Aggregate cluster-reader role
Turn cluster-reader into an aggregate-able role. Aggregate the view role
into cluster-reader and remove duplicates from the stock cluster-reader
role. Update test fixtures.
Matt Rogers committed Jul 10, 2018
1 parent 528fc4b commit aadac85
Showing 3 changed files with 51 additions and 95 deletions.
33 changes: 17 additions & 16 deletions pkg/cmd/server/bootstrappolicy/constants.go
Expand Up @@ -53,22 +53,23 @@ const (

// Roles
const (
ClusterAdminRoleName = "cluster-admin"
SudoerRoleName = "sudoer"
ScopeImpersonationRoleName = "system:scope-impersonation"
ClusterReaderRoleName = "cluster-reader"
StorageAdminRoleName = "storage-admin"
ClusterDebuggerRoleName = "cluster-debugger"
AdminRoleName = "admin"
EditRoleName = "edit"
ViewRoleName = "view"
AggregatedAdminRoleName = "system:openshift:aggregate-to-admin"
AggregatedEditRoleName = "system:openshift:aggregate-to-edit"
AggregatedViewRoleName = "system:openshift:aggregate-to-view"
SelfProvisionerRoleName = "self-provisioner"
BasicUserRoleName = "basic-user"
StatusCheckerRoleName = "cluster-status"
SelfAccessReviewerRoleName = "self-access-reviewer"
ClusterAdminRoleName = "cluster-admin"
SudoerRoleName = "sudoer"
ScopeImpersonationRoleName = "system:scope-impersonation"
ClusterReaderRoleName = "cluster-reader"
StorageAdminRoleName = "storage-admin"
ClusterDebuggerRoleName = "cluster-debugger"
AdminRoleName = "admin"
EditRoleName = "edit"
ViewRoleName = "view"
AggregatedAdminRoleName = "system:openshift:aggregate-to-admin"
AggregatedEditRoleName = "system:openshift:aggregate-to-edit"
AggregatedViewRoleName = "system:openshift:aggregate-to-view"
AggregatedClusterReaderRoleName = "system:openshift:aggregate-to-cluster-reader"
SelfProvisionerRoleName = "self-provisioner"
BasicUserRoleName = "basic-user"
StatusCheckerRoleName = "cluster-status"
SelfAccessReviewerRoleName = "self-access-reviewer"

RegistryAdminRoleName = "registry-admin"
RegistryViewerRoleName = "registry-viewer"
35 changes: 17 additions & 18 deletions pkg/cmd/server/bootstrappolicy/policy.go
Expand Up @@ -131,6 +131,12 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
ObjectMeta: metav1.ObjectMeta{
Name: ClusterReaderRoleName,
},
AggregationRule: &rbacv1.AggregationRule{
ClusterRoleSelectors: []metav1.LabelSelector{{MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}}},
},
},
{
ObjectMeta: metav1.ObjectMeta{Name: AggregatedClusterReaderRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "endpoints", "events", "limitranges",
"namespaces", "namespaces/status", "nodes", "nodes/status", "persistentvolumeclaims", "persistentvolumeclaims/status", "persistentvolumes",
Expand Down Expand Up @@ -173,30 +179,23 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {

rbacv1helpers.NewRule(read...).Groups(authzGroup, legacyAuthzGroup).Resources("clusterroles", "clusterrolebindings", "roles", "rolebindings", "rolebindingrestrictions").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "builds/details", "buildconfigs", "buildconfigs/webhooks", "builds/log").RuleOrDie(),
rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/details").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs", "deploymentconfigs/scale", "deploymentconfigs/log",
"deploymentconfigs/status").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures", "imagestreams", "imagestreamtags", "imagestreamimages",
"imagestreams/status").RuleOrDie(),
rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures").RuleOrDie(),
// pull images
rbacv1helpers.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(oauthGroup, legacyOauthGroup).Resources("oauthclientauthorizations").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(projectGroup, legacyProjectGroup).Resources("projectrequests", "projects").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("appliedclusterresourcequotas", "clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(routeGroup, legacyRouteGroup).Resources("routes", "routes/status").RuleOrDie(),
rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks", "egressnetworkpolicies", "hostsubnets", "netnamespaces").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(securityGroup, legacySecurityGroup).Resources("securitycontextconstraints").RuleOrDie(),
rbacv1helpers.NewRule(read...).Groups(securityGroup).Resources("rangeallocations").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("templates", "templateconfigs", "processedtemplates", "templateinstances").RuleOrDie(),
rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("brokertemplateinstances", "templateinstances/status").RuleOrDie(),

rbacv1helpers.NewRule(read...).Groups(userGroup, legacyUserGroup).Resources("groups", "identities", "useridentitymappings", "users").RuleOrDie(),
Expand All @@ -215,10 +214,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
rbacv1helpers.NewRule("get", "create").Groups(kapiGroup).Resources("nodes/" + NodeStatsSubresource).RuleOrDie(),

rbacv1helpers.NewRule("get").URLs(rbac.NonResourceAll).RuleOrDie(),

// backwards compatibility
rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("buildlogs").RuleOrDie(),
rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("resourcequotausages").RuleOrDie(),
},
},
{
Expand Down Expand Up @@ -363,7 +358,10 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
{
// a role for namespace level viewing. It grants Read-only access to non-escalating resources in
// a namespace.
ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{
"rbac.authorization.k8s.io/aggregate-to-view": "true",
"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true",
}},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "buildconfigs", "buildconfigs/webhooks").RuleOrDie(),
rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/log").RuleOrDie(),
Expand Down Expand Up @@ -1010,8 +1008,9 @@ func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding {

func GetBootstrapClusterRolesToAggregate() map[string]string {
return map[string]string{
AdminRoleName: AggregatedAdminRoleName,
EditRoleName: AggregatedEditRoleName,
ViewRoleName: AggregatedViewRoleName,
AdminRoleName: AggregatedAdminRoleName,
EditRoleName: AggregatedEditRoleName,
ViewRoleName: AggregatedViewRoleName,
ClusterReaderRoleName: AggregatedClusterReaderRoleName,
}
}
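Review bot: The comment above the AggregatedViewRoleName role (the hunk near `@@ -363,7 +358,10 @@`) still describes it as "a role for namespace level viewing", but the added `rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"` label now also feeds every rule in that role into cluster-reader, so any resource later added there for namespace-scoped viewing becomes readable across all namespaces. I would extend the comment: `// Also aggregated into cluster-reader: anything added here becomes readable cluster-wide.` The label key is spelled out as a string literal three times in this file (the selector in the cluster-reader AggregationRule, the label on AggregatedClusterReaderRoleName, and this label), so a constant next to AggregatedClusterReaderRoleName in constants.go would prevent a typo in one copy from silently dropping a role out of the aggregation. GetOpenshiftBootstrapClusterRoles begins and ends outside these hunks.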
78 changes: 17 additions & 61 deletions test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
Expand Up @@ -66,14 +66,29 @@ items:
- userextras/scopes.authorization.openshift.io
verbs:
- impersonate
- apiVersion: rbac.authorization.k8s.io/v1
- aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
authorization.openshift.io/system-only: "true"
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
name: cluster-reader
rules: null
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
authorization.openshift.io/system-only: "true"
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
name: system:openshift:aggregate-to-cluster-reader
rules:
- apiGroups:
- ""
Expand Down Expand Up @@ -293,23 +308,7 @@ items:
- ""
- build.openshift.io
resources:
- buildconfigs
- buildconfigs/webhooks
- builds
- builds/details
- builds/log
verbs:
- get
- list
- watch
- apiGroups:
- ""
- apps.openshift.io
resources:
- deploymentconfigs
- deploymentconfigs/log
- deploymentconfigs/scale
- deploymentconfigs/status
verbs:
- get
- list
Expand All @@ -320,10 +319,6 @@ items:
resources:
- images
- imagesignatures
- imagestreamimages
- imagestreams
- imagestreams/status
- imagestreamtags
verbs:
- get
- list
Expand Down Expand Up @@ -358,23 +353,12 @@ items:
- ""
- quota.openshift.io
resources:
- appliedclusterresourcequotas
- clusterresourcequotas
- clusterresourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
- route.openshift.io
resources:
- routes
- routes/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
- network.openshift.io
Expand Down Expand Up @@ -404,18 +388,6 @@ items:
- get
- list
- watch
- apiGroups:
- ""
- template.openshift.io
resources:
- processedtemplates
- templateconfigs
- templateinstances
- templates
verbs:
- get
- list
- watch
- apiGroups:
- ""
- template.openshift.io
Expand Down Expand Up @@ -492,23 +464,6 @@ items:
- '*'
verbs:
- get
- apiGroups:
- ""
- build.openshift.io
resources:
- buildlogs
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- resourcequotausages
verbs:
- get
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand Down Expand Up @@ -1170,6 +1125,7 @@ items:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: system:openshift:aggregate-to-view
rules:
