Introduce RestrictUsersAdmission plugin for collaboration

[Miciah]

Add the RestrictUsersAdmission admission plugin for collaboration.

---

openshift-bot, please [test]!

[Miciah]

Looks like flake #10988. Please [test] again!

[Miciah]

Looks like flake #11649. Please [test] again!

[Miciah]

This PR implements proposal #9932 to restrict role bindings based on project annotations. The implementation is based on deads's WIP PR #9885. @deads2k, @smarterclayton, do you have time to review the approach in this PR?

[deads2k]

In 3.3, the kube infrastructure to register different groups was hopelessly broken. In 3.4, it's only mostly broken. In 3.5, it mostly works.

I think I'd prefer to see this as a separate API group and resource. That would allow "clean" management via oc and all of our usual tooling.

[deads2k]

Wrap these and call them Spec. I can envision a world where this controller driven and a controller drives updates to status to describe matches. That would prevent multiple lookup/matching calls on every API server and allow an admin to see who actually matches for something like content assist from a Status field.

[deads2k]

// only one may be non-nil
type CollaboratorMatcherSpec struct{
    UserMatcher *UserMatcher
    GroupMatcher *GroupMatcher
    ServiceAccountMatcher *ServiceAccountMatcher
}

type UserMatcher struct{
    Users []string
    UsersInTheseGroups []string
    UsersMatchingTheseSelectors []*unversioned.LabelSelector
}


type GroupMatcher struct{
    Groups []string
    GroupsMatchingTheseSelectors []*unversioned.LabelSelector
}


type ServiceAccountMatcher struct{
    ServiceAccounts []string
    ServiceAccountsInTheseNamespaces []string
}

[smarterclayton]

The previous proposal never addressed the question of how an end user would get access to add other people to collaborate in a system where this was primarily to prevent abuse. How would this be used to allow for an online-like cluster (where collaboration was reasonable for arbitrary user emails)? Does this presuppose a higher level system for that? I'd like to be able to answer that question before we add that code.

[deads2k]

Does this presuppose a higher level system for that?

Yes. This assumes an external workflow could be built to handle workflow problems like "apply, approve" and "invite, accept" flows.

[Miciah]

I don't know why this is getting deleted.

[Miciah]

@deads2k, could you give this PR another look?

[deads2k]

godoc all API fields.
I'm assuming these are literal string matches.

[deads2k]

I think Selector will do.

[deads2k]

Groups with good docs.

[deads2k]

Namespaces?

[deads2k]

This needs to a slice of structs which have namespace and name.

[deads2k]

The sub-package here is in admission. I was actually expecting you to add these directly to authorization/api/types.go and then read them inside of admission.

[deads2k]

The old object is provided via a.GetOldObject(). Use that instead of a cached. copy.

[deads2k]

I'd like to see an interface defined that checks a subject. Something like Allowed(subject) error. I would be able to take a collaboratormatcherspec and get an allowed back out and then something that provides a union of subjectcheckers. It'll make it easier to read.

[Miciah]

Are you suggesting something like the following?

func (q *restrictUsersAdmission) Admit(a admission.Attributes) (err error) {
  // ...
  allowed := NewEmptyAllowed()
  allowed.SetNamespace(ns)
  allowed.SetClients(q.kclient, q.oclient)

  for _, matcher := range matchersList.Items {
    // NewAllowed(nil) is the same as NewEmptyAllowed().
    // allowed.Merge(NewEmptyAllowed()) is a no-op.
    allowed = allowed.Merge(NewAllowed(matcher.UserMatcher))
    allowed = allowed.Merge(NewAllowed(matcher.GroupMatcher))
    allowed = allowed.Merge(NewAllowed(matcher.ServiceAccountMatcher))
  }
  // ...
}

For comparison, here is what I have now:

func (q *restrictUsersAdmission) Admit(a admission.Attributes) (err error) {
  // ...
  checker, err := NewRoleBindingRestrictions(ns, q.kclient, q.oclient)
  if err != nil {
    return admission.NewForbidden(a, err)
  }

  for _, matcher := range matchersList.Items {
    checker.AddMatcher(&matcher)
  }
  // ...
}

The latter seems simpler to me, but maybe I misunderstand the suggestion.

[deads2k]

There should be a groupcache which the API server already maintains to get group information for a user. Use that instead of hitting the API for it.

[deads2k]

Oh, I see. You need labels too. nevermind.

[deads2k]

Let's the types well documented and then make the SubjectChecker (or a better name if you have it) build for each kind of matcher. That's going to be the easiest thing for api-review to look at to understand behavior.

Also, RoleBindingRestrictions as the overall type?

[deads2k]

If I have no matchers, seems like I should let anyone bind in. That would be backwards compatible.

