Add parity check for Openshift policy and Kube RBAC #14429
force-pushed 7a5caa0 to b25b87f
pkg/cmd/admin/admin.go
@@ -93,6 +94,7 @@ func NewCommandAdmin(name, fullName string, in io.Reader, out io.Writer, errout | |||
// Migration commands | |||
migrateimages.NewCmdMigrateImageReferences("image-references", fullName+" "+migrate.MigrateRecommendedName+" image-references", f, in, out, errout), | |||
migratestorage.NewCmdMigrateAPIStorage("storage", fullName+" "+migrate.MigrateRecommendedName+" storage", f, in, out, errout), | |||
migratepolicy.NewCmdMigratePolicy("policy", fullName+" "+migrate.MigrateRecommendedName+" policy", f, in, out, errout), |
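Review bot: the subcommand is registered here under the name "policy" while the commit message and PR description call it `oadm migrate authorization`; rename the first argument (and, for consistency, the `migratepolicy` package) so the help text matches the documented command name.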
authorization
Done.
pkg/cmd/admin/migrate/migrator.go
// ReporterBool implements the Reporter interface for a boolean. | ||
type ReporterBool bool | ||
|
||
func (r ReporterBool) Changed() bool { return bool(r) } |
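Review bot: style, the `Changed` method is squeezed onto the same line as the type it implements; put the method on its own lines and extend the godoc to say what a true value reports, since "implements the Reporter interface for a boolean" does not tell a caller what the boolean means.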
separate lines please
Blah missed this one, will clean up later since #14365 is already 9 deep in the merge queue.
) | ||
|
||
type MigratePolicyOptions struct { | ||
migrate.ResourceOptions |
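Review bot: `migrate.ResourceOptions` is embedded anonymously, so every field and method it carries is promoted onto `MigratePolicyOptions` without being visible at this declaration; a named field would make the option surface explicit. If the other migrate commands embed it the same way, matching them is defensible, but say so in a comment.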
anonymously including this for some reason? I dislike anonymous includes.
Just following the pattern for every other migrate command.
// compare the results if there have been no errors so far | ||
if len(errlist) == 0 { | ||
// there's one wrinkle. If `openshift.io/reconcile-protect` is to true, then we must set rbac.authorization.kubernetes.io/autoupdate to false | ||
if convertedClusterRole.Annotations["openshift.io/reconcile-protect"] == "true" { |
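Review bot: the guard only fires when the annotation value is exactly the string "true"; any other spelling leaves `rbac.authorization.kubernetes.io/autoupdate` unset on the converted role, so the RBAC copy stays auto-updatable while the origin role is protected, which is precisely what the comment above says must not happen. Either document the exact-match contract or normalize the value before comparing, and since the same rule lives in the controller, move it into one shared helper so the two implementations cannot drift.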
this looks very familiar. Restructure enough to be able to re-use the implementation for this with the controllers.
They are just different enough to not warrant trying to refactor, especially since we will delete the controller soon.
force-pushed b25b87f to e7c982e
force-pushed e7c982e to a2cd085
Out: out, | ||
ErrOut: errout, | ||
AllNamespaces: true, | ||
Include: []string{"clusterrole", "role", "clusterrolebinding", "rolebinding"}, |
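Review bot: the `Include` list names the kinds without an API group ("clusterrole", "role", "clusterrolebinding", "rolebinding"), which is ambiguous once both the origin authorization group and rbac.authorization.k8s.io serve resources with these names; qualify them (for example `clusterrole.authorization.openshift.io`) so the migrator reads the origin objects rather than the RBAC objects it is comparing them against.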
clusterrole.authorization.openshift.io, right? This could never successfully be run on a prior version since the RBAC side would be missing.
lgtm from a cli perspective.
force-pushed a2cd085 to 3e7035f
force-pushed 3e7035f to 057ec4d
) | ||
|
||
// NormalizePolicyRules mutates the given rules and lowercases verbs, resources and API groups. | ||
func PrepareForCreateClusterRole(originClusterRole *authorizationapi.ClusterRole) (*rbac.ClusterRole, error) { |
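Review bot: the godoc describes `NormalizePolicyRules` but the function declared beneath it is `PrepareForCreateClusterRole`, which takes an origin cluster role and returns an RBAC one; rewrite the comment to name this function and state what it converts. A name such as `ConvertToRBACClusterRole` would also describe the behaviour better than "prepare for create", since the visible signature converts between types rather than readying an object for a create call.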
ConvertToRBACClusterRole
return equivalentClusterRole, nil | ||
} | ||
|
||
func PrepareForUpdateClusterRole(equivalentClusterRole, rbacClusterRole *rbac.ClusterRole) bool { |
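Review bot: the bool returned by `PrepareForUpdateClusterRole` is undocumented and the name does not say whether either argument is mutated; add godoc that states which argument is rewritten and defines the result as "true when an update is needed", so call sites read as `if needsUpdate { ... }`. Parameter names such as `newClusterRole, existingClusterRole` would also make the direction of the comparison obvious.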
godoc, particularly the mutation bit.
(newClusterRole, existingClusterRole *rbac.ClusterRole)
Invert the bool. Return true if an update is needed and doc it.
return apiequality.Semantic.DeepEqual(equivalentRoleBinding, rbacRoleBinding) | ||
} | ||
|
||
func normalizeObjectMeta(a *v1.ObjectMeta, b v1.ObjectMeta) { |
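Review bot: `normalizeObjectMeta` takes `a` by pointer and `b` by value, which signals that `a` is overwritten in place from `b` without the code saying so; document which fields are copied and why those fields in particular, or take both by value and return the prepared `ObjectMeta`, since shallow copies make this non-mutating at no cost. The name also overstates what happens: this prepares one object's metadata for an update rather than normalizing both sides.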
godoc explaining why you're doing this to these particular fields. Also, this could all be non mutating given shallow copies. Take value objects and return a value object.
return apiequality.Semantic.DeepEqual(equivalentRoleBinding, rbacRoleBinding) | ||
} | ||
|
||
func normalizeObjectMeta(a *v1.ObjectMeta, b v1.ObjectMeta) { |
This isn't normalization. This is "prepareObjectMetaForUpdate"
glog.V(1).Infof("writing RBAC role %v/%v", namespace, name) | ||
_, err = c.rbacClient.Roles(namespace).Update(equivalentRole) | ||
// if the update was invalid, we're probably changing an immutable field or something like that | ||
// either way, the existing object is wrong. Delete it and try again. | ||
if apierrors.IsInvalid(err) { | ||
c.rbacClient.Roles(namespace).Delete(name, nil) | ||
c.rbacClient.Roles(namespace).Delete(name, nil) // ignore delete error |
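Review bot: the error from `Delete` is discarded in both the old and the new line, so if the delete fails the retried write will fail too and the log will only show the second failure; capture the error and log it at the same V(1) level as the "writing RBAC role" line above. Deleting and recreating a live Role also removes its permissions for the duration of the gap, which is worth a sentence in the comment above, since that comment only explains why the existing object is considered wrong.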
I'll trust you as a reader, but you really think it needs a comment?
force-pushed 057ec4d to 171b08c
Comments addressed. [merge]
This change adds the `oadm migrate authorization` command:

A controller is used to keep Openshift authorization objects and Kubernetes RBAC in sync. This command checks for parity between those objects across all namespaces and reports all objects that are out of sync. These objects require manual intervention to sync as the controller handles all cases where automatic sync is possible.

The following resource types are checked by this command:

* clusterrole
* role
* clusterrolebinding
* rolebinding

No resources are mutated.

Signed-off-by: Monis Khan <[email protected]>
Signed-off-by: Monis Khan <[email protected]>
This change adds functions that handle all normalization, conversion and comparison for the authorization objects. These are now shared between authorizationsync and `oadm migrate authorization` to prevent any logic drift. Signed-off-by: Monis Khan <[email protected]>
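To make the normalize, convert and compare steps the commits describe concrete, here is an added, self-contained Go sketch. It is not the project's code: the `PolicyRule` and `ClusterRole` structs are hypothetical, trimmed stand-ins for the real API types with only the fields the check reads, the normalization is limited to the lowercasing the review mentions, `reflect.DeepEqual` stands in for `apiequality.Semantic.DeepEqual`, and the two annotation keys are the ones quoted in the review thread. The sample roles in `SampleData` are constructed input.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Hypothetical, trimmed stand-ins for the origin authorization and Kubernetes
// RBAC cluster role types: only the fields the parity check reads. These are
// not the project's real API structs.
type PolicyRule struct{ Verbs, APIGroups, Resources []string }

type ClusterRole struct {
	Name        string
	Annotations map[string]string
	Rules       []PolicyRule
}

const (
	reconcileProtectAnnotation = "openshift.io/reconcile-protect"
	rbacAutoUpdateAnnotation   = "rbac.authorization.kubernetes.io/autoupdate"
)

// lowerAll lowercases every entry; it always returns a non-nil slice so a nil
// and an empty list compare equal under reflect.DeepEqual.
func lowerAll(in []string) []string {
	out := make([]string, len(in))
	for i, s := range in {
		out[i] = strings.ToLower(s)
	}
	return out
}

// NormalizePolicyRules returns a copy of the rules with verbs, API groups and
// resources lowercased, so rules differing only in case compare equal.
func NormalizePolicyRules(rules []PolicyRule) []PolicyRule {
	out := make([]PolicyRule, len(rules))
	for i, r := range rules {
		out[i] = PolicyRule{lowerAll(r.Verbs), lowerAll(r.APIGroups), lowerAll(r.Resources)}
	}
	return out
}

// copyAnnotations returns a non-nil copy so comparisons never mutate callers.
func copyAnnotations(in map[string]string) map[string]string {
	out := make(map[string]string, len(in)+1)
	for k, v := range in {
		out[k] = v
	}
	return out
}

// ConvertToRBACClusterRole builds the RBAC cluster role an origin cluster role
// should correspond to. The wrinkle the review discusses: a role protected from
// reconciliation on the origin side must carry autoupdate=false on the RBAC
// side, otherwise the RBAC reconciler is free to rewrite it.
func ConvertToRBACClusterRole(origin ClusterRole) ClusterRole {
	ann := copyAnnotations(origin.Annotations)
	if ann[reconcileProtectAnnotation] == "true" {
		ann[rbacAutoUpdateAnnotation] = "false"
	}
	return ClusterRole{Name: origin.Name, Annotations: ann, Rules: NormalizePolicyRules(origin.Rules)}
}

// NeedsUpdate reports true when the existing RBAC role differs from the one
// converted from origin. The existing role is normalized the same way first;
// both arguments are values, so nothing the caller holds is mutated.
func NeedsUpdate(converted, existing ClusterRole) bool {
	existing.Annotations = copyAnnotations(existing.Annotations)
	existing.Rules = NormalizePolicyRules(existing.Rules)
	return !reflect.DeepEqual(converted, existing)
}

// CheckParity returns, in input order, the names of origin cluster roles whose
// RBAC twin is missing or differs. It only reads; nothing is written back.
func CheckParity(origin []ClusterRole, rbac map[string]ClusterRole) []string {
	var outOfSync []string
	for _, o := range origin {
		got, ok := rbac[o.Name]
		if !ok || NeedsUpdate(ConvertToRBACClusterRole(o), got) {
			outOfSync = append(outOfSync, o.Name)
		}
	}
	return outOfSync
}

// SampleData is constructed input: "view" is in sync (case differences only),
// "edit" is protected on the origin side but its RBAC twin lacks
// autoupdate=false, and "admin" has no RBAC twin at all.
func SampleData() ([]ClusterRole, map[string]ClusterRole) {
	pods := func(verbs ...string) PolicyRule { return PolicyRule{verbs, []string{""}, []string{"pods"}} }
	protected := map[string]string{reconcileProtectAnnotation: "true"}
	origin := []ClusterRole{
		{Name: "view", Annotations: protected, Rules: []PolicyRule{{[]string{"GET", "List"}, []string{""}, []string{"Pods"}}}},
		{Name: "edit", Annotations: protected, Rules: []PolicyRule{pods("update")}},
		{Name: "admin", Rules: []PolicyRule{pods("*")}},
	}
	rbac := map[string]ClusterRole{
		"view": {Name: "view", Rules: []PolicyRule{pods("get", "list")},
			Annotations: map[string]string{reconcileProtectAnnotation: "true", rbacAutoUpdateAnnotation: "false"}},
		"edit": {Name: "edit", Annotations: protected, Rules: []PolicyRule{pods("update")}},
	}
	return origin, rbac
}

func main() {
	origin, rbac := SampleData()
	for _, name := range CheckParity(origin, rbac) {
		fmt.Printf("out of sync: clusterrole/%s\n", name)
	}
}
```

Running it reports `edit` and `admin` as out of sync and stays silent on `view`, which is the point of normalizing before comparing: a case-only difference in verbs or resources is not a parity failure, while a protected origin role whose RBAC twin is still auto-updatable is, because the reconciler could overwrite it.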
force-pushed 171b08c to 46af0f1
Evaluated for origin test up to 46af0f1
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2096/) (Base Commit: a659cf7)
Flake #14496
Evaluated for origin merge up to 46af0f1
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/969/) (Base Commit: aed6393) (Image: devenv-rhel7_6338)
This change adds the `oadm migrate authorization` command:

A controller is used to keep Openshift authorization objects and Kubernetes RBAC in sync. This command checks for parity between those objects across all namespaces and reports all objects that are out of sync. These objects require manual intervention to sync as the controller handles all cases where automatic sync is possible.

The following resource types are checked by this command:

* clusterrole
* role
* clusterrolebinding
* rolebinding

No resources are mutated.

Signed-off-by: Monis Khan [email protected]
Fixes #14139
Prerequisite #14365 #14475
TODO
[test]