- Documentation
- OKD
- API reference
- authorization.openshift.io
- SubjectAccessReview [authorization.openshift.io/v1]
- About
- What's New?
- Getting Started
- Architecture
- Container Security Guide
- Installing Clusters
- Upgrading Clusters
- Configuring Clusters
- Overview
- Setting up the Registry
- Setting up a Router
- Deploying Red Hat CloudForms
- Prometheus Cluster Monitoring
- Accessing and Configuring the Red Hat Registry
- Master and Node Configuration
- OpenShift Ansible Broker Configuration
- Adding Hosts to an Existing Cluster
- Loading the Default Image Streams and Templates
- Configuring Custom Certificates
- Redeploying Certificates
- Configuring Authentication and User Agent
- Syncing groups with LDAP
- Configuring LDAP failover
- Configuring the SDN
- Configuring Nuage SDN
- Configuring NSX-T SDN
- Configuring Kuryr SDN
- Configuring for AWS
- Configuring for Red Hat Virtualization
- Configuring for OpenStack
- Configuring for Google Compute Engine
- Configuring for Azure
- Configuring for VMware vSphere
- Configuring Local Volumes
- Configuring Persistent Storage
- Overview
- Using NFS
- Using GlusterFS
- Using OpenStack Cinder
- Using Ceph RBD
- Using AWS Elastic Block Store
- Using GCE Persistent Disk
- Using iSCSI
- Using Fibre Channel
- Using Azure Disk
- Using Azure File
- Using FlexVolume
- Using VMware vSphere volumes for persistent storage
- Using Local Volume
- Using Container Storage Interface (CSI)
- Using OpenStack Manila shares
- Dynamic Provisioning and Creating Storage Classes
- Volume Security
- Selector-Label Volume Binding
- Enabling Controller-managed Attachment and Detachment
- Persistent Volume Snapshots
- Using hostPath
- Persistent Storage Examples
- Overview
- Sharing an NFS PV Across Two Pods
- Using Ceph RBD for Persistent Storage
- Using Ceph RBD for dynamic provisioning
- Complete Example Using GlusterFS
- Complete Example Using GlusterFS for Dynamic Provisioning
- Mounting Volumes To Privileged Pods
- Mount Propagation
- Switching an Integrated OpenShift Container Registry to GlusterFS
- Binding Persistent Volumes by Label
- Using StorageClasses for Dynamic Provisioning
- Using StorageClasses for Existing Legacy Storage
- Configuring Azure Blob Storage for Integrated Container Image Registry
- Configuring Ephemeral Storage
- Working with HTTP Proxies
- Configuring Global Build Defaults and Overrides
- Configuring Pipeline Execution
- Configuring Route Timeouts
- Configuring Native Container Routing
- Routing from Edge Load Balancers
- Aggregating Container Logs
- Aggregate Logging Sizing Guidelines
- Enabling Cluster Metrics
- Customizing the Web Console
- Deploying External Persistent Volume Provisioners
- Installing the Operator Framework (Technology Preview)
- Uninstalling Operator Lifecycle Manager
- Day Two Operations Guide
- Cluster Administration
- Overview
- Managing Nodes
- Restoring your cluster
- Replacing a master host
- Managing Users
- Managing Projects
- Managing Pods
- Managing Networking
- Configuring Service Accounts
- Managing Role-based Access Control
- Image Policy
- Image Signatures
- Scoped Tokens
- Monitoring Images
- Managing Security Context Constraints
- Scheduling
- Overview
- Default Scheduling
- Descheduling
- Custom Scheduling
- Controlling Pod Placement
- Pod Priority and Preemption
- Advanced Scheduling
- Advanced Scheduling and Node Affinity
- Advanced Scheduling and Pod Affinity/Anti-affinity
- Advanced Scheduling and Node Selectors
- Advanced Scheduling and Taints and Tolerations
- Setting Quotas
- Setting Multi-Project Quotas
- Pruning objects
- Extending the Kubernetes API with Custom Resources
- Garbage Collection
- Allocating Node Resources
- Overcommitting
- Out of Resource Handling
- Setting Limit Ranges
- Node Problem Detector
- Assigning Unique External IPs for Ingress Traffic
- Monitoring and Debugging Routers
- High Availability
- IPtables
- Securing Builds by Strategy
- Restricting Application Capabilities Using Seccomp
- Sysctls
- Encrypting Data at Datastore Layer
- Encrypting traffic between nodes with IPsec
- Building Dependency Trees
- Replacing a failed etcd member
- Restoring etcd quorum
- Troubleshooting Networking
- Diagnostics Tool
- Idling Applications
- Analyzing Cluster Capacity
- Configuring the cluster auto-scaler in AWS
- Disabling Features using Feature Gates
- Kuryr SDN Administration
- Scaling and Performance Guide
- Overview
- Recommended Installation Practices
- Recommended Host Practices
- Optimizing Compute Resources
- Optimizing Persistent Storage
- Optimizing Ephemeral Storage
- Network Optimization
- Routing Optimization
- Scaling Cluster Metrics
