| path | Authorizer.(path string) -> PathCheck | Defines a check for an non-resource request path (e.g. /healthz) |
1418
-
| check | PathCheck.(httpRequestVerb string) -> Decision | Checks if the user is authorized for the HTTP request verb on the path |
1419
-
| resource | Authorizer.(kind string, group string, version string) -> ResourceCheck | Defines a check for API resources |
1420
-
| subresource | ResourceCheck.(subresource string) -> ResourceCheck | Specifies thath the check is for a subresource |
1421
-
| namespace | ResourceCheck.(namespace string) -> ResourceCheck | Specifies that the check is for a namespace (if not called, the check is for the cluster scope) |
1422
-
| name | ResourceCheck.(name string) -> ResourceCheck | Specifies that the check is for a specific resource name |
1423
-
| check | ResourceCheck.(apiVerb string) -> Decision | Checks if the admission request user is authorized for the API verb on the resource |
1424
-
| allowed | Decision.() -> bool | Is the admission request user authorized? |
1425
-
| denied | Decision.() -> bool | Is the admission request user denied authorization? |
1410
+
To depend on an authz decision, validation expressions can use the `authorizer` variable, which
1411
+
performs authz checks for the admission request user (the same use as identified by
1412
+
`request.userInfo`) by default, and which will be bound at evaluation time to an Authorizer object
| serviceAccount | Authorizer.(namespace string, name string) -> Authorizer | Returns an authorizer whose subject is the named serviceaccount (instead of admission request user) |
1418
+
| path | Authorizer.(path string) -> PathCheck | Defines a check for an non-resource request path (e.g. /healthz) |
1419
+
| check | PathCheck.(httpRequestVerb string) -> Decision | Checks if the user is authorized for the HTTP request verb on the path |
1420
+
| group | Authorizer.(group string) -> GroupCheck | Defines a check for API resources within a group |
1421
+
| resource | GroupCheck.(resource string) -> ResourceCheck | Specifies the resource to be checked within the group |
1422
+
| subresource | ResourceCheck.(subresource string) -> ResourceCheck | Specifies that the check is for a subresource |
1423
+
| namespace | ResourceCheck.(namespace string) -> ResourceCheck | Specifies that the check is for a namespace (if not called, the check is for the cluster scope) |
1424
+
| name | ResourceCheck.(name string) -> ResourceCheck | Specifies that the check is for a specific resource name |
1425
+
| check | ResourceCheck.(apiVerb string) -> Decision | Checks if the subject is authorized for the API verb on the resource |
1426
+
| allowed | Decision.() -> bool | Is the subject authorized? |
1427
+
| reason | Decision.() -> string | Returns a human-readable explanation of why this decision was made |
1428
+
| errored | Decision.() -> bool | Returns true if and only if an error occurred while making this decision |
1429
+
| error | Decision.() -> string | Returns the text of the error that occurred. If no error occurred, returns the empty string |
1426
1430
1427
1431
xref: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes for a details on
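Review bot: The added Decision rows (`allowed`, `reason`, `errored`, `error`) do not say what `allowed()` returns when `errored()` is true, and with the `denied` row removed a reader can no longer tell from the table whether "not allowed" means an explicit denial, no opinion, or a failed check. Please state the value of `allowed()` on error in the `allowed` or `errored` row, and note whether expressions are expected to test `errored()` before relying on `allowed()`. The PathCheck `check` row still reads "Checks if the user is authorized" while the ResourceCheck `check` row was changed to "the subject"; since `serviceAccount` can now swap the subject, the path row should say "subject" as well. The `group(...).resource(...)` chain replaces `resource(kind, group, version)` and drops the version argument without comment, so a sentence on how the version is chosen would help. Two wording fixes in the added lines: "the same use as identified by" should be "the same user as identified by", and "an non-resource request path" should be "a non-resource request path".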