Implement /ext in Steve for Imperative API (#287)

This implements the Imperative API that is served at /ext with Steve. The imperative API is compatible with Kubernetes' API server and will be used as an extension API server.
2025-09-16 15:29:04 +00:00 · 2024-10-11 15:19:27 -04:00
parent 57a25ffa82
commit 1f21e5e515
18 changed files with 5343 additions and 4 deletions
--- a/pkg/ext/testdata/rbac.yaml
+++ b/pkg/ext/testdata/rbac.yaml
@@ -0,0 +1,123 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: read-only
+rules:
+- apiGroups: ["ext.cattle.io"]
+  verbs: ["list", "get", "watch"]
+  resources: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: read-write
+rules:
+- apiGroups: ["ext.cattle.io"]
+  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
+  resources: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: update-not-create
+rules:
+- apiGroups: ["ext.cattle.io"]
+  verbs: ["list", "get", "watch", "update"]
+  resources: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: all
+rules:
+- apiGroups: ["ext.cattle.io"]
+  verbs: ["*"]
+  resources: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: other
+rules:
+- apiGroups: ["management.cattle.io"]
+  verbs: ["*"]
+  resources: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-only
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: read-only
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: read-only
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-write
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: read-write
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: read-write
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: update-not-create
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: update-not-create
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: update-not-create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: all
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: all
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: all
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: other
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: other
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: other
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-only-error
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: read-only
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: read-only-error