Merge pull request #33953 from windsonsea/patch-1

[zh] sync 1.24 ref-k8s-api /authorization-resources/self-subject-.md
pull/34036/head
Kubernetes Prow Robot 2022-05-29 18:32:51 -07:00 committed by GitHub
commit 5c988da945
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 777 additions and 0 deletions

@ -0,0 +1,230 @@
---
api_metadata:
apiVersion: "authorization.k8s.io/v1"
import: "k8s.io/api/authorization/v1"
kind: "SelfSubjectAccessReview"
content_type: "api_reference"
description: "SelfSubjectAccessReview 检查当前用户是否可以执行某操作。"
title: "SelfSubjectAccessReview"
weight: 2
---
<!--
api_metadata:
apiVersion: "authorization.k8s.io/v1"
import: "k8s.io/api/authorization/v1"
kind: "SelfSubjectAccessReview"
content_type: "api_reference"
description: "SelfSubjectAccessReview checks whether or the current user can perform an action."
title: "SelfSubjectAccessReview"
weight: 2
-->
`apiVersion: authorization.k8s.io/v1`
`import "k8s.io/api/authorization/v1"`
## SelfSubjectAccessReview {#SelfSubjectAccessReview}
<!--
SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means "in all namespaces". Self is a special case, because users should always be able to check whether they can perform an action
-->
SelfSubjectAccessReview 检查当前用户是否可以执行某操作。
不填写 spec.namespace 表示 “在所有命名空间中”。
Self 是一个特殊情况,因为用户应始终能够检查自己是否可以执行某操作。
<hr>
- **apiVersion**: authorization.k8s.io/v1
- **kind**: SelfSubjectAccessReview
<!--
- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
- **spec** (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReviewSpec" >}}">SelfSubjectAccessReviewSpec</a>), required
Spec holds information about the request being evaluated. user and groups must be empty
Status is filled in by the server and indicates whether the request is allowed or not
-->
- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
标准的列表元数据。
更多信息https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
- **spec** (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReviewSpec" >}}">SelfSubjectAccessReviewSpec</a>),必需
spec 包含有关正在评估的请求的信息。
user 和 group 必须为空。
- **status** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewStatus" >}}">SubjectAccessReviewStatus</a>)
status 由服务器填写,表示请求是否被允许。
## SelfSubjectAccessReviewSpec {#SelfSubjectAccessReviewSpec}
<!--
SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set
-->
SelfSubjectAccessReviewSpec 是访问请求的描述。
resourceAuthorizationAttributes 和 nonResourceAuthorizationAttributes 二者必须设置其一,并且只能设置其一。
<hr>
<!--
- **nonResourceAttributes** (NonResourceAttributes)
NonResourceAttributes describes information for a non-resource access request
<a name="NonResourceAttributes"></a>
*NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface*
- **nonResourceAttributes.path** (string)
Path is the URL path of the request
- **nonResourceAttributes.verb** (string)
Verb is the standard HTTP verb
-->
- **nonResourceAttributes** (NonResourceAttributes)
nonResourceAttributes 描述非资源访问请求的信息。
<a name="NonResourceAttributes"></a>
**nonResourceAttributes 包括提供给 Authorizer 接口进行非资源请求鉴权时所用的属性。**
- **nonResourceAttributes.path** (string)
path 是请求的 URL 路径。
- **nonResourceAttributes.verb** (string)
verb 是标准的 HTTP 动作。
<!--
- **resourceAttributes** (ResourceAttributes)
ResourceAuthorizationAttributes describes information for a resource access request
<a name="ResourceAttributes"></a>
*ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface*
- **resourceAttributes.group** (string)
Group is the API Group of the Resource. "*" means all.
- **resourceAttributes.name** (string)
Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
-->
- **resourceAttributes** (ResourceAttributes)
resourceAuthorizationAttributes 描述资源访问请求的信息。
<a name="ResourceAttributes"></a>
**resourceAttributes 包括提供给 Authorizer 接口进行资源请求鉴权时所用的属性。**
- **resourceAttributes.group** (string)
group 是资源的 API 组。
"*" 表示所有组。
- **resourceAttributes.name** (string)
name 是 "get" 正在请求或 "delete" 已删除的资源的名称。
""(空字符串)表示所有资源。
<!--
- **resourceAttributes.namespace** (string)
Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
- **resourceAttributes.resource** (string)
Resource is one of the existing resource types. "*" means all.
-->
- **resourceAttributes.namespace** (string)
namespace 是正在请求的操作的命名空间。
目前,无命名空间和所有命名空间之间没有区别。
对于 LocalSubjectAccessReviews默认为 ""(空字符串)。
对于集群范围的资源,默认为 ""(空字符串)。
对于来自 SubjectAccessReview 或 SelfSubjectAccessReview 的命名空间范围的资源,""(空字符串)表示 "all"(所有资源)。
- **resourceAttributes.resource** (string)
resource 是现有的资源类别之一。
"*" 表示所有资源类别。
<!--
- **resourceAttributes.subresource** (string)
Subresource is one of the existing resource types. "" means none.
- **resourceAttributes.verb** (string)
Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
- **resourceAttributes.version** (string)
Version is the API Version of the Resource. "*" means all.
-->
- **resourceAttributes.subresource** (string)
subresource 是现有的资源类型之一。
"" 表示无。
- **resourceAttributes.verb** (string)
verb 是 kubernetes 资源 API 动作,例如 get、list、watch、create、update、delete、proxy。
"*" 表示所有动作。
- **resourceAttributes.version** (string)
version 是资源的 API 版本。
"*" 表示所有版本。
<!--
## Operations {#Operations}
<hr>
### `create` create a SelfSubjectAccessReview
#### HTTP Request
-->
## 操作 {#Operations}
<hr>
### `create` 创建 SelfSubjectAccessReview
#### HTTP 请求
POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews
<!--
#### Parameters
- **body**: <a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>, required
- **dryRun** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
-->
#### 参数
- **body**: <a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>,必需
- **dryRun** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **pretty** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
<!--
#### Response
-->
#### 响应
200 (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>): OK
201 (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>): Created
202 (<a href="{{< ref "../authorization-resources/self-subject-access-review-v1#SelfSubjectAccessReview" >}}">SelfSubjectAccessReview</a>): Accepted
401: Unauthorized
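Review bot: In the `resourceAttributes.namespace` entry, `"all"(所有资源)` glosses the empty string as "all resources", but the English in the comment above says "" means "all" for namespace scoped resources, that is, all namespaces, and the type description at the top of this file already renders it as 在所有命名空间中. Suggest 所有命名空间 here, so a reader scoping a SelfSubjectAccessReview does not misread what an empty namespace checks. Smaller points in the same hunk: `user 和 group 必须为空` should name the field `groups` as the English does; "resource types" is translated 类别 under `resourceAttributes.resource` but 类型 under `resourceAttributes.subresource`, so pick one; and the English comment for the top-level fields carries the Status description without its `- **status**` bullet line.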

@ -0,0 +1,246 @@
---
api_metadata:
apiVersion: "authorization.k8s.io/v1"
import: "k8s.io/api/authorization/v1"
kind: "SelfSubjectRulesReview"
content_type: "api_reference"
description: "SelfSubjectRulesReview 枚举当前用户可以在某命名空间内执行的操作集合。"
title: "SelfSubjectRulesReview"
weight: 3
---
<!--
api_metadata:
apiVersion: "authorization.k8s.io/v1"
import: "k8s.io/api/authorization/v1"
kind: "SelfSubjectRulesReview"
content_type: "api_reference"
description: "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace."
title: "SelfSubjectRulesReview"
weight: 3
-->
`apiVersion: authorization.k8s.io/v1`
`import "k8s.io/api/authorization/v1"`
## SelfSubjectRulesReview {#SelfSubjectRulesReview}
<!--
SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
-->
SelfSubjectRulesReview 枚举当前用户可以在某命名空间内执行的操作集合。
返回的操作列表可能不完整,具体取决于服务器的鉴权模式以及评估过程中遇到的任何错误。
SelfSubjectRulesReview 应由 UI 用于显示/隐藏操作,或让最终用户尽快理解自己的权限。
SelfSubjectRulesReview 不得被外部系统使用以驱动鉴权决策,
因为这会引起混淆代理人confused deputy、缓存有效期/吊销cache lifetime/revocation和正确性问题。
SubjectAccessReview 和 LocalAccessReview 是遵从 API 服务器所做鉴权决策的正确方式。
<hr>
- **apiVersion**: authorization.k8s.io/v1
- **kind**: SelfSubjectRulesReview
<!--
- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
- **spec** (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReviewSpec" >}}">SelfSubjectRulesReviewSpec</a>), required
Spec holds information about the request being evaluated.
-->
- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
标准的列表元数据。
更多信息https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
- **spec** (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReviewSpec" >}}">SelfSubjectRulesReviewSpec</a>),必需
spec 包含有关正在评估的请求的信息。
<!--
- **status** (SubjectRulesReviewStatus)
Status is filled in by the server and indicates the set of actions a user can perform.
<a name="SubjectRulesReviewStatus"></a>
*SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.*
- **status.incomplete** (boolean), required
Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
- **status.nonResourceRules** ([]NonResourceRule), required
NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
<a name="NonResourceRule"></a>
*NonResourceRule holds information that describes a rule for the non-resource*
-->
- **status** (SubjectRulesReviewStatus)
status 由服务器填写,表示用户可以执行的操作的集合。
<a name="SubjectRulesReviewStatus"></a>
**SubjectRulesReviewStatus 包含规则检查的结果。
此检查可能不完整,具体取决于服务器配置的 Authorizer 的集合以及评估期间遇到的任何错误。
由于鉴权规则是叠加的,所以如果某个规则出现在列表中,即使该列表不完整,也可以安全地假定该主体拥有该权限。**
- **status.incomplete** (boolean),必需
当此调用返回的规则不完整时incomplete 结果为 true。
这种情况常见于 Authorizer例如外部 Authorizer不支持规则评估时。
- **status.nonResourceRules** ([]NonResourceRule),必需
nonResourceRules 是允许主体对非资源执行路径执行的操作列表。
该列表顺序不重要,可以包含重复项,还可能不完整。
<a name="NonResourceRule"></a>
**nonResourceRule 包含描述非资源路径的规则的信息。**
<!--
- **status.nonResourceRules.verbs** ([]string), required
Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
- **status.nonResourceRules.nonResourceURLs** ([]string)
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. "*" means all.
- **status.resourceRules** ([]ResourceRule), required
ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
<a name="ResourceRule"></a>
*ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.*
- **status.resourceRules.verbs** ([]string), required
Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
-->
- **status.nonResourceRules.verbs** ([]string),必需
verb 是 kubernetes 非资源 API 动作的列表,例如 get、post、put、delete、patch、head、options。
"*" 表示所有动作。
- **status.nonResourceRules.nonResourceURLs** ([]string)
nonResourceURLs 是用户应有权访问的一组部分 URL。
允许使用 "*",但仅能作为路径中最后一段且必须用于完整的一段。
"*" 表示全部。
- **status.resourceRules** ([]ResourceRule),必需
resourceRules 是允许主体对资源执行的操作的列表。
该列表顺序不重要,可以包含重复项,还可能不完整。
<a name="ResourceRule"></a>
**resourceRule 是允许主体对资源执行的操作的列表。该列表顺序不重要,可以包含重复项,还可能不完整。**
- **status.resourceRules.verbs** ([]string),必需
verb 是 kubernetes 资源 API 动作的列表,例如 get、list、watch、create、update、delete、proxy。
"*" 表示所有动作。
<!--
- **status.resourceRules.apiGroups** ([]string)
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "*" means all.
- **status.resourceRules.resourceNames** ([]string)
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
- **status.resourceRules.resources** ([]string)
Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
"*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
- **status.evaluationError** (string)
EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.
-->
- **status.resourceRules.apiGroups** ([]string)
apiGroups 是包含资源的 APIGroup 的名称。
如果指定了多个 API 组,则允许对任何 API 组中枚举的资源之一请求任何操作。
"*" 表示所有 APIGroup。
- **status.resourceRules.resourceNames** ([]string)
resourceNames 是此规则所适用的资源名称白名单,可选。
空集合意味着允许所有资源。
"*" 表示所有资源。
- **status.resourceRules.resources** ([]string)
resources 是此规则所适用的资源的列表。
"*" 表示指定 APIGroup 中的所有资源。
"*/foo" 表示指定 APIGroup 中所有资源的子资源 "foo"。
- **status.evaluationError** (string)
evaluationError 可以与 rules 一起出现。
它表示在规则评估期间发生错误,例如 Authorizer 不支持规则评估以及 resourceRules 和/或 nonResourceRules 可能不完整。
## SelfSubjectRulesReviewSpec {#SelfSubjectRulesReviewSpec}
<!--
SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
<hr>
- **namespace** (string)
Namespace to evaluate rules for. Required.
-->
SelfSubjectRulesReviewSpec 定义 SelfSubjectRulesReview 的规范。
<hr>
- **namespace** (string)
namespace 是要评估规则的命名空间。
必需。
<!--
## Operations {#Operations}
<hr>
### `create` create a SelfSubjectRulesReview
#### HTTP Request
-->
## 操作 {#Operations}
<hr>
### `create` 创建 SelfSubjectRulesReview
#### HTTP 请求
POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews
<!--
#### Parameters
- **body**: <a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>, required
- **dryRun** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
-->
#### 参数
- **body**: <a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>,必需
- **dryRun** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **pretty** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
<!--
#### Response
-->
#### 响应
200 (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>): OK
201 (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>): Created
202 (<a href="{{< ref "../authorization-resources/self-subject-rules-review-v1#SelfSubjectRulesReview" >}}">SelfSubjectRulesReview</a>): Accepted
401: Unauthorized
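Review bot: In `status.evaluationError`, the translation folds `resourceRules 和/或 nonResourceRules 可能不完整` into the 例如 clause, so incompleteness reads as one more example of an error; in the English it is the second thing the field indicates (an error occurred, and the rule lists may be incomplete). Suggest splitting the sentence so that consequence stands on its own, since it is what tells a caller the list cannot be treated as exhaustive. In the type description, `遵从 API 服务器所做鉴权决策` reads as complying with decisions the server made, whereas "defer authorization decisions to the API server" means handing the decision to it (for example 将鉴权决策委托给 API 服务器). In `status.nonResourceRules`, `对非资源执行路径执行的操作列表` repeats 执行 and is hard to parse; 对非资源路径执行的操作列表 would match the English.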

@ -0,0 +1,301 @@
---
api_metadata:
apiVersion: "authorization.k8s.io/v1"
import: "k8s.io/api/authorization/v1"
kind: "SubjectAccessReview"
content_type: "api_reference"
description: "SubjectAccessReview 检查用户或组是否可以执行某操作。"
title: "SubjectAccessReview"
weight: 4
---
<!--
api_metadata:
apiVersion: "authorization.k8s.io/v1"
import: "k8s.io/api/authorization/v1"
kind: "SubjectAccessReview"
content_type: "api_reference"
description: "SubjectAccessReview checks whether or not a user or group can perform an action."
title: "SubjectAccessReview"
weight: 4
-->
`apiVersion: authorization.k8s.io/v1`
`import "k8s.io/api/authorization/v1"`
## SubjectAccessReview {#SubjectAccessReview}
<!--
SubjectAccessReview checks whether or not a user or group can perform an action.
-->
SubjectAccessReview 检查用户或组是否可以执行某操作。
<hr>
- **apiVersion**: authorization.k8s.io/v1
- **kind**: SubjectAccessReview
- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
<!--
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
- **spec** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewSpec" >}}">SubjectAccessReviewSpec</a>), required
Spec holds information about the request being evaluated
- **status** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewStatus" >}}">SubjectAccessReviewStatus</a>)
Status is filled in by the server and indicates whether the request is allowed or not
-->
标准的列表元数据。
更多信息https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
- **spec** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewSpec" >}}">SubjectAccessReviewSpec</a>),必需
spec 包含有关正在评估的请求的信息。
- **status** (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReviewStatus" >}}">SubjectAccessReviewStatus</a>)
status 由服务器填写,表示请求是否被允许。
## SubjectAccessReviewSpec {#SubjectAccessReviewSpec}
<!--
SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set
-->
SubjectAccessReviewSpec 是访问请求的描述。
resourceAuthorizationAttributes 和 nonResourceAuthorizationAttributes 二者必须设置其一,并且只能设置其一。
<hr>
<!--
- **extra** (map[string][]string)
Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.
- **groups** ([]string)
Groups is the groups you're testing for.
-->
- **extra** (map[string][]string)
extra 对应于来自鉴权器的 user.Info.GetExtra() 方法。
由于这是针对 Authorizer 的输入,所以它需要在此处反映。
- **groups** ([]string)
groups 是你正在测试的组。
<!--
- **nonResourceAttributes** (NonResourceAttributes)
NonResourceAttributes describes information for a non-resource access request
<a name="NonResourceAttributes"></a>
*NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface*
- **nonResourceAttributes.path** (string)
Path is the URL path of the request
- **nonResourceAttributes.verb** (string)
Verb is the standard HTTP verb
-->
- **nonResourceAttributes** (NonResourceAttributes)
nonResourceAttributes 描述非资源访问请求的信息。
<a name="NonResourceAttributes"></a>
**nonResourceAttributes 包括提供给 Authorizer 接口进行非资源请求鉴权时所用的属性。**
- **nonResourceAttributes.path** (string)
path 是请求的 URL 路径。
- **nonResourceAttributes.verb** (string)
verb 是标准的 HTTP 动作。
<!--
- **resourceAttributes** (ResourceAttributes)
ResourceAuthorizationAttributes describes information for a resource access request
<a name="ResourceAttributes"></a>
*ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface*
- **resourceAttributes.group** (string)
Group is the API Group of the Resource. "*" means all.
- **resourceAttributes.name** (string)
Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
-->
- **resourceAttributes** (ResourceAttributes)
resourceAuthorizationAttributes 描述资源访问请求的信息。
<a name="ResourceAttributes"></a>
**resourceAttributes 包括提供给 Authorizer 接口进行资源请求鉴权时所用的属性。**
- **resourceAttributes.group** (string)
group 是资源的 API 组。
"*" 表示所有资源。
- **resourceAttributes.name** (string)
name 是 "get" 正在请求或 "delete" 已删除的资源。
""(空字符串)表示所有资源。
<!--
- **resourceAttributes.namespace** (string)
Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
- **resourceAttributes.resource** (string)
Resource is one of the existing resource types. "*" means all.
- **resourceAttributes.subresource** (string)
Subresource is one of the existing resource types. "" means none.
-->
- **resourceAttributes.namespace** (string)
namespace 是正在请求的操作的命名空间。
目前,无命名空间和所有命名空间之间没有区别。
对于 LocalSubjectAccessReviews默认为 ""(空字符串)。
对于集群范围的资源,默认为 ""(空字符串)。
对于来自 SubjectAccessReview 或 SelfSubjectAccessReview 的命名空间范围的资源,
""(空字符串)表示 "all"(所有资源)。
- **resourceAttributes.resource** (string)
resource 是现有的资源类别之一。
"*" 表示所有资源类别。
- **resourceAttributes.subresource** (string)
subresource 是现有的资源类别之一。
"" 表示无子资源。
<!--
- **resourceAttributes.verb** (string)
Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
- **resourceAttributes.version** (string)
Version is the API Version of the Resource. "*" means all.
- **uid** (string)
UID information about the requesting user.
- **user** (string)
User is the user you're testing for. If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
-->
- **resourceAttributes.verb** (string)
verb 是 kubernetes 资源的 API 动作,例如 get、list、watch、create、update、delete、proxy。
"*" 表示所有动作。
- **resourceAttributes.version** (string)
version 是资源的 API 版本。
"*" 表示所有版本。
- **uid** (string)
有关正在请求的用户的 UID 信息。
- **user** (string)
user 是你正在测试的用户。
如果你指定 “user” 而不是 “groups”它将被解读为“如果 user 不是任何组的成员,将会怎样”。
## SubjectAccessReviewStatus {#SubjectAccessReviewStatus}
SubjectAccessReviewStatus
<hr>
<!--
- **allowed** (boolean), required
Allowed is required. True if the action would be allowed, false otherwise.
- **denied** (boolean)
Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.
-->
- **allowed** (boolean),必需
allowed 是必需的。
如果允许该操作,则为 true否则为 false。
- **denied** (boolean)
denied 是可选的。
如果拒绝该操作,则为 true否则为 false。
如果 allowed 和 denied 均为 false则 Authorizer 对是否鉴权操作没有意见。
如果 allowed 为 true则 denied 不能为 true。
<!--
- **evaluationError** (string)
EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
- **reason** (string)
Reason is optional. It indicates why a request was allowed or denied.
-->
- **evaluationError** (string)
evaluationError 表示鉴权检查期间发生一些错误。
出现错误的情况下完全有可能继续确定鉴权状态。
例如RBAC 可能缺少一个角色,但仍存在足够多的角色进行绑定,进而了解请求有关的原因。
- **reason** (string)
reason 是可选的。
它表示为什么允许或拒绝请求。
<!--
## Operations {#Operations}
<hr>
### `create` create a SubjectAccessReview
#### HTTP Request
-->
## 操作 {#Operations}
<hr>
### `create` 创建 SubjectAccessReview
#### HTTP 请求
POST /apis/authorization.k8s.io/v1/subjectaccessreviews
<!--
#### Parameters
- **body**: <a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>, required
- **dryRun** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
-->
#### 参数
- **body**: <a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>,必需
- **dryRun** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **pretty** (**查询参数**): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
<!--
#### Response
-->
#### 响应
200 (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>): OK
201 (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>): Created
202 (<a href="{{< ref "../authorization-resources/subject-access-review-v1#SubjectAccessReview" >}}">SubjectAccessReview</a>): Accepted
401: Unauthorized
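Review bot: In the `extra` entry, `来自鉴权器的 user.Info.GetExtra()` translates "authenticator" as 鉴权器, which uses the same term this page uses for authorization (鉴权), so this sentence and the next one (`针对 Authorizer 的输入`) appear to describe the same component. The English distinguishes the authenticator that produces the value from the authorizer that consumes it; use an authentication term here (for example 身份认证组件). Other points in this hunk: under `resourceAttributes.group`, `"*" 表示所有资源` should be 所有组; under `resourceAttributes.namespace`, `"all"(所有资源)` should refer to all namespaces; in `user`, 而不是 reads as "instead of" where the English says "but not"; and in `evaluationError`, `进而了解请求有关的原因` does not convey "reason about the request", which means the authorizer can still evaluate it.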