add --as-group option to cli #43696
Merged
add --as-group option to cli #43696
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
|
Hi @CaoShuFeng. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-github-robot
added
size/M
|
@kubernetes/sig-cli-pr-reviews |
liggitt
reviewed
Mar 28, 2017
| @@ -109,6 +109,9 @@ type AuthInfo struct { | |||
| // Impersonate is the username to act-as. | |||
| // +optional | |||
| Impersonate string `json:"act-as,omitempty"` | |||
| // ImpersonateGroups is the groups to imperonate. | |||
| // +optional | |||
| ImpersonateGroups []string `json:"asgroups,omitempty"` | |||
There was a problem hiding this comment.
for congruence with act-as, act-as-groups?
liggitt
reviewed
Mar 28, 2017
| @@ -103,6 +103,9 @@ type AuthInfo struct { | |||
| // Impersonate is the username to imperonate. The name matches the flag. | |||
| // +optional | |||
| Impersonate string `json:"as,omitempty"` | |||
| // ImpersonateGroups is the groups to imperonate. | |||
| // +optional | |||
| ImpersonateGroups []string `json:"asgroups,omitempty"` | |||
liggitt
reviewed
Mar 28, 2017
| if len(f.LongName) > 0 { | ||
| sliceVal := []string{} | ||
| if len(f.Default) > 0 { | ||
| sliceVal = strings.Split(f.Default, ",") |
There was a problem hiding this comment.
no splitting on , (group names could contain ,), this should just be a StringArrayVarP
liggitt
reviewed
Mar 28, 2017
| FlagEmbedCerts = "embed-certs" | ||
| FlagBearerToken = "token" | ||
| FlagImpersonate = "as" | ||
| FlagImpersonateGroups = "asgroups" |
There was a problem hiding this comment.
--as-group, and can be repeated --as-group=foo --as-group=bar --as-group=baz?
liggitt
reviewed
Mar 28, 2017
| @@ -153,6 +169,7 @@ func RecommendedAuthOverrideFlags(prefix string) AuthOverrideFlags { | |||
| ClientKey: FlagInfo{prefix + FlagKeyFile, "", "", "Path to a client key file for TLS"}, | |||
| Token: FlagInfo{prefix + FlagBearerToken, "", "", "Bearer token for authentication to the API server"}, | |||
| Impersonate: FlagInfo{prefix + FlagImpersonate, "", "", "Username to impersonate for the operation"}, | |||
| ImpersonateGroups: FlagInfo{prefix + FlagImpersonateGroups, "", "", "Groups to impersonate for the operation"}, | |||
There was a problem hiding this comment.
Indicate the flag can be repeated to specify multiple groups
liggitt
added
sig/auth
|
cc @kubernetes/sig-cli-pr-reviews |
liggitt
reviewed
Apr 3, 2017
| if len(f.LongName) > 0 { | ||
| sliceVal := []string{} | ||
| if len(f.Default) > 0 { | ||
| sliceVal = strings.Split(f.Default, " ") |
There was a problem hiding this comment.
can't assume " " is the delimiter... either don't support multi-value defaults or allow setting a slice as the default somehow
|
needs to be exercised in test-cmd (along with --as) # give permissions to gooduser and goodgroup
kubectl create rolebinding good-admin --clusterrole=admin --user=gooduser --group=goodgroup
# these should succeed
kubectl get pods --as=gooduser
kubectl get pods --as=gooduser --as-group=badgroup
kubectl get pods --as=baduser --as-group=goodgroup
# these should fail
kubectl get pods --as=baduser --as-group=badgroup |
|
And |
I wouldn't add that yet... not every bit of API functionality has a corresponding CLI flag. |
|
@liggitt not cli flags necessary, but just in |
Yeah, everything needed to populate ImpersonationConfig should be in the client config type |
I think I need some more suggestions from you. Thanks in advance. Do you think we can upgrade test-cmd to support more RBAC features? |
|
@zhouhaibing089 |
|
@CaoShuFeng I mean adding |
|
@liggitt done |
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
@k8s-bot ok to test |
k8s-ci-robot
removed
the
needs-ok-to-test
liggitt
reviewed
May 12, 2017
hack/make-rules/test-cmd.sh
Outdated
| --admission-control="${ADMISSION_CONTROL}" \ | ||
| --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \ | ||
| --public-address-override="127.0.0.1" \ | ||
| --kubelet-port=${KUBELET_PORT} \ | ||
| --runtime-config=api/v1 \ | ||
| --storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \ | ||
| --cert-dir="${TMPDIR:-/tmp/}" \ | ||
| --service-cluster-ip-range="10.0.0.0/24" 1>&2 & | ||
| --service-cluster-ip-range="10.0.0.0/24" \ | ||
| --token-auth-file=${TOKEN_AUTH_FILE} 1>&2 & |
There was a problem hiding this comment.
