Add namespaced role to inspect particular configmap for delegated authentication

pkg/registry/rbac/reconciliation/BUILD

@@ -11,8 +11,8 @@ load(
 go_test(
     name = "go_default_test",
     srcs = [
-        "reconcile_clusterrole_test.go",
         "reconcile_clusterrolebindings_test.go",
+        "reconcile_role_test.go",
     ],
     library = ":go_default_library",
     tags = ["automanaged"],
@@ -26,8 +26,9 @@ go_test(
 go_library(
     name = "go_default_library",
     srcs = [
-        "reconcile_clusterrole.go",
         "reconcile_clusterrolebindings.go",
+        "reconcile_role.go",
+        "role_interfaces.go",
     ],
     tags = ["automanaged"],
     deps = [

pkg/registry/rbac/reconciliation/reconcile_clusterrole.go → pkg/registry/rbac/reconciliation/reconcile_role.go

@@ -37,21 +37,38 @@ var (
 	ReconcileNone     ReconcileOperation = "none"
 )
 
+type RuleOwnerModifier interface {
+	Get(namespace, name string) (RuleOwner, error)
+	Create(RuleOwner) (RuleOwner, error)
+	Update(RuleOwner) (RuleOwner, error)
+}
+
+type RuleOwner interface {
+	GetNamespace() string
+	GetName() string
+	GetLabels() map[string]string
+	SetLabels(map[string]string)
+	GetAnnotations() map[string]string
+	SetAnnotations(map[string]string)
+	GetRules() []rbac.PolicyRule
+	SetRules([]rbac.PolicyRule)
+}
+
 type ReconcileClusterRoleOptions struct {
 	// Role is the expected role that will be reconciled
-	Role *rbac.ClusterRole
+	Role RuleOwner
 	// Confirm indicates writes should be performed. When false, results are returned as a dry-run.
 	Confirm bool
 	// RemoveExtraPermissions indicates reconciliation should remove extra permissions from an existing role
 	RemoveExtraPermissions bool
 	// Client is used to look up existing roles, and create/update the role when Confirm=true
-	Client internalversion.ClusterRoleInterface
+	Client RuleOwnerModifier
 }
 
 type ReconcileClusterRoleResult struct {
 	// Role is the reconciled role from the reconciliation operation.
 	// If the reconcile was performed as a dry-run, or the existing role was protected, the reconciled role is not persisted.
-	Role *rbac.ClusterRole
+	Role RuleOwner
 
 	// MissingRules contains expected rules that were missing from the currently persisted role
 	MissingRules []rbac.PolicyRule
@@ -81,12 +98,12 @@ func (o *ReconcileClusterRoleOptions) run(attempts int) (*ReconcileClusterRoleRe
 
 	var result *ReconcileClusterRoleResult
 
-	existing, err := o.Client.Get(o.Role.Name, metav1.GetOptions{})
+	existing, err := o.Client.Get(o.Role.GetNamespace(), o.Role.GetName())
 	switch {
 	case errors.IsNotFound(err):
 		result = &ReconcileClusterRoleResult{
 			Role:         o.Role,
-			MissingRules: o.Role.Rules,
+			MissingRules: o.Role.GetRules(),
 			Operation:    ReconcileCreate,
 		}
 
@@ -144,41 +161,41 @@ func (o *ReconcileClusterRoleOptions) run(attempts int) (*ReconcileClusterRoleRe
 
 // computeReconciledRole returns the role that must be created and/or updated to make the
 // existing role's permissions match the expected role's permissions
-func computeReconciledRole(existing, expected *rbac.ClusterRole, removeExtraPermissions bool) (*ReconcileClusterRoleResult, error) {
+func computeReconciledRole(existing, expected RuleOwner, removeExtraPermissions bool) (*ReconcileClusterRoleResult, error) {
 	result := &ReconcileClusterRoleResult{Operation: ReconcileNone}
 
-	result.Protected = (existing.Annotations[rbac.AutoUpdateAnnotationKey] == "false")
+	result.Protected = (existing.GetAnnotations()[rbac.AutoUpdateAnnotationKey] == "false")
 
 	// Start with a copy of the existing object
 	changedObj, err := api.Scheme.DeepCopy(existing)
 	if err != nil {
 		return nil, err
 	}
-	result.Role = changedObj.(*rbac.ClusterRole)
+	result.Role = changedObj.(RuleOwner)
 
 	// Merge expected annotations and labels
-	result.Role.Annotations = merge(expected.Annotations, result.Role.Annotations)
-	if !reflect.DeepEqual(result.Role.Annotations, existing.Annotations) {
+	result.Role.SetAnnotations(merge(expected.GetAnnotations(), result.Role.GetAnnotations()))
+	if !reflect.DeepEqual(result.Role.GetAnnotations(), existing.GetAnnotations()) {
 		result.Operation = ReconcileUpdate
 	}
-	result.Role.Labels = merge(expected.Labels, result.Role.Labels)
-	if !reflect.DeepEqual(result.Role.Labels, existing.Labels) {
+	result.Role.SetLabels(merge(expected.GetLabels(), result.Role.GetLabels()))
+	if !reflect.DeepEqual(result.Role.GetLabels(), existing.GetLabels()) {
 		result.Operation = ReconcileUpdate
 	}
 
 	// Compute extra and missing rules
-	_, result.ExtraRules = validation.Covers(expected.Rules, existing.Rules)
-	_, result.MissingRules = validation.Covers(existing.Rules, expected.Rules)
+	_, result.ExtraRules = validation.Covers(expected.GetRules(), existing.GetRules())
+	_, result.MissingRules = validation.Covers(existing.GetRules(), expected.GetRules())
 
 	switch {
 	case !removeExtraPermissions && len(result.MissingRules) > 0:
 		// add missing rules in the union case
-		result.Role.Rules = append(result.Role.Rules, result.MissingRules...)
+		result.Role.SetRules(append(result.Role.GetRules(), result.MissingRules...))
 		result.Operation = ReconcileUpdate
 
 	case removeExtraPermissions && (len(result.MissingRules) > 0 || len(result.ExtraRules) > 0):
 		// stomp to expected rules in the non-union case
-		result.Role.Rules = expected.Rules
+		result.Role.SetRules(expected.GetRules())
 		result.Operation = ReconcileUpdate
 	}
 
@@ -198,3 +215,68 @@ func merge(maps ...map[string]string) map[string]string {
 	}
 	return output
 }
+
+type ClusterRoleRuleOwner struct {
+	ClusterRole *rbac.ClusterRole
+}
+
+func (o ClusterRoleRuleOwner) GetNamespace() string {
+	return o.ClusterRole.Namespace
+}
+
+func (o ClusterRoleRuleOwner) GetName() string {
+	return o.ClusterRole.Name
+}
+
+func (o ClusterRoleRuleOwner) GetLabels() map[string]string {
+	return o.ClusterRole.Labels
+}
+
+func (o ClusterRoleRuleOwner) SetLabels(in map[string]string) {
+	o.ClusterRole.Labels = in
+}
+
+func (o ClusterRoleRuleOwner) GetAnnotations() map[string]string {
+	return o.ClusterRole.Annotations
+}
+
+func (o ClusterRoleRuleOwner) SetAnnotations(in map[string]string) {
+	o.ClusterRole.Annotations = in
+}
+
+func (o ClusterRoleRuleOwner) GetRules() []rbac.PolicyRule {
+	return o.ClusterRole.Rules
+}
+
+func (o ClusterRoleRuleOwner) SetRules(in []rbac.PolicyRule) {
+	o.ClusterRole.Rules = in
+}
+
+type ClusterRoleModifier struct {
+	Client internalversion.ClusterRoleInterface
+}
+
+func (c ClusterRoleModifier) Get(namespace, name string) (RuleOwner, error) {
+	ret, err := c.Client.Get(name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return ClusterRoleRuleOwner{ClusterRole: ret}, err
+}
+
+func (c ClusterRoleModifier) Create(in RuleOwner) (RuleOwner, error) {
+	ret, err := c.Client.Create(in.(ClusterRoleRuleOwner).ClusterRole)
+	if err != nil {
+		return nil, err
+	}
+	return ClusterRoleRuleOwner{ClusterRole: ret}, err
+}
+
+func (c ClusterRoleModifier) Update(in RuleOwner) (RuleOwner, error) {
+	ret, err := c.Client.Create(in.(ClusterRoleRuleOwner).ClusterRole)
+	if err != nil {
+		return nil, err
+	}
+	return ClusterRoleRuleOwner{ClusterRole: ret}, err
+
+}

pkg/registry/rbac/reconciliation/reconcile_clusterrole_test.go → pkg/registry/rbac/reconciliation/reconcile_role_test.go

@@ -256,7 +256,9 @@ func TestComputeReconciledRole(t *testing.T) {
 	}
 
 	for k, tc := range tests {
-		result, err := computeReconciledRole(tc.actualRole, tc.expectedRole, tc.removeExtraPermissions)
+		actualRole := ClusterRoleRuleOwner{ClusterRole: tc.actualRole}
+		expectedRole := ClusterRoleRuleOwner{ClusterRole: tc.expectedRole}
+		result, err := computeReconciledRole(actualRole, expectedRole, tc.removeExtraPermissions)
 		if err != nil {
 			t.Errorf("%s: %v", k, err)
 			continue
@@ -266,7 +268,7 @@ func TestComputeReconciledRole(t *testing.T) {
 			t.Errorf("%s: Expected\n\t%v\ngot\n\t%v", k, tc.expectedReconciliationNeeded, reconciliationNeeded)
 			continue
 		}
-		if reconciliationNeeded && !api.Semantic.DeepEqual(result.Role, tc.expectedReconciledRole) {
+		if reconciliationNeeded && !api.Semantic.DeepEqual(result.Role.(ClusterRoleRuleOwner).ClusterRole, tc.expectedReconciledRole) {
 			t.Errorf("%s: Expected\n\t%#v\ngot\n\t%#v", k, tc.expectedReconciledRole, result.Role)
 		}
 	}

pkg/registry/rbac/reconciliation/role_interfaces.go

@@ -0,0 +1,88 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package reconciliation
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
+)
+
+type RoleRuleOwner struct {
+	Role *rbac.Role
+}
+
+func (o RoleRuleOwner) GetNamespace() string {
+	return o.Role.Namespace
+}
+
+func (o RoleRuleOwner) GetName() string {
+	return o.Role.Name
+}
+
+func (o RoleRuleOwner) GetLabels() map[string]string {
+	return o.Role.Labels
+}
+
+func (o RoleRuleOwner) SetLabels(in map[string]string) {
+	o.Role.Labels = in
+}
+
+func (o RoleRuleOwner) GetAnnotations() map[string]string {
+	return o.Role.Annotations
+}
+
+func (o RoleRuleOwner) SetAnnotations(in map[string]string) {
+	o.Role.Annotations = in
+}
+
+func (o RoleRuleOwner) GetRules() []rbac.PolicyRule {
+	return o.Role.Rules
+}
+
+func (o RoleRuleOwner) SetRules(in []rbac.PolicyRule) {
+	o.Role.Rules = in
+}
+
+type RoleModifier struct {
+	Client internalversion.RolesGetter
+}
+
+func (c RoleModifier) Get(namespace, name string) (RuleOwner, error) {
+	ret, err := c.Client.Roles(namespace).Get(name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return RoleRuleOwner{Role: ret}, err
+}
+
+func (c RoleModifier) Create(in RuleOwner) (RuleOwner, error) {
+	ret, err := c.Client.Roles(in.GetNamespace()).Create(in.(RoleRuleOwner).Role)
+	if err != nil {
+		return nil, err
+	}
+	return RoleRuleOwner{Role: ret}, err
+}
+
+func (c RoleModifier) Update(in RuleOwner) (RuleOwner, error) {
+	ret, err := c.Client.Roles(in.GetNamespace()).Create(in.(RoleRuleOwner).Role)
+	if err != nil {
+		return nil, err
+	}
+	return RoleRuleOwner{Role: ret}, err
+
+}

pkg/registry/rbac/rest/storage_rbac.go

@@ -138,8 +138,8 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 		// ensure bootstrap roles are created or reconciled
 		for _, clusterRole := range append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...) {
 			opts := reconciliation.ReconcileClusterRoleOptions{
-				Role:    &clusterRole,
-				Client:  clientset.ClusterRoles(),
+				Role:    reconciliation.ClusterRoleRuleOwner{ClusterRole: &clusterRole},
+				Client:  reconciliation.ClusterRoleModifier{Client: clientset.ClusterRoles()},
 				Confirm: true,
 			}
 			err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
@@ -165,7 +165,6 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 
 		// ensure bootstrap rolebindings are created or reconciled
 		for _, clusterRoleBinding := range append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...) {
-
 			opts := reconciliation.ReconcileClusterRoleBindingOptions{
 				RoleBinding: &clusterRoleBinding,
 				Client:      clientset.ClusterRoleBindings(),
@@ -194,6 +193,36 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 			}
 		}
 
+		// ensure bootstrap namespaced roles are created or reconciled
+		for namespace, roles := range bootstrappolicy.NamespaceRoles() {
+			for _, role := range roles {
+				opts := reconciliation.ReconcileClusterRoleOptions{
+					Role:    reconciliation.RoleRuleOwner{Role: &role},
+					Client:  reconciliation.RoleModifier{Client: clientset},
+					Confirm: true,
+				}
+				err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+					result, err := opts.Run()
+					if err != nil {
+						return err
+					}
+					switch {
+					case result.Protected && result.Operation != reconciliation.ReconcileNone:
+						glog.Warningf("skipped reconcile-protected role.%s/%s in %v with missing permissions: %v", rbac.GroupName, role.Name, namespace, result.MissingRules)
+					case result.Operation == reconciliation.ReconcileUpdate:
+						glog.Infof("updated role.%s/%s in %v with additional permissions: %v", rbac.GroupName, role.Name, namespace, result.MissingRules)
+					case result.Operation == reconciliation.ReconcileCreate:
+						glog.Infof("created role.%s/%s in %v ", rbac.GroupName, role.Name, namespace)
+					}
+					return nil
+				})
+				if err != nil {
+					// don't fail on failures, try to create as many as you can
+					utilruntime.HandleError(fmt.Errorf("unable to reconcile role.%s/%s in %v: %v", rbac.GroupName, role.Name, namespace, err))
+				}
+			}
+		}
+
 		return true, nil
 	})
 	// if we're never able to make it through intialization, kill the API server

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD

@@ -12,13 +12,16 @@ go_library(
     name = "go_default_library",
     srcs = [
         "controller_policy.go",
+        "namespace_policy.go",
         "policy.go",
     ],
     tags = ["automanaged"],
     deps = [
         "//pkg/apis/rbac:go_default_library",
         "//vendor:github.com/golang/glog",
+        "//vendor:k8s.io/apimachinery/pkg/api/meta",
         "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+        "//vendor:k8s.io/apimachinery/pkg/runtime",
         "//vendor:k8s.io/apiserver/pkg/authentication/user",
     ],
 )