Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow */subresource in rbac policy rules #53722

Merged
merged 2 commits into from
Oct 18, 2017
Merged

allow */subresource in rbac policy rules #53722

merged 2 commits into from
Oct 18, 2017

Conversation

deads2k
Copy link
Contributor

@deads2k deads2k commented Oct 11, 2017
edited

xref #29698
xref #38756
xref #49504
xref #38810

Allow */subresource format in RBAC policy rules to support polymorphic subresources like */scale for HPA.

@DirectXMan12 fyi

RBAC PolicyRules now allow resource=`*/<subresource>` to cover `any-resource/<subresource>`.   For example, `*/scale` covers `replicationcontroller/scale`.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 11, 2017
@deads2k
Copy link
Contributor Author

deads2k commented Oct 11, 2017

/assign liggitt
/assign ericchiang

liggitt
liggitt reviewed Oct 11, 2017
View reviewed changes
pkg/apis/rbac/helpers.go Outdated
if len(requestedSubresource) == 0 {
continue
}
ruleTokens := strings.SplitN(ruleResource, "/", 2)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no allocations here, this is a hot spot.

if len(ruleResource) == len(requestedSubresource) + 2 && strings.HasPrefix(ruleResource, "*/") && strings.HasSuffix(ruleResource, requestedSubresource)

@deads2k
Copy link
Contributor Author

deads2k commented Oct 11, 2017

allocations removed, readability reduced.

@ericchiang
Copy link
Contributor

/lgtm

cc @DirectXMan12 for HPA updates.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 11, 2017
@liggitt
Copy link
Member

liggitt commented Oct 11, 2017

needs a release note
ruleCovers() needs updating (*/scale covers foo/scale)

@liggitt
Copy link
Member

liggitt commented Oct 11, 2017
edited

Update the godoc on PolicyRule.Resources:

  • change ResourceAll represents all resources. to '*' represents all resources in the specified apiGroups
  • add '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups

also update docs for ResourceRule.Resources (in authorization.k8s.io)

@liggitt
Copy link
Member

liggitt commented Oct 11, 2017

cc @kubernetes/sig-auth-api-reviews

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API labels Oct 11, 2017
@liggitt liggitt added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 11, 2017
@enj
Copy link
Member

enj commented Oct 11, 2017

/lgtm

Not a super big fan of the idea, but I can see how it would be useful.

@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 12, 2017
@ericchiang
Copy link
Contributor

Allocs removed, release note added, updated godoc (and removed use of "ResourceAll"), updated default RBAC role.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 12, 2017
@deads2k
Copy link
Contributor Author

deads2k commented Oct 13, 2017

@liggitt good minus regeneration?

@deads2k deads2k removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 16, 2017
@deads2k deads2k added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 16, 2017
@deads2k
Copy link
Contributor Author

deads2k commented Oct 16, 2017

regenerated

@liggitt
Copy link
Member

liggitt commented Oct 18, 2017
edited

allows for polymorphic subresource authorization, consistent with admission syntax

kubernetes/pkg/apis/admissionregistration/types.go

Line 95 in 6265d21

// '*/scale' means all scale subresources.

/lgtm

@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: deads2k, enj, ericchiang, liggitt
We suggest the following additional approvers:

Assign the PR to them by writing /assign in a comment when ready.

Associated issue: 29698

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@deads2k deads2k added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 18, 2017
@deads2k
Copy link
Contributor Author

deads2k commented Oct 18, 2017

last remain package is docs. That was generated. tagging approved.

@deads2k
Copy link
Contributor Author

deads2k commented Oct 18, 2017

/test all

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 18, 2017
edited

@deads2k: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-e2e-gce-gpu e8a703b link /test pull-kubernetes-e2e-gce-gpu

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-github-robot
Copy link

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 900c076 into kubernetes:master Oct 18, 2017
@deads2k deads2k deleted the rbac-01-allow-star branch July 3, 2018 18:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

Assignees

@liggitt liggitt

@ericchiang ericchiang

@enj enj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@deads2k @ericchiang @liggitt @enj @k8s-github-robot @k8s-ci-robot