[v14] Fix downgrade logic of KubernetesResources to Role v6 #36009

Merged
merged 1 commit into from Dec 22, 2023

Conversation

tigrato
Contributor

@tigrato tigrato commented Dec 22, 2023

Backport #35991 to branch/v14

Changelog: Fix downgrade logic of KubernetesResources to Role v6

`KubernetesResources` were improperly downgraded when they grant access
to all resources.

In that case, the role was downgraded to something that can't be used to
access Kubernetes clusters but they could have been downgraded to a
`Role` v6 with the same permissions as the `KubernetesResources`.

This commit fixes the downgrade logic to downgrade to a `Role` v6 with
the same permissions as the `KubernetesResources`.

A role v7 with

```yaml
kubernetes_labels:
  '*': '*'
kubernetes_resources:
- kind: pod
  name: '*'
  namespace: '*'
  verbs:
  - '*'
```

is downgraded to a role v6 with

```yaml
kubernetes_labels:
  '*': '*'
kubernetes_resources:
- kind: pod
  name: '*'
  namespace: '*'
```

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
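
The following sketch is an added example, not part of the PR and not Teleport's implementation. It shows why dropping `verbs` is only a safe downgrade when the v7 entry already grants every verb. The `KubeResource` type and `DowngradeToV6` function are hypothetical, and the sketch assumes a v6 role has no `verbs` field and only understands `pod` entries.

```go
package main

import "fmt"

// KubeResource is a hypothetical, simplified stand-in for one
// kubernetes_resources entry; it is not Teleport's own type.
type KubeResource struct {
	Kind, Name, Namespace string
	Verbs                 []string // left empty in the v6 form (assumed: v6 has no verbs)
}

const wildcard = "*"

// DowngradeToV6 converts v7 entries to their v6 form. It returns ok=false
// when any entry cannot be expressed without changing what it grants, so
// the caller can fail closed instead of serving a broader role.
func DowngradeToV6(v7 []KubeResource) (v6 []KubeResource, ok bool) {
	for _, r := range v7 {
		// Assumption: v6 only understands pod entries and implies all verbs,
		// so only a wildcard verb list survives the drop unchanged.
		if r.Kind != "pod" || len(r.Verbs) != 1 || r.Verbs[0] != wildcard {
			return nil, false
		}
		v6 = append(v6, KubeResource{Kind: r.Kind, Name: r.Name, Namespace: r.Namespace})
	}
	return v6, true
}

func main() {
	// Constructed inputs: the role from the PR description, then a read-only one.
	full := []KubeResource{{Kind: "pod", Name: "*", Namespace: "*", Verbs: []string{"*"}}}
	readOnly := []KubeResource{{Kind: "pod", Name: "*", Namespace: "*", Verbs: []string{"get"}}}
	for _, in := range [][]KubeResource{full, readOnly} {
		out, ok := DowngradeToV6(in)
		fmt.Printf("ok=%v v6=%+v\n", ok, out)
	}
}
```

A read-only v7 entry is rejected rather than downgraded, because the verb-less v6 form would grant more than the original role.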

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@tigrato tigrato added this pull request to the merge queue Dec 22, 2023
Merged via the queue into branch/v14 with commit 8df12e4 Dec 22, 2023
26 of 27 checks passed
@tigrato tigrato deleted the tigrato/properly-handle-downgrades-b14 branch December 22, 2023 16:27