You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: api-config.yaml
+5-4Lines changed: 5 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -599,12 +599,13 @@ apiMap:
599
599
- kind: CatalogSource
600
600
group: operators.coreos.com
601
601
version: v1alpha1
602
+
# ERROR (objects/index.adoc): "xref:../operatorhub_apis/olm-operator-openshift-io-v1.adoc#olm-operator-openshift-io-v1[`array (OLM)`]" appears to try to reference a file not included in the "openshift-enterprise" distro
Copy file name to clipboardExpand all lines: rest_api/authorization_apis/localsubjectaccessreview-authorization-k8s-io-v1.adoc
+60Lines changed: 60 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -150,10 +150,18 @@ Type::
150
150
|===
151
151
| Property | Type | Description
152
152
153
+
| `fieldSelector`
154
+
| `object`
155
+
| FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
156
+
153
157
| `group`
154
158
| `string`
155
159
| Group is the API Group of the Resource. "*" means all.
156
160
161
+
| `labelSelector`
162
+
| `object`
163
+
| LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
164
+
157
165
| `name`
158
166
| `string`
159
167
| Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
@@ -178,6 +186,58 @@ Type::
178
186
| `string`
179
187
| Version is the API Version of the Resource. "*" means all.
180
188
189
+
|===
190
+
=== .spec.resourceAttributes.fieldSelector
191
+
Description::
192
+
+
193
+
--
194
+
FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
195
+
--
196
+
197
+
Type::
198
+
`object`
199
+
200
+
201
+
202
+
203
+
[cols="1,1,1",options="header"]
204
+
|===
205
+
| Property | Type | Description
206
+
207
+
| `rawSelector`
208
+
| `string`
209
+
| rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
| requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
214
+
215
+
|===
216
+
=== .spec.resourceAttributes.labelSelector
217
+
Description::
218
+
+
219
+
--
220
+
LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
221
+
--
222
+
223
+
Type::
224
+
`object`
225
+
226
+
227
+
228
+
229
+
[cols="1,1,1",options="header"]
230
+
|===
231
+
| Property | Type | Description
232
+
233
+
| `rawSelector`
234
+
| `string`
235
+
| rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
| requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
Copy file name to clipboardExpand all lines: rest_api/authorization_apis/selfsubjectaccessreview-authorization-k8s-io-v1.adoc
+60Lines changed: 60 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -117,10 +117,18 @@ Type::
117
117
|===
118
118
| Property | Type | Description
119
119
120
+
| `fieldSelector`
121
+
| `object`
122
+
| FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
123
+
120
124
| `group`
121
125
| `string`
122
126
| Group is the API Group of the Resource. "*" means all.
123
127
128
+
| `labelSelector`
129
+
| `object`
130
+
| LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
131
+
124
132
| `name`
125
133
| `string`
126
134
| Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
@@ -145,6 +153,58 @@ Type::
145
153
| `string`
146
154
| Version is the API Version of the Resource. "*" means all.
147
155
156
+
|===
157
+
=== .spec.resourceAttributes.fieldSelector
158
+
Description::
159
+
+
160
+
--
161
+
FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
162
+
--
163
+
164
+
Type::
165
+
`object`
166
+
167
+
168
+
169
+
170
+
[cols="1,1,1",options="header"]
171
+
|===
172
+
| Property | Type | Description
173
+
174
+
| `rawSelector`
175
+
| `string`
176
+
| rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
| requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
181
+
182
+
|===
183
+
=== .spec.resourceAttributes.labelSelector
184
+
Description::
185
+
+
186
+
--
187
+
LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
188
+
--
189
+
190
+
Type::
191
+
`object`
192
+
193
+
194
+
195
+
196
+
[cols="1,1,1",options="header"]
197
+
|===
198
+
| Property | Type | Description
199
+
200
+
| `rawSelector`
201
+
| `string`
202
+
| rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
| requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
Copy file name to clipboardExpand all lines: rest_api/authorization_apis/subjectaccessreview-authorization-k8s-io-v1.adoc
+60Lines changed: 60 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -150,10 +150,18 @@ Type::
150
150
|===
151
151
| Property | Type | Description
152
152
153
+
| `fieldSelector`
154
+
| `object`
155
+
| FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
156
+
153
157
| `group`
154
158
| `string`
155
159
| Group is the API Group of the Resource. "*" means all.
156
160
161
+
| `labelSelector`
162
+
| `object`
163
+
| LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
164
+
157
165
| `name`
158
166
| `string`
159
167
| Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
@@ -178,6 +186,58 @@ Type::
178
186
| `string`
179
187
| Version is the API Version of the Resource. "*" means all.
180
188
189
+
|===
190
+
=== .spec.resourceAttributes.fieldSelector
191
+
Description::
192
+
+
193
+
--
194
+
FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
195
+
--
196
+
197
+
Type::
198
+
`object`
199
+
200
+
201
+
202
+
203
+
[cols="1,1,1",options="header"]
204
+
|===
205
+
| Property | Type | Description
206
+
207
+
| `rawSelector`
208
+
| `string`
209
+
| rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
| requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
214
+
215
+
|===
216
+
=== .spec.resourceAttributes.labelSelector
217
+
Description::
218
+
+
219
+
--
220
+
LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
221
+
--
222
+
223
+
Type::
224
+
`object`
225
+
226
+
227
+
228
+
229
+
[cols="1,1,1",options="header"]
230
+
|===
231
+
| Property | Type | Description
232
+
233
+
| `rawSelector`
234
+
| `string`
235
+
| rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
| requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
0 commit comments