start bootstrapping cluster roles from kube #14026

deads2k · 2017-05-03T16:35:57Z

This starts adding clusterroles and clusterrolebindings from kube RBAC rules as bootstrap origin roles. These will be plumbed to bootstrapping and to the reconcile commands.

This doesn't deprecate or remove any origin roles. Any origin role or binding takes priority.

Still todo:

Wire up the clientbuilder for upstream controllers to create the kube-system SAs
Create a dead.go file to contain roles that we're retiring in favor of upstream roles. Upstream controllers for example.
Re-prefix remaining system: roles in openshift to system:openshift: or system:openshift:controller:
Refactor origin controller bootstrapping to look like the upstream one to subdivide permissions easily.

deads2k · 2017-05-03T16:36:22Z

[test]

ncdc · 2017-05-03T16:40:06Z

pkg/cmd/server/bootstrappolicy/infra_sa_policy.go

+		role.Rules[j].Resources = authorizationapi.NormalizeResources(role.Rules[j].Resources)
+	}
+
+	// TODO roundtrip roles to pick up defaulting for API groups.  Without this, the covers check in reconcile-cluster-roles will fail.


Conversion and defaulting are separate. You'll need to call kapi.Scheme.Default on the external version, won't you?

They aren't separate here: https://github.com/openshift/origin/blob/master/pkg/authorization/api/v1/conversion.go#L95

Also this is pre-existing. Just moved it closer to its need.

ncdc · 2017-05-03T16:49:42Z

Gotcha. I noticed it was a move after I wrote the comment.

…

On Wed, May 3, 2017 at 12:44 PM, David Eads ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In pkg/cmd/server/bootstrappolicy/infra_sa_policy.go <#14026 (comment)>: > @@ -114,7 +118,28 @@ func (r *InfraServiceAccounts) addServiceAccount(saName string, role authorizati role.Annotations = map[string]string{} } role.Annotations[roleSystemOnly] = roleIsSystemOnly - r.saToRole[saName] = role + + // TODO make this unnecessary + // we don't want to expose the resourcegroups externally because it makes it very difficult for customers to learn from + // our default roles and hard for them to reason about what power they are granting their users + for j := range role.Rules { + role.Rules[j].Resources = authorizationapi.NormalizeResources(role.Rules[j].Resources) + } + + // TODO roundtrip roles to pick up defaulting for API groups. Without this, the covers check in reconcile-cluster-roles will fail. They aren't separate here: https://github.com/openshift/ origin/blob/master/pkg/authorization/api/v1/conversion.go#L95 Also this is pre-existing. Just moved it closer to its need. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#14026 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAABYgMonEKrDp4KRf2XUISB5c9Zta9oks5r2K7YgaJpZM4NPp39> .

deads2k · 2017-05-05T14:52:50Z

re[test]

enj

Minor comments. LGTM.

enj · 2017-05-05T17:38:27Z

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

+  kind: ClusterRole
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"


Does origin do anything with this?

Does origin do anything with this?

It will clone it back during the later sync: #14064

enj · 2017-05-05T17:40:26Z

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system:basic-user


Interesting mismtach.

enj · 2017-05-05T17:42:28Z

test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml

+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: cluster-admin


So kube does not pluralize them like we do...

So kube does not pluralize them like we do...

Right.

enj · 2017-05-05T17:54:15Z