ClusterRole Aggregation #502

Closed
deads2k opened this Issue Oct 27, 2017 · 16 comments

deads2k commented Oct 27, 2017

Feature Description

@liggitt liggitt added sig/auth and removed sig/api-machinery labels Nov 11, 2017

@liggitt liggitt added this to the v1.9 milestone Nov 13, 2017

@liggitt liggitt added the stage/beta label Nov 13, 2017

k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Nov 14, 2017

Kubernetes Submit Queue
Merge pull request #54005 from deads2k/rbac-02-aggregation
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll 


I added 
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"  # label values are strings; an unquoted true parses as a boolean
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews 

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```
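
The aggregation described in the commit message above, as a small self-contained Go model added here (not code from the pull request or the Kubernetes controller): it computes the union of rules for an aggregated ClusterRole and records which roles contributed each rule, which is the view an RBAC reviewer needs when auditing what feeds into `admin`. The `Rule` and `ClusterRole` types, `matches`, `Aggregate` and the sample roles are assumptions made for illustration.

```go
package main

import "fmt"

const aggLabel = "rbac.authorization.k8s.io/aggregate-to-admin"

// Simplified stand-ins for the RBAC API types (assumed shapes, not k8s.io/api).
type Rule struct{ Group, Resource, Verb string }
type ClusterRole struct {
	Name      string
	Labels    map[string]string
	Selectors []map[string]string // aggregationRule.clusterRoleSelectors[].matchLabels
	Rules     []Rule
}

// matches reports whether labels carries every key/value pair in sel.
func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Aggregate maps each rule in the union to the roles that contributed it.
func Aggregate(target ClusterRole, all []ClusterRole) map[Rule][]string {
	out := map[Rule][]string{}
	for _, r := range all {
		for _, sel := range target.Selectors {
			if r.Name != target.Name && matches(sel, r.Labels) {
				for _, pr := range r.Rules {
					out[pr] = append(out[pr], r.Name)
				}
				break // count a role once even if several selectors match
			}
		}
	}
	return out
}

// Constructed sample: "admin" aggregates, "crd-edit" opts in through its label.
var sample = []ClusterRole{
	{Name: "admin", Selectors: []map[string]string{{aggLabel: "true"}}},
	{Name: "crd-edit", Labels: map[string]string{aggLabel: "true"}, Rules: []Rule{{"example.com", "widgets", "update"}}},
	{Name: "viewer", Rules: []Rule{{"", "secrets", "get"}}},
}

func main() { fmt.Println(Aggregate(sample[0], sample)) }
```

Because the map keys are the rules themselves, a rule granted by several labelled roles appears once with all of its sources listed, so any unexpected contributor to an aggregated role stands out.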

sttts pushed a commit to sttts/api that referenced this issue Nov 14, 2017

Merge pull request #54005 from deads2k/rbac-02-aggregation
Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
Contributor

zacharysarah commented Nov 22, 2017

@deads2k 👋 Please open a documentation PR and add a link to the tracking spreadsheet. Thanks in advance!

sttts pushed a commit to sttts/api that referenced this issue Nov 27, 2017


sttts pushed a commit to sttts/api that referenced this issue Nov 28, 2017


sttts pushed a commit to sttts/api that referenced this issue Nov 28, 2017


sttts pushed a commit to sttts/api that referenced this issue Nov 28, 2017

lookuptable commented Nov 28, 2017

@deads2k Is there a plan to add E2E tests for this feature?

sttts pushed a commit to sttts/api that referenced this issue Nov 28, 2017

Contributor

zacharysarah commented Nov 28, 2017

@deads2k Bump for docs ☝️

/cc @idvoretskyi

Member

ericchiang commented Nov 29, 2017

I can open a docs PR. cc @deads2k

k8s-publishing-bot pushed a commit to k8s-publishing-bot/api that referenced this issue Nov 29, 2017

Author

deads2k commented Nov 29, 2017

> I can open a docs PR. cc @deads2k

Thanks. I forgot that I gave detailed usage in the community pull and didn't open the corresponding website one.

> @deads2k Is there a plan to add E2E tests for this feature?

We use this feature to bootstrap the cluster, so it is tested in every e2e run already.

k8s-publishing-bot pushed a commit to k8s-publishing-bot/api that referenced this issue Dec 7, 2017

fejta-bot commented Feb 27, 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot commented Mar 29, 2018

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

Member

justaugustus commented Apr 17, 2018

@ericchiang @deads2k
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

Author

deads2k commented Apr 17, 2018

The feature has been remarkably stable. I'm ok promoting it as-is.

@kubernetes/sig-auth-api-reviews opinions?

Member

enj commented Apr 17, 2018

IIRC all the bugs we saw were obvious (cluster failed to start) or wiring issues (incorrect upgrade). I do not think we had any issues in the actual controller that backs this feature. I am also unaware of any changes we need to make to the API. Thus I agree with @deads2k.

/remove-lifecycle rotten

@justaugustus justaugustus modified the milestones: v1.9, v1.11 Apr 17, 2018

Member

justaugustus commented Apr 17, 2018

Updated the milestone. Thanks for the feedback, @deads2k + @enj!

AishSundar commented May 23, 2018

@deads2k I saw your earlier reply about e2e tests for this feature. I am following up to see if, and which of, those tests should be promoted to the conformance test suite. Let me know if we already have coverage for this feature in the Conformance suite.

As part of the process to increase conformance coverage, outlined by Conformance WG and Sig-Arch, we expect features going into stable/GA to have representation in Conformance suite. So your update on the same will help us evaluate this feature better.

Member

liggitt commented May 23, 2018

> Let me know if we already have coverage for this feature in Conformance suite

RBAC is not required for a cluster to be conformant, so no conformance tests require it. See discussion in kubernetes/kubernetes#62988

AishSundar commented May 23, 2018

Thanks for the quick followup @liggitt

Member

mistyhacks commented May 24, 2018

@deads2k please fill out the appropriate line item of the 1.11 feature tracking spreadsheet and open a placeholder docs PR against the release-1.11 branch by 5/25/2018 (tomorrow as I write this) if new docs or docs changes are needed and a relevant PR has not yet been opened.

Member

justaugustus commented Jun 27, 2018

Closing this as the feature is GA in 1.11. Please feel free to reopen if there is still a need to track this.
/close
