Asymmetry in PolicyBinding naming upon creation and deletion #13549
Assignees
Comments
openshift-merge-robot
added a commit
that referenced
this issue
Aug 17, 2017
Automatic merge from submit-queue Migrate to Kubernetes RBAC Trello xref: https://trello.com/c/n3bR3Ys9 Fixes #12303 Fixes #13549 Fixes #13432 Fixes #15338 Fixes #14168 Fixes #10056 Need to investigate: - [x] ... Dependencies: - [x] Prerequisite #15342 - [x] Requires openshift/openshift-ansible/pull/4933 @sdodson - [x] Blocked on openshift/openshift-ansible/issues/4967 - [x] Prerequisite kubernetes/kubernetes#50639 Followups: - [ ] #15412 - [ ] #13316 - [ ] #13156 - [ ] #13430 - [ ] Should delete with proxy return details? - [ ] Make project creation use RBAC instead of proxy endpoints? - [ ] Remove policy objects from bootstrap roles - [ ] Check if delegated_test.go can be revived - [ ] Check to see if the deleted unit tests are reflected upstream and fix gaps - [ ] Open issue to remove `openshiftSubjectLocator` - [ ] Open issue to revisit forbidden message maker - [ ] Update upstream `subject_locator_test` with origin's extensive testing - [ ] Fix proxied create: ` _ bool is includeUnintialized, which we should really be passing through to the underlying API... it's odd there's not a CreateOptions parameter to Create` - [ ] Fix proxied update: `if initializers use Update() to initialize objects (which I think they do), we may need to pass GetOptions{IncludeUninitialized: true} here...` - [ ] Fix panics() in Convert...OrDie() functions - [ ] glog.Fatal on post stark hook error - [ ] Remove `TestPolicyCache`? - [ ] Use discovery API based gating? - [ ] upstream rules have always required a group. followup issue to remove getAPIGroupLegacy from `pkg/authorization/authorizer/scope/converter.go` - [ ] issue to remove "normalizeResources" from `pkg/cmd/server/bootstrappolicy/policy.go` - [ ] issue to find callers of `clusterpolicyregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicy"` and move to point of use - [ ] issue to switch our encoding to rbac in `pkg/cmd/server/admin/create_bootstrappolicy_file.go` - [ ] Exercise proxied endpoints - [ ] hack/test-cmd.sh of gated overwrite bootstrap policy - [ ] Delete unused legacy policy registry code - [ ] Make RBAC discovery rule authoritative `pkg/authorization/apis/authorization/types.go` - [ ] Fix `ignoreError` in `pkg/oc/admin/router/router.go` - [ ] Confirm changes to `TestAuthorizationResolution` and `TestAuthorizationResourceAccessReview` in `test/integration/authorization_test.go` Done: - Store ClusterRoles as native RBAC Objects via Kubernetes. - Provides backwards compatible API for the old policy based roles. - Use Kubernetes authorizer TODO: - [x] Delete policy end points - [x] Decide what to do with overwrite policy - [x] Remove or gate `oc create policybinding` - [x] Move new impersonation code to `pkg/auth/client/impersonate.go` - [x] Remove any unnecessary conversions - [x] Review new `proxy.go` files - [x] Remove reason logic `allowed by rule in ...` - [x] Add interface assertion to proxy files - [x] Confirm we need `pkg/authorization/util/convert/convert.go` - [x] Confrim we need to expose some of the private conversion functions - [x] Add protect/autoupdate annotation conversion to general conversion functions - [x] ~~Support watch on proxied endpoints~~ - [x] Cherry pick kubernetes/kubernetes#49868 -> #15721 - [x] Fix upstream commits - [x] Restore and version gate `NewCmdMigrateAuthorization` - [x] ~~Wrap other errors in proxy files?~~ Remove all error wrapping - [x] Make `NewImpersonatingRBACFromContext` more generic - [x] Kube authorizer's reason on deny contains evaluation errors - do we want to preserve those? - [x] Review `ImpersonatingRESTClient` in `pkg/auth/client/impersonate.go` - [ ] Review `pkg/project/auth/cache.go` and ` pkg/project/auth/cache_test.go` - [ ] Review ` pkg/authorization/authorizer/scope/converter_test.go` - [ ] Review `k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/request.go`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When creating a policybinding within a project:
The actual name of the PolicyBinding object is
$PROJECTNAME:$POLICYBINDINGNAME:default, as can be seen with:However, if I want to delete that PolicyBinding, I need to specify the name with
:$POLICYBINDINGNAME:default(note the extra :default suffix).It seems to me that both commands expect the same object (PolicyBinding) in an inconsistent way, ie:
$POLICYBINDINGNAMEfor creation vs$POLICYBINDINGNAME:defaultfor deletion.Also, note that
oc describe policybindingaccepts both$PROJECTNAME:$POLICYBINDINGNAME:defaultand$PROJECTNAME:$POLICYBINDINGNAMEThus, I suggest to make both calls consistent by:
:defaultwhen creating the PolicyBinding, orVersion
oc v1.4.1+3f9807a
openshift v1.4.1+3f9807a
The text was updated successfully, but these errors were encountered: