Migrate to Kubernetes RBAC #15021
Force-pushed 6e5f1c3 to 5e13b42
Let's see if this causes more [test]s to be run
Try again [test]
roleregistry "github.com/openshift/origin/pkg/authorization/registry/role" | ||
rolestorage "github.com/openshift/origin/pkg/authorization/registry/role/policybased" | ||
"github.com/openshift/origin/pkg/authorization/rulevalidation" | ||
authzapi "github.com/openshift/origin/pkg/authorization/apis/authorization" |
canonical in this project is authorizationapi.
I changed it initially to make sure I was catching everything (compile error if not)
I can put it back, but man you guys love LOOOOOOOONG lines ...
) | ||
|
||
type ClusterRoleStorage struct { | ||
roleStorage rolestorage.VirtualStorage | ||
func rbacToClusterRole(in *rbac.ClusterRole) (authzapi.ClusterRole, error) { |
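Review bot: rbacToClusterRole takes *rbac.ClusterRole and returns an authzapi.ClusterRole by value, so any slice fields carried across (rules, labels, annotations) still alias the input unless they are copied element by element; a caller that mutates the converted object then silently changes the source. Either make the helper perform a real deep copy or document that the result shares storage with its input, and keep it beside the other conversion functions so the two directions stay in step.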
Warnings here about this not being a deep copy. Seems like you'll want this helper colocated with your conversion functions.
Why would a deep copy be needed?
return nil, err | ||
} | ||
return authorizationapi.ToClusterRoleList(ret.(*authorizationapi.RoleList)), err | ||
roles, err := s.client.List(optv1) |
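Review bot: s.client.List(optv1) performs the list with the storage's own client identity instead of the user carried in ctx, so the authorization and escalation checks the upstream RBAC storage applies are evaluated against that privileged identity rather than the requester. Build the client from the request context (impersonating the caller) before this call; otherwise every list, and any create or update routed the same way, is effectively unchecked.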
you definitely need to impersonate or you'll have disabled all the escalation checks.
Yeah, there is a reason this is not for merge yet :)
} | ||
|
||
func (m *ClusterRoleStorage) CreateRoleWithEscalation(ctx apirequest.Context, obj *authorizationapi.Role) (*authorizationapi.Role, error) { | ||
return m.roleStorage.CreateRoleWithEscalation(ctx, obj) | ||
// FIXME: what's escalation exactly ? |
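Review bot: the FIXME on CreateRoleWithEscalation should be resolved rather than merged: the method forwards straight to roleStorage.CreateRoleWithEscalation, which skips the rule-coverage check that stops a caller from granting permissions it does not itself hold. With storage backed by Kubernetes RBAC that bypass should not be necessary, so either drop the method or route it through the checked Create path and replace the FIXME with a comment naming any caller that still depends on it.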
it bypasses permissions coverage checks. Shouldn't be needed with RBAC
) | ||
|
||
type ClusterRoleStorage struct { |
You need these old types in a "legacy" bucket used behind a version check inside of the openshift reconcile command until we drop support for the tool against old servers.
Force-pushed 998d5c5 to 10e565a
@deads2k can you check if this way of impersonating works for you? See the utility file with the impersonatingRESTClient stuff.
Force-pushed f7cf91d to 300ce8e
Please re [test]
Force-pushed 969abda to 7df8d1c
Put it into a utility package for reusability; we'll need it in other places in the next few commits.
Signed-off-by: Simo Sorce <[email protected]>

… values
This allows setting headers that are multivalued directly. The headers variable is not directly accessible and currently SetHeaders allows setting only one value.
Signed-off-by: Simo Sorce <[email protected]>

Store them as native RBAC Objects via Kubernetes. Also:
- Provides backwards compatible Openshift API.
- Kills Policy Sync Controller
- Removes init of PolicyRegistry
- Move helpers closer to their users
- Remove TestRBACController
- Remove tests that check only PolicyBindings related stuff
- hack around TestAuthorizationResolution
Signed-off-by: Simo Sorce <[email protected]>
Signed-off-by: Monis Khan <[email protected]>

Signed-off-by: Monis Khan <[email protected]>

This change allows the RBAC PostStartHook logic to be reused with different policy data when bootstrapping the cluster. Thus any changes to the bootstrap logic are separated from the policy data.
Signed-off-by: Monis Khan <[email protected]>

As we now use K8s' Rbac we need to bootstrap Origin's own additional policies into kube's rbac objects. Also:
- Push conversions one step toward the edges
- Fix conversion and don't make policy.json
- delete TestBootstrapPolicyOverwritePolicyCommand for now
Signed-off-by: Monis Khan <[email protected]>
Signed-off-by: Simo Sorce <[email protected]>

The following commands were version gated:
- oc create policybinding
- oc adm overwrite-policy
- oc adm migrate authorization
This is because in 3.7 we will store only k8s.io RBAC objects and not the Origin Policy Objects. All of the gated commands assume the presence of policy objects, and thus it does not make sense to let users run these against newer clusters.
Signed-off-by: Simo Sorce <[email protected]>
Signed-off-by: Monis Khan <[email protected]>

This change refactors various RBAC authorizer functions to be more flexible in their inputs. This makes it easier to reuse the various components that make up the authorizer.
Signed-off-by: Monis Khan <[email protected]>

- Origin Authorizer now a thin wrapper around k8s Rbac Authorizer
- Remove redundant authorizer tests
Now that we delegate nearly 100% of the authorizer work to the upstream Rbac authorizer these tests are basically redundant, as upstream already has its battery of tests.
Signed-off-by: Simo Sorce <[email protected]>
Signed-off-by: Monis Khan <[email protected]>

This change makes it so that no escalation check is performed when updating only the garbage collector fields (owner references and finalizers) of RBAC resources. This allows the garbage collector to delete roles that grant permissions such as "create", which it will never have.
Signed-off-by: Monis Khan <[email protected]>

Signed-off-by: Monis Khan <[email protected]>

- Increase timeout to avoid TestGCDefault flaking. Locally raising timeout from 1 to 2 seconds made the test always pass, as opposed to always fail.
- Make TestOadmPodNetwork less flaky
Signed-off-by: Simo Sorce <[email protected]>
Signed-off-by: Monis Khan <[email protected]>

- Fix test/cmd/admin.sh
- Fix images-old-policy
- Fix test/cmd/policy.sh
- Temp fix for test/cmd/router.sh
Signed-off-by: Monis Khan <[email protected]>

Signed-off-by: Simo Sorce <[email protected]>
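The two checks discussed in this thread, the rule-coverage ("escalation") test that the WithEscalation paths bypass and the garbage-collector exemption described in the commit message above, as an added example; this is not code from the PR or from openshift/origin, and PolicyRule, Role, Covers and AllowUpdate are constructed stand-ins for the upstream types and helpers:

```go
package main

import "reflect"

// Constructed, minimal stand-ins for the rbac types; the real ones carry more fields.
type PolicyRule struct{ Verbs, APIGroups, Resources []string }

type Role struct {
	OwnerReferences []string // garbage-collector bookkeeping
	Finalizers      []string // garbage-collector bookkeeping
	Rules           []PolicyRule
}

func matches(set []string, v string) bool {
	for _, s := range set {
		if s == "*" || s == v { // "*" in a rule is a wildcard, as in RBAC
			return true
		}
	}
	return false
}

// Covers reports whether every verb/group/resource triple granted by want is
// already granted by have: the coverage check that "WithEscalation" paths skip.
func Covers(have, want []PolicyRule) bool {
	for _, w := range want {
		for _, v := range w.Verbs {
			for _, g := range w.APIGroups {
				for _, r := range w.Resources {
					ok := false
					for _, h := range have {
						ok = ok || matches(h.Verbs, v) && matches(h.APIGroups, g) && matches(h.Resources, r)
					}
					if !ok {
						return false
					}
				}
			}
		}
	}
	return true
}

// AllowUpdate lets an update that touches only owner references and finalizers
// through without the coverage check; anything else must be covered by userRules.
func AllowUpdate(userRules []PolicyRule, old, upd Role) bool {
	old.OwnerReferences, upd.OwnerReferences = nil, nil
	old.Finalizers, upd.Finalizers = nil, nil
	return reflect.DeepEqual(old, upd) || Covers(userRules, upd.Rules)
}
```

The exemption is what lets the collector, which holds no "create" verb, finalize and delete a role that grants one.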
/test extended_builds
/retest
@smarterclayton we talked about this yesterday. It needs the extra bake time. /lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: deads2k, simo5
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
@simo5: The following tests failed, say
Trello xref: https://trello.com/c/n3bR3Ys9
Fixes #12303
Fixes #13549
Fixes #13432
Fixes #15338
Fixes #14168
Fixes #10056
Need to investigate:
Dependencies:
Followups:
- rulevalidation.Covers should not use authorizationapi.NormalizeResources
- #13430
- _ bool is includeUninitialized, which we should really be passing through to the underlying API... it's odd there's not a CreateOptions parameter to Create
- if initializers use Update() to initialize objects (which I think they do), we may need to pass GetOptions{IncludeUninitialized: true} here...
- clusterpolicyregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicy" and move to point of use
- subject_locator_test with origin's extensive testing _test.go files
- TestAuthorizationResolution and TestAuthorizationResourceAccessReview in test/integration/authorization_test.go
- TestPolicyCache ?
- openshiftSubjectLocator
- glog.Fatal on post start hook error
- normalizeResources from pkg/cmd/server/bootstrappolicy/policy.go
- ignoreError in pkg/oc/admin/router/router.go
- getAPIGroupLegacy from pkg/authorization/authorizer/scope/converter.go
- pkg/cmd/server/admin/create_bootstrappolicy_file.go
- pkg/authorization/apis/authorization/types.go
- {System}(User|Group) kinds

Done:

TODO:
- oc create policybinding
- pkg/auth/client/impersonate.go
- proxy.go files
- allowed by rule in ...
- pkg/authorization/util/convert/convert.go
- Support watch on proxied endpoints
- NewCmdMigrateAuthorization
- Wrap other errors in proxy files?
- Remove all error wrapping
- NewImpersonatingRBACFromContext more generic
- ImpersonatingRESTClient in pkg/auth/client/impersonate.go
- k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/request.go
- pkg/project/auth/cache.go and pkg/project/auth/cache_test.go
- pkg/authorization/authorizer/scope/converter_test.go