Security Models
V1CertificateSigningRequest
- CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued. Kubelets use this API to obtain:
  1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
  2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
  This API can also be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName), or to obtain certificates from custom non-Kubernetes signers.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ObjectMeta | |
spec | V1CertificateSigningRequestSpec | |
status | V1CertificateSigningRequestStatus |
V1CertificateSigningRequestCondition
- CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object
| Property | Type | Description |
|---|---|---|
lastTransitionTime | Date | lastTransitionTime is the time the condition last transitioned from one status to another. If unset, when a new condition type is added or an existing condition's status is changed, the server... |
lastUpdateTime | Date | lastUpdateTime is the time of the last update to this condition |
message | string | message contains a human readable message with details about the request state |
reason | string | reason indicates a brief reason for the request state |
status | string | status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be "False" or "Unknown". |
type | string | type of the condition. Known conditions are "Approved", "Denied", and "Failed". An "Approved" condition is added via the /approval subresource, indicating the request was approved and should... |
V1CertificateSigningRequestList
- CertificateSigningRequestList is a collection of CertificateSigningRequest objects
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
items | V1CertificateSigningRequest[] | items is a collection of CertificateSigningRequest objects |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ListMeta |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.CertificatesV1Api);
// CertificateSigningRequests are cluster-scoped, so the list call takes no namespace;
// filter on the signer instead (spec.signerName is a supported field selector).
const res: k8s.V1CertificateSigningRequestList = await api.listCertificateSigningRequest({
  fieldSelector: 'spec.signerName=kubernetes.io/kube-apiserver-client',
});
for (const item of res.items) {
  console.log(item.metadata?.name, item.spec?.username, item.status?.conditions?.map((c) => c.type));
}
Used by: CertificatesV1Api.listCertificateSigningRequest
V1CertificateSigningRequestSpec
- CertificateSigningRequestSpec contains the certificate request.
| Property | Type | Description |
|---|---|---|
expirationSeconds | number | expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta... |
extra | { [key: string]: string[] } | extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable. |
groups | string[] | groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable. |
request | string | request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded. |
signerName | string | signerName indicates the requested signer, and is a qualified name. List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. ... |
uid | string | uid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable. |
usages | string[] | usages specifies a set of key usages requested in the issued certificate. Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth". ... |
username | string | username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable. |
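An added, runnable example (not code from this page or from the client-node project) that builds the `spec.request` value for the `kubernetes.io/kube-apiserver-client` signer from scratch with Node's `crypto` module and a small DER encoder, then assembles the CertificateSigningRequest object from the spec fields documented above. The subject is the security-relevant part: kube-apiserver takes the certificate's CN as the username and each O as a group, so whoever approves the request grants exactly that identity. The helper names, the `jane`/`developers` identity, the ECDSA P-256 key type and the one-day `expirationSeconds` are assumptions for the example, and the block base64-encodes the PEM itself on the assumption that the TypeScript client passes `spec.request` through unchanged (the table above says the field is additionally base64-encoded in JSON). Submitting the object would use `createCertificateSigningRequest({ body })` on `k8s.CertificatesV1Api`, which this block does not call.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

// Minimal DER helpers, enough for a PKCS#10 request (part of this added example).
function derLength(n: number): Buffer {
  if (n < 0x80) return Buffer.from([n]);
  const bytes: number[] = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}
function der(tag: number, ...content: Buffer[]): Buffer {
  const body = Buffer.concat(content);
  return Buffer.concat([Buffer.from([tag]), derLength(body.length), body]);
}
function derOid(dotted: string): Buffer {
  const arcs = dotted.split('.').map(Number);
  const out: number[] = [arcs[0] * 40 + arcs[1]];
  for (const arc of arcs.slice(2)) {
    const chunk: number[] = [arc & 0x7f];
    for (let v = Math.floor(arc / 128); v > 0; v = Math.floor(v / 128)) chunk.unshift(0x80 | (v & 0x7f));
    out.push(...chunk);
  }
  return der(0x06, Buffer.from(out));
}
// X.501 Name as SEQUENCE OF SET OF { OID, UTF8String }. kube-apiserver reads CN as
// the username and each O as a group when it authenticates the resulting cert.
function derName(commonName: string, organizations: string[]): Buffer {
  const rdn = (oid: string, value: string) =>
    der(0x31, der(0x30, derOid(oid), der(0x0c, Buffer.from(value, 'utf8'))));
  return der(0x30, rdn('2.5.4.3', commonName), ...organizations.map((o) => rdn('2.5.4.10', o)));
}

const ECDSA_WITH_SHA256 = '1.2.840.10045.4.3.2';

export interface CsrKeyPair { privateKey: KeyObject; publicKey: KeyObject; }

// P-256 is assumed here; the private key never leaves the requesting process.
export function generateCsrKey(): CsrKeyPair {
  return generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// PKCS#10 CertificationRequest (RFC 2986): info, signature algorithm, signature.
// Returns the "CERTIFICATE REQUEST" PEM block plus the signed bytes so the
// self-signature (proof of key possession) can be checked.
export function buildCsr(key: CsrKeyPair, username: string, groups: string[]): { pem: string; info: Buffer; signature: Buffer } {
  const info = der(
    0x30,
    der(0x02, Buffer.from([0x00])),                                   // version v1(0)
    derName(username, groups),                                         // subject
    key.publicKey.export({ type: 'spki', format: 'der' }),             // subjectPKInfo
    Buffer.from([0xa0, 0x00]),                                         // attributes [0], empty
  );
  const signature = sign('sha256', info, key.privateKey);               // DER-encoded ECDSA signature
  const request = der(
    0x30,
    info,
    der(0x30, derOid(ECDSA_WITH_SHA256)),                               // signatureAlgorithm
    der(0x03, Buffer.from([0x00]), signature),                          // signature BIT STRING
  );
  const b64 = request.toString('base64').replace(/(.{64})/g, '$1\n').trimEnd();
  const pem = `-----BEGIN CERTIFICATE REQUEST-----\n${b64}\n-----END CERTIFICATE REQUEST-----\n`;
  return { pem, info, signature };
}

export function csrSignatureValid(csr: { info: Buffer; signature: Buffer }, publicKey: KeyObject): boolean {
  return verify('sha256', csr.info, publicKey, csr.signature);
}

// The CertificateSigningRequest object for the built-in client-cert signer, using only
// the spec fields documented above. request is base64(PEM), assuming the client sends
// the string as-is (the field is base64 in JSON).
export function clientCertCsrObject(name: string, pem: string, expirationSeconds = 86400) {
  return {
    apiVersion: 'certificates.k8s.io/v1',
    kind: 'CertificateSigningRequest',
    metadata: { name },
    spec: {
      request: Buffer.from(pem, 'utf8').toString('base64'),
      signerName: 'kubernetes.io/kube-apiserver-client',
      expirationSeconds,
      usages: ['digital signature', 'key encipherment', 'client auth'],
    },
  };
}

// Constructed identity for the example: user "jane" in group "developers".
const exampleKey = generateCsrKey();
const exampleCsr = buildCsr(exampleKey, 'jane', ['developers']);
export const exampleCsrObject = clientCertCsrObject('jane-client', exampleCsr.pem);
```

The self-signature proves possession of the private key, not who submitted the object. The API server fills `spec.username` and `spec.groups` from the submitter's own credentials, so an approver should compare those against the CN and O inside the request before approving; otherwise any identity that can create CSRs can ask for a certificate naming someone else.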
V1CertificateSigningRequestStatus
- CertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, and the issued certificate.
| Property | Type | Description |
|---|---|---|
certificate | string | certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable. If... |
conditions | V1CertificateSigningRequestCondition[] | conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed". |
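Reading the status, as an added example (not the page's or the project's code): the condition and status shapes are declared locally to match the two tables above, so a `k8s.V1CertificateSigningRequestStatus` value can be passed in unchanged once client-node is installed. The classification refuses an "Approved", "Denied" or "Failed" condition whose status is not "True", because the API forbids that combination and a client should fail closed rather than treat a malformed object as approved; the validity check implements the spec-table advice that `expirationSeconds` is only a request. The tolerance value is an assumption, and the sample conditions in the test are constructed.

```typescript
import { X509Certificate } from 'node:crypto';

// Local shapes matching the V1CertificateSigningRequestCondition and
// V1CertificateSigningRequestStatus tables (added example, not client-node code).
export interface CsrCondition { type: string; status: string; reason?: string; message?: string; }
export interface CsrStatus { certificate?: string; conditions?: CsrCondition[]; }
export type CsrPhase = 'Approved' | 'Denied' | 'Failed' | 'Pending';

const TERMINAL_TYPES = new Set(['Approved', 'Denied', 'Failed']);

// Failed and Denied outrank Approved: an approved request can still fail at the
// signer. The three known types may only carry status "True", so any other value
// is a malformed or tampered object and is rejected rather than ignored.
export function csrPhase(status: CsrStatus | undefined): CsrPhase {
  const present = new Set<string>();
  for (const c of status?.conditions ?? []) {
    if (TERMINAL_TYPES.has(c.type) && c.status !== 'True') {
      throw new Error(`condition ${c.type} has invalid status ${JSON.stringify(c.status)}`);
    }
    present.add(c.type);
  }
  if (present.has('Failed')) return 'Failed';
  if (present.has('Denied')) return 'Denied';
  if (present.has('Approved')) return 'Approved';
  return 'Pending';
}

// status.certificate is only meaningful once Approved and, like spec.request, is
// base64-encoded in JSON. Returns the PEM, or null while the signer has not issued.
export function issuedCertificatePem(status: CsrStatus | undefined): string | null {
  if (csrPhase(status) !== 'Approved' || !status?.certificate) return null;
  const pem = Buffer.from(status.certificate, 'base64').toString('utf8');
  if (!pem.includes('-----BEGIN CERTIFICATE-----')) {
    throw new Error('status.certificate does not decode to a CERTIFICATE PEM block');
  }
  return pem;
}

// expirationSeconds is a request, not a promise: compare notBefore/notAfter of what
// was issued with what was asked for, as the spec table tells clients to do.
export function issuedValiditySeconds(pem: string): number {
  const cert = new X509Certificate(pem);
  return Math.round((Date.parse(cert.validTo) - Date.parse(cert.validFrom)) / 1000);
}

// Tolerance (assumed 5 minutes) absorbs signer clock skew and backdated notBefore.
export function validityAsRequested(pem: string, requestedSeconds: number, toleranceSeconds = 300): boolean {
  return Math.abs(issuedValiditySeconds(pem) - requestedSeconds) <= toleranceSeconds;
}
```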
V1ClusterRole
- ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
rules | V1PolicyRule[] | Rules holds all the PolicyRules for this ClusterRole |
aggregationRule | V1AggregationRule | |
metadata | V1ObjectMeta |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.RbacAuthorizationV1Api);
const body: k8s.V1ClusterRole = {
  metadata: { name: 'example' },
  // A ClusterRole grants nothing by itself; a binding decides who receives these rules.
  rules: [{ apiGroups: [''], resources: ['pods'], verbs: ['get', 'list', 'watch'] }],
};
const res = await api.createClusterRole({ body });
console.log(res.metadata?.name);
Used by: RbacAuthorizationV1Api.createClusterRole · RbacAuthorizationV1Api.patchClusterRole · RbacAuthorizationV1Api.readClusterRole
V1ClusterRoleBinding
- ClusterRoleBinding references a ClusterRole, but does not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
subjects | RbacV1Subject[] | Subjects holds references to the objects the role applies to. |
metadata | V1ObjectMeta | |
roleRef | V1RoleRef |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.RbacAuthorizationV1Api);
const body: k8s.V1ClusterRoleBinding = {
  metadata: { name: 'example' },
  // roleRef is required and cannot be changed after creation.
  roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'example' },
  subjects: [{ kind: 'User', name: 'jane', apiGroup: 'rbac.authorization.k8s.io' }],
};
const res = await api.createClusterRoleBinding({ body });
console.log(res.metadata?.name);
Used by: RbacAuthorizationV1Api.createClusterRoleBinding · RbacAuthorizationV1Api.patchClusterRoleBinding · RbacAuthorizationV1Api.readClusterRoleBinding
V1ClusterRoleBindingList
- ClusterRoleBindingList is a collection of ClusterRoleBindings
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
items | V1ClusterRoleBinding[] | Items is a list of ClusterRoleBindings |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ListMeta |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.RbacAuthorizationV1Api);
// ClusterRoleBindings are cluster-scoped, so the list call takes no namespace.
const res: k8s.V1ClusterRoleBindingList = await api.listClusterRoleBinding({});
for (const item of res.items) {
console.log(item.metadata?.name);
}
Used by: RbacAuthorizationV1Api.listClusterRoleBinding
V1ClusterRoleList
- ClusterRoleList is a collection of ClusterRoles
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
items | V1ClusterRole[] | Items is a list of ClusterRoles |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ListMeta |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.RbacAuthorizationV1Api);
// ClusterRoles are cluster-scoped, so the list call takes no namespace.
const res: k8s.V1ClusterRoleList = await api.listClusterRole({});
for (const item of res.items) {
console.log(item.metadata?.name);
}
Used by: RbacAuthorizationV1Api.listClusterRole
V1LocalSubjectAccessReview
- LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ObjectMeta | |
spec | V1SubjectAccessReviewSpec | |
status | V1SubjectAccessReviewStatus |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.AuthorizationV1Api);
const body: k8s.V1LocalSubjectAccessReview = {
  metadata: { namespace: 'default' },
  spec: {
    user: 'jane',
    groups: ['developers'],
    // resourceAttributes.namespace must match the namespace in the request path.
    resourceAttributes: { namespace: 'default', verb: 'get', resource: 'pods' },
  },
};
const res = await api.createNamespacedLocalSubjectAccessReview({ namespace: 'default', body });
console.log(res.status?.allowed, res.status?.reason);
Used by: AuthorizationV1Api.createNamespacedLocalSubjectAccessReview
V1Role
- Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
rules | V1PolicyRule[] | Rules holds all the PolicyRules for this Role |
metadata | V1ObjectMeta |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.RbacAuthorizationV1Api);
const body: k8s.V1Role = {
  metadata: { name: 'example', namespace: 'default' },
  rules: [{ apiGroups: [''], resources: ['configmaps'], verbs: ['get', 'list', 'watch'] }],
};
const res = await api.createNamespacedRole({ namespace: 'default', body });
console.log(res.metadata?.name);
Used by: RbacAuthorizationV1Api.createNamespacedRole · RbacAuthorizationV1Api.patchNamespacedRole · RbacAuthorizationV1Api.readNamespacedRole
V1RoleBinding
- RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
subjects | RbacV1Subject[] | Subjects holds references to the objects the role applies to. |
metadata | V1ObjectMeta | |
roleRef | V1RoleRef |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.RbacAuthorizationV1Api);
const body: k8s.V1RoleBinding = {
  metadata: { name: 'example', namespace: 'default' },
  // roleRef is required and cannot be changed after creation; it may name a Role in this
  // namespace or a ClusterRole, which then only applies inside this namespace.
  roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'Role', name: 'example' },
  subjects: [{ kind: 'ServiceAccount', name: 'app', namespace: 'default' }],
};
const res = await api.createNamespacedRoleBinding({ namespace: 'default', body });
console.log(res.metadata?.name);
Used by: RbacAuthorizationV1Api.createNamespacedRoleBinding · RbacAuthorizationV1Api.patchNamespacedRoleBinding · RbacAuthorizationV1Api.readNamespacedRoleBinding
V1RoleBindingList
- RoleBindingList is a collection of RoleBindings
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
items | V1RoleBinding[] | Items is a list of RoleBindings |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ListMeta |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.RbacAuthorizationV1Api);
const res: k8s.V1RoleBindingList = await api.listNamespacedRoleBinding({ namespace: 'default' });
for (const item of res.items) {
console.log(item.metadata?.name);
}
Used by: RbacAuthorizationV1Api.listNamespacedRoleBinding · RbacAuthorizationV1Api.listRoleBindingForAllNamespaces
V1RoleList
- RoleList is a collection of Roles
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
items | V1Role[] | Items is a list of Roles |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ListMeta |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.RbacAuthorizationV1Api);
const res: k8s.V1RoleList = await api.listNamespacedRole({ namespace: 'default' });
for (const item of res.items) {
console.log(item.metadata?.name);
}
Used by: RbacAuthorizationV1Api.listNamespacedRole · RbacAuthorizationV1Api.listRoleForAllNamespaces
V1RoleRef
- RoleRef contains information that points to the role being used
| Property | Type | Description |
|---|---|---|
apiGroup | string | APIGroup is the group for the resource being referenced |
kind | string | Kind is the type of resource being referenced |
name | string | Name is the name of resource being referenced |
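An added audit example (not code from this page or from the client-node project) that walks Roles, ClusterRoles and their bindings the way the RBAC authorizer resolves them: a RoleRef of kind ClusterRole is global, a RoleRef of kind Role is looked up in the binding's own namespace, and a RoleBinding limits even a ClusterRole to that namespace. It flags rules that amount to cluster-admin, rules carrying the `bind`, `escalate` or `impersonate` verbs, rules that read Secrets or create Pods, and bindings whose subjects are the unauthenticated groups. The object shapes are declared locally to match the tables above, so lists fetched with `listClusterRole`, `listClusterRoleBinding`, `listRoleForAllNamespaces` and `listRoleBindingForAllNamespaces` drop in; the severity labels are an assumption, and the sample roles and bindings at the end are constructed for the example, not taken from a cluster.

```typescript
// Local shapes matching the V1PolicyRule, V1RoleRef, RbacV1Subject, Role/ClusterRole and
// binding tables on this page (added example; client-node's types are structurally compatible).
export interface PolicyRule { apiGroups?: string[]; resources?: string[]; verbs: string[]; resourceNames?: string[]; nonResourceURLs?: string[]; }
export interface RoleLike { kind: 'Role' | 'ClusterRole'; metadata: { name: string; namespace?: string }; rules?: PolicyRule[]; }
export interface Subject { kind: string; name: string; namespace?: string; apiGroup?: string; }
export interface RoleRef { apiGroup: string; kind: string; name: string; }
export interface BindingLike { kind: 'RoleBinding' | 'ClusterRoleBinding'; metadata: { name: string; namespace?: string }; roleRef: RoleRef; subjects?: Subject[]; }
export interface Finding { binding: string; scope: string; subject: string; severity: 'high' | 'medium'; reason: string; }

const ESCALATION_VERBS = ['escalate', 'bind', 'impersonate'];
const READ_VERBS = ['get', 'list', 'watch'];
const ANONYMOUS_GROUPS = new Set(['system:unauthenticated', 'system:anonymous']);

// "*" matches everything, exactly as the RBAC authorizer expands it.
function grants(list: string[] | undefined, ...wanted: string[]): boolean {
  return (list ?? []).some((v) => v === '*' || wanted.includes(v));
}

// Why a single rule is dangerous, or null when it is not.
export function ruleRisk(r: PolicyRule): string | null {
  const star = (l?: string[]) => (l ?? []).includes('*');
  if (star(r.apiGroups) && star(r.resources) && star(r.verbs)) return 'full cluster-admin equivalent (*/*/*)';
  if (grants(r.verbs, ...ESCALATION_VERBS)) return `escalation verb on ${(r.resources ?? []).join(',')}: ${r.verbs.join(',')}`;
  if (grants(r.resources, 'secrets') && grants(r.verbs, ...READ_VERBS)) return 'reads secrets';
  if (grants(r.resources, 'pods', 'pods/exec') && grants(r.verbs, 'create')) return 'creates pods or exec sessions';
  return null;
}

// Resolve roleRef as the authorizer does: ClusterRole by name cluster-wide, Role by
// name inside the binding's namespace. A Role in another namespace does not count.
function resolveRole(b: BindingLike, roles: RoleLike[]): RoleLike | undefined {
  return roles.find((r) => r.kind === b.roleRef.kind && r.metadata.name === b.roleRef.name
    && (r.kind === 'ClusterRole' || r.metadata.namespace === b.metadata.namespace));
}

export function auditBindings(roles: RoleLike[], bindings: BindingLike[]): Finding[] {
  const out: Finding[] = [];
  for (const b of bindings) {
    // The binding kind, not the role kind, decides where the grant applies.
    const scope = b.kind === 'ClusterRoleBinding' ? 'cluster-wide' : `namespace ${b.metadata.namespace ?? '?'}`;
    const role = resolveRole(b, roles);
    if (!role) {
      out.push({ binding: b.metadata.name, scope, subject: '-', severity: 'medium', reason: `roleRef ${b.roleRef.kind}/${b.roleRef.name} does not resolve` });
      continue;
    }
    const risks = (role.rules ?? []).map(ruleRisk).filter((x): x is string => x !== null);
    const writes = (role.rules ?? []).some((r) => !r.verbs.every((v) => READ_VERBS.includes(v)));
    for (const s of b.subjects ?? []) {
      const subject = `${s.kind}/${s.name}`;
      for (const reason of risks) {
        out.push({ binding: b.metadata.name, scope, subject, severity: 'high', reason: `${role.kind}/${role.metadata.name} ${reason}` });
      }
      if (s.kind === 'Group' && ANONYMOUS_GROUPS.has(s.name)) {
        out.push({ binding: b.metadata.name, scope, subject, severity: 'high', reason: 'granted to unauthenticated callers' });
      } else if (s.kind === 'Group' && s.name === 'system:authenticated' && writes) {
        out.push({ binding: b.metadata.name, scope, subject, severity: 'medium', reason: 'non-read-only role granted to every authenticated identity' });
      }
    }
  }
  return out;
}

// Constructed sample objects (not from a real cluster) to run the audit against.
export const sampleRoles: RoleLike[] = [
  { kind: 'ClusterRole', metadata: { name: 'admin-all' }, rules: [{ apiGroups: ['*'], resources: ['*'], verbs: ['*'] }] },
  { kind: 'ClusterRole', metadata: { name: 'secret-reader' }, rules: [{ apiGroups: [''], resources: ['secrets'], verbs: ['get', 'list'] }] },
  { kind: 'Role', metadata: { name: 'pod-viewer', namespace: 'dev' }, rules: [{ apiGroups: [''], resources: ['pods'], verbs: ['get', 'list', 'watch'] }] },
];
export const sampleBindings: BindingLike[] = [
  { kind: 'ClusterRoleBinding', metadata: { name: 'oops' }, roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'admin-all' }, subjects: [{ kind: 'Group', name: 'system:unauthenticated', apiGroup: 'rbac.authorization.k8s.io' }] },
  { kind: 'RoleBinding', metadata: { name: 'readers', namespace: 'dev' }, roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'secret-reader' }, subjects: [{ kind: 'User', name: 'jane', apiGroup: 'rbac.authorization.k8s.io' }] },
  { kind: 'RoleBinding', metadata: { name: 'viewers', namespace: 'dev' }, roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'Role', name: 'pod-viewer' }, subjects: [{ kind: 'ServiceAccount', name: 'ci', namespace: 'dev' }] },
  { kind: 'RoleBinding', metadata: { name: 'stale', namespace: 'prod' }, roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'Role', name: 'pod-viewer' } },
];
export const sampleFindings = auditBindings(sampleRoles, sampleBindings);
```

On the sample data the audit reports the anonymous cluster-admin binding twice (dangerous rule, dangerous subject), the namespaced secret read once, nothing for the pod viewer, and a dangling roleRef for the binding in `prod` that names a Role which only exists in `dev`.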
V1SelfSubjectAccessReview
- SelfSubjectAccessReview checks whether or not the current user can perform an action. Not filling in a namespace in spec.resourceAttributes means "in all namespaces". Self is a special case, because users should always be able to check whether they can perform an action.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ObjectMeta | |
spec | V1SelfSubjectAccessReviewSpec | |
status | V1SubjectAccessReviewStatus |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.AuthorizationV1Api);
const body: k8s.V1SelfSubjectAccessReview = {
  spec: {
    resourceAttributes: { namespace: 'default', verb: 'create', group: 'apps', resource: 'deployments' },
  },
};
const res = await api.createSelfSubjectAccessReview({ body });
console.log(res.status?.allowed, res.status?.reason);
Used by: AuthorizationV1Api.createSelfSubjectAccessReview
V1SelfSubjectAccessReviewSpec
- SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set
| Property | Type | Description |
|---|---|---|
nonResourceAttributes | V1NonResourceAttributes | |
resourceAttributes | V1ResourceAttributes |
V1SelfSubjectRulesReview
- SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT be used by external systems to drive authorization decisions, as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview and LocalSubjectAccessReview are the correct way to defer authorization decisions to the API server.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ObjectMeta | |
spec | V1SelfSubjectRulesReviewSpec | |
status | V1SubjectRulesReviewStatus |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.AuthorizationV1Api);
const body: k8s.V1SelfSubjectRulesReview = {
  spec: { namespace: 'default' },
};
const res = await api.createSelfSubjectRulesReview({ body });
// incomplete is true when the authorizer could not enumerate every rule.
console.log(res.status?.incomplete, res.status?.resourceRules);
Used by: AuthorizationV1Api.createSelfSubjectRulesReview
V1SelfSubjectRulesReviewSpec
- SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
| Property | Type | Description |
|---|---|---|
namespace | string | Namespace to evaluate rules for. Required. |
V1SubjectAccessReview
- SubjectAccessReview checks whether or not a user or group can perform an action.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ObjectMeta | |
spec | V1SubjectAccessReviewSpec | |
status | V1SubjectAccessReviewStatus |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.AuthorizationV1Api);
const body: k8s.V1SubjectAccessReview = {
  spec: {
    user: 'jane',
    groups: ['developers'],
    // Exactly one of resourceAttributes / nonResourceAttributes may be set.
    resourceAttributes: { namespace: 'default', verb: 'delete', resource: 'pods' },
  },
};
const res = await api.createSubjectAccessReview({ body });
console.log(res.status?.allowed, res.status?.denied, res.status?.reason);
Used by: AuthorizationV1Api.createSubjectAccessReview
V1SubjectAccessReviewSpec
- SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set
| Property | Type | Description |
|---|---|---|
extra | { [key: string]: string[] } | Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here. |
groups | string[] | Groups is the groups you're testing for. |
uid | string | UID information about the requesting user. |
user | string | User is the user you're testing for. If you specify "User" but not "Groups", then it is interpreted as "What if User were not a member of any groups?". |
nonResourceAttributes | V1NonResourceAttributes | |
resourceAttributes | V1ResourceAttributes |
V1SubjectAccessReviewStatus
- SubjectAccessReviewStatus is the authorizer's answer to an access review.
| Property | Type | Description |
|---|---|---|
allowed | boolean | Allowed is required. True if the action would be allowed, false otherwise. |
denied | boolean | Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied... |
evaluationError | string | EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of... |
reason | string | Reason is optional. It indicates why a request was allowed or denied. |
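An added example (not the page's or the project's code) of building a review spec that obeys the "exactly one of" rule and of reading the three-valued answer. The shapes are declared locally from the spec and status tables above, with `V1ResourceAttributes` and `V1NonResourceAttributes` reduced to their standard fields; the `jane`/`developers` identity and the `/healthz` path in the test are constructed. For the namespaced form the block also checks that `spec.resourceAttributes.namespace` equals the namespace in the request path, which the API server requires.

```typescript
// Local shapes matching the V1SubjectAccessReviewSpec / V1SubjectAccessReviewStatus tables
// (added example); a k8s.V1SubjectAccessReviewStatus from client-node drops in unchanged.
export interface ResourceAttributes { namespace?: string; verb: string; group?: string; version?: string; resource: string; subresource?: string; name?: string; }
export interface NonResourceAttributes { path: string; verb: string; }
export interface Identity { user: string; groups?: string[]; uid?: string; extra?: { [key: string]: string[] }; }
export interface SarSpec extends Identity { resourceAttributes?: ResourceAttributes; nonResourceAttributes?: NonResourceAttributes; }
export interface SarStatus { allowed: boolean; denied?: boolean; reason?: string; evaluationError?: string; }
export type Decision = 'allowed' | 'denied' | 'no-opinion';

// Exactly one of the two attribute sets may be present. A user without groups asks
// "what if this user were in no groups at all", so forward the groups the
// authenticator returned together with the username.
export function sarSpec(who: Identity, attrs: { resource?: ResourceAttributes; nonResource?: NonResourceAttributes }): SarSpec {
  if (Boolean(attrs.resource) === Boolean(attrs.nonResource)) {
    throw new Error('set exactly one of resourceAttributes or nonResourceAttributes');
  }
  return { ...who, resourceAttributes: attrs.resource, nonResourceAttributes: attrs.nonResource };
}

// Namespaced form: the namespace in the path, metadata.namespace and
// spec.resourceAttributes.namespace must agree or the API server rejects the review.
export function localSarBody(namespace: string, spec: SarSpec) {
  if (!spec.resourceAttributes || spec.resourceAttributes.namespace !== namespace) {
    throw new Error(`LocalSubjectAccessReview in ${namespace} needs resourceAttributes.namespace === ${JSON.stringify(namespace)}`);
  }
  return { apiVersion: 'authorization.k8s.io/v1', kind: 'LocalSubjectAccessReview', metadata: { namespace }, spec };
}

// Three outcomes, not two. allowed=false with denied=false means no authorizer had an
// opinion; the API server treats that as a deny, but a service deferring decisions
// should log it apart from an explicit deny. evaluationError is reported alongside the
// verdict and never overrides it.
export function decision(status: SarStatus | undefined): { decision: Decision; reason: string } {
  if (!status) return { decision: 'no-opinion', reason: 'no status returned' };
  const err = status.evaluationError ? ` (evaluationError: ${status.evaluationError})` : '';
  if (status.allowed) return { decision: 'allowed', reason: (status.reason ?? 'allowed') + err };
  if (status.denied) return { decision: 'denied', reason: (status.reason ?? 'denied') + err };
  return { decision: 'no-opinion', reason: (status.reason ?? 'no authorizer had an opinion') + err };
}

// Gate for a service that defers to the API server: only an explicit allow passes.
export function permit(status: SarStatus | undefined): boolean {
  return decision(status).decision === 'allowed';
}
```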
V1TokenReview
- TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.
| Property | Type | Description |
|---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:... |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info:... |
metadata | V1ObjectMeta | |
spec | V1TokenReviewSpec | |
status | V1TokenReviewStatus |
Example
import * as k8s from '@kubernetes/client-node';
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const api = kc.makeApiClient(k8s.AuthenticationV1Api);
const body: k8s.V1TokenReview = {
  spec: {
    // Bearer token presented by a caller (read from the environment here for illustration).
    token: process.env.CALLER_TOKEN ?? '',
    // Audiences this service identifies as; the server reports only those the token also carries.
    audiences: ['https://example.internal'],
  },
};
const res = await api.createTokenReview({ body });
console.log(res.status?.authenticated, res.status?.user?.username, res.status?.audiences);
Used by: AuthenticationV1Api.createTokenReview
V1TokenReviewSpec
- TokenReviewSpec is a description of the token authentication request.
| Property | Type | Description |
|---|---|---|
audiences | string[] | Audiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of... |
token | string | Token is the opaque bearer token. |
V1TokenReviewStatus
- TokenReviewStatus is the result of the token authentication request.
| Property | Type | Description |
|---|---|---|
audiences | string[] | Audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec... |
authenticated | boolean | Authenticated indicates that the token was associated with a known user. |
error | string | Error indicates that the token couldn't be checked |
user | V1UserInfo |
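An added example (not the page's or the project's code) of the body for `createTokenReview` and of a strict acceptance check on the status: `authenticated` must be true, `error` must be empty, and when audiences were requested the returned audiences must overlap the caller's own, otherwise a token minted for another service is being replayed here. The `V1UserInfo` fields (username, uid, groups, extra) are assumed from the standard Kubernetes user info; the audience URLs and user names are constructed. Because the note above says webhook authenticators may cache reviews, a positive answer is not proof that the token has not been revoked since.

```typescript
import { createHash } from 'node:crypto';

// Local shapes matching V1TokenReviewSpec / V1TokenReviewStatus above; V1UserInfo is
// assumed to carry the standard username/uid/groups/extra fields (added example).
export interface UserInfo { username?: string; uid?: string; groups?: string[]; extra?: { [key: string]: string[] }; }
export interface TokenReviewStatus { authenticated?: boolean; audiences?: string[]; error?: string; user?: UserInfo; }
export interface Verdict { ok: boolean; username?: string; groups: string[]; reason: string; }

// Body for AuthenticationV1Api.createTokenReview. audiences are the identifiers this
// resource server presents as; the status lists only audiences that both the review
// and the token agree on.
export function tokenReviewBody(token: string, audiences: string[]) {
  if (!token) throw new Error('empty bearer token');
  return { apiVersion: 'authentication.k8s.io/v1', kind: 'TokenReview', spec: { token, audiences } };
}

// Accept only a fully positive answer: authenticated is the sole success signal, an
// authenticator error is surfaced rather than guessed around, and an audience match
// is required whenever one was requested.
export function acceptTokenReview(status: TokenReviewStatus | undefined, expectedAudiences: string[]): Verdict {
  const reject = (reason: string): Verdict => ({ ok: false, groups: [], reason });
  if (!status) return reject('no status returned');
  if (status.error) return reject(`authenticator error: ${status.error}`);
  const username = status.user?.username;
  if (status.authenticated !== true || !username) return reject('token not authenticated');
  if (expectedAudiences.length > 0) {
    const granted = status.audiences ?? [];
    if (!granted.some((a) => expectedAudiences.includes(a))) {
      return reject(`audience mismatch: token valid for [${granted.join(', ')}], expected one of [${expectedAudiences.join(', ')}]`);
    }
  }
  return { ok: true, username, groups: status.user?.groups ?? [], reason: 'authenticated' };
}

// Bearer tokens are credentials: log a short hash for correlation, never the token.
export function tokenFingerprint(token: string): string {
  return createHash('sha256').update(token).digest('hex').slice(0, 16);
}

// Constructed status as the API server would return it for a service-account token
// presented to an audience-aware service (sample data, not a real response).
export const exampleVerdict = acceptTokenReview(
  { authenticated: true, audiences: ['https://billing.internal'], user: { username: 'system:serviceaccount:default:billing', groups: ['system:serviceaccounts'] } },
  ['https://billing.internal'],
);
```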