From 1d475edd1c8d53e080273b9d1d405075e44208dd Mon Sep 17 00:00:00 2001 From: xilabao Date: Mon, 5 Dec 2016 16:28:37 +0800 Subject: [PATCH] add default label to rbac bootstrap policy --- .../authorizer/rbac/bootstrappolicy/BUILD | 6 +++- .../rbac/bootstrappolicy/controller_policy.go | 3 ++ .../bootstrappolicy/controller_policy_test.go | 28 +++++++++++++++ .../authorizer/rbac/bootstrappolicy/policy.go | 34 +++++++++++++++++-- .../rbac/bootstrappolicy/policy_test.go | 28 +++++++++++++++ .../testdata/cluster-roles.yaml | 18 ++++++++++ .../testdata/controller-role-bindings.yaml | 30 ++++++++++++++++ .../testdata/controller-roles.yaml | 30 ++++++++++++++++ 8 files changed, 174 insertions(+), 3 deletions(-) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD index 9603a37f785..be864a440ca 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD @@ -32,6 +32,7 @@ go_test( deps = [ "//pkg/api:go_default_library", "//pkg/api/install:go_default_library", + "//pkg/api/meta:go_default_library", "//pkg/api/v1:go_default_library", "//pkg/apis/rbac:go_default_library", "//pkg/apis/rbac/install:go_default_library", @@ -50,5 +51,8 @@ go_test( srcs = ["controller_policy_test.go"], library = "go_default_library", tags = ["automanaged"], - deps = ["//pkg/util/sets:go_default_library"], + deps = [ + "//pkg/api/meta:go_default_library", + "//pkg/util/sets:go_default_library", + ], ) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go index a815281bf6e..99a4c6655c2 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go 
@@ -46,8 +46,11 @@ func addControllerRole(role rbac.ClusterRole) { } controllerRoles = append(controllerRoles, role) + addClusterRoleLabel(controllerRoles) + controllerRoleBindings = append(controllerRoleBindings, rbac.NewClusterBinding(role.Name).SAs("kube-system", role.Name[len(saRolePrefix):]).BindingOrDie()) + addClusterRoleBindingLabel(controllerRoleBindings) } func eventsRule() rbac.PolicyRule { diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go index 6fa055c5a50..e6836481033 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go @@ -17,8 +17,10 @@ limitations under the License. package bootstrappolicy import ( + "reflect" "testing" + "k8s.io/kubernetes/pkg/api/meta" "k8s.io/kubernetes/pkg/util/sets" ) @@ -58,3 +60,29 @@ func TestNoStarsForControllers(t *testing.T) { } } } + +func TestControllerRoleLabel(t *testing.T) { + roles := ControllerRoles() + for i := range roles { + role := roles[i] + accessor, err := meta.Accessor(&role) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if got, want := accessor.GetLabels(), map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}; !reflect.DeepEqual(got, want) { + t.Errorf("ClusterRole: %s GetLabels() = %s, want %s", accessor.GetName(), got, want) + } + } + + rolebindings := ControllerRoleBindings() + for i := range rolebindings { + rolebinding := rolebindings[i] + accessor, err := meta.Accessor(&rolebinding) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if got, want := accessor.GetLabels(), map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}; !reflect.DeepEqual(got, want) { + t.Errorf("ClusterRoleBinding: %s GetLabels() = %s, want %s", accessor.GetName(), got, want) + } + } +} 
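Review bot: `addClusterRoleLabel(controllerRoles)` and `addClusterRoleBindingLabel(controllerRoleBindings)` re-walk and re-stamp every role and binding accumulated so far on each `addControllerRole` call, so registering N controllers does O(N²) label writes and the label becomes a property of the package-level slices rather than of the object being added. Stamp only the element just appended: `addClusterRoleLabel(controllerRoles[len(controllerRoles)-1:])` and `addClusterRoleBindingLabel(controllerRoleBindings[len(controllerRoleBindings)-1:])`. Any other code path that appends to these slices would bypass labeling entirely; I cannot see from this hunk whether one exists, so a comment on the slice declarations stating that `addControllerRole` is the only sanctioned writer would make the invariant explicit. `addControllerRole` begins before this hunk.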
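Review bot: In `TestControllerRoleLabel` the `role := roles[i]` / `rolebinding := rolebindings[i]` copies exist only so that `&role` can be passed to `meta.Accessor`, but `roles[i]` is already addressable, so `accessor, err := meta.Accessor(&roles[i])` (and likewise `&rolebindings[i]`) does the same with less copying of fairly large structs. The `t.Errorf` calls print maps with `%s`; `%v` is the conventional verb for a `map[string]string` and survives a future change of value type. Both loops also assert the full map with `reflect.DeepEqual`, which deliberately rejects any extra label — worth a one-line comment such as `// exact match: bootstrap objects must carry Label and nothing else`, since that is a stronger contract than "has the bootstrap label".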
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index 259a32bd986..2d1b01704cd 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -25,6 +25,8 @@ import ( var ( ReadWrite = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"} Read = []string{"get", "list", "watch"} + + Label = map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"} ) const ( @@ -41,9 +43,33 @@ const ( storageGroup = "storage.k8s.io" ) +func addClusterRoleLabel(roles []rbac.ClusterRole) { + for i := range roles { + if roles[i].ObjectMeta.Labels == nil { + roles[i].ObjectMeta.Labels = make(map[string]string) + } + for k, v := range Label { + roles[i].ObjectMeta.Labels[k] = v + } + } + return +} + +func addClusterRoleBindingLabel(rolebindings []rbac.ClusterRoleBinding) { + for i := range rolebindings { + if rolebindings[i].ObjectMeta.Labels == nil { + rolebindings[i].ObjectMeta.Labels = make(map[string]string) + } + for k, v := range Label { + rolebindings[i].ObjectMeta.Labels[k] = v + } + } + return +} + // ClusterRoles returns the cluster roles to bootstrap an API server with func ClusterRoles() []rbac.ClusterRole { - return []rbac.ClusterRole{ + roles := []rbac.ClusterRole{ { // a "root" role which can do absolutely anything ObjectMeta: api.ObjectMeta{Name: "cluster-admin"}, 
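Review bot: `Label` is an exported, mutable package-level map with no doc comment; any importer or test that writes to it changes what every later `ClusterRoles()`/`ClusterRoleBindings()` call stamps, and Go gives no compile-time protection against that for a map. At minimum document the intent: `// Label is stamped on every bootstrap ClusterRole and ClusterRoleBinding so the defaults can be selected apart from user-created objects; treat it as read-only.` If nothing outside this package needs to mutate it, consider making the variable unexported and exposing a fresh copy through a function instead. I cannot see from here whether other packages already reference `bootstrappolicy.Label`, so check callers before renaming.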
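Review bot: `addClusterRoleLabel` and `addClusterRoleBindingLabel` are the same function written twice, each ending in a bare `return` that does nothing, and neither is documented. Both element types embed `api.ObjectMeta`, so the per-object work can live in one helper taking `*api.ObjectMeta` and the two slice walkers shrink to a single line each. Both helpers also silently overwrite any existing `kubernetes.io/bootstrapping` value, which is the right behaviour for bootstrap data but deserves a comment so the next reader does not "fix" it. `ClusterRoles` continues past the end of this hunk.
```go
// addBootstrapLabel stamps Label onto meta, creating the label map if
// needed. Existing values for the same keys are intentionally overwritten:
// bootstrap objects are owned by this package, not by whatever built them.
func addBootstrapLabel(meta *api.ObjectMeta) {
	if meta.Labels == nil {
		meta.Labels = make(map[string]string, len(Label))
	}
	for k, v := range Label {
		meta.Labels[k] = v
	}
}

// addClusterRoleLabel applies Label to every role in place.
func addClusterRoleLabel(roles []rbac.ClusterRole) {
	for i := range roles {
		addBootstrapLabel(&roles[i].ObjectMeta)
	}
}

// addClusterRoleBindingLabel applies Label to every binding in place.
func addClusterRoleBindingLabel(rolebindings []rbac.ClusterRoleBinding) {
	for i := range rolebindings {
		addBootstrapLabel(&rolebindings[i].ObjectMeta)
	}
}
// … unchanged: ClusterRoles …
```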
@@ -204,15 +230,19 @@ func ClusterRoles() []rbac.ClusterRole { }, }, } + addClusterRoleLabel(roles) + return roles } // ClusterRoleBindings return default rolebindings to the default roles func ClusterRoleBindings() []rbac.ClusterRoleBinding { - return []rbac.ClusterRoleBinding{ + rolebindings := []rbac.ClusterRoleBinding{ rbac.NewClusterBinding("cluster-admin").Groups(user.SystemPrivilegedGroup).BindingOrDie(), rbac.NewClusterBinding("system:discovery").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(), rbac.NewClusterBinding("system:basic-user").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(), rbac.NewClusterBinding("system:node").Groups(user.NodesGroup).BindingOrDie(), rbac.NewClusterBinding("system:node-proxier").Groups(user.NodesGroup).BindingOrDie(), } + addClusterRoleBindingLabel(rolebindings) + return rolebindings } diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go index 2de4bf8fca6..5d0ddd579b8 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go @@ -20,12 +20,14 @@ import ( "io/ioutil" "os" "path/filepath" + "reflect" "testing" "github.com/ghodss/yaml" "k8s.io/kubernetes/pkg/api" _ "k8s.io/kubernetes/pkg/api/install" + "k8s.io/kubernetes/pkg/api/meta" "k8s.io/kubernetes/pkg/api/v1" rbac "k8s.io/kubernetes/pkg/apis/rbac" _ "k8s.io/kubernetes/pkg/apis/rbac/install" 
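Review bot: The doc comment on `ClusterRoleBindings` still reads "return default rolebindings to the default roles", and neither it nor the `ClusterRoles` comment mentions that every returned object now carries the bootstrap label, which is the only place a caller would learn that before reading the body. I'd write `// ClusterRoleBindings returns the default bindings to the default roles; each carries Label in its metadata.` and make the matching addition to the `ClusterRoles` comment. `ClusterRoles` begins before this hunk.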
@@ -233,3 +235,29 @@ func testObjects(t *testing.T, list *api.List, fixtureFilename string) {
}
}
}
+
+func TestClusterRoleLabel(t *testing.T) {
+ roles := bootstrappolicy.ClusterRoles()
+ for i := range roles {
+ role := roles[i]
+ accessor, err := meta.Accessor(&role)
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if got, want := accessor.GetLabels(), map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}; !reflect.DeepEqual(got, want) {
+ t.Errorf("ClusterRole: %s GetLabels() = %s, want %s", accessor.GetName(), got, want)
+ }
+ }
+
+ rolebindings := bootstrappolicy.ClusterRoleBindings()
+ for i := range rolebindings {
+ rolebinding := rolebindings[i]
+ accessor, err := meta.Accessor(&rolebinding)
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if got, want := accessor.GetLabels(), map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}; !reflect.DeepEqual(got, want) {
+ t.Errorf("ClusterRoleBinding: %s GetLabels() = %s, want %s", accessor.GetName(), got, want)
+ }
+ }
+}
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 2cebcba747d..5562da1371d 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -4,6 +4,8 @@ items:
kind: ClusterRole
metadata:
creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
name: admin
rules: - apiGroups:
@@ -170,6 +172,8 @@ items:
kind: ClusterRole
metadata:
creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
rules: - apiGroups:
@@ -188,6 +192,8 @@ items:
kind: ClusterRole
metadata:
creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
name: edit
rules: - apiGroups:
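Review bot: `TestClusterRoleLabel` asserts the complete label map with `reflect.DeepEqual`, so it fails if a bootstrap object ever gains a second label; that is a useful, stricter guarantee than "carries the bootstrap label" but nothing says it is intentional. Add a comment above the first `if got, want := ...` such as `// exact match: bootstrap objects must carry the bootstrapping label and nothing else`. The `t.Errorf` calls format maps with `%s`; `%v` is the conventional verb and keeps working if the value type changes. The `role := roles[i]` copy before `&role` is unnecessary since `roles[i]` is addressable — `meta.Accessor(&roles[i])` reads more directly.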
@@ -332,6 +338,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:auth-delegator rules: - apiGroups: @@ -352,6 +360,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:basic-user rules: - apiGroups: @@ -365,6 +375,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:discovery rules: - attributeRestrictions: null @@ -380,6 +392,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:node rules: - apiGroups: @@ -484,6 +498,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:node-proxier rules: - apiGroups: @@ -499,6 +515,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: view rules: - apiGroups: diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml index 45bf22c2148..12f56683e64 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml @@ -4,6 +4,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:attachdetach-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -17,6 +19,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:cronjob-controller roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -30,6 +34,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:daemon-set-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -43,6 +49,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:deployment-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -56,6 +64,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:disruption-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -69,6 +79,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:endpoint-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -82,6 +94,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:horizontal-pod-autoscaler roleRef: apiGroup: rbac.authorization.k8s.io @@ -95,6 +109,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:job-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -108,6 +124,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:namespace-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -121,6 +139,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:persistent-volume-binder roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -134,6 +154,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:pod-garbage-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -147,6 +169,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:replicaset-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -160,6 +184,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:replication-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -173,6 +199,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:service-controller roleRef: apiGroup: rbac.authorization.k8s.io @@ -186,6 +214,8 @@ items: kind: ClusterRoleBinding metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:statefulset-controller roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml index 5cc27b5ed81..735509e9333 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml @@ -4,6 +4,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:attachdetach-controller rules: - apiGroups: @@ -53,6 +55,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:cronjob-controller rules: - apiGroups: 
@@ -96,6 +100,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:daemon-set-controller rules: - apiGroups: @@ -152,6 +158,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:deployment-controller rules: - apiGroups: @@ -206,6 +214,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:disruption-controller rules: - apiGroups: @@ -252,6 +262,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:endpoint-controller rules: - apiGroups: @@ -295,6 +307,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:horizontal-pod-autoscaler rules: - apiGroups: @@ -361,6 +375,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:job-controller rules: - apiGroups: @@ -405,6 +421,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:namespace-controller rules: - apiGroups: @@ -439,6 +457,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:persistent-volume-binder rules: - apiGroups: @@ -527,6 +547,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:pod-garbage-controller rules: - apiGroups: @@ -542,6 +564,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:replicaset-controller rules: - apiGroups: 
@@ -584,6 +608,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:replication-controller rules: - apiGroups: @@ -626,6 +652,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:service-controller rules: - apiGroups: @@ -665,6 +693,8 @@ items: kind: ClusterRole metadata: creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults name: system:controller:statefulset-controller rules: - apiGroups: