Node admission/authorization #14227
Node admission/authorization #14227
Conversation
liggitt
changed the title
openshift-bot
added
the
needs-rebase
|
Will wait for the 1.7 rebase and drop all the upstream commits |
openshift-merge-robot
added
size/S
openshift-merge-robot
added
approved
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
added
approved
stevekuznetsov
changed the title
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
@liggitt: Your pull request title starts with "WIP", so the do-not-merge/work-in-progress label will be added. This label will ensure that your pull request will not be merged. Remove the prefix from your pull request title to trigger the removal of the label and allow for your pull request to be merged. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-merge-robot
removed
the
needs-rebase
openshift-ci-robot
added
size/M
liggitt
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
cc @openshift/sig-security |
| Kind: "ClusterRole", | ||
| Name: NodeRoleName, | ||
| }, | ||
| }, |
There was a problem hiding this comment.
please use newOriginClusterBinding() or even better rbac.newClusterBinding() if you do not have to maintain a name difference between the role and the binding.
There was a problem hiding this comment.
that helper does not allow empty subjects, which we want here.
There was a problem hiding this comment.
very annoying, what is the purpose of a binding with no subjects ?
There was a problem hiding this comment.
so that tightening reconciliation removes the grant to the system:nodes group
| for _, r := range miss { | ||
| t.Logf("\t%s", r.CompactString()) | ||
| } | ||
| } |
There was a problem hiding this comment.
to ensure there were no differences between our node role and the upstream node role as we converge
| @@ -779,14 +777,25 @@ func buildKubeAuth(r rbacinformers.Interface) (kauthorizer.Authorizer, rbacregis | |||
| return kubeAuthorizer, ruleResolver, kubeSubjectLocator | |||
| } | |||
|
|
|||
| func newAuthorizer(kubeAuthorizer kauthorizer.Authorizer, kubeSubjectLocator rbacauthorizer.SubjectLocator, clusterRoleGetter rbaclisters.ClusterRoleLister, projectRequestDenyMessage string) (kauthorizer.Authorizer, authorizer.SubjectLocator) { | |||
| func newAuthorizer(kubeAuthorizer kauthorizer.Authorizer, kubeSubjectLocator rbacauthorizer.SubjectLocator, informers InformerAccess, projectRequestDenyMessage string) (kauthorizer.Authorizer, authorizer.SubjectLocator) { | |||
There was a problem hiding this comment.
We're trying to kill the big one. Plumb through the ones you want or make this a method on the config type or make a Complete method and we can try to start converging.
|
/retest |
|
Router flake |
|
any other comments? |
| newOriginClusterBinding(NodeRoleBindingName, NodeRoleName). | ||
| Groups(NodesGroup). | ||
| BindingOrDie(), | ||
| // Preserve the empty node binding with no subjects for tightening reconciliation |
There was a problem hiding this comment.
Seems like we should have a GetDeadClusterRoleBindings.
There was a problem hiding this comment.
I wouldn't want to chance someone calling this and missing calling that
There was a problem hiding this comment.
We already trust callers to use GetBootstrapClusterRoles which gives them GetDeadClusterRoles. I would expect GetBootstrapClusterRoleBindings to have the same logic.
There was a problem hiding this comment.
created GetDeadClusterRoleBindings
openshift-ci-robot
added
size/L
|
updated, and added an integration test that replicates the checks in https://github.com/kubernetes/kubernetes/blob/release-1.7/test/integration/auth/node_test.go against our wired API server to ensure our default authz/admission set up protects us. |
| // If an admin wants to grant the system:node role (which cannot partition Node API access), they will need to create their own clusterrolebinding. | ||
| // TODO: Remove the subjects from this binding in 1.8 (leave the empty binding for tightening reconciliation), and remove AddClusterRoleBindingFilter() | ||
| rbac.NewClusterBinding(systemNodeRoleName).Groups(user.NodesGroup).BindingOrDie(), | ||
| // This default binding of the system:node role to the system:nodes group is deprecated in 1.7 with the availability of the Node authorizer. |
There was a problem hiding this comment.
Yes, pushed too fast. Will fix
|
comments addressed, PTAL |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, liggitt The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
@liggitt: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue (batch tested with PRs 16224, 14227) |
Enables the node authorizer and NodeRestriction admission plugins