
✨ rbac: deduplicate having the same groups, resourceNames, URLs and Verbs #937

@chrischdi chrischdi commented May 2, 2024

This improves the output of controller-gen's rbac generator to further deduplicate the output.

It now:

  • first separates the rules by namespace and resource
  • and later deduplicates on the set resources if the rules are otherwise the same (excluding resource).
  • and also deduplicates based on apiGroups if possible.

The first commit only adds test data.

The second commit adds the change for deduplicating based on resources.

The third commit deduplicates on apiGroups.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 2, 2024
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 2, 2024
@chrischdi chrischdi changed the title ✨ rbac: deduplicate having the same groups, resourceNames, URLs and Verbs [WIP] ✨ rbac: deduplicate having the same groups, resourceNames, URLs and Verbs May 2, 2024
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 2, 2024
@chrischdi chrischdi force-pushed the pr-deduplicate-by-verbs-and-group branch from dc44d68 to 56a3b24 Compare May 2, 2024 17:55
@chrischdi chrischdi changed the title [WIP] ✨ rbac: deduplicate having the same groups, resourceNames, URLs and Verbs ✨ rbac: deduplicate having the same groups, resourceNames, URLs and Verbs May 2, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 2, 2024
@chrischdi chrischdi force-pushed the pr-deduplicate-by-verbs-and-group branch from 56a3b24 to 2220e4d Compare May 2, 2024 17:56
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 3, 2024
@@ -52,7 +52,7 @@ var _ = Describe("ClusterRole generated by the RBAC Generator", func() {
Expect(err).NotTo(HaveOccurred())

By("parsing the desired YAML")
for i, expectedRoleBytes := range bytes.Split(expectedFile, []byte("\n---\n"))[1:] {
for i, expectedRoleBytes := range bytes.Split(expectedFile, []byte("\n---\n")) {
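Review bot: dropping `[1:]` from the `for i, expectedRoleBytes := range bytes.Split(expectedFile, []byte("\n---\n"))` loop is only safe while the golden file begins with `---\n` rather than with the `\n---\n` separator itself, since a leading separator makes the first element of the split empty. Consider an `Expect(expectedRoleBytes).NotTo(BeEmpty())` inside the loop, or a comment beside it stating the golden file's leading-separator convention, so a future regeneration of the golden file cannot silently compare against an empty first document.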

Note: this change allows using the directly generated output as the golden file. The [1:] is not necessary anymore because the document starts with ---\n


@sbueringer sbueringer left a comment


A few smaller findings and some ideas to test more before merge

@chrischdi

Could you also open a PR against core CAPI using this PR? (doesn't have to be a clean install of the binary, just want to validate the differences in generated roles)

(I would also bump to CT main once this PR merges in CAPI)

Example PR: kubernetes-sigs/cluster-api#10612

@sbueringer

Thx!

CAPI PR looks entirely as expected

Really nice optimization, Roles look much cleaner now

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 14, 2024
@k8s-ci-robot

LGTM label has been added.

Git tree hash: 3578a43773ef68570ca017fb76ea52b800335039

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrischdi, sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2024
@k8s-ci-robot k8s-ci-robot merged commit ed2fbe2 into kubernetes-sigs:master May 14, 2024
7 checks passed
@pmalek

pmalek commented Aug 15, 2024

Just tested 0.16.1 with this change and there's 1 little quirk:

If I have 2 different but logically identical codemarkers:

//+kubebuilder:rbac:groups=core,resources=events,verbs=create;patch

and

// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch

I'll get the following generated with 0.16.1:

rules:
- apiGroups:
  - ""
  - ""
  resources:
  - events
  verbs:
  - create
  - patch

The workaround is to use the same apigroup everywhere.
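The grouping the PR description lays out (separate by resource, then merge apiGroups when everything else matches) together with the `core` versus `""` quirk reported above, as an added illustration in Go. This is not controller-gen's code; `Rule`, `key` and `Dedup` are hypothetical names, and the input in `main` is constructed from the two markers shown. It folds the `core` marker spelling into `""` before taking the union of apiGroups, so the two markers collapse into one rule with a single `""` group.

```go
package main

import (
	"fmt"
	"slices"
)

// Rule holds the PolicyRule fields that matter here (hypothetical type, not controller-gen's).
type Rule struct{ APIGroups, Resources, ResourceNames, URLs, Verbs []string }

// sortedSet returns a sorted copy of in with duplicates removed.
func sortedSet(in []string) []string {
	s := slices.Clone(in)
	slices.Sort(s)
	return slices.Compact(s)
}

// key identifies rules that are identical except for apiGroups (%q keeps fields unambiguous).
func key(r Rule) string {
	return fmt.Sprintf("%q", [][]string{sortedSet(r.Resources), sortedSet(r.ResourceNames),
		sortedSet(r.URLs), sortedSet(r.Verbs)})
}

// Dedup merges rules sharing resources, resourceNames, urls and verbs into one rule whose
// apiGroups is the union, folding the "core" spelling into "" so the core group is listed once.
func Dedup(rules []Rule) []*Rule {
	byKey, order := map[string]*Rule{}, []*Rule{}
	for _, r := range rules {
		k := key(r)
		if _, ok := byKey[k]; !ok {
			byKey[k] = &Rule{Resources: sortedSet(r.Resources), ResourceNames: sortedSet(r.ResourceNames),
				URLs: sortedSet(r.URLs), Verbs: sortedSet(r.Verbs)}
			order = append(order, byKey[k]) // first-seen order keeps the output deterministic
		}
		for _, g := range r.APIGroups {
			if g == "core" {
				g = "" // RBAC names the core group "", so "core" and "" must not both survive
			}
			byKey[k].APIGroups = sortedSet(append(byKey[k].APIGroups, g))
		}
	}
	return order
}

func main() { // constructed input: the two markers pmalek shows, differing only in group spelling
	fmt.Printf("%+v\n", *Dedup([]Rule{
		{APIGroups: []string{"core"}, Resources: []string{"events"}, Verbs: []string{"create", "patch"}},
		{APIGroups: []string{""}, Resources: []string{"events"}, Verbs: []string{"create", "patch"}},
	})[0])
}
```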

@sbueringer

Ah interesting. Can you open an issue for that, please?

We should be able to improve this further :)

(cc @chrischdi, maybe you have some time to look into it (let's also add test coverage for this case))

@pmalek

pmalek commented Aug 15, 2024

Ah interesting. Can you open an issue for that, please?

We should be able to improve this further :)

(cc @chrischdi, maybe you have some time to look into it (let's also add test coverage for this case))

@sbueringer #1036

@rakesh-garimella

Hi @chrischdi, I tested the change with 0.16.1. Found one possible issue. We have some codemarkers for nonResourceURLs:

//+kubebuilder:rbac:urls=/metrics,verbs=get
//+kubebuilder:rbac:urls=/metrics/cadvisor,verbs=get

But after generating the manifests, these RBAC rules are missing.

@chrischdi

Thanks for reporting @rakesh-garimella.

#1044 should fix this.
