From 349d95e3be14531841e1110387593802493271b4 Mon Sep 17 00:00:00 2001 From: Kazuki Suda Date: Fri, 2 Mar 2018 11:32:03 +0900 Subject: [PATCH 1/2] Indicate clusterrolebinding, rolebinding subjects are optional fields --- api/openapi-spec/swagger.json | 6 ------ api/swagger-spec/rbac.authorization.k8s.io_v1.json | 2 -- api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json | 2 -- api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json | 2 -- .../rbac.authorization.k8s.io/v1/definitions.html | 4 ++-- .../rbac.authorization.k8s.io/v1alpha1/definitions.html | 4 ++-- .../rbac.authorization.k8s.io/v1beta1/definitions.html | 4 ++-- staging/src/k8s.io/api/rbac/v1/generated.proto | 2 ++ staging/src/k8s.io/api/rbac/v1/types.go | 6 ++++-- staging/src/k8s.io/api/rbac/v1alpha1/generated.proto | 2 ++ staging/src/k8s.io/api/rbac/v1alpha1/types.go | 6 ++++-- staging/src/k8s.io/api/rbac/v1beta1/generated.proto | 2 ++ staging/src/k8s.io/api/rbac/v1beta1/types.go | 6 ++++-- 13 files changed, 24 insertions(+), 24 deletions(-) diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index aab1117f9b1..ae65cf858b2 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -82143,7 +82143,6 @@ "io.k8s.api.rbac.v1.ClusterRoleBinding": { "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -82327,7 +82326,6 @@ "io.k8s.api.rbac.v1.RoleBinding": { "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -82531,7 +82529,6 @@ "io.k8s.api.rbac.v1alpha1.ClusterRoleBinding": { "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -82715,7 +82712,6 @@ "io.k8s.api.rbac.v1alpha1.RoleBinding": { "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -82919,7 +82915,6 @@ "io.k8s.api.rbac.v1beta1.ClusterRoleBinding": { "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -83103,7 +83098,6 @@ "io.k8s.api.rbac.v1beta1.RoleBinding": { "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1.json index b5fdb605d3d..e1f93d1e8a9 100644 --- a/api/swagger-spec/rbac.authorization.k8s.io_v1.json +++ b/api/swagger-spec/rbac.authorization.k8s.io_v1.json @@ -3351,7 +3351,6 @@ "id": "v1.ClusterRoleBinding", "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -3927,7 +3926,6 @@ "id": "v1.RoleBinding", "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json index bae9fa9faa2..73a4ab4f5a2 100644 --- a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json +++ b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json @@ -3351,7 +3351,6 @@ "id": "v1alpha1.ClusterRoleBinding", "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -3927,7 +3926,6 @@ "id": "v1alpha1.RoleBinding", "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json index c51d9e77c10..eb3bd1d1dad 100644 --- a/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json +++ b/api/swagger-spec/rbac.authorization.k8s.io_v1beta1.json @@ -3351,7 +3351,6 @@ "id": "v1beta1.ClusterRoleBinding", "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "required": [ - "subjects", "roleRef" ], "properties": { @@ -3927,7 +3926,6 @@ "id": "v1beta1.RoleBinding", "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "required": [ - "subjects", "roleRef" ], "properties": { diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html index 2972fea36b8..204669f59a6 100755 --- a/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html +++ b/docs/api-reference/rbac.authorization.k8s.io/v1/definitions.html @@ -502,7 +502,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1.Subject array

@@ -1443,7 +1443,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1.Subject array

diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html index 9a95c068557..8605a9c9537 100755 --- a/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html +++ b/docs/api-reference/rbac.authorization.k8s.io/v1alpha1/definitions.html @@ -924,7 +924,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1alpha1.Subject array

@@ -1791,7 +1791,7 @@ When an object is created, the system will populate this list with the current s

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1alpha1.Subject array

diff --git a/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html b/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html index 86664748e15..5007ef02fc6 100755 --- a/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html +++ b/docs/api-reference/rbac.authorization.k8s.io/v1beta1/definitions.html @@ -1196,7 +1196,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1beta1.Subject array

@@ -1930,7 +1930,7 @@ Examples:

subjects

Subjects holds references to the objects the role applies to.

-

true

+

false

v1beta1.Subject array

diff --git a/staging/src/k8s.io/api/rbac/v1/generated.proto b/staging/src/k8s.io/api/rbac/v1/generated.proto index 2f8d863df1d..f48b1e039e0 100644 --- a/staging/src/k8s.io/api/rbac/v1/generated.proto +++ b/staging/src/k8s.io/api/rbac/v1/generated.proto @@ -62,6 +62,7 @@ message ClusterRoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace. @@ -134,6 +135,7 @@ message RoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. diff --git a/staging/src/k8s.io/api/rbac/v1/types.go b/staging/src/k8s.io/api/rbac/v1/types.go index 91990548bc4..17163cbb269 100644 --- a/staging/src/k8s.io/api/rbac/v1/types.go +++ b/staging/src/k8s.io/api/rbac/v1/types.go @@ -124,7 +124,8 @@ type RoleBinding struct { metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Subjects holds references to the objects the role applies to. - Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"` + // +optional + Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"` // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. // If the RoleRef cannot be resolved, the Authorizer must return an error. @@ -199,7 +200,8 @@ type ClusterRoleBinding struct { metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Subjects holds references to the objects the role applies to. - Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"` + // +optional + Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"` // RoleRef can only reference a ClusterRole in the global namespace. // If the RoleRef cannot be resolved, the Authorizer must return an error. diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto index 41a193f55d0..5be16511099 100644 --- a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto +++ b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto @@ -61,6 +61,7 @@ message ClusterRoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace. @@ -134,6 +135,7 @@ message RoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/types.go b/staging/src/k8s.io/api/rbac/v1alpha1/types.go index 843d998ec9e..398d6a169cb 100644 --- a/staging/src/k8s.io/api/rbac/v1alpha1/types.go +++ b/staging/src/k8s.io/api/rbac/v1alpha1/types.go @@ -126,7 +126,8 @@ type RoleBinding struct { metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Subjects holds references to the objects the role applies to. - Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"` + // +optional + Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"` // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. // If the RoleRef cannot be resolved, the Authorizer must return an error. @@ -201,7 +202,8 @@ type ClusterRoleBinding struct { metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Subjects holds references to the objects the role applies to. - Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"` + // +optional + Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"` // RoleRef can only reference a ClusterRole in the global namespace. // If the RoleRef cannot be resolved, the Authorizer must return an error. diff --git a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto index aa9960b8ec4..5b5fa194baa 100644 --- a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto +++ b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto @@ -62,6 +62,7 @@ message ClusterRoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can only reference a ClusterRole in the global namespace. @@ -135,6 +136,7 @@ message RoleBinding { optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Subjects holds references to the objects the role applies to. + // +optional repeated Subject subjects = 2; // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. diff --git a/staging/src/k8s.io/api/rbac/v1beta1/types.go b/staging/src/k8s.io/api/rbac/v1beta1/types.go index 091fc1dc95f..857b67a6f84 100644 --- a/staging/src/k8s.io/api/rbac/v1beta1/types.go +++ b/staging/src/k8s.io/api/rbac/v1beta1/types.go @@ -125,7 +125,8 @@ type RoleBinding struct { metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Subjects holds references to the objects the role applies to. - Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"` + // +optional + Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"` // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. // If the RoleRef cannot be resolved, the Authorizer must return an error. @@ -199,7 +200,8 @@ type ClusterRoleBinding struct { metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` // Subjects holds references to the objects the role applies to. - Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"` + // +optional + Subjects []Subject `json:"subjects,omitempty" protobuf:"bytes,2,rep,name=subjects"` // RoleRef can only reference a ClusterRole in the global namespace. // If the RoleRef cannot be resolved, the Authorizer must return an error. From 0b96762f1b6a263d6e83405a64e46d8377dd1a7c Mon Sep 17 00:00:00 2001 From: Kazuki Suda Date: Sat, 3 Mar 2018 12:56:10 +0900 Subject: [PATCH 2/2] Update bootstrap policy fixture data --- .../rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml index 55a88317272..ab116df5fe1 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml @@ -138,7 +138,6 @@ items: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:node - subjects: null - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: