1package v1
2
3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
4
// FieldSelectorAttributes indicates a field limited access.
//
// Webhook authors are encouraged to:
//   - ensure rawSelector and requirements are not both set
//   - consider the requirements field if set
//   - not try to parse or consider the rawSelector field if set
//
// This is to avoid another CVE-2022-2880 (i.e. getting different
// systems to agree on how exactly to parse a query is not something
// we want), see
// https://www.oxeye.io/resources/golang-parameter-smuggling-attack
// for more details.
//
// For the *SubjectAccessReview endpoints of the kube-apiserver:
//   - If rawSelector is empty and requirements are empty, the
//     request is not limited.
//   - If rawSelector is present and requirements are empty, the
//     rawSelector will be parsed and limited if the parsing succeeds.
//   - If rawSelector is empty and requirements are present, the
//     requirements should be honored.
//   - If rawSelector is present and requirements are present, the
//     request is invalid.
//
// Security note: a selector can only narrow the set of objects a
// request touches, never widen it. An authorizer that cannot (or
// chooses not to) interpret the selector is therefore still correct
// if it evaluates the request as though no selector were present:
// an allow for the broader request is sound for the narrower one,
// and a deny is at worst over-restrictive, never a bypass. Do not
// make a decision by parsing rawSelector yourself; two parsers that
// disagree on an edge case are exactly the smuggling bug cited above.
#FieldSelectorAttributes: {
	// rawSelector is the serialization of a field selector that would
	// be included in a query parameter. Webhook implementations are
	// encouraged to ignore rawSelector. The kube-apiserver's
	// *SubjectAccessReview will parse the rawSelector as long as the
	// requirements are not present.
	//
	// Treat this as opaque input. Per the rules above the apiserver
	// rejects a request that carries both rawSelector and
	// requirements; a webhook that nevertheless sees both should fail
	// closed rather than pick one.
	"rawSelector"?: string

	// requirements is the parsed interpretation of a field selector.
	// All requirements must be met for a resource instance to match
	// the selector. Webhook implementations should handle
	// requirements, but how to handle them is up to the webhook.
	// Since requirements can only limit the request, it is safe to
	// authorize as unlimited request if the requirements are not
	// understood.
	//
	// The entries are ANDed: an object matches only if every
	// requirement holds. This list, not rawSelector, is the form a
	// webhook should consume.
	"requirements"?: [...v1.#FieldSelectorRequirement]
}
38
// LabelSelectorAttributes indicates a label limited access.
//
// Webhook authors are encouraged to:
//   - ensure rawSelector and requirements are not both set
//   - consider the requirements field if set
//   - not try to parse or consider the rawSelector field if set
//
// This is to avoid another CVE-2022-2880 (i.e. getting different
// systems to agree on how exactly to parse a query is not something
// we want), see
// https://www.oxeye.io/resources/golang-parameter-smuggling-attack
// for more details.
//
// For the *SubjectAccessReview endpoints of the kube-apiserver:
//   - If rawSelector is empty and requirements are empty, the
//     request is not limited.
//   - If rawSelector is present and requirements are empty, the
//     rawSelector will be parsed and limited if the parsing succeeds.
//   - If rawSelector is empty and requirements are present, the
//     requirements should be honored.
//   - If rawSelector is present and requirements are present, the
//     request is invalid.
//
// Security note: as with FieldSelectorAttributes, a label selector
// can only narrow a request. Evaluating the request as if the
// selector were absent yields an allow that is sound for the
// narrower request and a deny that is at worst over-restrictive.
// Never re-parse rawSelector in a second implementation to reach a
// decision; parser disagreement is the vulnerability class above.
#LabelSelectorAttributes: {
	// rawSelector is the serialization of a label selector that would
	// be included in a query parameter (the upstream comment says
	// "field selector"; this is the label variant). Webhook
	// implementations are encouraged to ignore rawSelector. The
	// kube-apiserver's *SubjectAccessReview will parse the rawSelector
	// as long as the requirements are not present.
	//
	// Treat this as opaque input. A webhook that sees both
	// rawSelector and requirements should fail closed rather than
	// choose between them.
	"rawSelector"?: string

	// requirements is the parsed interpretation of a label selector.
	// All requirements must be met for a resource instance to match
	// the selector. Webhook implementations should handle
	// requirements, but how to handle them is up to the webhook.
	// Since requirements can only limit the request, it is safe to
	// authorize as unlimited request if the requirements are not
	// understood.
	//
	// The entries are ANDed: an object matches only if every
	// requirement holds. This list, not rawSelector, is the form a
	// webhook should consume.
	"requirements"?: [...v1.#LabelSelectorRequirement]
}
72
// LocalSubjectAccessReview checks whether or not a user or group
// can perform an action in a given namespace. Having a namespace
// scoped resource makes it much easier to grant namespace scoped
// policy that includes permissions checking.
//
// Because the resource is namespaced, the right to create one can
// be granted per namespace without handing out the cluster-wide
// SubjectAccessReview permission. The check is still carried out by
// the apiserver's configured authorizers; only the scope of who may
// ask differs.
#LocalSubjectAccessReview: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "authorization.k8s.io/v1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "LocalSubjectAccessReview"

	// Standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	"metadata"?: v1.#ObjectMeta

	// Spec holds information about the request being evaluated.
	// spec.namespace must be equal to the namespace you made the
	// request against. If empty, it is defaulted.
	//
	// Consequently this kind cannot ask about a namespace other than
	// the one in the request URL; use SubjectAccessReview for that.
	// The spec type is shared with SubjectAccessReview, so user and
	// groups identify the subject being tested, not the caller.
	"spec"!: #SubjectAccessReviewSpec

	// Status is filled in by the server and indicates whether the
	// request is allowed or not
	//
	// Read the decision only from the server's response.
	// NOTE(review): presumably a status supplied on the request is
	// ignored and overwritten; do not treat a client-set status as
	// meaningful -- confirm against the apiserver behaviour.
	"status"?: #SubjectAccessReviewStatus
}
105
// NonResourceAttributes includes the authorization attributes
// available for non-resource requests to the Authorizer
// interface
//
// Non-resource requests are those that do not map to an API
// resource (for example endpoints such as /healthz or /metrics);
// they are authorized on the URL path and HTTP verb only.
#NonResourceAttributes: {
	// Path is the URL path of the request
	//
	// Supply the path exactly as the apiserver would see it; an
	// authorizer matches on this string, and a path that differs
	// from the real request (extra slashes, encoding) asks a
	// different question than the one you mean.
	"path"?: string

	// Verb is the standard HTTP verb
	//
	// Expected in lowercase form (get, post, ...), matching the
	// verbs listed for NonResourceRule.
	"verb"?: string
}
116
// NonResourceRule holds information that describes a rule for the
// non-resource
//
// Appears in SubjectRulesReviewStatus. Rules are additive: a rule
// listed here grants what it describes, but the absence of a rule
// proves nothing when the review is incomplete.
#NonResourceRule: {
	// NonResourceURLs is a set of partial urls that a user should
	// have access to. *s are allowed, but only as the full, final
	// step in the path. "*" means all.
	//
	// So "/api/*" is a valid prefix wildcard while "/api/*/foo" is
	// not a wildcard at all; a bare "*" grants every path. Review
	// entries ending in "*" carefully, they are the broadest grants.
	"nonResourceURLs"?: [...string]

	// Verb is a list of kubernetes non-resource API verbs, like: get,
	// post, put, delete, patch, head, options. "*" means all.
	//
	// Required: a rule with no verbs grants nothing, so the schema
	// insists it be present.
	"verbs"!: [...string]
}
129
// ResourceAttributes includes the authorization attributes
// available for resource requests to the Authorizer interface
//
// Every field is optional and most have an "all" meaning when
// empty or "*"; an access review built from a partially filled
// struct therefore asks a broader question than intended. Fill in
// verb, group, resource and (for namespaced resources) namespace
// explicitly when you want the answer for one concrete request.
#ResourceAttributes: {
	// fieldSelector describes the limitation on access based on
	// field. It can only limit access, not broaden it.
	//
	// Ignoring it yields an allow that is still sound for the
	// narrower request; see FieldSelectorAttributes.
	"fieldSelector"?: #FieldSelectorAttributes

	// Group is the API Group of the Resource. "*" means all.
	//
	// The core group is the empty string, which here is
	// indistinguishable from "unset"; both match core resources.
	"group"?: string

	// labelSelector describes the limitation on access based on
	// labels. It can only limit access, not broaden it.
	//
	// Ignoring it yields an allow that is still sound for the
	// narrower request; see LabelSelectorAttributes.
	"labelSelector"?: #LabelSelectorAttributes

