github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-19 08:54:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #29930 from ericchiang/rbac-validation-dont-mix-non-resource-urls-and-resources

Browse Source 
Automatic merge from submit-queue

rbac validation: rules can't combine non-resource URLs and regular resources

This PR updates the validation used for RBAC to prevent rules from mixing non-resource URLs and regular resources.

For example the following is no longer valid

```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admins
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
    nonResourceURLs: ["*"]
```

And must be rewritten as so.

```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admins
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
``` 

It also:
* Mandates non-zero length arrays for required resources.
* Mandates non-resource URLs only be used for ClusterRoles (not namespaced Roles).
* Updates the swagger validation so `verbs` are the only required field in a rule. Further validation is done by the server.

Also, do we need to bump the API version?

Discussed by @erictune and @liggitt  in #28304

Updates kubernetes/features#2

cc @kubernetes/sig-auth 

Edit:
* Need to update the RBAC docs if this change goes in.
This commit is contained in:
Kubernetes Submit Queue
2016-08-04 04:52:51 -07:00
committed by GitHub
parent 1933462c7b 7ec270dce7
commit 16454277aa
8 changed files with 316 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json
View File

@@ -3075,9 +3075,7 @@
"id": "v1alpha1.PolicyRule",
"description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.",
"required": [
"verbs",
"apiGroups",
"resources"
"verbs"
],
"properties": {
"verbs": {
@@ -3117,7 +3115,7 @@
"items": {
"type": "string"
},
"description": "NonResourceURLsSlice is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding."
"description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both."
}
}
},