Add parity check for Openshift policy and Kube RBAC #14429
Conversation
enj
force-pushed
the
enj/i/parity_rbac/14139
branch
from
7a5caa0
to
b25b87f
Compare
pkg/cmd/admin/admin.go
Outdated
| @@ -93,6 +94,7 @@ func NewCommandAdmin(name, fullName string, in io.Reader, out io.Writer, errout | |||
| // Migration commands | |||
| migrateimages.NewCmdMigrateImageReferences("image-references", fullName+" "+migrate.MigrateRecommendedName+" image-references", f, in, out, errout), | |||
| migratestorage.NewCmdMigrateAPIStorage("storage", fullName+" "+migrate.MigrateRecommendedName+" storage", f, in, out, errout), | |||
| migratepolicy.NewCmdMigratePolicy("policy", fullName+" "+migrate.MigrateRecommendedName+" policy", f, in, out, errout), | |||
pkg/cmd/admin/migrate/migrator.go
Outdated
| // ReporterBool implements the Reporter interface for a boolean. | ||
| type ReporterBool bool | ||
|
|
||
| func (r ReporterBool) Changed() bool { return bool(r) } |
There was a problem hiding this comment.
Blah missed this one, will clean up later since #14365 is already 9 deep in the merge queue.
| ) | ||
|
|
||
| type MigratePolicyOptions struct { | ||
| migrate.ResourceOptions |
There was a problem hiding this comment.
anonymously including this for some reason? I dislike anonymous includes.
There was a problem hiding this comment.
Just following the pattern for every other migrate command.
| // compare the results if there have been no errors so far | ||
| if len(errlist) == 0 { | ||
| // there's one wrinkle. If `openshift.io/reconcile-protect` is to true, then we must set rbac.authorization.kubernetes.io/autoupdate to false | ||
| if convertedClusterRole.Annotations["openshift.io/reconcile-protect"] == "true" { |
There was a problem hiding this comment.
this looks very familiar. Restructure enough to be able to re-use the implementation for this with the controllers.
There was a problem hiding this comment.
They are just different enough to not warrant trying to refactor, especially since we will delete the controller soon.
enj
force-pushed
the
enj/i/parity_rbac/14139
branch
from
b25b87f
to
e7c982e
Compare
enj
force-pushed
the
enj/i/parity_rbac/14139
branch
from
e7c982e
to
a2cd085
Compare
| Out: out, | ||
| ErrOut: errout, | ||
| AllNamespaces: true, | ||
| Include: []string{"clusterrole", "role", "clusterrolebinding", "rolebinding"}, |
There was a problem hiding this comment.
clusterrole.authorization.openshift.io, right? This could never successfully be run on a prior version since the RBAC side would be missing.
|
lgtm from a cli perspective. |
openshift-bot
added
the
needs-rebase
enj
force-pushed
the
enj/i/parity_rbac/14139
branch
from
a2cd085
to
3e7035f
Compare
enj
removed
the
needs-rebase
enj
force-pushed
the
enj/i/parity_rbac/14139
branch
from
3e7035f
to
057ec4d
Compare
| ) | ||
|
|
||
| // NormalizePolicyRules mutates the given rules and lowercases verbs, resources and API groups. | ||
| func PrepareForCreateClusterRole(originClusterRole *authorizationapi.ClusterRole) (*rbac.ClusterRole, error) { |
| return equivalentClusterRole, nil | ||
| } | ||
|
|
||
| func PrepareForUpdateClusterRole(equivalentClusterRole, rbacClusterRole *rbac.ClusterRole) bool { |
There was a problem hiding this comment.
godoc, particularly the mutation bit.
(newClusterRole, existingClusterRole *rbac.ClusterRole)
There was a problem hiding this comment.
Invert the bool. Return true if an update is needed and doc it.
| return apiequality.Semantic.DeepEqual(equivalentRoleBinding, rbacRoleBinding) | ||
| } | ||
|
|
||
| func normalizeObjectMeta(a *v1.ObjectMeta, b v1.ObjectMeta) { |
There was a problem hiding this comment.
godoc explaining why you're doing this to these particular fields. Also, this could all be non mutating given shallow copies. Take value objects and return a value object.
| return apiequality.Semantic.DeepEqual(equivalentRoleBinding, rbacRoleBinding) | ||
| } | ||
|
|
||
| func normalizeObjectMeta(a *v1.ObjectMeta, b v1.ObjectMeta) { |
There was a problem hiding this comment.
This isn't normalization. This is "prepareObjectMetaForUpdate"
| glog.V(1).Infof("writing RBAC role %v/%v", namespace, name) | ||
| _, err = c.rbacClient.Roles(namespace).Update(equivalentRole) | ||
| // if the update was invalid, we're probably changing an immutable field or something like that | ||
| // either way, the existing object is wrong. Delete it and try again. | ||
| if apierrors.IsInvalid(err) { | ||
| c.rbacClient.Roles(namespace).Delete(name, nil) | ||
| c.rbacClient.Roles(namespace).Delete(name, nil) // ignore delete error |
There was a problem hiding this comment.
I'll trust you as a reader, but you really think it needs a comment?
enj
force-pushed
the
enj/i/parity_rbac/14139
branch
from
057ec4d
to
171b08c
Compare
|
Comments addressed. [merge] |
openshift-bot
added
the
needs-rebase
This change adds the `oadm migrate authorization` command: A controller is used to keep Openshift authorization objects and Kubernetes RBAC in sync. This command checks for parity between those objects across all namespaces and reports all objects that are out of sync. These objects require manual intervention to sync as the controller handles all cases where automatic sync is possible. The following resource types are checked by this command: * clusterrole * role * clusterrolebinding * rolebinding No resources are mutated. Signed-off-by: Monis Khan <[email protected]>
Signed-off-by: Monis Khan <[email protected]>
This change adds functions that handle all normalization, conversion and comparison for the authorization objects. These are now shared between authorizationsync and `oadm migrate authorization` to prevent any logic drift. Signed-off-by: Monis Khan <[email protected]>
enj
force-pushed
the
enj/i/parity_rbac/14139
branch
from
171b08c
to
46af0f1
Compare
enj
removed
the
needs-rebase
|
Evaluated for origin test up to 46af0f1 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2096/) (Base Commit: a659cf7) |
|
Flake #14496 |
|
Evaluated for origin merge up to 46af0f1 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/969/) (Base Commit: aed6393) (Image: devenv-rhel7_6338) |
This change adds the
oadm migrate authorizationcommand:A controller is used to keep Openshift authorization objects and Kubernetes RBAC in sync. This command checks for parity between those objects across all namespaces and reports all objects that are out of sync. These objects require manual intervention to sync as the controller handles all cases where automatic sync is possible.
The following resource types are checked by this command:
No resources are mutated.
Signed-off-by: Monis Khan [email protected]
Fixes #14139
Prerequisite #14365 #14475
TODO
[test]