mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-06-14 02:43:36 +00:00
vendor updates
This commit is contained in:
Serguei Bezverkhi
3
vendor/k8s.io/kubernetes/pkg/registry/rbac/BUILD
generated
vendored
3
vendor/k8s.io/kubernetes/pkg/registry/rbac/BUILD
generated
vendored
@ -50,8 +50,7 @@ filegroup(
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["helpers_test.go"],
|
||||
importpath = "k8s.io/kubernetes/pkg/registry/rbac",
|
||||
library = ":go_default_library",
|
||||
embed = [":go_default_library"],
|
||||
deps = [
|
||||
"//pkg/apis/core:go_default_library",
|
||||
"//pkg/apis/core/helper:go_default_library",
|
||||
|
||||
3
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/BUILD
generated
vendored
3
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/BUILD
generated
vendored
@ -12,8 +12,7 @@ go_test(
|
||||
"reconcile_role_test.go",
|
||||
"reconcile_rolebindings_test.go",
|
||||
],
|
||||
importpath = "k8s.io/kubernetes/pkg/registry/rbac/reconciliation",
|
||||
library = ":go_default_library",
|
||||
embed = [":go_default_library"],
|
||||
deps = [
|
||||
"//pkg/apis/core/helper:go_default_library",
|
||||
"//pkg/apis/rbac:go_default_library",
|
||||
|
||||
2
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/zz_generated.deepcopy.go
generated
vendored
2
vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/zz_generated.deepcopy.go
generated
vendored
@ -16,7 +16,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// This file was autogenerated by deepcopy-gen. Do not edit it manually!
|
||||
// Code generated by deepcopy-gen. DO NOT EDIT.
|
||||
|
||||
package reconciliation
|
||||
|
||||
|
||||
70
vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
generated
vendored
70
vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
generated
vendored
@ -18,7 +18,6 @@ package rest
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
@ -71,15 +70,15 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
|
||||
// If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
|
||||
// TODO refactor the plumbing to provide the information in the APIGroupInfo
|
||||
|
||||
if apiResourceConfigSource.AnyResourcesForVersionEnabled(rbacapiv1alpha1.SchemeGroupVersion) {
|
||||
if apiResourceConfigSource.VersionEnabled(rbacapiv1alpha1.SchemeGroupVersion) {
|
||||
apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1alpha1.SchemeGroupVersion.Version] = p.storage(rbacapiv1alpha1.SchemeGroupVersion, apiResourceConfigSource, restOptionsGetter)
|
||||
apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1alpha1.SchemeGroupVersion
|
||||
}
|
||||
if apiResourceConfigSource.AnyResourcesForVersionEnabled(rbacapiv1beta1.SchemeGroupVersion) {
|
||||
if apiResourceConfigSource.VersionEnabled(rbacapiv1beta1.SchemeGroupVersion) {
|
||||
apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1beta1.SchemeGroupVersion.Version] = p.storage(rbacapiv1beta1.SchemeGroupVersion, apiResourceConfigSource, restOptionsGetter)
|
||||
apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1beta1.SchemeGroupVersion
|
||||
}
|
||||
if apiResourceConfigSource.AnyResourcesForVersionEnabled(rbacapiv1.SchemeGroupVersion) {
|
||||
if apiResourceConfigSource.VersionEnabled(rbacapiv1.SchemeGroupVersion) {
|
||||
apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1.SchemeGroupVersion.Version] = p.storage(rbacapiv1.SchemeGroupVersion, apiResourceConfigSource, restOptionsGetter)
|
||||
apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1.SchemeGroupVersion
|
||||
}
|
||||
@ -88,48 +87,31 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
|
||||
}
|
||||
|
||||
func (p RESTStorageProvider) storage(version schema.GroupVersion, apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
|
||||
once := new(sync.Once)
|
||||
var (
|
||||
authorizationRuleResolver rbacregistryvalidation.AuthorizationRuleResolver
|
||||
rolesStorage rest.StandardStorage
|
||||
roleBindingsStorage rest.StandardStorage
|
||||
clusterRolesStorage rest.StandardStorage
|
||||
clusterRoleBindingsStorage rest.StandardStorage
|
||||
storage := map[string]rest.Storage{}
|
||||
rolesStorage := rolestore.NewREST(restOptionsGetter)
|
||||
roleBindingsStorage := rolebindingstore.NewREST(restOptionsGetter)
|
||||
clusterRolesStorage := clusterrolestore.NewREST(restOptionsGetter)
|
||||
clusterRoleBindingsStorage := clusterrolebindingstore.NewREST(restOptionsGetter)
|
||||
|
||||
authorizationRuleResolver := rbacregistryvalidation.NewDefaultRuleResolver(
|
||||
role.AuthorizerAdapter{Registry: role.NewRegistry(rolesStorage)},
|
||||
rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(roleBindingsStorage)},
|
||||
clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterRolesStorage)},
|
||||
clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterRoleBindingsStorage)},
|
||||
)
|
||||
|
||||
initializeStorage := func() {
|
||||
once.Do(func() {
|
||||
rolesStorage = rolestore.NewREST(restOptionsGetter)
|
||||
roleBindingsStorage = rolebindingstore.NewREST(restOptionsGetter)
|
||||
clusterRolesStorage = clusterrolestore.NewREST(restOptionsGetter)
|
||||
clusterRoleBindingsStorage = clusterrolebindingstore.NewREST(restOptionsGetter)
|
||||
// roles
|
||||
storage["roles"] = rolepolicybased.NewStorage(rolesStorage, authorizationRuleResolver)
|
||||
|
||||
authorizationRuleResolver = rbacregistryvalidation.NewDefaultRuleResolver(
|
||||
role.AuthorizerAdapter{Registry: role.NewRegistry(rolesStorage)},
|
||||
rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(roleBindingsStorage)},
|
||||
clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterRolesStorage)},
|
||||
clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterRoleBindingsStorage)},
|
||||
)
|
||||
})
|
||||
}
|
||||
// rolebindings
|
||||
storage["rolebindings"] = rolebindingpolicybased.NewStorage(roleBindingsStorage, p.Authorizer, authorizationRuleResolver)
|
||||
|
||||
// clusterroles
|
||||
storage["clusterroles"] = clusterrolepolicybased.NewStorage(clusterRolesStorage, authorizationRuleResolver)
|
||||
|
||||
// clusterrolebindings
|
||||
storage["clusterrolebindings"] = clusterrolebindingpolicybased.NewStorage(clusterRoleBindingsStorage, p.Authorizer, authorizationRuleResolver)
|
||||
|
||||
storage := map[string]rest.Storage{}
|
||||
if apiResourceConfigSource.ResourceEnabled(version.WithResource("roles")) {
|
||||
initializeStorage()
|
||||
storage["roles"] = rolepolicybased.NewStorage(rolesStorage, authorizationRuleResolver)
|
||||
}
|
||||
if apiResourceConfigSource.ResourceEnabled(version.WithResource("rolebindings")) {
|
||||
initializeStorage()
|
||||
storage["rolebindings"] = rolebindingpolicybased.NewStorage(roleBindingsStorage, p.Authorizer, authorizationRuleResolver)
|
||||
}
|
||||
if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterroles")) {
|
||||
initializeStorage()
|
||||
storage["clusterroles"] = clusterrolepolicybased.NewStorage(clusterRolesStorage, authorizationRuleResolver)
|
||||
}
|
||||
if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterrolebindings")) {
|
||||
initializeStorage()
|
||||
storage["clusterrolebindings"] = clusterrolebindingpolicybased.NewStorage(clusterRoleBindingsStorage, p.Authorizer, authorizationRuleResolver)
|
||||
}
|
||||
return storage
|
||||
}
|
||||
|
||||
@ -264,7 +246,7 @@ func (p *PolicyData) EnsureRBACPolicy() genericapiserver.PostStartHookFunc {
|
||||
case result.Operation == reconciliation.ReconcileUpdate:
|
||||
glog.Infof("updated role.%s/%s in %v with additional permissions: %v", rbac.GroupName, role.Name, namespace, result.MissingRules)
|
||||
case result.Operation == reconciliation.ReconcileCreate:
|
||||
glog.Infof("created role.%s/%s in %v ", rbac.GroupName, role.Name, namespace)
|
||||
glog.Infof("created role.%s/%s in %v", rbac.GroupName, role.Name, namespace)
|
||||
}
|
||||
return nil
|
||||
})
|
||||
@ -309,7 +291,7 @@ func (p *PolicyData) EnsureRBACPolicy() genericapiserver.PostStartHookFunc {
|
||||
|
||||
return true, nil
|
||||
})
|
||||
// if we're never able to make it through intialization, kill the API server
|
||||
// if we're never able to make it through initialization, kill the API server
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to initialize roles: %v", err)
|
||||
}
|
||||
|
||||
3
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/BUILD
generated
vendored
3
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/BUILD
generated
vendored
@ -13,8 +13,7 @@ go_test(
|
||||
"policy_comparator_test.go",
|
||||
"rule_test.go",
|
||||
],
|
||||
importpath = "k8s.io/kubernetes/pkg/registry/rbac/validation",
|
||||
library = ":go_default_library",
|
||||
embed = [":go_default_library"],
|
||||
deps = [
|
||||
"//pkg/apis/rbac:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
|
||||
81
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/rule.go
generated
vendored
81
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/rule.go
generated
vendored
@ -42,7 +42,7 @@ type AuthorizationRuleResolver interface {
|
||||
|
||||
// VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules.
|
||||
// If visitor() returns false, visiting is short-circuited.
|
||||
VisitRulesFor(user user.Info, namespace string, visitor func(rule *rbac.PolicyRule, err error) bool)
|
||||
VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool)
|
||||
}
|
||||
|
||||
// ConfirmNoEscalation determines if the roles for a given user in a given namespace encompass the provided role.
|
||||
@ -107,7 +107,7 @@ type ruleAccumulator struct {
|
||||
errors []error
|
||||
}
|
||||
|
||||
func (r *ruleAccumulator) visit(rule *rbac.PolicyRule, err error) bool {
|
||||
func (r *ruleAccumulator) visit(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool {
|
||||
if rule != nil {
|
||||
r.rules = append(r.rules, *rule)
|
||||
}
|
||||
@ -117,25 +117,69 @@ func (r *ruleAccumulator) visit(rule *rbac.PolicyRule, err error) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(rule *rbac.PolicyRule, err error) bool) {
|
||||
func describeSubject(s *rbac.Subject, bindingNamespace string) string {
|
||||
switch s.Kind {
|
||||
case rbac.ServiceAccountKind:
|
||||
if len(s.Namespace) > 0 {
|
||||
return fmt.Sprintf("%s %q", s.Kind, s.Name+"/"+s.Namespace)
|
||||
}
|
||||
return fmt.Sprintf("%s %q", s.Kind, s.Name+"/"+bindingNamespace)
|
||||
default:
|
||||
return fmt.Sprintf("%s %q", s.Kind, s.Name)
|
||||
}
|
||||
}
|
||||
|
||||
type clusterRoleBindingDescriber struct {
|
||||
binding *rbac.ClusterRoleBinding
|
||||
subject *rbac.Subject
|
||||
}
|
||||
|
||||
func (d *clusterRoleBindingDescriber) String() string {
|
||||
return fmt.Sprintf("ClusterRoleBinding %q of %s %q to %s",
|
||||
d.binding.Name,
|
||||
d.binding.RoleRef.Kind,
|
||||
d.binding.RoleRef.Name,
|
||||
describeSubject(d.subject, ""),
|
||||
)
|
||||
}
|
||||
|
||||
type roleBindingDescriber struct {
|
||||
binding *rbac.RoleBinding
|
||||
subject *rbac.Subject
|
||||
}
|
||||
|
||||
func (d *roleBindingDescriber) String() string {
|
||||
return fmt.Sprintf("RoleBinding %q of %s %q to %s",
|
||||
d.binding.Name+"/"+d.binding.Namespace,
|
||||
d.binding.RoleRef.Kind,
|
||||
d.binding.RoleRef.Name,
|
||||
describeSubject(d.subject, d.binding.Namespace),
|
||||
)
|
||||
}
|
||||
|
||||
func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool) {
|
||||
if clusterRoleBindings, err := r.clusterRoleBindingLister.ListClusterRoleBindings(); err != nil {
|
||||
if !visitor(nil, err) {
|
||||
if !visitor(nil, nil, err) {
|
||||
return
|
||||
}
|
||||
} else {
|
||||
sourceDescriber := &clusterRoleBindingDescriber{}
|
||||
for _, clusterRoleBinding := range clusterRoleBindings {
|
||||
if !appliesTo(user, clusterRoleBinding.Subjects, "") {
|
||||
subjectIndex, applies := appliesTo(user, clusterRoleBinding.Subjects, "")
|
||||
if !applies {
|
||||
continue
|
||||
}
|
||||
rules, err := r.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
|
||||
if err != nil {
|
||||
if !visitor(nil, err) {
|
||||
if !visitor(nil, nil, err) {
|
||||
return
|
||||
}
|
||||
continue
|
||||
}
|
||||
sourceDescriber.binding = clusterRoleBinding
|
||||
sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
|
||||
for i := range rules {
|
||||
if !visitor(&rules[i], nil) {
|
||||
if !visitor(sourceDescriber, &rules[i], nil) {
|
||||
return
|
||||
}
|
||||
}
|
||||
@ -144,23 +188,27 @@ func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, vi
|
||||
|
||||
if len(namespace) > 0 {
|
||||
if roleBindings, err := r.roleBindingLister.ListRoleBindings(namespace); err != nil {
|
||||
if !visitor(nil, err) {
|
||||
if !visitor(nil, nil, err) {
|
||||
return
|
||||
}
|
||||
} else {
|
||||
sourceDescriber := &roleBindingDescriber{}
|
||||
for _, roleBinding := range roleBindings {
|
||||
if !appliesTo(user, roleBinding.Subjects, namespace) {
|
||||
subjectIndex, applies := appliesTo(user, roleBinding.Subjects, namespace)
|
||||
if !applies {
|
||||
continue
|
||||
}
|
||||
rules, err := r.GetRoleReferenceRules(roleBinding.RoleRef, namespace)
|
||||
if err != nil {
|
||||
if !visitor(nil, err) {
|
||||
if !visitor(nil, nil, err) {
|
||||
return
|
||||
}
|
||||
continue
|
||||
}
|
||||
sourceDescriber.binding = roleBinding
|
||||
sourceDescriber.subject = &roleBinding.Subjects[subjectIndex]
|
||||
for i := range rules {
|
||||
if !visitor(&rules[i], nil) {
|
||||
if !visitor(sourceDescriber, &rules[i], nil) {
|
||||
return
|
||||
}
|
||||
}
|
||||
@ -190,13 +238,16 @@ func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbac.RoleRef, bindin
|
||||
return nil, fmt.Errorf("unsupported role reference kind: %q", kind)
|
||||
}
|
||||
}
|
||||
func appliesTo(user user.Info, bindingSubjects []rbac.Subject, namespace string) bool {
|
||||
for _, bindingSubject := range bindingSubjects {
|
||||
|
||||