--insecure-allow-any-token flag instead of a token file accepts a token in the form "user/group1,group2", and is useful for testing lots of different users without needing a token file
| @@ -153,6 +168,7 @@ func RecommendedAuthOverrideFlags(prefix string) AuthOverrideFlags { | |||
| ClientKey: FlagInfo{prefix + FlagKeyFile, "", "", "Path to a client key file for TLS"}, | |||
| Token: FlagInfo{prefix + FlagBearerToken, "", "", "Bearer token for authentication to the API server"}, | |||
| Impersonate: FlagInfo{prefix + FlagImpersonate, "", "", "Username to impersonate for the operation"}, | |||
| ImpersonateGroups: FlagInfo{prefix + FlagImpersonateGroups, "", "", "Groups to impersonate for the operation, this flag can be repeated to specify multiple groups."}, | |||
hack/make-rules/test-cmd-util.sh
Outdated
|
|
||
| # --as-group | ||
| kubectl create -f hack/testdata/csr.yml "${secure_kube_flags[@]}" --as=user1 --as-group=group1 --as-group=group2 --as-group=,,,chameleon | ||
| kube::test::get_object_assert 'csr/foo' '{{len .spec.groups}}' '3' |
There was a problem hiding this comment.
also check the specific group values
hack/make-rules/test-cmd-util.sh
Outdated
| if kube::test::if_supports_resource "${csr}" ; then | ||
| # --as | ||
| kubectl create -f hack/testdata/csr.yml "${secure_kube_flags[@]}" --as=user1 | ||
| kube::test::get_object_assert 'csr/foo' '{{.spec.username}}' 'user1' |
There was a problem hiding this comment.
should get a single group of system:authenticated in this case (check number of groups and specific value)
liggitt
reviewed
May 12, 2017
hack/make-rules/test-cmd-util.sh
Outdated
| # --as-group | ||
| kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]}" --as=user1 --as-group=group2 --as-group=group1 --as-group=,,,chameleon | ||
| kube::test::get_object_assert 'csr/foo' '{{len .spec.groups}}' '3' | ||
| kube::test::get_object_assert 'csr/foo' '{{range .spec.groups}}{{.}}{{end}}' 'group2group1,,,chameleon' |
There was a problem hiding this comment.
kube::test::get_object_assert 'csr/foo' '{{range .spec.groups}}{{.}} {{end}}' 'group2 group1 ,,,chameleon'?
There was a problem hiding this comment.
Good idea. I will update it next Monday.
The usecase of this change: When a super user grant some RBAC permissions to a group, he can use --as-group to test whether the group get the permissions. Note that now we support as-groups, as-user-extra in kubeconfig file after this change.
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
|
@k8s-bot kubemark e2e test this |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
1 similar comment
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
|
/assign @deads2k |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CaoShuFeng, deads2k, liggitt
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue |
CaoShuFeng
added a commit
to CaoShuFeng/kubernetes.github.io
that referenced
this pull request
Jun 29, 2017
Add doc for this pr: kubernetes/kubernetes#43696
dchen1107
pushed a commit
to kubernetes/website
that referenced
this pull request
Jun 30, 2017
* Minor fixes in the Deployment doc Signed-off-by: Michail Kargakis <mkargaki@redhat.com> * add NodeRestriction to admission-controllers (#3842) * Admins Can Configure Zones in Storage Class The PR #38505 (kubernetes/kubernetes#38505) added zones optional parameter to Storage Class for AWS and GCE provisioners. That's why documentation needs to be updated accordingly. * document custom resource definitions * add host paths to psp (#3971) * add host paths to psp * add italics * Update ConfigMap doc to explain TTL-based cache updates (#3989) * Update ConfigMap doc to explain TTL-based cache updates * swap word order Change "When a ConfigMap being already consumed..." to "When a ConfigMap already being consumed..." * Update NetworkPolicy docs for v1 * StorageOS Volume plugin * Update GPU docs * docs: HPA autoscaling/v2alpha1 status conditions This commit documents the new status conditions feature for HPA autoscaling/v2alpha1. It demonstrates how to get the status conditions using `kubectl describe`, and how to interpret them. * Update description about NodeRestriction kubelet node can alse create mirror pods for their own static pods. * adding storage as a supported resource to node allocatable Signed-off-by: Vishnu kannan <vishnuk@google.com> * Add documentation for podpreset opt-out annotation This adds the annotation for having the podpreset admission controller to skip (opt-out) manipulating the pod spec. Also, the annotation format for what presets have acted on a pod has been modified to add a prefix of "podpreset-". The new naming makes it such that there is no chance of collision with the newly introduced opt-out annotation (or future