// Authz provides a CEL function library extension for performing authorization checks. // Note that authorization checks are only supported for CEL expression fields in the API // where an 'authorizer' variable is provided to the CEL expression. See the // documentation of API fields where CEL expressions are used to learn if the 'authorizer' // variable is provided. // // path // // Returns a PathCheck configured to check authorization for a non-resource request // path (e.g. /healthz). If path is empty or consists only of whitespace, an error is returned. // Note that the leading '/' is not required. // // <Authorizer>.path(<string>) <PathCheck> // // Examples: // // authorizer.path('/healthz') // returns a PathCheck for the '/healthz' API path // authorizer.path('') // results in "path must not be empty" error // authorizer.path(' ') // results in "path must not be empty" error (whitespace-only paths are treated as empty) // // group // // Returns a GroupCheck configured to check authorization for the API resources for // a particular API group. // Note that authorization checks are only supported for CEL expression fields in the API // where an 'authorizer' variable is provided to the CEL expression. Check the // documentation of API fields where CEL expressions are used to learn if the 'authorizer' // variable is provided. // // <Authorizer>.group(<string>) <GroupCheck> // // Examples: // // authorizer.group('apps') // returns a GroupCheck for the 'apps' API group // authorizer.group('') // returns a GroupCheck for the core API group // authorizer.group('example.com') // returns a GroupCheck for the custom resources in the 'example.com' API group // // serviceAccount // // Returns an Authorizer configured to check authorization for the provided service account namespace and name. // Checks made through the returned Authorizer are evaluated for that service account rather than for // the principal that sent the request, so use it only where deciding on behalf of that service account is intended. // If the name is not a valid DNS subdomain string (as defined by RFC 1123), an error is returned. // If the namespace is not a valid DNS label (as defined by RFC 1123), an error is returned. 
// // <Authorizer>.serviceAccount(<string>, <string>) <Authorizer> // // Examples: // // authorizer.serviceAccount('default', 'myserviceaccount') // returns an Authorizer for the service account with namespace 'default' and name 'myserviceaccount' // authorizer.serviceAccount('not@a#valid!namespace', 'validname') // returns an error (namespace is not a valid DNS label) // authorizer.serviceAccount('valid.example.com', 'invalid@*name') // returns an error (name is not a valid DNS subdomain; note that 'valid.example.com' is also not a valid DNS label, since labels cannot contain '.') // // resource // // Returns a ResourceCheck configured to check authorization for a particular API resource. // Note that the provided resource string should be a lower case plural name of a Kubernetes API resource. // // <GroupCheck>.resource(<string>) <ResourceCheck> // // Examples: // // authorizer.group('apps').resource('deployments') // returns a ResourceCheck for the 'deployments' resources in the 'apps' group. // authorizer.group('').resource('pods') // returns a ResourceCheck for the 'pods' resources in the core group. // authorizer.group('apps').resource('') // results in "resource must not be empty" error // authorizer.group('apps').resource(' ') // results in "resource must not be empty" error // // subresource // // Returns a ResourceCheck configured to check authorization for a particular subresource of an API resource. // If subresource is set to "", the subresource field of this ResourceCheck is considered unset. // // <ResourceCheck>.subresource(<string>) <ResourceCheck> // // Examples: // // authorizer.group('').resource('pods').subresource('status') // returns a ResourceCheck for the 'status' subresource of 'pods' // authorizer.group('apps').resource('deployments').subresource('scale') // returns a ResourceCheck for the 'scale' subresource of 'deployments' // authorizer.group('example.com').resource('widgets').subresource('scale') // returns a ResourceCheck for the 'scale' subresource of the 'widgets' custom resource // authorizer.group('example.com').resource('widgets').subresource('') // returns a ResourceCheck for the 'widgets' resource. 
