Bootstrap Kube namespaced roles and bindings #16517
Conversation
openshift-ci-robot
added
the
size/XXL
openshift-merge-robot
added
the
approved
| @@ -53,6 +55,7 @@ func NewCommandCreateBootstrapPolicyFile(commandName string, fullName string, ou | |||
|
|
|||
| flags.StringVar(&options.File, "filename", DefaultPolicyFile, "The policy template file that will be written with roles and bindings.") | |||
| flags.StringVar(&options.OpenShiftSharedResourcesNamespace, "openshift-namespace", "openshift", "Namespace for shared resources.") | |||
| flags.MarkDeprecated("openshift-namespace", "this field is no longer supported and using it can lead to undefined behavior") | |||
There was a problem hiding this comment.
this entire command should just die.
| @@ -53,6 +55,7 @@ func NewCommandCreateBootstrapPolicyFile(commandName string, fullName string, ou | |||
|
|
|||
| flags.StringVar(&options.File, "filename", DefaultPolicyFile, "The policy template file that will be written with roles and bindings.") | |||
| flags.StringVar(&options.OpenShiftSharedResourcesNamespace, "openshift-namespace", "openshift", "Namespace for shared resources.") | |||
| flags.MarkDeprecated("openshift-namespace", "this field is no longer supported and using it can lead to undefined behavior") | |||
There was a problem hiding this comment.
We got rid of openshift-infra choice. I don't remember removing the shared namespace choice. If openshift-infra was changed, we simply created what needed to be. If they used a custom shared namespace, we cannot recreate that for them.
@smarterclayton its easier if we remove it, but I'm not sure about breaks. Opinion?
There was a problem hiding this comment.
We got rid of openshift-infra choice. I don't remember removing the shared namespace choice. If openshift-infra was changed, we simply created what needed to be. If they used a custom shared namespace, we cannot recreate that for them.
@smarterclayton its easier if we remove it, but I'm not sure about breaks. Opinion?
Ansible doesn't allow it to be set. If a user changes it, I think its up to him to make sure all his roles are ready
There was a problem hiding this comment.
I think we should remove it.
There was a problem hiding this comment.
Deprecate in 3.7 and remove in 3.8 seems reasonable to me. Removing it completely in 3.7 seems a bit sudden, but I have a feeling that no sane person ever messed with this so I can stomp on it if you really want.
There was a problem hiding this comment.
Deprecate in 3.7 and remove in 3.8 seems reasonable to me. Removing it completely in 3.7 seems a bit sudden, but I have a feeling that no sane person ever messed with this so I can stomp on it if you really want.
@enj You already have removed it in this pull. You just don't realize that you have. It no longer functions as it used to.
There was a problem hiding this comment.
Hm yeah I killed the bootstrapping of it which is what matters.
| namespaceRoleBindings := map[string][]rbac.RoleBinding{} | ||
|
|
||
| addNamespaceRole(namespaceRoles, | ||
| DefaultOpenShiftSharedResourcesNamespace, |
| @@ -87,32 +89,6 @@ var ( | |||
| legacyNetworkGroup = networkapi.LegacyGroupName | |||
| ) | |||
|
|
|||
| func GetBootstrapOpenshiftRoles(openshiftNamespace string) []rbac.Role { | |||
There was a problem hiding this comment.
|
|
||
| func buildNamespaceRolesAndBindings() (map[string][]rbac.Role, map[string][]rbac.RoleBinding) { | ||
| // namespaceRoles is a map of namespace to slice of roles to create | ||
| namespaceRoles := map[string][]rbac.Role{} |
There was a problem hiding this comment.
I prefer the private, global map upstream has.
There was a problem hiding this comment.
I prefer the approach that @liggitt started upstream with plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go, especially since it allows us to mutate the output easily.
There was a problem hiding this comment.
I prefer the approach that @liggitt started upstream with plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go, especially since it allows us to mutate the output easily.