	// Name is the name of the resource being requested for a "get" or
	// deleted for a "delete". "" (empty) means all.
	//
	// Leaving name empty asks whether the subject may act on every
	// instance, which is stricter than asking about one named object.
	"name"?: string

	// Namespace is the namespace of the action being requested.
	// Currently, there is no distinction between no namespace and
	// all namespaces:
	//   - "" (empty) is defaulted for LocalSubjectAccessReviews
	//   - "" (empty) is empty for cluster-scoped resources
	//   - "" (empty) means "all" for namespace scoped resources from
	//     a SubjectAccessReview or SelfSubjectAccessReview
	//
	// Security note: for a namespaced resource an empty namespace in
	// a (Self)SubjectAccessReview asks about cluster-wide permission.
	// A subject with rights in only one namespace will be reported as
	// not allowed; set the namespace when you mean a single one.
	"namespace"?: string

	// Resource is one of the existing resource types. "*" means all.
	"resource"?: string

	// Subresource is one of the existing resource types. "" means
	// none.
	//
	// Subresources (e.g. pods/exec, pods/log) are authorized
	// separately from their parent; omitting this checks the parent
	// resource only.
	"subresource"?: string

	// Verb is a kubernetes resource API verb, like: get, list, watch,
	// create, update, delete, proxy. "*" means all.
	"verb"?: string

	// Version is the API Version of the Resource. "*" means all.
	"version"?: string
}
171
// ResourceRule is the list of actions the subject is allowed to
// perform on resources. The list ordering isn't significant, may
// contain duplicates, and possibly be incomplete.
//
// Appears in SubjectRulesReviewStatus. Each rule is a grant; the
// overall permission set is the union of all rules returned.
#ResourceRule: {
	// APIGroups is the name of the APIGroup that contains the
	// resources. If multiple API groups are specified, any action
	// requested against one of the enumerated resources in any API
	// group will be allowed. "*" means all.
	//
	// Note the cross product: every listed resource in every listed
	// group is granted, not group[i] paired with resource[i].
	"apiGroups"?: [...string]

	// ResourceNames is an optional white list of names that the rule
	// applies to. An empty set means that everything is allowed. "*"
	// means all.
	//
	// Security note: an absent or empty list is the permissive case,
	// not the restrictive one. A rule scoped to specific objects must
	// list them explicitly.
	"resourceNames"?: [...string]

	// Resources is a list of resources this rule applies to. "*"
	// means all in the specified apiGroups.
	// "*/foo" represents the subresource 'foo' for all resources in
	// the specified apiGroups.
	"resources"?: [...string]

	// Verb is a list of kubernetes resource API verbs, like: get,
	// list, watch, create, update, delete, proxy. "*" means all.
	//
	// Required: a rule with no verbs grants nothing, so the schema
	// insists it be present.
	"verbs"!: [...string]
}
197
// SelfSubjectAccessReview checks whether or the current user can
// perform an action. Not filling in a spec.namespace means "in
// all namespaces". Self is a special case, because users should
// always be able to check whether they can perform an action
//
// The subject is always the authenticated caller; there is no way
// to name another user here. Because any authenticated principal
// can create one, the result reveals only what that principal could
// already discover by attempting the action.
#SelfSubjectAccessReview: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "authorization.k8s.io/v1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "SelfSubjectAccessReview"

	// Standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	"metadata"?: v1.#ObjectMeta

	// Spec holds information about the request being evaluated. user
	// and groups must be empty
	//
	// The spec type carries no user/groups/extra fields at all, so
	// the caller's own identity is the only one that can be tested.
	"spec"!: #SelfSubjectAccessReviewSpec

	// Status is filled in by the server and indicates whether the
	// request is allowed or not
	//
	// Read the decision only from the server's response, never from
	// a status the client populated.
	"status"?: #SubjectAccessReviewStatus
}
229
// SelfSubjectAccessReviewSpec is a description of the access
// request. Exactly one of ResourceAuthorizationAttributes and
// NonResourceAuthorizationAttributes must be set
//
// Both fields are optional in this schema, so the "exactly one"
// rule is not enforced by validation here.
// NOTE(review): the apiserver is expected to reject a spec with
// neither or both set -- confirm; do not rely on this schema alone.
#SelfSubjectAccessReviewSpec: {
	// NonResourceAttributes describes information for a non-resource
	// access request
	"nonResourceAttributes"?: #NonResourceAttributes

