just disable the plugin on configuration

Signed-off-by: Bryce Palmer <[email protected]>

openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers.go

@@ -27,15 +27,22 @@ import (
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers/usercache"
 )
 
+const RestrictSubjectBindingsPluginName = "authorization.openshift.io/RestrictSubjectBindings"
+
 func Register(plugins *admission.Plugins) {
-	plugins.Register("authorization.openshift.io/RestrictSubjectBindings",
+	plugins.Register(RestrictSubjectBindingsPluginName,
 		func(config io.Reader) (admission.Interface, error) {
 			cfg, err := readConfig(config)
 			if err != nil {
 				return nil, err
 			}
 
-			return NewRestrictUsersAdmission(cfg)
+            if cfg.OpenShiftOAuthDesiredState == v1alpha1.OpenShiftOAuthStateNotDesired {
+				klog.Infof("Admission plugin %q configured to expect the OpenShift oauth-apiserver as not being available. This is effectively the same as disabling the plugin, so it will be disabled.", RestrictSubjectBindingsPluginName)
+                return nil, nil
+            }
+
+			return NewRestrictUsersAdmission()
 		})
 }
 
@@ -84,7 +91,6 @@ type restrictUsersAdmission struct {
 	userClient                    userclient.Interface
 	kubeClient                    kubernetes.Interface
 	groupCache                    GroupCache
-	oauthState                    v1alpha1.OpenShiftOAuthState
 }
 
 var (
@@ -96,15 +102,9 @@ var (
 
 // NewRestrictUsersAdmission configures an admission plugin that enforces
 // restrictions on adding role bindings in a project.
-func NewRestrictUsersAdmission(cfg *v1alpha1.RestrictSubjectBindingsAdmissionConfig) (admission.Interface, error) {
+func NewRestrictUsersAdmission() (admission.Interface, error) {
 	return &restrictUsersAdmission{
 		Handler: admission.NewHandler(admission.Create, admission.Update),
-		oauthState: func() v1alpha1.OpenShiftOAuthState {
-			if cfg != nil {
-				return cfg.OpenShiftOAuthDesiredState
-			}
-			return v1alpha1.OpenShiftOAuthStateDesired
-		}(),
 	}, nil
 }
 
@@ -134,10 +134,6 @@ func (q *restrictUsersAdmission) SetRESTClientConfig(restClientConfig rest.Confi
 }
 
 func (q *restrictUsersAdmission) SetUserInformer(userInformers userinformer.SharedInformerFactory) {
-	if q.oauthState == v1alpha1.OpenShiftOAuthStateNotDesired {
-		return
-	}
-
 	if err := userInformers.User().V1().Groups().Informer().AddIndexers(cache.Indexers{
 		usercache.ByUserIndexName: usercache.ByUserIndexKeys,
 	}); err != nil {
@@ -172,11 +168,6 @@ func subjectsDelta(elementsToIgnore, elements []rbac.Subject) []rbac.Subject {
 // each subject in the binding must be matched by some rolebinding restriction
 // in the namespace.
 func (q *restrictUsersAdmission) Validate(ctx context.Context, a admission.Attributes, _ admission.ObjectInterfaces) (err error) {
-	if q.oauthState == v1alpha1.OpenShiftOAuthStateNotDesired {
-		klog.V(2).Info("admission plugin authorization.openshift.io/RestrictSubjectBindings is configured to act as if the OpenShift oauth-apiserver is not present. This admission plugin relies on the OpenShift oauth-apiserver to function as expected and should be disabled when it is not present. Acting as if disabled and not enforcing subject bindings.")
-		return nil
-	}
-
 	// We only care about rolebindings
 	if a.GetResource().GroupResource() != rbac.Resource("rolebindings") {
 		return nil
@@ -286,7 +277,7 @@ func (q *restrictUsersAdmission) ValidateInitialization() error {
 	if q.userClient == nil {
 		return errors.New("RestrictUsersAdmission plugin requires an OpenShift user client")
 	}
-	if q.groupCache == nil && q.oauthState == v1alpha1.OpenShiftOAuthStateDesired {
+	if q.groupCache == nil {
 		return errors.New("RestrictUsersAdmission plugin requires a group cache")
 	}
 

openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers_test.go

@@ -359,7 +359,7 @@ func TestAdmission(t *testing.T) {
 		fakeUserClient := fakeuserclient.NewSimpleClientset(tc.userObjects...)
 		fakeAuthorizationClient := fakeauthorizationclient.NewSimpleClientset(tc.authorizationObjects...)
 
-		plugin, err := NewRestrictUsersAdmission(nil)
+		plugin, err := NewRestrictUsersAdmission()
 		if err != nil {
 			t.Errorf("unexpected error initializing admission plugin: %v", err)
 		}