kubernetes/staging/src/k8s.io/apiserver/pkg/cel/library/authz.go

// Authz provides a CEL function library extension for performing authorization checks.
// Note that authorization checks are only supported for CEL expression fields in the API
// where an 'authorizer' variable is provided to the CEL expression. See the
// documentation of API fields where CEL expressions are used to learn if the 'authorizer'
// variable is provided.
//
// path
//
// Returns a PathCheck configured to check authorization for a non-resource request
// path (e.g. /healthz). If path is an empty string, an error is returned.
// Note that the leading '/' is not required.
//
//	<Authorizer>.path(<string>) <PathCheck>
//
// Examples:
//
//	authorizer.path('/healthz') // returns a PathCheck for the '/healthz' API path
//	authorizer.path('') // results in "path must not be empty" error
//	authorizer.path('  ') // results in "path must not be empty" error
//
// group
//
// Returns a GroupCheck configured to check authorization for the API resources for
// a particular API group.
// Note that authorization checks are only supported for CEL expression fields in the API
// where an 'authorizer' variable is provided to the CEL expression. Check the
// documentation of API fields where CEL expressions are used to learn if the 'authorizer'
// variable is provided.
//
//	<Authorizer>.group(<string>) <GroupCheck>
//
// Examples:
//
//	authorizer.group('apps') // returns a GroupCheck for the 'apps' API group
//	authorizer.group('') // returns a GroupCheck for the core API group
//	authorizer.group('example.com') // returns a GroupCheck for the custom resources in the 'example.com' API group
//
// serviceAccount
//
// Returns an Authorizer configured to check authorization for the provided service account namespace and name
// (arguments are namespace first, then name). Checks made through the returned Authorizer are evaluated for that
// service account's identity rather than the requester's; this does not by itself verify that the requester is
// permitted to act as (or impersonate) that service account, so policies should not assume that relationship.
// If the name is not a valid DNS subdomain string (as defined by RFC 1123), an error is returned.
// If the namespace is not a valid DNS label (as defined by RFC 1123), an error is returned.
//
//	<Authorizer>.serviceAccount(<string>, <string>) <Authorizer>
//
// Examples:
//
//	authorizer.serviceAccount('default', 'myserviceaccount') // returns an Authorizer for the service account with namespace 'default' and name 'myserviceaccount'
//	authorizer.serviceAccount('not@a#valid!namespace', 'validname') // returns an error
//	authorizer.serviceAccount('valid.example.com', 'invalid@*name') // returns an error
//
// resource
//
// Returns a ResourceCheck configured to check authorization for a particular API resource.
// Note that the provided resource string should be a lower case plural name of a Kubernetes API resource.
//
//	<GroupCheck>.resource(<string>) <ResourceCheck>
//
// Examples:
//
//	authorizer.group('apps').resource('deployments') // returns a ResourceCheck for the 'deployments' resources in the 'apps' group.
//	authorizer.group('').resource('pods') // returns a ResourceCheck for the 'pods' resources in the core group.
//	authorizer.group('apps').resource('') // results in "resource must not be empty" error
//	authorizer.group('apps').resource('  ') // results in "resource must not be empty" error
//
// subresource
//
// Returns a ResourceCheck configured to check authorization for a particular subresource of an API resource.
// If subresource is set to "", the subresource field of this ResourceCheck is considered unset.
//
//	<ResourceCheck>.subresource(<string>) <ResourceCheck>
//
// Examples:
//
//	authorizer.group('').resource('pods').subresource('status') // returns a ResourceCheck for the 'status' subresource of 'pods'
//	authorizer.group('apps').resource('deployments').subresource('scale') // returns a ResourceCheck for the 'scale' subresource of 'deployments'
//	authorizer.group('example.com').resource('widgets').subresource('scale') // returns a ResourceCheck for the 'scale' subresource of the 'widgets' custom resource
//	authorizer.group('example.com').resource('widgets').subresource('') // returns a ResourceCheck for the 'widgets' resource.
//
// namespace
//
// Returns a ResourceCheck configured to check authorization for a particular namespace.
// For cluster scoped resources, namespace() does not need to be called; namespace defaults
// to "", which is the correct namespace value to use to check cluster scoped resources.
// If namespace is set to "", the ResourceCheck will check authorization for the cluster scope.
// For a namespaced resource, leaving the namespace unset (or "") therefore checks for access
// across all namespaces, which is a stronger requirement than access within one namespace;
// set the namespace explicitly whenever a namespace-scoped check is intended.
//
//	<ResourceCheck>.namespace(<string>) <ResourceCheck>
//
// Examples:
//
//	authorizer.group('apps').resource('deployments').namespace('test') // returns a ResourceCheck for 'deployments' in the 'test' namespace
//	authorizer.group('').resource('pods').namespace('default') // returns a ResourceCheck for 'pods' in the 'default' namespace
//	authorizer.group('').resource('widgets').namespace('') // returns a ResourceCheck for 'widgets' in the cluster scope
//
// name
//
// Returns a ResourceCheck configured to check authorization for a particular resource name.
// If name is set to "", the name field of this ResourceCheck is considered unset, and the check
// covers the resource as a whole rather than a single named object (a broader permission).
//
//	<ResourceCheck>.name(<string>) <ResourceCheck>
//
// Examples:
//
//	authorizer.group('apps').resource('deployments').namespace('test').name('backend') // returns a ResourceCheck for the 'backend' 'deployments' resource in the 'test' namespace
//	authorizer.group('apps').resource('deployments').namespace('test').name('') // returns a ResourceCheck for the 'deployments' resource in the 'test' namespace
//
// check
//
// For PathCheck, checks if the principal is authorized to perform the given HTTP verb on the configured path.
// For ResourceCheck, checks if the principal is authorized for the given API verb against the configured
// group, resource, subresource, namespace, name and selectors of the ResourceCheck.
// The principal is the user or service account that sent the request, unless the Authorizer was obtained via
// serviceAccount(), in which case it is the named service account.
// The verb is matched by the configured authorizer; Kubernetes RBAC verbs are lower case ('get', 'list', 'create'), so use that form.
// The check operation can be expensive, particularly in clusters using the webhook authorization mode;
// guard it with cheaper conditions so it only runs when the outcome actually matters.
//
//	<PathCheck>.check(<string>) <Decision>
//	<ResourceCheck>.check(<string>) <Decision>
//
// Examples:
//
//	authorizer.group('').resource('pods').namespace('default').check('create') // Checks if the principal (user or service account) is authorized to create pods in the 'default' namespace.
//	authorizer.path('/healthz').check('get') // Checks if the principal (user or service account) is authorized to make HTTP GET requests to the /healthz API path.
//
// allowed
//
// Returns true if the authorizer's decision for the check is "allow". Note that if the authorizer's decision is
// "no opinion", the 'allowed' function will return false. A check that failed (see errored()) must not be treated
// as an allow; call errored() explicitly when a denial needs to be distinguished from an authorizer failure, and
// fail closed in both cases.
//
//	<Decision>.allowed() <bool>
//
// Examples:
//
//	authorizer.group('').resource('pods').namespace('default').check('create').allowed() // Returns true if the principal (user or service account) is allowed to create pods in the 'default' namespace.
//	authorizer.path('/healthz').check('get').allowed()  // Returns true if the principal (user or service account) is allowed to make HTTP GET requests to the /healthz API path.
//
// reason
//
// Returns a string reason for the authorization decision
//
//	<Decision>.reason() <string>
//
// Examples:
//
//	authorizer.path('/healthz').check('get').reason()
//
// errored
//
// Returns true if the authorization check resulted in an error.
//
//	<Decision>.errored() <bool>
//
// Examples:
//
//	authorizer.group('').resource('pods').namespace('default').check('create').errored() // Returns true if the authorization check resulted in an error
//
// error
//
// If the authorization check resulted in an error, returns the error. Otherwise, returns the empty string.
//
//	<Decision>.error() <string>
//
// Examples:
//
//	authorizer.group('').resource('pods').namespace('default').check('create').error()
//
// fieldSelector
//
// Takes a string field selector, parses it to field selector requirements, and includes it in the authorization check.
// If the field selector does not parse successfully, no field selector requirements are included in the authorization check,
// i.e. the check is made against the unfiltered resource (a broader permission, so never a laxer check). Whether the parse
// failure is otherwise reported is not specified here; validate selector syntax separately if it must be detected.
// Added in Kubernetes 1.31+, Authz library version 1.
//
//	<ResourceCheck>.fieldSelector(<string>) <ResourceCheck>
//
// Examples:
//
//	authorizer.group('').resource('pods').fieldSelector('spec.nodeName=mynode').check('list').allowed()
//
// labelSelector
//
// Takes a string label selector, parses it to label selector requirements, and includes it in the authorization check.
// If the label selector does not parse successfully, no label selector requirements are included in the authorization check,
// i.e. the check is made against the unfiltered resource (a broader permission, so never a laxer check). Whether the parse
// failure is otherwise reported is not specified here; validate selector syntax separately if it must be detected.
// Added in Kubernetes 1.31+, Authz library version 1.
//
//	<ResourceCheck>.labelSelector(<string>) <ResourceCheck>
//
// Examples:
//
//	authorizer.group('').resource('pods').labelSelector('app=example').check('list').allowed()
//
// Authz returns the cel.EnvOption that installs the library described above. AuthzSelectors
// (below) builds on this library and requires it to be installed as well. Body elided in this listing.
func Authz() cel.EnvOption {}

// authzLib is the package-level instance of the authz library; presumably what Authz() hands to
// cel.Lib — confirm. Type and value elided in this listing.
var authzLib

// authz is the receiver type carrying the CEL library implementation for the authorizer
// functions (LibraryName/Types/declarations/CompileOptions/ProgramOptions below).
// Underlying type elided in this listing.
type authz

// LibraryName returns the identifier of this library for the CEL environment
// (cel.SingletonLibrary). Body elided in this listing.
func (*authz) LibraryName() string {}

// Types lists the CEL object types this library contributes — presumably AuthorizerType,
// PathCheckType, GroupCheckType, ResourceCheckType and DecisionType declared below; confirm.
func (*authz) Types() []*cel.Type {}

// declarations returns the function-name -> overload options map used to build this
// library's CompileOptions; see authzLibraryDecls. Body elided in this listing.
func (*authz) declarations() map[string][]cel.FunctionOpt {}

// authzLibraryDecls holds the CEL function declarations (path, group, serviceAccount, resource,
// subresource, namespace, name, check, allowed, reason, errored, error) consumed by
// declarations(). Value elided in this listing.
var authzLibraryDecls

// CompileOptions implements cel.Library; registers the library's types and function
// declarations with the environment. Body elided in this listing.
func (*authz) CompileOptions() []cel.EnvOption {}

// ProgramOptions implements cel.Library. Body elided in this listing.
func (*authz) ProgramOptions() []cel.ProgramOption {}

// AuthzSelectors provides a CEL function library extension for adding fieldSelector and
// labelSelector filters to authorization checks. This requires the Authz library.
// See documentation of the Authz library for use and availability of the authorizer variable.
//
// fieldSelector
//
// Takes a string field selector, parses it to field selector requirements, and includes it in the authorization check.
// If the field selector does not parse successfully, no field selector requirements are included in the authorization check,
// i.e. the check is made against the unfiltered resource (a broader permission, so never a laxer check). Whether the parse
// failure is otherwise reported is not specified here; validate selector syntax separately if it must be detected.
// Added in Kubernetes 1.31+.
//
//	<ResourceCheck>.fieldSelector(<string>) <ResourceCheck>
//
// Examples:
//
//	authorizer.group('').resource('pods').fieldSelector('spec.nodeName=mynode').check('list').allowed()
//
// labelSelector
//
// Takes a string label selector, parses it to label selector requirements, and includes it in the authorization check.
// If the label selector does not parse successfully, no label selector requirements are included in the authorization check,
// i.e. the check is made against the unfiltered resource (a broader permission, so never a laxer check). Whether the parse
// failure is otherwise reported is not specified here; validate selector syntax separately if it must be detected.
// Added in Kubernetes 1.31+.
//
//	<ResourceCheck>.labelSelector(<string>) <ResourceCheck>
//
// Examples:
//
//	authorizer.group('').resource('pods').labelSelector('app=example').check('list').allowed()
//
// AuthzSelectors returns the cel.EnvOption that installs the selector extension; it must be
// installed together with Authz (see above). Body elided in this listing.
func AuthzSelectors() cel.EnvOption {}

// authzSelectorsLib is the package-level instance of the authzSelectors library; presumably
// what AuthzSelectors() hands to cel.Lib — confirm. Type and value elided in this listing.
var authzSelectorsLib

// authzSelectors is the receiver type carrying the CEL library implementation for the
// fieldSelector/labelSelector functions. Underlying type elided in this listing.
type authzSelectors

// LibraryName returns the identifier of the selectors library for the CEL environment
// (cel.SingletonLibrary). Body elided in this listing.
func (*authzSelectors) LibraryName() string {}

// Types lists the CEL object types this library contributes; the selector functions operate on
// ResourceCheck, which is declared by the Authz library, so this may be empty — confirm.
func (*authzSelectors) Types() []*cel.Type {}

// declarations returns the function-name -> overload options map for fieldSelector and
// labelSelector; see authzSelectorsLibraryDecls. Body elided in this listing.
func (*authzSelectors) declarations() map[string][]cel.FunctionOpt {}

// authzSelectorsLibraryDecls holds the CEL function declarations for fieldSelector and
// labelSelector consumed by declarations(). Value elided in this listing.
var authzSelectorsLibraryDecls

// CompileOptions implements cel.Library; registers the selector function declarations with
// the environment. Body elided in this listing.
func (*authzSelectors) CompileOptions() []cel.EnvOption {}

// ProgramOptions implements cel.Library. Body elided in this listing.
func (*authzSelectors) ProgramOptions() []cel.ProgramOption {}

// authorizerPath backs <Authorizer>.path(<string>): arg1 is the Authorizer receiver, arg2 the
// path string. Per the library doc, an empty or whitespace-only path yields an error value.
// Body elided in this listing.
func authorizerPath(arg1, arg2 ref.Val) ref.Val {}

// authorizerGroup backs <Authorizer>.group(<string>): arg1 is the Authorizer receiver, arg2 the
// API group name ("" is the core group). Body elided in this listing.
func authorizerGroup(arg1, arg2 ref.Val) ref.Val {}

// authorizerServiceAccount backs <Authorizer>.serviceAccount(<string>, <string>): args are the
// Authorizer receiver, the namespace and the name, in that order. Per the library doc an
// invalid namespace (DNS label) or name (DNS subdomain) yields an error value; the returned
// Authorizer evaluates subsequent checks as that service account's identity. Body elided.
func authorizerServiceAccount(args ...ref.Val) ref.Val {}

// groupCheckResource backs <GroupCheck>.resource(<string>): arg1 is the GroupCheck receiver,
// arg2 the lower case plural resource name. Per the library doc an empty or whitespace-only
// resource yields an error value. Body elided in this listing.
func groupCheckResource(arg1, arg2 ref.Val) ref.Val {}

// resourceCheckSubresource backs <ResourceCheck>.subresource(<string>): arg1 is the
// ResourceCheck receiver, arg2 the subresource ("" leaves it unset). Body elided in this listing.
func resourceCheckSubresource(arg1, arg2 ref.Val) ref.Val {}

// resourceCheckFieldSelector backs <ResourceCheck>.fieldSelector(<string>): arg1 is the
// ResourceCheck receiver, arg2 the selector string. Per the library doc an unparseable selector
// results in an unfiltered (broader) check rather than an error. Body elided in this listing.
func resourceCheckFieldSelector(arg1, arg2 ref.Val) ref.Val {}

