Add selfsubjectrulesreview in authorization

[xilabao]

What this PR does / why we need it:

Which issue this PR fixes: fixes #47834 #31292

Special notes for your reviewer:

Release note:

Add selfsubjectrulesreview API for allowing users to query which permissions they have in a given namespace.

/cc @deads2k @liggitt

[k8s-ci-robot]

Hi @xilabao. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[deads2k]

@ericchiang you were thinking something similar.

[ericchiang]

Awesome!

Would like to see the kubectl code as a different PR. If it's just @kubernetes/sig-auth-pr-reviews that needs to review then we can probably get this in faster. What do you think?

[ericchiang]

There are other kind of authorizers. Can we ensure that this isn't actually tied to the RBAC authorizer by introducing another interface like authorizer.Authorizer?

[xilabao]

updated. PTAL @ericchiang

[ericchiang]

You've got some generated code in your first commit.

Also can you explain a bit about what the third commit "create the methods in the generated expansion files" means? Are you creating those manually? Sorry, I'm not super familiar with the generated clientset.

[ericchiang]

The equivalent openshift type is called "AuthorizaitonRuleResolver"[1]. I think authorizaiton.RuleResolver would be a much more natural fit.

[1] https://github.com/openshift/origin/blob/496129f10823185674fa9d20a7e11be46ca53512/pkg/authorization/rulevalidation/find_rules.go#L27

[xilabao]

I think authorizaiton.RuleResolver would be a much more natural fit.

Done.

[ericchiang]

I would have expected some sort of logic to de-dup identical rules from different authorizers or when one returns a wildcard rule that encompasses the other rules.

[xilabao]

I would have expected some sort of logic to de-dup identical rules from different authorizers or when one returns a wildcard rule that encompasses the other rules.

could we sort in kubectl code?

[ericchiang]

nit: remove commented out return.

[ericchiang]

Why are we grabbing a namespace? Isn't the SelfSubjectRulesReview non-namespaced?

[xilabao]

Why are we grabbing a namespace? Isn't the SelfSubjectRulesReview non-namespaced?

I think that SelfSubjectRulesReview can get the cluster wide rules and the rules in the specified namespace.

[ericchiang]

Which specified namespace? The resource isn't namespaced, so I don't see a way for this to ever hold a value.

[xilabao]

@ericchiang you are right. SelfSubjectRulesReview should be namespaced. fixed. ptal

[ericchiang]

SelfSubjectRulesReview should be namespaced.

No, it definitely should definitely be cluster wide or you'd never be able to get information about cluster level resources. e.g. we need this to help determine what namespaces users have access too.

[liggitt]

This still doesn't look right... I'd expect the types to be cluster-scoped, and there to be a spec that allows indicating the namespace to evaluate at (see SelfSubjectAccessReview.Spec.ResourceAttributes.Namespace as a parallel)

[deads2k]

This still doesn't look right... I'd expect the types to be cluster-scoped, a

It seems weird to have a cluster scoped resource that is only valid in the context of a namespace. We can't reasonably evaluate permissions across all namespaces because of fanout. We could give strictly cluster-scoped powers, but that's of limited utility. You're just trying for parity with SAR?

[ericchiang]

Need to articulate how this method works for cluster wide (non-namespaced) rule evaluation. Particularly since this is only being used to fill out a non-namespaced resource.

[xilabao]

Need to articulate how this method works for cluster wide (non-namespaced) rule evaluation. Particularly since this is only being used to fill out a non-namespaced resource.

comments added

[ericchiang]

Don't know the implications of having this start to import an API package since before it was nicely self contained. cc @deads2k any thoughts here?

[xilabao]

Don't know the implications of having this start to import an API package since before it was nicely self contained.

Done. use "k8s.io/api/authorization/v1" instead of "k8s.io/kubernetes/pkg/apis/authorization"

[xilabao]

Also can you explain a bit about what the third commit "create the methods in the generated expansion files" means? Are you creating those manually?

