From 75f3e66dd7770334e60bf28b2ada5caa0f307246 Mon Sep 17 00:00:00 2001
From: Brad Ison
Date: Tue, 6 Oct 2020 12:13:31 +0200
Subject: [PATCH] MAISTRA-1856: Disable ClusterRbacConfig resources
---
galley/testdatasets/validation/dataset.gen.go | 54 ---------
...ac-v1alpha1-ClusterRbacConfig-invalid.yaml | 6 -
...rbac-v1alpha1-ClusterRbacConfig-valid.yaml | 8 --
pilot/pkg/config/kube/crd/types.gen.go | 114 ------------------
pilot/pkg/model/config.go | 16 ---
pilot/pkg/model/config_test.go | 13 --
pilot/pkg/model/push_context.go | 1 -
.../fakes/fake_istio_config_store.gen.go | 64 ----------
pilot/pkg/proxy/envoy/v2/ads_common.go | 2 -
pilot/test/mock/config.go | 1 -
.../schema/collections/collections.gen.go | 42 -------
pkg/config/schema/metadata.gen.go | 20 ---
pkg/config/schema/metadata.yaml | 20 ---
.../rbac/clusterRbacConfig/basic/input.yaml | 8 --
.../rbac/clusterRbacConfig/basic/mcp.yaml | 18 ---
.../rbac/clusterRbacConfig/basic/test.yaml | 0
16 files changed, 387 deletions(-)
delete mode 100644 galley/testdatasets/validation/dataset/rbac-v1alpha1-ClusterRbacConfig-invalid.yaml
delete mode 100644 galley/testdatasets/validation/dataset/rbac-v1alpha1-ClusterRbacConfig-valid.yaml
delete mode 100644 tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/input.yaml
delete mode 100644 tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/mcp.yaml
delete mode 100644 tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/test.yaml
diff --git a/galley/testdatasets/validation/dataset.gen.go b/galley/testdatasets/validation/dataset.gen.go
index 3d2d8dbc876..24adfcd6641 100644
--- a/galley/testdatasets/validation/dataset.gen.go
+++ b/galley/testdatasets/validation/dataset.gen.go
@@ -45,8 +45,6 @@ // dataset/networking-v1beta-VirtualService-valid.yaml // dataset/networking-v1beta-WorkloadEntry-invalid.yaml // dataset/networking-v1beta-WorkloadEntry-valid.yaml -// dataset/rbac-v1alpha1-ClusterRbacConfig-invalid.yaml -// dataset/rbac-v1alpha1-ClusterRbacConfig-valid.yaml // dataset/rbac-v1alpha1-RBacConfig-invalid.yaml // dataset/rbac-v1alpha1-RBacConfig-valid.yaml // dataset/rbac-v1alpha1-ServiceRole-invalid.yaml 
@@ -1536,54 +1534,6 @@ func datasetNetworkingV1betaWorkloadentryValidYaml() (*asset, error) { return a, nil } -var _datasetRbacV1alpha1ClusterrbacconfigInvalidYaml = []byte(`apiVersion: "rbac.istio.io/v1alpha1" -kind: ClusterRbacConfig -metadata: - name: default -spec: - mode: 'ON_WITH_EXCLUSION' -`) - -func datasetRbacV1alpha1ClusterrbacconfigInvalidYamlBytes() ([]byte, error) { - return _datasetRbacV1alpha1ClusterrbacconfigInvalidYaml, nil -} - -func datasetRbacV1alpha1ClusterrbacconfigInvalidYaml() (*asset, error) { - bytes, err := datasetRbacV1alpha1ClusterrbacconfigInvalidYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "dataset/rbac-v1alpha1-ClusterRbacConfig-invalid.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _datasetRbacV1alpha1ClusterrbacconfigValidYaml = []byte(`apiVersion: "rbac.istio.io/v1alpha1" -kind: ClusterRbacConfig -metadata: - name: default -spec: - mode: 'ON_WITH_INCLUSION' - inclusion: - services: ["mongodb.default.svc.cluster.local"] -`) - -func datasetRbacV1alpha1ClusterrbacconfigValidYamlBytes() ([]byte, error) { - return _datasetRbacV1alpha1ClusterrbacconfigValidYaml, nil -} - -func datasetRbacV1alpha1ClusterrbacconfigValidYaml() (*asset, error) { - bytes, err := datasetRbacV1alpha1ClusterrbacconfigValidYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "dataset/rbac-v1alpha1-ClusterRbacConfig-valid.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - var _datasetRbacV1alpha1RbacconfigInvalidYaml = []byte(`apiVersion: "rbac.istio.io/v1alpha1" kind: RbacConfig metadata: 
@@ -2023,8 +1973,6 @@ var _bindata = map[string]func() (*asset, error){ "dataset/networking-v1beta-VirtualService-valid.yaml": datasetNetworkingV1betaVirtualserviceValidYaml, "dataset/networking-v1beta-WorkloadEntry-invalid.yaml": datasetNetworkingV1betaWorkloadentryInvalidYaml, "dataset/networking-v1beta-WorkloadEntry-valid.yaml": datasetNetworkingV1betaWorkloadentryValidYaml, - "dataset/rbac-v1alpha1-ClusterRbacConfig-invalid.yaml": datasetRbacV1alpha1ClusterrbacconfigInvalidYaml, - "dataset/rbac-v1alpha1-ClusterRbacConfig-valid.yaml": datasetRbacV1alpha1ClusterrbacconfigValidYaml, "dataset/rbac-v1alpha1-RBacConfig-invalid.yaml": datasetRbacV1alpha1RbacconfigInvalidYaml, "dataset/rbac-v1alpha1-RBacConfig-valid.yaml": datasetRbacV1alpha1RbacconfigValidYaml, "dataset/rbac-v1alpha1-ServiceRole-invalid.yaml": datasetRbacV1alpha1ServiceroleInvalidYaml, @@ -2126,8 +2074,6 @@ var _bintree = &bintree{nil, map[string]*bintree{ "networking-v1beta-VirtualService-valid.yaml": &bintree{datasetNetworkingV1betaVirtualserviceValidYaml, map[string]*bintree{}}, "networking-v1beta-WorkloadEntry-invalid.yaml": &bintree{datasetNetworkingV1betaWorkloadentryInvalidYaml, map[string]*bintree{}}, "networking-v1beta-WorkloadEntry-valid.yaml": &bintree{datasetNetworkingV1betaWorkloadentryValidYaml, map[string]*bintree{}}, - "rbac-v1alpha1-ClusterRbacConfig-invalid.yaml": &bintree{datasetRbacV1alpha1ClusterrbacconfigInvalidYaml, map[string]*bintree{}}, - "rbac-v1alpha1-ClusterRbacConfig-valid.yaml": &bintree{datasetRbacV1alpha1ClusterrbacconfigValidYaml, map[string]*bintree{}}, "rbac-v1alpha1-RBacConfig-invalid.yaml": &bintree{datasetRbacV1alpha1RbacconfigInvalidYaml, map[string]*bintree{}}, "rbac-v1alpha1-RBacConfig-valid.yaml": &bintree{datasetRbacV1alpha1RbacconfigValidYaml, map[string]*bintree{}}, "rbac-v1alpha1-ServiceRole-invalid.yaml": &bintree{datasetRbacV1alpha1ServiceroleInvalidYaml, map[string]*bintree{}}, 
diff --git a/galley/testdatasets/validation/dataset/rbac-v1alpha1-ClusterRbacConfig-invalid.yaml b/galley/testdatasets/validation/dataset/rbac-v1alpha1-ClusterRbacConfig-invalid.yaml
deleted file mode 100644
index 690c9966b39..00000000000
--- a/galley/testdatasets/validation/dataset/rbac-v1alpha1-ClusterRbacConfig-invalid.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ClusterRbacConfig
-metadata:
- name: default
-spec:
- mode: 'ON_WITH_EXCLUSION'
diff --git a/galley/testdatasets/validation/dataset/rbac-v1alpha1-ClusterRbacConfig-valid.yaml b/galley/testdatasets/validation/dataset/rbac-v1alpha1-ClusterRbacConfig-valid.yaml
deleted file mode 100644
index 6e32426e538..00000000000
--- a/galley/testdatasets/validation/dataset/rbac-v1alpha1-ClusterRbacConfig-valid.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ClusterRbacConfig
-metadata:
- name: default
-spec:
- mode: 'ON_WITH_INCLUSION'
- inclusion:
- services: ["mongodb.default.svc.cluster.local"]
diff --git a/pilot/pkg/config/kube/crd/types.gen.go b/pilot/pkg/config/kube/crd/types.gen.go
index ffdd2ecdd24..d543441575d 100644
--- a/pilot/pkg/config/kube/crd/types.gen.go
+++ b/pilot/pkg/config/kube/crd/types.gen.go
@@ -50,7 +50,6 @@ var SupportedSchemas = collection.NewSchemasBuilder(). MustAdd(collections.IstioNetworkingV1Alpha3Sidecars). MustAdd(collections.IstioNetworkingV1Alpha3Virtualservices). MustAdd(collections.IstioNetworkingV1Alpha3Workloadentries). - MustAdd(collections.IstioRbacV1Alpha1Clusterrbacconfigs). MustAdd(collections.IstioRbacV1Alpha1Rbacconfigs). MustAdd(collections.IstioRbacV1Alpha1Servicerolebindings). MustAdd(collections.IstioRbacV1Alpha1Serviceroles).
@@ -186,16 +185,6 @@ var SupportedTypes = map[resource.GroupVersionKind]SchemaType{ }, Collection: &IstioNetworkingV1Alpha3WorkloadentriesList{}, }, - collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().GroupVersionKind(): { - Schema: collections.IstioRbacV1Alpha1Clusterrbacconfigs, - Object: &IstioRbacV1Alpha1Clusterrbacconfigs{ - TypeMeta: metav1.TypeMeta{ - Kind: "ClusterRbacConfig", - APIVersion: collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().APIVersion(), - }, - }, - Collection: &IstioRbacV1Alpha1ClusterrbacconfigsList{}, - }, collections.IstioRbacV1Alpha1Rbacconfigs.Resource().GroupVersionKind(): { Schema: collections.IstioRbacV1Alpha1Rbacconfigs, Object: &IstioRbacV1Alpha1Rbacconfigs{ 
@@ -1544,109 +1533,6 @@ func (in *IstioNetworkingV1Alpha3WorkloadentriesList) DeepCopyObject() runtime.O return nil } -// IstioRbacV1Alpha1Clusterrbacconfigs is the generic Kubernetes API Object wrapper -type IstioRbacV1Alpha1Clusterrbacconfigs struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata"` - Spec map[string]interface{} `json:"spec"` -} - -// GetSpec from a wrapper -func (in *IstioRbacV1Alpha1Clusterrbacconfigs) GetSpec() map[string]interface{} { - return in.Spec -} - -// SetSpec for a wrapper -func (in *IstioRbacV1Alpha1Clusterrbacconfigs) SetSpec(spec map[string]interface{}) { - in.Spec = spec -} - -// GetObjectMeta from a wrapper -func (in *IstioRbacV1Alpha1Clusterrbacconfigs) GetObjectMeta() metav1.ObjectMeta { - return in.ObjectMeta -} - -// SetObjectMeta for a wrapper -func (in *IstioRbacV1Alpha1Clusterrbacconfigs) SetObjectMeta(metadata metav1.ObjectMeta) { - in.ObjectMeta = metadata -} - -// IstioRbacV1Alpha1ClusterrbacconfigsList is the generic Kubernetes API list wrapper -type IstioRbacV1Alpha1ClusterrbacconfigsList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - Items []IstioRbacV1Alpha1Clusterrbacconfigs `json:"items"` -} - -// GetItems from a wrapper -func (in *IstioRbacV1Alpha1ClusterrbacconfigsList) GetItems() []IstioObject { - out := make([]IstioObject, len(in.Items)) - for i := range in.Items { - out[i] = &in.Items[i] - } - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioRbacV1Alpha1Clusterrbacconfigs) DeepCopyInto(out *IstioRbacV1Alpha1Clusterrbacconfigs) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioRbacV1Alpha1Clusterrbacconfigs. 
-func (in *IstioRbacV1Alpha1Clusterrbacconfigs) DeepCopy() *IstioRbacV1Alpha1Clusterrbacconfigs { - if in == nil { - return nil - } - out := new(IstioRbacV1Alpha1Clusterrbacconfigs) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IstioRbacV1Alpha1Clusterrbacconfigs) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioRbacV1Alpha1ClusterrbacconfigsList) DeepCopyInto(out *IstioRbacV1Alpha1ClusterrbacconfigsList) { - *out = *in - out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]IstioRbacV1Alpha1Clusterrbacconfigs, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioRbacV1Alpha1ClusterrbacconfigsList. -func (in *IstioRbacV1Alpha1ClusterrbacconfigsList) DeepCopy() *IstioRbacV1Alpha1ClusterrbacconfigsList { - if in == nil { - return nil - } - out := new(IstioRbacV1Alpha1ClusterrbacconfigsList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IstioRbacV1Alpha1ClusterrbacconfigsList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - - return nil -} - // IstioRbacV1Alpha1Rbacconfigs is the generic Kubernetes API Object wrapper type IstioRbacV1Alpha1Rbacconfigs struct { metav1.TypeMeta `json:",inline"` diff --git a/pilot/pkg/model/config.go b/pilot/pkg/model/config.go index 23b3edf1350..25ae913f969 100644 --- a/pilot/pkg/model/config.go +++ b/pilot/pkg/model/config.go 
@@ -284,9 +284,6 @@ type IstioConfigStore interface { // RbacConfig selects the RbacConfig of name DefaultRbacConfigName. RbacConfig() *Config - // ClusterRbacConfig selects the ClusterRbacConfig of name DefaultRbacConfigName. - ClusterRbacConfig() *Config - // AuthorizationPolicies selects AuthorizationPolicies in the specified namespace. AuthorizationPolicies(namespace string) []Config } @@ -610,19 +607,6 @@ func (store *istioConfigStore) ServiceRoleBindings(namespace string) []Config { return bindings } -func (store *istioConfigStore) ClusterRbacConfig() *Config { - clusterRbacConfig, err := store.List(collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().GroupVersionKind(), "") - if err != nil { - log.Errorf("failed to get ClusterRbacConfig: %v", err) - } - for _, rc := range clusterRbacConfig { - if rc.Name == constants.DefaultRbacConfigName { - return &rc - } - } - return nil -} - func (store *istioConfigStore) RbacConfig() *Config { rbacConfigs, err := store.List(collections.IstioRbacV1Alpha1Rbacconfigs.Resource().GroupVersionKind(), "") if err != nil { diff --git a/pilot/pkg/model/config_test.go b/pilot/pkg/model/config_test.go index 835e13ab32b..ff4623e4529 100644 --- a/pilot/pkg/model/config_test.go +++ b/pilot/pkg/model/config_test.go 
@@ -477,15 +477,6 @@ func TestRbacConfig(t *testing.T) { } } -func TestClusterRbacConfig(t *testing.T) { - store := model.MakeIstioStore(memory.Make(collections.Pilot)) - addRbacConfigToStore(collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().Kind(), constants.DefaultRbacConfigName, "", store, t) - rbacConfig := store.ClusterRbacConfig() - if rbacConfig.Name != constants.DefaultRbacConfigName { - t.Errorf("model.ClusterRbacConfig: expecting %s, but got %s", constants.DefaultRbacConfigName, rbacConfig.Name) - } -} - func TestAuthorizationPolicies(t *testing.T) { store := model.MakeIstioStore(memory.Make(collections.Pilot)) addRbacConfigToStore(collections.IstioSecurityV1Beta1Authorizationpolicies.Resource().Kind(), "policy1", "istio-system", store, t) @@ -541,10 +532,6 @@ func addRbacConfigToStore(kind, name, namespace string, store model.IstioConfigS group = collections.IstioRbacV1Alpha1Rbacconfigs.Resource().Group() version = collections.IstioRbacV1Alpha1Rbacconfigs.Resource().Version() value = &rbacproto.RbacConfig{Mode: rbacproto.RbacConfig_ON} - case collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().Kind(): - group = collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().Group() - version = collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().Version() - value = &rbacproto.RbacConfig{Mode: rbacproto.RbacConfig_ON} default: panic("Unknown kind: " + kind) } diff --git a/pilot/pkg/model/push_context.go b/pilot/pkg/model/push_context.go index d696893c655..5e56fda27ec 100644 --- a/pilot/pkg/model/push_context.go +++ b/pilot/pkg/model/push_context.go 
@@ -920,7 +920,6 @@ func (ps *PushContext) updateContext( envoyFiltersChanged = true case collections.IstioRbacV1Alpha1Servicerolebindings.Resource().GroupVersionKind(), collections.IstioRbacV1Alpha1Serviceroles.Resource().GroupVersionKind(), - collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().GroupVersionKind(), collections.IstioRbacV1Alpha1Rbacconfigs.Resource().GroupVersionKind(), collections.IstioSecurityV1Beta1Authorizationpolicies.Resource().GroupVersionKind(): authzChanged = true diff --git a/pilot/pkg/networking/core/v1alpha3/fakes/fake_istio_config_store.gen.go b/pilot/pkg/networking/core/v1alpha3/fakes/fake_istio_config_store.gen.go index 8a3a438b264..db3cfd096b3 100644 --- a/pilot/pkg/networking/core/v1alpha3/fakes/fake_istio_config_store.gen.go +++ b/pilot/pkg/networking/core/v1alpha3/fakes/fake_istio_config_store.gen.go @@ -24,16 +24,6 @@ type IstioConfigStore struct { authorizationPoliciesReturnsOnCall map[int]struct { result1 []model.Config } - ClusterRbacConfigStub func() *model.Config - clusterRbacConfigMutex sync.RWMutex - clusterRbacConfigArgsForCall []struct { - } - clusterRbacConfigReturns struct { - result1 *model.Config - } - clusterRbacConfigReturnsOnCall map[int]struct { - result1 *model.Config - } CreateStub func(model.Config) (string, error) createMutex sync.RWMutex createArgsForCall []struct { 
@@ -283,58 +273,6 @@ func (fake *IstioConfigStore) AuthorizationPoliciesReturnsOnCall(i int, result1 }{result1} } -func (fake *IstioConfigStore) ClusterRbacConfig() *model.Config { - fake.clusterRbacConfigMutex.Lock() - ret, specificReturn := fake.clusterRbacConfigReturnsOnCall[len(fake.clusterRbacConfigArgsForCall)] - fake.clusterRbacConfigArgsForCall = append(fake.clusterRbacConfigArgsForCall, struct { - }{}) - fake.recordInvocation("ClusterRbacConfig", []interface{}{}) - fake.clusterRbacConfigMutex.Unlock() - if fake.ClusterRbacConfigStub != nil { - return fake.ClusterRbacConfigStub() - } - if specificReturn { - return ret.result1 - } - fakeReturns := fake.clusterRbacConfigReturns - return fakeReturns.result1 -} - -func (fake *IstioConfigStore) ClusterRbacConfigCallCount() int { - fake.clusterRbacConfigMutex.RLock() - defer fake.clusterRbacConfigMutex.RUnlock() - return len(fake.clusterRbacConfigArgsForCall) -} - -func (fake *IstioConfigStore) ClusterRbacConfigCalls(stub func() *model.Config) { - fake.clusterRbacConfigMutex.Lock() - defer fake.clusterRbacConfigMutex.Unlock() - fake.ClusterRbacConfigStub = stub -} - -func (fake *IstioConfigStore) ClusterRbacConfigReturns(result1 *model.Config) { - fake.clusterRbacConfigMutex.Lock() - defer fake.clusterRbacConfigMutex.Unlock() - fake.ClusterRbacConfigStub = nil - fake.clusterRbacConfigReturns = struct { - result1 *model.Config - }{result1} -} - -func (fake *IstioConfigStore) ClusterRbacConfigReturnsOnCall(i int, result1 *model.Config) { - fake.clusterRbacConfigMutex.Lock() - defer fake.clusterRbacConfigMutex.Unlock() - fake.ClusterRbacConfigStub = nil - if fake.clusterRbacConfigReturnsOnCall == nil { - fake.clusterRbacConfigReturnsOnCall = make(map[int]struct { - result1 *model.Config - }) - } - fake.clusterRbacConfigReturnsOnCall[i] = struct { - result1 *model.Config - }{result1} -} - func (fake *IstioConfigStore) Create(arg1 model.Config) (string, error) { fake.createMutex.Lock() ret, specificReturn := 
fake.createReturnsOnCall[len(fake.createArgsForCall)] @@ -1278,8 +1216,6 @@ func (fake *IstioConfigStore) Invocations() map[string][][]interface{} { defer fake.invocationsMutex.RUnlock() fake.authorizationPoliciesMutex.RLock() defer fake.authorizationPoliciesMutex.RUnlock() - fake.clusterRbacConfigMutex.RLock() - defer fake.clusterRbacConfigMutex.RUnlock() fake.createMutex.RLock() defer fake.createMutex.RUnlock() fake.deleteMutex.RLock() diff --git a/pilot/pkg/proxy/envoy/v2/ads_common.go b/pilot/pkg/proxy/envoy/v2/ads_common.go index d4b0b650c07..6c3bcc47be5 100644 --- a/pilot/pkg/proxy/envoy/v2/ads_common.go +++ b/pilot/pkg/proxy/envoy/v2/ads_common.go @@ -144,7 +144,6 @@ func PushTypeFor(proxy *model.Proxy, pushEv *XdsEvent) map[XdsType]bool { case collections.IstioRbacV1Alpha1Serviceroles.Resource().GroupVersionKind(), collections.IstioRbacV1Alpha1Servicerolebindings.Resource().GroupVersionKind(), collections.IstioRbacV1Alpha1Rbacconfigs.Resource().GroupVersionKind(), - collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().GroupVersionKind(), collections.IstioSecurityV1Beta1Authorizationpolicies.Resource().GroupVersionKind(), collections.IstioSecurityV1Beta1Requestauthentications.Resource().GroupVersionKind(): out[LDS] = true @@ -192,7 +191,6 @@ func PushTypeFor(proxy *model.Proxy, pushEv *XdsEvent) map[XdsType]bool { case collections.IstioRbacV1Alpha1Serviceroles.Resource().GroupVersionKind(), collections.IstioRbacV1Alpha1Servicerolebindings.Resource().GroupVersionKind(), collections.IstioRbacV1Alpha1Rbacconfigs.Resource().GroupVersionKind(), - collections.IstioRbacV1Alpha1Clusterrbacconfigs.Resource().GroupVersionKind(), collections.IstioSecurityV1Beta1Authorizationpolicies.Resource().GroupVersionKind(), collections.IstioSecurityV1Beta1Requestauthentications.Resource().GroupVersionKind(): out[LDS] = true diff --git a/pilot/test/mock/config.go b/pilot/test/mock/config.go index f276518edb8..81a690fb89f 100644 --- a/pilot/test/mock/config.go 
