Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 04f1c641a7
Branches Tags
custom-kube-...
/
kubernetes
/
pkg
/
apis
/
authorization
/
validation
/
validation.go

validation.go 5.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108 
  1. /*
    2. 

  2. Copyright 2015 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package validation
    18. 

  18. 

  19. import (
    20. 

  20. 	apiequality "k8s.io/apimachinery/pkg/api/equality"
    21. 

  21. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    22. 

  22. 	"k8s.io/apimachinery/pkg/util/validation/field"
    23. 

  23. 	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
    24. 

  24. )
    25. 

  25. 

  26. // ValidateSubjectAccessReviewSpec validates a SubjectAccessReviewSpec and returns an
    27. 

  27. // ErrorList with any errors.
    28. 

  28. func ValidateSubjectAccessReviewSpec(spec authorizationapi.SubjectAccessReviewSpec, fldPath *field.Path) field.ErrorList {
    29. 

  29. 	allErrs := field.ErrorList{}
    30. 

  30. 	if spec.ResourceAttributes != nil && spec.NonResourceAttributes != nil {
    31. 

  31. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("nonResourceAttributes"), spec.NonResourceAttributes, `cannot be specified in combination with resourceAttributes`))
    32. 

  32. 	}
    33. 

  33. 	if spec.ResourceAttributes == nil && spec.NonResourceAttributes == nil {
    34. 

  34. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("resourceAttributes"), spec.NonResourceAttributes, `exactly one of nonResourceAttributes or resourceAttributes must be specified`))
    35. 

  35. 	}
    36. 

  36. 	if len(spec.User) == 0 && len(spec.Groups) == 0 {
    37. 

  37. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("user"), spec.User, `at least one of user or group must be specified`))
    38. 

  38. 	}
    39. 

  39. 

  40. 	return allErrs
    41. 

  41. }
    42. 

  42. 

  43. // ValidateSelfSubjectAccessReviewSpec validates a SelfSubjectAccessReviewSpec and returns an
    44. 

  44. // ErrorList with any errors.
    45. 

  45. func ValidateSelfSubjectAccessReviewSpec(spec authorizationapi.SelfSubjectAccessReviewSpec, fldPath *field.Path) field.ErrorList {
    46. 

  46. 	allErrs := field.ErrorList{}
    47. 

  47. 	if spec.ResourceAttributes != nil && spec.NonResourceAttributes != nil {
    48. 

  48. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("nonResourceAttributes"), spec.NonResourceAttributes, `cannot be specified in combination with resourceAttributes`))
    49. 

  49. 	}
    50. 

  50. 	if spec.ResourceAttributes == nil && spec.NonResourceAttributes == nil {
    51. 

  51. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("resourceAttributes"), spec.NonResourceAttributes, `exactly one of nonResourceAttributes or resourceAttributes must be specified`))
    52. 

  52. 	}
    53. 

  53. 

  54. 	return allErrs
    55. 

  55. }
    56. 

  56. 

  57. // ValidateSelfSubjectRulesReview validates a SelfSubjectRulesReview and returns an
    58. 

  58. // ErrorList with any errors.
    59. 

  59. func ValidateSelfSubjectRulesReview(review *authorizationapi.SelfSubjectRulesReview) field.ErrorList {
    60. 

  60. 	return field.ErrorList{}
    61. 

  61. }
    62. 

  62. 

  63. // ValidateSubjectAccessReview validates a SubjectAccessReview and returns an
    64. 

  64. // ErrorList with any errors.
    65. 

  65. func ValidateSubjectAccessReview(sar *authorizationapi.SubjectAccessReview) field.ErrorList {
    66. 

  66. 	allErrs := ValidateSubjectAccessReviewSpec(sar.Spec, field.NewPath("spec"))
    67. 

  67. 	objectMetaShallowCopy := sar.ObjectMeta
    68. 

  68. 	objectMetaShallowCopy.ManagedFields = nil
    69. 

  69. 	if !apiequality.Semantic.DeepEqual(metav1.ObjectMeta{}, objectMetaShallowCopy) {
    70. 

  70. 		allErrs = append(allErrs, field.Invalid(field.NewPath("metadata"), sar.ObjectMeta, `must be empty`))
    71. 

  71. 	}
    72. 

  72. 	return allErrs
    73. 

  73. }
    74. 

  74. 

  75. // ValidateSelfSubjectAccessReview validates a SelfSubjectAccessReview and returns an
    76. 

  76. // ErrorList with any errors.
    77. 

  77. func ValidateSelfSubjectAccessReview(sar *authorizationapi.SelfSubjectAccessReview) field.ErrorList {
    78. 

  78. 	allErrs := ValidateSelfSubjectAccessReviewSpec(sar.Spec, field.NewPath("spec"))
    79. 

  79. 	objectMetaShallowCopy := sar.ObjectMeta
    80. 

  80. 	objectMetaShallowCopy.ManagedFields = nil
    81. 

  81. 	if !apiequality.Semantic.DeepEqual(metav1.ObjectMeta{}, objectMetaShallowCopy) {
    82. 

  82. 		allErrs = append(allErrs, field.Invalid(field.NewPath("metadata"), sar.ObjectMeta, `must be empty`))
    83. 

  83. 	}
    84. 

  84. 	return allErrs
    85. 

  85. }
    86. 

  86. 

  87. // ValidateLocalSubjectAccessReview validates a LocalSubjectAccessReview and returns an
    88. 

  88. // ErrorList with any errors.
    89. 

  89. func ValidateLocalSubjectAccessReview(sar *authorizationapi.LocalSubjectAccessReview) field.ErrorList {
    90. 

  90. 	allErrs := ValidateSubjectAccessReviewSpec(sar.Spec, field.NewPath("spec"))
    91. 

  91. 

  92. 	objectMetaShallowCopy := sar.ObjectMeta
    93. 

  93. 	objectMetaShallowCopy.Namespace = ""
    94. 

  94. 	objectMetaShallowCopy.ManagedFields = nil
    95. 

  95. 	if !apiequality.Semantic.DeepEqual(metav1.ObjectMeta{}, objectMetaShallowCopy) {
    96. 

  96. 		allErrs = append(allErrs, field.Invalid(field.NewPath("metadata"), sar.ObjectMeta, `must be empty except for namespace`))
    97. 

  97. 	}
    98. 

  98. 

  99. 	if sar.Spec.ResourceAttributes != nil && sar.Spec.ResourceAttributes.Namespace != sar.Namespace {
    100. 

  100. 		allErrs = append(allErrs, field.Invalid(field.NewPath("spec.resourceAttributes.namespace"), sar.Spec.ResourceAttributes.Namespace, `must match metadata.namespace`))
    101. 

  101. 	}
    102. 

  102. 	if sar.Spec.NonResourceAttributes != nil {
    103. 

  103. 		allErrs = append(allErrs, field.Invalid(field.NewPath("spec.nonResourceAttributes"), sar.Spec.NonResourceAttributes, `disallowed on this kind of request`))
    104. 

  104. 	}
    105. 

  105. 

  106. 	return allErrs
    107. 

  107. }
    108. 

  108.