I create those methods manually. I ref to the discussion at #31271 (comment)

[ericchiang]

/ok-to-test

[ericchiang]

This is working and I don't see any other outstanding concerns about the API

$ curl -k -X POST \
>     --key /var/run/kubernetes/client-admin.key \
>     --cert /var/run/kubernetes/client-admin.crt \
>     -H 'Content-Type: application/json;stream=watch' \
>     --data '{"spec":{"namespace":"kube-system"}}' \
>     https://localhost:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews
{
  "kind": "SelfSubjectRulesReview",
  "apiVersion": "authorization.k8s.io/v1",
  "metadata": {
    "creationTimestamp": null
  },
  "spec": {},
  "status": {
    "resourceRules": [
      {
        "verbs": [
          "*"
        ],
        "apiGroups": [
          "*"
        ],
        "resources": [
          "*"
        ]
      },
      {
        "verbs": [
          "create"
        ],
        "apiGroups": [
          "authorization.k8s.io"
        ],
        "resources": [
          "selfsubjectaccessreviews"
        ]
      }
    ],
    "nonResourceRules": [
      {
        "verbs": [
          "*"
        ],
        "nonResourceURLs": [
          "*"
        ]
      },
      {
        "verbs": [
          "get"
        ],
        "nonResourceURLs": [
          "/api",
          "/api/*",
          "/apis",
          "/apis/*",
          "/healthz",
          "/swaggerapi",
          "/swaggerapi/*",
          "/version"
        ]
      }
    ],
    "incomplete": false
  }
}

/lgtm

[calebamiles]

/test pull-kubernetes-e2e-kops-aws
/test pull-kubernetes-bazel

[xilabao]

/test pull-kubernetes-bazel
/test pull-kubernetes-kubemark-e2e-gce
/test pull-kubernetes-e2e-gce-etcd3

[xilabao]

/test pull-kubernetes-kubemark-e2e-gce

[deads2k]

/approve

[xilabao]

/test pull-kubernetes-kubemark-e2e-gce

[ericchiang]

/lgtm

/assign @smarterclayton

[smarterclayton]

/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, ericchiang, smarterclayton, xilabao

Associated issue: 47834

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• api/OWNERS [smarterclayton]
• cmd/kube-apiserver/OWNERS [deads2k,smarterclayton]
• docs/OWNERS [smarterclayton]
• federation/cmd/federation-apiserver/OWNERS [deads2k,smarterclayton]
• pkg/apis/OWNERS [smarterclayton]
• pkg/auth/OWNERS [deads2k,smarterclayton]
• pkg/client/OWNERS [deads2k,smarterclayton]
• pkg/controller/garbagecollector/OWNERS [deads2k,smarterclayton]
• pkg/kubeapiserver/OWNERS [deads2k,smarterclayton]
• pkg/master/OWNERS [deads2k,smarterclayton]
• pkg/registry/OWNERS [deads2k,smarterclayton]
• plugin/pkg/auth/OWNERS [deads2k,smarterclayton]
• staging/src/k8s.io/api/OWNERS [smarterclayton]
• staging/src/k8s.io/client-go/OWNERS [deads2k,smarterclayton]
• test/OWNERS [deads2k,smarterclayton]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[ericchiang]

/retest

[ericchiang]

/test pull-kubernetes-kubemark-e2e-gce

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[CaoShuFeng]

/test pull-kubernetes-verify

[liggitt]

/retest

[ericchiang]

/retest

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 45724, 48051, 46444, 51056, 51605)

[k8s-ci-robot]

@xilabao: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-bazel	921a0566f15b961131e6001966b655535ae64aca	link	/test pull-kubernetes-bazel
pull-kubernetes-e2e-gce-etcd3	790374d	link	/test pull-kubernetes-e2e-gce-etcd3
pull-kubernetes-e2e-kops-aws	790374d	link	/test pull-kubernetes-e2e-kops-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.