+++ b/pilot/test/mock/config.go @@ -424,7 +424,6 @@ func CheckIstioConfigTypes(store model.ConfigStore, namespace string, t *testing {"ServiceRole", configName, collections.IstioRbacV1Alpha1Serviceroles, ExampleServiceRole}, {"ServiceRoleBinding", configName, collections.IstioRbacV1Alpha1Servicerolebindings, ExampleServiceRoleBinding}, {"RbacConfig", constants.DefaultRbacConfigName, collections.IstioRbacV1Alpha1Rbacconfigs, ExampleRbacConfig}, - {"ClusterRbacConfig", constants.DefaultRbacConfigName, collections.IstioRbacV1Alpha1Clusterrbacconfigs, ExampleRbacConfig}, {"AuthorizationPolicy", configName, collections.IstioSecurityV1Beta1Authorizationpolicies, ExampleAuthorizationPolicy}, } diff --git a/pkg/config/schema/collections/collections.gen.go b/pkg/config/schema/collections/collections.gen.go index 61c4a80f531..6428e195a21 100755 --- a/pkg/config/schema/collections/collections.gen.go +++ b/pkg/config/schema/collections/collections.gen.go @@ -353,24 +353,6 @@ var ( }.MustBuild(), }.MustBuild() - // IstioRbacV1Alpha1Clusterrbacconfigs describes the collection - // istio/rbac/v1alpha1/clusterrbacconfigs - IstioRbacV1Alpha1Clusterrbacconfigs = collection.Builder{ - Name: "istio/rbac/v1alpha1/clusterrbacconfigs", - VariableName: "IstioRbacV1Alpha1Clusterrbacconfigs", - Disabled: false, - Resource: resource.Builder{ - Group: "rbac.istio.io", - Kind: "ClusterRbacConfig", - Plural: "clusterrbacconfigs", - Version: "v1alpha1", - Proto: "istio.rbac.v1alpha1.RbacConfig", - ProtoPackage: "istio.io/api/rbac/v1alpha1", - ClusterScoped: true, - ValidateProto: validation.ValidateClusterRbacConfig, - }.MustBuild(), - }.MustBuild() - // IstioRbacV1Alpha1Rbacconfigs describes the collection // istio/rbac/v1alpha1/rbacconfigs IstioRbacV1Alpha1Rbacconfigs = collection.Builder{ 
@@ -957,24 +939,6 @@ var ( }.MustBuild(), }.MustBuild() - // K8SRbacIstioIoV1Alpha1Clusterrbacconfigs describes the collection - // k8s/rbac.istio.io/v1alpha1/clusterrbacconfigs - K8SRbacIstioIoV1Alpha1Clusterrbacconfigs = collection.Builder{ - Name: "k8s/rbac.istio.io/v1alpha1/clusterrbacconfigs", - VariableName: "K8SRbacIstioIoV1Alpha1Clusterrbacconfigs", - Disabled: false, - Resource: resource.Builder{ - Group: "rbac.istio.io", - Kind: "ClusterRbacConfig", - Plural: "clusterrbacconfigs", - Version: "v1alpha1", - Proto: "istio.rbac.v1alpha1.RbacConfig", - ProtoPackage: "istio.io/api/rbac/v1alpha1", - ClusterScoped: true, - ValidateProto: validation.ValidateClusterRbacConfig, - }.MustBuild(), - }.MustBuild() - // K8SRbacIstioIoV1Alpha1Policy describes the collection // k8s/rbac.istio.io/v1alpha1/policy K8SRbacIstioIoV1Alpha1Policy = collection.Builder{ @@ -1194,7 +1158,6 @@ var ( MustAdd(IstioPolicyV1Beta1Handlers). MustAdd(IstioPolicyV1Beta1Instances). MustAdd(IstioPolicyV1Beta1Rules). - MustAdd(IstioRbacV1Alpha1Clusterrbacconfigs). MustAdd(IstioRbacV1Alpha1Rbacconfigs). MustAdd(IstioRbacV1Alpha1Servicerolebindings). MustAdd(IstioRbacV1Alpha1Serviceroles). @@ -1228,7 +1191,6 @@ var ( MustAdd(K8SNetworkingIstioIoV1Alpha3Sidecars). MustAdd(K8SNetworkingIstioIoV1Alpha3Virtualservices). MustAdd(K8SNetworkingIstioIoV1Alpha3Workloadentries). - MustAdd(K8SRbacIstioIoV1Alpha1Clusterrbacconfigs). MustAdd(K8SRbacIstioIoV1Alpha1Policy). MustAdd(K8SRbacIstioIoV1Alpha1Rbacconfigs). MustAdd(K8SRbacIstioIoV1Alpha1Serviceroles). @@ -1263,7 +1225,6 @@ var ( MustAdd(IstioPolicyV1Beta1Handlers). MustAdd(IstioPolicyV1Beta1Instances). MustAdd(IstioPolicyV1Beta1Rules). - MustAdd(IstioRbacV1Alpha1Clusterrbacconfigs). MustAdd(IstioRbacV1Alpha1Rbacconfigs). MustAdd(IstioRbacV1Alpha1Servicerolebindings). MustAdd(IstioRbacV1Alpha1Serviceroles). 
@@ -1301,7 +1262,6 @@ var ( MustAdd(K8SNetworkingIstioIoV1Alpha3Sidecars). MustAdd(K8SNetworkingIstioIoV1Alpha3Virtualservices). MustAdd(K8SNetworkingIstioIoV1Alpha3Workloadentries). - MustAdd(K8SRbacIstioIoV1Alpha1Clusterrbacconfigs). MustAdd(K8SRbacIstioIoV1Alpha1Policy). MustAdd(K8SRbacIstioIoV1Alpha1Rbacconfigs). MustAdd(K8SRbacIstioIoV1Alpha1Serviceroles). @@ -1328,7 +1288,6 @@ var ( MustAdd(IstioNetworkingV1Alpha3Sidecars). MustAdd(IstioNetworkingV1Alpha3Virtualservices). MustAdd(IstioNetworkingV1Alpha3Workloadentries). - MustAdd(IstioRbacV1Alpha1Clusterrbacconfigs). MustAdd(IstioRbacV1Alpha1Rbacconfigs). MustAdd(IstioRbacV1Alpha1Servicerolebindings). MustAdd(IstioRbacV1Alpha1Serviceroles). @@ -1350,7 +1309,6 @@ var ( MustAdd(IstioNetworkingV1Alpha3Sidecars). MustAdd(IstioNetworkingV1Alpha3Virtualservices). MustAdd(IstioNetworkingV1Alpha3Workloadentries). - MustAdd(IstioRbacV1Alpha1Clusterrbacconfigs). MustAdd(IstioRbacV1Alpha1Rbacconfigs). MustAdd(IstioRbacV1Alpha1Servicerolebindings). MustAdd(IstioRbacV1Alpha1Serviceroles). diff --git a/pkg/config/schema/metadata.gen.go b/pkg/config/schema/metadata.gen.go index bd1d132290d..7c7e60f34b6 100644 --- a/pkg/config/schema/metadata.gen.go +++ b/pkg/config/schema/metadata.gen.go @@ -162,11 +162,6 @@ collections: kind: "rule" group: "config.istio.io" - - name: "istio/rbac/v1alpha1/clusterrbacconfigs" - kind: "ClusterRbacConfig" - group: "rbac.istio.io" - pilot: true - - name: "istio/rbac/v1alpha1/rbacconfigs" kind: "RbacConfig" group: "rbac.istio.io" @@ -330,10 +325,6 @@ collections: kind: "handler" group: "config.istio.io" - - name: "k8s/rbac.istio.io/v1alpha1/clusterrbacconfigs" - kind: "ClusterRbacConfig" - group: "rbac.istio.io" - - name: "k8s/rbac.istio.io/v1alpha1/policy" kind: "ServiceRoleBinding" group: "rbac.istio.io" 
@@ -382,7 +373,6 @@ snapshots: - "istio/policy/v1beta1/handlers" - "istio/policy/v1beta1/instances" - "istio/policy/v1beta1/rules" - - "istio/rbac/v1alpha1/clusterrbacconfigs" - "istio/rbac/v1alpha1/rbacconfigs" - "istio/rbac/v1alpha1/servicerolebindings" - "istio/rbac/v1alpha1/serviceroles" @@ -649,15 +639,6 @@ resources: Deprecated: use ClusterRbacConfig instead.\n See https://github.com/istio/istio/issues/8825 for more details." - - kind: "ClusterRbacConfig" - plural: "clusterrbacconfigs" - group: "rbac.istio.io" - version: "v1alpha1" - clusterScoped: true - proto: "istio.rbac.v1alpha1.RbacConfig" - protoPackage: "istio.io/api/rbac/v1alpha1" - description: "describes the cluster level RBAC config." - - kind: "AuthorizationPolicy" plural: "authorizationpolicies" group: "security.istio.io" @@ -749,7 +730,6 @@ transforms: "k8s/networking.istio.io/v1alpha3/virtualservices": "istio/networking/v1alpha3/virtualservices" "k8s/rbac.istio.io/v1alpha1/policy": "istio/rbac/v1alpha1/servicerolebindings" "k8s/rbac.istio.io/v1alpha1/rbacconfigs": "istio/rbac/v1alpha1/rbacconfigs" - "k8s/rbac.istio.io/v1alpha1/clusterrbacconfigs": "istio/rbac/v1alpha1/clusterrbacconfigs" "k8s/rbac.istio.io/v1alpha1/serviceroles": "istio/rbac/v1alpha1/serviceroles" "k8s/security.istio.io/v1beta1/authorizationpolicies": "istio/security/v1beta1/authorizationpolicies" "k8s/security.istio.io/v1beta1/requestauthentications": "istio/security/v1beta1/requestauthentications" diff --git a/pkg/config/schema/metadata.yaml b/pkg/config/schema/metadata.yaml index 38de39c6560..45645dcfc4e 100644 --- a/pkg/config/schema/metadata.yaml +++ b/pkg/config/schema/metadata.yaml @@ -107,11 +107,6 @@ collections: kind: "rule" group: "config.istio.io" - - name: "istio/rbac/v1alpha1/clusterrbacconfigs" - kind: "ClusterRbacConfig" - group: "rbac.istio.io" - pilot: true - - name: "istio/rbac/v1alpha1/rbacconfigs" kind: "RbacConfig" group: "rbac.istio.io" 
@@ -275,10 +270,6 @@ collections: kind: "handler" group: "config.istio.io" - - name: "k8s/rbac.istio.io/v1alpha1/clusterrbacconfigs" - kind: "ClusterRbacConfig" - group: "rbac.istio.io" - - name: "k8s/rbac.istio.io/v1alpha1/policy" kind: "ServiceRoleBinding" group: "rbac.istio.io" @@ -327,7 +318,6 @@ snapshots: - "istio/policy/v1beta1/handlers" - "istio/policy/v1beta1/instances" - "istio/policy/v1beta1/rules" - - "istio/rbac/v1alpha1/clusterrbacconfigs" - "istio/rbac/v1alpha1/rbacconfigs" - "istio/rbac/v1alpha1/servicerolebindings" - "istio/rbac/v1alpha1/serviceroles" @@ -594,15 +584,6 @@ resources: Deprecated: use ClusterRbacConfig instead.\n See https://github.com/istio/istio/issues/8825 for more details." - - kind: "ClusterRbacConfig" - plural: "clusterrbacconfigs" - group: "rbac.istio.io" - version: "v1alpha1" - clusterScoped: true - proto: "istio.rbac.v1alpha1.RbacConfig" - protoPackage: "istio.io/api/rbac/v1alpha1" - description: "describes the cluster level RBAC config." - - kind: "AuthorizationPolicy" plural: "authorizationpolicies" group: "security.istio.io" @@ -694,7 +675,6 @@ transforms: "k8s/networking.istio.io/v1alpha3/virtualservices": "istio/networking/v1alpha3/virtualservices" "k8s/rbac.istio.io/v1alpha1/policy": "istio/rbac/v1alpha1/servicerolebindings" "k8s/rbac.istio.io/v1alpha1/rbacconfigs": "istio/rbac/v1alpha1/rbacconfigs" - "k8s/rbac.istio.io/v1alpha1/clusterrbacconfigs": "istio/rbac/v1alpha1/clusterrbacconfigs" "k8s/rbac.istio.io/v1alpha1/serviceroles": "istio/rbac/v1alpha1/serviceroles" "k8s/security.istio.io/v1beta1/authorizationpolicies": "istio/security/v1beta1/authorizationpolicies" "k8s/security.istio.io/v1beta1/requestauthentications": "istio/security/v1beta1/requestauthentications" diff --git a/tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/input.yaml b/tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/input.yaml deleted file mode 100644 index 6e32426e538..00000000000 
--- a/tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/input.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ClusterRbacConfig
-metadata:
- name: default
-spec:
- mode: 'ON_WITH_INCLUSION'
- inclusion:
- services: ["mongodb.default.svc.cluster.local"]
diff --git a/tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/mcp.yaml b/tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/mcp.yaml
deleted file mode 100644
index 6ac690b3b52..00000000000
--- a/tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/mcp.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-constraints:
- - collection: istio/rbac/v1alpha1/clusterrbacconfigs
- check:
- - exactlyOne:
- - equals: {
- "Body": {
- "inclusion": {
- "services": [
- "mongodb.default.svc.cluster.local"
- ]
- },
- "mode": "ON_WITH_INCLUSION"
- },
- "Metadata": {
- "name": "default"
- },
- "TypeURL": "type.googleapis.com/istio.rbac.v1alpha1.RbacConfig"
- }
diff --git a/tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/test.yaml b/tests/integration/conformance/testdata/rbac/clusterRbacConfig/basic/test.yaml
deleted file mode 100644
index e69de29bb2d..00000000000