Bootstrap Kube namespaced roles and bindings

enj · enj · commit 199830809652 · 2017-09-26T23:15:55.000-04:00
This change brings in the upstream namespaced roles that are used by
controllers.  These will never conflict with the openshift ones
since they are required to be in namespaces prefixed with "kube-".

Signed-off-by: Monis Khan &lt;mkhan@redhat.com&gt;
diff --git a/pkg/authorization/apis/authorization/rbacconversion/conversion.go b/pkg/authorization/apis/authorization/rbacconversion/conversion.go
@@ -47,6 +47,7 @@ func Convert_authorization_ClusterRole_To_rbac_ClusterRole(in *authorizationapi.
 
 func Convert_authorization_Role_To_rbac_Role(in *authorizationapi.Role, out *rbac.Role, _ conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
+	out.Annotations = convert_authorization_Annotations_To_rbac_Annotations(in.Annotations)
 	out.Rules = convert_api_PolicyRules_To_rbac_PolicyRules(in.Rules)
 	return nil
 }
@@ -61,6 +62,7 @@ func Convert_authorization_ClusterRoleBinding_To_rbac_ClusterRoleBinding(in *aut
 	}
 	out.RoleRef = convert_api_RoleRef_To_rbac_RoleRef(&in.RoleRef)
 	out.ObjectMeta = in.ObjectMeta
+	out.Annotations = convert_authorization_Annotations_To_rbac_Annotations(in.Annotations)
 	return nil
 }
 
@@ -74,6 +76,7 @@ func Convert_authorization_RoleBinding_To_rbac_RoleBinding(in *authorizationapi.
 	}
 	out.RoleRef = convert_api_RoleRef_To_rbac_RoleRef(&in.RoleRef)
 	out.ObjectMeta = in.ObjectMeta
+	out.Annotations = convert_authorization_Annotations_To_rbac_Annotations(in.Annotations)
 	return nil
 }
 
@@ -172,6 +175,7 @@ func Convert_rbac_ClusterRole_To_authorization_ClusterRole(in *rbac.ClusterRole,
 
 func Convert_rbac_Role_To_authorization_Role(in *rbac.Role, out *authorizationapi.Role, _ conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
+	out.Annotations = convert_rbac_Annotations_To_authorization_Annotations(in.Annotations)
 	out.Rules = Convert_rbac_PolicyRules_To_authorization_PolicyRules(in.Rules)
 	return nil
 }
@@ -185,6 +189,7 @@ func Convert_rbac_ClusterRoleBinding_To_authorization_ClusterRoleBinding(in *rba
 		return err
 	}
 	out.ObjectMeta = in.ObjectMeta
+	out.Annotations = convert_rbac_Annotations_To_authorization_Annotations(in.Annotations)
 	return nil
 }
 
@@ -197,6 +202,7 @@ func Convert_rbac_RoleBinding_To_authorization_RoleBinding(in *rbac.RoleBinding,
 		return err
 	}
 	out.ObjectMeta = in.ObjectMeta
+	out.Annotations = convert_rbac_Annotations_To_authorization_Annotations(in.Annotations)
 	return nil
 }
 
diff --git a/pkg/cmd/server/admin/create_bootstrappolicy_file.go b/pkg/cmd/server/admin/create_bootstrappolicy_file.go
@@ -10,7 +10,9 @@ import (
 
 	"github.com/spf13/cobra"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 	kprinters "k8s.io/kubernetes/pkg/printers"
 
@@ -53,6 +55,7 @@ func NewCommandCreateBootstrapPolicyFile(commandName string, fullName string, ou
 
 	flags.StringVar(&options.File, "filename", DefaultPolicyFile, "The policy template file that will be written with roles and bindings.")
 	flags.StringVar(&options.OpenShiftSharedResourcesNamespace, "openshift-namespace", "openshift", "Namespace for shared resources.")
+	flags.MarkDeprecated("openshift-namespace", "this field is no longer supported and using it can lead to undefined behavior")
 
 	// autocompletion hints
 	cmd.MarkFlagFilename("filename")
@@ -80,11 +83,11 @@ func (o CreateBootstrapPolicyFileOptions) CreateBootstrapPolicyFile() error {
 	}
 
 	policyTemplate := &templateapi.Template{}
+	policy := bootstrappolicy.Policy()
 
-	clusterRoles := bootstrappolicy.GetBootstrapClusterRoles()
-	for i := range clusterRoles {
+	for i := range policy.ClusterRoles {
 		originObject := &authorizationapi.ClusterRole{}
-		if err := kapi.Scheme.Convert(&clusterRoles[i], originObject, nil); err != nil {
+		if err := kapi.Scheme.Convert(&policy.ClusterRoles[i], originObject, nil); err != nil {
 			return err
 		}
 		versionedObject, err := kapi.Scheme.ConvertToVersion(originObject, latest.Version)
@@ -94,10 +97,9 @@ func (o CreateBootstrapPolicyFileOptions) CreateBootstrapPolicyFile() error {
 		policyTemplate.Objects = append(policyTemplate.Objects, versionedObject)
 	}
 
-	clusterRoleBindings := bootstrappolicy.GetBootstrapClusterRoleBindings()
-	for i := range clusterRoleBindings {
+	for i := range policy.ClusterRoleBindings {
 		originObject := &authorizationapi.ClusterRoleBinding{}
-		if err := kapi.Scheme.Convert(&clusterRoleBindings[i], originObject, nil); err != nil {
+		if err := kapi.Scheme.Convert(&policy.ClusterRoleBindings[i], originObject, nil); err != nil {
 			return err
 		}
 		versionedObject, err := kapi.Scheme.ConvertToVersion(originObject, latest.Version)
@@ -107,30 +109,64 @@ func (o CreateBootstrapPolicyFileOptions) CreateBootstrapPolicyFile() error {
 		policyTemplate.Objects = append(policyTemplate.Objects, versionedObject)
 	}
 
-	openshiftRoles := bootstrappolicy.GetBootstrapOpenshiftRoles(o.OpenShiftSharedResourcesNamespace)
-	for i := range openshiftRoles {
-		originObject := &authorizationapi.Role{}
-		if err := kapi.Scheme.Convert(&openshiftRoles[i], originObject, nil); err != nil {
-			return err
+	openshiftRoles := map[string][]rbac.Role{}
+	for namespace, roles := range policy.Roles {
+		if namespace == bootstrappolicy.DefaultOpenShiftSharedResourcesNamespace {
+			r := make([]rbac.Role, len(roles))
+			for i := range roles {
+				r[i] = roles[i]
+				r[i].Namespace = o.OpenShiftSharedResourcesNamespace
+			}
+			openshiftRoles[o.OpenShiftSharedResourcesNamespace] = r
+		} else {
+			openshiftRoles[namespace] = roles
 		}
-		versionedObject, err := kapi.Scheme.ConvertToVersion(originObject, latest.Version)
-		if err != nil {
-			return err
+	}
+
+	// iterate in a defined order
+	for _, namespace := range sets.StringKeySet(openshiftRoles).List() {
+		roles := openshiftRoles[namespace]
+		for i := range roles {
+			originObject := &authorizationapi.Role{}
+			if err := kapi.Scheme.Convert(&roles[i], originObject, nil); err != nil {
+				return err
+			}
+			versionedObject, err := kapi.Scheme.ConvertToVersion(originObject, latest.Version)
+			if err != nil {
+				return err
+			}
+			policyTemplate.Objects = append(policyTemplate.Objects, versionedObject)
 		}
-		policyTemplate.Objects = append(policyTemplate.Objects, versionedObject)
 	}
 
-	openshiftRoleBindings := bootstrappolicy.GetBootstrapOpenshiftRoleBindings(o.OpenShiftSharedResourcesNamespace)
-	for i := range openshiftRoleBindings {
-		originObject := &authorizationapi.RoleBinding{}
-		if err := kapi.Scheme.Convert(&openshiftRoleBindings[i], originObject, nil); err != nil {
-			return err
+	openshiftRoleBindings := map[string][]rbac.RoleBinding{}
+	for namespace, roleBindings := range policy.RoleBindings {
+		if namespace == bootstrappolicy.DefaultOpenShiftSharedResourcesNamespace {
+			rb := make([]rbac.RoleBinding, len(roleBindings))
+			for i := range roleBindings {
+				rb[i] = roleBindings[i]
+				rb[i].Namespace = o.OpenShiftSharedResourcesNamespace
+			}
+			openshiftRoleBindings[o.OpenShiftSharedResourcesNamespace] = rb
+		} else {
+			openshiftRoleBindings[namespace] = roleBindings
 		}
-		versionedObject, err := kapi.Scheme.ConvertToVersion(originObject, latest.Version)
-		if err != nil {
-			return err
+	}
+
+	// iterate in a defined order
+	for _, namespace := range sets.StringKeySet(openshiftRoleBindings).List() {
+		roleBindings := openshiftRoleBindings[namespace]
+		for i := range roleBindings {
+			originObject := &authorizationapi.RoleBinding{}
+			if err := kapi.Scheme.Convert(&roleBindings[i], originObject, nil); err != nil {
+				return err
+			}
+			versionedObject, err := kapi.Scheme.ConvertToVersion(originObject, latest.Version)
+			if err != nil {
+				return err
+			}
+			policyTemplate.Objects = append(policyTemplate.Objects, versionedObject)
 		}
-		policyTemplate.Objects = append(policyTemplate.Objects, versionedObject)
 	}
 
 	versionedPolicyTemplate, err := kapi.Scheme.ConvertToVersion(policyTemplate, latest.Version)
diff --git a/pkg/cmd/server/bootstrappolicy/all.go b/pkg/cmd/server/bootstrappolicy/all.go
@@ -1,19 +1,14 @@
 package bootstrappolicy
 
 import (
-	"k8s.io/kubernetes/pkg/apis/rbac"
 	rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest"
 )
 
 func Policy() *rbacrest.PolicyData {
 	return &rbacrest.PolicyData{
 		ClusterRoles:        GetBootstrapClusterRoles(),
 		ClusterRoleBindings: GetBootstrapClusterRoleBindings(),
-		Roles: map[string][]rbac.Role{
-			DefaultOpenShiftSharedResourcesNamespace: GetBootstrapOpenshiftRoles(DefaultOpenShiftSharedResourcesNamespace),
-		},
-		RoleBindings: map[string][]rbac.RoleBinding{
-			DefaultOpenShiftSharedResourcesNamespace: GetBootstrapOpenshiftRoleBindings(DefaultOpenShiftSharedResourcesNamespace),
-		},
+		Roles:               GetBootstrapNamespaceRoles(),
+		RoleBindings:        GetBootstrapNamespaceRoleBindings(),
 	}
 }
diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go
@@ -77,10 +77,12 @@ func addControllerRoleToSA(saNamespace, saName string, role rbac.ClusterRole) {
 		}
 	}
 
+	addDefaultMetadata(&role)
 	controllerRoles = append(controllerRoles, role)
 
-	controllerRoleBindings = append(controllerRoleBindings,
-		rbac.NewClusterBinding(role.Name).SAs(saNamespace, saName).BindingOrDie())
+	roleBinding := rbac.NewClusterBinding(role.Name).SAs(saNamespace, saName).BindingOrDie()
+	addDefaultMetadata(&roleBinding)
+	controllerRoleBindings = append(controllerRoleBindings, roleBinding)
 }
 
 func eventsRule() rbac.PolicyRule {
@@ -167,8 +169,9 @@ func init() {
 	})
 
 	// template-instance-controller
-	controllerRoleBindings = append(controllerRoleBindings,
-		rbac.NewClusterBinding(AdminRoleName).SAs(DefaultOpenShiftInfraNamespace, InfraTemplateInstanceControllerServiceAccountName).BindingOrDie())
+	templateInstanceController := rbac.NewClusterBinding(AdminRoleName).SAs(DefaultOpenShiftInfraNamespace, InfraTemplateInstanceControllerServiceAccountName).BindingOrDie()
+	addDefaultMetadata(&templateInstanceController)
+	controllerRoleBindings = append(controllerRoleBindings, templateInstanceController)
 
 	// origin-namespace-controller
 	addControllerRole(rbac.ClusterRole{
diff --git a/pkg/cmd/server/bootstrappolicy/dead.go b/pkg/cmd/server/bootstrappolicy/dead.go
@@ -20,11 +20,11 @@ func addDeadClusterRole(name string) {
 		}
 	}
 
-	deadClusterRoles = append(deadClusterRoles,
-		rbac.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{Name: name},
-		},
-	)
+	deadClusterRole := rbac.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: name},
+	}
+	addDefaultMetadata(&deadClusterRole)
+	deadClusterRoles = append(deadClusterRoles, deadClusterRole)
 }
 
 func addDeadClusterRoleBinding(name, roleName string) {
@@ -34,12 +34,12 @@ func addDeadClusterRoleBinding(name, roleName string) {
 		}
 	}
 
-	deadClusterRoleBindings = append(deadClusterRoleBindings,
-		rbac.ClusterRoleBinding{
-			ObjectMeta: metav1.ObjectMeta{Name: name},
-			RoleRef:    rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: roleName},
-		},
-	)
+	deadClusterRoleBinding := rbac.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: name},
+		RoleRef:    rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: roleName},
+	}
+	addDefaultMetadata(&deadClusterRoleBinding)
+	deadClusterRoleBindings = append(deadClusterRoleBindings, deadClusterRoleBinding)
 }
 
 // GetDeadClusterRoles returns cluster roles which should no longer have any permissions.
diff --git a/pkg/cmd/server/bootstrappolicy/namespace_policy.go b/pkg/cmd/server/bootstrappolicy/namespace_policy.go
@@ -0,0 +1,83 @@
+package bootstrappolicy
+
+import (
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+
+	"github.com/golang/glog"
+)
+
+func addNamespaceRole(namespaceRoles map[string][]rbac.Role, namespace string, role rbac.Role) {
+	if namespace != "openshift" && !strings.HasPrefix(namespace, "openshift-") {
+		glog.Fatalf(`roles can only be bootstrapped into reserved "openshift" namespace or namespaces starting with "openshift-", not %q`, namespace)
+	}
+
+	existingRoles := namespaceRoles[namespace]
+	for _, existingRole := range existingRoles {
+		if role.Name == existingRole.Name {
+			glog.Fatalf("role %q was already registered in %q", role.Name, namespace)
+		}
+	}
+
+	role.Namespace = namespace
+	addDefaultMetadata(&role)
+	existingRoles = append(existingRoles, role)
+	namespaceRoles[namespace] = existingRoles
+}
+
+func addNamespaceRoleBinding(namespaceRoleBindings map[string][]rbac.RoleBinding, namespace string, roleBinding rbac.RoleBinding) {
+	if namespace != "openshift" && !strings.HasPrefix(namespace, "openshift-") {
+		glog.Fatalf(`role bindings can only be bootstrapped into reserved "openshift" namespace or namespaces starting with "openshift-", not %q`, namespace)
+	}
+
+	existingRoleBindings := namespaceRoleBindings[namespace]
+	for _, existingRoleBinding := range existingRoleBindings {
+		if roleBinding.Name == existingRoleBinding.Name {
+			glog.Fatalf("rolebinding %q was already registered in %q", roleBinding.Name, namespace)
+		}
+	}
+
+	roleBinding.Namespace = namespace
+	addDefaultMetadata(&roleBinding)
+	existingRoleBindings = append(existingRoleBindings, roleBinding)
+	namespaceRoleBindings[namespace] = existingRoleBindings
+}
+
+func buildNamespaceRolesAndBindings() (map[string][]rbac.Role, map[string][]rbac.RoleBinding) {
+	// namespaceRoles is a map of namespace to slice of roles to create
+	namespaceRoles := map[string][]rbac.Role{}
+	// namespaceRoleBindings is a map of namespace to slice of roleBindings to create
+	namespaceRoleBindings := map[string][]rbac.RoleBinding{}
+
+	addNamespaceRole(namespaceRoles,
+		DefaultOpenShiftSharedResourcesNamespace,
+		rbac.Role{
+			ObjectMeta: metav1.ObjectMeta{Name: OpenshiftSharedResourceViewRoleName},
+			Rules: []rbac.PolicyRule{
+				rbac.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("templates").RuleOrDie(),
+				rbac.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("imagestreams", "imagestreamtags", "imagestreamimages").RuleOrDie(),
+				// so anyone can pull from openshift/* image streams
+				rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(),
+			},
+		})
+
+	addNamespaceRoleBinding(namespaceRoleBindings,
+		DefaultOpenShiftSharedResourcesNamespace,
+		newOriginRoleBinding(OpenshiftSharedResourceViewRoleBindingName, OpenshiftSharedResourceViewRoleName, DefaultOpenShiftSharedResourcesNamespace).Groups(AuthenticatedGroup).BindingOrDie())
+
+	return namespaceRoles, namespaceRoleBindings
+}
+
+// NamespaceRoles returns a map of namespace to slice of roles to create
+func NamespaceRoles() map[string][]rbac.Role {
+	namespaceRoles, _ := buildNamespaceRolesAndBindings()
+	return namespaceRoles
+}
+
+// NamespaceRoleBindings returns a map of namespace to slice of role bindings to create
+func NamespaceRoleBindings() map[string][]rbac.RoleBinding {
+	_, namespaceRoleBindings := buildNamespaceRolesAndBindings()
+	return namespaceRoleBindings
+}
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
diff --git a/pkg/cmd/server/bootstrappolicy/policy_test.go b/pkg/cmd/server/bootstrappolicy/policy_test.go

