// This file was autogenerated by go-to-protobuf. Do not edit it manually!
|
|
|
|
syntax = "proto2";
|
|
|
|
package github.com.openshift.api.authorization.v1;
|
|
|
|
import "k8s.io/api/core/v1/generated.proto";
|
|
import "k8s.io/api/rbac/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
|
|
|
// Package-wide variables from generator "generated".
|
|
option go_package = "v1";
|
|
|
|
// Action describes a request to the API server
// It is the authorization question carried by the *AccessReview messages in this file (Local/Resource/Subject
// AccessReview all embed it as field 1); it names the operation and target only, never the subject.
|
|
message Action {
|
|
// Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
// Security note: because "" and "all namespaces" are indistinguishable, a review that omits the namespace asks
// about the broadest, cluster-wide form of the action rather than about "no namespace".
|
|
optional string namespace = 1;
|
|
|
|
// Verb is one of: get, list, watch, create, update, delete
// Carried as a free-form string; the listed values are the documented convention, not a constraint of this schema.
|
|
optional string verb = 2;
|
|
|
|
// Group is the API group of the resource
|
|
// Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined
|
|
optional string resourceAPIGroup = 3;
|
|
|
|
// Version is the API version of the resource
|
|
// Serialized as resourceAPIVersion to avoid confusion with TypeMeta.apiVersion and ObjectMeta.resourceVersion when inlined
|
|
optional string resourceAPIVersion = 4;
|
|
|
|
// Resource is one of the existing resource types
|
|
optional string resource = 5;
|
|
|
|
// ResourceName is the name of the resource being requested for a "get" or deleted for a "delete"
// NOTE(review): an empty ResourceName presumably means the action is against the whole collection — confirm with the authorizer.
|
|
optional string resourceName = 6;
|
|
|
|
// Path is the path of a non resource URL
// Only meaningful together with IsNonResourceURL; the resource* fields above describe resource requests instead.
// Field numbers 7-9 are out of declaration order on purpose: they are the wire identity of these fields and must not be renumbered.
|
|
optional string path = 8;
|
|
|
|
// IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hierarchy)
|
|
optional bool isNonResourceURL = 9;
|
|
|
|
// Content is the actual content of the request for create and update
|
|
// +kubebuilder:pruning:PreserveUnknownFields
// Security note: RawExtension with unknown fields preserved means arbitrary JSON is accepted and retained verbatim.
// Treat it as untrusted, opaque input; nothing here guarantees it conforms to the schema of the named resource.
|
|
optional k8s.io.apimachinery.pkg.runtime.RawExtension content = 7;
|
|
}
|
|
|
|
// ClusterRole is a logical grouping of PolicyRules that can be referenced as a unit by ClusterRoleBindings.
// Only Rules and the optional AggregationRule carry authorization meaning; Metadata is the standard k8s object header.
|
|
message ClusterRole {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// Rules holds all the PolicyRules for this ClusterRole
// Each PolicyRule is additive; there is no deny rule, so review every entry when auditing a role.
|
|
repeated PolicyRule rules = 2;
|
|
|
|
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
|
|
// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
|
|
// stomped by the controller.
// Security note: with AggregationRule set, the effective Rules are whatever the controller assembles from other
// ClusterRoles (the upstream rbac.v1 type; presumably label-selector driven — confirm). Whoever can make a
// ClusterRole match the aggregation selector can therefore add rules here; audit that path, not just this object.
|
|
optional k8s.io.api.rbac.v1.AggregationRule aggregationRule = 3;
|
|
}
|
|
|
|
// ClusterRoleBinding references a ClusterRole, but not contain it. It can reference any ClusterRole in the same namespace or in the global namespace.
|
|
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
|
|
// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
// NOTE(review): the namespace-scoped wording above is identical to RoleBinding's; confirm against the Go type
// whether it still applies to a ClusterRoleBinding before relying on it.
// Precedence: when UserNames or GroupNames is set, Subjects is ignored (see Subjects). An audit that reads
// only Subjects can under-count who is bound — always inspect all three fields.
|
|
message ClusterRoleBinding {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// UserNames holds all the usernames directly bound to the role.
|
|
// This field should only be specified when supporting legacy clients and servers.
|
|
// See Subjects for further details.
|
|
// +k8s:conversion-gen=false
|
|
// +optional
// OptionalNames is nullable: a nil field is "unset", an empty one is "set to nobody" — the two are not equivalent.
|
|
optional OptionalNames userNames = 2;
|
|
|
|
// GroupNames holds all the groups directly bound to the role.
|
|
// This field should only be specified when supporting legacy clients and servers.
|
|
// See Subjects for further details.
|
|
// +k8s:conversion-gen=false
|
|
// +optional
// Same nil-vs-empty semantics as UserNames.
|
|
optional OptionalNames groupNames = 3;
|
|
|
|
// Subjects hold object references to authorize with this rule.
|
|
// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
|
|
// Thus newer clients that do not need to support backwards compatibility should send
|
|
// only fully qualified Subjects and should omit the UserNames and GroupNames fields.
|
|
// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
// These are core.v1.ObjectReferences, not rbac.v1.Subjects; the reference's kind presumably distinguishes
// users, groups and service accounts, but this schema does not constrain it.
|
|
repeated k8s.io.api.core.v1.ObjectReference subjects = 4;
|
|
|
|
// RoleRef can only reference the current namespace and the global namespace.
|
|
// If the ClusterRoleRef cannot be resolved, the Authorizer must return an error.
|
|
// Since Policy is a singleton, this is sufficient knowledge to locate a role.
// An unresolvable RoleRef is an error, i.e. the binding fails closed rather than granting nothing silently.
|
|
optional k8s.io.api.core.v1.ObjectReference roleRef = 5;
|
|
}
|
|
|
|
// ClusterRoleBindingList is a collection of ClusterRoleBindings
// Standard k8s list wrapper: ListMeta plus the items.
|
|
message ClusterRoleBindingList {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
// Items is a list of ClusterRoleBindings
|
|
repeated ClusterRoleBinding items = 2;
|
|
}
|
|
|
|
// ClusterRoleList is a collection of ClusterRoles
// Standard k8s list wrapper: ListMeta plus the items.
|
|
message ClusterRoleList {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
// Items is a list of ClusterRoles
|
|
repeated ClusterRole items = 2;
|
|
}
|
|
|
|
// GroupRestriction matches a group either by a string match on the group name
|
|
// or a label selector applied to group labels.
// Used as one arm of RoleBindingRestrictionSpec; a match means a rolebinding on that group subject is permitted.
|
|
message GroupRestriction {
|
|
// Groups is a list of groups used to match against an individual user's
|
|
// groups. If the user is a member of one of the whitelisted groups, the user
|
|
// is allowed to be bound to a role.
// Allow-list semantics: membership in any one listed group is sufficient.
|
|
// +nullable
|
|
repeated string groups = 1;
|
|
|
|
// Selectors specifies a list of label selectors over group labels.
// NOTE(review): a selector match delegates the allow decision to whoever can set labels on Group objects;
// confirm that label write access on groups is restricted before relying on this arm.
|
|
// +nullable
|
|
repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector labels = 2;
|
|
}
|
|
|
|
// IsPersonalSubjectAccessReview is a marker for PolicyRule.AttributeRestrictions that denotes that subjectaccessreviews on self should be allowed
// Intentionally empty: its presence (embedded in the PolicyRule.AttributeRestrictions RawExtension) is the signal,
// so a rule carrying it grants self-SARs without granting reviews of other subjects.
|
|
message IsPersonalSubjectAccessReview {
|
|
}
|
|
|
|
// LocalResourceAccessReview is a means to request a list of which users and groups are authorized to perform the action specified by spec in a particular namespace
// Namespaced counterpart of ResourceAccessReview; the answer type is ResourceAccessReviewResponse.
|
|
message LocalResourceAccessReview {
|
|
// Action describes the action being tested. The Namespace element is FORCED to the current namespace.
// Security note: a client-supplied Action.namespace is overridden with the request's namespace, so this
// object cannot be used to enumerate who can act in some other namespace.
|
|
optional Action Action = 1;
|
|
}
|
|
|
|
// LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
// Namespaced counterpart of SubjectAccessReview; answered with SubjectAccessReviewResponse.
|
|
message LocalSubjectAccessReview {
|
|
// Action describes the action being tested. The Namespace element is FORCED to the current namespace.
