mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-14 02:43:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

vendor update for CSI 0.3.0

Browse Source
This commit is contained in:
gman
2018-07-18 16:47:22 +02:00
parent 6f484f92fc
commit 8ea659f0d5
6810 changed files with 438061 additions and 193861 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/BUILD generated vendored
View File

@ -16,12 +16,12 @@ go_library(
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library",
"//pkg/apis/rbac/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
"//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library",

1
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/BUILD generated vendored
View File

@ -16,7 +16,6 @@ go_library(
"//pkg/registry/rbac/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
],
)

20
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/storage.go generated vendored
View File

@ -18,11 +18,11 @@ limitations under the License.
package policybased
import (
"context"
"errors"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/apis/rbac"
@ -42,24 +42,28 @@ func NewStorage(s rest.StandardStorage, ruleResolver rbacregistryvalidation.Auth
return &Storage{s, ruleResolver}
}
func (r *Storage) NamespaceScoped() bool {
return false
}
var fullAuthority = []rbac.PolicyRule{
rbac.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
rbac.NewRule("*").URLs("*").RuleOrDie(),
}
func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, createValidatingAdmission rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
func (s *Storage) Create(ctx context.Context, obj runtime.Object, createValidatingAdmission rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
if rbacregistry.EscalationAllowed(ctx) {
return s.StandardStorage.Create(ctx, obj, createValidatingAdmission, includeUninitialized)
}
clusterRole := obj.(*rbac.ClusterRole)
rules := clusterRole.Rules
if err := rbacregistryvalidation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, rules); err != nil {
return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, err)
}
// to set the aggregation rule, since it can gather anything, requires * on *.*
if hasAggregationRule(clusterRole) {
if err := rbacregistryvalidation.ConfirmNoEscalation(ctx, s.ruleResolver, fullAuthority); err != nil {
if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, fullAuthority); err != nil {
return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, errors.New("must have cluster-admin privileges to use the aggregationRule"))
}
}
@ -67,12 +71,12 @@ func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, crea
return s.StandardStorage.Create(ctx, obj, createValidatingAdmission, includeUninitialized)
}
func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
func (s *Storage) Update(ctx context.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
if rbacregistry.EscalationAllowed(ctx) {
return s.StandardStorage.Update(ctx, name, obj, createValidation, updateValidation)
}
nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx genericapirequest.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx context.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
clusterRole := obj.(*rbac.ClusterRole)
oldClusterRole := oldObj.(*rbac.ClusterRole)
@ -82,12 +86,12 @@ func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.Up
}
rules := clusterRole.Rules
if err := rbacregistryvalidation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, rules); err != nil {
return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, err)
}
// to change the aggregation rule, since it can gather anything and prevent tightening, requires * on *.*
if hasAggregationRule(clusterRole) || hasAggregationRule(oldClusterRole) {
if err := rbacregistryvalidation.ConfirmNoEscalation(ctx, s.ruleResolver, fullAuthority); err != nil {
if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, fullAuthority); err != nil {
return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, errors.New("must have cluster-admin privileges to use the aggregationRule"))
}
}

52
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/registry.go generated vendored
View File

@ -17,27 +17,24 @@ limitations under the License.
package clusterrole
import (
metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
"context"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/watch"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
)
// Registry is an interface for things that know how to store ClusterRoles.
type Registry interface {
ListClusterRoles(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*rbac.ClusterRoleList, error)
CreateClusterRole(ctx genericapirequest.Context, clusterRole *rbac.ClusterRole, createValidation rest.ValidateObjectFunc) error
UpdateClusterRole(ctx genericapirequest.Context, clusterRole *rbac.ClusterRole, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error
GetClusterRole(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*rbac.ClusterRole, error)
DeleteClusterRole(ctx genericapirequest.Context, name string) error
WatchClusterRoles(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error)
GetClusterRole(ctx context.Context, name string, options *metav1.GetOptions) (*rbacv1.ClusterRole, error)
}
// storage puts strong typing around storage calls
type storage struct {
rest.StandardStorage
rest.Getter
}
// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
@ -46,40 +43,17 @@ func NewRegistry(s rest.StandardStorage) Registry {
return &storage{s}
}
func (s *storage) ListClusterRoles(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*rbac.ClusterRoleList, error) {
obj, err := s.List(ctx, options)
if err != nil {
return nil, err
}
return obj.(*rbac.ClusterRoleList), nil
}
func (s *storage) CreateClusterRole(ctx genericapirequest.Context, clusterRole *rbac.ClusterRole, createValidation rest.ValidateObjectFunc) error {
_, err := s.Create(ctx, clusterRole, createValidation, false)
return err
}
func (s *storage) UpdateClusterRole(ctx genericapirequest.Context, clusterRole *rbac.ClusterRole, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error {
_, _, err := s.Update(ctx, clusterRole.Name, rest.DefaultUpdatedObjectInfo(clusterRole), createValidation, updateValidation)
return err
}
func (s *storage) WatchClusterRoles(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error) {
return s.Watch(ctx, options)
}
func (s *storage) GetClusterRole(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*rbac.ClusterRole, error) {
func (s *storage) GetClusterRole(ctx context.Context, name string, options *metav1.GetOptions) (*rbacv1.ClusterRole, error) {
obj, err := s.Get(ctx, name, options)
if err != nil {
return nil, err
}
return obj.(*rbac.ClusterRole), nil
}
func (s *storage) DeleteClusterRole(ctx genericapirequest.Context, name string) error {
_, _, err := s.Delete(ctx, name, nil)
return err
ret := &rbacv1.ClusterRole{}
if err := rbacv1helpers.Convert_rbac_ClusterRole_To_v1_ClusterRole(obj.(*rbac.ClusterRole), ret, nil); err != nil {
return nil, err
}
return ret, nil
}
// AuthorizerAdapter adapts the registry to the authorizer interface
@ -87,6 +61,6 @@ type AuthorizerAdapter struct {
Registry Registry
}
func (a AuthorizerAdapter) GetClusterRole(name string) (*rbac.ClusterRole, error) {
func (a AuthorizerAdapter) GetClusterRole(name string) (*rbacv1.ClusterRole, error) {
return a.Registry.GetClusterRole(genericapirequest.NewContext(), name, &metav1.GetOptions{})
}

11
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/strategy.go generated vendored
View File

@ -17,9 +17,10 @@ limitations under the License.
package clusterrole
import (
"context"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/storage/names"
"k8s.io/kubernetes/pkg/api/legacyscheme"
@ -55,12 +56,12 @@ func (strategy) AllowCreateOnUpdate() bool {
// PrepareForCreate clears fields that are not allowed to be set by end users
// on creation.
func (strategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.Object) {
func (strategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
_ = obj.(*rbac.ClusterRole)
}
// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
func (strategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime.Object) {
func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
newClusterRole := obj.(*rbac.ClusterRole)
oldClusterRole := old.(*rbac.ClusterRole)
@ -68,7 +69,7 @@ func (strategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime
}
// Validate validates a new ClusterRole. Validation must check for a correct signature.
func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
clusterRole := obj.(*rbac.ClusterRole)
return validation.ValidateClusterRole(clusterRole)
}
@ -79,7 +80,7 @@ func (strategy) Canonicalize(obj runtime.Object) {
}
// ValidateUpdate is the default update validation for an end user.
func (strategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
newObj := obj.(*rbac.ClusterRole)
errorList := validation.ValidateClusterRole(newObj)
return append(errorList, validation.ValidateClusterRoleUpdate(newObj, old.(*rbac.ClusterRole))...)

4
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/BUILD generated vendored
View File

@ -16,12 +16,12 @@ go_library(
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library",
"//pkg/apis/rbac/validation:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
"//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library",

3
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/BUILD generated vendored
View File

@ -12,13 +12,14 @@ go_library(
deps = [
"//pkg/apis/core/helper:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library",
"//pkg/registry/rbac:go_default_library",
"//pkg/registry/rbac/validation:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
],
)

29
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/storage.go generated vendored
View File

@ -18,14 +18,17 @@ limitations under the License.
package policybased
import (
"context"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/authorization/authorizer"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
)
@ -44,7 +47,11 @@ func NewStorage(s rest.StandardStorage, authorizer authorizer.Authorizer, ruleRe
return &Storage{s, authorizer, ruleResolver}
}
func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
func (r *Storage) NamespaceScoped() bool {
return false
}
func (s *Storage) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
if rbacregistry.EscalationAllowed(ctx) {
return s.StandardStorage.Create(ctx, obj, createValidation, includeUninitialized)
}
@ -54,7 +61,12 @@ func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, crea
return s.StandardStorage.Create(ctx, obj, createValidation, includeUninitialized)
}
rules, err := s.ruleResolver.GetRoleReferenceRules(clusterRoleBinding.RoleRef, metav1.NamespaceNone)
v1RoleRef := rbacv1.RoleRef{}
err := rbacv1helpers.Convert_rbac_RoleRef_To_v1_RoleRef(&clusterRoleBinding.RoleRef, &v1RoleRef, nil)
if err != nil {
return nil, err
}
rules, err := s.ruleResolver.GetRoleReferenceRules(v1RoleRef, metav1.NamespaceNone)
if err != nil {
return nil, err
}
@ -64,12 +76,12 @@ func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, crea
return s.StandardStorage.Create(ctx, obj, createValidation, includeUninitialized)
}
func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
func (s *Storage) Update(ctx context.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
if rbacregistry.EscalationAllowed(ctx) {
return s.StandardStorage.Update(ctx, name, obj, createValidation, updateValidation)
}
nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx genericapirequest.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx context.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
clusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
// if we're only mutating fields needed for the GC to eventually delete this obj, return
@ -83,7 +95,12 @@ func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.Up
}
// Otherwise, see if we already have all the permissions contained in the referenced clusterrole
rules, err := s.ruleResolver.GetRoleReferenceRules(clusterRoleBinding.RoleRef, metav1.NamespaceNone)
v1RoleRef := rbacv1.RoleRef{}
err := rbacv1helpers.Convert_rbac_RoleRef_To_v1_RoleRef(&clusterRoleBinding.RoleRef, &v1RoleRef, nil)
if err != nil {
return nil, err
}
rules, err := s.ruleResolver.GetRoleReferenceRules(v1RoleRef, metav1.NamespaceNone)
if err != nil {
return nil, err
}

50
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/registry.go generated vendored
View File

@ -17,27 +17,24 @@ limitations under the License.
package clusterrolebinding
import (
"context"
rbacv1 "k8s.io/api/rbac/v1"
metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/watch"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
)
// Registry is an interface for things that know how to store ClusterRoleBindings.
type Registry interface {
ListClusterRoleBindings(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*rbac.ClusterRoleBindingList, error)
CreateClusterRoleBinding(ctx genericapirequest.Context, clusterRoleBinding *rbac.ClusterRoleBinding, createValidation rest.ValidateObjectFunc) error
UpdateClusterRoleBinding(ctx genericapirequest.Context, clusterRoleBinding *rbac.ClusterRoleBinding, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error
GetClusterRoleBinding(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*rbac.ClusterRoleBinding, error)
DeleteClusterRoleBinding(ctx genericapirequest.Context, name string) error
WatchClusterRoleBindings(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error)
ListClusterRoleBindings(ctx context.Context, options *metainternalversion.ListOptions) (*rbacv1.ClusterRoleBindingList, error)
}
// storage puts strong typing around storage calls
type storage struct {
rest.StandardStorage
rest.Lister
}
// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
@ -46,40 +43,17 @@ func NewRegistry(s rest.StandardStorage) Registry {
return &storage{s}
}
func (s *storage) ListClusterRoleBindings(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*rbac.ClusterRoleBindingList, error) {
func (s *storage) ListClusterRoleBindings(ctx context.Context, options *metainternalversion.ListOptions) (*rbacv1.ClusterRoleBindingList, error) {
obj, err := s.List(ctx, options)
if err != nil {
return nil, err
}
return obj.(*rbac.ClusterRoleBindingList), nil
}
func (s *storage) CreateClusterRoleBinding(ctx genericapirequest.Context, clusterRoleBinding *rbac.ClusterRoleBinding, createValidation rest.ValidateObjectFunc) error {
_, err := s.Create(ctx, clusterRoleBinding, createValidation, false)
return err
}
func (s *storage) UpdateClusterRoleBinding(ctx genericapirequest.Context, clusterRoleBinding *rbac.ClusterRoleBinding, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error {
_, _, err := s.Update(ctx, clusterRoleBinding.Name, rest.DefaultUpdatedObjectInfo(clusterRoleBinding), createValidation, updateValidation)
return err
}
func (s *storage) WatchClusterRoleBindings(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error) {
return s.Watch(ctx, options)
}
func (s *storage) GetClusterRoleBinding(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*rbac.ClusterRoleBinding, error) {
obj, err := s.Get(ctx, name, options)
if err != nil {
ret := &rbacv1.ClusterRoleBindingList{}
if err := rbacv1helpers.Convert_rbac_ClusterRoleBindingList_To_v1_ClusterRoleBindingList(obj.(*rbac.ClusterRoleBindingList), ret, nil); err != nil {
return nil, err
}
return obj.(*rbac.ClusterRoleBinding), nil
}
func (s *storage) DeleteClusterRoleBinding(ctx genericapirequest.Context, name string) error {
_, _, err := s.Delete(ctx, name, nil)
return err
return ret, nil
}
// AuthorizerAdapter adapts the registry to the authorizer interface
@ -87,13 +61,13 @@ type AuthorizerAdapter struct {
Registry Registry
}
func (a AuthorizerAdapter) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
func (a AuthorizerAdapter) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error) {
list, err := a.Registry.ListClusterRoleBindings(genericapirequest.NewContext(), &metainternalversion.ListOptions{})
if err != nil {
return nil, err
}
ret := []*rbac.ClusterRoleBinding{}
ret := []*rbacv1.ClusterRoleBinding{}
for i := range list.Items {
ret = append(ret, &list.Items[i])
}

3
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/storage/BUILD generated vendored
View File

@ -11,6 +11,9 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/storage",
deps = [
"//pkg/apis/rbac:go_default_library",
"//pkg/printers:go_default_library",
"//pkg/printers/internalversion:go_default_library",
"//pkg/printers/storage:go_default_library",
"//pkg/registry/rbac/clusterrolebinding:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",

5
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/storage/storage.go generated vendored
View File

@ -21,6 +21,9 @@ import (
"k8s.io/apiserver/pkg/registry/generic"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/printers"
printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
printerstorage "k8s.io/kubernetes/pkg/printers/storage"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
)
@ -39,6 +42,8 @@ func NewREST(optsGetter generic.RESTOptionsGetter) *REST {
CreateStrategy: clusterrolebinding.Strategy,
UpdateStrategy: clusterrolebinding.Strategy,
DeleteStrategy: clusterrolebinding.Strategy,
TableConvertor: printerstorage.TableConvertor{TablePrinter: printers.NewTablePrinter().With(printersinternal.AddHandlers)},
}
options := &generic.StoreOptions{RESTOptions: optsGetter}
if err := store.CompleteWithOptions(options); err != nil {

11
vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/strategy.go generated vendored
View File

@ -17,9 +17,10 @@ limitations under the License.
package clusterrolebinding
import (
"context"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/storage/names"
"k8s.io/kubernetes/pkg/api/legacyscheme"
@ -55,12 +56,12 @@ func (strategy) AllowCreateOnUpdate() bool {
// PrepareForCreate clears fields that are not allowed to be set by end users
// on creation.
func (strategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.Object) {
func (strategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
_ = obj.(*rbac.ClusterRoleBinding)
}
// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
func (strategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime.Object) {
func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
newClusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
oldClusterRoleBinding := old.(*rbac.ClusterRoleBinding)
@ -68,7 +69,7 @@ func (strategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime
}
// Validate validates a new ClusterRoleBinding. Validation must check for a correct signature.
func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
clusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
return validation.ValidateClusterRoleBinding(clusterRoleBinding)
}
@ -79,7 +80,7 @@ func (strategy) Canonicalize(obj runtime.Object) {
}
// ValidateUpdate is the default update validation for an end user.
func (strategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
newObj := obj.(*rbac.ClusterRoleBinding)
errorList := validation.ValidateClusterRoleBinding(newObj)
return append(errorList, validation.ValidateClusterRoleBindingUpdate(newObj, old.(*rbac.ClusterRoleBinding))...)

5
vendor/k8s.io/kubernetes/pkg/registry/rbac/escalation_check.go generated vendored
View File

@ -17,6 +17,7 @@ limitations under the License.
package rbac
import (
"context"
"fmt"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@ -26,7 +27,7 @@ import (
"k8s.io/kubernetes/pkg/apis/rbac"
)
func EscalationAllowed(ctx genericapirequest.Context) bool {
func EscalationAllowed(ctx context.Context) bool {
u, ok := genericapirequest.UserFrom(ctx)
if !ok {
return false
@ -44,7 +45,7 @@ func EscalationAllowed(ctx genericapirequest.Context) bool {
}
// BindingAuthorized returns true if the user associated with the context is explicitly authorized to bind the specified roleRef
func BindingAuthorized(ctx genericapirequest.Context, roleRef rbac.RoleRef, bindingNamespace string, a authorizer.Authorizer) bool {
func BindingAuthorized(ctx context.Context, roleRef rbac.RoleRef, bindingNamespace string, a authorizer.Authorizer) bool {
if a == nil {
return false
}

10
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/BUILD generated vendored
View File

@ -15,7 +15,7 @@ go_test(
embed = [":go_default_library"],
deps = [
"//pkg/apis/core/helper:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
],
@ -34,16 +34,16 @@ go_library(
],
importpath = "k8s.io/kubernetes/pkg/registry/rbac/reconciliation",
deps = [
"//pkg/apis/core:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
"//pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion:go_default_library",
"//pkg/registry/rbac/validation:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
"//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
"//vendor/k8s.io/client-go/kubernetes/typed/rbac/v1:go_default_library",
],
)

16
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/clusterrole_interfaces.go generated vendored
View File

@ -17,17 +17,17 @@ limitations under the License.
package reconciliation
import (
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
)
// +k8s:deepcopy-gen=true
// +k8s:deepcopy-gen:interfaces=k8s.io/kubernetes/pkg/registry/rbac/reconciliation.RuleOwner
// +k8s:deepcopy-gen:nonpointer-interfaces=true
type ClusterRoleRuleOwner struct {
ClusterRole *rbac.ClusterRole
ClusterRole *rbacv1.ClusterRole
}
func (o ClusterRoleRuleOwner) GetObject() runtime.Object {
@ -58,24 +58,24 @@ func (o ClusterRoleRuleOwner) SetAnnotations(in map[string]string) {
o.ClusterRole.Annotations = in
}
func (o ClusterRoleRuleOwner) GetRules() []rbac.PolicyRule {
func (o ClusterRoleRuleOwner) GetRules() []rbacv1.PolicyRule {
return o.ClusterRole.Rules
}
func (o ClusterRoleRuleOwner) SetRules(in []rbac.PolicyRule) {
func (o ClusterRoleRuleOwner) SetRules(in []rbacv1.PolicyRule) {
o.ClusterRole.Rules = in
}
func (o ClusterRoleRuleOwner) GetAggregationRule() *rbac.AggregationRule {
func (o ClusterRoleRuleOwner) GetAggregationRule() *rbacv1.AggregationRule {
return o.ClusterRole.AggregationRule
}
func (o ClusterRoleRuleOwner) SetAggregationRule(in *rbac.AggregationRule) {
func (o ClusterRoleRuleOwner) SetAggregationRule(in *rbacv1.AggregationRule) {
o.ClusterRole.AggregationRule = in
}
type ClusterRoleModifier struct {
Client internalversion.ClusterRoleInterface
Client rbacv1client.ClusterRoleInterface
}
func (c ClusterRoleModifier) Get(namespace, name string) (RuleOwner, error) {

14
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/clusterrolebinding_interfaces.go generated vendored
View File

@ -17,18 +17,18 @@ limitations under the License.
package reconciliation
import (
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
)
// +k8s:deepcopy-gen=true
// +k8s:deepcopy-gen:interfaces=k8s.io/kubernetes/pkg/registry/rbac/reconciliation.RoleBinding
// +k8s:deepcopy-gen:nonpointer-interfaces=true
type ClusterRoleBindingAdapter struct {
ClusterRoleBinding *rbac.ClusterRoleBinding
ClusterRoleBinding *rbacv1.ClusterRoleBinding
}
func (o ClusterRoleBindingAdapter) GetObject() runtime.Object {
@ -63,20 +63,20 @@ func (o ClusterRoleBindingAdapter) SetAnnotations(in map[string]string) {
o.ClusterRoleBinding.Annotations = in
}
func (o ClusterRoleBindingAdapter) GetRoleRef() rbac.RoleRef {
func (o ClusterRoleBindingAdapter) GetRoleRef() rbacv1.RoleRef {
return o.ClusterRoleBinding.RoleRef
}
func (o ClusterRoleBindingAdapter) GetSubjects() []rbac.Subject {
func (o ClusterRoleBindingAdapter) GetSubjects() []rbacv1.Subject {
return o.ClusterRoleBinding.Subjects
}
func (o ClusterRoleBindingAdapter) SetSubjects(in []rbac.Subject) {
func (o ClusterRoleBindingAdapter) SetSubjects(in []rbacv1.Subject) {
o.ClusterRoleBinding.Subjects = in
}
type ClusterRoleBindingClientAdapter struct {
Client internalversion.ClusterRoleBindingInterface
Client rbacv1client.ClusterRoleBindingInterface
}
func (c ClusterRoleBindingClientAdapter) Get(namespace, name string) (RoleBinding, error) {

27
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/reconcile_role.go generated vendored
View File

@ -20,11 +20,11 @@ import (
"fmt"
"reflect"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/equality"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/registry/rbac/validation"
)
@ -51,10 +51,10 @@ type RuleOwner interface {
SetLabels(map[string]string)
GetAnnotations() map[string]string
SetAnnotations(map[string]string)
GetRules() []rbac.PolicyRule
SetRules([]rbac.PolicyRule)
GetAggregationRule() *rbac.AggregationRule
SetAggregationRule(*rbac.AggregationRule)
GetRules() []rbacv1.PolicyRule
SetRules([]rbacv1.PolicyRule)
GetAggregationRule() *rbacv1.AggregationRule
SetAggregationRule(*rbacv1.AggregationRule)
DeepCopyRuleOwner() RuleOwner
}
@ -75,9 +75,9 @@ type ReconcileClusterRoleResult struct {
Role RuleOwner
// MissingRules contains expected rules that were missing from the currently persisted role
MissingRules []rbac.PolicyRule
MissingRules []rbacv1.PolicyRule
// ExtraRules contains extra permissions the currently persisted role had
ExtraRules []rbac.PolicyRule
ExtraRules []rbacv1.PolicyRule
// MissingAggregationRuleSelectors contains expected selectors that were missing from the currently persisted role
MissingAggregationRuleSelectors []metav1.LabelSelector
@ -112,7 +112,7 @@ func (o *ReconcileRoleOptions) run(attempts int) (*ReconcileClusterRoleResult, e
case errors.IsNotFound(err):
aggregationRule := o.Role.GetAggregationRule()
if aggregationRule == nil {
aggregationRule = &rbac.AggregationRule{}
aggregationRule = &rbacv1.AggregationRule{}
}
result = &ReconcileClusterRoleResult{
Role: o.Role,
@ -178,7 +178,7 @@ func (o *ReconcileRoleOptions) run(attempts int) (*ReconcileClusterRoleResult, e
func computeReconciledRole(existing, expected RuleOwner, removeExtraPermissions bool) (*ReconcileClusterRoleResult, error) {
result := &ReconcileClusterRoleResult{Operation: ReconcileNone}
result.Protected = (existing.GetAnnotations()[rbac.AutoUpdateAnnotationKey] == "false")
result.Protected = (existing.GetAnnotations()[rbacv1.AutoUpdateAnnotationKey] == "false")
// Start with a copy of the existing object
result.Role = existing.DeepCopyRuleOwner()
@ -214,11 +214,16 @@ func computeReconciledRole(existing, expected RuleOwner, removeExtraPermissions
_, result.MissingAggregationRuleSelectors = aggregationRuleCovers(existing.GetAggregationRule(), expected.GetAggregationRule())
switch {
case expected.GetAggregationRule() == nil && existing.GetAggregationRule() != nil:
// we didn't expect this to be an aggregated role at all, remove the existing aggregation
result.Role.SetAggregationRule(nil)
result.Operation = ReconcileUpdate
case !removeExtraPermissions && len(result.MissingAggregationRuleSelectors) > 0:
// add missing rules in the union case
aggregationRule := result.Role.GetAggregationRule()
if aggregationRule == nil {
aggregationRule = &rbac.AggregationRule{}
aggregationRule = &rbacv1.AggregationRule{}
}
aggregationRule.ClusterRoleSelectors = append(aggregationRule.ClusterRoleSelectors, result.MissingAggregationRuleSelectors...)
result.Role.SetAggregationRule(aggregationRule)
@ -249,7 +254,7 @@ func merge(maps ...map[string]string) map[string]string {
// aggregationRuleCovers determines whether or not the ownerSelectors cover the servantSelectors in terms of semantically
// equal label selectors.
// It returns whether or not the ownerSelectors cover and a list of the rules that the ownerSelectors do not cover.
func aggregationRuleCovers(ownerRule, servantRule *rbac.AggregationRule) (bool, []metav1.LabelSelector) {
func aggregationRuleCovers(ownerRule, servantRule *rbacv1.AggregationRule) (bool, []metav1.LabelSelector) {
switch {
case ownerRule == nil && servantRule == nil:
return true, []metav1.LabelSelector{}

64
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/reconcile_role_test.go generated vendored
View File

@ -19,23 +19,23 @@ package reconciliation
import (
"testing"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/apis/rbac"
)
func role(rules []rbac.PolicyRule, labels map[string]string, annotations map[string]string) *rbac.ClusterRole {
return &rbac.ClusterRole{
func role(rules []rbacv1.PolicyRule, labels map[string]string, annotations map[string]string) *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
Rules: rules,
ObjectMeta: metav1.ObjectMeta{Labels: labels, Annotations: annotations},
}
}
func rules(resources ...string) []rbac.PolicyRule {
r := []rbac.PolicyRule{}
func rules(resources ...string) []rbacv1.PolicyRule {
r := []rbacv1.PolicyRule{}
for _, resource := range resources {
r = append(r, rbac.PolicyRule{APIGroups: []string{""}, Verbs: []string{"get"}, Resources: []string{resource}})
r = append(r, rbacv1.PolicyRule{APIGroups: []string{""}, Verbs: []string{"get"}, Resources: []string{resource}})
}
return r
}
@ -44,11 +44,11 @@ type ss map[string]string
func TestComputeReconciledRoleRules(t *testing.T) {
tests := map[string]struct {
expectedRole *rbac.ClusterRole
actualRole *rbac.ClusterRole
expectedRole *rbacv1.ClusterRole
actualRole *rbacv1.ClusterRole
removeExtraPermissions bool
expectedReconciledRole *rbac.ClusterRole
expectedReconciledRole *rbacv1.ClusterRole
expectedReconciliationNeeded bool
}{
"empty": {
@ -278,14 +278,14 @@ func TestComputeReconciledRoleRules(t *testing.T) {
}
}
func aggregatedRole(aggregationRule *rbac.AggregationRule) *rbac.ClusterRole {
return &rbac.ClusterRole{
func aggregatedRole(aggregationRule *rbacv1.AggregationRule) *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
AggregationRule: aggregationRule,
}
}
func aggregationrule(selectors []map[string]string) *rbac.AggregationRule {
ret := &rbac.AggregationRule{}
func aggregationrule(selectors []map[string]string) *rbacv1.AggregationRule {
ret := &rbacv1.AggregationRule{}
for _, selector := range selectors {
ret.ClusterRoleSelectors = append(ret.ClusterRoleSelectors,
metav1.LabelSelector{MatchLabels: selector})
@ -295,15 +295,15 @@ func aggregationrule(selectors []map[string]string) *rbac.AggregationRule {
func TestComputeReconciledRoleAggregationRules(t *testing.T) {
tests := map[string]struct {
expectedRole *rbac.ClusterRole
actualRole *rbac.ClusterRole
expectedRole *rbacv1.ClusterRole
actualRole *rbacv1.ClusterRole
removeExtraPermissions bool
expectedReconciledRole *rbac.ClusterRole
expectedReconciledRole *rbacv1.ClusterRole
expectedReconciliationNeeded bool
}{
"empty": {
expectedRole: aggregatedRole(&rbac.AggregationRule{}),
expectedRole: aggregatedRole(&rbacv1.AggregationRule{}),
actualRole: aggregatedRole(nil),
removeExtraPermissions: true,
@ -311,8 +311,8 @@ func TestComputeReconciledRoleAggregationRules(t *testing.T) {
expectedReconciliationNeeded: false,
},
"empty-2": {
expectedRole: aggregatedRole(&rbac.AggregationRule{}),
actualRole: aggregatedRole(&rbac.AggregationRule{}),
expectedRole: aggregatedRole(&rbacv1.AggregationRule{}),
actualRole: aggregatedRole(&rbacv1.AggregationRule{}),
removeExtraPermissions: true,
expectedReconciledRole: nil,
@ -350,6 +350,32 @@ func TestComputeReconciledRoleAggregationRules(t *testing.T) {
expectedReconciledRole: aggregatedRole(aggregationrule([]map[string]string{{"alpha": "bravo"}, {"foo": "bar"}})),
expectedReconciliationNeeded: true,
},
"unexpected aggregation": {
// desired role is not aggregated
expectedRole: role(rules("pods", "nodes", "secrets"), nil, nil),
// existing role is aggregated
actualRole: aggregatedRole(aggregationrule([]map[string]string{{"alpha": "bravo"}})),
removeExtraPermissions: false,
// reconciled role should have desired permissions and not be aggregated
expectedReconciledRole: role(rules("pods", "nodes", "secrets"), nil, nil),
expectedReconciliationNeeded: true,
},
"unexpected aggregation with differing permissions": {
// desired role is not aggregated
expectedRole: role(rules("pods", "nodes", "secrets"), nil, nil),
// existing role is aggregated and has other permissions
actualRole: func() *rbacv1.ClusterRole {
r := aggregatedRole(aggregationrule([]map[string]string{{"alpha": "bravo"}}))
r.Rules = rules("deployments")
return r
}(),
removeExtraPermissions: false,
// reconciled role should have aggregation removed, preserve differing permissions, and include desired permissions
expectedReconciledRole: role(rules("deployments", "pods", "nodes", "secrets"), nil, nil),
expectedReconciliationNeeded: true,
},
}
for k, tc := range tests {

18
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/reconcile_rolebindings.go generated vendored
View File

@ -20,10 +20,10 @@ import (
"fmt"
"reflect"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/apis/rbac"
)
type RoleBindingModifier interface {
@ -42,9 +42,9 @@ type RoleBinding interface {
SetLabels(map[string]string)
GetAnnotations() map[string]string
SetAnnotations(map[string]string)
GetRoleRef() rbac.RoleRef
GetSubjects() []rbac.Subject
SetSubjects([]rbac.Subject)
GetRoleRef() rbacv1.RoleRef
GetSubjects() []rbacv1.Subject
SetSubjects([]rbacv1.Subject)
DeepCopyRoleBinding() RoleBinding
}
@ -67,9 +67,9 @@ type ReconcileClusterRoleBindingResult struct {
RoleBinding RoleBinding
// MissingSubjects contains expected subjects that were missing from the currently persisted rolebinding
MissingSubjects []rbac.Subject
MissingSubjects []rbacv1.Subject
// ExtraSubjects contains extra subjects the currently persisted rolebinding had
ExtraSubjects []rbac.Subject
ExtraSubjects []rbacv1.Subject
// Operation is the API operation required to reconcile.
// If no reconciliation was needed, it is set to ReconcileNone.
@ -176,7 +176,7 @@ func (o *ReconcileRoleBindingOptions) run(attempts int) (*ReconcileClusterRoleBi
func computeReconciledRoleBinding(existing, expected RoleBinding, removeExtraSubjects bool) (*ReconcileClusterRoleBindingResult, error) {
result := &ReconcileClusterRoleBindingResult{Operation: ReconcileNone}
result.Protected = (existing.GetAnnotations()[rbac.AutoUpdateAnnotationKey] == "false")
result.Protected = (existing.GetAnnotations()[rbacv1.AutoUpdateAnnotationKey] == "false")
// Reset the binding completely if the roleRef is different
if expected.GetRoleRef() != existing.GetRoleRef() {
@ -216,7 +216,7 @@ func computeReconciledRoleBinding(existing, expected RoleBinding, removeExtraSub
return result, nil
}
func contains(list []rbac.Subject, item rbac.Subject) bool {
func contains(list []rbacv1.Subject, item rbacv1.Subject) bool {
for _, listItem := range list {
if listItem == item {
return true
@ -229,7 +229,7 @@ func contains(list []rbac.Subject, item rbac.Subject) bool {
// list1Only = list1 - list2
// list2Only = list2 - list1
// if both returned lists are empty, the provided lists are equal
func diffSubjectLists(list1 []rbac.Subject, list2 []rbac.Subject) (list1Only []rbac.Subject, list2Only []rbac.Subject) {
func diffSubjectLists(list1 []rbacv1.Subject, list2 []rbacv1.Subject) (list1Only []rbacv1.Subject, list2Only []rbacv1.Subject) {
for _, list1Item := range list1 {
if !contains(list2, list1Item) {
if !contains(list1Only, list1Item) {

32
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/reconcile_rolebindings_test.go generated vendored
View File

@ -19,24 +19,24 @@ package reconciliation
import (
"testing"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/apis/rbac"
)
func binding(roleRef rbac.RoleRef, subjects []rbac.Subject) *rbac.ClusterRoleBinding {
return &rbac.ClusterRoleBinding{RoleRef: roleRef, Subjects: subjects}
func binding(roleRef rbacv1.RoleRef, subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
return &rbacv1.ClusterRoleBinding{RoleRef: roleRef, Subjects: subjects}
}
func ref(name string) rbac.RoleRef {
return rbac.RoleRef{Name: name}
func ref(name string) rbacv1.RoleRef {
return rbacv1.RoleRef{Name: name}
}
func subject(name string) rbac.Subject {
return rbac.Subject{Name: name}
func subject(name string) rbacv1.Subject {
return rbacv1.Subject{Name: name}
}
func subjects(names ...string) []rbac.Subject {
r := []rbac.Subject{}
func subjects(names ...string) []rbacv1.Subject {
r := []rbacv1.Subject{}
for _, name := range names {
r = append(r, subject(name))
}
@ -45,10 +45,10 @@ func subjects(names ...string) []rbac.Subject {
func TestDiffObjectReferenceLists(t *testing.T) {
tests := map[string]struct {
A []rbac.Subject
B []rbac.Subject
ExpectedOnlyA []rbac.Subject
ExpectedOnlyB []rbac.Subject
A []rbacv1.Subject
B []rbacv1.Subject
ExpectedOnlyA []rbacv1.Subject
ExpectedOnlyB []rbacv1.Subject
}{
"empty": {},
@ -92,11 +92,11 @@ func TestDiffObjectReferenceLists(t *testing.T) {
func TestComputeUpdate(t *testing.T) {
tests := map[string]struct {
ExpectedBinding *rbac.ClusterRoleBinding
ActualBinding *rbac.ClusterRoleBinding
ExpectedBinding *rbacv1.ClusterRoleBinding
ActualBinding *rbacv1.ClusterRoleBinding
RemoveExtraSubjects bool
ExpectedUpdatedBinding *rbac.ClusterRoleBinding
ExpectedUpdatedBinding *rbacv1.ClusterRoleBinding
ExpectedUpdateNeeded bool
}{
"match without union": {

24
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/role_interfaces.go generated vendored
View File

@ -17,20 +17,20 @@ limitations under the License.
package reconciliation
import (
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/rbac"
core "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
)
// +k8s:deepcopy-gen=true
// +k8s:deepcopy-gen:interfaces=k8s.io/kubernetes/pkg/registry/rbac/reconciliation.RuleOwner
// +k8s:deepcopy-gen:nonpointer-interfaces=true
type RoleRuleOwner struct {
Role *rbac.Role
Role *rbacv1.Role
}
func (o RoleRuleOwner) GetObject() runtime.Object {
@ -61,24 +61,24 @@ func (o RoleRuleOwner) SetAnnotations(in map[string]string) {
o.Role.Annotations = in
}
func (o RoleRuleOwner) GetRules() []rbac.PolicyRule {
func (o RoleRuleOwner) GetRules() []rbacv1.PolicyRule {
return o.Role.Rules
}
func (o RoleRuleOwner) SetRules(in []rbac.PolicyRule) {
func (o RoleRuleOwner) SetRules(in []rbacv1.PolicyRule) {
o.Role.Rules = in
}
func (o RoleRuleOwner) GetAggregationRule() *rbac.AggregationRule {
func (o RoleRuleOwner) GetAggregationRule() *rbacv1.AggregationRule {
return nil
}
func (o RoleRuleOwner) SetAggregationRule(in *rbac.AggregationRule) {
func (o RoleRuleOwner) SetAggregationRule(in *rbacv1.AggregationRule) {
}
type RoleModifier struct {
Client internalversion.RolesGetter
NamespaceClient core.NamespaceInterface
Client rbacv1client.RolesGetter
NamespaceClient corev1client.NamespaceInterface
}
func (c RoleModifier) Get(namespace, name string) (RuleOwner, error) {
@ -90,7 +90,7 @@ func (c RoleModifier) Get(namespace, name string) (RuleOwner, error) {
}
func (c RoleModifier) Create(in RuleOwner) (RuleOwner, error) {
ns := &api.Namespace{ObjectMeta: metav1.ObjectMeta{Name: in.GetNamespace()}}
ns := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: in.GetNamespace()}}
if _, err := c.NamespaceClient.Create(ns); err != nil && !apierrors.IsAlreadyExists(err) {
return nil, err
}

22
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/rolebinding_interfaces.go generated vendored
View File

