github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 13:37:30 +00:00
Code Issues Projects Releases Wiki Activity

Avoid copying aggregated admin/edit/view roles during bootstrap

Browse Source
This commit is contained in:
Jordan Liggitt 2018-05-13 15:07:38 -04:00
parent b617748f7b
commit a674335ccc
No known key found for this signature in database
GPG Key ID: 39928704103C7229
3 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/registry/rbac/reconciliation/reconcile_role.go
View File

@ -214,6 +214,11 @@ func computeReconciledRole(existing, expected RuleOwner, removeExtraPermissions
_, result.MissingAggregationRuleSelectors = aggregationRuleCovers(existing.GetAggregationRule(), expected.GetAggregationRule()) _, result.MissingAggregationRuleSelectors = aggregationRuleCovers(existing.GetAggregationRule(), expected.GetAggregationRule())
switch { switch {
case expected.GetAggregationRule() == nil && existing.GetAggregationRule() != nil:
// we didn't expect this to be an aggregated role at all, remove the existing aggregation
result.Role.SetAggregationRule(nil)
result.Operation = ReconcileUpdate
case !removeExtraPermissions && len(result.MissingAggregationRuleSelectors) > 0: case !removeExtraPermissions && len(result.MissingAggregationRuleSelectors) > 0:
// add missing rules in the union case // add missing rules in the union case
aggregationRule := result.Role.GetAggregationRule() aggregationRule := result.Role.GetAggregationRule()

26
pkg/registry/rbac/reconciliation/reconcile_role_test.go
View File

@ -350,6 +350,32 @@ func TestComputeReconciledRoleAggregationRules(t *testing.T) {
expectedReconciledRole: aggregatedRole(aggregationrule([]map[string]string{{"alpha": "bravo"}, {"foo": "bar"}})), expectedReconciledRole: aggregatedRole(aggregationrule([]map[string]string{{"alpha": "bravo"}, {"foo": "bar"}})),
expectedReconciliationNeeded: true, expectedReconciliationNeeded: true,
}, },
"unexpected aggregation": {
// desired role is not aggregated
expectedRole: role(rules("pods", "nodes", "secrets"), nil, nil),
// existing role is aggregated
actualRole: aggregatedRole(aggregationrule([]map[string]string{{"alpha": "bravo"}})),
removeExtraPermissions: false,
// reconciled role should have desired permissions and not be aggregated
expectedReconciledRole: role(rules("pods", "nodes", "secrets"), nil, nil),
expectedReconciliationNeeded: true,
},
"unexpected aggregation with differing permissions": {
// desired role is not aggregated
expectedRole: role(rules("pods", "nodes", "secrets"), nil, nil),
// existing role is aggregated and has other permissions
actualRole: func() *rbac.ClusterRole {
r := aggregatedRole(aggregationrule([]map[string]string{{"alpha": "bravo"}}))
r.Rules = rules("deployments")
return r
}(),
removeExtraPermissions: false,
// reconciled role should have aggregation removed, preserve differing permissions, and include desired permissions
expectedReconciledRole: role(rules("deployments", "pods", "nodes", "secrets"), nil, nil),
expectedReconciliationNeeded: true,
},
} }
for k, tc := range tests { for k, tc := range tests {

4
pkg/registry/rbac/rest/storage_rbac.go
View File

@ -320,6 +320,10 @@ func primeAggregatedClusterRoles(clusterRolesToAggregate map[string]string, clus
if err != nil { if err != nil {
return err return err
} }
if existingRole.AggregationRule != nil {
// the old role already moved to an aggregated role, so there are no custom rules to migrate at this point
return nil
}
glog.V(1).Infof("migrating %v to %v", existingRole.Name, newName) glog.V(1).Infof("migrating %v to %v", existingRole.Name, newName)
existingRole.Name = newName existingRole.Name = newName
existingRole.ResourceVersion = "" // clear this so the object can be created. existingRole.ResourceVersion = "" // clear this so the object can be created.