// resourceCheckLabelSelector backs <ResourceCheck>.labelSelector(<string>): arg1 is the
// ResourceCheck receiver, arg2 the selector string. Per the library doc an unparseable selector
// results in an unfiltered (broader) check rather than an error. Body elided in this listing.
func resourceCheckLabelSelector(arg1, arg2 ref.Val) ref.Val {}

// resourceCheckNamespace backs <ResourceCheck>.namespace(<string>): arg1 is the ResourceCheck
// receiver, arg2 the namespace ("" means cluster scope / all namespaces). Body elided in this listing.
func resourceCheckNamespace(arg1, arg2 ref.Val) ref.Val {}

// resourceCheckName backs <ResourceCheck>.name(<string>): arg1 is the ResourceCheck receiver,
// arg2 the object name ("" leaves it unset). Body elided in this listing.
func resourceCheckName(arg1, arg2 ref.Val) ref.Val {}

// pathCheckCheck backs <PathCheck>.check(<string>): arg1 is the PathCheck receiver, arg2 the
// HTTP verb. This is where the (potentially expensive) authorizer call happens, presumably via
// pathCheckVal.Authorize — confirm. Body elided in this listing.
func pathCheckCheck(arg1, arg2 ref.Val) ref.Val {}

// resourceCheckCheck backs <ResourceCheck>.check(<string>): arg1 is the ResourceCheck receiver,
// arg2 the API verb. This is where the (potentially expensive) authorizer call happens,
// presumably via resourceCheckVal.Authorize — confirm. Body elided in this listing.
func resourceCheckCheck(arg1, arg2 ref.Val) ref.Val {}

// decisionErrored backs <Decision>.errored(): true when the authorization check itself failed.
// Body elided in this listing.
func decisionErrored(arg ref.Val) ref.Val {}

// decisionError backs <Decision>.error(): the error text, or "" when the check did not error.
// Body elided in this listing.
func decisionError(arg ref.Val) ref.Val {}

// decisionAllowed backs <Decision>.allowed(): true only for an "allow" decision; "no opinion"
// (and, per the library doc, anything other than allow) is false. Body elided in this listing.
func decisionAllowed(arg ref.Val) ref.Val {}

// decisionReason backs <Decision>.reason(): the authorizer-supplied reason string.
// Body elided in this listing.
func decisionReason(arg ref.Val) ref.Val {}

// AuthorizerType is the CEL object type of the 'authorizer' variable. Value elided in this listing.
var AuthorizerType

// PathCheckType is the CEL object type returned by <Authorizer>.path(). Value elided in this listing.
var PathCheckType

// GroupCheckType is the CEL object type returned by <Authorizer>.group(). Value elided in this listing.
var GroupCheckType

// ResourceCheckType is the CEL object type returned by <GroupCheck>.resource() and its chained
// refinements. Value elided in this listing.
var ResourceCheckType

// DecisionType is the CEL object type returned by check(). Value elided in this listing.
var DecisionType

// Resource describes the API resource associated with the request under evaluation; it is
// supplied to NewResourceAuthorizerVal. Fields elided in this listing.
type Resource

// NewAuthorizerVal constructs the value bound to the 'authorizer' CEL variable: checks made
// through it are evaluated for userInfo (the requesting principal) against the given
// authorizer.Authorizer. Body elided in this listing.
func NewAuthorizerVal(userInfo user.Info, authorizer authorizer.Authorizer) ref.Val {}

// NewResourceAuthorizerVal is NewAuthorizerVal additionally carrying the request's Resource;
// how requestResource is used is not shown in this listing — confirm before relying on it.
func NewResourceAuthorizerVal(userInfo user.Info, authorizer authorizer.Authorizer, requestResource Resource) ref.Val {}

// authorizerVal is the Go value behind AuthorizerType; it holds the principal and the
// authorizer.Authorizer the checks are evaluated against. Fields elided in this listing.
type authorizerVal