@ -17,21 +17,21 @@ limitations under the License.
package reconciliation
import (
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/rbac"
core "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
)
// +k8s:deepcopy-gen=true
// +k8s:deepcopy-gen:interfaces=k8s.io/kubernetes/pkg/registry/rbac/reconciliation.RoleBinding
// +k8s:deepcopy-gen:nonpointer-interfaces=true
type RoleBindingAdapter struct {
RoleBinding *rbac.RoleBinding
RoleBinding *rbacv1.RoleBinding
}
func (o RoleBindingAdapter) GetObject() runtime.Object {
@ -66,21 +66,21 @@ func (o RoleBindingAdapter) SetAnnotations(in map[string]string) {
o.RoleBinding.Annotations = in
}
func (o RoleBindingAdapter) GetRoleRef() rbac.RoleRef {
func (o RoleBindingAdapter) GetRoleRef() rbacv1.RoleRef {
return o.RoleBinding.RoleRef
}
func (o RoleBindingAdapter) GetSubjects() []rbac.Subject {
func (o RoleBindingAdapter) GetSubjects() []rbacv1.Subject {
return o.RoleBinding.Subjects
}
func (o RoleBindingAdapter) SetSubjects(in []rbac.Subject) {
func (o RoleBindingAdapter) SetSubjects(in []rbacv1.Subject) {
o.RoleBinding.Subjects = in
}
type RoleBindingClientAdapter struct {
Client internalversion.RoleBindingsGetter
NamespaceClient core.NamespaceInterface
Client rbacv1client.RoleBindingsGetter
NamespaceClient corev1client.NamespaceInterface
}
func (c RoleBindingClientAdapter) Get(namespace, name string) (RoleBinding, error) {
@ -92,7 +92,7 @@ func (c RoleBindingClientAdapter) Get(namespace, name string) (RoleBinding, erro
}
func (c RoleBindingClientAdapter) Create(in RoleBinding) (RoleBinding, error) {
ns := &api.Namespace{ObjectMeta: metav1.ObjectMeta{Name: in.GetNamespace()}}
ns := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: in.GetNamespace()}}
if _, err := c.NamespaceClient.Create(ns); err != nil && !apierrors.IsAlreadyExists(err) {
return nil, err
}

12
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/zz_generated.deepcopy.go generated vendored
View File

@ -1,7 +1,7 @@
// +build !ignore_autogenerated
/*
Copyright 2018 The Kubernetes Authors.
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@ -21,7 +21,7 @@ limitations under the License.
package reconciliation
import (
rbac "k8s.io/kubernetes/pkg/apis/rbac"
v1 "k8s.io/api/rbac/v1"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@ -32,7 +32,7 @@ func (in *ClusterRoleBindingAdapter) DeepCopyInto(out *ClusterRoleBindingAdapter
if *in == nil {
*out = nil
} else {
*out = new(rbac.ClusterRoleBinding)
*out = new(v1.ClusterRoleBinding)
(*in).DeepCopyInto(*out)
}
}
@ -62,7 +62,7 @@ func (in *ClusterRoleRuleOwner) DeepCopyInto(out *ClusterRoleRuleOwner) {
if *in == nil {
*out = nil
} else {
*out = new(rbac.ClusterRole)
*out = new(v1.ClusterRole)
(*in).DeepCopyInto(*out)
}
}
@ -92,7 +92,7 @@ func (in *RoleBindingAdapter) DeepCopyInto(out *RoleBindingAdapter) {
if *in == nil {
*out = nil
} else {
*out = new(rbac.RoleBinding)
*out = new(v1.RoleBinding)
(*in).DeepCopyInto(*out)
}
}
@ -122,7 +122,7 @@ func (in *RoleRuleOwner) DeepCopyInto(out *RoleRuleOwner) {
if *in == nil {
*out = nil
} else {
*out = new(rbac.Role)
*out = new(v1.Role)
(*in).DeepCopyInto(*out)
}
}

4
vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/BUILD generated vendored
View File

@ -12,8 +12,6 @@ go_library(
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
"//pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion:go_default_library",
"//pkg/registry/rbac/clusterrole:go_default_library",
"//pkg/registry/rbac/clusterrole/policybased:go_default_library",
"//pkg/registry/rbac/clusterrole/storage:go_default_library",
@ -43,6 +41,8 @@ go_library(
"//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/storage:go_default_library",
"//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
"//vendor/k8s.io/client-go/kubernetes/typed/rbac/v1:go_default_library",
"//vendor/k8s.io/client-go/util/retry:go_default_library",
],
)

27
vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go generated vendored
View File

@ -35,11 +35,11 @@ import (
"k8s.io/apiserver/pkg/registry/rest"
genericapiserver "k8s.io/apiserver/pkg/server"
serverstorage "k8s.io/apiserver/pkg/server/storage"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
"k8s.io/client-go/util/retry"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/rbac"
coreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
rbacclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
clusterrolepolicybased "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased"
clusterrolestore "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/storage"
@ -66,21 +66,18 @@ type RESTStorageProvider struct {
var _ genericapiserver.PostStartHookProvider = RESTStorageProvider{}
func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool) {
apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(rbac.GroupName, legacyscheme.Registry, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs)
apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(rbac.GroupName, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs)
// If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
// TODO refactor the plumbing to provide the information in the APIGroupInfo
if apiResourceConfigSource.VersionEnabled(rbacapiv1alpha1.SchemeGroupVersion) {
apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1alpha1.SchemeGroupVersion.Version] = p.storage(rbacapiv1alpha1.SchemeGroupVersion, apiResourceConfigSource, restOptionsGetter)
apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1alpha1.SchemeGroupVersion
}
if apiResourceConfigSource.VersionEnabled(rbacapiv1beta1.SchemeGroupVersion) {
apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1beta1.SchemeGroupVersion.Version] = p.storage(rbacapiv1beta1.SchemeGroupVersion, apiResourceConfigSource, restOptionsGetter)
apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1beta1.SchemeGroupVersion
}
if apiResourceConfigSource.VersionEnabled(rbacapiv1.SchemeGroupVersion) {
apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1.SchemeGroupVersion.Version] = p.storage(rbacapiv1.SchemeGroupVersion, apiResourceConfigSource, restOptionsGetter)
apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1.SchemeGroupVersion
}
return apiGroupInfo, true
@ -127,10 +124,10 @@ func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStart
}
type PolicyData struct {
ClusterRoles []rbac.ClusterRole
ClusterRoleBindings []rbac.ClusterRoleBinding
Roles map[string][]rbac.Role
RoleBindings map[string][]rbac.RoleBinding
ClusterRoles []rbacapiv1.ClusterRole
ClusterRoleBindings []rbacapiv1.ClusterRoleBinding
Roles map[string][]rbacapiv1.Role
RoleBindings map[string][]rbacapiv1.RoleBinding
// ClusterRolesToAggregate maps from previous clusterrole name to the new clusterrole name
ClusterRolesToAggregate map[string]string
}
@ -141,13 +138,13 @@ func (p *PolicyData) EnsureRBACPolicy() genericapiserver.PostStartHookFunc {
// starts, the roles don't initialize, and nothing works.
err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
coreclientset, err := coreclient.NewForConfig(hookContext.LoopbackClientConfig)
coreclientset, err := corev1client.NewForConfig(hookContext.LoopbackClientConfig)
if err != nil {
utilruntime.HandleError(fmt.Errorf("unable to initialize client: %v", err))
return false, nil
}
clientset, err := rbacclient.NewForConfig(hookContext.LoopbackClientConfig)
clientset, err := rbacv1client.NewForConfig(hookContext.LoopbackClientConfig)
if err != nil {
utilruntime.HandleError(fmt.Errorf("unable to initialize client: %v", err))
return false, nil
@ -306,7 +303,7 @@ func (p RESTStorageProvider) GroupName() string {
// primeAggregatedClusterRoles copies roles that have transitioned to aggregated roles and may need to pick up changes
// that were done to the legacy roles.
func primeAggregatedClusterRoles(clusterRolesToAggregate map[string]string, clusterRoleClient rbacclient.ClusterRolesGetter) error {
func primeAggregatedClusterRoles(clusterRolesToAggregate map[string]string, clusterRoleClient rbacv1client.ClusterRolesGetter) error {
for oldName, newName := range clusterRolesToAggregate {
_, err := clusterRoleClient.ClusterRoles().Get(newName, metav1.GetOptions{})
if err == nil {
@ -323,6 +320,10 @@ func primeAggregatedClusterRoles(clusterRolesToAggregate map[string]string, clus
if err != nil {
return err
}
if existingRole.AggregationRule != nil {
// the old role already moved to an aggregated role, so there are no custom rules to migrate at this point
return nil
}
glog.V(1).Infof("migrating %v to %v", existingRole.Name, newName)
existingRole.Name = newName
existingRole.ResourceVersion = "" // clear this so the object can be created.

4
vendor/k8s.io/kubernetes/pkg/registry/rbac/role/BUILD generated vendored
View File

@ -16,12 +16,12 @@ go_library(
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library",
"//pkg/apis/rbac/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
"//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library",

1
vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/BUILD generated vendored
View File

@ -16,7 +16,6 @@ go_library(
"//pkg/registry/rbac/validation:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
],
)

17
vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/storage.go generated vendored
View File

@ -18,9 +18,10 @@ limitations under the License.
package policybased
import (
"context"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/apis/rbac"
@ -40,25 +41,29 @@ func NewStorage(s rest.StandardStorage, ruleResolver rbacregistryvalidation.Auth
return &Storage{s, ruleResolver}
}
func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
func (r *Storage) NamespaceScoped() bool {
return true
}
func (s *Storage) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
if rbacregistry.EscalationAllowed(ctx) {
return s.StandardStorage.Create(ctx, obj, createValidation, includeUninitialized)
}
role := obj.(*rbac.Role)
rules := role.Rules
if err := rbacregistryvalidation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, rules); err != nil {
return nil, errors.NewForbidden(groupResource, role.Name, err)
}
return s.StandardStorage.Create(ctx, obj, createValidation, includeUninitialized)
}
func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
func (s *Storage) Update(ctx context.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
if rbacregistry.EscalationAllowed(ctx) {
return s.StandardStorage.Update(ctx, name, obj, createValidation, updateValidation)
}
nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx genericapirequest.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx context.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
role := obj.(*rbac.Role)
// if we're only mutating fields needed for the GC to eventually delete this obj, return
@ -67,7 +72,7 @@ func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.Up
}
rules := role.Rules
if err := rbacregistryvalidation.ConfirmNoEscalation(ctx, s.ruleResolver, rules); err != nil {
if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, rules); err != nil {
return nil, errors.NewForbidden(groupResource, role.Name, err)
}
return obj, nil

53
vendor/k8s.io/kubernetes/pkg/registry/rbac/role/registry.go generated vendored
View File

@ -17,27 +17,24 @@ limitations under the License.
package role
import (
metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
"context"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/watch"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
)
// Registry is an interface for things that know how to store Roles.
type Registry interface {
ListRoles(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*rbac.RoleList, error)
CreateRole(ctx genericapirequest.Context, role *rbac.Role, createValidation rest.ValidateObjectFunc) error
UpdateRole(ctx genericapirequest.Context, role *rbac.Role, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error
GetRole(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*rbac.Role, error)
DeleteRole(ctx genericapirequest.Context, name string) error
WatchRoles(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error)
GetRole(ctx context.Context, name string, options *metav1.GetOptions) (*rbacv1.Role, error)
}
// storage puts strong typing around storage calls
type storage struct {
rest.StandardStorage
rest.Getter
}
// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
@ -46,41 +43,17 @@ func NewRegistry(s rest.StandardStorage) Registry {
return &storage{s}
}
func (s *storage) ListRoles(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*rbac.RoleList, error) {
obj, err := s.List(ctx, options)
if err != nil {
return nil, err
}
return obj.(*rbac.RoleList), nil
}
func (s *storage) CreateRole(ctx genericapirequest.Context, role *rbac.Role, createValidation rest.ValidateObjectFunc) error {
_, err := s.Create(ctx, role, createValidation, false)
return err
}
func (s *storage) UpdateRole(ctx genericapirequest.Context, role *rbac.Role, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error {
// TODO: any admission?
_, _, err := s.Update(ctx, role.Name, rest.DefaultUpdatedObjectInfo(role), createValidation, updateValidation)
return err
}
func (s *storage) WatchRoles(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error) {
return s.Watch(ctx, options)
}
func (s *storage) GetRole(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*rbac.Role, error) {
func (s *storage) GetRole(ctx context.Context, name string, options *metav1.GetOptions) (*rbacv1.Role, error) {
obj, err := s.Get(ctx, name, options)
if err != nil {
return nil, err
}
return obj.(*rbac.Role), nil
}
func (s *storage) DeleteRole(ctx genericapirequest.Context, name string) error {
_, _, err := s.Delete(ctx, name, nil)
return err
ret := &rbacv1.Role{}
if err := rbacv1helpers.Convert_rbac_Role_To_v1_Role(obj.(*rbac.Role), ret, nil); err != nil {
return nil, err
}
return ret, nil
}
// AuthorizerAdapter adapts the registry to the authorizer interface
@ -88,6 +61,6 @@ type AuthorizerAdapter struct {
Registry Registry
}
func (a AuthorizerAdapter) GetRole(namespace, name string) (*rbac.Role, error) {
func (a AuthorizerAdapter) GetRole(namespace, name string) (*rbacv1.Role, error) {
return a.Registry.GetRole(genericapirequest.WithNamespace(genericapirequest.NewContext(), namespace), name, &metav1.GetOptions{})
}

11
vendor/k8s.io/kubernetes/pkg/registry/rbac/role/strategy.go generated vendored
View File

@ -17,9 +17,10 @@ limitations under the License.
package role
import (
"context"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/storage/names"
"k8s.io/kubernetes/pkg/api/legacyscheme"
@ -55,12 +56,12 @@ func (strategy) AllowCreateOnUpdate() bool {
// PrepareForCreate clears fields that are not allowed to be set by end users
// on creation.
func (strategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.Object) {
func (strategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
_ = obj.(*rbac.Role)
}
// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
func (strategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime.Object) {
func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
newRole := obj.(*rbac.Role)
oldRole := old.(*rbac.Role)
@ -68,7 +69,7 @@ func (strategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime
}
// Validate validates a new Role. Validation must check for a correct signature.
func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
role := obj.(*rbac.Role)
return validation.ValidateRole(role)
}
@ -79,7 +80,7 @@ func (strategy) Canonicalize(obj runtime.Object) {
}
// ValidateUpdate is the default update validation for an end user.
func (strategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
newObj := obj.(*rbac.Role)
errorList := validation.ValidateRole(newObj)
return append(errorList, validation.ValidateRoleUpdate(newObj, old.(*rbac.Role))...)