	// ResourceAuthorizationAttributes describes information for a
	// resource access request
	//
	// Remember that an empty namespace here means "all namespaces"
	// for namespaced resources (see ResourceAttributes).
	"resourceAttributes"?: #ResourceAttributes
}
242
// SelfSubjectRulesReview enumerates the set of actions the
// current user can perform within a namespace. The returned list
// of actions may be incomplete depending on the server's
// authorization mode, and any errors experienced during the
// evaluation. SelfSubjectRulesReview should be used by UIs to
// show/hide actions, or to quickly let an end user reason about
// their permissions. It should NOT Be used by external systems
// to drive authorization decisions as this raises confused
// deputy, cache lifetime/revocation, and correctness concerns.
// SubjectAccessReview, and LocalAccessReview are the correct way
// to defer authorization decisions to the API server.
//
// Security note: the rules list is a snapshot of one subject's
// view and may be incomplete (status.incomplete). Treating it as a
// policy source means a deny is inferred from an absence that may
// simply be an authorizer that could not enumerate rules. Ask the
// apiserver per request with a (Local)SubjectAccessReview instead.
#SelfSubjectRulesReview: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "authorization.k8s.io/v1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "SelfSubjectRulesReview"

	// Standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	"metadata"?: v1.#ObjectMeta

	// Spec holds information about the request being evaluated.
	//
	// Only a namespace; the subject is always the caller.
	"spec"!: #SelfSubjectRulesReviewSpec

	// Status is filled in by the server and indicates the set of
	// actions a user can perform.
	//
	// Always check status.incomplete and status.evaluationError
	// before drawing conclusions from the rule lists.
	"status"?: #SubjectRulesReviewStatus
}
280
// SelfSubjectRulesReviewSpec defines the specification for
// SelfSubjectRulesReview.
#SelfSubjectRulesReviewSpec: {
	// Namespace to evaluate rules for. Required.
	//
	// NOTE(review): documented as required but declared optional
	// here (this mirrors the upstream Go field's omitempty tag), so
	// this schema will accept a spec without a namespace. The
	// apiserver is expected to reject such a request -- confirm;
	// callers should always set it.
	"namespace"?: string
}
287
// SubjectAccessReview checks whether or not a user or group can
// perform an action.
//
// This is the cluster-scoped form and lets the caller name an
// arbitrary subject (user, groups, uid, extra), so the ability to
// create one is itself sensitive: it is the primitive components
// use to delegate authorization to the apiserver. Grant it only to
// those components, and prefer LocalSubjectAccessReview when a
// single namespace suffices.
#SubjectAccessReview: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "authorization.k8s.io/v1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "SubjectAccessReview"

	// Standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	"metadata"?: v1.#ObjectMeta

	// Spec holds information about the request being evaluated
	//
	// Populate user, groups, uid and extra from the authenticated
	// identity you are delegating for; leaving groups out asks about
	// a group-less user (see SubjectAccessReviewSpec).
	"spec"!: #SubjectAccessReviewSpec

	// Status is filled in by the server and indicates whether the
	// request is allowed or not
	//
	// Read the decision only from the server's response; a status
	// supplied on the request carries no authority.
	"status"?: #SubjectAccessReviewStatus
}
316
// SubjectAccessReviewSpec is a description of the access request.
// Exactly one of ResourceAuthorizationAttributes and
// NonResourceAuthorizationAttributes must be set
//
// Both attribute fields are optional in this schema, so the
// "exactly one" rule is not enforced here.
// NOTE(review): the apiserver is expected to reject a spec with
// neither or both set -- confirm; do not rely on this schema alone.
//
// The identity fields (user, groups, uid, extra) describe the
// subject under test. A delegating component must copy them from
// the identity its own authenticator produced; inventing or
// trimming them changes the question being asked.
#SubjectAccessReviewSpec: {
	// Extra corresponds to the user.Info.GetExtra() method from the
	// authenticator. Since that is input to the authorizer it needs
	// a reflection here.
	//
	// Authorizers (webhooks in particular) may key decisions on these
	// values, so pass them through unchanged; dropping them can turn
	// an intended deny into an allow or vice versa.
	"extra"?: [string]: [...string]