ones yet to be added). Opt-out annotation PR: kubernetes/kubernetes#44965 * Update PDB documentation to explain new field (#3885) * update-docs-pdb * Addressed erictune@'s comments * Fix title and add a TOC to the logging concept page * Patch #4118 for typos * Describe setting coredns server in nameserver resolv chain * Address comments in PR #3997. Comment is in https://github.com/kubernetes/kubernetes.github.io/pull/3997/files/f6eb59c67e28efc298c87b1ef49a96bc6adacd1e#diff-7a14981f3dd8eb203f897ce6c11d9828 * Update task for DaemonSet history and rollback (#4098) * Update task for DaemonSet history and rollback Also remove mentions of templateGeneration field because it's deprecated * Address comments * removed lt and gt as operators (#4152) * removed lt and gt as operators * replace lt and gt for node-affinfity * updated based on bsalamat review * Initial draft of upgrade guide for kubeadm clusters. In-place upgrades are supported between 1.6 and 1.7 releases. Rollback instructions to come in a separate commit. Fixes kubernetes/kubeadm#278 * Add local volume documentation (#4050) * Add local volume documentation * Add PV local volume example * Patch PR #3999 * Add documentation for Stackdriver event exporter * Add documentation about controller metrics * Federation: Add task for setting up placement policies (#4075) * Add task for setting up placement policies * Update version of management sidecar in policy engine deployment * Address @nikhiljindal's comments - Lower case filenames - Comments in policy - Typo fixes - Removed type LoadBalancer from OPA Service * Add example that sets cluster selector Per-@nikhiljindal's suggestion * Fix wording and templating per @chenopis * PodDisruptionBudget documentation Improvements (#4140) * Changes from #3885 Title: Update PDB documentation to explain new field Author: foxish * Added Placeholder Disruptions Concept Guide New file: docs/concepts/workloads/pods/disruptions.md Intented contents: concept for Pod Disruption Budget, cross reference to Eviction and Preemption docs. Linked from: concepts > workloads > pods * Added placeholder Configuring PDB Task New file: docs/tasks/run-application/configure-pdb.md Intented contents: task for writing a Pod Disruption Budget. Linked from: tasks > configuring-applications > configure pdb. * Add refs to the "drain a node" task. * Refactor PDB docs. Move the "Requesting an eviction" section from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md -- which is going away -- to: docs/tasks/administer-cluster/safely-drain-node.md The move is verbatim, except for an introductory sentence. Also added assignees. * Refactor of PDB docs Moved the section: Specifying a PodDisruptionBudget from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md to: docs/tasks/run-application/configure-pdb.md because that former file is going away. Move is verbatim. * Explain how Eviction tools should handle failures * Refactor PDB docs Move text from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md to: docs/concepts/workloads/pods/disruptions.md Delete the now empty: docs/tasks/administer-cluster/configure-pod-disruption-budget.md Added a redirects_from section to the new doc, containing the path of the now-deleted doc, plus all the redirects from the deleted doc. * Expand PDB Concept guide Building on a little content from the old task, greatly expanded the Disruptions concept guide, including an abstract example. * Update creating a pdb Task. * Address review comments. * Fixed for all cody-clark's review comments * Address review comments from mml * Address review comments from maisem * Fix missing backtick * Api and Kubectl reference docs updates for 1.7 (#4193) * Fix includes groups * Generated kubectl docs for 1.7 * Generated references docs for 1.7 api * Document node authorization mode * API Aggregator (#4173) * API Aggregator * Additional bullet points * incorporated feedback for apiserver-aggregation.md * split setup-api-aggregator.md into two docs and address feedback * fix link * addressed docs feedback * incorporate feedback * integrate feedback * Add documentation for DNS stub domains (#4063) * Add documentation for DNS stub domains * add additional prereq * fix image path * review feedback * minor grammar and style nits * documentation for using hostAliases to manage hosts file (#4080) * documentation for using hostAliases to manage hosts file * add to table of contents * review comments * update the right command to see hosts file * reformat doc based on suggestion and change some wording * Fix typo for #4080 * Patch PR #4063 * Fix wording in placement policy task introduction * Add update to statefulset concepts and basic tutorial (#4174) * Add update to statefulset concpets and basic tutorial * Address tech comments. * Update ESIPP docs for new added API fields * Custom resource docs * update audit document with advanced audit features added in 1.7 * kubeadm v1.7 documentation updates (#4018) * v1.7 updates for kubeadm * Address review comments * Address Luke's comments * Encrypting secrets at rest and cluster security guide * Edits for Custom DNS Documentation (#4207) * reorganize custom dns doc * format fixes * Update version numbers to 1.7 * Patch PR #4140 (#4215) * Patch PR #4140 * fix link and typos * Update PR template * Update TLS bootstrapping with 1.7 features This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. * Federated ClusterSelector formatting updates from review * complete PR #4181 (#4223) * complete PR #4181 * fix security link * Extensible admission controller (#4092) * extensible-admission-controllers * Update extensible-admission-controllers.md * more on initializers * fixes * Expand external admission webhooks documentation * wrap at 80 chars * more * add reference * Use correct apigroup for network policy * Docs changes to PR #4092 (#4224) * Docs changes to PR #4092 * address feedback * add doc for --as-group in cli Add doc for this pr: kubernetes/kubernetes#43696
jesscodez
pushed a commit
to kubernetes/website
that referenced
this pull request
Sep 22, 2017
Add doc for this pr: kubernetes/kubernetes#43696
jesscodez
pushed a commit
to kubernetes/website
that referenced
this pull request
Sep 22, 2017
* Minor fixes in the Deployment doc Signed-off-by: Michail Kargakis <mkargaki@redhat.com> * add NodeRestriction to admission-controllers (#3842) * Admins Can Configure Zones in Storage Class The PR #38505 (kubernetes/kubernetes#38505) added zones optional parameter to Storage Class for AWS and GCE provisioners. That's why documentation needs to be updated accordingly. * document custom resource definitions * add host paths to psp (#3971) * add host paths to psp * add italics * Update ConfigMap doc to explain TTL-based cache updates (#3989) * Update ConfigMap doc to explain TTL-based cache updates * swap word order Change "When a ConfigMap being already consumed..." to "When a ConfigMap already being consumed..." * Update NetworkPolicy docs for v1 * StorageOS Volume plugin * Update GPU docs * docs: HPA autoscaling/v2alpha1 status conditions This commit documents the new status conditions feature for HPA autoscaling/v2alpha1. It demonstrates how to get the status conditions using `kubectl describe`, and how to interpret them. * Update description about NodeRestriction kubelet node can alse create mirror pods for their own static pods. * adding storage as a supported resource to node allocatable Signed-off-by: Vishnu kannan <vishnuk@google.com> * Add documentation for podpreset opt-out annotation This adds the annotation for having the podpreset admission controller to skip (opt-out) manipulating the pod spec. Also, the annotation format for what presets have acted on a pod has been modified to add a prefix of "podpreset-". The new naming makes it such that there is no chance of collision with the newly introduced opt-out annotation (or future ones yet to be added). Opt-out annotation PR: kubernetes/kubernetes#44965 * Update PDB documentation to explain new field (#3885) * update-docs-pdb * Addressed erictune@'s comments * Fix title and add a TOC to the logging concept page * Patch #4118 for typos * Describe setting coredns server in nameserver resolv chain * Address comments in PR #3997. Comment is in https://github.com/kubernetes/kubernetes.github.io/pull/3997/files/f6eb59c67e28efc298c87b1ef49a96bc6adacd1e#diff-7a14981f3dd8eb203f897ce6c11d9828 * Update task for DaemonSet history and rollback (#4098) * Update task for DaemonSet history and rollback Also remove mentions of templateGeneration field because it's deprecated * Address comments * removed lt and gt as operators (#4152) * removed lt and gt as operators * replace lt and gt for node-affinfity * updated based on bsalamat review * Initial draft of upgrade guide for kubeadm clusters. In-place upgrades are supported between 1.6 and 1.7 releases. Rollback instructions to come in a separate commit. Fixes kubernetes/kubeadm#278 * Add local volume documentation (#4050) * Add local volume documentation * Add PV local volume example * Patch PR #3999 * Add documentation for Stackdriver event exporter * Add documentation about controller metrics * Federation: Add task for setting up placement policies (#4075) * Add task for setting up placement policies * Update version of management sidecar in policy engine deployment * Address @nikhiljindal's comments - Lower case filenames - Comments in policy - Typo fixes - Removed type LoadBalancer from OPA Service * Add example that sets cluster selector Per-@nikhiljindal's suggestion * Fix wording and templating per @chenopis * PodDisruptionBudget documentation Improvements (#4140) * Changes from #3885 Title: Update PDB documentation to explain new field Author: foxish * Added Placeholder Disruptions Concept Guide New file: docs/concepts/workloads/pods/disruptions.md Intented contents: concept for Pod Disruption Budget, cross reference to Eviction and Preemption docs. Linked from: concepts > workloads > pods * Added placeholder Configuring PDB Task New file: docs/tasks/run-application/configure-pdb.md Intented contents: task for writing a Pod Disruption Budget. Linked from: tasks > configuring-applications > configure pdb. * Add refs to the "drain a node" task. * Refactor PDB docs. Move the "Requesting an eviction" section from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md -- which is going away -- to: docs/tasks/administer-cluster/safely-drain-node.md The move is verbatim, except for an introductory sentence. Also added assignees. * Refactor of PDB docs Moved the section: Specifying a PodDisruptionBudget from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md to: docs/tasks/run-application/configure-pdb.md because that former file is going away. Move is verbatim. * Explain how Eviction tools should handle failures * Refactor PDB docs Move text from: docs/tasks/administer-cluster/configure-pod-disruption-budget.md to: docs/concepts/workloads/pods/disruptions.md Delete the now empty: docs/tasks/administer-cluster/configure-pod-disruption-budget.md Added a redirects_from section to the new doc, containing the path of the now-deleted doc, plus all the redirects from the deleted doc. * Expand PDB Concept guide Building on a little content from the old task, greatly expanded the Disruptions concept guide, including an abstract example. * Update creating a pdb Task. * Address review comments. * Fixed for all cody-clark's review comments * Address review comments from mml * Address review comments from maisem * Fix missing backtick * Api and Kubectl reference docs updates for 1.7 (#4193) * Fix includes groups * Generated kubectl docs for 1.7 * Generated references docs for 1.7 api * Document node authorization mode * API Aggregator (#4173) * API Aggregator * Additional bullet points * incorporated feedback for apiserver-aggregation.md * split setup-api-aggregator.md into two docs and address feedback * fix link * addressed docs feedback * incorporate feedback * integrate feedback * Add documentation for DNS stub domains (#4063) * Add documentation for DNS stub domains * add additional prereq * fix image path * review feedback * minor grammar and style nits * documentation for using hostAliases to manage hosts file (#4080) * documentation for using hostAliases to manage hosts file * add to table of contents * review comments * update the right command to see hosts file * reformat doc based on suggestion and change some wording * Fix typo for #4080 * Patch PR #4063 * Fix wording in placement policy task introduction * Add update to statefulset concepts and basic tutorial (#4174) * Add update to statefulset concpets and basic tutorial * Address tech comments. * Update ESIPP docs for new added API fields * Custom resource docs * update audit document with advanced audit features added in 1.7 * kubeadm v1.7 documentation updates (#4018) * v1.7 updates for kubeadm * Address review comments * Address Luke's comments * Encrypting secrets at rest and cluster security guide * Edits for Custom DNS Documentation (#4207) * reorganize custom dns doc * format fixes * Update version numbers to 1.7 * Patch PR #4140 (#4215) * Patch PR #4140 * fix link and typos * Update PR template * Update TLS bootstrapping with 1.7 features This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. * Federated ClusterSelector formatting updates from review * complete PR #4181 (#4223) * complete PR #4181 * fix security link * Extensible admission controller (#4092) * extensible-admission-controllers * Update extensible-admission-controllers.md * more on initializers * fixes * Expand external admission webhooks documentation * wrap at 80 chars * more * add reference * Use correct apigroup for network policy * Docs changes to PR #4092 (#4224) * Docs changes to PR #4092 * address feedback * add doc for --as-group in cli Add doc for this pr: kubernetes/kubernetes#43696
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The usecase of this change:
When a super user grant some RBAC permissions to a group, he can use
--as--group to test whether the group get the permissions.
Note that now we support as-groups, as-user-extra in kubeconfig file after this change.
Release note:
@liggitt