
Commit 7f9567a

author
OpenShift Bot
authored
Merge pull request #14510 from benjaminapetersen/bpeterse/issue/14411/role-systemonly-annotation
Merged by openshift-bot
2 parents b19f70e + ba5b20c commit 7f9567a


3 files changed

+144
-0
lines changed


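--- a/pkg/cmd/server/bootstrappolicy/policy.go
+++ b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -1321,8 +1321,24 @@ func convertClusterRoles(in []rbac.ClusterRole) ([]authorizationapi.ClusterRole,
 			errs = append(errs, fmt.Errorf("error converting %q: %v", in[i].Name, err))
 			continue
 		}
+		// adding annotation to any role not explicitly in the whitelist below
+		if !rolesToShow.Has(newRole.Name) {
+			newRole.Annotations[roleSystemOnly] = roleIsSystemOnly
+		}
 		out = append(out, *newRole)
 	}
 
 	return out, kutilerrors.NewAggregate(errs)
 }
+
+// The current list of roles considered useful for normal users (non-admin)
+var rolesToShow = sets.NewString(
+	"admin",
+	"basic-user",
+	"edit",
+	"system:deployer",
+	"system:image-builder",
+	"system:image-puller",
+	"system:image-pusher",
+	"view",
+)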
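Review bot: The new `newRole.Annotations[roleSystemOnly] = roleIsSystemOnly` write panics if `newRole.Annotations` is nil, and whether `convertClusterRole` (outside this hunk) always initializes that map cannot be seen here, so a guard `if newRole.Annotations == nil { newRole.Annotations = map[string]string{} }` directly before the assignment is cheap insurance. The comment on `rolesToShow` should also make clear that the list is a web-console display hint and not an authorization control: a role absent from it remains bindable and a role present in it gains no permissions, so nobody later mistakes the "whitelist" for an allow-list. Suggested wording for the `var rolesToShow` comment: `// rolesToShow lists the bootstrap cluster roles the web console presents to ordinary users; every other role passing through convertClusterRoles is annotated system-only. This is a UI hint, not an authorization check.` Note that the decision keys on `newRole.Name` alone, so any role reaching convertClusterRoles under one of these names is shown regardless of its rules; the function's callers are outside the hunk.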
@@ -0,0 +1,98 @@
1+
package bootstrappolicy
2+
3+
import (
4+
"strings"
5+
"testing"
6+
7+
authorizationapi "github.com/openshift/origin/pkg/authorization/api"
8+
"k8s.io/apimachinery/pkg/util/sets"
9+
)
10+
11+
// NOTE: If this test fails, talk to the web console team to decide if your
12+
// new role(s) should be visible to an end user in the web console.
13+
14+
var rolesToHide = sets.NewString(
15+
"cluster-admin",
16+
"cluster-debugger",
17+
"cluster-reader",
18+
"cluster-status",
19+
"registry-admin",
20+
"registry-editor",
21+
"registry-viewer",
22+
"self-access-reviewer",
23+
"self-provisioner",
24+
"storage-admin",
25+
"sudoer",
26+
"system:auth-delegator",
27+
"system:basic-user",
28+
"system:build-strategy-custom",
29+
"system:build-strategy-docker",
30+
"system:build-strategy-jenkinspipeline",
31+
"system:build-strategy-source",
32+
"system:discovery",
33+
"system:heapster",
34+
"system:image-auditor",
35+
"system:image-pruner",
36+
"system:image-signer",
37+
"system:kube-aggregator",
38+
"system:kube-controller-manager",
39+
"system:kube-dns",
40+
"system:kube-scheduler",
41+
"system:master",
42+
"system:node",
43+
"system:node-admin",
44+
"system:node-bootstrapper",
45+
"system:node-problem-detector",
46+
"system:node-proxier",
47+
"system:node-reader",
48+
"system:oauth-token-deleter",
49+
"system:openshift:template-service-broker",
50+
"system:openshift:templateservicebroker-client",
51+
"system:persistent-volume-provisioner",
52+
"system:registry",
53+
"system:router",
54+
"system:sdn-manager",
55+
"system:sdn-reader",
56+
"system:webhook",
57+
)
58+
59+
func TestSystemOnlyRoles(t *testing.T) {
60+
show := sets.NewString()
61+
hide := sets.NewString()
62+
63+
for _, role := range GetBootstrapClusterRoles() {
64+
if isControllerRole(&role) {
65+
continue // assume all controller roles can be ignored
66+
}
67+
if isSystemOnlyRole(role) {
68+
hide.Insert(role.Name)
69+
} else {
70+
show.Insert(role.Name)
71+
}
72+
}
73+
74+
if !show.Equal(rolesToShow) || !hide.Equal(rolesToHide) {
75+
shouldNotShow := show.Difference(rolesToShow).List()
76+
shouldNotHide := hide.Difference(rolesToHide).List()
77+
t.Error("The list of expected end user roles has been changed. Please discuss with the web console team to update role annotations.")
78+
if len(shouldNotShow) > 0 {
79+
t.Errorf("These roles are visible but not in rolesToShow: %v", shouldNotShow)
80+
}
81+
if len(shouldNotHide) > 0 {
82+
t.Errorf("These roles are hidden but not in rolesToHide: %v", shouldNotHide)
83+
}
84+
}
85+
}
86+
87+
// this logic must stay in sync w/the web console for this test to be valid/valuable
88+
// it is the same logic that is run on the membership page
89+
func isSystemOnlyRole(role authorizationapi.ClusterRole) bool {
90+
return role.Annotations[roleSystemOnly] == roleIsSystemOnly
91+
}
92+
93+
// helper so that roles following this pattern do not need to be manaully added
94+
// to the hide list
95+
func isControllerRole(role *authorizationapi.ClusterRole) bool {
96+
return strings.HasPrefix(role.Name, "system:controller:") ||
97+
strings.HasSuffix(role.Name, "-controller")
98+
}
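Review bot: When a role named in `rolesToShow` or `rolesToHide` disappears from the bootstrap set, or moves from one list to the other, the `!show.Equal(rolesToShow) || !hide.Equal(rolesToHide)` check fails but neither `t.Errorf` branch fires, because only `show.Difference(rolesToShow)` and `hide.Difference(rolesToHide)` are reported; the reverse differences should be printed too so the failure names the offending role. The `isControllerRole` skip is purely name-based (`system:controller:` prefix or `-controller` suffix), so a future non-controller role that merely ends in `-controller` would be silently exempt from this review gate; a comment stating that assumption next to the helper, e.g. `// name-based heuristic: any role ending in "-controller" is assumed to be a controller role and is skipped`, would make the gap visible. Minor style: `isSystemOnlyRole` takes the role by value while `isControllerRole` takes a pointer, and "manaully" in the helper comment is a typo.
```go
	if !show.Equal(rolesToShow) || !hide.Equal(rolesToHide) {
		t.Error("The list of expected end user roles has been changed. Please discuss with the web console team to update role annotations.")
		// … unchanged: shouldNotShow / shouldNotHide reporting …
		if missing := rolesToShow.Difference(show).List(); len(missing) > 0 {
			t.Errorf("These roles are in rolesToShow but are no longer visible (removed or now hidden): %v", missing)
		}
		if missing := rolesToHide.Difference(hide).List(); len(missing) > 0 {
			t.Errorf("These roles are in rolesToHide but are no longer hidden (removed or now visible): %v", missing)
		}
	}
```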

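--- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -4007,6 +4007,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4060,6 +4061,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4116,6 +4118,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4177,6 +4180,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4238,6 +4242,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4310,6 +4315,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4357,6 +4363,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4388,6 +4395,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4476,6 +4484,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4522,6 +4531,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4560,6 +4570,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4612,6 +4623,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4711,6 +4723,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4737,6 +4750,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4784,6 +4798,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4831,6 +4846,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4865,6 +4881,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4899,6 +4916,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4925,6 +4943,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -4968,6 +4987,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5030,6 +5050,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5059,6 +5080,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5095,6 +5117,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5112,6 +5135,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5134,6 +5158,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5167,6 +5192,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5191,6 +5217,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5211,6 +5238,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5278,6 +5306,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
@@ -5379,6 +5408,7 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
+      authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels: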
