Merge pull request #50702 from enj/enj/r/inject_policy_hook
Automatic merge from submit-queue (batch tested with PRs 50694, 50702) Allow injection of policy in RBAC post start hook This change allows the RBAC PostStartHook logic to be reused with different policy data when bootstrapping the cluster. Thus any changes to the bootstrap logic are separated from the policy data. Signed-off-by: Monis Khan <mkhan@redhat.com> ```release-note NONE ``` @kubernetes/sig-auth-pr-reviews
commit
f6929fc089
@ -134,10 +134,24 @@ func (p RESTStorageProvider) storage(version schema.GroupVersion, apiResourceCon
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
|
func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
|
||||||
return PostStartHookName, PostStartHook, nil
|
policy := &PolicyData{
|
||||||
|
ClusterRoles: append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...),
|
||||||
|
ClusterRoleBindings: append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...),
|
||||||
|
Roles: bootstrappolicy.NamespaceRoles(),
|
||||||
|
RoleBindings: bootstrappolicy.NamespaceRoleBindings(),
|
||||||
|
}
|
||||||
|
return PostStartHookName, policy.EnsureRBACPolicy(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
|
type PolicyData struct {
|
||||||
|
ClusterRoles []rbac.ClusterRole
|
||||||
|
ClusterRoleBindings []rbac.ClusterRoleBinding
|
||||||
|
Roles map[string][]rbac.Role
|
||||||
|
RoleBindings map[string][]rbac.RoleBinding
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *PolicyData) EnsureRBACPolicy() genericapiserver.PostStartHookFunc {
|
||||||
|
return func(hookContext genericapiserver.PostStartHookContext) error {
|
||||||
// intializing roles is really important. On some e2e runs, we've seen cases where etcd is down when the server
|
// intializing roles is really important. On some e2e runs, we've seen cases where etcd is down when the server
|
||||||
// starts, the roles don't initialize, and nothing works.
|
// starts, the roles don't initialize, and nothing works.
|
||||||
err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
|
err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
|
||||||
@ -164,7 +178,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ensure bootstrap roles are created or reconciled
|
// ensure bootstrap roles are created or reconciled
|
||||||
for _, clusterRole := range append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...) {
|
for _, clusterRole := range p.ClusterRoles {
|
||||||
opts := reconciliation.ReconcileRoleOptions{
|
opts := reconciliation.ReconcileRoleOptions{
|
||||||
Role: reconciliation.ClusterRoleRuleOwner{ClusterRole: &clusterRole},
|
Role: reconciliation.ClusterRoleRuleOwner{ClusterRole: &clusterRole},
|
||||||
Client: reconciliation.ClusterRoleModifier{Client: clientset.ClusterRoles()},
|
Client: reconciliation.ClusterRoleModifier{Client: clientset.ClusterRoles()},
|
||||||
@ -192,7 +206,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ensure bootstrap rolebindings are created or reconciled
|
// ensure bootstrap rolebindings are created or reconciled
|
||||||
for _, clusterRoleBinding := range append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...) {
|
for _, clusterRoleBinding := range p.ClusterRoleBindings {
|
||||||
opts := reconciliation.ReconcileRoleBindingOptions{
|
opts := reconciliation.ReconcileRoleBindingOptions{
|
||||||
RoleBinding: reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: &clusterRoleBinding},
|
RoleBinding: reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: &clusterRoleBinding},
|
||||||
Client: reconciliation.ClusterRoleBindingClientAdapter{Client: clientset.ClusterRoleBindings()},
|
Client: reconciliation.ClusterRoleBindingClientAdapter{Client: clientset.ClusterRoleBindings()},
|
||||||
@ -222,7 +236,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ensure bootstrap namespaced roles are created or reconciled
|
// ensure bootstrap namespaced roles are created or reconciled
|
||||||
for namespace, roles := range bootstrappolicy.NamespaceRoles() {
|
for namespace, roles := range p.Roles {
|
||||||
for _, role := range roles {
|
for _, role := range roles {
|
||||||
opts := reconciliation.ReconcileRoleOptions{
|
opts := reconciliation.ReconcileRoleOptions{
|
||||||
Role: reconciliation.RoleRuleOwner{Role: &role},
|
Role: reconciliation.RoleRuleOwner{Role: &role},
|
||||||
@ -252,7 +266,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ensure bootstrap namespaced rolebindings are created or reconciled
|
// ensure bootstrap namespaced rolebindings are created or reconciled
|
||||||
for namespace, roleBindings := range bootstrappolicy.NamespaceRoleBindings() {
|
for namespace, roleBindings := range p.RoleBindings {
|
||||||
for _, roleBinding := range roleBindings {
|
for _, roleBinding := range roleBindings {
|
||||||
opts := reconciliation.ReconcileRoleBindingOptions{
|
opts := reconciliation.ReconcileRoleBindingOptions{
|
||||||
RoleBinding: reconciliation.RoleBindingAdapter{RoleBinding: &roleBinding},
|
RoleBinding: reconciliation.RoleBindingAdapter{RoleBinding: &roleBinding},
|
||||||
@ -291,6 +305,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p RESTStorageProvider) GroupName() string {
|
func (p RESTStorageProvider) GroupName() string {
|
||||||
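Review bot: The closure returned by `EnsureRBACPolicy` reads `p.ClusterRoles`, `p.ClusterRoleBindings`, `p.Roles` and `p.RoleBindings` only when the hook executes, not when the hook is built, so anything a caller does to the `*PolicyData` (or to the slices and maps it shares with `bootstrappolicy.*`) between `PostStartHook()` and server start is what gets reconciled into the cluster's bootstrap authorization; that contract should either be documented or closed off by cloning the slices/maps inside `EnsureRBACPolicy` before returning the closure. Both newly exported names lack doc comments; suggest `// PolicyData holds the RBAC objects that EnsureRBACPolicy creates or reconciles when the server starts.` above the type and `// EnsureRBACPolicy returns a post-start hook that reconciles the policy in p; p and its fields are read when the hook runs, not when it is built.` above the method. The previously exported function `PostStartHook(hookContext)` is removed rather than retained as a thin wrapper over the new closure, which breaks any out-of-package caller that referenced it directly — worth confirming none exist. The closure body runs across several hunks and the `&clusterRole`/`&role` loop-variable addresses are context carried over from the old function, so they are not new to this change.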
|