rbac api changes for aggregation

This commit is contained in:
David Eads
2017-10-16 13:56:13 -04:00
parent 41fe3ed5bc
commit 0f0a5223df
6 changed files with 97 additions and 3 deletions


@@ -155,6 +155,18 @@ type ClusterRole struct {
// Rules holds all the PolicyRules for this ClusterRole
Rules []PolicyRule
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
// stomped by the controller.
AggregationRule *AggregationRule
}
// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
type AggregationRule struct {
// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
// If any of the selectors match, then the ClusterRole's permissions will be added
ClusterRoleSelectors []metav1.LabelSelector
}
// +genclient
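Review bot: The doc comment on ClusterRoleSelectors never says that an empty selector list is rejected, although the validation added in this same commit requires at least one selector whenever AggregationRule is non-nil; API readers should see that constraint on the type itself. Suggest extending the comment with `// At least one selector is required when AggregationRule is set; an empty list fails validation.`. It would also help to state what the selectors are matched against, since the text only says they "find ClusterRoles"; presumably it is the labels of other ClusterRoles, e.g. `// Each selector is matched against the labels of other ClusterRoles in the cluster.`. The ClusterRole struct begins before this hunk.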


@@ -18,6 +18,8 @@ package validation
import (
"k8s.io/apimachinery/pkg/api/validation/path"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/kubernetes/pkg/apis/core/validation"
"k8s.io/kubernetes/pkg/apis/rbac"
@@ -61,6 +63,22 @@ func ValidateClusterRole(role *rbac.ClusterRole) field.ErrorList {
allErrs = append(allErrs, err...)
}
}
if role.AggregationRule != nil {
if len(role.AggregationRule.ClusterRoleSelectors) == 0 {
allErrs = append(allErrs, field.Required(field.NewPath("aggregationRule", "clusterRoleSelectors"), "at least one clusterRoleSelector required if aggregationRule is non-nil"))
}
for i, selector := range role.AggregationRule.ClusterRoleSelectors {
fieldPath := field.NewPath("aggregationRule", "clusterRoleSelectors").Index(i)
allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(&selector, fieldPath)...)
selector, err := metav1.LabelSelectorAsSelector(&selector)
if err != nil {
allErrs = append(allErrs, field.Invalid(fieldPath, selector, "invalid label selector."))
}
}
}
if len(allErrs) != 0 {
return allErrs
}
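Review bot: On the `selector, err := metav1.LabelSelectorAsSelector(&selector)` line the result shadows the loop variable, so the `field.Invalid(fieldPath, selector, ...)` call two lines below reports the converted labels.Selector (which, on the error path, is not the value the user submitted and is likely nil) instead of the offending metav1.LabelSelector, and the conversion error's reason is discarded. Change the two lines to `_, err := metav1.LabelSelectorAsSelector(&selector)` and `allErrs = append(allErrs, field.Invalid(fieldPath, selector, err.Error()))` so the returned error names the bad selector and why it was rejected. The trailing period in "invalid label selector." is also out of step with the message on the clusterRoleSelectors Required error in this hunk, which has none. ValidateClusterRole starts before this hunk and continues after it.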