api groups interesting changes

Author: mfojtik

pkg/api/meta/pods.go

@@ -23,18 +23,24 @@ var resourcesToCheck = map[unversioned.GroupResource]unversioned.GroupKind{
 	kapi.Resource("replicationcontrollers"): kapi.Kind("ReplicationController"),
 	batch.Resource("jobs"):                  batch.Kind("Job"),
 	batch.Resource("jobtemplates"):          batch.Kind("JobTemplate"),
+
 	// TODO do we still need this or is cronjob sufficient?
-	batch.Resource("scheduledjobs"):                             batch.Kind("ScheduledJob"),
-	batch.Resource("cronjobs"):                                  batch.Kind("CronJob"),
-	extensions.Resource("deployments"):                          extensions.Kind("Deployment"),
-	extensions.Resource("replicasets"):                          extensions.Kind("ReplicaSet"),
-	extensions.Resource("jobs"):                                 extensions.Kind("Job"),
-	extensions.Resource("jobtemplates"):                         extensions.Kind("JobTemplate"),
-	apps.Resource("statefulsets"):                               apps.Kind("StatefulSet"),
-	deployapi.Resource("deploymentconfigs"):                     deployapi.Kind("DeploymentConfig"),
-	securityapi.Resource("podsecuritypolicysubjectreviews"):     securityapi.Kind("PodSecurityPolicySubjectReview"),
-	securityapi.Resource("podsecuritypolicyselfsubjectreviews"): securityapi.Kind("PodSecurityPolicySelfSubjectReview"),
-	securityapi.Resource("podsecuritypolicyreviews"):            securityapi.Kind("PodSecurityPolicyReview"),
+	batch.Resource("scheduledjobs"):     batch.Kind("ScheduledJob"),
+	batch.Resource("cronjobs"):          batch.Kind("CronJob"),
+	extensions.Resource("deployments"):  extensions.Kind("Deployment"),
+	extensions.Resource("replicasets"):  extensions.Kind("ReplicaSet"),
+	extensions.Resource("jobs"):         extensions.Kind("Job"),
+	extensions.Resource("jobtemplates"): extensions.Kind("JobTemplate"),
+	apps.Resource("statefulsets"):       apps.Kind("StatefulSet"),
+
+	deployapi.Resource("deploymentconfigs"):                           deployapi.Kind("DeploymentConfig"),
+	deployapi.LegacyResource("deploymentconfigs"):                     deployapi.LegacyKind("DeploymentConfig"),
+	securityapi.Resource("podsecuritypolicysubjectreviews"):           securityapi.Kind("PodSecurityPolicySubjectReview"),
+	securityapi.LegacyResource("podsecuritypolicysubjectreviews"):     securityapi.LegacyKind("PodSecurityPolicySubjectReview"),
+	securityapi.Resource("podsecuritypolicyselfsubjectreviews"):       securityapi.Kind("PodSecurityPolicySelfSubjectReview"),
+	securityapi.LegacyResource("podsecuritypolicyselfsubjectreviews"): securityapi.LegacyKind("PodSecurityPolicySelfSubjectReview"),
+	securityapi.Resource("podsecuritypolicyreviews"):                  securityapi.Kind("PodSecurityPolicyReview"),
+	securityapi.LegacyResource("podsecuritypolicyreviews"):            securityapi.LegacyKind("PodSecurityPolicyReview"),
 }
 
 // HasPodSpec returns true if the resource is known to have a pod spec.

pkg/api/validation/validation.go

@@ -128,12 +128,17 @@ func GetRequiresNamespace(obj runtime.Object) (bool, error) {
 		return false, err
 	}
 
-	restMapping, err := registered.RESTMapper().RESTMapping(groupVersionKinds[0].GroupKind())
-	if err != nil {
-		return false, err
+	for _, gvk := range groupVersionKinds {
+		restMapping, err := registered.RESTMapper().RESTMapping(gvk.GroupKind())
+		if err != nil {
+			return false, err
+		}
+		if restMapping.Scope.Name() == meta.RESTScopeNameNamespace {
+			return true, nil
+		}
 	}
 
