomplete.
///
/// The converse does not hold: a rule's absence is not evidence of denial, especially when `incomplete`
/// is true or `evaluation_error` is set.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SubjectRulesReviewStatus {
    /// ResourceRules is the list of actions the subject is allowed to perform on resources.
    /// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
    /// +listType=atomic
    #[prost(message, repeated, tag = "1")]
    pub resource_rules: ::prost::alloc::vec::Vec<ResourceRule>,
    /// NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
    /// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
    /// +listType=atomic
    #[prost(message, repeated, tag = "2")]
    pub non_resource_rules: ::prost::alloc::vec::Vec<NonResourceRule>,
    /// Incomplete is true when the rules returned by this call are incomplete. This is most commonly
    /// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
    /// `Option` because the wire field is optional; an absent value carries no information either way.
    #[prost(bool, optional, tag = "3")]
    pub incomplete: ::core::option::Option<bool>,
    /// EvaluationError can appear in combination with Rules. It indicates an error occurred during
    /// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
    /// ResourceRules and/or NonResourceRules may be incomplete.
    /// +optional
    #[prost(string, optional, tag = "4")]
    pub evaluation_error: ::core::option::Option<::prost::alloc::string::String>,
}
283}