/*
| 2 | Copyright 2016 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package authorizerfactory |
| 18 | |
| 19 | import ( |
| 20 | "time" |
| 21 | |
| 22 | "k8s.io/apiserver/pkg/authorization/authorizer" |
| 23 | authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1" |
| 24 | |
| 25 | "k8s.io/apiserver/plugin/pkg/authorizer/webhook" |
| 26 | ) |
| 27 | |
// DelegatingAuthorizerConfig is the minimal configuration needed to create an authorizer
// built to delegate authorization to a kube API server.
type DelegatingAuthorizerConfig struct {
	// SubjectAccessReviewClient is the client through which authorization
	// decisions are delegated to the kube API server; New passes it to the
	// webhook authorizer unchanged.
	SubjectAccessReviewClient authorizationclient.SubjectAccessReviewInterface

	// AllowCacheTTL is the length of time that a successful authorization response will be cached.
	// While an allow is cached it is honored locally even if the permission has since
	// been revoked on the API server, so this value bounds how long a stale allow can persist.
	AllowCacheTTL time.Duration

	// DenyCacheTTL is the length of time that an unsuccessful authorization response will be cached.
	// You generally want a short value here so that newly granted permissions take effect
	// promptly ("deny, try again" flows).
	DenyCacheTTL time.Duration
}
| 40 | |
// New builds the delegating authorizer described by c.
//
// The returned authorizer is the webhook authorizer constructed from
// c.SubjectAccessReviewClient; it caches allowed decisions for
// c.AllowCacheTTL and denied decisions for c.DenyCacheTTL. Any error
// from constructing the webhook authorizer is returned as is.
func (c DelegatingAuthorizerConfig) New() (authorizer.Authorizer, error) {
	client := c.SubjectAccessReviewClient
	allowTTL, denyTTL := c.AllowCacheTTL, c.DenyCacheTTL
	return webhook.NewFromInterface(client, allowTTL, denyTTL)
}