// appliesTo returns whether any of the bindingSubjects applies to the specified subject,
|
||||
// and if true, the index of the first subject that applies
|
||||
func appliesTo(user user.Info, bindingSubjects []rbac.Subject, namespace string) (int, bool) {
|
||||
for i, bindingSubject := range bindingSubjects {
|
||||
if appliesToUser(user, bindingSubject, namespace) {
|
||||
return true
|
||||
return i, true
|
||||
}
|
||||
}
|
||||
return false
|
||||
return 0, false
|
||||
}
|
||||
|
||||
func appliesToUser(user user.Info, subject rbac.Subject, namespace string) bool {
|
||||
|
||||
13
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/rule_test.go
generated
vendored
13
vendor/k8s.io/kubernetes/pkg/registry/rbac/validation/rule_test.go
generated
vendored
@ -168,6 +168,7 @@ func TestAppliesTo(t *testing.T) {
|
||||
user user.Info
|
||||
namespace string
|
||||
appliesTo bool
|
||||
index int
|
||||
testCase string
|
||||
}{
|
||||
{
|
||||
@ -176,6 +177,7 @@ func TestAppliesTo(t *testing.T) {
|
||||
},
|
||||
user: &user.DefaultInfo{Name: "foobar"},
|
||||
appliesTo: true,
|
||||
index: 0,
|
||||
testCase: "single subject that matches username",
|
||||
},
|
||||
{
|
||||
@ -185,6 +187,7 @@ func TestAppliesTo(t *testing.T) {
|
||||
},
|
||||
user: &user.DefaultInfo{Name: "foobar"},
|
||||
appliesTo: true,
|
||||
index: 1,
|
||||
testCase: "multiple subjects, one that matches username",
|
||||
},
|
||||
{
|
||||
@ -203,6 +206,7 @@ func TestAppliesTo(t *testing.T) {
|
||||
},
|
||||
user: &user.DefaultInfo{Name: "zimzam", Groups: []string{"foobar"}},
|
||||
appliesTo: true,
|
||||
index: 1,
|
||||
testCase: "multiple subjects, one that match group",
|
||||
},
|
||||
{
|
||||
@ -213,6 +217,7 @@ func TestAppliesTo(t *testing.T) {
|
||||
user: &user.DefaultInfo{Name: "zimzam", Groups: []string{"foobar"}},
|
||||
namespace: "namespace1",
|
||||
appliesTo: true,
|
||||
index: 1,
|
||||
testCase: "multiple subjects, one that match group, should ignore namespace",
|
||||
},
|
||||
{
|
||||
@ -224,6 +229,7 @@ func TestAppliesTo(t *testing.T) {
|
||||
user: &user.DefaultInfo{Name: "system:serviceaccount:kube-system:default"},
|
||||
namespace: "default",
|
||||
appliesTo: true,
|
||||
index: 2,
|
||||
testCase: "multiple subjects with a service account that matches",
|
||||
},
|
||||
{
|
||||
@ -243,6 +249,7 @@ func TestAppliesTo(t *testing.T) {
|
||||
user: &user.DefaultInfo{Name: "foobar", Groups: []string{user.AllAuthenticated}},
|
||||
namespace: "default",
|
||||
appliesTo: true,
|
||||
index: 0,
|
||||
testCase: "binding to all authenticated and unauthenticated subjects matches authenticated user",
|
||||
},
|
||||
{
|
||||
@ -253,14 +260,18 @@ func TestAppliesTo(t *testing.T) {
|
||||
user: &user.DefaultInfo{Name: "system:anonymous", Groups: []string{user.AllUnauthenticated}},
|
||||
namespace: "default",
|
||||
appliesTo: true,
|
||||
index: 1,
|
||||
testCase: "binding to all authenticated and unauthenticated subjects matches anonymous user",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
got := appliesTo(tc.user, tc.subjects, tc.namespace)
|
||||
gotIndex, got := appliesTo(tc.user, tc.subjects, tc.namespace)
|
||||
if got != tc.appliesTo {
|
||||
t.Errorf("case %q want appliesTo=%t, got appliesTo=%t", tc.testCase, tc.appliesTo, got)
|
||||
}
|
||||
if gotIndex != tc.index {
|
||||
t.Errorf("case %q want index %d, got %d", tc.testCase, tc.index, gotIndex)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user