diff --git a/pkg/cmd/server/bootstrappolicy/all_test.go b/pkg/cmd/server/bootstrappolicy/all_test.go
index 7f36dafebded..8b58fa700d54 100644
--- a/pkg/cmd/server/bootstrappolicy/all_test.go
+++ b/pkg/cmd/server/bootstrappolicy/all_test.go
@@ -16,9 +16,10 @@ const osClusterRoleAggregationPrefix = "system:openshift:"
 // this map must be manually kept up to date as we make changes to aggregation
 // we hard code this data with no constants because we cannot change the underlying values
 var expectedAggregationMap = map[string]sets.String{
- "admin": sets.NewString("system:openshift:aggregate-to-admin", "system:aggregate-to-admin"),
- "edit": sets.NewString("system:openshift:aggregate-to-edit", "system:aggregate-to-edit"),
- "view": sets.NewString("system:openshift:aggregate-to-view", "system:aggregate-to-view"),
+ "admin": sets.NewString("system:openshift:aggregate-to-admin", "system:aggregate-to-admin"),
+ "edit": sets.NewString("system:openshift:aggregate-to-edit", "system:aggregate-to-edit"),
+ "view": sets.NewString("system:openshift:aggregate-to-view", "system:aggregate-to-view"),
+ "cluster-reader": sets.NewString("system:openshift:aggregate-to-view", "system:aggregate-to-view", "system:openshift:aggregate-to-cluster-reader"),
 }
 
 func TestPolicyAggregation(t *testing.T) {
diff --git a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
index 0416f90c131e..63f0b1583407 100644
--- a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
+++ b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
@@ -65,6 +65,7 @@ var rolesToHide = sets.NewString(
  "system:openshift:aggregate-to-admin",
  "system:openshift:aggregate-to-edit",
  "system:openshift:aggregate-to-view",
+ "system:openshift:aggregate-to-cluster-reader",
  "system:kubelet-api-admin",
  "system:volume-scheduler",
 )
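Review bot: The new `cluster-reader` entry in expectedAggregationMap pins which bootstrap roles feed cluster-reader, but nothing in the map's header comment says that cluster-reader is now assembled from the `aggregate-to-view` label as well as its own, so any ClusterRole that a later change or an add-on labels `rbac.authorization.k8s.io/aggregate-to-view: "true"` is from now on also granted to every cluster-reader binding cluster-wide. That widening of a privileged read-everything role is worth stating where a maintainer edits this map; I would add `// cluster-reader also selects every role labelled aggregate-to-view, so widening view widens cluster-reader` above the new entry. The test body that consumes the map (TestPolicyAggregation) starts at the end of the hunk and continues outside it, so I cannot tell whether it compares against the bootstrap role list only or against what the aggregation controller would match at runtime; if it is the former, a non-bootstrap role carrying the view label would not be caught by this test, and that limitation should be noted in the same comment. The matching rolesToHide addition in web_console_role_test.go is consistent with the new role and needs nothing further.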
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index 61908e642711..a6270d27b691 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml @@ -66,7 +66,13 @@ items: - userextras/scopes.authorization.openshift.io verbs: - impersonate -- apiVersion: rbac.authorization.k8s.io/v1 +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: @@ -74,38 +80,31 @@ items: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null name: cluster-reader + rules: null +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + name: system:openshift:aggregate-to-cluster-reader rules: - apiGroups: - "" resources: - - bindings - componentstatuses - - configmaps - - endpoints - - events - - limitranges - - namespaces - - namespaces/status - nodes - nodes/status - - persistentvolumeclaims - persistentvolumeclaims/status - persistentvolumes - persistentvolumes/status - - pods - pods/binding - pods/eviction - - pods/log - - pods/status - podtemplates - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - securitycontextconstraints - - serviceaccounts - - services - services/status verbs: - get 
@@ -124,16 +123,9 @@ items: - apps resources: - controllerrevisions - - daemonsets - daemonsets/status - - deployments - - deployments/scale - deployments/status - - replicasets - - replicasets/scale - replicasets/status - - statefulsets - - statefulsets/scale - statefulsets/status verbs: - get @@ -160,7 +152,6 @@ items: - apiGroups: - autoscaling resources: - - horizontalpodautoscalers - horizontalpodautoscalers/status verbs: - get @@ -169,9 +160,7 @@ items: - apiGroups: - batch resources: - - cronjobs - cronjobs/status - - jobs - jobs/status verbs: - get @@ -180,24 +169,16 @@ items: - apiGroups: - extensions resources: - - daemonsets - daemonsets/status - - deployments - - deployments/scale - deployments/status - horizontalpodautoscalers - horizontalpodautoscalers/status - - ingresses - ingresses/status - jobs - jobs/status - - networkpolicies - podsecuritypolicies - - replicasets - - replicasets/scale - replicasets/status - replicationcontrollers - - replicationcontrollers/scale - storageclasses - thirdpartyresources verbs: @@ -212,18 +193,9 @@ items: - get - list - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - apiGroups: - policy resources: - - poddisruptionbudgets - poddisruptionbudgets/status - podsecuritypolicies verbs: @@ -293,23 +265,7 @@ items: - "" - build.openshift.io resources: - - buildconfigs - - buildconfigs/webhooks - - builds - builds/details - - builds/log - verbs: - - get - - list - - watch - - apiGroups: - - "" - - apps.openshift.io - resources: - - deploymentconfigs - - deploymentconfigs/log - - deploymentconfigs/scale - - deploymentconfigs/status verbs: - get - list @@ -320,10 +276,6 @@ items: resources: - images - imagesignatures - - imagestreamimages - - imagestreams - - imagestreams/status - - imagestreamtags verbs: - get - list 
@@ -348,29 +300,25 @@ items: - "" - project.openshift.io resources: - - projectrequests - projects verbs: - - get - list - watch - apiGroups: - "" - - quota.openshift.io + - project.openshift.io resources: - - appliedclusterresourcequotas - - clusterresourcequotas - - clusterresourcequotas/status + - projectrequests verbs: - get - list - watch - apiGroups: - "" - - route.openshift.io + - quota.openshift.io resources: - - routes - - routes/status + - clusterresourcequotas + - clusterresourcequotas/status verbs: - get - list @@ -404,18 +352,6 @@ items: - get - list - watch - - apiGroups: - - "" - - template.openshift.io - resources: - - processedtemplates - - templateconfigs - - templateinstances - - templates - verbs: - - get - - list - - watch - apiGroups: - "" - template.openshift.io @@ -492,23 +428,6 @@ items: - '*' verbs: - get - - apiGroups: - - "" - - build.openshift.io - resources: - - buildlogs - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - resourcequotausages - verbs: - - get - - list - - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml index 47b732877f1a..47504d7c0b78 100644 --- a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml @@ -66,7 +66,13 @@ items: - userextras/scopes.authorization.openshift.io verbs: - impersonate -- apiVersion: rbac.authorization.k8s.io/v1 +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: 
@@ -74,38 +80,31 @@ items: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null name: cluster-reader + rules: null +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + name: system:openshift:aggregate-to-cluster-reader rules: - apiGroups: - "" resources: - - bindings - componentstatuses - - configmaps - - endpoints - - events - - limitranges - - namespaces - - namespaces/status - nodes - nodes/status - - persistentvolumeclaims - persistentvolumeclaims/status - persistentvolumes - persistentvolumes/status - - pods - pods/binding - pods/eviction - - pods/log - - pods/status - podtemplates - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - securitycontextconstraints - - serviceaccounts - - services - services/status verbs: - get @@ -124,16 +123,9 @@ items: - apps resources: - controllerrevisions - - daemonsets - daemonsets/status - - deployments - - deployments/scale - deployments/status - - replicasets - - replicasets/scale - replicasets/status - - statefulsets - - statefulsets/scale - statefulsets/status verbs: - get @@ -160,7 +152,6 @@ items: - apiGroups: - autoscaling resources: - - horizontalpodautoscalers - horizontalpodautoscalers/status verbs: - get @@ -169,9 +160,7 @@ items: - apiGroups: - batch resources: - - cronjobs - cronjobs/status - - jobs - jobs/status verbs: - get 
@@ -180,24 +169,16 @@ items: - apiGroups: - extensions resources: - - daemonsets - daemonsets/status - - deployments - - deployments/scale - deployments/status - horizontalpodautoscalers - horizontalpodautoscalers/status - - ingresses - ingresses/status - jobs - jobs/status - - networkpolicies - podsecuritypolicies - - replicasets - - replicasets/scale - replicasets/status - replicationcontrollers - - replicationcontrollers/scale - storageclasses - thirdpartyresources verbs: @@ -212,18 +193,9 @@ items: - get - list - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - apiGroups: - policy resources: - - poddisruptionbudgets - poddisruptionbudgets/status - podsecuritypolicies verbs: @@ -293,23 +265,7 @@ items: - "" - build.openshift.io resources: - - buildconfigs - - buildconfigs/webhooks - - builds - builds/details - - builds/log - verbs: - - get - - list - - watch - - apiGroups: - - "" - - apps.openshift.io - resources: - - deploymentconfigs - - deploymentconfigs/log - - deploymentconfigs/scale - - deploymentconfigs/status verbs: - get - list @@ -320,10 +276,6 @@ items: resources: - images - imagesignatures - - imagestreamimages - - imagestreams - - imagestreams/status - - imagestreamtags verbs: - get - list @@ -348,29 +300,25 @@ items: - "" - project.openshift.io resources: - - projectrequests - projects verbs: - - get - list - watch - apiGroups: - "" - - quota.openshift.io + - project.openshift.io resources: - - appliedclusterresourcequotas - - clusterresourcequotas - - clusterresourcequotas/status + - projectrequests verbs: - get - list - watch - apiGroups: - "" - - route.openshift.io + - quota.openshift.io resources: - - routes - - routes/status + - clusterresourcequotas + - clusterresourcequotas/status verbs: - get - list 
@@ -404,18 +352,6 @@ items: - get - list - watch - - apiGroups: - - "" - - template.openshift.io - resources: - - processedtemplates - - templateconfigs - - templateinstances - - templates - verbs: - - get - - list - - watch - apiGroups: - "" - template.openshift.io @@ -492,23 +428,6 @@ items: - '*' verbs: - get - - apiGroups: - - "" - - build.openshift.io - resources: - - buildlogs - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - resourcequotausages - verbs: - - get - - list - - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: