SubjectAccessReviewSpec

SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set

Schema URL

https://raw.githubusercontent.com/nlamirault/schema-hub/main/schemas/authorization.api.k8s.io/SubjectAccessReviewSpec_v1.json

▶ Usage examples

VS Code / yaml-language-server

# yaml-language-server: $schema=https://raw.githubusercontent.com/nlamirault/schema-hub/main/schemas/authorization.api.k8s.io/SubjectAccessReviewSpec_v1.json

kubeconform

kubeconform -schema-location 'https://raw.githubusercontent.com/nlamirault/schema-hub/main/schemas/{{ .Group }}/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json' manifest.yaml

Resource Structure

extraobject

Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.

groupsarray

Groups is the groups you're testing for.

nonResourceAttributesobject

NonResourceAttributes describes information for a non-resource access request

resourceAttributesobject

ResourceAuthorizationAttributes describes information for a resource access request

uidstring

UID information about the requesting user.

userstring

User is the user you're testing for. If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups