use cluster role aggregation for admin, edit, and view #17976
Conversation
Oh that's cool. Because integration tests use restricted clients and those no longer have access without the aggregation controller, we don't have project level access without running controllers.
Am I reading it right that we now stop checking the resulting roles, but only check the additional permission we add to kube's roles?
I suppose you could special case the aggregation controller in the integration test master? Seems slightly less ugly than always running controllers.
The upstream coverage unit tests handle this partially. @deads2k I assume we will need an integration test to assert the final output of all cluster roles after aggregation?
We could. We could also choose to structure our roles to be additive. View gets aggregated into edit and admin. I think it probably makes more sense to do that. In this case, I know what gets added, so rules from both admin roles up and downstream are added for coverage checks. The current unit test is still safe.
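How the label-driven aggregation discussed above composes the final union, and how a test would assert it, as an added Go example that is not code from this PR, from origin or from kubernetes. The `Rule` and `ClusterRole` types are simplified stand-ins for the rbac API (one selector per role, exact-match rules), and the `Bootstrap` set is constructed to mirror the upstream layout in miniature.

```go
package main

// Rule stands in for rbac.PolicyRule: one group, resource and verb per rule (simplification).
type Rule struct{ Group, Resource, Verb string }

// ClusterRole keeps only what aggregation needs; Selector stands for a single
// aggregationRule.clusterRoleSelector requiring the label Selector=true.
type ClusterRole struct {
	Name, Selector string
	Labels         map[string]string
	Rules          []Rule // static rules; controller-owned for an aggregated role
}
const pfx = "rbac.authorization.k8s.io/aggregate-to-"
func lbl(k string) map[string]string { return map[string]string{pfx + k: "true"} }

// Aggregate is the union the aggregation controller writes into role.Rules: every rule of
// every cluster role carrying role.Selector. A selected role that is itself aggregated
// (edit inside admin) is resolved first; the real controller gets there by requeueing.
func Aggregate(role ClusterRole, all []ClusterRole) []Rule {
	seen := map[Rule]bool{}
	var out []Rule
	for _, r := range all {
		if r.Name == role.Name || r.Labels[role.Selector] != "true" {
			continue
		}
		rules := r.Rules
		if r.Selector != "" {
			rules = Aggregate(r, all)
		}
		for _, rule := range rules {
			if !seen[rule] {
				seen[rule] = true
				out = append(out, rule)
			}
		}
	}
	return out
}

// Bootstrap is a constructed miniature of the upstream layout: the view fragment feeds view,
// view feeds edit, edit feeds admin, and the downstream fragment from this PR reaches admin only.
var Bootstrap = []ClusterRole{
	{Name: "system:aggregate-to-view", Labels: lbl("view"), Rules: []Rule{{"", "pods", "get"}}},
	{Name: "view", Labels: lbl("edit"), Selector: pfx + "view"},
	{Name: "system:aggregate-to-edit", Labels: lbl("edit"), Rules: []Rule{{"", "pods", "delete"}}},
	{Name: "edit", Labels: lbl("admin"), Selector: pfx + "edit"},
	{Name: "system:openshift:aggregate-to-admin", Labels: lbl("admin"),
		Rules: []Rule{{"rbac.authorization.k8s.io", "rolebindings", "create"}}},
	{Name: "admin", Selector: pfx + "admin"},
}
```

Asserting on `Aggregate(admin, Bootstrap)` rather than on the fragment alone is the check that catches a rebase silently changing what the final admin, edit and view grant.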
I could. There's a config option for it. I don't feel very strongly. I'll see what's easiest.
/retest
This handles the coverage case. I would still like an integration test that fails when we rebase on kube and get the new additions to admin, edit and view. From what I can tell, after this PR merges, we will no longer have a bootstrap file that contains the final, fully aggregated value for those cluster roles.
You'll get the individuals, right?
/retest
}, | ||
}, | ||
// a role for a namespace level admin. It is `edit` plus the power to grant permissions to other users. | ||
ObjectMeta: metav1.ObjectMeta{Name: "system:openshift:aggregate-to-admin", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-admin": "true"}}, |
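Review bot: the comment directly above the ObjectMeta still describes the full namespace admin role ("It is `edit` plus the power to grant permissions to other users"), but the object it now introduces is the fragment `system:openshift:aggregate-to-admin`, which carries only the downstream additions that the label `rbac.authorization.k8s.io/aggregate-to-admin: "true"` feeds into `admin`. Reword the comment to say it is the OpenShift-specific additions aggregated into `admin`, so a reader does not take the rules listed here for the complete aggregated role.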
Finally, I've been waiting for this. Especially when I was trying to figure out the rights changes during 1.8 rebase.
Right, but it's the final union I care about. @simo5 WDYT?
It will be much easier to manage by splitting it into upstream and downstream. We keep a lid on what's going in upstream. We always separate the bootstrap file update into something rather small in the rebase, that's the place to be inspecting these. Duplicating a role to present a whitelist is kind of silly.
@deads2k I do not think that double checking the full role is silly. |
I think the diff in the upstream |
It wouldn't have any more attention paid than the diff to the role. Less probably, since it would look like a simple fix up and most people won't even know what the resources being added do. The diff on the list of all roles is a thing we always review and is always reviewed by someone who has a shot at knowing what they all are. |
I will write the integration test for my own sake afterwards. Otherwise I think you will have to update the TSB bootstrap to use aggregation since they directly update admin/edit/view IIRC. |
bcd2eba to 64d8753
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing
64d8753 to 216eaf5
216eaf5 to 5b068b9
/retest Please review the full test history for this PR and help us cut down flakes.
5b068b9 to b81b982
/retest
/retest Please review the full test history for this PR and help us cut down flakes.
/test all [submit-queue is verifying that this PR is safe to merge]
@deads2k: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Automatic merge from submit-queue (batch tested with PRs 17976, 17195, 18093, 18080, 17922). |
@deads2k you broke SC https://bugzilla.redhat.com/show_bug.cgi?id=1535639
Ouch. Someone was trying to manipulate role subject to reconciliation?
Automatic merge from submit-queue (batch tested with PRs 18191, 18264, 18235, 18251, 18271). Use cluster role aggregation for service catalog RBAC fixes https://bugzilla.redhat.com/show_bug.cgi?id=1535639 follow on from #17976
Automatic merge from submit-queue (batch tested with PRs 18044, 18372, 18354). Re-fix NetworkPolicy bootstrap policies #17976 "use cluster role aggregation for admin, edit, and view" removed permission for "admin" and "edit" on extensions.NetworkPolicy (but not networking.NetworkPolicy). It appears to have been a mistake? Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1538048
Update to use the aggregated admin, edit, and view from upstream.
@openshift/sig-security
@sub-mod fyi
/assign simo5
/assign enj