NetworkPolicy RBAC fixes

[danwinship]

As part of the k8s 1.8 rebase, the NetworkPolicy code was changed to use networking.NetworkPolicy rather than extensions.NetworkPolicy, but the roles weren't updated to have the right permissions.. (This wasn't caught because only extended-networking-minimal gets run on PRs by default, and that only tests multitenant.)

Fixes test_branch_origin_extended_networking

(kubernetes/kubernetes#56650 hasn't actually merged yet.)

[danwinship]

/test extended_networking

[danwinship]

cc @soltysh for overlap/conflict with #17491

[danwinship]

flake #17519
/retest

[soltysh]

cc @soltysh for overlap/conflict with #17491

Aha, I was right, I was missing these bits when I was going through policies. But since I haven't seen them in k8s I assumed them not needed in origin.

[soltysh]

/lgtm

[simo5]

@enj PTAL

[enj]

/hold

Upstream does not seem to have a decision on who should be able to manipulate these objects by default. I am not sure even an admin for a project should be able to mess with this (do not have enough familiarly with network policy to definitely say).

[enj]

Not sure how this is backwards compatibility.

[danwinship]

oops, just jumped to the bottom of the block and didn't see that comment

[enj]

This one seems fine.

[enj]

Seems a bit powerful for edit?

[danwinship]

The description says that "admin" is just "edit plus the power to grant permissions to other users", and the two have identical rules other than the two under "// additional admin powers" in "admin"

[simo5]

this is in vendor/ shouldn't it go via a backport from upstream PR anyway ?

[enj]

@danwinship I am also unsure how changing the RBAC admin/edit/view upstream does anything for us (we have our own admin/edit/view)?

[danwinship]

I am also unsure how changing the RBAC admin/edit/view upstream does anything for us (we have our own admin/edit/view)?

oh, hm, I was assuming there was some kind of merging between ours and theirs. It's actually the change to SDNReaderRoleName in the second commit that fixes the tests. I guess I can drop the UPSTREAM commit then?

[danwinship]

/test extended_networking

[danwinship]

/retest

[soltysh]

@enj with the upstream bits dropped are you ok with this getting in?

[liggitt]

I want sign-off on the upstream change (that namespace constrained users are expected to be able to modify network policy). There's also the question of whether write access would be limited to the admin role

[danwinship]

This rule is also for the apps group, so don’t add network policies to this one. Make a separate extensions only one

Ah... I just copied from the "admin" policies, but it looks like it's wrong there too now. (Got broken in the kube 1.8.1 rebase). Fixed for both "admin" and "edit" now.

[liggitt]

can make these a single rule: Groups(appsGroup, extensionsGroup)

[liggitt]

here as well

[danwinship]

/retest

[danwinship]

/test extended_conformance_install

[danwinship]

tests pass. @liggitt ? (needs a "/hold cancel" too)

[liggitt]

/lgtm
/hold cancel

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, liggitt, soltysh

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/cmd/OWNERS [liggitt]
• test/testdata/OWNERS [danwinship,liggitt]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[deads2k]

/hold

This will conflict with the rebase. Please merge after that.

[deads2k]

rebase landed

/hold cancel

/test all

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[soltysh]

/retest

[danwinship]

/retest

[danwinship]

/retest

[danwinship]

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-merge-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[openshift-ci-robot]

@danwinship: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/cmd	98b52bf	link	/test cmd
ci/openshift-jenkins/extended_conformance_gce	98b52bf	link	/test extended_conformance_gce

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 17549, 17785).