Mirror of https://github.com/k3s-io/kubernetes.git, synced 2025-09-29 06:06:03 +00:00
Automatic merge from submit-queue

rbac validation: rules can't combine non-resource URLs and regular resources

This PR updates the validation used for RBAC to prevent rules from mixing non-resource URLs and regular resources.

For example the following is no longer valid

```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admins
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
    nonResourceURLs: ["*"]
```

And must be rewritten as so.

```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admins
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
```

It also:

* Mandates non-zero length arrays for required resources.
* Mandates non-resource URLs only be used for ClusterRoles (not namespaced Roles).
* Updates the swagger validation so `verbs` are the only required field in a rule. Further validation is done by the server.

Also, do we need to bump the API version?

Discussed by @erictune and @liggitt in #28304

Updates kubernetes/features#2

cc @kubernetes/sig-auth

Edit:

* Need to update the RBAC docs if this change goes in.
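
An added example, not part of the commit or the Kubernetes code base: a simplified Go validator for the rule checks listed in the commit message, run against the two `admins` manifests above. The `PolicyRule` struct, the `ValidateRule` function and the error strings are hypothetical stand-ins, and treating `apiGroups` and `resources` as the required arrays of a resource rule is an assumption.

```go
package main

import "fmt"

// PolicyRule is a simplified, hypothetical stand-in for the rule fields named
// in the commit message; it is not the Kubernetes API type.
type PolicyRule struct {
	Verbs, APIGroups, Resources, NonResourceURLs []string
}

// ValidateRule applies the checks the commit message lists. namespaced is
// true for a Role and false for a ClusterRole.
func ValidateRule(r PolicyRule, namespaced bool) error {
	if len(r.Verbs) == 0 {
		return fmt.Errorf("verbs must contain at least one value")
	}
	if len(r.NonResourceURLs) > 0 {
		if namespaced {
			return fmt.Errorf("a namespaced Role cannot list non-resource URLs")
		}
		if len(r.APIGroups) > 0 || len(r.Resources) > 0 {
			return fmt.Errorf("rule mixes resources and non-resource URLs")
		}
		return nil
	}
	// Assumption: a resource rule needs non-empty apiGroups and resources.
	if len(r.APIGroups) == 0 || len(r.Resources) == 0 {
		return fmt.Errorf("resource rule needs apiGroups and resources")
	}
	return nil
}

func main() {
	star := []string{"*"}
	// Constructed inputs mirroring the two manifests in the commit message.
	mixed := PolicyRule{Verbs: star, APIGroups: star, Resources: star, NonResourceURLs: star}
	split := []PolicyRule{
		{Verbs: star, APIGroups: star, Resources: star},
		{Verbs: star, NonResourceURLs: star},
	}
	fmt.Println("mixed rule in ClusterRole:", ValidateRule(mixed, false))
	for i, r := range split {
		fmt.Printf("split rule %d: ClusterRole=%v Role=%v\n",
			i, ValidateRule(r, false), ValidateRule(r, true))
	}
}
```

Running it shows the mixed rule rejected, both split rules accepted in a ClusterRole, and the non-resource URL rule rejected in a namespaced Role.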