	// Groups is the groups you're testing for.
	//
	// Include every group the authenticator attached (including the
	// system:* groups it adds) when reproducing a real identity;
	// see the note on user.
	"groups"?: [...string]

	// NonResourceAttributes describes information for a non-resource
	// access request
	"nonResourceAttributes"?: #NonResourceAttributes

	// ResourceAuthorizationAttributes describes information for a
	// resource access request
	//
	// An empty namespace here means "all namespaces" for namespaced
	// resources (see ResourceAttributes).
	"resourceAttributes"?: #ResourceAttributes

	// UID information about the requesting user.
	"uid"?: string

	// User is the user you're testing for. If you specify "User" but
	// not "Groups", then is it interpreted as "What if User were not
	// a member of any groups
	//
	// Security note: because group membership carries most RBAC
	// grants, user-without-groups is usually a far more restrictive
	// check than the user's real permissions. Omitting groups is
	// only correct when that hypothetical is what you mean.
	"user"?: string
}
345
// SubjectAccessReviewStatus is the server's decision for an access
// review.
//
// Decision matrix:
//   - allowed=true            -> permitted
//   - allowed=false, denied=true  -> explicitly denied
//   - allowed=false, denied=false -> no opinion
//
// Security note: a consumer must fail closed. Only allowed=true
// grants access; "no opinion" and an explicit deny are both
// refusals from the caller's point of view. Never derive a decision
// from reason or evaluationError text.
#SubjectAccessReviewStatus: {
	// Allowed is required. True if the action would be allowed, false
	// otherwise.
	//
	// This is the only field that can grant access.
	"allowed"!: bool

	// Denied is optional. True if the action would be denied,
	// otherwise false. If both allowed is false and denied is false,
	// then the authorizer has no opinion on whether to authorize the
	// action. Denied may not be true if Allowed is true.
	//
	// The allowed/denied exclusivity is a documented invariant, not
	// one this schema enforces; treat allowed=true as authoritative
	// and do not attempt to "resolve" a contradictory pair yourself.
	"denied"?: bool

	// EvaluationError is an indication that some error occurred
	// during the authorization check. It is entirely possible to get
	// an error and be able to continue determine authorization
	// status in spite of it. For instance, RBAC can be missing a
	// role, but enough roles are still present and bound to reason
	// about the request.
	//
	// Presence of an error does not invalidate allowed/denied; log
	// it, but take the decision from those fields.
	"evaluationError"?: string

	// Reason is optional. It indicates why a request was allowed or
	// denied.
	//
	// Free-form text for humans and logs; it may surface policy
	// details, so consider who sees it before echoing it to callers.
	"reason"?: string
}
370
// SubjectRulesReviewStatus contains the result of a rules check.
// This check can be incomplete depending on the set of
// authorizers the server is configured with and any errors
// experienced during evaluation. Because authorization rules are
// additive, if a rule appears in a list it's safe to assume the
// subject has that permission, even if that list is incomplete.
//
// The converse does not hold: a permission missing from the lists
// is not evidence of a deny when incomplete is true. Consumers that
// need a deny decision must use a (Local)SubjectAccessReview.
#SubjectRulesReviewStatus: {
	// EvaluationError can appear in combination with Rules. It
	// indicates an error occurred during rule evaluation, such as an
	// authorizer that doesn't support rule evaluation, and that
	// ResourceRules and/or NonResourceRules may be incomplete.
	"evaluationError"?: string

	// Incomplete is true when the rules returned by this call are
	// incomplete. This is most commonly encountered when an
	// authorizer, such as an external authorizer, doesn't support
	// rules evaluation.
	//
	// Required, so a consumer can always distinguish "not granted"
	// from "unknown"; check it before hiding an action in a UI.
	"incomplete"!: bool

	// NonResourceRules is the list of actions the subject is allowed
	// to perform on non-resources. The list ordering isn't
	// significant, may contain duplicates, and possibly be
	// incomplete.
	//
	// Required but may be empty.
	"nonResourceRules"!: [...#NonResourceRule]

	// ResourceRules is the list of actions the subject is allowed to
	// perform on resources. The list ordering isn't significant, may
	// contain duplicates, and possibly be incomplete.
	//
	// Required but may be empty. Rules are unioned; see ResourceRule
	// for how empty resourceNames widens a grant.
	"resourceRules"!: [...#ResourceRule]
}