Merge pull request #31543 from deads2k/rbac-06-change-role-ref

Automatic merge from submit-queue

Change rbac roleref to reflect the information we want

@liggitt @ericchiang This is a version of https://github.com/kubernetes/kubernetes/pull/31359 which updates the `RoleRef` to be (I think) the type that we want, with a group, kind, and name.

This is **not** backwards compatible with any existing data.  I'm ok with doing this since rbac was considered alpha, but it's something to consider.

If we want this instead, I'll close the previous pull (or update it with this content).
This commit is contained in:
Kubernetes Submit Queue 2016-09-12 02:01:49 -07:00 committed by GitHub
commit ae839ffc44
20 changed files with 2186 additions and 1468 deletions


@ -2713,7 +2713,7 @@
"description": "Subjects holds references to the objects the role applies to."
},
"roleRef": {
"$ref": "v1.ObjectReference",
"$ref": "v1alpha1.RoleRef",
"description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error."
}
}
@ -2852,37 +2852,26 @@
}
}
},
"v1.ObjectReference": {
"id": "v1.ObjectReference",
"description": "ObjectReference contains enough information to let you inspect or modify the referred object.",
"v1alpha1.RoleRef": {
"id": "v1alpha1.RoleRef",
"description": "RoleRef contains information that points to the role being used",
"required": [
"apiGroup",
"kind",
"name"
],
"properties": {
"apiGroup": {
"type": "string",
"description": "APIGroup is the group for the resource being referenced"
},
"kind": {
"type": "string",
"description": "Kind of the referent. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds"
},
"namespace": {
"type": "string",
"description": "Namespace of the referent. More info: http://releases.k8s.io/HEAD/docs/user-guide/namespaces.md"
"description": "Kind is the type of resource being referenced"
},
"name": {
"type": "string",
"description": "Name of the referent. More info: http://releases.k8s.io/HEAD/docs/user-guide/identifiers.md#names"
},
"uid": {
"type": "string",
"description": "UID of the referent. More info: http://releases.k8s.io/HEAD/docs/user-guide/identifiers.md#uids"
},
"apiVersion": {
"type": "string",
"description": "API version of the referent."
},
"resourceVersion": {
"type": "string",
"description": "Specific resourceVersion to which this reference is made, if any. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#concurrency-control-and-consistency"
},
"fieldPath": {
"type": "string",
"description": "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object."
"description": "Name is the name of resource being referenced"
}
}
},
@ -3183,7 +3172,7 @@
"description": "Subjects holds references to the objects the role applies to."
},
"roleRef": {
"$ref": "v1.ObjectReference",
"$ref": "v1alpha1.RoleRef",
"description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error."
}
}


@ -30,6 +30,7 @@ import (
"k8s.io/kubernetes/pkg/apis/autoscaling"
"k8s.io/kubernetes/pkg/apis/batch"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/fields"
"k8s.io/kubernetes/pkg/labels"
"k8s.io/kubernetes/pkg/runtime"
@ -498,6 +499,14 @@ func FuzzerFor(t *testing.T, version unversioned.GroupVersion, src rand.Source)
}
}
},
func(r *rbac.RoleRef, c fuzz.Continue) {
c.FuzzNoCustom(r) // fuzz self without calling this function again
// match defaulter
if len(r.APIGroup) == 0 {
r.APIGroup = rbac.GroupName
}
},
func(r *runtime.RawExtension, c fuzz.Continue) {
// Pick an arbitrary type and fuzz it
types := []runtime.Object{&api.Pod{}, &extensions.Deployment{}, &api.Service{}}

25
pkg/apis/rbac/helpers.go Normal file

@ -0,0 +1,25 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package rbac
import (
"k8s.io/kubernetes/pkg/api/unversioned"
)
func RoleRefGroupKind(roleRef RoleRef) unversioned.GroupKind {
return unversioned.GroupKind{Group: roleRef.APIGroup, Kind: roleRef.Kind}
}
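Review bot: `RoleRefGroupKind` is exported but carries no doc comment, while the exported types in this package are documented. I would add `// RoleRefGroupKind returns the unversioned.GroupKind a RoleRef points at, built from its APIGroup and Kind.` above it. Note also that the APIGroup defaulting introduced by this change lives in the v1alpha1 package, not here, so a RoleRef constructed directly against the internal type (as far as this diff shows, nothing defaults it) yields a GroupKind with an empty Group; callers that compare the result against the rbac group should be written with that in mind, and the comment could say so.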


@ -80,6 +80,16 @@ type Subject struct {
Namespace string
}
// RoleRef contains information that points to the role being used
type RoleRef struct {
// APIGroup is the group for the resource being referenced
APIGroup string
// Kind is the type of resource being referenced
Kind string
// Name is the name of resource being referenced
Name string
}
// +genclient=true
// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
@ -106,7 +116,7 @@ type RoleBinding struct {
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
RoleRef api.ObjectReference
RoleRef RoleRef
}
// RoleBindingList is a collection of RoleBindings
@ -157,7 +167,7 @@ type ClusterRoleBinding struct {
// RoleRef can only reference a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
RoleRef api.ObjectReference
RoleRef RoleRef
}
// ClusterRoleBindingList is a collection of ClusterRoleBindings
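Review bot: The field comments on the new `RoleRef` (`Kind is the type of resource being referenced`) do not say which values are acceptable, even though the binding comments below state that only a Role in the binding's namespace or a ClusterRole may be referenced. The `Subject` type in this API already enumerates its allowed kinds and asks the Authorizer to error on unknown ones, and `RoleRef.Kind` deserves the same treatment: `// Kind is the type of resource being referenced. Valid values are "Role" and "ClusterRole"; an unrecognized kind must cause the Authorizer to return an error.` `APIGroup` likewise should say that only the rbac group is meaningful, because the resolver hunk further down switches on Kind alone and nothing in this diff rejects a foreign group, so unless validation elsewhere restricts it the field is purely informational. Dropping the old Namespace field is what turns "a Role in the current namespace" from a runtime check into a structural guarantee; a sentence on `RoleBinding.RoleRef` saying so would stop someone from re-adding one later.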


@ -0,0 +1,36 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
"k8s.io/kubernetes/pkg/runtime"
)
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return scheme.AddDefaultingFuncs(
func(obj *ClusterRoleBinding) {
if len(obj.RoleRef.APIGroup) == 0 {
obj.RoleRef.APIGroup = GroupName
}
},
func(obj *RoleBinding) {
if len(obj.RoleRef.APIGroup) == 0 {
obj.RoleRef.APIGroup = GroupName
}
},
)
}
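Review bot: `Kind` and `Name` receive no default here, so a binding submitted with an empty kind relies entirely on validation or on the resolver's error path to fail closed, and nothing in this diff shows that check. The defaulter also makes `apiGroup` optional on the wire while the generated swagger in this same change lists it as required, which gives clients conflicting signals; if the required list is derived from the JSON tag, either accept that it is "required after defaulting" and say so, or relax the tag. I would state the contract on each closure: `// An empty APIGroup means the rbac group; Kind and Name are never defaulted and must be validated.` The two closures are identical apart from the receiver, so a shared `setDefaults_RoleRef(ref *RoleRef)` helper would keep them from drifting.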


@ -34,6 +34,7 @@ limitations under the License.
RoleBinding
RoleBindingList
RoleList
RoleRef
Subject
*/
package v1alpha1
@ -92,9 +93,13 @@ func (m *RoleList) Reset() { *m = RoleList{} }
func (*RoleList) ProtoMessage() {}
func (*RoleList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
func (m *RoleRef) Reset() { *m = RoleRef{} }
func (*RoleRef) ProtoMessage() {}
func (*RoleRef) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
func (m *Subject) Reset() { *m = Subject{} }
func (*Subject) ProtoMessage() {}
func (*Subject) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
func (*Subject) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
func init() {
proto.RegisterType((*ClusterRole)(nil), "k8s.io.kubernetes.pkg.apis.rbac.v1alpha1.ClusterRole")
@ -106,6 +111,7 @@ func init() {
proto.RegisterType((*RoleBinding)(nil), "k8s.io.kubernetes.pkg.apis.rbac.v1alpha1.RoleBinding")
proto.RegisterType((*RoleBindingList)(nil), "k8s.io.kubernetes.pkg.apis.rbac.v1alpha1.RoleBindingList")
proto.RegisterType((*RoleList)(nil), "k8s.io.kubernetes.pkg.apis.rbac.v1alpha1.RoleList")
proto.RegisterType((*RoleRef)(nil), "k8s.io.kubernetes.pkg.apis.rbac.v1alpha1.RoleRef")
proto.RegisterType((*Subject)(nil), "k8s.io.kubernetes.pkg.apis.rbac.v1alpha1.Subject")
}
func (m *ClusterRole) Marshal() (data []byte, err error) {
@ -529,6 +535,36 @@ func (m *RoleList) MarshalTo(data []byte) (int, error) {
return i, nil
}
func (m *RoleRef) Marshal() (data []byte, err error) {
size := m.Size()
data = make([]byte, size)
n, err := m.MarshalTo(data)
if err != nil {
return nil, err
}
return data[:n], nil
}
func (m *RoleRef) MarshalTo(data []byte) (int, error) {
var i int
_ = i
var l int
_ = l
data[i] = 0xa
i++
i = encodeVarintGenerated(data, i, uint64(len(m.APIGroup)))
i += copy(data[i:], m.APIGroup)
data[i] = 0x12
i++
i = encodeVarintGenerated(data, i, uint64(len(m.Kind)))
i += copy(data[i:], m.Kind)
data[i] = 0x1a
i++
i = encodeVarintGenerated(data, i, uint64(len(m.Name)))
i += copy(data[i:], m.Name)
return i, nil
}
func (m *Subject) Marshal() (data []byte, err error) {
size := m.Size()
data = make([]byte, size)
@ -744,6 +780,18 @@ func (m *RoleList) Size() (n int) {
return n
}
func (m *RoleRef) Size() (n int) {
var l int
_ = l
l = len(m.APIGroup)
n += 1 + l + sovGenerated(uint64(l))
l = len(m.Kind)
n += 1 + l + sovGenerated(uint64(l))
l = len(m.Name)
n += 1 + l + sovGenerated(uint64(l))
return n
}
func (m *Subject) Size() (n int) {
var l int
_ = l
@ -789,7 +837,7 @@ func (this *ClusterRoleBinding) String() string {
s := strings.Join([]string{`&ClusterRoleBinding{`,
`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_kubernetes_pkg_api_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
`Subjects:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subjects), "Subject", "Subject", 1), `&`, ``, 1) + `,`,
`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "ObjectReference", "k8s_io_kubernetes_pkg_api_v1.ObjectReference", 1), `&`, ``, 1) + `,`,
`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "RoleRef", "RoleRef", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
@ -849,7 +897,7 @@ func (this *RoleBinding) String() string {
s := strings.Join([]string{`&RoleBinding{`,
`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_kubernetes_pkg_api_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
`Subjects:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subjects), "Subject", "Subject", 1), `&`, ``, 1) + `,`,
`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "ObjectReference", "k8s_io_kubernetes_pkg_api_v1.ObjectReference", 1), `&`, ``, 1) + `,`,
`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "RoleRef", "RoleRef", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
@ -876,6 +924,18 @@ func (this *RoleList) String() string {
}, "")
return s
}
func (this *RoleRef) String() string {
if this == nil {
return "nil"
}
s := strings.Join([]string{`&RoleRef{`,
`APIGroup:` + fmt.Sprintf("%v", this.APIGroup) + `,`,
`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
`}`,
}, "")
return s
}
func (this *Subject) String() string {
if this == nil {
return "nil"
@ -2070,6 +2130,143 @@ func (m *RoleList) Unmarshal(data []byte) error {
}
return nil
}
func (m *RoleRef) Unmarshal(data []byte) error {
l := len(data)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
wire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: RoleRef: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: RoleRef: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field APIGroup", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.APIGroup = string(data[iNdEx:postIndex])
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.Kind = string(data[iNdEx:postIndex])
iNdEx = postIndex
case 3:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.Name = string(data[iNdEx:postIndex])
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(data[iNdEx:])
if err != nil {
return err
}
if skippy < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func (m *Subject) Unmarshal(data []byte) error {
l := len(data)
iNdEx := 0
@ -2342,54 +2539,55 @@ var (
)
var fileDescriptorGenerated = []byte{
// 775 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xec, 0x54, 0xc1, 0x4f, 0x13, 0x4f,
0x14, 0x66, 0x69, 0xfb, 0xa3, 0x3b, 0xfc, 0x9a, 0xca, 0x1a, 0x4c, 0xd3, 0x44, 0x20, 0x3d, 0x35,
0x22, 0xb3, 0x29, 0x91, 0xc8, 0x41, 0x0f, 0xac, 0x31, 0x86, 0x88, 0x48, 0x86, 0x48, 0x94, 0xc4,
0x98, 0xed, 0x76, 0x28, 0x6b, 0xdb, 0xdd, 0x66, 0x66, 0x16, 0xf5, 0x46, 0xfc, 0x0b, 0xfc, 0x1b,
0xbc, 0x79, 0xf5, 0x6a, 0xe2, 0xc1, 0x13, 0x07, 0x0f, 0x1c, 0x8d, 0x07, 0xa2, 0xf8, 0x8f, 0xf8,
0x66, 0x76, 0x97, 0xdd, 0xd2, 0x56, 0x2a, 0x89, 0x24, 0x26, 0x1e, 0x26, 0xb0, 0xef, 0x7d, 0xdf,
0xb7, 0xef, 0x7b, 0x3b, 0xfd, 0xd0, 0x72, 0x6b, 0x99, 0x63, 0xd7, 0x37, 0x5b, 0x41, 0x9d, 0x32,
0x8f, 0x0a, 0xca, 0xcd, 0x6e, 0xab, 0x69, 0xda, 0x5d, 0x97, 0x9b, 0xac, 0x6e, 0x3b, 0xe6, 0x5e,
0xcd, 0x6e, 0x77, 0x77, 0xed, 0x9a, 0xd9, 0xa4, 0x1e, 0x65, 0xb6, 0xa0, 0x0d, 0xdc, 0x65, 0xbe,
0xf0, 0x8d, 0x6a, 0xc8, 0xc4, 0x09, 0x13, 0x03, 0x13, 0x4b, 0x26, 0x96, 0x4c, 0x1c, 0x33, 0xcb,
0x0b, 0x4d, 0x57, 0xec, 0x06, 0x75, 0xec, 0xf8, 0x1d, 0xb3, 0xe9, 0x37, 0x7d, 0x53, 0x09, 0xd4,
0x83, 0x1d, 0xf5, 0xa4, 0x1e, 0xd4, 0x7f, 0xa1, 0x70, 0x79, 0x71, 0xe8, 0x48, 0x26, 0xa3, 0xdc,
0x0f, 0x98, 0x43, 0x4f, 0x0f, 0x53, 0x5e, 0x1a, 0xce, 0x09, 0xbc, 0x3d, 0xca, 0xb8, 0xeb, 0x7b,
0xb4, 0xd1, 0x47, 0xbb, 0x3e, 0x9c, 0xb6, 0xd7, 0xe7, 0xb8, 0xbc, 0x30, 0x18, 0xcd, 0x02, 0x4f,
0xb8, 0x9d, 0xfe, 0x99, 0x6a, 0x83, 0xe1, 0x81, 0x70, 0xdb, 0xa6, 0xeb, 0x09, 0x2e, 0xd8, 0x69,
0x4a, 0xe5, 0x93, 0x86, 0x26, 0xef, 0xb4, 0x03, 0x2e, 0x28, 0x23, 0x7e, 0x9b, 0x1a, 0x8f, 0x51,
0xbe, 0x43, 0x85, 0xdd, 0xb0, 0x85, 0x5d, 0xd2, 0xe6, 0xb4, 0xea, 0xe4, 0x62, 0x15, 0x0f, 0x5d,
0x3b, 0x2c, 0x1c, 0x3f, 0xac, 0x3f, 0xa7, 0x8e, 0x78, 0x00, 0x1c, 0xcb, 0x38, 0x38, 0x9a, 0x1d,
0x3b, 0x3e, 0x9a, 0x45, 0x49, 0x8d, 0x9c, 0xa8, 0x19, 0x4f, 0x50, 0x8e, 0x05, 0x6d, 0xca, 0x4b,
0xe3, 0x73, 0x19, 0x90, 0xbd, 0x81, 0x47, 0xfd, 0x9a, 0x78, 0xc3, 0x6f, 0xbb, 0xce, 0x2b, 0x02,
0x64, 0xab, 0x10, 0xbd, 0x22, 0x27, 0x9f, 0x38, 0x09, 0x15, 0x2b, 0xef, 0xc6, 0x91, 0x91, 0x32,
0x61, 0xb9, 0x5e, 0xc3, 0xf5, 0x9a, 0x7f, 0xd0, 0xcb, 0x33, 0x94, 0xe7, 0x81, 0x6a, 0xc4, 0x76,
0x6a, 0xa3, 0xdb, 0xd9, 0x0c, 0x99, 0xd6, 0xa5, 0xe8, 0x15, 0xf9, 0xa8, 0xc0, 0xc9, 0x89, 0x28,
0x8c, 0x3e, 0xc1, 0xc0, 0x09, 0xa1, 0x3b, 0xa5, 0x8c, 0x9a, 0x7c, 0x61, 0x94, 0xc9, 0x01, 0x4e,
0x19, 0xf5, 0x1c, 0x6a, 0x15, 0x23, 0xed, 0x09, 0x12, 0xaa, 0x90, 0x58, 0xae, 0xf2, 0x55, 0x43,
0x57, 0xfa, 0x77, 0xb5, 0xe6, 0x72, 0x61, 0x3c, 0xed, 0xdb, 0x97, 0xf9, 0x8b, 0xb7, 0xa6, 0x6e,
0x39, 0x96, 0x74, 0xb5, 0xb6, 0x13, 0x4f, 0x71, 0x25, 0xb5, 0x34, 0x1b, 0xe5, 0x5c, 0x41, 0x3b,
0xf1, 0xc6, 0x6e, 0x8d, 0xbe, 0xb1, 0xfe, 0x79, 0x93, 0x8b, 0xb0, 0x2a, 0x25, 0x49, 0xa8, 0x5c,
0xf9, 0xac, 0xa1, 0x62, 0x0a, 0x7c, 0x11, 0xae, 0xb6, 0x7b, 0x5d, 0x2d, 0x9d, 0xcf, 0xd5, 0x60,
0x3b, 0xaf, 0x33, 0x08, 0x25, 0x97, 0xdf, 0x98, 0x45, 0x39, 0x18, 0xae, 0xce, 0xc1, 0x46, 0xa6,
0xaa, 0x5b, 0xba, 0xc4, 0x6f, 0xc9, 0x02, 0x09, 0xeb, 0xc6, 0xbe, 0x86, 0xa6, 0x6d, 0x21, 0x98,
0x5b, 0x0f, 0x04, 0x7c, 0x6c, 0xf8, 0xbd, 0xbb, 0x8e, 0x00, 0x2f, 0x72, 0x38, 0x69, 0x7c, 0x7e,
0xc8, 0x70, 0x51, 0x9e, 0x60, 0x62, 0xbf, 0xb8, 0xfb, 0x52, 0x50, 0x4f, 0xfa, 0xb7, 0xae, 0x46,
0x23, 0x4d, 0xaf, 0x0c, 0x52, 0x24, 0x83, 0x5f, 0x64, 0xcc, 0x23, 0x1d, 0xac, 0xde, 0x63, 0x7e,
0xd0, 0xe5, 0x70, 0x75, 0xe5, 0x9c, 0x05, 0x10, 0xd1, 0x57, 0x36, 0x56, 0xc3, 0x22, 0x49, 0xfa,
0x12, 0x1c, 0xe7, 0x2b, 0x2f, 0x65, 0x13, 0x30, 0x89, 0x8b, 0x24, 0xe9, 0x1b, 0x37, 0x51, 0x21,
0x7e, 0x58, 0xb7, 0x3b, 0x40, 0xc8, 0x29, 0xc2, 0x14, 0x10, 0x0a, 0x24, 0xdd, 0x20, 0xbd, 0x38,
0xe3, 0x36, 0x2a, 0x7a, 0xbe, 0x17, 0x43, 0x1e, 0x91, 0x35, 0x5e, 0xfa, 0x4f, 0x51, 0x2f, 0x03,
0xb5, 0xb8, 0xde, 0xdb, 0x22, 0xa7, 0xb1, 0x95, 0x0f, 0x1a, 0xca, 0xfe, 0xbd, 0xd1, 0xf8, 0x76,
0x1c, 0x4d, 0xfe, 0xcb, 0xc4, 0x33, 0x32, 0x51, 0xc6, 0xc6, 0x05, 0x87, 0xe1, 0xf9, 0x63, 0xe3,
0xec, 0x14, 0xfc, 0xa8, 0xa1, 0xfc, 0x45, 0xc5, 0xdf, 0x66, 0xaf, 0x0f, 0xfc, 0x9b, 0x3e, 0x06,
0x1b, 0x78, 0xaf, 0xa1, 0x89, 0xe8, 0x02, 0x18, 0x73, 0x28, 0xdb, 0x02, 0xb7, 0x6a, 0x76, 0xdd,
0xfa, 0x3f, 0xc2, 0x67, 0xef, 0x43, 0x8d, 0xa8, 0x8e, 0xb1, 0x88, 0x10, 0xc8, 0x6f, 0x85, 0x73,
0xab, 0xa4, 0xd3, 0x93, 0xab, 0x0a, 0xb9, 0x13, 0x75, 0x48, 0x0a, 0x25, 0x55, 0x3d, 0x08, 0x07,
0x75, 0x91, 0x52, 0xaa, 0x32, 0x30, 0x88, 0xea, 0x18, 0x26, 0xd2, 0xe5, 0x5f, 0xde, 0xb5, 0x1d,
0x0a, 0xd9, 0x24, 0x61, 0x53, 0x11, 0x4c, 0x5f, 0x8f, 0x1b, 0x24, 0xc1, 0x58, 0xd7, 0x0e, 0xbe,
0xcf, 0x8c, 0x1d, 0xc2, 0xf9, 0x02, 0x67, 0xff, 0x78, 0x46, 0x3b, 0x80, 0x73, 0x08, 0xe7, 0x1b,
0x9c, 0x37, 0x3f, 0x66, 0xc6, 0xb6, 0xf3, 0xb1, 0xf7, 0x9f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xf2,
0x51, 0x62, 0x4c, 0x04, 0x0b, 0x00, 0x00,
// 800 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xec, 0x54, 0x41, 0x4f, 0x13, 0x4d,
0x18, 0x66, 0x69, 0xfb, 0xd1, 0x1d, 0xbe, 0xa6, 0x1f, 0xf3, 0x85, 0x2f, 0x4d, 0x93, 0x0f, 0x48,
0x4f, 0x8d, 0xc0, 0x6c, 0x4a, 0x24, 0x72, 0xd0, 0x03, 0x6b, 0x8c, 0x21, 0x22, 0x92, 0x21, 0x12,
0x25, 0x1a, 0xb3, 0x6d, 0x87, 0xb2, 0xb6, 0xdd, 0x6d, 0x76, 0x66, 0x51, 0xe3, 0x85, 0xf8, 0x0b,
0xfc, 0x15, 0xde, 0xbc, 0x78, 0x35, 0xf1, 0xe0, 0x89, 0x83, 0x07, 0x8e, 0xc6, 0x03, 0x51, 0xfc,
0x23, 0xbe, 0xb3, 0xbb, 0xd3, 0xdd, 0xd2, 0x56, 0x0a, 0x89, 0x24, 0x26, 0x1e, 0x26, 0xed, 0xbc,
0xef, 0xf3, 0xbc, 0xf3, 0x3e, 0xef, 0xce, 0x3c, 0x68, 0xa5, 0xb9, 0xc2, 0x89, 0xed, 0x1a, 0x4d,
0xbf, 0xca, 0x3c, 0x87, 0x09, 0xc6, 0x8d, 0x4e, 0xb3, 0x61, 0x58, 0x1d, 0x9b, 0x1b, 0x5e, 0xd5,
0xaa, 0x19, 0xfb, 0x15, 0xab, 0xd5, 0xd9, 0xb3, 0x2a, 0x46, 0x83, 0x39, 0xcc, 0xb3, 0x04, 0xab,
0x93, 0x8e, 0xe7, 0x0a, 0x17, 0x97, 0x43, 0x26, 0x89, 0x99, 0x04, 0x98, 0x44, 0x32, 0x89, 0x64,
0x12, 0xc5, 0x2c, 0x2e, 0x36, 0x6c, 0xb1, 0xe7, 0x57, 0x49, 0xcd, 0x6d, 0x1b, 0x0d, 0xb7, 0xe1,
0x1a, 0x41, 0x81, 0xaa, 0xbf, 0x1b, 0xec, 0x82, 0x4d, 0xf0, 0x2f, 0x2c, 0x5c, 0x5c, 0x1a, 0xda,
0x92, 0xe1, 0x31, 0xee, 0xfa, 0x5e, 0x8d, 0x9d, 0x6e, 0xa6, 0xb8, 0x3c, 0x9c, 0xe3, 0x3b, 0xfb,
0xcc, 0xe3, 0xb6, 0xeb, 0xb0, 0x7a, 0x1f, 0x6d, 0x61, 0x38, 0x6d, 0xbf, 0x4f, 0x71, 0x71, 0x71,
0x30, 0xda, 0xf3, 0x1d, 0x61, 0xb7, 0xfb, 0x7b, 0xaa, 0x0c, 0x86, 0xfb, 0xc2, 0x6e, 0x19, 0xb6,
0x23, 0xb8, 0xf0, 0x4e, 0x53, 0x4a, 0x1f, 0x35, 0x34, 0x79, 0xb3, 0xe5, 0x73, 0xc1, 0x3c, 0xea,
0xb6, 0x18, 0x7e, 0x80, 0xb2, 0x6d, 0x26, 0xac, 0xba, 0x25, 0xac, 0x82, 0x36, 0xa7, 0x95, 0x27,
0x97, 0xca, 0x64, 0xe8, 0xd8, 0x61, 0xe0, 0xe4, 0x5e, 0xf5, 0x29, 0xab, 0x89, 0xbb, 0xc0, 0x31,
0xf1, 0xe1, 0xf1, 0xec, 0xd8, 0xc9, 0xf1, 0x2c, 0x8a, 0x63, 0xb4, 0x5b, 0x0d, 0x3f, 0x44, 0x19,
0xcf, 0x6f, 0x31, 0x5e, 0x18, 0x9f, 0x4b, 0x41, 0xd9, 0xab, 0x64, 0xd4, 0xaf, 0x49, 0x36, 0xdd,
0x96, 0x5d, 0x7b, 0x41, 0x81, 0x6c, 0xe6, 0xa2, 0x23, 0x32, 0x72, 0xc7, 0x69, 0x58, 0xb1, 0xf4,
0x76, 0x1c, 0xe1, 0x84, 0x08, 0xd3, 0x76, 0xea, 0xb6, 0xd3, 0xf8, 0x85, 0x5a, 0x9e, 0xa0, 0x2c,
0xf7, 0x83, 0x84, 0x92, 0x53, 0x19, 0x5d, 0xce, 0x56, 0xc8, 0x34, 0xff, 0x89, 0x8e, 0xc8, 0x46,
0x01, 0x4e, 0xbb, 0x45, 0xf1, 0x23, 0x34, 0xe1, 0x81, 0x12, 0xca, 0x76, 0x0b, 0xa9, 0xa0, 0xf3,
0x73, 0xd4, 0xa7, 0x21, 0xd1, 0xcc, 0x47, 0xf5, 0x27, 0xa2, 0x00, 0x55, 0x25, 0x4b, 0x5f, 0x34,
0xf4, 0x5f, 0xff, 0xbc, 0xd6, 0x6d, 0x2e, 0xf0, 0xe3, 0xbe, 0x99, 0x19, 0x3f, 0x99, 0x59, 0xe2,
0xa6, 0x13, 0x49, 0x0f, 0x46, 0xd7, 0xd5, 0xa5, 0x22, 0x89, 0xc1, 0x59, 0x28, 0x63, 0x0b, 0xd6,
0x56, 0x53, 0xbb, 0x3e, 0xba, 0xaa, 0xfe, 0x7e, 0xe3, 0xcb, 0xb0, 0x26, 0x4b, 0xd2, 0xb0, 0x72,
0xe9, 0x93, 0x86, 0xf2, 0x09, 0xf0, 0x65, 0xa8, 0xda, 0xe9, 0x55, 0xb5, 0x7c, 0x31, 0x55, 0x83,
0xe5, 0xbc, 0x4a, 0x21, 0x14, 0x3f, 0x00, 0x3c, 0x8b, 0x32, 0xd0, 0x5c, 0x95, 0x83, 0x8c, 0x54,
0x59, 0x37, 0x75, 0x89, 0xdf, 0x96, 0x01, 0x1a, 0xc6, 0xf1, 0x81, 0x86, 0xa6, 0x2d, 0x21, 0x3c,
0xbb, 0xea, 0x0b, 0xf8, 0xd8, 0xf0, 0xe6, 0xed, 0x9a, 0x00, 0x2d, 0xb2, 0x39, 0x29, 0x7c, 0x7e,
0x48, 0x73, 0x91, 0xa7, 0x10, 0x6a, 0x3d, 0xbb, 0xf5, 0x5c, 0x30, 0x47, 0xea, 0x37, 0xff, 0x8f,
0x5a, 0x9a, 0x5e, 0x1d, 0x54, 0x91, 0x0e, 0x3e, 0x08, 0xcf, 0x23, 0x1d, 0xa4, 0xde, 0xf6, 0x5c,
0xbf, 0xc3, 0xe1, 0xfa, 0xca, 0x3e, 0x73, 0x50, 0x44, 0x5f, 0xdd, 0x5c, 0x0b, 0x83, 0x34, 0xce,
0x4b, 0xb0, 0xf2, 0x58, 0x5e, 0x48, 0xc7, 0x60, 0xaa, 0x82, 0x34, 0xce, 0xe3, 0x6b, 0x28, 0xa7,
0x36, 0x1b, 0x56, 0x1b, 0x08, 0x99, 0x80, 0x30, 0x05, 0x84, 0x1c, 0x4d, 0x26, 0x68, 0x2f, 0x0e,
0xdf, 0x40, 0x79, 0xc7, 0x75, 0x14, 0xe4, 0x3e, 0x5d, 0xe7, 0x85, 0xbf, 0x02, 0xea, 0xbf, 0x40,
0xcd, 0x6f, 0xf4, 0xa6, 0xe8, 0x69, 0x6c, 0xe9, 0xbd, 0x86, 0xd2, 0xbf, 0xaf, 0x3d, 0xbe, 0x19,
0x47, 0x93, 0x7f, 0x7c, 0x71, 0x04, 0x5f, 0x94, 0xd6, 0x71, 0xc9, 0x86, 0x78, 0x71, 0xeb, 0x38,
0xdb, 0x09, 0x3f, 0x68, 0x28, 0x7b, 0x59, 0x16, 0xb8, 0xd5, 0xab, 0x83, 0x9c, 0x53, 0xc7, 0x60,
0x01, 0x2f, 0x91, 0xfa, 0x46, 0x78, 0x01, 0x65, 0x95, 0x67, 0x04, 0xed, 0xeb, 0x71, 0x37, 0xca,
0x56, 0x68, 0x17, 0x81, 0xe7, 0x50, 0xba, 0x09, 0xa3, 0x09, 0x2c, 0x4f, 0x37, 0xff, 0x8e, 0x90,
0xe9, 0x3b, 0x10, 0xa3, 0x41, 0x46, 0x22, 0x1c, 0x70, 0x86, 0xe0, 0x16, 0x25, 0x10, 0xd2, 0x2d,
0x68, 0x90, 0x29, 0xbd, 0xd3, 0xd0, 0x44, 0x74, 0x03, 0xbb, 0xf5, 0xb4, 0xa1, 0xf5, 0x96, 0x10,
0x82, 0xd3, 0xb7, 0xc3, 0xa1, 0x45, 0xe7, 0x76, 0xdf, 0x0a, 0x74, 0x18, 0x65, 0x68, 0x02, 0x75,
0x76, 0x0f, 0xd8, 0x40, 0xba, 0xfc, 0xe5, 0x1d, 0xab, 0xc6, 0xc0, 0x1c, 0x25, 0x6c, 0x2a, 0x82,
0xe9, 0x1b, 0x2a, 0x41, 0x63, 0x8c, 0x79, 0xe5, 0xf0, 0xdb, 0xcc, 0xd8, 0x11, 0xac, 0xcf, 0xb0,
0x0e, 0x4e, 0x66, 0xb4, 0x43, 0x58, 0x47, 0xb0, 0xbe, 0xc2, 0x7a, 0xfd, 0x7d, 0x66, 0x6c, 0x27,
0xab, 0x06, 0xff, 0x23, 0x00, 0x00, 0xff, 0xff, 0x62, 0x32, 0x8a, 0x1f, 0x89, 0x0b, 0x00, 0x00,
}


@ -50,7 +50,7 @@ message ClusterRoleBinding {
// RoleRef can only reference a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 3;
optional RoleRef roleRef = 3;
}
// ClusterRoleBindingList is a collection of ClusterRoleBindings
@ -119,7 +119,7 @@ message RoleBinding {
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
optional k8s.io.kubernetes.pkg.api.v1.ObjectReference roleRef = 3;
optional RoleRef roleRef = 3;
}
// RoleBindingList is a collection of RoleBindings
@ -140,6 +140,18 @@ message RoleList {
repeated Role items = 2;
}
// RoleRef contains information that points to the role being used
message RoleRef {
// APIGroup is the group for the resource being referenced
optional string apiGroup = 1;
// Kind is the type of resource being referenced
optional string kind = 2;
// Name is the name of resource being referenced
optional string name = 3;
}
// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
// or a value for non-objects such as user and group names.
message Subject {


@ -19,16 +19,17 @@ package v1alpha1
import (
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/api/v1"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/runtime"
"k8s.io/kubernetes/pkg/watch/versioned"
)
const GroupName = "rbac.authorization.k8s.io"
// SchemeGroupVersion is group version used to register these objects
var SchemeGroupVersion = unversioned.GroupVersion{Group: rbac.GroupName, Version: "v1alpha1"}
var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: "v1alpha1"}
var (
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, addDefaultingFuncs)
AddToScheme = SchemeBuilder.AddToScheme
)
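Review bot: `const GroupName = "rbac.authorization.k8s.io"` repeats the string that `rbac.GroupName` already provides (the replaced SchemeGroupVersion line used it for the same purpose, and the rbac import appears to remain in this file). The new defaulter stamps this package's `GroupName` onto every RoleRef while the fuzzer stamps `rbac.GroupName` onto the internal type, so an edit to one constant and not the other would silently change which group stored bindings claim to reference and break round-tripping. `const GroupName = rbac.GroupName` keeps a single source of truth at no cost, assuming the internal constant holds the same string as it presumably does.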



@ -66,6 +66,16 @@ type Subject struct {
Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
}
// RoleRef contains information that points to the role being used
type RoleRef struct {
// APIGroup is the group for the resource being referenced
APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
// Kind is the type of resource being referenced
Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
// Name is the name of resource being referenced
Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
}
// +genclient=true
// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
@ -93,7 +103,7 @@ type RoleBinding struct {
// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
RoleRef v1.ObjectReference `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}
// RoleBindingList is a collection of RoleBindings
@ -144,7 +154,7 @@ type ClusterRoleBinding struct {
// RoleRef can only reference a ClusterRole in the global namespace.
// If the RoleRef cannot be resolved, the Authorizer must return an error.
RoleRef v1.ObjectReference `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
}
// ClusterRoleBindingList is a collection of ClusterRoleBindings
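Review bot: The protobuf tags on the new `RoleRef` (`bytes,1` apiGroup, `bytes,2` kind, `bytes,3` name) place a differently shaped message into the same field-3 slot of RoleBinding/ClusterRoleBinding that previously held a `v1.ObjectReference`. If ObjectReference's first three fields are kind, namespace and name as I recall, a binding stored in protobuf form before this change will not fail to decode: it parses cleanly with the old kind landing in `APIGroup` and the old namespace in `Kind`, and the remaining fields are skipped by the generated unmarshaller. The PR description says the change is not backwards compatible, but the failure is silent and encoding-dependent — JSON-stored bindings should keep resolving because the old `kind`/`name` keys map onto the new struct and the defaulter fills `apiGroup`, whereas protobuf-stored ones become unresolvable with no error at read time. I would add a comment on the type naming this, and a release note saying which storage encoding is affected and that such bindings must be recreated rather than expecting a decode error to surface them.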


@ -123,6 +123,17 @@ func (RoleList) SwaggerDoc() map[string]string {
return map_RoleList
}
var map_RoleRef = map[string]string{
"": "RoleRef contains information that points to the role being used",
"apiGroup": "APIGroup is the group for the resource being referenced",
"kind": "Kind is the type of resource being referenced",
"name": "Name is the name of resource being referenced",
}
func (RoleRef) SwaggerDoc() map[string]string {
return map_RoleRef
}
var map_Subject = map[string]string{
"": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
"kind": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",


@ -53,6 +53,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
Convert_rbac_RoleBindingList_To_v1alpha1_RoleBindingList,
Convert_v1alpha1_RoleList_To_rbac_RoleList,
Convert_rbac_RoleList_To_v1alpha1_RoleList,
Convert_v1alpha1_RoleRef_To_rbac_RoleRef,
Convert_rbac_RoleRef_To_v1alpha1_RoleRef,
Convert_v1alpha1_Subject_To_rbac_Subject,
Convert_rbac_Subject_To_v1alpha1_Subject,
)
@ -129,8 +131,7 @@ func autoConvert_v1alpha1_ClusterRoleBinding_To_rbac_ClusterRoleBinding(in *Clus
} else {
out.Subjects = nil
}
// TODO: Inefficient conversion - can we improve it?
if err := s.Convert(&in.RoleRef, &out.RoleRef, 0); err != nil {
if err := Convert_v1alpha1_RoleRef_To_rbac_RoleRef(&in.RoleRef, &out.RoleRef, s); err != nil {
return err
}
return nil
@ -159,8 +160,7 @@ func autoConvert_rbac_ClusterRoleBinding_To_v1alpha1_ClusterRoleBinding(in *rbac
} else {
out.Subjects = nil
}
// TODO: Inefficient conversion - can we improve it?
if err := s.Convert(&in.RoleRef, &out.RoleRef, 0); err != nil {
if err := Convert_rbac_RoleRef_To_v1alpha1_RoleRef(&in.RoleRef, &out.RoleRef, s); err != nil {
return err
}
return nil
@ -373,8 +373,7 @@ func autoConvert_v1alpha1_RoleBinding_To_rbac_RoleBinding(in *RoleBinding, out *
} else {
out.Subjects = nil
}
// TODO: Inefficient conversion - can we improve it?
if err := s.Convert(&in.RoleRef, &out.RoleRef, 0); err != nil {
if err := Convert_v1alpha1_RoleRef_To_rbac_RoleRef(&in.RoleRef, &out.RoleRef, s); err != nil {
return err
}
return nil
@ -403,8 +402,7 @@ func autoConvert_rbac_RoleBinding_To_v1alpha1_RoleBinding(in *rbac.RoleBinding,
} else {
out.Subjects = nil
}
// TODO: Inefficient conversion - can we improve it?
if err := s.Convert(&in.RoleRef, &out.RoleRef, 0); err != nil {
if err := Convert_rbac_RoleRef_To_v1alpha1_RoleRef(&in.RoleRef, &out.RoleRef, s); err != nil {
return err
}
return nil
@ -514,6 +512,28 @@ func Convert_rbac_RoleList_To_v1alpha1_RoleList(in *rbac.RoleList, out *RoleList
return autoConvert_rbac_RoleList_To_v1alpha1_RoleList(in, out, s)
}
func autoConvert_v1alpha1_RoleRef_To_rbac_RoleRef(in *RoleRef, out *rbac.RoleRef, s conversion.Scope) error {
out.APIGroup = in.APIGroup
out.Kind = in.Kind
out.Name = in.Name
return nil
}
func Convert_v1alpha1_RoleRef_To_rbac_RoleRef(in *RoleRef, out *rbac.RoleRef, s conversion.Scope) error {
return autoConvert_v1alpha1_RoleRef_To_rbac_RoleRef(in, out, s)
}
func autoConvert_rbac_RoleRef_To_v1alpha1_RoleRef(in *rbac.RoleRef, out *RoleRef, s conversion.Scope) error {
out.APIGroup = in.APIGroup
out.Kind = in.Kind
out.Name = in.Name
return nil
}
func Convert_rbac_RoleRef_To_v1alpha1_RoleRef(in *rbac.RoleRef, out *RoleRef, s conversion.Scope) error {
return autoConvert_rbac_RoleRef_To_v1alpha1_RoleRef(in, out, s)
}
func autoConvert_v1alpha1_Subject_To_rbac_Subject(in *Subject, out *rbac.Subject, s conversion.Scope) error {
out.Kind = in.Kind
out.APIVersion = in.APIVersion


@ -44,6 +44,7 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1alpha1_RoleBinding, InType: reflect.TypeOf(&RoleBinding{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1alpha1_RoleBindingList, InType: reflect.TypeOf(&RoleBindingList{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1alpha1_RoleList, InType: reflect.TypeOf(&RoleList{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1alpha1_RoleRef, InType: reflect.TypeOf(&RoleRef{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_v1alpha1_Subject, InType: reflect.TypeOf(&Subject{})},
)
}
@ -268,6 +269,17 @@ func DeepCopy_v1alpha1_RoleList(in interface{}, out interface{}, c *conversion.C
}
}
func DeepCopy_v1alpha1_RoleRef(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*RoleRef)
out := out.(*RoleRef)
out.APIGroup = in.APIGroup
out.Kind = in.Kind
out.Name = in.Name
return nil
}
}
func DeepCopy_v1alpha1_Subject(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*Subject)


@ -32,7 +32,7 @@ import (
type AuthorizationRuleResolver interface {
// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namepsace
// of the role binding, the empty string if a cluster role binding.
GetRoleReferenceRules(ctx api.Context, roleRef api.ObjectReference, namespace string) ([]rbac.PolicyRule, error)
GetRoleReferenceRules(ctx api.Context, roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error)
// GetEffectivePolicyRules returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of
// PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations
@ -101,31 +101,24 @@ type ClusterRoleBindingLister interface {
}
// GetRoleReferenceRules attempts resolve the RoleBinding or ClusterRoleBinding.
func (r *DefaultRuleResolver) GetRoleReferenceRules(ctx api.Context, roleRef api.ObjectReference, bindingNamespace string) ([]rbac.PolicyRule, error) {
switch roleRef.Kind {
case "Role":
// Roles can only be referenced by RoleBindings within the same namespace.
if len(bindingNamespace) == 0 {
return nil, fmt.Errorf("cluster role binding references role %q in namespace %q", roleRef.Name, roleRef.Namespace)
} else {
if bindingNamespace != roleRef.Namespace {
return nil, fmt.Errorf("role binding in namespace %q references role %q in namespace %q", bindingNamespace, roleRef.Name, roleRef.Namespace)
}
}
role, err := r.roleGetter.GetRole(api.WithNamespace(ctx, roleRef.Namespace), roleRef.Name)
func (r *DefaultRuleResolver) GetRoleReferenceRules(ctx api.Context, roleRef rbac.RoleRef, bindingNamespace string) ([]rbac.PolicyRule, error) {
switch kind := rbac.RoleRefGroupKind(roleRef); kind {
case rbac.Kind("Role"):
role, err := r.roleGetter.GetRole(api.WithNamespace(ctx, bindingNamespace), roleRef.Name)
if err != nil {
return nil, err
}
return role.Rules, nil
case "ClusterRole":
case rbac.Kind("ClusterRole"):
clusterRole, err := r.clusterRoleGetter.GetClusterRole(api.WithNamespace(ctx, ""), roleRef.Name)
if err != nil {
return nil, err
}
return clusterRole.Rules, nil
default:
return nil, fmt.Errorf("unsupported role reference kind: %q", roleRef.Kind)
return nil, fmt.Errorf("unsupported role reference kind: %q", kind)
}
}
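Review bot: The resolver no longer rejects a cluster-scoped binding that points at a namespaced Role: with RoleRef.Namespace gone, the `case rbac.Kind("Role")` branch of the new switch calls `GetRole(api.WithNamespace(ctx, bindingNamespace), roleRef.Name)` even when bindingNamespace is the empty string, whereas the removed code returned an error for that combination. ValidateClusterRoleBinding elsewhere in this PR only admits Kind ClusterRole, so freshly created objects cannot reach this path, but the resolver is the last line of defence for data that predates validation or is written through another path, and what the role getter does with an empty namespace is not visible here. I would keep the guard at the top of the Role case: `if len(bindingNamespace) == 0 { return nil, fmt.Errorf("cluster role binding references role %q", roleRef.Name) }`. A comment on the switch noting that a RoleRef whose APIGroup is not the rbac group falls through to the default error would also help, since that appears to be the only place the group is enforced at resolve time — assuming rbac.RoleRefGroupKind keys on the group as well as the kind.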


@ -96,7 +96,7 @@ func TestDefaultRuleResolver(t *testing.T) {
{Kind: rbac.UserKind, Name: "foobar"},
{Kind: rbac.GroupKind, Name: "group1"},
},
RoleRef: api.ObjectReference{Kind: "Role", Namespace: "namespace1", Name: "readthings"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "readthings"},
},
},
clusterRoleBindings: []rbac.ClusterRoleBinding{
@ -105,7 +105,7 @@ func TestDefaultRuleResolver(t *testing.T) {
{Kind: rbac.UserKind, Name: "admin"},
{Kind: rbac.GroupKind, Name: "admin"},
},
RoleRef: api.ObjectReference{Kind: "ClusterRole", Name: "cluster-admin"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "cluster-admin"},
},
},
}


@ -103,11 +103,17 @@ func ValidateRoleBinding(roleBinding *rbac.RoleBinding) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, validation.ValidateObjectMeta(&roleBinding.ObjectMeta, true, minimalNameRequirements, field.NewPath("metadata"))...)
// roleRef namespace is empty when referring to global policy.
if len(roleBinding.RoleRef.Namespace) > 0 {
for _, msg := range validation.ValidateNamespaceName(roleBinding.RoleRef.Namespace, false) {
allErrs = append(allErrs, field.Invalid(field.NewPath("roleRef", "namespace"), roleBinding.RoleRef.Namespace, msg))
}
// TODO allow multiple API groups. For now, restrict to one, but I can envision other experimental roles in other groups taking
// advantage of the binding infrastructure
if roleBinding.RoleRef.APIGroup != rbac.GroupName {
allErrs = append(allErrs, field.NotSupported(field.NewPath("roleRef", "apiGroup"), roleBinding.RoleRef.APIGroup, []string{rbac.GroupName}))
}
switch roleBinding.RoleRef.Kind {
case "Role", "ClusterRole":
default:
allErrs = append(allErrs, field.NotSupported(field.NewPath("roleRef", "kind"), roleBinding.RoleRef.Kind, []string{"Role", "ClusterRole"}))
}
if len(roleBinding.RoleRef.Name) == 0 {
@ -141,11 +147,17 @@ func ValidateClusterRoleBinding(roleBinding *rbac.ClusterRoleBinding) field.Erro
allErrs := field.ErrorList{}
allErrs = append(allErrs, validation.ValidateObjectMeta(&roleBinding.ObjectMeta, false, minimalNameRequirements, field.NewPath("metadata"))...)
// roleRef namespace is empty when referring to global policy.
if len(roleBinding.RoleRef.Namespace) > 0 {
for _, msg := range validation.ValidateNamespaceName(roleBinding.RoleRef.Namespace, false) {
allErrs = append(allErrs, field.Invalid(field.NewPath("roleRef", "namespace"), roleBinding.RoleRef.Namespace, msg))
}
// TODO allow multiple API groups. For now, restrict to one, but I can envision other experimental roles in other groups taking
// advantage of the binding infrastructure
if roleBinding.RoleRef.APIGroup != rbac.GroupName {
allErrs = append(allErrs, field.NotSupported(field.NewPath("roleRef", "apiGroup"), roleBinding.RoleRef.APIGroup, []string{rbac.GroupName}))
}
switch roleBinding.RoleRef.Kind {
case "ClusterRole":
default:
allErrs = append(allErrs, field.NotSupported(field.NewPath("roleRef", "kind"), roleBinding.RoleRef.Kind, []string{"ClusterRole"}))
}
if len(roleBinding.RoleRef.Name) == 0 {
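Review bot: The apiGroup and kind checks (including the TODO) are now duplicated verbatim between ValidateRoleBinding and ValidateClusterRoleBinding, differing only in the accepted kinds; a shared helper keeps the two from drifting when the TODO about multiple API groups is eventually resolved. Both functions continue past the hunk (the roleRef.name check starts on the last visible line), so the helper below covers only the group and kind checks and is called as `allErrs = append(allErrs, validateRoleRef(roleBinding.RoleRef, []string{"Role", "ClusterRole"}, field.NewPath("roleRef"))...)` in ValidateRoleBinding and with `[]string{"ClusterRole"}` in ValidateClusterRoleBinding. A doc comment on each function stating which kinds are permitted and why (a namespaced Role cannot be bound cluster-wide) would also be worth adding, since the old "roleRef namespace is empty when referring to global policy" comment was dropped without a replacement.
```go
// validateRoleRef checks the group and kind of a role reference. Only the rbac
// group is accepted for now (see the TODO about multiple groups); the caller
// supplies the kinds it permits, since a ClusterRoleBinding may not bind a
// namespaced Role. The name check stays with the caller.
func validateRoleRef(ref rbac.RoleRef, supportedKinds []string, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	if ref.APIGroup != rbac.GroupName {
		allErrs = append(allErrs, field.NotSupported(fldPath.Child("apiGroup"), ref.APIGroup, []string{rbac.GroupName}))
	}
	kindOK := false
	for _, kind := range supportedKinds {
		if ref.Kind == kind {
			kindOK = true
			break
		}
	}
	if !kindOK {
		allErrs = append(allErrs, field.NotSupported(fldPath.Child("kind"), ref.Kind, supportedKinds))
	}
	return allErrs
}
```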


@ -24,11 +24,126 @@ import (
"k8s.io/kubernetes/pkg/util/validation/field"
)
func TestValidateClusterRoleBinding(t *testing.T) {
errs := ValidateClusterRoleBinding(
&rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{
{Name: "validsaname", Namespace: "foo", Kind: rbac.ServiceAccountKind},
{Name: "valid@username", Kind: rbac.UserKind},
{Name: "valid@groupname", Kind: rbac.GroupKind},
},
},
)
if len(errs) != 0 {
t.Errorf("expected success: %v", errs)
}
errorCases := map[string]struct {
A rbac.ClusterRoleBinding
T field.ErrorType
F string
}{
"bad group": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: "rbac.GroupName", Kind: "ClusterRole", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.apiGroup",
},
"bad kind": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Type", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.kind",
},
"reference role": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.kind",
},
"zero-length name": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
},
T: field.ErrorTypeRequired,
F: "metadata.name",
},
"bad role": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole"},
},
T: field.ErrorTypeRequired,
F: "roleRef.name",
},
"bad subject kind": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{{Name: "subject"}},
},
T: field.ErrorTypeNotSupported,
F: "subjects[0].kind",
},
"bad subject name": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{{Namespace: "foo", Name: "subject:bad", Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeInvalid,
F: "subjects[0].name",
},
"missing SA namespace": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{{Name: "good", Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeRequired,
F: "subjects[0].namespace",
},
"missing subject name": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{{Namespace: "foo", Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeRequired,
F: "subjects[0].name",
},
}
for k, v := range errorCases {
errs := ValidateClusterRoleBinding(&v.A)
if len(errs) == 0 {
t.Errorf("expected failure %s for %v", k, v.A)
continue
}
for i := range errs {
if errs[i].Type != v.T {
t.Errorf("%s: expected errors to have type %s: %v", k, v.T, errs[i])
}
if errs[i].Field != v.F {
t.Errorf("%s: expected errors to have field %s: %v", k, v.F, errs[i])
}
}
}
}
func TestValidateRoleBinding(t *testing.T) {
errs := ValidateRoleBinding(
&rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{
{Name: "validsaname", Kind: rbac.ServiceAccountKind},
{Name: "valid@username", Kind: rbac.UserKind},
@ -45,10 +160,26 @@ func TestValidateRoleBinding(t *testing.T) {
T field.ErrorType
F string
}{
"bad group": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: "rbac.GroupName", Kind: "ClusterRole", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.apiGroup",
},
"bad kind": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Type", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.kind",
},
"zero-length namespace": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
},
T: field.ErrorTypeRequired,
F: "metadata.namespace",
@ -56,23 +187,15 @@ func TestValidateRoleBinding(t *testing.T) {
"zero-length name": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
},
T: field.ErrorTypeRequired,
F: "metadata.name",
},
"invalid ref": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "name"},
RoleRef: api.ObjectReference{Namespace: "-192083", Name: "valid"},
},
T: field.ErrorTypeInvalid,
F: "roleRef.namespace",
},
"bad role": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "default"},
RoleRef: api.ObjectReference{Namespace: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role"},
},
T: field.ErrorTypeRequired,
F: "roleRef.name",
@ -80,7 +203,7 @@ func TestValidateRoleBinding(t *testing.T) {
"bad subject kind": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{{Name: "subject"}},
},
T: field.ErrorTypeNotSupported,
@ -89,7 +212,7 @@ func TestValidateRoleBinding(t *testing.T) {
"bad subject name": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{{Name: "subject:bad", Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeInvalid,
@ -98,7 +221,7 @@ func TestValidateRoleBinding(t *testing.T) {
"missing subject name": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{{Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeRequired,
@ -125,13 +248,13 @@ func TestValidateRoleBinding(t *testing.T) {
func TestValidateRoleBindingUpdate(t *testing.T) {
old := &rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
}
errs := ValidateRoleBindingUpdate(
&rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
},
old,
)
@ -147,7 +270,7 @@ func TestValidateRoleBindingUpdate(t *testing.T) {
"changedRef": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "changed"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "changed"},
},
T: field.ErrorTypeInvalid,
F: "roleRef",
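Review bot: Neither table has a case for an empty APIGroup, which is exactly the value an object written before this change, or one that simply omits the field, will carry; since the validator compares with `!=`, the empty string should also produce NotSupported on roleRef.apiGroup, and pinning that here documents the intentionally non-backward-compatible behaviour the PR description calls out. I would add, next to the existing case: `"empty group": {A: rbac.ClusterRoleBinding{ObjectMeta: api.ObjectMeta{Name: "default"}, RoleRef: rbac.RoleRef{Kind: "ClusterRole", Name: "valid"}}, T: field.ErrorTypeNotSupported, F: "roleRef.apiGroup"}` and the equivalent RoleBinding case. Separately, the "bad group" cases use the literal string `"rbac.GroupName"`, which reads like a misquoted constant rather than a deliberately wrong value; something like `APIGroup: "not-" + rbac.GroupName` makes the intent obvious to the next reader.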


@ -44,6 +44,7 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_rbac_RoleBinding, InType: reflect.TypeOf(&RoleBinding{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_rbac_RoleBindingList, InType: reflect.TypeOf(&RoleBindingList{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_rbac_RoleList, InType: reflect.TypeOf(&RoleList{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_rbac_RoleRef, InType: reflect.TypeOf(&RoleRef{})},
conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_rbac_Subject, InType: reflect.TypeOf(&Subject{})},
)
}
@ -272,6 +273,17 @@ func DeepCopy_rbac_RoleList(in interface{}, out interface{}, c *conversion.Clone
}
}
func DeepCopy_rbac_RoleRef(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*RoleRef)
out := out.(*RoleRef)
out.APIGroup = in.APIGroup
out.Kind = in.Kind
out.Name = in.Name
return nil
}
}
func DeepCopy_rbac_Subject(in interface{}, out interface{}, c *conversion.Cloner) error {
{
in := in.(*Subject)


@ -53,9 +53,10 @@ const (
func newClusterRoleBinding(roleName string, subjects ...string) rbac.ClusterRoleBinding {
r := rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{},
RoleRef: api.ObjectReference{
Kind: "ClusterRole", // ClusterRoleBindings can only refer to ClusterRole
Name: roleName,
RoleRef: rbac.RoleRef{
APIGroup: rbac.GroupName,
Kind: "ClusterRole", // ClusterRoleBindings can only refer to ClusterRole
Name: roleName,
},
}
@ -72,9 +73,9 @@ func newRoleBinding(namespace, roleName string, bindType uint16, subjects ...str
switch bindType {
case bindToRole:
r.RoleRef = api.ObjectReference{Kind: "Role", Namespace: namespace, Name: roleName}
r.RoleRef = rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: roleName}
case bindToClusterRole:
r.RoleRef = api.ObjectReference{Kind: "ClusterRole", Name: roleName}
r.RoleRef = rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: roleName}
}
r.Subjects = make([]rbac.Subject, len(subjects))


@ -303,7 +303,7 @@ func TestRBAC(t *testing.T) {
Subjects: []v1alpha1.Subject{
{Kind: "User", Name: "pod-reader"},
},
RoleRef: v1.ObjectReference{Kind: "ClusterRole", Name: "read-pods"},
RoleRef: v1alpha1.RoleRef{Kind: "ClusterRole", Name: "read-pods"},
},
},
},
@ -335,14 +335,14 @@ func TestRBAC(t *testing.T) {
{
ObjectMeta: v1.ObjectMeta{Name: "write-jobs"},
Subjects: []v1alpha1.Subject{{Kind: "User", Name: "job-writer"}},
RoleRef: v1.ObjectReference{Kind: "ClusterRole", Name: "write-jobs"},
RoleRef: v1alpha1.RoleRef{Kind: "ClusterRole", Name: "write-jobs"},
},
},
roleBindings: []v1alpha1.RoleBinding{
{
ObjectMeta: v1.ObjectMeta{Name: "write-jobs", Namespace: "job-namespace"},
Subjects: []v1alpha1.Subject{{Kind: "User", Name: "job-writer-namespace"}},
RoleRef: v1.ObjectReference{Kind: "ClusterRole", Name: "write-jobs"},
RoleRef: v1alpha1.RoleRef{Kind: "ClusterRole", Name: "write-jobs"},
},
},
},
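Review bot: The v1alpha1 RoleRef literals in these bindings set Kind and Name but no APIGroup, while the rbac validation added in this PR rejects any RoleRef whose APIGroup is not rbac.GroupName; unless v1alpha1 defaulting (not visible in this view) fills the group in, these objects would fail to create and the test would not exercise the policy it describes. Either set it explicitly, e.g. `RoleRef: v1alpha1.RoleRef{APIGroup: v1alpha1.GroupName, Kind: "ClusterRole", Name: "read-pods"}` (if the group constant is exported from that package), or add a one-line comment above the first binding stating that the group is defaulted, so a reader does not have to chase it. The enclosing test-case table starts well before this hunk.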