From 2d391225789a2821456aeeb985525ab647569d00 Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Tue, 10 Jul 2018 15:55:01 -0400
Subject: [PATCH] Aggregate cluster-reader role
Turn cluster-reader into an aggregate-able role. Aggregate the view role into cluster-reader and remove duplicates from the stock cluster-reader role.
---
 pkg/cmd/server/bootstrappolicy/constants.go | 33 +++++++++----------
 pkg/cmd/server/bootstrappolicy/policy.go | 35 ++++++++++-----------
 2 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/pkg/cmd/server/bootstrappolicy/constants.go b/pkg/cmd/server/bootstrappolicy/constants.go
index 548dc5a7f88a..bdbb3ff7d870 100644
--- a/pkg/cmd/server/bootstrappolicy/constants.go
+++ b/pkg/cmd/server/bootstrappolicy/constants.go
@@ -53,22 +53,23 @@ const (
 // Roles
 const (
- ClusterAdminRoleName = "cluster-admin"
- SudoerRoleName = "sudoer"
- ScopeImpersonationRoleName = "system:scope-impersonation"
- ClusterReaderRoleName = "cluster-reader"
- StorageAdminRoleName = "storage-admin"
- ClusterDebuggerRoleName = "cluster-debugger"
- AdminRoleName = "admin"
- EditRoleName = "edit"
- ViewRoleName = "view"
- AggregatedAdminRoleName = "system:openshift:aggregate-to-admin"
- AggregatedEditRoleName = "system:openshift:aggregate-to-edit"
- AggregatedViewRoleName = "system:openshift:aggregate-to-view"
- SelfProvisionerRoleName = "self-provisioner"
- BasicUserRoleName = "basic-user"
- StatusCheckerRoleName = "cluster-status"
- SelfAccessReviewerRoleName = "self-access-reviewer"
+ ClusterAdminRoleName = "cluster-admin"
+ SudoerRoleName = "sudoer"
+ ScopeImpersonationRoleName = "system:scope-impersonation"
+ ClusterReaderRoleName = "cluster-reader"
+ StorageAdminRoleName = "storage-admin"
+ ClusterDebuggerRoleName = "cluster-debugger"
+ AdminRoleName = "admin"
+ EditRoleName = "edit"
+ ViewRoleName = "view"
+ AggregatedAdminRoleName = "system:openshift:aggregate-to-admin"
+ AggregatedEditRoleName = "system:openshift:aggregate-to-edit"
+ AggregatedViewRoleName = "system:openshift:aggregate-to-view"
+ AggregatedClusterReaderRoleName = "system:openshift:aggregate-to-cluster-reader"
+ SelfProvisionerRoleName = "self-provisioner"
+ BasicUserRoleName = "basic-user"
+ StatusCheckerRoleName = "cluster-status"
+ SelfAccessReviewerRoleName = "self-access-reviewer"
 RegistryAdminRoleName = "registry-admin"
 RegistryViewerRoleName = "registry-viewer"
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
index 891901ee7d2f..3cef9ce4c803 100644
--- a/pkg/cmd/server/bootstrappolicy/policy.go
+++ b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -131,6 +131,12 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 ObjectMeta: metav1.ObjectMeta{
 Name: ClusterReaderRoleName,
 },
+ AggregationRule: &rbacv1.AggregationRule{
+ ClusterRoleSelectors: []metav1.LabelSelector{{MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}}},
+ },
+ },
+ {
+ ObjectMeta: metav1.ObjectMeta{Name: AggregatedClusterReaderRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "endpoints", "events", "limitranges", "namespaces", "namespaces/status", "nodes", "nodes/status", "persistentvolumeclaims", "persistentvolumeclaims/status", "persistentvolumes",
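Review bot: The stock `cluster-reader` ClusterRole now carries only an AggregationRule and no inline Rules, so after this change it grants nothing until the clusterrole-aggregation controller reconciles it, and from then on its permissions are the union of every ClusterRole labeled `rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"` regardless of who created that role. That contract is not stated anywhere in the hunk; I would add above the AggregationRule: `// Rules are populated by the aggregation controller from every ClusterRole labeled aggregate-to-cluster-reader=true (currently the aggregate-to-cluster-reader and openshift aggregate-to-view roles); inline rules here would be overwritten.` The label key is also spelled out as a string literal three times in this commit, so a package constant next to AggregatedClusterReaderRoleName would keep the selector and the labels from drifting. The enclosing role list begins before this hunk.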
@@ -173,13 +179,9 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule(read...).Groups(authzGroup, legacyAuthzGroup).Resources("clusterroles", "clusterrolebindings", "roles", "rolebindings", "rolebindingrestrictions").RuleOrDie(),
- rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "builds/details", "buildconfigs", "buildconfigs/webhooks", "builds/log").RuleOrDie(),
+ rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/details").RuleOrDie(),
- rbacv1helpers.NewRule(read...).Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs", "deploymentconfigs/scale", "deploymentconfigs/log",
- "deploymentconfigs/status").RuleOrDie(),
-
- rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures", "imagestreams", "imagestreamtags", "imagestreamimages",
- "imagestreams/status").RuleOrDie(),
+ rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures").RuleOrDie(),
 // pull images
 rbacv1helpers.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(),
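Review bot: Dropping the read rules on `deploymentconfigs`, `deploymentconfigs/scale`, `deploymentconfigs/log`, `deploymentconfigs/status`, `imagestreams`, `imagestreamtags`, `imagestreamimages` and `imagestreams/status` is only a no-op if each of them is already granted by `system:openshift:aggregate-to-view`, which this hunk does not show; any resource that is not there is silently lost from cluster-reader once the aggregation controller rewrites the role, with no error at bootstrap. The retained `builds/details` and `images`/`imagesignatures` lines show the intended split but do not say why those stay; a comment would make the rule for future additions explicit: `// Namespaced build, deploy and image resources come in through the aggregated view role; only cluster-scoped resources, or ones view deliberately omits, belong here.` The enclosing Rules slice starts and ends outside this hunk.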
@@ -187,16 +189,13 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule(read...).Groups(projectGroup, legacyProjectGroup).Resources("projectrequests", "projects").RuleOrDie(),
- rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("appliedclusterresourcequotas", "clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
-
- rbacv1helpers.NewRule(read...).Groups(routeGroup, legacyRouteGroup).Resources("routes", "routes/status").RuleOrDie(),
+ rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks", "egressnetworkpolicies", "hostsubnets", "netnamespaces").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(securityGroup, legacySecurityGroup).Resources("securitycontextconstraints").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(securityGroup).Resources("rangeallocations").RuleOrDie(),
- rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("templates", "templateconfigs", "processedtemplates", "templateinstances").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("brokertemplateinstances", "templateinstances/status").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(userGroup, legacyUserGroup).Resources("groups", "identities", "useridentitymappings", "users").RuleOrDie(),
@@ -215,10 +214,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule("get", "create").Groups(kapiGroup).Resources("nodes/" + NodeStatsSubresource).RuleOrDie(),
 rbacv1helpers.NewRule("get").URLs(rbac.NonResourceAll).RuleOrDie(),
-
- // backwards compatibility
- rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("buildlogs").RuleOrDie(),
- rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("resourcequotausages").RuleOrDie(),
 },
 },
 {
@@ -363,7 +358,10 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 {
 // a role for namespace level viewing. It grants Read-only access to non-escalating resources in
 // a namespace.
- ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
+ ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{
+ "rbac.authorization.k8s.io/aggregate-to-view": "true",
+ "rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true",
+ }},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "buildconfigs", "buildconfigs/webhooks").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/log").RuleOrDie(),
@@ -1010,8 +1008,9 @@ func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding {
 func GetBootstrapClusterRolesToAggregate() map[string]string {
 return map[string]string{
- AdminRoleName: AggregatedAdminRoleName,
- EditRoleName: AggregatedEditRoleName,
- ViewRoleName: AggregatedViewRoleName,
+ AdminRoleName: AggregatedAdminRoleName,
+ EditRoleName: AggregatedEditRoleName,
+ ViewRoleName: AggregatedViewRoleName,
+ ClusterReaderRoleName: AggregatedClusterReaderRoleName,
 }
 }
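Review bot: The comment above `AggregatedViewRoleName` still describes it as "a role for namespace level viewing", but with the added `aggregate-to-cluster-reader` label every rule in this role is now also granted cluster-wide to anyone bound to cluster-reader, so a future namespace-scoped addition here widens a cluster-scoped role without touching the cluster-reader definition. I would extend the comment: `// Also aggregated into cluster-reader: every rule added here becomes cluster-wide read access for cluster-reader holders, so keep it to non-escalating, read-only resources.` The Rules slice of this role continues past the hunk.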
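Review bot: `GetBootstrapClusterRolesToAggregate` is exported and has no doc comment, and the new `ClusterReaderRoleName` entry makes it the only place recording that cluster-reader's former inline rules now live in `AggregatedClusterReaderRoleName`. I would add above the signature: `// GetBootstrapClusterRolesToAggregate maps each stock ClusterRole that has been converted to an aggregated role to the ClusterRole that now carries its former inline rules.` Its callers are not visible here, so how the map is consumed on upgrade should be confirmed before relying on that wording.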