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ func Convert_authorization_ClusterRole_To_rbac_ClusterRole(in *authorizationapi.`
`47`	`47`
`48`	`48`	`func Convert_authorization_Role_To_rbac_Role(in authorizationapi.Role, out rbac.Role, _ conversion.Scope) error {`
`49`	`49`	`out.ObjectMeta = in.ObjectMeta`
	`50`	`+ out.Annotations = convert_authorization_Annotations_To_rbac_Annotations(in.Annotations)`
`50`	`51`	`out.Rules = convert_api_PolicyRules_To_rbac_PolicyRules(in.Rules)`
`51`	`52`	`return nil`
`52`	`53`	`}`
`@@ -61,6 +62,7 @@ func Convert_authorization_ClusterRoleBinding_To_rbac_ClusterRoleBinding(in *aut`
`61`	`62`	`}`
`62`	`63`	`out.RoleRef = convert_api_RoleRef_To_rbac_RoleRef(&in.RoleRef)`
`63`	`64`	`out.ObjectMeta = in.ObjectMeta`
	`65`	`+ out.Annotations = convert_authorization_Annotations_To_rbac_Annotations(in.Annotations)`
`64`	`66`	`return nil`
`65`	`67`	`}`
`66`	`68`
`@@ -74,6 +76,7 @@ func Convert_authorization_RoleBinding_To_rbac_RoleBinding(in *authorizationapi.`
`74`	`76`	`}`
`75`	`77`	`out.RoleRef = convert_api_RoleRef_To_rbac_RoleRef(&in.RoleRef)`
`76`	`78`	`out.ObjectMeta = in.ObjectMeta`
	`79`	`+ out.Annotations = convert_authorization_Annotations_To_rbac_Annotations(in.Annotations)`
`77`	`80`	`return nil`
`78`	`81`	`}`
`79`	`82`
`@@ -172,6 +175,7 @@ func Convert_rbac_ClusterRole_To_authorization_ClusterRole(in *rbac.ClusterRole,`
`172`	`175`
`173`	`176`	`func Convert_rbac_Role_To_authorization_Role(in rbac.Role, out authorizationapi.Role, _ conversion.Scope) error {`
`174`	`177`	`out.ObjectMeta = in.ObjectMeta`
	`178`	`+ out.Annotations = convert_rbac_Annotations_To_authorization_Annotations(in.Annotations)`
`175`	`179`	`out.Rules = Convert_rbac_PolicyRules_To_authorization_PolicyRules(in.Rules)`
`176`	`180`	`return nil`
`177`	`181`	`}`
`@@ -185,6 +189,7 @@ func Convert_rbac_ClusterRoleBinding_To_authorization_ClusterRoleBinding(in *rba`
`185`	`189`	`return err`
`186`	`190`	`}`
`187`	`191`	`out.ObjectMeta = in.ObjectMeta`
	`192`	`+ out.Annotations = convert_rbac_Annotations_To_authorization_Annotations(in.Annotations)`
`188`	`193`	`return nil`
`189`	`194`	`}`
`190`	`195`
`@@ -197,6 +202,7 @@ func Convert_rbac_RoleBinding_To_authorization_RoleBinding(in *rbac.RoleBinding,`
`197`	`202`	`return err`
`198`	`203`	`}`
`199`	`204`	`out.ObjectMeta = in.ObjectMeta`
	`205`	`+ out.Annotations = convert_rbac_Annotations_To_authorization_Annotations(in.Annotations)`
`200`	`206`	`return nil`
`201`	`207`	`}`
`202`	`208`
Original file line number	Diff line number	Diff line change
`@@ -20,11 +20,11 @@ func addDeadClusterRole(name string) {`
`20`	`20`	`}`
`21`	`21`	`}`
`22`	`22`
`23`		`- deadClusterRoles = append(deadClusterRoles,`
`24`		`- rbac.ClusterRole{`
`25`		`- ObjectMeta: metav1.ObjectMeta{Name: name},`
`26`		`- },`
`27`		`- )`
	`23`	`+ deadClusterRole := rbac.ClusterRole{`
	`24`	`+ ObjectMeta: metav1.ObjectMeta{Name: name},`
	`25`	`+ }`
	`26`	`+ addDefaultMetadata(&deadClusterRole)`
	`27`	`+ deadClusterRoles = append(deadClusterRoles, deadClusterRole)`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`func addDeadClusterRoleBinding(name, roleName string) {`
`@@ -34,12 +34,12 @@ func addDeadClusterRoleBinding(name, roleName string) {`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`
`37`		`- deadClusterRoleBindings = append(deadClusterRoleBindings,`
`38`		`- rbac.ClusterRoleBinding{`
`39`		`- ObjectMeta: metav1.ObjectMeta{Name: name},`
`40`		`- RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: roleName},`
`41`		`- },`
`42`		`- )`
	`37`	`+ deadClusterRoleBinding := rbac.ClusterRoleBinding{`
	`38`	`+ ObjectMeta: metav1.ObjectMeta{Name: name},`
	`39`	`+ RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: roleName},`
	`40`	`+ }`
	`41`	`+ addDefaultMetadata(&deadClusterRoleBinding)`
	`42`	`+ deadClusterRoleBindings = append(deadClusterRoleBindings, deadClusterRoleBinding)`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`// GetDeadClusterRoles returns cluster roles which should no longer have any permissions.`