start bootstrapping cluster roles from kube

openshift · May 4, 2017 · d7acdb1 · d7acdb1
1 parent d98ef74
commit d7acdb1
Show file tree

Hide file tree

Showing 9 changed files with 2,282 additions and 80 deletions.
diff --git a/pkg/authorization/authorizer/subjects_test.go b/pkg/authorization/authorizer/subjects_test.go
@@ -34,7 +34,11 @@ func TestSubjects(t *testing.T) {
 			Verb:            "get",
 			Resource:        "pods",
 		},
-		expectedUsers:  sets.NewString("Anna", "ClusterAdmin", "Ellen", "Valerie", "system:serviceaccount:adze:second", "system:serviceaccount:foo:default", "system:serviceaccount:other:first", "system:admin"),
+		expectedUsers: sets.NewString("Anna", "ClusterAdmin", "Ellen", "Valerie",
+			"system:serviceaccount:adze:second", "system:serviceaccount:foo:default", "system:serviceaccount:other:first",
+			"system:serviceaccount:kube-system:deployment-controller", "system:serviceaccount:kube-system:endpoint-controller", "system:serviceaccount:kube-system:generic-garbage-collector",
+			"system:serviceaccount:kube-system:namespace-controller", "system:serviceaccount:kube-system:persistent-volume-binder", "system:serviceaccount:kube-system:statefulset-controller",
+			"system:admin", "system:kube-scheduler"),
 		expectedGroups: sets.NewString("RootUsers", "system:cluster-admins", "system:cluster-readers", "system:masters", "system:nodes"),
 	}
 	test.clusterPolicies = newDefaultClusterPolicies()

diff --git a/pkg/cmd/server/api/group_coverage_test.go b/pkg/cmd/server/api/group_coverage_test.go
@@ -0,0 +1,47 @@
+package api_test
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	kapi "k8s.io/kubernetes/pkg/api"
+
+	"github.com/openshift/origin/pkg/cmd/server/api"
+
+	_ "github.com/openshift/origin/pkg/api/install"
+)
+
+func TestKnownAPIGroups(t *testing.T) {
+	unexposedGroups := sets.NewString("componentconfig", "metrics", "policy", "federation")
+
+	enabledGroups := sets.NewString()
+	for _, enabledVersion := range kapi.Registry.EnabledVersions() {
+		enabledGroups.Insert(enabledVersion.Group)
+	}
+
+	knownGroups := sets.NewString(api.KnownKubeAPIGroups.List()...)
+	knownGroups.Insert(api.KnownOriginAPIGroups.List()...)
+
+	if missingKnownGroups := knownGroups.Difference(enabledGroups); len(missingKnownGroups) > 0 {
+		t.Errorf("KnownKubeAPIGroups or KnownOriginAPIGroups are missing from registered.EnabledVersions: %v", missingKnownGroups.List())
+	}
+	if unknownEnabledGroups := enabledGroups.Difference(knownGroups).Difference(unexposedGroups); len(unknownEnabledGroups) > 0 {
+		t.Errorf("KnownKubeAPIGroups or KnownOriginAPIGroups is missing groups from registered.EnabledVersions: %v", unknownEnabledGroups.List())
+	}
+}
+
+func TestAllowedAPIVersions(t *testing.T) {
+	// Make sure all versions we know about match registered versions
+	for group, versions := range api.KubeAPIGroupsToAllowedVersions {
+		enabled := sets.NewString()
+		for _, enabledVersion := range kapi.Registry.EnabledVersionsForGroup(group) {
+			enabled.Insert(enabledVersion.Version)
+		}
+		expected := sets.NewString(versions...)
+		actual := enabled.Difference(sets.NewString(api.KubeAPIGroupsToDeadVersions[group]...))
+		if e, a := expected.List(), actual.List(); !reflect.DeepEqual(e, a) {
+			t.Errorf("For group %s, expected versions %#v, got %#v", group, e, a)
+		}
+	}
+}
diff --git a/pkg/cmd/server/api/types_test.go b/pkg/cmd/server/api/types_test.go
@@ -1,45 +1,10 @@
 package api
 
 import (
-	"reflect"
 	"strings"
 	"testing"
-
-	"k8s.io/apimachinery/pkg/util/sets"
-	kapi "k8s.io/kubernetes/pkg/api"
 )
 
-func TestKnownAPIGroups(t *testing.T) {
-	unexposedGroups := sets.NewString("authorization.k8s.io", "componentconfig", "metrics", "policy", "federation", "authentication.k8s.io", "rbac.authorization.k8s.io")
-
-	enabledGroups := sets.NewString()
-	for _, enabledVersion := range kapi.Registry.EnabledVersions() {
-		enabledGroups.Insert(enabledVersion.Group)
-	}
-
-	if missingKnownGroups := KnownKubeAPIGroups.Difference(enabledGroups); len(missingKnownGroups) > 0 {
-		t.Errorf("KnownKubeAPIGroups are missing from registered.EnabledVersions: %v", missingKnownGroups.List())
-	}
-	if unknownEnabledGroups := enabledGroups.Difference(KnownKubeAPIGroups).Difference(unexposedGroups); len(unknownEnabledGroups) > 0 {
-		t.Errorf("KnownKubeAPIGroups is missing groups from registered.EnabledVersions: %v", unknownEnabledGroups.List())
-	}
-}
-
-func TestAllowedAPIVersions(t *testing.T) {
-	// Make sure all versions we know about match registered versions
-	for group, versions := range KubeAPIGroupsToAllowedVersions {
-		enabled := sets.NewString()
-		for _, enabledVersion := range kapi.Registry.EnabledVersionsForGroup(group) {
-			enabled.Insert(enabledVersion.Version)
-		}
-		expected := sets.NewString(versions...)
-		actual := enabled.Difference(sets.NewString(KubeAPIGroupsToDeadVersions[group]...))
-		if e, a := expected.List(), actual.List(); !reflect.DeepEqual(e, a) {
-			t.Errorf("For group %s, expected versions %#v, got %#v", group, e, a)
-		}
-	}
-}
-
 func TestFeatureListAdd(t *testing.T) {
 	orderedList := []string{FeatureBuilder, FeatureWebConsole, FeatureS2I}
 	fl := FeatureList{}

diff --git a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
@@ -15,7 +15,11 @@ import (
 	"k8s.io/kubernetes/pkg/apis/storage"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	authorizationapiv1 "github.com/openshift/origin/pkg/authorization/api/v1"
 	buildapi "github.com/openshift/origin/pkg/build/api"
+
+	// we need the conversions registered for our init block
+	_ "github.com/openshift/origin/pkg/authorization/api/install"
 )
 
 const (
@@ -114,7 +118,28 @@ func (r *InfraServiceAccounts) addServiceAccount(saName string, role authorizati
 		role.Annotations = map[string]string{}
 	}
 	role.Annotations[roleSystemOnly] = roleIsSystemOnly
-	r.saToRole[saName] = role
+
+	// TODO make this unnecessary
+	// we don't want to expose the resourcegroups externally because it makes it very difficult for customers to learn from
+	// our default roles and hard for them to reason about what power they are granting their users
+	for j := range role.Rules {
+		role.Rules[j].Resources = authorizationapi.NormalizeResources(role.Rules[j].Resources)
+	}
+
+	// TODO roundtrip roles to pick up defaulting for API groups.  Without this, the covers check in reconcile-cluster-roles will fail.
+	// we can remove this again once everything gets group qualified and we have unit tests enforcing that.  other pulls are in
+	// progress to do that.
+	// we only want to roundtrip the sa roles now.  We'll remove this once we convert the SA roles
+	versionedRole := &authorizationapiv1.ClusterRole{}
+	if err := kapi.Scheme.Convert(&role, versionedRole, nil); err != nil {
+		return err
+	}
+	defaultedInternalRole := &authorizationapi.ClusterRole{}
+	if err := kapi.Scheme.Convert(versionedRole, defaultedInternalRole, nil); err != nil {
+		return err
+	}
+
+	r.saToRole[saName] = *defaultedInternalRole
 	r.serviceAccounts.Insert(saName)
 	return nil
 }
@@ -129,11 +154,12 @@ func (r *InfraServiceAccounts) RoleFor(saName string) (authorizationapi.ClusterR
 }
 
 func (r *InfraServiceAccounts) AllRoles() []authorizationapi.ClusterRole {
-	ret := []authorizationapi.ClusterRole{}
+	saRoles := []authorizationapi.ClusterRole{}
 	for _, saName := range r.serviceAccounts.List() {
-		ret = append(ret, r.saToRole[saName])
+		saRoles = append(saRoles, r.saToRole[saName])
 	}
-	return ret
+
+	return saRoles
 }
 
 func init() {
@@ -1113,7 +1139,9 @@ func init() {
 			Rules: []authorizationapi.PolicyRule{
 				{
 					APIGroups: []string{certificates.GroupName},
-					Verbs:     sets.NewString("create", "get"),
+					// match the upstream role for now
+					// TODO sort out how to deconflict this with upstream
+					Verbs:     sets.NewString("create", "get", "list", "watch"),
 					Resources: sets.NewString("certificatesigningrequests"),
 				},
 			},