Aggregate cluster-reader role #20279
Conversation
openshift-ci-robot
added
sig/security
size/M
openshift-ci-robot
added
size/L
|
/retest |
| }, | ||
| }, | ||
| { | ||
| ObjectMeta: metav1.ObjectMeta{Name: AggregatedClusterReaderRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}}, |
| @@ -173,30 +179,23 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole { | |||
|
|
|||
| rbacv1helpers.NewRule(read...).Groups(authzGroup, legacyAuthzGroup).Resources("clusterroles", "clusterrolebindings", "roles", "rolebindings", "rolebindingrestrictions").RuleOrDie(), | |||
|
|
|||
| rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "builds/details", "buildconfigs", "buildconfigs/webhooks", "builds/log").RuleOrDie(), | |||
| rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/details").RuleOrDie(), | |||
| ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}}, | ||
| ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{ | ||
| "rbac.authorization.k8s.io/aggregate-to-view": "true", | ||
| "rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true", |
There was a problem hiding this comment.
this isn't going to end well for you. No one "normal" will add to this.
| }, | ||
| }, | ||
| { | ||
| ObjectMeta: metav1.ObjectMeta{Name: AggregatedClusterReaderRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}}, |
There was a problem hiding this comment.
you want "rbac.authorization.k8s.io/aggregate-to-view" too right? Otherwise nothing from upstream or the community will aggregate the way you want.
There was a problem hiding this comment.
These are the current rules to initially aggregate to cluster-reader, why aggregate them to view also? My intent was to assemble cluster-reader by aggregating the current rules plus view into cluster-reader.
There was a problem hiding this comment.
Sorry commented on the wrong line. the selector needs that. I may have been in the wrong spot in the file.
There was a problem hiding this comment.
No problem, I thought that may have been the case, so I tried updating the cluster-reader role's MatchLabel with both aggregate-to-cluster-reader and aggregate-to-view labels, but nothing gets aggregated. I think that matching on two labels means a to-aggregate role must have both labels.
There was a problem hiding this comment.
No problem, I thought that may have been the case, so I tried updating the cluster-reader role's MatchLabel with both aggregate-to-cluster-reader and aggregate-to-view labels, but nothing gets aggregated. I think that matching on two labels means a to-aggregate role must have both labels.
I wrote it to OR them. Try adding a second label selector instead of adding to the first selector
|
The idea is fine. I think you need to aggregate more than you currently are and I would suggest doing a separate pull to prune the old role. |
Turn cluster-reader into an aggregate-able role and aggregate view into it. The aggregation of view results in adding the following rules to cluster-reader: - imagestreammappings: get list watch - imagestreammappings.image.openshift.io: get list watch - jenkins.build.openshift.io: view
mrogers950
force-pushed
the
aggregate-cr
branch
2 times, most recently
from
8d0c4df
to
2195841
Compare
|
/retest |
| @@ -65,6 +65,7 @@ var rolesToHide = sets.NewString( | |||
| "system:openshift:aggregate-to-admin", | |||
| "system:openshift:aggregate-to-edit", | |||
| "system:openshift:aggregate-to-view", | |||
| "system:openshift:aggregate-to-cluster-reader", | |||
There was a problem hiding this comment.
@openshift/origin-web-console-committers I've added a new role here that I think should be hidden to the end user, (heads up per the test's comment)
There was a problem hiding this comment.
@mrogers950 @enj aha, the test lives! But we can eliminate that test, might be a good time to do so?
There was a problem hiding this comment.
@benjaminapetersen I can do a follow-up to get rid of this test if it's no longer useful.
There was a problem hiding this comment.
@mrogers950 sounds good. Happy to chat about it if that would be helpful.
|
@deads2k should be all set. If there's no other changes needed can we merge this in 3.11 or should we defer it? |
|
@deads2k PTAL |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, mrogers950 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
4 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
Turn cluster-reader into an aggregate-able role. Aggregate the view role
into cluster-reader and remove duplicates from the stock cluster-reader
role.
@openshift/sig-security @smarterclayton @deads2k