Letting you do something you shouldn't do isn't a point in its favor. Unbork the output and you can have it though.
| for _, roles := range ret { | ||
| for i := range roles { | ||
| role := &roles[i] | ||
| addDefaultMetadata(role) |
There was a problem hiding this comment.
upstream adds it as they go and I think has a test to ensure everyone gets it.
| creationTimestamp: null | ||
| labels: | ||
| kubernetes.io/bootstrapping: rbac-defaults |
enj
force-pushed
the
enj/i/kube_bootstrap_roles
branch
from
eac5ffd
to
8369288
Compare
|
@deads2k label removed. #16512 (review) ? |
enj
force-pushed
the
enj/i/kube_bootstrap_roles
branch
from
8369288
to
f368abf
Compare
openshift-merge-robot
removed
the
approved
| "github.com/golang/glog" | ||
| ) | ||
|
|
||
| func addNamespaceRole(namespaceRoles map[string][]rbac.Role, namespace string, role rbac.Role) { |
There was a problem hiding this comment.
Not seeing a use-case where these shouldn't be auto-reconciled. Add the annotation here.
| for _, roles := range ret { | ||
| for i := range roles { | ||
| role := &roles[i] | ||
| addDefaultMetadata(role) |
There was a problem hiding this comment.
don't mutate the upstream roles.
| @@ -1047,6 +1016,11 @@ func GetBootstrapClusterRoleBindings() []rbac.ClusterRoleBinding { | |||
| } | |||
| } | |||
|
|
|||
| for i := range finalClusterRoleBindings { | |||
| roleBinding := &finalClusterRoleBindings[i] | |||
| addDefaultMetadata(roleBinding) | |||
There was a problem hiding this comment.
Why are we mutating upstream roles.
enj
force-pushed
the
enj/i/kube_bootstrap_roles
branch
from
f368abf
to
6fa5344
Compare
| // add default metadata only to openshift cluster roles | ||
| for i := range finalClusterRoles { | ||
| role := &finalClusterRoles[i] | ||
| addDefaultMetadata(role) |
There was a problem hiding this comment.
Seems like this should be done when you're building the roles. What is the use-case for having GetOpenshiftBootstrapClusterRoles to be missing annotations?
| // add default metadata only to openshift cluster role bindings | ||
| for i := range finalClusterRoleBindings { | ||
| roleBinding := &finalClusterRoleBindings[i] | ||
| addDefaultMetadata(roleBinding) |
There was a problem hiding this comment.
What is the use-case for GetOpenshiftBootstrapClusterRoleBindings to be missing annotations?
| func GetBootstrapNamespaceRoles() map[string][]rbac.Role { | ||
| // openshift and kube are guaranteed never to conflict on these | ||
| // the openshift map is safe to mutate unlike the kube one | ||
| ret := NamespaceRoles() |
There was a problem hiding this comment.
What is the use-case for this to return roles missing annotations?
| func GetBootstrapNamespaceRoleBindings() map[string][]rbac.RoleBinding { | ||
| // openshift and kube are guaranteed never to conflict on these | ||
| // the openshift map is safe to mutate unlike the kube one | ||
| ret := NamespaceRoleBindings() |
There was a problem hiding this comment.
What is the use-case for this to be missing annotations?
This change brings in the upstream namespaced roles that are used by controllers. These will never conflict with the openshift ones since they are required to be in namespaces prefixed with "kube-". Signed-off-by: Monis Khan <[email protected]>
Signed-off-by: Monis Khan <[email protected]>
enj
force-pushed
the
enj/i/kube_bootstrap_roles
branch
from
6fa5344
to
f42b2d7
Compare
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-merge-robot
added
the
approved
|
test integration flaked. killing the rest to free our queue |
|
/retest |
|
Automatic merge from submit-queue |
…e catalog example template. Upstream role was added in openshift#16517.
…e catalog example template. Upstream role was added in openshift#16517.
This change brings in the upstream namespaced roles that are used by controllers. These will never conflict with the openshift ones since they are required to be in namespaces prefixed with "kube-".
Signed-off-by: Monis Khan [email protected]