// PolicyBindingNameValidator builds a ValidateNameFunc that accepts exactly one
// name: the policy binding name derived from policyRefNamespace. Pinning the
// name this way means a PolicyBinding cannot be stored under a name that
// disagrees with the namespace its policy reference points at.
func PolicyBindingNameValidator(policyRefNamespace string) validation.ValidateNameFunc {
	return func(name string, prefix bool) (bool, string) {
		// The generic name rules run first; their verdict and reason are
		// passed through untouched when they reject the name.
		valid, why := oapi.MinimalNameRequirements(name, prefix)
		if !valid {
			return valid, why
		}

		expected := authorizationapi.GetPolicyBindingName(policyRefNamespace)
		if name == expected {
			return true, ""
		}
		return false, "name must be " + expected
	}
}
// testNewLocalBindings returns a one-element fixture: a PolicyBinding in the
// "unittest" namespace, named after that same namespace, with an empty
// (non-nil) RoleBindings map.
func testNewLocalBindings() []authorizationapi.PolicyBinding {
	const ns = "unittest"

	binding := authorizationapi.PolicyBinding{
		ObjectMeta: kapi.ObjectMeta{
			Name:      authorizationapi.GetPolicyBindingName(ns),
			Namespace: ns,
		},
		RoleBindings: map[string]*authorizationapi.RoleBinding{},
	}
	return []authorizationapi.PolicyBinding{binding}
}
// PrepareForCreate clears fields that are not allowed to be set by end users on creation. func (s strategy) PrepareForCreate(obj runtime.Object) { binding := obj.(*authorizationapi.PolicyBinding) s.scrubBindingRefs(binding) // force a delimited name, just in case we someday allow a reference to a global object that won't have a namespace. We'll end up with a name like ":default". // ":" is not in the value space of namespaces, so no escaping is necessary binding.Name = authorizationapi.GetPolicyBindingName(binding.PolicyRef.Namespace) }
// getPolicyBindingForPolicy returns a PolicyBinding that points to the specified policyNamespace. It will autocreate ONLY if policyNamespace equals the master namespace func (m *VirtualStorage) getPolicyBindingForPolicy(ctx kapi.Context, policyNamespace string, allowAutoProvision bool) (*authorizationapi.PolicyBinding, error) { // we can autocreate a PolicyBinding object if the RoleBinding is for the master namespace OR if we've been explicity told to create the policying binding. // the latter happens during priming if (policyNamespace == "") || allowAutoProvision { return m.ensurePolicyBindingToMaster(ctx, policyNamespace, authorizationapi.GetPolicyBindingName(policyNamespace)) } policyBinding, err := m.BindingRegistry.GetPolicyBinding(ctx, authorizationapi.GetPolicyBindingName(policyNamespace)) if err != nil { return nil, err } if policyBinding.RoleBindings == nil { policyBinding.RoleBindings = make(map[string]*authorizationapi.RoleBinding) } return policyBinding, nil }
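// GetExistingRoleBindingsForRole returns every RoleBinding whose RoleRef.Name
// equals role, taken from the PolicyBinding for roleNamespace that is stored
// in the accessor's BindingNamespace.
//
// A NotFound error from the lookup is deliberately not a failure: it yields an
// empty, non-nil slice. Any other lookup error is returned unchanged with a
// nil slice.
//
// NOTE(review): bindings are matched on RoleRef.Name only; the role's
// namespace is implied by which PolicyBinding was fetched. Confirm that every
// RoleBinding inside that PolicyBinding references roleNamespace.
func (a LocalRoleBindingAccessor) GetExistingRoleBindingsForRole(roleNamespace, role string) ([]*authorizationapi.RoleBinding, error) {
	existingBindings, err := a.Client.PolicyBindings(a.BindingNamespace).Get(authorizationapi.GetPolicyBindingName(roleNamespace))
	if err != nil && !kapierrors.IsNotFound(err) {
		return nil, err
	}

	// Kept non-nil so callers see an empty slice rather than nil.
	ret := make([]*authorizationapi.RoleBinding, 0)

	// On the tolerated NotFound path the result is dereferenced below; do not
	// rely on the client returning a non-nil object together with the error.
	if existingBindings == nil {
		return ret, nil
	}

	// Collect the bindings that point to the role in question.
	for _, currBinding := range existingBindings.RoleBindings {
		if currBinding.RoleRef.Name == role {
			ret = append(ret, currBinding)
		}
	}
	return ret, nil
}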