use the upstream RBAC roles for reconciliation

openshift · Aug 14, 2018 · 004c02d · 004c02d
1 parent 2ff79b1
commit 004c02d
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 64 deletions.
diff --git a/pkg/cmd/server/bootstrappolicy/constants.go b/pkg/cmd/server/bootstrappolicy/constants.go
@@ -96,7 +96,7 @@ const (
 	SDNManagerRoleName        = "system:sdn-manager"
 	OAuthTokenDeleterRoleName = "system:oauth-token-deleter"
 	WebHooksRoleName          = "system:webhook"
-	DiscoveryRoleName         = "system:discovery"
+	DiscoveryRoleName         = "system:openshift:discovery"
 
 	// NodeAdmin has full access to the API provided by the kubelet
 	NodeAdminRoleName = "system:node-admin"
@@ -127,7 +127,7 @@ const (
 	NodeAdminRoleBindingName          = NodeAdminRoleName + "s"
 	SDNReaderRoleBindingName          = SDNReaderRoleName + "s"
 	WebHooksRoleBindingName           = WebHooksRoleName + "s"
-	DiscoveryRoleBindingName          = DiscoveryRoleName + "-binding"
+	DiscoveryRoleBindingName          = DiscoveryRoleName
 
 	OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s"
 

diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -102,18 +102,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 	// four resource can be a single line
 	// up to ten-ish resources per line otherwise
 	clusterRoles := []rbacv1.ClusterRole{
-		{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: ClusterAdminRoleName,
-				Annotations: map[string]string{
-					oapi.OpenShiftDescription: "A super-user that can perform any action in the cluster. When granted to a user within a project, they have full control over quota and membership and can perform every action on every resource in the project.",
-				},
-			},
-			Rules: []rbacv1.PolicyRule{
-				rbacv1helpers.NewRule(rbacv1.VerbAll).Groups(rbacv1.APIGroupAll).Resources(rbacv1.ResourceAll).RuleOrDie(),
-				rbacv1helpers.NewRule(rbacv1.VerbAll).URLs(rbacv1.NonResourceAll).RuleOrDie(),
-			},
-		},
 		{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: SudoerRoleName,
@@ -741,7 +729,6 @@ func GetBootstrapClusterRoles() []rbacv1.ClusterRole {
 	// so add them to this list.
 	openshiftClusterRoles = append(openshiftClusterRoles, GetDeadClusterRoles()...)
 	kubeClusterRoles := bootstrappolicy.ClusterRoles()
-	kubeSAClusterRoles := bootstrappolicy.ControllerRoles()
 	openshiftControllerRoles := ControllerRoles()
 
 	// Eventually openshift controllers and kube controllers have different prefixes
@@ -757,26 +744,14 @@ func GetBootstrapClusterRoles() []rbacv1.ClusterRole {
 	}
 
 	conflictingNames := kubeClusterRoleNames.Intersection(openshiftClusterRoleNames)
-	extraRBACConflicts := conflictingNames.Difference(clusterRoleConflicts)
-	extraWhitelistEntries := clusterRoleConflicts.Difference(conflictingNames)
-	switch {
-	case len(extraRBACConflicts) > 0 && len(extraWhitelistEntries) > 0:
-		panic(fmt.Sprintf("kube ClusterRoles conflict with openshift ClusterRoles: %v and ClusterRole whitelist contains a extraneous entries: %v ", extraRBACConflicts.List(), extraWhitelistEntries.List()))
-	case len(extraRBACConflicts) > 0:
-		panic(fmt.Sprintf("kube ClusterRoles conflict with openshift ClusterRoles: %v", extraRBACConflicts.List()))
-	case len(extraWhitelistEntries) > 0:
-		panic(fmt.Sprintf("ClusterRole whitelist contains a extraneous entries: %v", extraWhitelistEntries.List()))
+	if len(conflictingNames) > 0 {
+		panic(fmt.Sprintf("kube ClusterRoles conflict with openshift ClusterRoles: %v", conflictingNames.List()))
 	}
 
 	finalClusterRoles := []rbacv1.ClusterRole{}
 	finalClusterRoles = append(finalClusterRoles, openshiftClusterRoles...)
 	finalClusterRoles = append(finalClusterRoles, openshiftControllerRoles...)
-	finalClusterRoles = append(finalClusterRoles, kubeSAClusterRoles...)
-	for i := range kubeClusterRoles {
-		if !clusterRoleConflicts.Has(kubeClusterRoles[i].Name) {
-			finalClusterRoles = append(finalClusterRoles, kubeClusterRoles[i])
-		}
-	}
+	finalClusterRoles = append(finalClusterRoles, kubeClusterRoles...)
 
 	// TODO we should not do this for kube cluster roles since we cannot control them once we run on top of kube
 	// conditionally add the web console annotations
@@ -915,7 +890,6 @@ func GetBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding {
 	openshiftClusterRoleBindings = append(openshiftClusterRoleBindings, GetDeadClusterRoleBindings()...)
 
 	kubeClusterRoleBindings := bootstrappolicy.ClusterRoleBindings()
-	kubeControllerClusterRoleBindings := bootstrappolicy.ControllerRoleBindings()
 	openshiftControllerClusterRoleBindings := ControllerRoleBindings()
 
 	// openshift controllers and kube controllers have different prefixes
@@ -930,44 +904,17 @@ func GetBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding {
 	}
 
 	conflictingNames := kubeClusterRoleBindingNames.Intersection(openshiftClusterRoleBindingNames)
-	extraRBACConflicts := conflictingNames.Difference(clusterRoleBindingConflicts)
-	extraWhitelistEntries := clusterRoleBindingConflicts.Difference(conflictingNames)
-	switch {
-	case len(extraRBACConflicts) > 0 && len(extraWhitelistEntries) > 0:
-		panic(fmt.Sprintf("kube ClusterRoleBindings conflict with openshift ClusterRoleBindings: %v and ClusterRoleBinding whitelist contains a extraneous entries: %v ", extraRBACConflicts.List(), extraWhitelistEntries.List()))
-	case len(extraRBACConflicts) > 0:
-		panic(fmt.Sprintf("kube ClusterRoleBindings conflict with openshift ClusterRoleBindings: %v", extraRBACConflicts.List()))
-	case len(extraWhitelistEntries) > 0:
-		panic(fmt.Sprintf("ClusterRoleBinding whitelist contains a extraneous entries: %v", extraWhitelistEntries.List()))
+	if len(conflictingNames) > 0 {
+		panic(fmt.Sprintf("kube ClusterRoleBindings conflict with openshift ClusterRoleBindings: %v", conflictingNames.List()))
 	}
 
 	finalClusterRoleBindings := []rbacv1.ClusterRoleBinding{}
 	finalClusterRoleBindings = append(finalClusterRoleBindings, openshiftClusterRoleBindings...)
-	finalClusterRoleBindings = append(finalClusterRoleBindings, kubeControllerClusterRoleBindings...)
 	finalClusterRoleBindings = append(finalClusterRoleBindings, openshiftControllerClusterRoleBindings...)
-	for i := range kubeClusterRoleBindings {
-		if !clusterRoleBindingConflicts.Has(kubeClusterRoleBindings[i].Name) {
-			finalClusterRoleBindings = append(finalClusterRoleBindings, kubeClusterRoleBindings[i])
-		}
-	}
 
 	return finalClusterRoleBindings
 }
 
-// clusterRoleConflicts lists the roles which are known to conflict with upstream and which we have manually
-// deconflicted with our own.
-var clusterRoleConflicts = sets.NewString(
-	// TODO this should probably be re-swizzled to be the delta on top of the kube role
-	"system:discovery",
-
-	// TODO these should be reconsidered
-	"cluster-admin",
-)
-
-// clusterRoleBindingConflicts lists the roles which are known to conflict with upstream and which we have manually
-// deconflicted with our own.
-var clusterRoleBindingConflicts = sets.NewString()
-
 // The current list of roles considered useful for normal users (non-admin)
 var rolesToShow = sets.NewString(
 	"admin",

diff --git a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
@@ -66,6 +66,7 @@ var rolesToHide = sets.NewString(
 	"system:openshift:aggregate-to-edit",
 	"system:openshift:aggregate-to-view",
 	"system:openshift:aggregate-to-cluster-reader",
+	"system:openshift:discovery",
 	"system:kubelet-api-admin",
 	"system:volume-scheduler",
 )

diff --git a/pkg/cmd/server/kubernetes/master/master_config.go b/pkg/cmd/server/kubernetes/master/master_config.go
@@ -51,7 +51,6 @@ import (
 	"k8s.io/kubernetes/pkg/registry/cachesize"
 	"k8s.io/kubernetes/pkg/registry/core/endpoint"
 	endpointsstorage "k8s.io/kubernetes/pkg/registry/core/endpoint/storage"
-	rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest"
 	kversion "k8s.io/kubernetes/pkg/version"
 
 	"github.com/openshift/library-go/pkg/crypto"
@@ -412,9 +411,6 @@ func (rc *incompleteKubeMasterConfig) Complete(
 	genericConfig.PublicAddress = publicAddress
 	genericConfig.Authentication.Authenticator = originAuthenticator // this is used to fulfill the tokenreviews endpoint which is used by node authentication
 	genericConfig.Authorization.Authorizer = kubeAuthorizer          // this is used to fulfill the kube SAR endpoints
-	genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName)
-	// This disables the ThirdPartyController which removes handlers from our go-restful containers.  The remove functionality is broken and destroys the serve mux.
-	genericConfig.DisabledPostStartHooks.Insert("extensions/third-party-resources")
 	genericConfig.AdmissionControl = admissionControl
 	genericConfig.RequestInfoResolver = configprocessing.OpenshiftRequestInfoResolver()
 	genericConfig.OpenAPIConfig = configprocessing.DefaultOpenAPIConfig(masterConfig)

diff --git a/test/integration/master_routes_test.go b/test/integration/master_routes_test.go
@@ -125,6 +125,7 @@ var expectedIndex = []string{
 	"/healthz/poststarthook/project.openshift.io-projectauthorizationcache",
 	"/healthz/poststarthook/project.openshift.io-projectcache",
 	"/healthz/poststarthook/quota.openshift.io-clusterquotamapping",
+	"/healthz/poststarthook/rbac/bootstrap-roles",
 	"/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
 	"/healthz/poststarthook/security.openshift.io-bootstrapscc",
 	"/healthz/poststarthook/start-apiextensions-controllers",