Aggregate cluster-reader role

Matt Rogers · Matt Rogers · commit 2d391225789a · 2018-07-10T15:55:01.000-04:00
Turn cluster-reader into an aggregate-able role. Aggregate the view role
into cluster-reader and remove duplicates from the stock cluster-reader
role.
diff --git a/pkg/cmd/server/bootstrappolicy/constants.go b/pkg/cmd/server/bootstrappolicy/constants.go
@@ -53,22 +53,23 @@ const (
 
 // Roles
 const (
-	ClusterAdminRoleName       = "cluster-admin"
-	SudoerRoleName             = "sudoer"
-	ScopeImpersonationRoleName = "system:scope-impersonation"
-	ClusterReaderRoleName      = "cluster-reader"
-	StorageAdminRoleName       = "storage-admin"
-	ClusterDebuggerRoleName    = "cluster-debugger"
-	AdminRoleName              = "admin"
-	EditRoleName               = "edit"
-	ViewRoleName               = "view"
-	AggregatedAdminRoleName    = "system:openshift:aggregate-to-admin"
-	AggregatedEditRoleName     = "system:openshift:aggregate-to-edit"
-	AggregatedViewRoleName     = "system:openshift:aggregate-to-view"
-	SelfProvisionerRoleName    = "self-provisioner"
-	BasicUserRoleName          = "basic-user"
-	StatusCheckerRoleName      = "cluster-status"
-	SelfAccessReviewerRoleName = "self-access-reviewer"
+	ClusterAdminRoleName            = "cluster-admin"
+	SudoerRoleName                  = "sudoer"
+	ScopeImpersonationRoleName      = "system:scope-impersonation"
+	ClusterReaderRoleName           = "cluster-reader"
+	StorageAdminRoleName            = "storage-admin"
+	ClusterDebuggerRoleName         = "cluster-debugger"
+	AdminRoleName                   = "admin"
+	EditRoleName                    = "edit"
+	ViewRoleName                    = "view"
+	AggregatedAdminRoleName         = "system:openshift:aggregate-to-admin"
+	AggregatedEditRoleName          = "system:openshift:aggregate-to-edit"
+	AggregatedViewRoleName          = "system:openshift:aggregate-to-view"
+	AggregatedClusterReaderRoleName = "system:openshift:aggregate-to-cluster-reader"
+	SelfProvisionerRoleName         = "self-provisioner"
+	BasicUserRoleName               = "basic-user"
+	StatusCheckerRoleName           = "cluster-status"
+	SelfAccessReviewerRoleName      = "self-access-reviewer"
 
 	RegistryAdminRoleName  = "registry-admin"
 	RegistryViewerRoleName = "registry-viewer"
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -131,6 +131,12 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: ClusterReaderRoleName,
 			},
+			AggregationRule: &rbacv1.AggregationRule{
+				ClusterRoleSelectors: []metav1.LabelSelector{{MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}}},
+			},
+		},
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: AggregatedClusterReaderRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}},
 			Rules: []rbacv1.PolicyRule{
 				rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "endpoints", "events", "limitranges",
 					"namespaces", "namespaces/status", "nodes", "nodes/status", "persistentvolumeclaims", "persistentvolumeclaims/status", "persistentvolumes",
@@ -173,30 +179,23 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 
 				rbacv1helpers.NewRule(read...).Groups(authzGroup, legacyAuthzGroup).Resources("clusterroles", "clusterrolebindings", "roles", "rolebindings", "rolebindingrestrictions").RuleOrDie(),
 
-				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "builds/details", "buildconfigs", "buildconfigs/webhooks", "builds/log").RuleOrDie(),
+				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/details").RuleOrDie(),
 
-				rbacv1helpers.NewRule(read...).Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs", "deploymentconfigs/scale", "deploymentconfigs/log",
-					"deploymentconfigs/status").RuleOrDie(),
-
-				rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures", "imagestreams", "imagestreamtags", "imagestreamimages",
-					"imagestreams/status").RuleOrDie(),
+				rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures").RuleOrDie(),
 				// pull images
 				rbacv1helpers.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(oauthGroup, legacyOauthGroup).Resources("oauthclientauthorizations").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(projectGroup, legacyProjectGroup).Resources("projectrequests", "projects").RuleOrDie(),
 
-				rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("appliedclusterresourcequotas", "clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
-
-				rbacv1helpers.NewRule(read...).Groups(routeGroup, legacyRouteGroup).Resources("routes", "routes/status").RuleOrDie(),
+				rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks", "egressnetworkpolicies", "hostsubnets", "netnamespaces").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(securityGroup, legacySecurityGroup).Resources("securitycontextconstraints").RuleOrDie(),
 				rbacv1helpers.NewRule(read...).Groups(securityGroup).Resources("rangeallocations").RuleOrDie(),
 
-				rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("templates", "templateconfigs", "processedtemplates", "templateinstances").RuleOrDie(),
 				rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("brokertemplateinstances", "templateinstances/status").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(userGroup, legacyUserGroup).Resources("groups", "identities", "useridentitymappings", "users").RuleOrDie(),
@@ -215,10 +214,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 				rbacv1helpers.NewRule("get", "create").Groups(kapiGroup).Resources("nodes/" + NodeStatsSubresource).RuleOrDie(),
 
 				rbacv1helpers.NewRule("get").URLs(rbac.NonResourceAll).RuleOrDie(),
-
-				// backwards compatibility
-				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("buildlogs").RuleOrDie(),
-				rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("resourcequotausages").RuleOrDie(),
 			},
 		},
 		{
@@ -363,7 +358,10 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 		{
 			// a role for namespace level viewing.  It grants Read-only access to non-escalating resources in
 			// a namespace.
-			ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
+			ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{
+				"rbac.authorization.k8s.io/aggregate-to-view":           "true",
+				"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true",
+			}},
 			Rules: []rbacv1.PolicyRule{
 				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "buildconfigs", "buildconfigs/webhooks").RuleOrDie(),
 				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/log").RuleOrDie(),
@@ -1010,8 +1008,9 @@ func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding {
 
 func GetBootstrapClusterRolesToAggregate() map[string]string {
 	return map[string]string{
-		AdminRoleName: AggregatedAdminRoleName,
-		EditRoleName:  AggregatedEditRoleName,
-		ViewRoleName:  AggregatedViewRoleName,
+		AdminRoleName:         AggregatedAdminRoleName,
+		EditRoleName:          AggregatedEditRoleName,
+		ViewRoleName:          AggregatedViewRoleName,
+		ClusterReaderRoleName: AggregatedClusterReaderRoleName,
 	}
 }