- Scaling Cluster Monitoring
- Tested Maximums per Cluster
- Using Cluster Loader
- Using CPU Manager
- Managing Huge Pages
- Optimizing On GlusterFS Storage
- Developer Guide
- Overview
- Application Life Cycle Management
- Authentication
- Authorization
- Projects
- Migrating Applications
- Tutorials
- Builds
- Deployments
- Templates
- Opening a Remote Shell to Containers
- Service Accounts
- Managing Images
- Quotas and Limit Ranges
- Getting Traffic into a Cluster
- Routes
- Integrating External Services
- Using Device Manager
- Using Device Plug-ins
- Secrets
- ConfigMaps
- Downward API
- Projected Volumes
- Using Daemonsets
- Pod Autoscaling
- Managing Volumes
- Using Persistent Volumes
- Expanding Persistent Volumes
- Executing Remote Commands
- Copying Files
- Port Forwarding
- Shared Memory
- Application Health
- Events
- Managing Environment Variables
- Jobs
- OpenShift Pipeline
- Cron Jobs
- Create from URL
- Creating an object from a custom resource definition
- Application memory sizing
- Creating Images
- Using Images
- CLI Reference
- Ansible Playbook Bundle Development Guide
- Operators
- API reference
- API list
- Common object reference
- core
- About core
- Binding [core/v1]
- ComponentStatus [core/v1]
- ConfigMap [core/v1]
- Endpoints [core/v1]
- Event [core/v1]
- LimitRange [core/v1]
- Namespace [core/v1]
- Node [core/v1]
- PersistentVolumeClaim [core/v1]
- PersistentVolume [core/v1]
- Pod [core/v1]
- PodTemplate [core/v1]
- ReplicationController [core/v1]
- ResourceQuota [core/v1]
- Secret [core/v1]
- ServiceAccount [core/v1]
- Service [core/v1]
- admissionregistration.k8s.io
- apiregistration.k8s.io
- apps
- apps.openshift.io
- authentication.k8s.io
- authorization.k8s.io
- authorization.openshift.io
- About authorization.openshift.io
- ClusterRoleBinding [authorization.openshift.io/v1]
- ClusterRole [authorization.openshift.io/v1]
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- RoleBindingRestriction [authorization.openshift.io/v1]
- RoleBinding [authorization.openshift.io/v1]
- Role [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- autoscaling
- batch
- build.openshift.io
- certificates.k8s.io
- events.k8s.io
- image.openshift.io
- network.openshift.io
- networking.k8s.io
- oauth.openshift.io
- policy
- project.openshift.io
- quota.openshift.io
- rbac.authorization.k8s.io
- route.openshift.io
- scheduling.k8s.io
- security.openshift.io
- storage.k8s.io
- template.openshift.io
- user.openshift.io
- CRI-O Runtime
SubjectAccessReview [authorization.openshift.io/v1]
- Description
-
SubjectAccessReview is an object for requesting information about whether a user or group can perform an action
- Type
-
object - Required
-
-
namespace -
verb -
resourceAPIGroup -
resourceAPIVersion -
resource -
resourceName -
path -
isNonResourceURL -
user -
groups -
scopes
-
Specification
| Property | Type | Description |
|---|---|---|
|
|
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources |
|
Content is the actual content of the request for create and update |
|
|
|
GroupsSlice is optional. Groups is the list of groups to which the User belongs. |
|
|
IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hierarchy) |
|
|
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds |
|
|
Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces |
|
|
Path is the path of a non resource URL |
|
|
Resource is one of the existing resource types |
|
|
Group is the API group of the resource Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined |
|
|
Version is the API version of the resource Serialized as resourceAPIVersion to avoid confusion with TypeMeta.apiVersion and ObjectMeta.resourceVersion when inlined |
|
|
ResourceName is the name of the resource being requested for a "get" or deleted for a "delete" |
|
|
Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups". Nil for a self-SAR, means "use the scopes on this request". Nil for a regular SAR, means the same as empty. |
|
|
User is optional. If both User and Groups are empty, the current authenticated user is used. |
|
|
Verb is one of: get, list, watch, create, update, delete |
API endpoints
The following API endpoints are available:
-
/apis/authorization.openshift.io/v1/subjectaccessreviews-
POST: create a SubjectAccessReview
-
/apis/authorization.openshift.io/v1/subjectaccessreviews
| Parameter | Type | Description |
|---|---|---|
|
|
If 'true', then the output is pretty printed. |
- HTTP method
-
POST - Description
-
create a SubjectAccessReview
| Parameter | Type | Description |
|---|---|---|
|
| HTTP code | Reponse body |
|---|---|
200 - OK |
|
201 - Created |
|
202 - Accepted |
|
401 - Unauthorized |
Empty |