// Security note: a client-supplied Action.namespace is overridden with the request's namespace.
|
|
optional Action Action = 1;
|
|
|
|
// User is optional. If both User and Groups are empty, the current authenticated user is used.
// A non-empty User or Groups asks about a subject other than the caller. This schema does not restrict who may
// pose that question; the server presumably authorizes it separately (not visible in this file).
|
|
optional string user = 2;
|
|
|
|
// Groups is optional. Groups is the list of groups to which the User belongs.
// Supplied by the client, not looked up: the answer is for the User *as a member of these groups*.
|
|
// +k8s:conversion-gen=false
|
|
repeated string groups = 3;
|
|
|
|
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
|
|
// Nil for a self-SAR, means "use the scopes on this request".
|
|
// Nil for a regular SAR, means the same as empty.
// Caution: nil and empty are distinct (OptionalScopes is nullable). An explicitly empty list requests the
// unscoped, full permission set, which can be broader than the scoped credential presenting the request.
|
|
// +k8s:conversion-gen=false
|
|
optional OptionalScopes scopes = 4;
|
|
}
|
|
|
|
// NamedClusterRole relates a name with a cluster role
// Pairs a name with an embedded ClusterRole; where this pairing is consumed is not visible in this file.
|
|
message NamedClusterRole {
|
|
// Name is the name of the cluster role
|
|
optional string name = 1;
|
|
|
|
// Role is the cluster role being named
// Embedded by value, not referenced — the rules travel with this message.
|
|
optional ClusterRole role = 2;
|
|
}
|
|
|
|
// NamedClusterRoleBinding relates a name with a cluster role binding
// Pairs a name with an embedded ClusterRoleBinding; where this pairing is consumed is not visible in this file.
|
|
message NamedClusterRoleBinding {
|
|
// Name is the name of the cluster role binding
|
|
optional string name = 1;
|
|
|
|
// RoleBinding is the cluster role binding being named
// Embedded by value; the same UserNames/GroupNames-over-Subjects precedence as ClusterRoleBinding applies.
|
|
optional ClusterRoleBinding roleBinding = 2;
|
|
}
|
|
|
|
// NamedRole relates a Role with a name
// Pairs a name with an embedded Role; where this pairing is consumed is not visible in this file.
|
|
message NamedRole {
|
|
// Name is the name of the role
|
|
optional string name = 1;
|
|
|
|
// Role is the role being named
// Embedded by value, not referenced — the rules travel with this message.
|
|
optional Role role = 2;
|
|
}
|
|
|
|
// NamedRoleBinding relates a role binding with a name
// Pairs a name with an embedded RoleBinding; where this pairing is consumed is not visible in this file.
|
|
message NamedRoleBinding {
|
|
// Name is the name of the role binding
|
|
optional string name = 1;
|
|
|
|
// RoleBinding is the role binding being named
// Embedded by value; the same UserNames/GroupNames-over-Subjects precedence as RoleBinding applies.
|
|
optional RoleBinding roleBinding = 2;
|
|
}
|
|
|
|
// OptionalNames is an array that may also be left nil to distinguish between set and unset.
// Why this wrapper exists: a plain repeated field cannot express "unset". The distinction is security-relevant
// for RoleBinding/ClusterRoleBinding, whose Subjects are ignored once UserNames or GroupNames is specified —
// so "nil" and "empty list" presumably lead to different effective bindings (confirm in the authorizer).
|
|
// +protobuf.nullable=true
|
|
// +protobuf.options.(gogoproto.goproto_stringer)=false
|
|
message OptionalNames {
|
|
// items, if empty, will result in an empty slice
|
|
|
|
repeated string items = 1;
|
|
}
|
|
|
|
// OptionalScopes is an array that may also be left nil to distinguish between set and unset.
// Why this wrapper exists: the *AccessReview and *RulesReview specs give nil and empty different meanings —
// empty requests unscoped (full) permissions, nil defers to the request's own scopes for self-reviews.
|
|
// +protobuf.nullable=true
|
|
// +protobuf.options.(gogoproto.goproto_stringer)=false
|
|
message OptionalScopes {
|
|
// items, if empty, will result in an empty slice
|
|
|
|
repeated string items = 1;
|
|
}
|
|
|
|
// PolicyRule holds information that describes a policy rule, but does not contain information
|
|
// about who the rule applies to or which namespace the rule applies to.
// Rules are purely additive grants (there is no deny form); the fields below narrow what a single rule allows,
// and several of them widen the grant when left empty — see the per-field notes.
|
|
message PolicyRule {
|
|
// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
// VerbAll is a wildcard over every verb; rules using it deserve extra scrutiny.
|
|
repeated string verbs = 1;
|
|
|
|
// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
|
|
// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
// Fail-closed by contract: an unrecognized restriction is an error, never silently ignored (which would widen the rule).
// Stored as a RawExtension with unknown fields preserved, so the raw bytes are kept as supplied.
|
|
// +kubebuilder:pruning:PreserveUnknownFields
|
|
optional k8s.io.apimachinery.pkg.runtime.RawExtension attributeRestrictions = 2;
|
|
|
|
// APIGroups is the name of the APIGroup that contains the resources. If this field is empty, then both kubernetes and origin API groups are assumed.
|
|
// That means that if an action is requested against one of the enumerated resources in either the kubernetes or the origin API group, the request
|
|
// will be allowed
// Security note: empty here is NOT "core group only" — it spans both the kubernetes and the origin groups.
// A rule meant for a single group must name it explicitly.
|
|
// +optional
|
|
// +nullable
|
|
repeated string apiGroups = 3;
|
|
|
|
// Resources is a list of resources this rule applies to. ResourceAll represents all resources.
// ResourceAll is a wildcard; combined with VerbAll it is a full grant over the listed groups.
|
|
repeated string resources = 4;
|
|
|
|
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
// Empty widens, not narrows: no ResourceNames means every object of the listed resources.
|
|
repeated string resourceNames = 5;
|
|
|
|
// NonResourceURLsSlice is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
|
|
// This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
// The wildcard is only honored as the last path segment (e.g. a trailing "*"), not in the middle of a path.
|
|
repeated string nonResourceURLs = 6;
|
|
}
|
|
|
|
// ResourceAccessReview is a means to request a list of which users and groups are authorized to perform the
|
|
// action specified by spec
// Cluster-scoped form: unlike LocalResourceAccessReview, Action.namespace is taken as given here (an empty
// namespace is the cluster-wide question, per Action). Answered with ResourceAccessReviewResponse.
|
|
message ResourceAccessReview {
|
|
// Action describes the action being tested.
|
|
optional Action Action = 1;
|
|
}
|
|
|
|
// ResourceAccessReviewResponse describes who can perform the action
// Response to ResourceAccessReview / LocalResourceAccessReview. The Users and Groups lists may be partial when
// EvaluationError is set — do not treat them as exhaustive in that case.
|
|
message ResourceAccessReviewResponse {
|
|
// Namespace is the namespace used for the access review
|
|
optional string namespace = 1;
|
|
|
|
// UsersSlice is the list of users who can perform the action
|
|
// +k8s:conversion-gen=false
|
|
repeated string users = 2;
|
|
|
|
// GroupsSlice is the list of groups who can perform the action
|
|
// +k8s:conversion-gen=false
|
|
repeated string groups = 3;
|
|
|
|
// EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
|
|
// It is entirely possible to get an error and be able to continue determine authorization status in spite of it. This is
|
|
// most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
// The misspelled field name ("evalutionError") is part of the published API's serialized contract; it is
// intentionally left as-is here because renaming it would change what clients send and receive.
|
|
optional string evalutionError = 4;
|
|
}
|
|
|
|
// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
// Namespaced counterpart of ClusterRole; it has no AggregationRule.
|
|
message Role {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// Rules holds all the PolicyRules for this Role
// Each PolicyRule is additive; there is no deny rule, so review every entry when auditing a role.
|
|
repeated PolicyRule rules = 2;
|
|
}
|
|
|
|
// RoleBinding references a Role, but not contain it. It can reference any Role in the same namespace or in the global namespace.
|
|
// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
|
|
// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
// Precedence: when UserNames or GroupNames is set, Subjects is ignored (see Subjects). An audit that reads
// only Subjects can under-count who is bound — always inspect all three fields.
|
|
message RoleBinding {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// UserNames holds all the usernames directly bound to the role.
|
|
// This field should only be specified when supporting legacy clients and servers.
|
|
// See Subjects for further details.
|
|
// +k8s:conversion-gen=false
|
|
// +optional
// OptionalNames is nullable: a nil field is "unset", an empty one is "set to nobody" — the two are not equivalent.
|
|
optional OptionalNames userNames = 2;
|
|
|
|
// GroupNames holds all the groups directly bound to the role.
|
|
// This field should only be specified when supporting legacy clients and servers.
|
|
// See Subjects for further details.
|
|
// +k8s:conversion-gen=false
|
|
// +optional
// Same nil-vs-empty semantics as UserNames.
|
|
optional OptionalNames groupNames = 3;
|
|
|
|
// Subjects hold object references to authorize with this rule.
|
|
// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
|
|
// Thus newer clients that do not need to support backwards compatibility should send
|
|
// only fully qualified Subjects and should omit the UserNames and GroupNames fields.
|
|
// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
// These are core.v1.ObjectReferences, not rbac.v1.Subjects; the reference's kind presumably distinguishes
// users, groups and service accounts, but this schema does not constrain it.
|
|
repeated k8s.io.api.core.v1.ObjectReference subjects = 4;
|
|
|
|
// RoleRef can only reference the current namespace and the global namespace.
|
|
// If the RoleRef cannot be resolved, the Authorizer must return an error.
|
|
// Since Policy is a singleton, this is sufficient knowledge to locate a role.
// An unresolvable RoleRef is an error, i.e. the binding fails closed rather than granting nothing silently.
|
|
optional k8s.io.api.core.v1.ObjectReference roleRef = 5;
|
|
}
|
|
|
|
// RoleBindingList is a collection of RoleBindings
// Standard k8s list wrapper: ListMeta plus the items.
|
|
message RoleBindingList {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
// Items is a list of RoleBindings
|
|
repeated RoleBinding items = 2;
|
|
}
|
|
|
|
// RoleBindingRestriction is an object that can be matched against a subject
|
|
// (user, group, or service account) to determine whether rolebindings on that
|
|
// subject are allowed in the namespace to which the RoleBindingRestriction
|
|
// belongs. If any one of those RoleBindingRestriction objects matches
|
|
// a subject, rolebindings on that subject in the namespace are allowed.
// Allow-list semantics across the namespace: a single matching restriction suffices, so adding a permissive one
// widens what every other restriction in the namespace permits. What happens in a namespace that has no
// RoleBindingRestriction objects at all is not described here — confirm with the admission logic.
|
|
message RoleBindingRestriction {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// Spec defines the matcher.
|
|
optional RoleBindingRestrictionSpec spec = 2;
|
|
}
|
|
|
|
// RoleBindingRestrictionList is a collection of RoleBindingRestriction objects.
// Standard k8s list wrapper: ListMeta plus the items.
|
|
message RoleBindingRestrictionList {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
// Items is a list of RoleBindingRestriction objects.
|
|
repeated RoleBindingRestriction items = 2;
|
|
}
|
|
|
|
// RoleBindingRestrictionSpec defines a rolebinding restriction. Exactly one
|
|
// field must be non-nil.
