mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/pkg/policy/auth/auth.go
Mariam Fahmy 4d1f040e49
fix: add the resource name to the SubjectAccessReview (#10221) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2024-08-07 12:46:44 +00:00

78 lines
2.8 KiB
Go
Raw Blame History

package auth
import (
"context"
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/auth"
"github.com/kyverno/kyverno/pkg/clients/dclient"
)
// Operations provides methods to performing operations on resource
type Operations interface {
// CanICreate returns 'true' if self can 'create' resource
CanICreate(ctx context.Context, gvk, namespace, subresource string) (bool, error)
// CanIUpdate returns 'true' if self can 'update' resource
CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error)
// CanIDelete returns 'true' if self can 'delete' resource
CanIDelete(ctx context.Context, gvk, namespace, subresource string) (bool, error)
// CanIGet returns 'true' if self can 'get' resource
CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error)
}
// Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
type Auth struct {
client dclient.Interface
user string
log logr.Logger
}
// NewAuth returns a new instance of Auth for operations
func NewAuth(client dclient.Interface, user string, log logr.Logger) *Auth {
a := Auth{
client: client,
user: user,
log: log,
}
return &a
}
// CanICreate returns 'true' if self can 'create' resource
func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "create", "", a.user)
ok, _, err := canI.RunAccessCheck(ctx)
if err != nil {
return false, err
}
return ok, nil
}
// CanIUpdate returns 'true' if self can 'update' resource
func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "update", "", a.user)
ok, _, err := canI.RunAccessCheck(ctx)
if err != nil {
return false, err
}
return ok, nil
}
// CanIDelete returns 'true' if self can 'delete' resource
func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "delete", "", a.user)
ok, _, err := canI.RunAccessCheck(ctx)
if err != nil {
return false, err
}
return ok, nil
}
// CanIGet returns 'true' if self can 'get' resource
func (a *Auth) CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "get", "", a.user)
ok, _, err := canI.RunAccessCheck(ctx)
if err != nil {
return false, err
}
return ok, nil
}
View git blame Copy permalink