LocalSubjectAccessReview [authorization.k8s.io/v1]

    LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.

    Type

    Required

    .spec

    Description

    SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set

    Type

    object

    Property  Type  Description

    extra

    object

    Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.

    extra{}

    array (string)

    groups

    array (string)

    Groups is the groups you’re testing for.

    nonResourceAttributes

    object

    NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface

    resourceAttributes

    object

    ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface

    uid

    UID information about the requesting user.

    user

    User is the user you’re testing for. If you specify “User” but not “Groups”, then it is interpreted as “What if User were not a member of any groups?”

    .spec.extra

    Description

    Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.

    Type

    object

    .spec.nonResourceAttributes

    Description

    NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface

    Type

    object

    Property  Type  Description

    path

    string

    Path is the URL path of the request

    verb

    string

    Verb is the standard HTTP verb

    .spec.resourceAttributes

    Description

    ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface

    Type

    object

    .status

    Description

    SubjectAccessReviewStatus

    Type

    Required

    • allowed

    Property  Type  Description

    allowed

    boolean

    Allowed is required. True if the action would be allowed, false otherwise.

    denied

    boolean

    Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.

    evaluationError

    string

    EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and still be able to determine the authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.

    reason

    string

    Reason is optional. It indicates why a request was allowed or denied.

    API endpoints

    The following API endpoints are available:

    Table 1. Global path parameters
    Parameter  Type  Description

    namespace

    string

    object name and auth scope, such as for teams and projects

    HTTP method

    POST

    Description

    create a LocalSubjectAccessReview

    Table 3. Body parameters
    Parameter  Type  Description

    body

    Table 4. HTTP responses
    HTTP code  Response body

    200 - OK

    LocalSubjectAccessReview authorization.k8s.io/v1
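The following helper is an added illustration of the request and status shapes described above; it is not part of this reference or of the Kubernetes project. It builds a LocalSubjectAccessReview body for the POST endpoint, enforces the "exactly one of resourceAttributes / nonResourceAttributes" rule, and classifies a returned status as allowed, denied, or no opinion (treating no opinion as a refusal). The check that resourceAttributes.namespace equals the path namespace is an assumption of this example, and the status responses are constructed, not captured from an API server.

```python
def build_local_sar(namespace, user, groups=None, resource_attrs=None, non_resource_attrs=None):
    """Body for POST /apis/authorization.k8s.io/v1/namespaces/{namespace}/localsubjectaccessreviews."""
    # The spec requires exactly one of the two attribute blocks.
    if (resource_attrs is None) == (non_resource_attrs is None):
        raise ValueError("exactly one of resourceAttributes and nonResourceAttributes must be set")
    spec = {"user": user}
    if groups is not None:
        # Omitting groups asks "what if user were not a member of any groups".
        spec["groups"] = list(groups)
    if resource_attrs is not None:
        # Assumption of this example: the resource namespace must equal the URL namespace.
        if resource_attrs.get("namespace") != namespace:
            raise ValueError("resourceAttributes.namespace must match the path namespace")
        spec["resourceAttributes"] = dict(resource_attrs)
    else:
        spec["nonResourceAttributes"] = dict(non_resource_attrs)
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "LocalSubjectAccessReview",
            "metadata": {"namespace": namespace}, "spec": spec}


def verdict(status):
    """Classify a status as 'allowed', 'denied' or 'no opinion', checking the field invariants."""
    allowed = status.get("allowed")
    if not isinstance(allowed, bool):
        raise ValueError("status.allowed is required and must be a boolean")
    denied = status.get("denied", False)
    if allowed and denied:
        raise ValueError("denied may not be true when allowed is true")
    if allowed:
        return "allowed"
    return "denied" if denied else "no opinion"


def permit(status):
    """Fail closed: only allowed=true permits; 'no opinion', even with an evaluationError, does not."""
    return verdict(status) == "allowed"


# Constructed sample: may alice list pods in team-a if she belonged to no groups?
REQUEST = build_local_sar("team-a", "alice", resource_attrs={
    "namespace": "team-a", "verb": "list", "group": "", "resource": "pods"})

# Constructed status responses, not captured from a live API server.
SAMPLE_STATUSES = {
    "rbac_allow": {"allowed": True, "reason": "RBAC: allowed by RoleBinding \"pod-reader\""},
    "webhook_deny": {"allowed": False, "denied": True, "reason": "blocked by policy"},
    "partial_error": {"allowed": False, "evaluationError": "role \"missing\" not found"},
}
```

Only status.allowed is authoritative for a caller: an evaluationError alongside allowed=false means the authorizer could not reach a positive decision, so the request should be refused rather than retried as if it were allowed.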