// The "exactly one" rule is not expressible in this schema (all three are independent optional messages); it
// has to be enforced by validation elsewhere, which is not visible in this file.
|
|
message RoleBindingRestrictionSpec {
|
|
// UserRestriction matches against user subjects.
|
|
// +nullable
|
|
optional UserRestriction userrestriction = 1;
|
|
|
|
// GroupRestriction matches against group subjects.
|
|
// +nullable
|
|
optional GroupRestriction grouprestriction = 2;
|
|
|
|
// ServiceAccountRestriction matches against service-account subjects.
|
|
// +nullable
|
|
optional ServiceAccountRestriction serviceaccountrestriction = 3;
|
|
}
|
|
|
|
// RoleList is a collection of Roles
// Standard k8s list wrapper: ListMeta plus the items.
|
|
message RoleList {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
// Items is a list of Roles
|
|
repeated Role items = 2;
|
|
}
|
|
|
|
// SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a namespace
// Always evaluates the caller's own permissions; there is no User/Groups field to ask about someone else
// (compare SubjectRulesReview).
|
|
message SelfSubjectRulesReview {
|
|
// Spec adds information about how to conduct the check
|
|
optional SelfSubjectRulesReviewSpec spec = 1;
|
|
|
|
// Status is completed by the server to tell which permissions you have
// Server-populated; see SubjectRulesReviewStatus for why Rules may be incomplete when EvaluationError is set.
|
|
optional SubjectRulesReviewStatus status = 2;
|
|
}
|
|
|
|
// SelfSubjectRulesReviewSpec adds information about how to conduct the check
|
|
message SelfSubjectRulesReviewSpec {
|
|
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
|
|
// Nil means "use the scopes on this request".
// Caution: nil and empty differ (OptionalScopes is nullable). Sending an explicitly empty list asks for the
// unscoped, full permission set rather than what the presenting credential's scopes allow.
|
|
// +k8s:conversion-gen=false
|
|
optional OptionalScopes scopes = 1;
|
|
}
|
|
|
|
// ServiceAccountReference specifies a service account and namespace by their
|
|
// names.
// Used by ServiceAccountRestriction to allow-list individual service accounts.
|
|
message ServiceAccountReference {
|
|
// Name is the name of the service account.
|
|
optional string name = 1;
|
|
|
|
// Namespace is the namespace of the service account. Service accounts from
|
|
// inside the whitelisted namespaces are allowed to be bound to roles. If
|
|
// Namespace is empty, then the namespace of the RoleBindingRestriction in
|
|
// which the ServiceAccountReference is embedded is used.
// Defaulting rule: an empty Namespace is local to the restriction's own namespace, so it never accidentally
// matches a same-named service account elsewhere.
|
|
optional string namespace = 2;
|
|
}
|
|
|
|
// ServiceAccountRestriction matches a service account by a string match on
|
|
// either the service-account name or the name of the service account's
|
|
// namespace.
// Either list matches on its own: a listed namespace permits every service account in it, not just named ones.
|
|
message ServiceAccountRestriction {
|
|
// ServiceAccounts specifies a list of literal service-account names.
// Each entry may carry its own namespace; an empty one defaults to the restriction's namespace (see ServiceAccountReference).
|
|
repeated ServiceAccountReference serviceaccounts = 1;
|
|
|
|
// Namespaces specifies a list of literal namespace names.
// Coarse-grained: a namespace here allows any service account from that namespace to be bound.
|
|
repeated string namespaces = 2;
|
|
}
|
|
|
|
// SubjectAccessReview is an object for requesting information about whether a user or group can perform an action
// Cluster-scoped form: Action.namespace is taken as given (empty is the cluster-wide question, per Action).
// Answered with SubjectAccessReviewResponse.
|
|
message SubjectAccessReview {
|
|
// Action describes the action being tested.
|
|
optional Action Action = 1;
|
|
|
|
// User is optional. If both User and Groups are empty, the current authenticated user is used.
// A non-empty User or Groups asks about a subject other than the caller. This schema does not restrict who may
// pose that question; the server presumably authorizes it separately (not visible in this file).
|
|
optional string user = 2;
|
|
|
|
// GroupsSlice is optional. Groups is the list of groups to which the User belongs.
// Supplied by the client, not looked up: the answer is for the User *as a member of these groups*.
|
|
// +k8s:conversion-gen=false
|
|
repeated string groups = 3;
|
|
|
|
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
|
|
// Nil for a self-SAR, means "use the scopes on this request".
|
|
// Nil for a regular SAR, means the same as empty.
// Caution: nil and empty are distinct (OptionalScopes is nullable). An explicitly empty list requests the
// unscoped, full permission set, which can be broader than the scoped credential presenting the request.
|
|
// +k8s:conversion-gen=false
|
|
optional OptionalScopes scopes = 4;
|
|
}
|
|
|
|
// SubjectAccessReviewResponse describes whether or not a user or group can perform an action
// Response to SubjectAccessReview / LocalSubjectAccessReview.
|
|
message SubjectAccessReviewResponse {
|
|
// Namespace is the namespace used for the access review
|
|
optional string namespace = 1;
|
|
|
|
// Allowed is required. True if the action would be allowed, false otherwise.
// A bool, so an absent field reads as false (denied) — the safe default for consumers.
|
|
optional bool allowed = 2;
|
|
|
|
// Reason is optional. It indicates why a request was allowed or denied.
|
|
optional string reason = 3;
|
|
|
|
// EvaluationError is an indication that some error occurred during the authorization check.
|
|
// It is entirely possible to get an error and be able to continue determine authorization status in spite of it. This is
|
|
// most common when a bound role is missing, but enough roles are still present and bound to reason about the request.
// Consumers should surface a non-empty EvaluationError even when Allowed is set: the decision was reached on
// incomplete policy, so it may not reflect the intended grant.
|
|
optional string evaluationError = 4;
|
|
}
|
|
|
|
// SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace
// Unlike SelfSubjectRulesReview this enumerates someone else's permissions; this schema does not restrict who may
// ask, so that gate presumably lives in the server (not visible here).
|
|
message SubjectRulesReview {
|
|
// Spec adds information about how to conduct the check
|
|
optional SubjectRulesReviewSpec spec = 1;
|
|
|
|
// Status is completed by the server to tell which permissions you have
// Server-populated; see SubjectRulesReviewStatus for why Rules may be incomplete when EvaluationError is set.
|
|
optional SubjectRulesReviewStatus status = 2;
|
|
}
|
|
|
|
// SubjectRulesReviewSpec adds information about how to conduct the check
// Identifies the subject to evaluate; the "at least one of User and Groups" rule is not expressible in this
// schema and must be enforced by validation elsewhere.
|
|
message SubjectRulesReviewSpec {
|
|
// User is optional. At least one of User and Groups must be specified.
|
|
optional string user = 1;
|
|
|
|
// Groups is optional. Groups is the list of groups to which the User belongs. At least one of User and Groups must be specified.
// Supplied by the client, not looked up: the result is for the User *as a member of these groups*.
|
|
repeated string groups = 2;
|
|
|
|
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
// There is no self-review here, so no "use the scopes on this request" case; empty evaluates the full permission set.
|
|
optional OptionalScopes scopes = 3;
|
|
}
|
|
|
|
// SubjectRulesReviewStatus is contains the result of a rules check
// Shared status type for SelfSubjectRulesReview and SubjectRulesReview.
|
|
message SubjectRulesReviewStatus {
|
|
// Rules is the list of rules (no particular sort) that are allowed for the subject
// Do not treat this list as exhaustive when EvaluationError is non-empty; it may be missing grants.
// Order is unspecified, so callers must not rely on position.
|
|
repeated PolicyRule rules = 1;
|
|
|
|
// EvaluationError can appear in combination with Rules. It means some error happened during evaluation
|
|
// that may have prevented additional rules from being populated.
|
|
optional string evaluationError = 2;
|
|
}
|
|
|
|
// UserRestriction matches a user either by a string match on the user name,
|
|
// a string match on the name of a group to which the user belongs, or a label
|
|
// selector applied to the user labels.
// Used as one arm of RoleBindingRestrictionSpec; any one of the three lists matching is sufficient.
|
|
message UserRestriction {
|
|
// Users specifies a list of literal user names.
|
|
repeated string users = 1;
|
|
|
|
// Groups specifies a list of literal group names.
// Matches a user through group membership, so the effective allow-list grows with each group's membership.
|
|
// +nullable
|
|
repeated string groups = 2;
|
|
|
|
// Selectors specifies a list of label selectors over user labels.
// NOTE(review): a selector match delegates the allow decision to whoever can set labels on User objects;
// confirm that label write access on users is restricted before relying on this arm.
|
|
// +nullable
|
|
repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector labels = 3;
|
|
}
|
|
|