[Miciah]

I have updated the PR:

• Renamed fields in UserMatcher, GroupMatcher, and ServiceAccountMatcher to be more succinct.
• Made ServiceAccountMatcher into a tuple of serviceaccount name and namespace.
• Copied docstrings from v1/api/types.go into api/types.go.
• Merged pkg/authorization/admission/restrictusers/api/ into pkg/authorization/api/.
• Moved pkg/authorization/admission/restrictusers/registry/collaboratormatcherregistry under pkg/authorization/registry/.
• Changed func (r *restrictUsersAdmission) Admit to use a.GetOldObject() and deleted all obviated informer code.
• Defined a SubjectChecker interface with AddMatcher and Allowed methods.
• Defined a RoleBindingRestrictions type that implements SubjectChecker, and changed RestrictUsersAdmission to use it.
• Updated tests, added some docstrings, probably made some other minor changes.

@deads2k, what do you think now?

[deads2k]

I don't want this on the interface

[deads2k]

I'd like one struct for each kind of Matcher.

[deads2k]

I'd like to start by managing these inside their respect user and group restrictions, but match them based only on literals.

[deads2k]

users don't have namespaces.

[deads2k]

I expected you to get these automatically. Can you delete them and have it still compile/work?

[deads2k]

a project admin should be allowed to see the rolebindingrestrictions

[deads2k]

run after originnamespacelifecycle

[deads2k]

Comments in a separate commit if you would. Almost done.

[Miciah]

I've updated generated files and pushed a new commit addressing the latest review comments.

[Miciah]

Saw what could be flake #9681 again:

deploymentconfigs
/data/src/github.com/openshift/origin/test/extended/deployments/deployments.go:845
  with multiple image change triggers [Conformance]
  /data/src/github.com/openshift/origin/test/extended/deployments/deployments.go:335
    should run a successful deployment with multiple triggers [It]
    /data/src/github.com/openshift/origin/test/extended/deployments/deployments.go:326

    Expected error:
        <*errors.errorString | 0xc8200d3780>: {
            s: "timed out waiting for the condition",
        }
        timed out waiting for the condition
    not to have occurred

    /data/src/github.com/openshift/origin/test/extended/deployments/deployments.go:325

https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_conformance/9550/consoleFull

[Miciah]

Flake #12235 (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_conformance/9552/consoleFull).

New flake #12251 (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_networking/2380/consoleFull).

Also, fixed the bootstrap policy again. We want to allow admin and cluster-reader to be able to read rolebindingrestrictions, right? With only the former, I get the following error:

--- FAIL: TestClusterReaderCoverage (4.09s)
	authorization_test.go:171: cluster-reader role is missing map[{ rolebindingrestrictions}:true].  Check pkg/cmd/server/bootstrappolicy/policy.go.

[deads2k]

return true, nil. We don't want the errors bubbling back since it will make the impl harder in the admission plugin and ultimately they don't matter if we're allowed.

[deads2k]

duplicate these switch checks at the top of the method, no impl inside of it. That way we get a 4 line check everyone can see:

// we only care about rolebindings and policybindings
switch resource{
case rolebindings:
case policybindings:
default:
   return nil
}

[deads2k]

Two minor comments I'd like to see fixed before merge. Go ahead and squash them in and this will be ready.

[Miciah]

I've made those two changes:
https://github.com/openshift/origin/pull/11743/files#diff-93fae1b66fbece23edf504e5e5aebf1aR42
https://github.com/openshift/origin/pull/11743/files#diff-cbe61dec94c120466223271f21bcd664R88
and squashed.

[openshift-bot]

Evaluated for origin test up to 471d717

[openshift-bot]

continuous-integration/openshift-jenkins/test Running (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/12390/) (Base Commit: e9e7618)

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS

[deads2k]

lgtm merge

[deads2k]

Disabled the merge tag.

@ncdc Are we good to merge this or are you close enough we should hold it?

[ncdc]

I am probably still a few days away.

[deads2k]

[merge]

[openshift-bot]

Evaluated for origin merge up to 471d717

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/12405/) (Base Commit: 46585f4) (Image: devenv-rhel7_5549)

[Miciah]

Flake #11016.
https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_conformance/9597/consoleFull

[networking][router] openshift routers
/data/src/github.com/openshift/origin/test/extended/router/scoped.go:135
  The HAProxy router
  /data/src/github.com/openshift/origin/test/extended/router/scoped.go:134
    should override the route host with a custom value [It]
    /data/src/github.com/openshift/origin/test/extended/router/scoped.go:133

    Expected error:
        <*errors.errorString | 0xc8200f5600>: {
            s: "timed out waiting for the condition",
        }
        timed out waiting for the condition
    not to have occurred

    /data/src/github.com/openshift/origin/test/extended/router/scoped.go:95