Merge pull request #50702 from enj/enj/r/inject_policy_hook

Automatic merge from submit-queue (batch tested with PRs 50694, 50702)

Allow injection of policy in RBAC post start hook

This change lets the RBAC PostStartHook logic be reused with different policy data when bootstrapping the cluster, so changes to the bootstrap logic are kept separate from the policy data.

Signed-off-by: Monis Khan <mkhan@redhat.com>

```release-note
NONE
```

@kubernetes/sig-auth-pr-reviews
Kubernetes Submit Queue 2017-08-15 14:28:28 -07:00 committed by GitHub
commit f6929fc089


@ -134,10 +134,24 @@ func (p RESTStorageProvider) storage(version schema.GroupVersion, apiResourceCon
}
func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
return PostStartHookName, PostStartHook, nil
policy := &PolicyData{
ClusterRoles: append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...),
ClusterRoleBindings: append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...),
Roles: bootstrappolicy.NamespaceRoles(),
RoleBindings: bootstrappolicy.NamespaceRoleBindings(),
}
return PostStartHookName, policy.EnsureRBACPolicy(), nil
}
func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
type PolicyData struct {
ClusterRoles []rbac.ClusterRole
ClusterRoleBindings []rbac.ClusterRoleBinding
Roles map[string][]rbac.Role
RoleBindings map[string][]rbac.RoleBinding
}
func (p *PolicyData) EnsureRBACPolicy() genericapiserver.PostStartHookFunc {
return func(hookContext genericapiserver.PostStartHookContext) error {
// intializing roles is really important. On some e2e runs, we've seen cases where etcd is down when the server
// starts, the roles don't initialize, and nothing works.
err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
@ -164,7 +178,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
}
// ensure bootstrap roles are created or reconciled
for _, clusterRole := range append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...) {
for _, clusterRole := range p.ClusterRoles {
opts := reconciliation.ReconcileRoleOptions{
Role: reconciliation.ClusterRoleRuleOwner{ClusterRole: &clusterRole},
Client: reconciliation.ClusterRoleModifier{Client: clientset.ClusterRoles()},
@ -192,7 +206,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
}
// ensure bootstrap rolebindings are created or reconciled
for _, clusterRoleBinding := range append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...) {
for _, clusterRoleBinding := range p.ClusterRoleBindings {
opts := reconciliation.ReconcileRoleBindingOptions{
RoleBinding: reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: &clusterRoleBinding},
Client: reconciliation.ClusterRoleBindingClientAdapter{Client: clientset.ClusterRoleBindings()},
@ -222,7 +236,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
}
// ensure bootstrap namespaced roles are created or reconciled
for namespace, roles := range bootstrappolicy.NamespaceRoles() {
for namespace, roles := range p.Roles {
for _, role := range roles {
opts := reconciliation.ReconcileRoleOptions{
Role: reconciliation.RoleRuleOwner{Role: &role},
@ -252,7 +266,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
}
// ensure bootstrap namespaced rolebindings are created or reconciled
for namespace, roleBindings := range bootstrappolicy.NamespaceRoleBindings() {
for namespace, roleBindings := range p.RoleBindings {
for _, roleBinding := range roleBindings {
opts := reconciliation.ReconcileRoleBindingOptions{
RoleBinding: reconciliation.RoleBindingAdapter{RoleBinding: &roleBinding},
@ -292,6 +306,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
return nil
}
}
func (p RESTStorageProvider) GroupName() string {
return rbac.GroupName