@@ -12,6 +12,7 @@ import (
1212 kerrors "k8s.io/apimachinery/pkg/util/errors"
1313 "k8s.io/apiserver/pkg/admission"
1414 kapi "k8s.io/kubernetes/pkg/api"
15+ "k8s.io/kubernetes/pkg/apis/rbac"
1516 kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
1617
1718 authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
@@ -68,11 +69,11 @@ func (q *restrictUsersAdmission) SetUserInformer(userInformers userinformer.Shar
6869 q .groupCache = usercache .NewGroupCache (userInformers .User ().InternalVersion ().Groups ())
6970}
7071
71- // objectReferenceDelta returns the relative complement of
72- // []ObjectReference elementsToIgnore in []ObjectReference elements
73- // (i.e., elements∖elementsToIgnore).
74- func objectReferenceDelta (elementsToIgnore , elements []kapi. ObjectReference ) []kapi.ObjectReference {
75- result := []kapi. ObjectReference {}
72+ // subjectsDelta returns the relative complement of elementsToIgnore in
73+ // elements (i.e., elements∖elementsToIgnore).
74+ // TODO return []rbac.Subject{} once we convert subjectchecker to RBAC types
75+ func subjectsDelta (elementsToIgnore , elements []rbac. Subject ) ( []kapi.ObjectReference , error ) {
76+ result := []rbac. Subject {}
7677
7778 for _ , el := range elements {
7879 keep := true
@@ -87,19 +88,17 @@ func objectReferenceDelta(elementsToIgnore, elements []kapi.ObjectReference) []k
8788 }
8889 }
8990
90- return result
91+ return authorizationapi . Convert_rbac_Subjects_To_authorization_Subjects ( result )
9192}
9293
9394// Admit makes admission decisions that enforce restrictions on adding
9495// project-scoped role-bindings. In order for a role binding to be permitted,
9596// each subject in the binding must be matched by some rolebinding restriction
9697// in the namespace.
9798func (q * restrictUsersAdmission ) Admit (a admission.Attributes ) (err error ) {
98- // We only care about rolebindings and policybindings; ignore anything else.
99- gr := a .GetResource ().GroupResource ()
100- switch {
101- case authorizationapi .IsResourceOrLegacy ("policybindings" , gr ), authorizationapi .IsResourceOrLegacy ("rolebindings" , gr ):
102- default :
99+
100+ // We only care about rolebindings
101+ if a .GetResource ().GroupResource () != rbac .Resource ("rolebindings" ) {
103102 return nil
104103 }
105104
@@ -114,66 +113,38 @@ func (q *restrictUsersAdmission) Admit(a admission.Attributes) (err error) {
114113 return nil
115114 }
116115
117- var subjects , oldSubjects []kapi. ObjectReference
116+ var oldSubjects []rbac. Subject
118117
119118 obj , oldObj := a .GetObject (), a .GetOldObject ()
120- switch {
121- case authorizationapi .IsResourceOrLegacy ("rolebindings" , gr ):
122- rolebinding , ok := obj .(* authorizationapi.RoleBinding )
123- if ! ok {
124- return admission .NewForbidden (a ,
125- fmt .Errorf ("wrong object type for new rolebinding: %T" , obj ))
126- }
127-
128- subjects = rolebinding .Subjects
129- if len (subjects ) == 0 {
130- return nil
131- }
132119
133- if oldObj != nil {
134- oldrolebinding , ok := oldObj .(* authorizationapi.RoleBinding )
135- if ! ok {
136- return admission .NewForbidden (a ,
137- fmt .Errorf ("wrong object type for old rolebinding: %T" , oldObj ))
138- }
139-
140- oldSubjects = oldrolebinding .Subjects
141- }
120+ rolebinding , ok := obj .(* rbac.RoleBinding )
121+ if ! ok {
122+ return admission .NewForbidden (a ,
123+ fmt .Errorf ("wrong object type for new rolebinding: %T" , obj ))
124+ }
142125
143- glog .V (4 ).Infof ("Handling rolebinding %s/%s" ,
144- rolebinding .Namespace , rolebinding .Name )
126+ if len (rolebinding .Subjects ) == 0 {
127+ glog .V (4 ).Infof ("No new subjects; admitting" )
128+ return nil
129+ }
145130
146- case authorizationapi . IsResourceOrLegacy ( "policybindings" , gr ):
147- policybinding , ok := obj .(* authorizationapi. PolicyBinding )
131+ if oldObj != nil {
132+ oldrolebinding , ok := oldObj .(* rbac. RoleBinding )
148133 if ! ok {
149134 return admission .NewForbidden (a ,
150- fmt .Errorf ("wrong object type for new policybinding: %T" , obj ))
151- }
152-
153- for _ , rolebinding := range policybinding .RoleBindings {
154- subjects = append (subjects , rolebinding .Subjects ... )
135+ fmt .Errorf ("wrong object type for old rolebinding: %T" , oldObj ))
155136 }
156- if len (subjects ) == 0 {
157- return nil
158- }
159-
160- if oldObj != nil {
161- oldpolicybinding , ok := oldObj .(* authorizationapi.PolicyBinding )
162- if ! ok {
163- return admission .NewForbidden (a ,
164- fmt .Errorf ("wrong object type for old policybinding: %T" , oldObj ))
165- }
137+ oldSubjects = oldrolebinding .Subjects
138+ }
166139
167- for _ , rolebinding := range oldpolicybinding .RoleBindings {
168- oldSubjects = append (oldSubjects , rolebinding .Subjects ... )
169- }
170- }
140+ glog .V (4 ).Infof ("Handling rolebinding %s/%s" ,
141+ rolebinding .Namespace , rolebinding .Name )
171142
172- glog .V (4 ).Infof ("Handling policybinding %s/%s" ,
173- policybinding .Namespace , policybinding .Name )
143+ newSubjects , err := subjectsDelta (oldSubjects , rolebinding .Subjects )
144+ if err != nil {
145+ return admission .NewForbidden (a ,
146+ fmt .Errorf ("failed to select Subjects: %v" , err ))
174147 }
175-
176- newSubjects := objectReferenceDelta (oldSubjects , subjects )
177148 if len (newSubjects ) == 0 {
178149 glog .V (4 ).Infof ("No new subjects; admitting" )
179150 return nil
0 commit comments