-	return restMapping.Scope.Name() == meta.RESTScopeNameNamespace, nil
+	return false, nil
 }
 
 func HasObjectMeta(obj runtime.Object) bool {

pkg/build/admission/strategyrestrictions/admission.go

@@ -36,18 +36,14 @@ func NewBuildByStrategy() admission.Interface {
 	}
 }
 
-var (
-	buildsResource       = buildapi.Resource("builds")
-	buildConfigsResource = buildapi.Resource("buildconfigs")
-)
-
 func (a *buildByStrategy) Admit(attr admission.Attributes) error {
-	if resource := attr.GetResource().GroupResource(); resource != buildsResource && resource != buildConfigsResource {
+	gr := attr.GetResource().GroupResource()
+	if !buildapi.IsResourceOrLegacy("buildconfigs", gr) && !buildapi.IsResourceOrLegacy("builds", gr) {
 		return nil
 	}
 	// Explicitly exclude the builds/details subresource because it's only
 	// updating commit info and cannot change build type.
-	if attr.GetResource().GroupResource() == buildsResource && attr.GetSubresource() == "details" {
+	if buildapi.IsResourceOrLegacy("builds", gr) && attr.GetSubresource() == "details" {
 		return nil
 	}
 	switch obj := attr.GetObject().(type) {
@@ -134,14 +130,15 @@ func (a *buildByStrategy) checkBuildConfigAuthorization(buildConfig *buildapi.Bu
 }
 
 func (a *buildByStrategy) checkBuildRequestAuthorization(req *buildapi.BuildRequest, attr admission.Attributes) error {
-	switch attr.GetResource().GroupResource() {
-	case buildsResource:
+	gr := attr.GetResource().GroupResource()
+	switch {
+	case buildapi.IsResourceOrLegacy("builds", gr):
 		build, err := a.client.Builds(attr.GetNamespace()).Get(req.Name)
 		if err != nil {
 			return admission.NewForbidden(attr, err)
 		}
 		return a.checkBuildAuthorization(build, attr)
-	case buildConfigsResource:
+	case buildapi.IsResourceOrLegacy("buildconfigs", gr):
 		build, err := a.client.BuildConfigs(attr.GetNamespace()).Get(req.Name)
 		if err != nil {
 			return admission.NewForbidden(attr, err)
@@ -157,8 +154,22 @@ func (a *buildByStrategy) checkAccess(strategy buildapi.BuildStrategy, subjectAc
 	if err != nil {
 		return admission.NewForbidden(attr, err)
 	}
+	// If not allowed, try to check against the legacy resource
+	// FIXME: Remove this when the legacy API is deprecated
 	if !resp.Allowed {
-		return notAllowed(strategy, attr)
+		obj, err := kapi.Scheme.DeepCopy(subjectAccessReview)
+		if err != nil {
+			return admission.NewForbidden(attr, err)
+		}
+		legacySar := obj.(*authorizationapi.LocalSubjectAccessReview)
+		legacySar.Action.Group = ""
+		resp, err := a.client.LocalSubjectAccessReviews(attr.GetNamespace()).Create(legacySar)
+		if err != nil {
+			return admission.NewForbidden(attr, err)
+		}
+		if !resp.Allowed {
+			return notAllowed(strategy, attr)
+		}
 	}
 	return nil
 }

pkg/cmd/admin/migrate/migrator.go

@@ -153,6 +153,15 @@ func (o *ResourceOptions) Complete(f *clientcmd.Factory, c *cobra.Command) error
 		}
 		exclude := sets.NewString()
 		for _, gr := range o.DefaultExcludes {
+			if len(o.OverlappingResources) > 0 {
+				for _, others := range o.OverlappingResources {
+					if !others.Has(gr.String()) {
+						continue
+					}
+					exclude.Insert(others.List()...)
+					break
+				}
+			}
 			exclude.Insert(gr.String())
 		}
 		candidate := sets.NewString()
@@ -173,6 +182,9 @@ func (o *ResourceOptions) Complete(f *clientcmd.Factory, c *cobra.Command) error
 					if !others.Has(k) {
 						continue
 					}
+					// TODO: the order here is not deterministic, due to the fact that StringSet is
+					// using map under the covers, so you may end up with a different resource being
+					// used each time
 					reduce = others.List()[0]
 					break
 				}

pkg/cmd/admin/migrate/storage/storage.go

@@ -68,23 +68,89 @@ func NewCmdMigrateAPIStorage(name, fullName string, f *clientcmd.Factory, in io.
 
