aggregate admin from edit and view to ensure coverage #66684
Conversation
k8s-ci-robot
added
approved
deads2k
force-pushed
the
rbac-01-aggregate
branch
from
df5615c
to
3c1495d
Compare
k8s-ci-robot
added
the
size/L
liggitt
requested review from
liggitt and
tallclair
and removed request for
ericchiang and
erictune
|
looks reasonable to me. can you verify reconciliation on this works properly in both directions? (a 1.12 apiserver would add the new selectors on startup, and a 1.11 server would not remove them on startup) |
|
needs a release note as well |
Labels don't collide with any reasonably existing thing and the reconcile attaches them: https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/rbac/reconciliation/reconcile_role.go#L186-L194 |
k8s-ci-robot
added
the
release-note
added |
|
Fancy. |
|
@mikedanese ptal. |
|
/lgtm I see no test failures so if something is missing RBAC it needs to add a test that actually uses it 😄 |
k8s-ci-robot
added
the
lgtm
|
/test all Tests are more than 96 hours old. Re-running tests. |
|
This is much nicer. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Automatic merge from submit-queue (batch tested with PRs 65730, 66615, 66684, 66519, 66510). If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
/sig auth |
k8s-ci-robot
added
the
sig/auth
ClusterRole aggregate has worked quite well. This updates the edit role to be aggregated from a separate edit and view and updates the admin role to aggregated from admin, edit, and view. This ensures coverage (we previously had unit tests, but that didn't work as people aggregated more powers in) and it makes each role smaller since it only has a diff to consider.
@kubernetes/sig-auth-pr-reviews