Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow aggregate-to-view roles to get jobs status #77866

Merged
merged 12 commits into from Jul 26, 2019

Conversation

@Fodoj
Copy link
Contributor

commented May 14, 2019

What type of PR is this?

/kind feature

What this PR does / why we need it:

Right now users/accounts with role admin or edit can create, update and delete jobs, but are not allowed to pull the status of a job that they create. This change extends aggregate-to-view rules to include jobs/status.

Does this PR introduce a user-facing change?:

The default `view`, `edit`, and `admin` cluster roles now include read access to status subresources.
Allow aggregate-to-edit roles to get jobs status
Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create.  This change extends `aggregate-to-edit` rules to include `jobs/status`.
@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

commented May 14, 2019

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

commented May 14, 2019

Hi @Fodoj. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot requested review from lavalamp and ncdc May 14, 2019

@k8s-ci-robot k8s-ci-robot added sig/auth and removed needs-sig labels May 14, 2019

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented May 14, 2019

Signed

@Fodoj Fodoj changed the title Allow aggregate-to-edit roles to get jobs status Allow aggregate-to-view roles to get jobs status May 14, 2019

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 1, 2019

@ncdc @lavalamp any update on this is highly appreciated

@ncdc

This comment has been minimized.

Copy link
Member

commented Jul 1, 2019

/uncc
/cc @deads2k @soltysh

@k8s-ci-robot k8s-ci-robot requested review from deads2k and soltysh and removed request for ncdc Jul 1, 2019

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 17, 2019

@soltysh @deads2k any update would be great.

@lavalamp

This comment has been minimized.

Copy link
Member

commented Jul 17, 2019

/ok-to-test

If this thing already has jobs read access, it seems pretty safe to let it see jobs/status, too.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the size/S label Jul 18, 2019

Fodoj added some commits Jul 18, 2019

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 18, 2019

/test pull-kubernetes-verify

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 22, 2019

@liggitt is it good to merge now?

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 22, 2019

/retest

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 22, 2019

/retest

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 26, 2019

/retest

@k8s-ci-robot k8s-ci-robot added size/M and removed size/S labels Jul 26, 2019

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 26, 2019

/retest

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 26, 2019

/retest

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 26, 2019

/retest

@liggitt

This comment has been minimized.

Copy link
Member

commented Jul 26, 2019

/lgtm

@Fodoj

This comment has been minimized.

Copy link
Contributor Author

commented Jul 26, 2019

"merge-merthod-sqush" - is it something I need to do?

@k8s-ci-robot k8s-ci-robot merged commit 5e9da75 into kubernetes:master Jul 26, 2019

23 checks passed

cla/linuxfoundation Fodoj authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-conformance-image-test Skipped.
pull-kubernetes-cross Skipped.
pull-kubernetes-dependencies Job succeeded.
Details
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-100-performance Job succeeded.
Details
pull-kubernetes-e2e-gce-csi-serial Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-e2e-gce-iscsi Skipped.
pull-kubernetes-e2e-gce-iscsi-serial Skipped.
pull-kubernetes-e2e-gce-storage-slow Skipped.
pull-kubernetes-godeps Skipped.
pull-kubernetes-integration Job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
Details
pull-kubernetes-local-e2e Skipped.
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-node-e2e-containerd Job succeeded.
Details
pull-kubernetes-typecheck Job succeeded.
Details
pull-kubernetes-verify Job succeeded.
Details
pull-publishing-bot-validate Skipped.
tide In merge pool.
Details

liu-cong added a commit to liu-cong/kubernetes that referenced this pull request Jul 29, 2019

Allow aggregate-to-view roles to get jobs status (kubernetes#77866)
* Allow aggregate-to-edit roles to get jobs status

Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create.  This change extends `aggregate-to-edit` rules to include `jobs/status`.

* Move jobs/status to aggregate-to-view rules

* Add aggregate-to-view policy to view PVCs status

* Update fixtures to include new read permissions

* Add more status subresources

* Update cluster-roles.yaml

* Re-order deployment permissions

* Run go fmt

* Add more permissions

* Fix tests

* Re-order permissions in test data

* Automatically update yamls

@liggitt liggitt added this to the v1.16 milestone Aug 6, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.