mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
6249ab70e8
* debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
37 lines
1.4 KiB
Go
37 lines
1.4 KiB
Go
package mutate
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/kyverno/kyverno/pkg/auth"
|
|
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
|
)
|
|
|
|
type authChecker struct {
|
|
client dclient.Interface
|
|
}
|
|
|
|
type AuthChecker interface {
|
|
CanICreate(ctx context.Context, kind, namespace, subresource string) (bool, error)
|
|
CanIUpdate(ctx context.Context, kind, namespace, subresource string) (bool, error)
|
|
CanIGet(ctx context.Context, kind, namespace, subresource string) (bool, error)
|
|
}
|
|
|
|
func newAuthChecker(client dclient.Interface) AuthChecker {
|
|
return &authChecker{client: client}
|
|
}
|
|
|
|
func (a *authChecker) CanICreate(ctx context.Context, kind, namespace, subresource string) (bool, error) {
|
|
checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews(), kind, namespace, "create", subresource)
|
|
return checker.RunAccessCheck(ctx)
|
|
}
|
|
|
|
func (a *authChecker) CanIUpdate(ctx context.Context, kind, namespace, subresource string) (bool, error) {
|
|
checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews(), kind, namespace, "update", subresource)
|
|
return checker.RunAccessCheck(ctx)
|
|
}
|
|
|
|
func (a *authChecker) CanIGet(ctx context.Context, kind, namespace, subresource string) (bool, error) {
|
|
checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews(), kind, namespace, "get", subresource)
|
|
return checker.RunAccessCheck(ctx)
|
|
}
|