4
vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/BUILD generated vendored
View File

@ -16,12 +16,12 @@ go_library(
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library",
"//pkg/apis/rbac/validation:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
"//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library",

2
vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/BUILD generated vendored
View File

@ -12,8 +12,10 @@ go_library(
deps = [
"//pkg/apis/core/helper:go_default_library",
"//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library",
"//pkg/registry/rbac:go_default_library",
"//pkg/registry/rbac/validation:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",

28
vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/storage.go generated vendored
View File

@ -18,6 +18,9 @@ limitations under the License.
package policybased
import (
"context"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/authorization/authorizer"
@ -25,6 +28,7 @@ import (
"k8s.io/apiserver/pkg/registry/rest"
kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
)
@ -43,7 +47,11 @@ func NewStorage(s rest.StandardStorage, authorizer authorizer.Authorizer, ruleRe
return &Storage{s, authorizer, ruleResolver}
}
func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
func (r *Storage) NamespaceScoped() bool {
return true
}
func (s *Storage) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
if rbacregistry.EscalationAllowed(ctx) {
return s.StandardStorage.Create(ctx, obj, createValidation, includeUninitialized)
}
@ -60,7 +68,12 @@ func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, crea
return s.StandardStorage.Create(ctx, obj, createValidation, includeUninitialized)
}
rules, err := s.ruleResolver.GetRoleReferenceRules(roleBinding.RoleRef, namespace)
v1RoleRef := rbacv1.RoleRef{}
err := rbacv1helpers.Convert_rbac_RoleRef_To_v1_RoleRef(&roleBinding.RoleRef, &v1RoleRef, nil)
if err != nil {
return nil, err
}
rules, err := s.ruleResolver.GetRoleReferenceRules(v1RoleRef, namespace)
if err != nil {
return nil, err
}
@ -70,12 +83,12 @@ func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object, crea
return s.StandardStorage.Create(ctx, obj, createValidation, includeUninitialized)
}
func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
func (s *Storage) Update(ctx context.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (runtime.Object, bool, error) {
if rbacregistry.EscalationAllowed(ctx) {
return s.StandardStorage.Update(ctx, name, obj, createValidation, updateValidation)
}
nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx genericapirequest.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx context.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
// Get the namespace from the context (populated from the URL).
// The namespace in the object can be empty until StandardStorage.Update()->BeforeUpdate() populates it from the context.
namespace, ok := genericapirequest.NamespaceFrom(ctx)
@ -96,7 +109,12 @@ func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.Up
}
// Otherwise, see if we already have all the permissions contained in the referenced role
rules, err := s.ruleResolver.GetRoleReferenceRules(roleBinding.RoleRef, namespace)
v1RoleRef := rbacv1.RoleRef{}
err := rbacv1helpers.Convert_rbac_RoleRef_To_v1_RoleRef(&roleBinding.RoleRef, &v1RoleRef, nil)
if err != nil {
return nil, err
}
rules, err := s.ruleResolver.GetRoleReferenceRules(v1RoleRef, namespace)
if err != nil {
return nil, err
}

51
vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/registry.go generated vendored
View File

@ -17,27 +17,24 @@ limitations under the License.
package rolebinding
import (
"context"
rbacv1 "k8s.io/api/rbac/v1"
metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/watch"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
)
// Registry is an interface for things that know how to store RoleBindings.
type Registry interface {
ListRoleBindings(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*rbac.RoleBindingList, error)
CreateRoleBinding(ctx genericapirequest.Context, roleBinding *rbac.RoleBinding, createValidation rest.ValidateObjectFunc) error
UpdateRoleBinding(ctx genericapirequest.Context, roleBinding *rbac.RoleBinding, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error
GetRoleBinding(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*rbac.RoleBinding, error)
DeleteRoleBinding(ctx genericapirequest.Context, name string) error
WatchRoleBindings(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error)
ListRoleBindings(ctx context.Context, options *metainternalversion.ListOptions) (*rbacv1.RoleBindingList, error)
}
// storage puts strong typing around storage calls
type storage struct {
rest.StandardStorage
rest.Lister
}
// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
@ -46,41 +43,17 @@ func NewRegistry(s rest.StandardStorage) Registry {
return &storage{s}
}
func (s *storage) ListRoleBindings(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*rbac.RoleBindingList, error) {
func (s *storage) ListRoleBindings(ctx context.Context, options *metainternalversion.ListOptions) (*rbacv1.RoleBindingList, error) {
obj, err := s.List(ctx, options)
if err != nil {
return nil, err
}
return obj.(*rbac.RoleBindingList), nil
}
func (s *storage) CreateRoleBinding(ctx genericapirequest.Context, roleBinding *rbac.RoleBinding, createValidation rest.ValidateObjectFunc) error {
// TODO(ericchiang): add additional validation
_, err := s.Create(ctx, roleBinding, createValidation, false)
return err
}
func (s *storage) UpdateRoleBinding(ctx genericapirequest.Context, roleBinding *rbac.RoleBinding, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error {
_, _, err := s.Update(ctx, roleBinding.Name, rest.DefaultUpdatedObjectInfo(roleBinding), createValidation, updateValidation)
return err
}
func (s *storage) WatchRoleBindings(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error) {
return s.Watch(ctx, options)
}
func (s *storage) GetRoleBinding(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*rbac.RoleBinding, error) {
obj, err := s.Get(ctx, name, options)
if err != nil {
ret := &rbacv1.RoleBindingList{}
if err := rbacv1helpers.Convert_rbac_RoleBindingList_To_v1_RoleBindingList(obj.(*rbac.RoleBindingList), ret, nil); err != nil {
return nil, err
}
return obj.(*rbac.RoleBinding), nil
}
func (s *storage) DeleteRoleBinding(ctx genericapirequest.Context, name string) error {
_, _, err := s.Delete(ctx, name, nil)
return err
return ret, nil
}
// AuthorizerAdapter adapts the registry to the authorizer interface
@ -88,13 +61,13 @@ type AuthorizerAdapter struct {
Registry Registry
}
func (a AuthorizerAdapter) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
func (a AuthorizerAdapter) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error) {
list, err := a.Registry.ListRoleBindings(genericapirequest.WithNamespace(genericapirequest.NewContext(), namespace), &metainternalversion.ListOptions{})
if err != nil {
return nil, err
}
ret := []*rbac.RoleBinding{}
ret := []*rbacv1.RoleBinding{}
for i := range list.Items {
ret = append(ret, &list.Items[i])
}

3
vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/storage/BUILD generated vendored
View File

@ -11,6 +11,9 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/storage",
deps = [
"//pkg/apis/rbac:go_default_library",
"//pkg/printers:go_default_library",
"//pkg/printers/internalversion:go_default_library",
"//pkg/printers/storage:go_default_library",
"//pkg/registry/rbac/rolebinding:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",

5
vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/storage/storage.go generated vendored
View File

@ -21,6 +21,9 @@ import (
"k8s.io/apiserver/pkg/registry/generic"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/printers"
printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
printerstorage "k8s.io/kubernetes/pkg/printers/storage"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
)
@ -39,6 +42,8 @@ func NewREST(optsGetter generic.RESTOptionsGetter) *REST {
CreateStrategy: rolebinding.Strategy,
UpdateStrategy: rolebinding.Strategy,
DeleteStrategy: rolebinding.Strategy,
TableConvertor: printerstorage.TableConvertor{TablePrinter: printers.NewTablePrinter().With(printersinternal.AddHandlers)},
}
options := &generic.StoreOptions{RESTOptions: optsGetter}
if err := store.CompleteWithOptions(options); err != nil {

11
vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/strategy.go generated vendored
View File

@ -17,9 +17,10 @@ limitations under the License.
package rolebinding
import (
"context"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/storage/names"
"k8s.io/kubernetes/pkg/api/legacyscheme"
@ -55,12 +56,12 @@ func (strategy) AllowCreateOnUpdate() bool {
// PrepareForCreate clears fields that are not allowed to be set by end users
// on creation.
func (strategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.Object) {
func (strategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
_ = obj.(*rbac.RoleBinding)
}
// PrepareForUpdate clears fields that are not allowed to be set by end users on update.
func (strategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime.Object) {
func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
newRoleBinding := obj.(*rbac.RoleBinding)
oldRoleBinding := old.(*rbac.RoleBinding)
@ -68,7 +69,7 @@ func (strategy) PrepareForUpdate(ctx genericapirequest.Context, obj, old runtime
}
// Validate validates a new RoleBinding. Validation must check for a correct signature.
func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
roleBinding := obj.(*rbac.RoleBinding)
return validation.ValidateRoleBinding(roleBinding)
}
@ -79,7 +80,7 @@ func (strategy) Canonicalize(obj runtime.Object) {
}
// ValidateUpdate is the default update validation for an end user.
func (strategy) ValidateUpdate(ctx genericapirequest.Context, obj, old runtime.Object) field.ErrorList {
func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
newObj := obj.(*rbac.RoleBinding)
errorList := validation.ValidateRoleBinding(newObj)
return append(errorList, validation.ValidateRoleBindingUpdate(newObj, old.(*rbac.RoleBinding))...)

6
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/BUILD generated vendored
View File

@ -15,7 +15,8 @@ go_test(
],
embed = [":go_default_library"],
deps = [
"//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
@ -25,6 +26,7 @@ go_test(
go_library(
name = "go_default_library",
srcs = [
"internal_version_adapter.go",
"policy_compact.go",
"policy_comparator.go",
"rule.go",
@ -32,7 +34,9 @@ go_library(
importpath = "k8s.io/kubernetes/pkg/registry/rbac/validation",
deps = [
"//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/k8s.io/api/rbac/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",

39
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/internal_version_adapter.go generated vendored Normal file
View File

@ -0,0 +1,39 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package validation
import (
"context"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
)
func ConfirmNoEscalationInternal(ctx context.Context, ruleResolver AuthorizationRuleResolver, inRules []rbac.PolicyRule) error {
rules := []rbacv1.PolicyRule{}
for i := range inRules {
v1Rule := rbacv1.PolicyRule{}
err := rbacv1helpers.Convert_rbac_PolicyRule_To_v1_PolicyRule(&inRules[i], &v1Rule, nil)
if err != nil {
return err
}
rules = append(rules, v1Rule)
}
return ConfirmNoEscalation(ctx, ruleResolver, rules)
}

12
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/policy_compact.go generated vendored
View File

@ -19,7 +19,7 @@ package validation
import (
"reflect"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1 "k8s.io/api/rbac/v1"
)
type simpleResource struct {
@ -31,10 +31,10 @@ type simpleResource struct {
// CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes.
// this is a fast check, and works well with the decomposed "missing rules" list from a Covers check.
func CompactRules(rules []rbac.PolicyRule) ([]rbac.PolicyRule, error) {
compacted := make([]rbac.PolicyRule, 0, len(rules))
func CompactRules(rules []rbacv1.PolicyRule) ([]rbacv1.PolicyRule, error) {
compacted := make([]rbacv1.PolicyRule, 0, len(rules))
simpleRules := map[simpleResource]*rbac.PolicyRule{}
simpleRules := map[simpleResource]*rbacv1.PolicyRule{}
for _, rule := range rules {
if resource, isSimple := isSimpleResourceRule(&rule); isSimple {
if existingRule, ok := simpleRules[resource]; ok {
@ -61,7 +61,7 @@ func CompactRules(rules []rbac.PolicyRule) ([]rbac.PolicyRule, error) {
}
// isSimpleResourceRule returns true if the given rule contains verbs, a single resource, a single API group, at most one Resource Name, and no other values
func isSimpleResourceRule(rule *rbac.PolicyRule) (simpleResource, bool) {
func isSimpleResourceRule(rule *rbacv1.PolicyRule) (simpleResource, bool) {
resource := simpleResource{}
// If we have "complex" rule attributes, return early without allocations or expensive comparisons
@ -74,7 +74,7 @@ func isSimpleResourceRule(rule *rbac.PolicyRule) (simpleResource, bool) {
}
// Test if this rule only contains APIGroups/Resources/Verbs/ResourceNames
simpleRule := &rbac.PolicyRule{APIGroups: rule.APIGroups, Resources: rule.Resources, Verbs: rule.Verbs, ResourceNames: rule.ResourceNames}
simpleRule := &rbacv1.PolicyRule{APIGroups: rule.APIGroups, Resources: rule.Resources, Verbs: rule.Verbs, ResourceNames: rule.ResourceNames}
if !reflect.DeepEqual(simpleRule, rule) {
return resource, false
}

63
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/policy_compact_test.go generated vendored
View File

@ -21,20 +21,21 @@ import (
"sort"
"testing"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1 "k8s.io/api/rbac/v1"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
)
func TestCompactRules(t *testing.T) {
testcases := map[string]struct {
Rules []rbac.PolicyRule
Expected []rbac.PolicyRule
Rules []rbacv1.PolicyRule
Expected []rbacv1.PolicyRule
}{
"empty": {
Rules: []rbac.PolicyRule{},
Expected: []rbac.PolicyRule{},
Rules: []rbacv1.PolicyRule{},
Expected: []rbacv1.PolicyRule{},
},
"simple": {
Rules: []rbac.PolicyRule{
Rules: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}},
{Verbs: []string{"list"}, APIGroups: []string{""}, Resources: []string{"builds"}},
{Verbs: []string{"update", "patch"}, APIGroups: []string{""}, Resources: []string{"builds"}},
@ -55,7 +56,7 @@ func TestCompactRules(t *testing.T) {
{Verbs: nil, APIGroups: []string{""}, Resources: []string{"pods"}},
{Verbs: []string{"create"}, APIGroups: []string{""}, Resources: []string{"pods"}},
},
Expected: []rbac.PolicyRule{
Expected: []rbacv1.PolicyRule{
{Verbs: []string{"create", "delete"}, APIGroups: []string{"extensions"}, Resources: []string{"daemonsets"}},
{Verbs: []string{"patch"}, APIGroups: []string{"extensions"}, Resources: []string{"daemonsets"}, ResourceNames: []string{""}},
{Verbs: []string{"get", "list"}, APIGroups: []string{"extensions"}, Resources: []string{"daemonsets"}, ResourceNames: []string{"foo"}},
@ -66,44 +67,44 @@ func TestCompactRules(t *testing.T) {
},
},
"complex multi-group": {
Rules: []rbac.PolicyRule{
Rules: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{"", "builds.openshift.io"}, Resources: []string{"builds"}},
{Verbs: []string{"list"}, APIGroups: []string{"", "builds.openshift.io"}, Resources: []string{"builds"}},
},
Expected: []rbac.PolicyRule{
Expected: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{"", "builds.openshift.io"}, Resources: []string{"builds"}},
{Verbs: []string{"list"}, APIGroups: []string{"", "builds.openshift.io"}, Resources: []string{"builds"}},
},
},
"complex multi-resource": {
Rules: []rbac.PolicyRule{
Rules: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds", "images"}},
{Verbs: []string{"list"}, APIGroups: []string{""}, Resources: []string{"builds", "images"}},
},
Expected: []rbac.PolicyRule{
Expected: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds", "images"}},
{Verbs: []string{"list"}, APIGroups: []string{""}, Resources: []string{"builds", "images"}},
},
},
"complex named-resource": {
Rules: []rbac.PolicyRule{
Rules: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{"mybuild"}},
{Verbs: []string{"list"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{"mybuild2"}},
},
Expected: []rbac.PolicyRule{
Expected: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{"mybuild"}},
{Verbs: []string{"list"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{"mybuild2"}},
},
},
"complex non-resource": {
Rules: []rbac.PolicyRule{
Rules: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, NonResourceURLs: []string{"/"}},
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, NonResourceURLs: []string{"/foo"}},
},
Expected: []rbac.PolicyRule{
Expected: []rbacv1.PolicyRule{
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, NonResourceURLs: []string{"/"}},
{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, NonResourceURLs: []string{"/foo"}},
},
@ -112,7 +113,7 @@ func TestCompactRules(t *testing.T) {
for k, tc := range testcases {
rules := tc.Rules
originalRules := make([]rbac.PolicyRule, len(tc.Rules))
originalRules := make([]rbacv1.PolicyRule, len(tc.Rules))
for i := range tc.Rules {
originalRules[i] = *tc.Rules[i].DeepCopy()
}
@ -134,8 +135,8 @@ func TestCompactRules(t *testing.T) {
continue
}
sort.Stable(rbac.SortableRuleSlice(compacted))
sort.Stable(rbac.SortableRuleSlice(tc.Expected))
sort.Stable(rbacv1helpers.SortableRuleSlice(compacted))
sort.Stable(rbacv1helpers.SortableRuleSlice(tc.Expected))
if !reflect.DeepEqual(compacted, tc.Expected) {
t.Errorf("%s: Expected\n%#v\ngot\n%#v", k, tc.Expected, compacted)
continue
@ -145,68 +146,68 @@ func TestCompactRules(t *testing.T) {
func TestIsSimpleResourceRule(t *testing.T) {
testcases := map[string]struct {
Rule rbac.PolicyRule
Rule rbacv1.PolicyRule
Simple bool
Resource simpleResource
}{
"simple, no verbs": {
Rule: rbac.PolicyRule{Verbs: []string{}, APIGroups: []string{""}, Resources: []string{"builds"}},
Rule: rbacv1.PolicyRule{Verbs: []string{}, APIGroups: []string{""}, Resources: []string{"builds"}},
Simple: true,
Resource: simpleResource{Group: "", Resource: "builds"},
},
"simple, one verb": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}},
Simple: true,
Resource: simpleResource{Group: "", Resource: "builds"},
},
"simple, one empty resource name": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{""}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{""}},
Simple: true,
Resource: simpleResource{Group: "", Resource: "builds", ResourceNameExist: true, ResourceName: ""},
},
"simple, one resource name": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{"foo"}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{"foo"}},
Simple: true,
Resource: simpleResource{Group: "", Resource: "builds", ResourceNameExist: true, ResourceName: "foo"},
},
"simple, multi verb": {
Rule: rbac.PolicyRule{Verbs: []string{"get", "list"}, APIGroups: []string{""}, Resources: []string{"builds"}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get", "list"}, APIGroups: []string{""}, Resources: []string{"builds"}},
Simple: true,
Resource: simpleResource{Group: "", Resource: "builds"},
},
"complex, empty": {
Rule: rbac.PolicyRule{},
Rule: rbacv1.PolicyRule{},
Simple: false,
Resource: simpleResource{},
},
"complex, no group": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{}, Resources: []string{"builds"}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{}, Resources: []string{"builds"}},
Simple: false,
Resource: simpleResource{},
},
"complex, multi group": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{"a", "b"}, Resources: []string{"builds"}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{"a", "b"}, Resources: []string{"builds"}},
Simple: false,
Resource: simpleResource{},
},
"complex, no resource": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{}},
Simple: false,
Resource: simpleResource{},
},
"complex, multi resource": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds", "images"}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds", "images"}},
Simple: false,
Resource: simpleResource{},
},
"complex, resource names": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{"foo", "bar"}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, ResourceNames: []string{"foo", "bar"}},
Simple: false,
Resource: simpleResource{},
},
"complex, non-resource urls": {
Rule: rbac.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, NonResourceURLs: []string{"/"}},
Rule: rbacv1.PolicyRule{Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"builds"}, NonResourceURLs: []string{"/"}},
Simple: false,
Resource: simpleResource{},
},

26
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/policy_comparator.go generated vendored
View File

@ -19,23 +19,23 @@ package validation
import (
"strings"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1 "k8s.io/api/rbac/v1"
)
// Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions.
// It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.
func Covers(ownerRules, servantRules []rbac.PolicyRule) (bool, []rbac.PolicyRule) {
func Covers(ownerRules, servantRules []rbacv1.PolicyRule) (bool, []rbacv1.PolicyRule) {
// 1. Break every servantRule into individual rule tuples: group, verb, resource, resourceName
// 2. Compare the mini-rules against each owner rule. Because the breakdown is down to the most atomic level, we're guaranteed that each mini-servant rule will be either fully covered or not covered by a single owner rule
// 3. Any left over mini-rules means that we are not covered and we have a nice list of them.
// TODO: it might be nice to collapse the list down into something more human readable
subrules := []rbac.PolicyRule{}
subrules := []rbacv1.PolicyRule{}
for _, servantRule := range servantRules {
subrules = append(subrules, BreakdownRule(servantRule)...)
}
uncoveredRules := []rbac.PolicyRule{}
uncoveredRules := []rbacv1.PolicyRule{}
for _, subrule := range subrules {
covered := false
for _, ownerRule := range ownerRules {
@ -55,18 +55,18 @@ func Covers(ownerRules, servantRules []rbac.PolicyRule) (bool, []rbac.PolicyRule
// BreadownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one
// resource, and one resource name
func BreakdownRule(rule rbac.PolicyRule) []rbac.PolicyRule {
subrules := []rbac.PolicyRule{}
func BreakdownRule(rule rbacv1.PolicyRule) []rbacv1.PolicyRule {
subrules := []rbacv1.PolicyRule{}
for _, group := range rule.APIGroups {
for _, resource := range rule.Resources {
for _, verb := range rule.Verbs {
if len(rule.ResourceNames) > 0 {
for _, resourceName := range rule.ResourceNames {
subrules = append(subrules, rbac.PolicyRule{APIGroups: []string{group}, Resources: []string{resource}, Verbs: []string{verb}, ResourceNames: []string{resourceName}})
subrules = append(subrules, rbacv1.PolicyRule{APIGroups: []string{group}, Resources: []string{resource}, Verbs: []string{verb}, ResourceNames: []string{resourceName}})
}
} else {
subrules = append(subrules, rbac.PolicyRule{APIGroups: []string{group}, Resources: []string{resource}, Verbs: []string{verb}})
subrules = append(subrules, rbacv1.PolicyRule{APIGroups: []string{group}, Resources: []string{resource}, Verbs: []string{verb}})
}
}
@ -76,7 +76,7 @@ func BreakdownRule(rule rbac.PolicyRule) []rbac.PolicyRule {
// Non-resource URLs are unique because they only combine with verbs.
for _, nonResourceURL := range rule.NonResourceURLs {
for _, verb := range rule.Verbs {
subrules = append(subrules, rbac.PolicyRule{NonResourceURLs: []string{nonResourceURL}, Verbs: []string{verb}})
subrules = append(subrules, rbacv1.PolicyRule{NonResourceURLs: []string{nonResourceURL}, Verbs: []string{verb}})
}
}
@ -107,7 +107,7 @@ func hasAll(set, contains []string) bool {
func resourceCoversAll(setResources, coversResources []string) bool {
// if we have a star or an exact match on all resources, then we match
if has(setResources, rbac.ResourceAll) || hasAll(setResources, coversResources) {
if has(setResources, rbacv1.ResourceAll) || hasAll(setResources, coversResources) {
return true
}
@ -155,9 +155,9 @@ func nonResourceURLCovers(ownerPath, subPath string) bool {
// ruleCovers determines whether the ownerRule (which may have multiple verbs, resources, and resourceNames) covers
// the subrule (which may only contain at most one verb, resource, and resourceName)
func ruleCovers(ownerRule, subRule rbac.PolicyRule) bool {
verbMatches := has(ownerRule.Verbs, rbac.VerbAll) || hasAll(ownerRule.Verbs, subRule.Verbs)
groupMatches := has(ownerRule.APIGroups, rbac.APIGroupAll) || hasAll(ownerRule.APIGroups, subRule.APIGroups)
func ruleCovers(ownerRule, subRule rbacv1.PolicyRule) bool {
verbMatches := has(ownerRule.Verbs, rbacv1.VerbAll) || hasAll(ownerRule.Verbs, subRule.Verbs)
groupMatches := has(ownerRule.APIGroups, rbacv1.APIGroupAll) || hasAll(ownerRule.APIGroups, subRule.APIGroups)
resourceMatches := resourceCoversAll(ownerRule.Resources, subRule.Resources)
nonResourceURLMatches := nonResourceURLsCoversAll(ownerRule.NonResourceURLs, subRule.NonResourceURLs)

148
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/policy_comparator_test.go generated vendored
View File

@ -20,65 +20,65 @@ import (
"reflect"
"testing"
"k8s.io/kubernetes/pkg/apis/rbac"
rbacv1 "k8s.io/api/rbac/v1"
)
type escalationTest struct {
ownerRules []rbac.PolicyRule
servantRules []rbac.PolicyRule
ownerRules []rbacv1.PolicyRule
servantRules []rbacv1.PolicyRule
expectedCovered bool
expectedUncoveredRules []rbac.PolicyRule
expectedUncoveredRules []rbacv1.PolicyRule
}
func TestCoversExactMatch(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"builds"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"builds"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversSubresourceWildcard(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"*/scale"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"foo/scale"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversMultipleRulesCoveringSingleRule(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"delete"}, Resources: []string{"deployments"}},
{APIGroups: []string{"v1"}, Verbs: []string{"delete"}, Resources: []string{"builds"}},
{APIGroups: []string{"v1"}, Verbs: []string{"update"}, Resources: []string{"builds", "deployments"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"delete", "update"}, Resources: []string{"builds", "deployments"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversMultipleAPIGroupsCoveringSingleRule(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"group1"}, Verbs: []string{"delete"}, Resources: []string{"deployments"}},
{APIGroups: []string{"group1"}, Verbs: []string{"delete"}, Resources: []string{"builds"}},
{APIGroups: []string{"group1"}, Verbs: []string{"update"}, Resources: []string{"builds", "deployments"}},
@ -86,22 +86,22 @@ func TestCoversMultipleAPIGroupsCoveringSingleRule(t *testing.T) {
{APIGroups: []string{"group2"}, Verbs: []string{"delete"}, Resources: []string{"builds"}},
{APIGroups: []string{"group2"}, Verbs: []string{"update"}, Resources: []string{"builds", "deployments"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"group1", "group2"}, Verbs: []string{"delete", "update"}, Resources: []string{"builds", "deployments"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversSingleAPIGroupsCoveringMultiple(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"group1", "group2"}, Verbs: []string{"delete", "update"}, Resources: []string{"builds", "deployments"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"group1"}, Verbs: []string{"delete"}, Resources: []string{"deployments"}},
{APIGroups: []string{"group1"}, Verbs: []string{"delete"}, Resources: []string{"builds"}},
{APIGroups: []string{"group1"}, Verbs: []string{"update"}, Resources: []string{"builds", "deployments"}},
@ -111,23 +111,23 @@ func TestCoversSingleAPIGroupsCoveringMultiple(t *testing.T) {
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversMultipleRulesMissingSingleVerbResourceCombination(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"delete", "update"}, Resources: []string{"builds", "deployments"}},
{APIGroups: []string{"v1"}, Verbs: []string{"delete"}, Resources: []string{"pods"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"delete", "update"}, Resources: []string{"builds", "deployments", "pods"}},
},
expectedCovered: false,
expectedUncoveredRules: []rbac.PolicyRule{
expectedUncoveredRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"update"}, Resources: []string{"pods"}},
},
}.test(t)
@ -135,29 +135,29 @@ func TestCoversMultipleRulesMissingSingleVerbResourceCombination(t *testing.T) {
func TestCoversAPIGroupStarCoveringMultiple(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"*"}, Verbs: []string{"get"}, Resources: []string{"roles"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"group1", "group2"}, Verbs: []string{"get"}, Resources: []string{"roles"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversEnumerationNotCoveringAPIGroupStar(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"dummy-group"}, Verbs: []string{"get"}, Resources: []string{"roles"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"*"}, Verbs: []string{"get"}, Resources: []string{"roles"}},
},
expectedCovered: false,
expectedUncoveredRules: []rbac.PolicyRule{
expectedUncoveredRules: []rbacv1.PolicyRule{
{APIGroups: []string{"*"}, Verbs: []string{"get"}, Resources: []string{"roles"}},
},
}.test(t)
@ -165,43 +165,43 @@ func TestCoversEnumerationNotCoveringAPIGroupStar(t *testing.T) {
func TestCoversAPIGroupStarCoveringStar(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"*"}, Verbs: []string{"get"}, Resources: []string{"roles"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"*"}, Verbs: []string{"get"}, Resources: []string{"roles"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversVerbStarCoveringMultiple(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"*"}, Resources: []string{"roles"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"watch", "list"}, Resources: []string{"roles"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversEnumerationNotCoveringVerbStar(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get", "list", "watch", "create", "update", "delete", "exec"}, Resources: []string{"roles"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"*"}, Resources: []string{"roles"}},
},
expectedCovered: false,
expectedUncoveredRules: []rbac.PolicyRule{
expectedUncoveredRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"*"}, Resources: []string{"roles"}},
},
}.test(t)
@ -209,43 +209,43 @@ func TestCoversEnumerationNotCoveringVerbStar(t *testing.T) {
func TestCoversVerbStarCoveringStar(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"*"}, Resources: []string{"roles"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"*"}, Resources: []string{"roles"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversResourceStarCoveringMultiple(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"*"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"resourcegroup:deployments"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversEnumerationNotCoveringResourceStar(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"roles", "resourcegroup:deployments"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"*"}},
},
expectedCovered: false,
expectedUncoveredRules: []rbac.PolicyRule{
expectedUncoveredRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"*"}},
},
}.test(t)
@ -253,43 +253,43 @@ func TestCoversEnumerationNotCoveringResourceStar(t *testing.T) {
func TestCoversResourceStarCoveringStar(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"*"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"*"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversResourceNameEmptyCoveringMultiple(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"pods"}, ResourceNames: []string{}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"pods"}, ResourceNames: []string{"foo", "bar"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversEnumerationNotCoveringResourceNameEmpty(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"pods"}, ResourceNames: []string{"foo", "bar"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"pods"}, ResourceNames: []string{}},
},
expectedCovered: false,
expectedUncoveredRules: []rbac.PolicyRule{
expectedUncoveredRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"pods"}},
},
}.test(t)
@ -297,43 +297,43 @@ func TestCoversEnumerationNotCoveringResourceNameEmpty(t *testing.T) {
func TestCoversNonResourceURLs(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"/apis"}, Verbs: []string{"*"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"/apis"}, Verbs: []string{"*"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversNonResourceURLsStar(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"*"}, Verbs: []string{"*"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"/apis", "/apis/v1", "/"}, Verbs: []string{"*"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversNonResourceURLsStarAfterPrefixDoesntCover(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"/apis/*"}, Verbs: []string{"*"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"/apis", "/apis/v1"}, Verbs: []string{"get"}},
},
expectedCovered: false,
expectedUncoveredRules: []rbac.PolicyRule{
expectedUncoveredRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"/apis"}, Verbs: []string{"get"}},
},
}.test(t)
@ -341,43 +341,43 @@ func TestCoversNonResourceURLsStarAfterPrefixDoesntCover(t *testing.T) {
func TestCoversNonResourceURLsStarAfterPrefix(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"/apis/*"}, Verbs: []string{"*"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{NonResourceURLs: []string{"/apis/v1/foo", "/apis/v1"}, Verbs: []string{"get"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversNonResourceURLsWithOtherFields(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"builds"}, NonResourceURLs: []string{"/apis"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"builds"}, NonResourceURLs: []string{"/apis"}},
},
expectedCovered: true,
expectedUncoveredRules: []rbac.PolicyRule{},
expectedUncoveredRules: []rbacv1.PolicyRule{},
}.test(t)
}
func TestCoversNonResourceURLsWithOtherFieldsFailure(t *testing.T) {
escalationTest{
ownerRules: []rbac.PolicyRule{
ownerRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"builds"}},
},
servantRules: []rbac.PolicyRule{
servantRules: []rbacv1.PolicyRule{
{APIGroups: []string{"v1"}, Verbs: []string{"get"}, Resources: []string{"builds"}, NonResourceURLs: []string{"/apis"}},
},
expectedCovered: false,
expectedUncoveredRules: []rbac.PolicyRule{{NonResourceURLs: []string{"/apis"}, Verbs: []string{"get"}}},
expectedUncoveredRules: []rbacv1.PolicyRule{{NonResourceURLs: []string{"/apis"}, Verbs: []string{"get"}}},
}.test(t)
}
@ -393,7 +393,7 @@ func (test escalationTest) test(t *testing.T) {
}
}
func rulesMatch(expectedRules, actualRules []rbac.PolicyRule) bool {
func rulesMatch(expectedRules, actualRules []rbacv1.PolicyRule) bool {
if len(expectedRules) != len(actualRules) {
return false
}

81
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/rule.go generated vendored
View File

@ -17,36 +17,37 @@ limitations under the License.
package validation
import (
"context"
"errors"
"fmt"
"github.com/golang/glog"
rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/kubernetes/pkg/apis/rbac"
)
type AuthorizationRuleResolver interface {
// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namepsace
// of the role binding, the empty string if a cluster role binding.
GetRoleReferenceRules(roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error)
GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)
// RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of
// PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations
// can be made on the basis of those rules that are found.
RulesFor(user user.Info, namespace string) ([]rbac.PolicyRule, error)
RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)
// VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules.
// If visitor() returns false, visiting is short-circuited.
VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool)
VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
}
// ConfirmNoEscalation determines if the roles for a given user in a given namespace encompass the provided role.
func ConfirmNoEscalation(ctx genericapirequest.Context, ruleResolver AuthorizationRuleResolver, rules []rbac.PolicyRule) error {
func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleResolver, rules []rbacv1.PolicyRule) error {
ruleResolutionErrors := []error{}
user, ok := genericapirequest.UserFrom(ctx)
@ -81,33 +82,33 @@ func NewDefaultRuleResolver(roleGetter RoleGetter, roleBindingLister RoleBinding
}
type RoleGetter interface {
GetRole(namespace, name string) (*rbac.Role, error)
GetRole(namespace, name string) (*rbacv1.Role, error)
}
type RoleBindingLister interface {
ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error)
ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
}
type ClusterRoleGetter interface {
GetClusterRole(name string) (*rbac.ClusterRole, error)
GetClusterRole(name string) (*rbacv1.ClusterRole, error)
}
type ClusterRoleBindingLister interface {
ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error)
ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
}
func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbac.PolicyRule, error) {
func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error) {
visitor := &ruleAccumulator{}
r.VisitRulesFor(user, namespace, visitor.visit)
return visitor.rules, utilerrors.NewAggregate(visitor.errors)
}
type ruleAccumulator struct {
rules []rbac.PolicyRule
rules []rbacv1.PolicyRule
errors []error
}
func (r *ruleAccumulator) visit(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool {
func (r *ruleAccumulator) visit(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool {
if rule != nil {
r.rules = append(r.rules, *rule)
}
@ -117,9 +118,9 @@ func (r *ruleAccumulator) visit(source fmt.Stringer, rule *rbac.PolicyRule, err
return true
}
func describeSubject(s *rbac.Subject, bindingNamespace string) string {
func describeSubject(s *rbacv1.Subject, bindingNamespace string) string {
switch s.Kind {
case rbac.ServiceAccountKind:
case rbacv1.ServiceAccountKind:
if len(s.Namespace) > 0 {
return fmt.Sprintf("%s %q", s.Kind, s.Name+"/"+s.Namespace)
}
@ -130,8 +131,8 @@ func describeSubject(s *rbac.Subject, bindingNamespace string) string {
}
type clusterRoleBindingDescriber struct {
binding *rbac.ClusterRoleBinding
subject *rbac.Subject
binding *rbacv1.ClusterRoleBinding
subject *rbacv1.Subject
}
func (d *clusterRoleBindingDescriber) String() string {
@ -144,8 +145,8 @@ func (d *clusterRoleBindingDescriber) String() string {
}
type roleBindingDescriber struct {
binding *rbac.RoleBinding
subject *rbac.Subject
binding *rbacv1.RoleBinding
subject *rbacv1.Subject
}
func (d *roleBindingDescriber) String() string {
@ -157,7 +158,7 @@ func (d *roleBindingDescriber) String() string {
)
}
func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool) {
func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) {
if clusterRoleBindings, err := r.clusterRoleBindingLister.ListClusterRoleBindings(); err != nil {
if !visitor(nil, nil, err) {
return
@ -218,16 +219,16 @@ func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, vi
}
// GetRoleReferenceRules attempts to resolve the RoleBinding or ClusterRoleBinding.
func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbac.RoleRef, bindingNamespace string) ([]rbac.PolicyRule, error) {
switch kind := rbac.RoleRefGroupKind(roleRef); kind {
case rbac.Kind("Role"):
func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error) {
switch roleRef.Kind {
case "Role":
role, err := r.roleGetter.GetRole(bindingNamespace, roleRef.Name)
if err != nil {
return nil, err
}
return role.Rules, nil
case rbac.Kind("ClusterRole"):
case "ClusterRole":
clusterRole, err := r.clusterRoleGetter.GetClusterRole(roleRef.Name)
if err != nil {
return nil, err
@ -235,13 +236,13 @@ func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbac.RoleRef, bindin
return clusterRole.Rules, nil
default:
return nil, fmt.Errorf("unsupported role reference kind: %q", kind)
return nil, fmt.Errorf("unsupported role reference kind: %q", roleRef.Kind)
}
}
// appliesTo returns whether any of the bindingSubjects applies to the specified subject,
// and if true, the index of the first subject that applies
func appliesTo(user user.Info, bindingSubjects []rbac.Subject, namespace string) (int, bool) {
func appliesTo(user user.Info, bindingSubjects []rbacv1.Subject, namespace string) (int, bool) {
for i, bindingSubject := range bindingSubjects {
if appliesToUser(user, bindingSubject, namespace) {
return i, true
@ -250,15 +251,15 @@ func appliesTo(user user.Info, bindingSubjects []rbac.Subject, namespace string)
return 0, false
}
func appliesToUser(user user.Info, subject rbac.Subject, namespace string) bool {
func appliesToUser(user user.Info, subject rbacv1.Subject, namespace string) bool {
switch subject.Kind {
case rbac.UserKind:
case rbacv1.UserKind:
return user.GetName() == subject.Name
case rbac.GroupKind:
case rbacv1.GroupKind:
return has(user.GetGroups(), subject.Name)
case rbac.ServiceAccountKind:
case rbacv1.ServiceAccountKind:
// default the namespace to namespace we're working in if its available. This allows rolebindings that reference
// SAs in th local namespace to avoid having to qualify them.
saNamespace := namespace
@ -275,7 +276,7 @@ func appliesToUser(user user.Info, subject rbac.Subject, namespace string) bool
}
// NewTestRuleResolver returns a rule resolver from lists of role objects.
func NewTestRuleResolver(roles []*rbac.Role, roleBindings []*rbac.RoleBinding, clusterRoles []*rbac.ClusterRole, clusterRoleBindings []*rbac.ClusterRoleBinding) (AuthorizationRuleResolver, *StaticRoles) {
func NewTestRuleResolver(roles []*rbacv1.Role, roleBindings []*rbacv1.RoleBinding, clusterRoles []*rbacv1.ClusterRole, clusterRoleBindings []*rbacv1.ClusterRoleBinding) (AuthorizationRuleResolver, *StaticRoles) {
r := StaticRoles{
roles: roles,
roleBindings: roleBindings,
@ -291,13 +292,13 @@ func newMockRuleResolver(r *StaticRoles) AuthorizationRuleResolver {
// StaticRoles is a rule resolver that resolves from lists of role objects.
type StaticRoles struct {
roles []*rbac.Role
roleBindings []*rbac.RoleBinding
clusterRoles []*rbac.ClusterRole
clusterRoleBindings []*rbac.ClusterRoleBinding
roles []*rbacv1.Role
roleBindings []*rbacv1.RoleBinding
clusterRoles []*rbacv1.ClusterRole
clusterRoleBindings []*rbacv1.ClusterRoleBinding
}
func (r *StaticRoles) GetRole(namespace, name string) (*rbac.Role, error) {
func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error) {
if len(namespace) == 0 {
return nil, errors.New("must provide namespace when getting role")
}
@ -309,21 +310,21 @@ func (r *StaticRoles) GetRole(namespace, name string) (*rbac.Role, error) {
return nil, errors.New("role not found")
}
func (r *StaticRoles) GetClusterRole(name string) (*rbac.ClusterRole, error) {
func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error) {
for _, clusterRole := range r.clusterRoles {
if clusterRole.Name == name {
return clusterRole, nil
}
}
return nil, errors.New("role not found")
return nil, errors.New("clusterrole not found")
}
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error) {
if len(namespace) == 0 {
return nil, errors.New("must provide namespace when listing role bindings")
}
roleBindingList := []*rbac.RoleBinding{}
roleBindingList := []*rbacv1.RoleBinding{}
for _, roleBinding := range r.roleBindings {
if roleBinding.Namespace != namespace {
continue
@ -334,6 +335,6 @@ func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, e
return roleBindingList, nil
}
func (r *StaticRoles) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error) {
return r.clusterRoleBindings, nil
}

104
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/rule_test.go generated vendored
View File

@ -23,14 +23,14 @@ import (
"sort"
"testing"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/kubernetes/pkg/apis/rbac"
)
// compute a hash of a policy rule so we can sort in a deterministic order
func hashOf(p rbac.PolicyRule) string {
func hashOf(p rbacv1.PolicyRule) string {
hash := fnv.New32()
writeStrings := func(slis ...[]string) {
for _, sli := range slis {
@ -44,68 +44,68 @@ func hashOf(p rbac.PolicyRule) string {
}
// byHash sorts a set of policy rules by a hash of its fields
type byHash []rbac.PolicyRule
type byHash []rbacv1.PolicyRule
func (b byHash) Len() int { return len(b) }
func (b byHash) Less(i, j int) bool { return hashOf(b[i]) < hashOf(b[j]) }
func (b byHash) Swap(i, j int) { b[i], b[j] = b[j], b[i] }
func TestDefaultRuleResolver(t *testing.T) {
ruleReadPods := rbac.PolicyRule{
ruleReadPods := rbacv1.PolicyRule{
Verbs: []string{"GET", "WATCH"},
APIGroups: []string{"v1"},
Resources: []string{"pods"},
}
ruleReadServices := rbac.PolicyRule{
ruleReadServices := rbacv1.PolicyRule{
Verbs: []string{"GET", "WATCH"},
APIGroups: []string{"v1"},
Resources: []string{"services"},
}
ruleWriteNodes := rbac.PolicyRule{
ruleWriteNodes := rbacv1.PolicyRule{
Verbs: []string{"PUT", "CREATE", "UPDATE"},
APIGroups: []string{"v1"},
Resources: []string{"nodes"},
}
ruleAdmin := rbac.PolicyRule{
ruleAdmin := rbacv1.PolicyRule{
Verbs: []string{"*"},
APIGroups: []string{"*"},
Resources: []string{"*"},
}
staticRoles1 := StaticRoles{
roles: []*rbac.Role{
roles: []*rbacv1.Role{
{
ObjectMeta: metav1.ObjectMeta{Namespace: "namespace1", Name: "readthings"},
Rules: []rbac.PolicyRule{ruleReadPods, ruleReadServices},
Rules: []rbacv1.PolicyRule{ruleReadPods, ruleReadServices},
},
},
clusterRoles: []*rbac.ClusterRole{
clusterRoles: []*rbacv1.ClusterRole{
{
ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"},
Rules: []rbac.PolicyRule{ruleAdmin},
Rules: []rbacv1.PolicyRule{ruleAdmin},
},
{
ObjectMeta: metav1.ObjectMeta{Name: "write-nodes"},
Rules: []rbac.PolicyRule{ruleWriteNodes},
Rules: []rbacv1.PolicyRule{ruleWriteNodes},
},
},
roleBindings: []*rbac.RoleBinding{
roleBindings: []*rbacv1.RoleBinding{
{
ObjectMeta: metav1.ObjectMeta{Namespace: "namespace1"},
Subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "foobar"},
{Kind: rbac.GroupKind, Name: "group1"},
Subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "foobar"},
{Kind: rbacv1.GroupKind, Name: "group1"},
},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "readthings"},
RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "Role", Name: "readthings"},
},
},
clusterRoleBindings: []*rbac.ClusterRoleBinding{
clusterRoleBindings: []*rbacv1.ClusterRoleBinding{
{
Subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "admin"},
{Kind: rbac.GroupKind, Name: "admin"},
Subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "admin"},
{Kind: rbacv1.GroupKind, Name: "admin"},
},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "cluster-admin"},
RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: "cluster-admin"},
},
},
}
@ -116,13 +116,13 @@ func TestDefaultRuleResolver(t *testing.T) {
// For a given context, what are the rules that apply?
user user.Info
namespace string
effectiveRules []rbac.PolicyRule
effectiveRules []rbacv1.PolicyRule
}{
{
StaticRoles: staticRoles1,
user: &user.DefaultInfo{Name: "foobar"},
namespace: "namespace1",
effectiveRules: []rbac.PolicyRule{ruleReadPods, ruleReadServices},
effectiveRules: []rbacv1.PolicyRule{ruleReadPods, ruleReadServices},
},
{
StaticRoles: staticRoles1,
@ -134,7 +134,7 @@ func TestDefaultRuleResolver(t *testing.T) {
StaticRoles: staticRoles1,
// Same as above but without a namespace. Only cluster rules should apply.
user: &user.DefaultInfo{Name: "foobar", Groups: []string{"admin"}},
effectiveRules: []rbac.PolicyRule{ruleAdmin},
effectiveRules: []rbacv1.PolicyRule{ruleAdmin},
},
{
StaticRoles: staticRoles1,
@ -164,7 +164,7 @@ func TestDefaultRuleResolver(t *testing.T) {
func TestAppliesTo(t *testing.T) {
tests := []struct {
subjects []rbac.Subject
subjects []rbacv1.Subject
user user.Info
namespace string
appliesTo bool
@ -172,8 +172,8 @@ func TestAppliesTo(t *testing.T) {
testCase string
}{
{
subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "foobar"},
subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "foobar"},
},
user: &user.DefaultInfo{Name: "foobar"},
appliesTo: true,
@ -181,9 +181,9 @@ func TestAppliesTo(t *testing.T) {
testCase: "single subject that matches username",
},
{
subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "barfoo"},
{Kind: rbac.UserKind, Name: "foobar"},
subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "barfoo"},
{Kind: rbacv1.UserKind, Name: "foobar"},
},
user: &user.DefaultInfo{Name: "foobar"},
appliesTo: true,
@ -191,18 +191,18 @@ func TestAppliesTo(t *testing.T) {
testCase: "multiple subjects, one that matches username",
},
{
subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "barfoo"},
{Kind: rbac.UserKind, Name: "foobar"},
subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "barfoo"},
{Kind: rbacv1.UserKind, Name: "foobar"},
},
user: &user.DefaultInfo{Name: "zimzam"},
appliesTo: false,
testCase: "multiple subjects, none that match username",
},
{
subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "barfoo"},
{Kind: rbac.GroupKind, Name: "foobar"},
subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "barfoo"},
{Kind: rbacv1.GroupKind, Name: "foobar"},
},
user: &user.DefaultInfo{Name: "zimzam", Groups: []string{"foobar"}},
appliesTo: true,
@ -210,9 +210,9 @@ func TestAppliesTo(t *testing.T) {
testCase: "multiple subjects, one that match group",
},
{
subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "barfoo"},
{Kind: rbac.GroupKind, Name: "foobar"},
subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "barfoo"},
{Kind: rbacv1.GroupKind, Name: "foobar"},
},
user: &user.DefaultInfo{Name: "zimzam", Groups: []string{"foobar"}},
namespace: "namespace1",
@ -221,10 +221,10 @@ func TestAppliesTo(t *testing.T) {
testCase: "multiple subjects, one that match group, should ignore namespace",
},
{
subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "barfoo"},
{Kind: rbac.GroupKind, Name: "foobar"},
{Kind: rbac.ServiceAccountKind, Namespace: "kube-system", Name: "default"},
subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "barfoo"},
{Kind: rbacv1.GroupKind, Name: "foobar"},
{Kind: rbacv1.ServiceAccountKind, Namespace: "kube-system", Name: "default"},
},
user: &user.DefaultInfo{Name: "system:serviceaccount:kube-system:default"},
namespace: "default",
@ -233,8 +233,8 @@ func TestAppliesTo(t *testing.T) {
testCase: "multiple subjects with a service account that matches",
},
{
subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "*"},
subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "*"},
},
user: &user.DefaultInfo{Name: "foobar"},
namespace: "default",
@ -242,9 +242,9 @@ func TestAppliesTo(t *testing.T) {
testCase: "* user subject name doesn't match all users",
},
{
subjects: []rbac.Subject{
{Kind: rbac.GroupKind, Name: user.AllAuthenticated},
{Kind: rbac.GroupKind, Name: user.AllUnauthenticated},
subjects: []rbacv1.Subject{
{Kind: rbacv1.GroupKind, Name: user.AllAuthenticated},
{Kind: rbacv1.GroupKind, Name: user.AllUnauthenticated},
},
user: &user.DefaultInfo{Name: "foobar", Groups: []string{user.AllAuthenticated}},
namespace: "default",
@ -253,9 +253,9 @@ func TestAppliesTo(t *testing.T) {
testCase: "binding to all authenticated and unauthenticated subjects matches authenticated user",
},
{
subjects: []rbac.Subject{
{Kind: rbac.GroupKind, Name: user.AllAuthenticated},
{Kind: rbac.GroupKind, Name: user.AllUnauthenticated},
subjects: []rbacv1.Subject{
{Kind: rbacv1.GroupKind, Name: user.AllAuthenticated},
{Kind: rbacv1.GroupKind, Name: user.AllUnauthenticated},
},
user: &user.DefaultInfo{Name: "system:anonymous", Groups: []string{user.AllUnauthenticated}},
namespace: "default",