// // namespace // // Returns a ResourceCheck configured to check authorization for a particular namespace. // For cluster scoped resources, namespace() does not need to be called; namespace defaults // to "", which is the correct namespace value to use to check cluster scoped resources. // If namespace is set to "", the ResourceCheck will check authorization for the cluster scope. // Note that a cluster-scope check ("" namespace) asks for permission across all namespaces; to check a // namespaced resource, always set the namespace explicitly so the check is not broader than intended. // // <ResourceCheck>.namespace(<string>) <ResourceCheck> // // Examples: // // authorizer.group('apps').resource('deployments').namespace('test') // returns a ResourceCheck for 'deployments' in the 'test' namespace // authorizer.group('').resource('pods').namespace('default') // returns a ResourceCheck for 'pods' in the 'default' namespace // authorizer.group('').resource('widgets').namespace('') // returns a ResourceCheck for 'widgets' in the cluster scope // // name // // Returns a ResourceCheck configured to check authorization for a particular resource name. // If name is set to "", the name field of this ResourceCheck is considered unset. // // <ResourceCheck>.name(<string>) <ResourceCheck> // // Examples: // // authorizer.group('apps').resource('deployments').namespace('test').name('backend') // returns a ResourceCheck for the 'backend' 'deployments' resource in the 'test' namespace // authorizer.group('apps').resource('deployments').namespace('test').name('') // returns a ResourceCheck for the 'deployments' resource in the 'test' namespace // // check // // For PathCheck, checks if the principal (user or service account) that sent the request is authorized for the HTTP request verb of the path. // For ResourceCheck, checks if the principal (user or service account) that sent the request is authorized to perform the API verb on the resource described by the ResourceCheck's configured group, resource, subresource, namespace and name. // When the Authorizer was obtained from serviceAccount(), the check is evaluated for that service account instead of the request's principal. // The check operation can be expensive, particularly in clusters using the webhook authorization mode. 
// // <PathCheck>.check(<check>) <Decision> // <ResourceCheck>.check(<check>) <Decision> // // Examples: // // authorizer.group('').resource('pods').namespace('default').check('create') // Checks if the principal (user or service account) is authorized to create pods in the 'default' namespace. // authorizer.path('/healthz').check('get') // Checks if the principal (user or service account) is authorized to make HTTP GET requests to the /healthz API path. // // allowed // // Returns true if the authorizer's decision for the check is "allow". Note that if the authorizer's decision is // "no opinion", the 'allowed' function returns false. Only an explicit "allow" yields true; use errored() to // distinguish a denial from a check that failed. // // <Decision>.allowed() <bool> // // Examples: // // authorizer.group('').resource('pods').namespace('default').check('create').allowed() // Returns true if the principal (user or service account) is allowed to create pods in the 'default' namespace. // authorizer.path('/healthz').check('get').allowed() // Returns true if the principal (user or service account) is allowed to make HTTP GET requests to the /healthz API path. // // reason // // Returns a string reason for the authorization decision. // // <Decision>.reason() <string> // // Examples: // // authorizer.path('/healthz').check('get').reason() // use the same lower-case verb form as in the other path examples // // errored // // Returns true if the authorization check resulted in an error. // // <Decision>.errored() <bool> // // Examples: // // authorizer.group('').resource('pods').namespace('default').check('create').errored() // Returns true if the authorization check resulted in an error // // error // // If the authorization check resulted in an error, returns the error. Otherwise, returns the empty string. // // <Decision>.error() <string> // // Examples: // // authorizer.group('').resource('pods').namespace('default').check('create').error() // // fieldSelector // // Takes a string field selector, parses it to field selector requirements, and includes it in the authorization check. 
// If the field selector does not parse successfully, no field selector requirements are included in the authorization check. // Note that the check then covers the unfiltered resource, which is typically a broader permission than the // filtered one, so a malformed selector is more likely to produce an unexpected denial than an unexpected grant. // Added in Kubernetes 1.31+, Authz library version 1. // // <ResourceCheck>.fieldSelector(<string>) <ResourceCheck> // // Examples: // // authorizer.group('').resource('pods').fieldSelector('spec.nodeName=mynode').check('list').allowed() // // labelSelector // // Takes a string label selector, parses it to label selector requirements, and includes it in the authorization check. // If the label selector does not parse successfully, no label selector requirements are included in the authorization check // (the check then covers the unfiltered resource, as described for fieldSelector). // Added in Kubernetes 1.31+, Authz library version 1. // // <ResourceCheck>.labelSelector(<string>) <ResourceCheck> // // Examples: // // authorizer.group('').resource('pods').labelSelector('app=example').check('list').allowed() func Authz() cel.EnvOption { … } var authzLib … type authz … func (*authz) LibraryName() string { … } func (*authz) Types() []*cel.Type { … } func (*authz) declarations() map[string][]cel.FunctionOpt { … } var authzLibraryDecls … func (*authz) CompileOptions() []cel.EnvOption { … } func (*authz) ProgramOptions() []cel.ProgramOption { … } // AuthzSelectors provides a CEL function library extension for adding fieldSelector and // labelSelector filters to authorization checks. This requires the Authz library. // See documentation of the Authz library for use and availability of the authorizer variable. // // fieldSelector // // Takes a string field selector, parses it to field selector requirements, and includes it in the authorization check. // If the field selector does not parse successfully, no field selector requirements are included in the authorization check // (the check then covers the unfiltered resource, which is typically a broader permission than the filtered one). // Added in Kubernetes 1.31+. 
// // <ResourceCheck>.fieldSelector(<string>) <ResourceCheck> // // Examples: // // authorizer.group('').resource('pods').fieldSelector('spec.nodeName=mynode').check('list').allowed() // // labelSelector // // Takes a string label selector, parses it to label selector requirements, and includes it in the authorization check. // If the label selector does not parse successfully, no label selector requirements are included in the authorization check // (the check then covers the unfiltered resource, which is typically a broader permission than the filtered one). // Added in Kubernetes 1.31+. // // <ResourceCheck>.labelSelector(<string>) <ResourceCheck> // // Examples: // // authorizer.group('').resource('pods').labelSelector('app=example').check('list').allowed() func AuthzSelectors() cel.EnvOption { … } var authzSelectorsLib … type authzSelectors … func (*authzSelectors) LibraryName() string { … } func (*authzSelectors) Types() []*cel.Type { … } func (*authzSelectors) declarations() map[string][]cel.FunctionOpt { … } var authzSelectorsLibraryDecls … func (*authzSelectors) CompileOptions() []cel.EnvOption { … } func (*authzSelectors) ProgramOptions() []cel.ProgramOption { … } func authorizerPath(arg1, arg2 ref.Val) ref.Val { … } func authorizerGroup(arg1, arg2 ref.Val) ref.Val { … } func authorizerServiceAccount(args ...ref.Val) ref.Val { … } func groupCheckResource(arg1, arg2 ref.Val) ref.Val { … } func resourceCheckSubresource(arg1, arg2 ref.Val) ref.Val { … } func resourceCheckFieldSelector(arg1, arg2 ref.Val) ref.Val { … } func resourceCheckLabelSelector(arg1, arg2 ref.Val) ref.Val { … } func resourceCheckNamespace(arg1, arg2 ref.Val) ref.Val { … } func resourceCheckName(arg1, arg2 ref.Val) ref.Val { … } func pathCheckCheck(arg1, arg2 ref.Val) ref.Val { … } func resourceCheckCheck(arg1, arg2 ref.Val) ref.Val { … } func decisionErrored(arg ref.Val) ref.Val { … } func decisionError(arg ref.Val) ref.Val { … } func decisionAllowed(arg ref.Val) ref.Val { … } func decisionReason(arg ref.Val) ref.Val { … } var AuthorizerType … var PathCheckType … var GroupCheckType … var 
ResourceCheckType … var DecisionType … type Resource … func NewAuthorizerVal(userInfo user.Info, authorizer authorizer.Authorizer) ref.Val { … } func NewResourceAuthorizerVal(userInfo user.Info, authorizer authorizer.Authorizer, requestResource Resource) ref.Val { … } type authorizerVal … func (a authorizerVal) pathCheck(path string) pathCheckVal { … } func (a authorizerVal) groupCheck(group string) groupCheckVal { … } func (a authorizerVal) serviceAccount(namespace, name string) authorizerVal { … } type pathCheckVal … func (a pathCheckVal) Authorize(ctx context.Context, verb string) ref.Val { … } type groupCheckVal … func (g groupCheckVal) resourceCheck(resource string) resourceCheckVal { … } type resourceCheckVal … func (a resourceCheckVal) Authorize(ctx context.Context, verb string) ref.Val { … } func newDecision(authDecision authorizer.Decision, err error, reason string) decisionVal { … } type decisionVal … type receiverOnlyObjectVal … // receiverOnlyVal returns a receiverOnlyObjectVal for the given type. func receiverOnlyVal(objectType *cel.Type) receiverOnlyObjectVal { … } // ConvertToNative implements ref.Val.ConvertToNative. func (a receiverOnlyObjectVal) ConvertToNative(typeDesc reflect.Type) (any, error) { … } // ConvertToType implements ref.Val.ConvertToType. func (a receiverOnlyObjectVal) ConvertToType(typeVal ref.Type) ref.Val { … } // Equal implements ref.Val.Equal. func (a receiverOnlyObjectVal) Equal(other ref.Val) ref.Val { … } // Type implements ref.Val.Type. func (a receiverOnlyObjectVal) Type() ref.Type { … } // Value implements ref.Val.Value. func (a receiverOnlyObjectVal) Value() any { … }