
Commit aadac85

author
Matt Rogers
committed
Aggregate cluster-reader role
Turn cluster-reader into an aggregate-able role. Aggregate the view role into cluster-reader and remove duplicates from the stock cluster-reader role. Update test fixtures.
1 parent 528fc4b commit aadac85

3 files changed

+51
-95
lines changed


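--- a/pkg/cmd/server/bootstrappolicy/constants.go
+++ b/pkg/cmd/server/bootstrappolicy/constants.go
@@ -53,22 +53,23 @@ const (
 
 // Roles
 const (
-ClusterAdminRoleName = "cluster-admin"
-SudoerRoleName = "sudoer"
-ScopeImpersonationRoleName = "system:scope-impersonation"
-ClusterReaderRoleName = "cluster-reader"
-StorageAdminRoleName = "storage-admin"
-ClusterDebuggerRoleName = "cluster-debugger"
-AdminRoleName = "admin"
-EditRoleName = "edit"
-ViewRoleName = "view"
-AggregatedAdminRoleName = "system:openshift:aggregate-to-admin"
-AggregatedEditRoleName = "system:openshift:aggregate-to-edit"
-AggregatedViewRoleName = "system:openshift:aggregate-to-view"
-SelfProvisionerRoleName = "self-provisioner"
-BasicUserRoleName = "basic-user"
-StatusCheckerRoleName = "cluster-status"
-SelfAccessReviewerRoleName = "self-access-reviewer"
+ClusterAdminRoleName = "cluster-admin"
+SudoerRoleName = "sudoer"
+ScopeImpersonationRoleName = "system:scope-impersonation"
+ClusterReaderRoleName = "cluster-reader"
+StorageAdminRoleName = "storage-admin"
+ClusterDebuggerRoleName = "cluster-debugger"
+AdminRoleName = "admin"
+EditRoleName = "edit"
+ViewRoleName = "view"
+AggregatedAdminRoleName = "system:openshift:aggregate-to-admin"
+AggregatedEditRoleName = "system:openshift:aggregate-to-edit"
+AggregatedViewRoleName = "system:openshift:aggregate-to-view"
+AggregatedClusterReaderRoleName = "system:openshift:aggregate-to-cluster-reader"
+SelfProvisionerRoleName = "self-provisioner"
+BasicUserRoleName = "basic-user"
+StatusCheckerRoleName = "cluster-status"
+SelfAccessReviewerRoleName = "self-access-reviewer"
 
 RegistryAdminRoleName = "registry-admin"
 RegistryViewerRoleName = "registry-viewer"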
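Review bot: The label key that pairs with the new `AggregatedClusterReaderRoleName` constant, `rbac.authorization.k8s.io/aggregate-to-cluster-reader`, is not declared here but written out as a string literal three times in policy.go (the cluster-reader selector, the labels of the aggregate-to-cluster-reader role, and the labels added to the aggregate-to-view role). A typo at any one of those sites would not fail compilation; the selector would simply match fewer roles and cluster-reader, which the updated fixture shows shipping with `rules: null`, would silently lose permissions. Suggest declaring it next to the role name, `AggregateToClusterReaderLabel = "rbac.authorization.k8s.io/aggregate-to-cluster-reader"`, and referencing that constant at the three policy.go sites.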

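--- a/pkg/cmd/server/bootstrappolicy/policy.go
+++ b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -131,6 +131,12 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 ObjectMeta: metav1.ObjectMeta{
 Name: ClusterReaderRoleName,
 },
+AggregationRule: &rbacv1.AggregationRule{
+ClusterRoleSelectors: []metav1.LabelSelector{{MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}}},
+},
+},
+{
+ObjectMeta: metav1.ObjectMeta{Name: AggregatedClusterReaderRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "endpoints", "events", "limitranges",
 "namespaces", "namespaces/status", "nodes", "nodes/status", "persistentvolumeclaims", "persistentvolumeclaims/status", "persistentvolumes",
@@ -173,30 +179,23 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 
 rbacv1helpers.NewRule(read...).Groups(authzGroup, legacyAuthzGroup).Resources("clusterroles", "clusterrolebindings", "roles", "rolebindings", "rolebindingrestrictions").RuleOrDie(),
 
-rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "builds/details", "buildconfigs", "buildconfigs/webhooks", "builds/log").RuleOrDie(),
+rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/details").RuleOrDie(),
 
-rbacv1helpers.NewRule(read...).Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs", "deploymentconfigs/scale", "deploymentconfigs/log",
-"deploymentconfigs/status").RuleOrDie(),
-
-rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures", "imagestreams", "imagestreamtags", "imagestreamimages",
-"imagestreams/status").RuleOrDie(),
+rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures").RuleOrDie(),
 // pull images
 rbacv1helpers.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(),
 
 rbacv1helpers.NewRule(read...).Groups(oauthGroup, legacyOauthGroup).Resources("oauthclientauthorizations").RuleOrDie(),
 
 rbacv1helpers.NewRule(read...).Groups(projectGroup, legacyProjectGroup).Resources("projectrequests", "projects").RuleOrDie(),
 
-rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("appliedclusterresourcequotas", "clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
-
-rbacv1helpers.NewRule(read...).Groups(routeGroup, legacyRouteGroup).Resources("routes", "routes/status").RuleOrDie(),
+rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
 
 rbacv1helpers.NewRule(read...).Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks", "egressnetworkpolicies", "hostsubnets", "netnamespaces").RuleOrDie(),
 
 rbacv1helpers.NewRule(read...).Groups(securityGroup, legacySecurityGroup).Resources("securitycontextconstraints").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(securityGroup).Resources("rangeallocations").RuleOrDie(),
 
-rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("templates", "templateconfigs", "processedtemplates", "templateinstances").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("brokertemplateinstances", "templateinstances/status").RuleOrDie(),
 
 rbacv1helpers.NewRule(read...).Groups(userGroup, legacyUserGroup).Resources("groups", "identities", "useridentitymappings", "users").RuleOrDie(),
@@ -215,10 +214,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule("get", "create").Groups(kapiGroup).Resources("nodes/" + NodeStatsSubresource).RuleOrDie(),
 
 rbacv1helpers.NewRule("get").URLs(rbac.NonResourceAll).RuleOrDie(),
-
-// backwards compatibility
-rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("buildlogs").RuleOrDie(),
-rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("resourcequotausages").RuleOrDie(),
 },
 },
 {
@@ -363,7 +358,10 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 {
 // a role for namespace level viewing. It grants Read-only access to non-escalating resources in
 // a namespace.
-ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
+ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{
+"rbac.authorization.k8s.io/aggregate-to-view": "true",
+"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true",
+}},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "buildconfigs", "buildconfigs/webhooks").RuleOrDie(),
 rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/log").RuleOrDie(),
@@ -1010,8 +1008,9 @@ func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding {
 
 func GetBootstrapClusterRolesToAggregate() map[string]string {
 return map[string]string{
-AdminRoleName: AggregatedAdminRoleName,
-EditRoleName: AggregatedEditRoleName,
-ViewRoleName: AggregatedViewRoleName,
+AdminRoleName: AggregatedAdminRoleName,
+EditRoleName: AggregatedEditRoleName,
+ViewRoleName: AggregatedViewRoleName,
+ClusterReaderRoleName: AggregatedClusterReaderRoleName,
 }
 }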

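--- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -66,14 +66,29 @@ items:
 - userextras/scopes.authorization.openshift.io
 verbs:
 - impersonate
-- apiVersion: rbac.authorization.k8s.io/v1
+- aggregationRule:
+clusterRoleSelectors:
+- matchLabels:
+rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 annotations:
 authorization.openshift.io/system-only: "true"
 rbac.authorization.kubernetes.io/autoupdate: "true"
 creationTimestamp: null
 name: cluster-reader
+rules: null
+- apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+annotations:
+authorization.openshift.io/system-only: "true"
+rbac.authorization.kubernetes.io/autoupdate: "true"
+creationTimestamp: null
+labels:
+rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+name: system:openshift:aggregate-to-cluster-reader
 rules:
 - apiGroups:
 - ""
@@ -293,23 +308,7 @@ items:
 - ""
 - build.openshift.io
 resources:
-- buildconfigs
-- buildconfigs/webhooks
-- builds
 - builds/details
-- builds/log
-verbs:
-- get
-- list
-- watch
-- apiGroups:
-- ""
-- apps.openshift.io
-resources:
-- deploymentconfigs
-- deploymentconfigs/log
-- deploymentconfigs/scale
-- deploymentconfigs/status
 verbs:
 - get
 - list
@@ -320,10 +319,6 @@ items:
 resources:
 - images
 - imagesignatures
-- imagestreamimages
-- imagestreams
-- imagestreams/status
-- imagestreamtags
 verbs:
 - get
 - list
@@ -358,23 +353,12 @@ items:
 - ""
 - quota.openshift.io
 resources:
-- appliedclusterresourcequotas
 - clusterresourcequotas
 - clusterresourcequotas/status
 verbs:
 - get
 - list
 - watch
-- apiGroups:
-- ""
-- route.openshift.io
-resources:
-- routes
-- routes/status
-verbs:
-- get
-- list
-- watch
 - apiGroups:
 - ""
 - network.openshift.io
@@ -404,18 +388,6 @@ items:
 - get
 - list
 - watch
-- apiGroups:
-- ""
-- template.openshift.io
-resources:
-- processedtemplates
-- templateconfigs
-- templateinstances
-- templates
-verbs:
-- get
-- list
-- watch
 - apiGroups:
 - ""
 - template.openshift.io
@@ -492,23 +464,6 @@ items:
 - '*'
 verbs:
 - get
-- apiGroups:
-- ""
-- build.openshift.io
-resources:
-- buildlogs
-verbs:
-- get
-- list
-- watch
-- apiGroups:
-- ""
-resources:
-- resourcequotausages
-verbs:
-- get
-- list
-- watch
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -1170,6 +1125,7 @@ items:
 rbac.authorization.kubernetes.io/autoupdate: "true"
 creationTimestamp: null
 labels:
+rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
 rbac.authorization.k8s.io/aggregate-to-view: "true"
 name: system:openshift:aggregate-to-view
 rules: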