// pathCheck returns a PathCheck for the non-resource path, bound to this authorizer's principal.
// Body elided in this listing.
func (a authorizerVal) pathCheck(path string) pathCheckVal {}

// groupCheck returns a GroupCheck for the API group, bound to this authorizer's principal.
// Body elided in this listing.
func (a authorizerVal) groupCheck(group string) groupCheckVal {}

// serviceAccount returns a new authorizerVal whose checks are evaluated for the named service
// account instead of the original principal. Nothing in this signature ties the service account
// to the requester, so callers must not assume the requester is entitled to act as it.
// Body elided in this listing.
func (a authorizerVal) serviceAccount(namespace, name string) authorizerVal {}

// pathCheckVal is the Go value behind PathCheckType (principal, authorizer and path).
// Fields elided in this listing.
type pathCheckVal

// Authorize performs the authorization call for this path and the given HTTP verb and returns
// the Decision value (presumably built with newDecision — confirm). This is the expensive step
// the library doc warns about. Body elided in this listing.
func (a pathCheckVal) Authorize(ctx context.Context, verb string) ref.Val {}

// groupCheckVal is the Go value behind GroupCheckType (principal, authorizer and API group).
// Fields elided in this listing.
type groupCheckVal

// resourceCheck returns a ResourceCheck for the given resource within this group.
// Body elided in this listing.
func (g groupCheckVal) resourceCheck(resource string) resourceCheckVal {}

// resourceCheckVal is the Go value behind ResourceCheckType: principal, authorizer, group,
// resource, and the optional subresource/namespace/name/selectors. Fields elided in this listing.
type resourceCheckVal

// Authorize performs the authorization call for this resource check and the given API verb and
// returns the Decision value (presumably built with newDecision — confirm). This is the expensive
// step the library doc warns about. Body elided in this listing.
func (a resourceCheckVal) Authorize(ctx context.Context, verb string) ref.Val {}

// newDecision wraps an authorizer result (decision, error, reason) as the value behind
// DecisionType; allowed()/errored()/error()/reason() read these three fields.
// Body elided in this listing.
func newDecision(authDecision authorizer.Decision, err error, reason string) decisionVal {}

// decisionVal is the Go value behind DecisionType. Fields elided in this listing.
type decisionVal

// receiverOnlyObjectVal is a minimal ref.Val for opaque objects whose only role in CEL is to
// receive the method calls declared by this library; see the ref.Val methods below.
// Fields elided in this listing.
type receiverOnlyObjectVal

// receiverOnlyVal returns a receiverOnlyObjectVal for the given type.
// Presumably used to build the Authorizer/PathCheck/GroupCheck/ResourceCheck values — confirm.
// Body elided in this listing.
func receiverOnlyVal(objectType *cel.Type) receiverOnlyObjectVal {}

// ConvertToNative implements ref.Val.ConvertToNative.
// A receiver-only value has no meaningful native representation; expect an error for any
// typeDesc (body elided in this listing — confirm).
func (a receiverOnlyObjectVal) ConvertToNative(typeDesc reflect.Type) (any, error) {}

// ConvertToType implements ref.Val.ConvertToType.
// Body elided in this listing; conversions of these opaque values are expected to yield a CEL
// error value rather than a usable result — confirm.
func (a receiverOnlyObjectVal) ConvertToType(typeVal ref.Type) ref.Val {}

// Equal implements ref.Val.Equal.
// Equality semantics for these opaque values are not shown in this listing; expressions should
// not rely on comparing two checks with ==.
func (a receiverOnlyObjectVal) Equal(other ref.Val) ref.Val {}

// Type implements ref.Val.Type.
// Returns the CEL type the value was created with via receiverOnlyVal (presumably — body elided).
func (a receiverOnlyObjectVal) Type() ref.Type {}

// Value implements ref.Val.Value.
// Body elided in this listing.
func (a receiverOnlyObjectVal) Value() any {}