 			Include: []string{"*"},
 			DefaultExcludes: []unversioned.GroupResource{
+				// openshift resources:
 				{Resource: "appliedclusterresourcequotas"},
-				{Resource: "bindings"},
-				{Resource: "deploymentconfigrollbacks"},
-				{Resource: "events"},
 				{Resource: "imagestreamimages"}, {Resource: "imagestreamtags"}, {Resource: "imagestreammappings"}, {Resource: "imagestreamimports"},
 				{Resource: "projectrequests"}, {Resource: "projects"},
-				{Resource: "componentstatuses"},
 				{Resource: "clusterrolebindings"}, {Resource: "rolebindings"},
 				{Resource: "clusterroles"}, {Resource: "roles"},
 				{Resource: "resourceaccessreviews"}, {Resource: "localresourceaccessreviews"}, {Resource: "subjectaccessreviews"},
 				{Resource: "selfsubjectrulesreviews"}, {Resource: "localsubjectaccessreviews"},
+				{Resource: "useridentitymappings"},
+				{Resource: "podsecuritypolicyreviews"}, {Resource: "podsecuritypolicyselfsubjectreviews"}, {Resource: "podsecuritypolicysubjectreviews"},
+
+				// kubernetes resources:
+				{Resource: "bindings"},
+				{Resource: "deploymentconfigrollbacks"},
+				{Resource: "events"},
+				{Resource: "componentstatuses"},
 				{Resource: "replicationcontrollerdummies.extensions"},
 				{Resource: "podtemplates"},
-				{Resource: "useridentitymappings"},
+				{Resource: "selfsubjectaccessreviews", Group: "authorization.k8s.io"}, {Resource: "localsubjectaccessreviews", Group: "authorization.k8s.io"},
 			},
 			// Resources known to share the same storage
 			OverlappingResources: []sets.String{
+				// openshift resources:
+				sets.NewString("deploymentconfigs.apps.openshift.io", "deploymentconfigs"),
+
+				sets.NewString("clusterpolicies.authorization.openshift.io", "clusterpolicies"),
+				sets.NewString("clusterpolicybindings.authorization.openshift.io", "clusterpolicybindings"),
+				sets.NewString("clusterrolebindings.authorization.openshift.io", "clusterrolebindings"),
+				sets.NewString("clusterroles.authorization.openshift.io", "clusterroles"),
+				sets.NewString("localresourceaccessreviews.authorization.openshift.io", "localresourceaccessreviews"),
+				sets.NewString("localsubjectaccessreviews.authorization.openshift.io", "localsubjectaccessreviews"),
+				sets.NewString("policies.authorization.openshift.io", "policies"),
+				sets.NewString("policybindings.authorization.openshift.io", "policybindings"),
+				sets.NewString("resourceaccessreviews.authorization.openshift.io", "resourceaccessreviews"),
+				sets.NewString("rolebindingrestrictions.authorization.openshift.io", "rolebindingrestrictions"),
+				sets.NewString("rolebindings.authorization.openshift.io", "rolebindings"),
+				sets.NewString("roles.authorization.openshift.io", "roles"),
+				sets.NewString("selfsubjectrulesreviews.authorization.openshift.io", "selfsubjectrulesreviews"),
+				sets.NewString("subjectaccessreviews.authorization.openshift.io", "subjectaccessreviews"),
+				sets.NewString("subjectrulesreviews.authorization.openshift.io", "subjectrulesreviews"),
+
+				sets.NewString("builds.build.openshift.io", "builds"),
+				sets.NewString("buildconfigs.build.openshift.io", "buildconfigs"),
+
+				sets.NewString("images.image.openshift.io", "images"),
+				sets.NewString("imagesignatures.image.openshift.io", "imagesignatures"),
+				sets.NewString("imagestreamimages.image.openshift.io", "imagestreamimages"),
+				sets.NewString("imagestreamimports.image.openshift.io", "imagestreamimports"),
+				sets.NewString("imagestreammappings.image.openshift.io", "imagestreammappings"),
+				sets.NewString("imagestreams.image.openshift.io", "imagestreams"),
+				sets.NewString("imagestreamtags.image.openshift.io", "imagestreamtags"),
+
+				sets.NewString("clusternetworks.network.openshift.io", "clusternetworks"),
+				sets.NewString("egressnetworkpolicies.network.openshift.io", "egressnetworkpolicies"),
+				sets.NewString("hostsubnets.network.openshift.io", "hostsubnets"),
+				sets.NewString("netnamespaces.network.openshift.io", "netnamespaces"),
+
+				sets.NewString("oauthaccesstokens.oauth.openshift.io", "oauthaccesstokens"),
+				sets.NewString("oauthauthorizetokens.oauth.openshift.io", "oauthauthorizetokens"),
+				sets.NewString("oauthclientauthorizations.oauth.openshift.io", "oauthclientauthorizations"),
+				sets.NewString("oauthclients.oauth.openshift.io", "oauthclients"),
+
+				sets.NewString("projectrequests.project.openshift.io", "projectrequests"),
+				sets.NewString("projects.project.openshift.io", "projects"),
+
+				sets.NewString("appliedclusterresourcequotas.quota.openshift.io", "appliedclusterresourcequotas"),
+				sets.NewString("clusterresourcequotas.quota.openshift.io", "clusterresourcequotas"),
+
+				sets.NewString("routes.route.openshift.io", "routes"),
+
+				sets.NewString("podsecuritypolicyreviews.security.openshift.io", "podsecuritypolicyreviews"),
+				sets.NewString("podsecuritypolicyselfsubjectreviews.security.openshift.io", "podsecuritypolicyselfsubjectreviews"),
+				sets.NewString("podsecuritypolicysubjectreviews.security.openshift.io", "podsecuritypolicysubjectreviews"),
+
+				sets.NewString("processedtemplates.template.openshift.io", "processedtemplates"),
+				sets.NewString("templates.template.openshift.io", "templates"),
+
+				sets.NewString("groups.user.openshift.io", "groups"),
+				sets.NewString("identities.user.openshift.io", "identities"),
+				sets.NewString("useridentitymappings.user.openshift.io", "useridentitymappings"),
+				sets.NewString("users.user.openshift.io", "users"),
+
+				// kubernetes resources:
 				sets.NewString("horizontalpodautoscalers.autoscaling", "horizontalpodautoscalers.extensions"),
 				sets.NewString("jobs.batch", "jobs.extensions"),
 			},

pkg/cmd/admin/registry/registry.go

@@ -436,6 +436,7 @@ func (opts *RegistryOptions) RunCmdRegistry() error {
 
 	if opts.Config.Action.ShouldPrint() {
 		mapper, _ := opts.factory.Object()
+		opts.cmd.Flag("output-version").Value.Set("extensions/v1beta1,v1")
 		fn := cmdutil.VersionedPrintObject(opts.factory.PrintObject, opts.cmd, mapper, opts.out)
 		if err := fn(list); err != nil {
 			return fmt.Errorf("unable to print object: %v", err)

pkg/cmd/cli/cmd/process.go

@@ -315,6 +315,8 @@ func RunProcess(f *clientcmd.Factory, in io.Reader, out, errout io.Writer, cmd *
 	if err != nil {
 		return err
 	}
+	// Prefer the Kubernetes core group for the List over the template.openshift.io
+	version.Group = kapi.GroupName
 	p = kubectl.NewVersionedPrinter(p, kapi.Scheme, version)
 
 	// use generic output

pkg/cmd/cli/describe/deployments.go

@@ -269,7 +269,8 @@ func printDeploymentConfigSpec(kc kclientset.Interface, dc deployapi.DeploymentC
 	}
 
 	// Autoscaling info
-	printAutoscalingInfo(deployapi.Resource("DeploymentConfig"), dc.Namespace, dc.Name, kc, w)
+	// FIXME: The CrossVersionObjectReference should specify the Group
+	printAutoscalingInfo([]unversioned.GroupResource{deployapi.Resource("DeploymentConfig"), deployapi.LegacyResource("DeploymentConfig")}, dc.Namespace, dc.Name, kc, w)
 
 	// Triggers
 	printTriggers(spec.Triggers, w)
@@ -290,16 +291,18 @@ func printDeploymentConfigSpec(kc kclientset.Interface, dc deployapi.DeploymentC
 }
 
 // TODO: Move this upstream
-func printAutoscalingInfo(res unversioned.GroupResource, namespace, name string, kclient kclientset.Interface, w *tabwriter.Writer) {
+func printAutoscalingInfo(res []unversioned.GroupResource, namespace, name string, kclient kclientset.Interface, w *tabwriter.Writer) {
 	hpaList, err := kclient.Autoscaling().HorizontalPodAutoscalers(namespace).List(kapi.ListOptions{LabelSelector: labels.Everything()})
 	if err != nil {
 		return
 	}
 
 	scaledBy := []autoscaling.HorizontalPodAutoscaler{}
 	for _, hpa := range hpaList.Items {
-		if hpa.Spec.ScaleTargetRef.Name == name && hpa.Spec.ScaleTargetRef.Kind == res.String() {
-			scaledBy = append(scaledBy, hpa)
+		for _, r := range res {
+			if hpa.Spec.ScaleTargetRef.Name == name && hpa.Spec.ScaleTargetRef.Kind == r.String() {
+				scaledBy = append(scaledBy, hpa)
+			}
 		}
 	}
 

pkg/cmd/cli/describe/describer.go

@@ -36,7 +36,7 @@ import (
 	userapi "github.com/openshift/origin/pkg/user/api"
 )
 
-func describerMap(c *client.Client, kclient kclientset.Interface, host string) map[unversioned.GroupKind]kctl.Describer {
+func describerMap(c *client.Client, kclient kclientset.Interface, host string, withCoreGroup bool) map[unversioned.GroupKind]kctl.Describer {
 	m := map[unversioned.GroupKind]kctl.Describer{
 		buildapi.Kind("Build"):                          &BuildDescriber{c, kclient},
 		buildapi.Kind("BuildConfig"):                    &BuildConfigDescriber{c, kclient, host},
@@ -69,6 +69,18 @@ func describerMap(c *client.Client, kclient kclientset.Interface, host string) m
 		sdnapi.Kind("EgressNetworkPolicy"):              &EgressNetworkPolicyDescriber{c},
 		authorizationapi.Kind("RoleBindingRestriction"): &RoleBindingRestrictionDescriber{c},
 	}
+
+	// Register the legacy ("core") API group for all kinds as well.
+	if withCoreGroup {
+		for _, t := range kapi.Scheme.KnownTypes(oapi.SchemeGroupVersion) {
+			coreKind := oapi.SchemeGroupVersion.WithKind(t.Name())
+			for g, d := range m {
+				if g.Kind == coreKind.Kind {
+					m[oapi.Kind(g.Kind)] = d
+				}
+			}
+		}
+	}
 	return m
 }
 
@@ -77,7 +89,7 @@ func DescribableResources() []string {
 	// Include describable resources in kubernetes
 	keys := kctl.DescribableResources()
 
-	for k := range describerMap(nil, nil, "") {
+	for k := range describerMap(nil, nil, "", false) {
 		resource := strings.ToLower(k.Kind)
 		keys = append(keys, resource)
 	}
@@ -86,7 +98,7 @@ func DescribableResources() []string {
 
 // DescriberFor returns a describer for a given kind of resource
 func DescriberFor(kind unversioned.GroupKind, c *client.Client, kclient kclientset.Interface, host string) (kctl.Describer, bool) {
-	f, ok := describerMap(c, kclient, host)[kind]
+	f, ok := describerMap(c, kclient, host, true)[kind]
 	if ok {
 		return f, true
 	}

pkg/cmd/server/bootstrappolicy/infra_sa_policy.go

@@ -14,6 +14,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/sets"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	buildapi "github.com/openshift/origin/pkg/build/api"
 )
 
 const (
@@ -158,6 +159,7 @@ func init() {
 				{
 					Verbs:     sets.NewString("create"),
 					Resources: sets.NewString("builds/docker", "builds/source", "builds/custom", "builds/jenkinspipeline"),
+					APIGroups: []string{buildapi.GroupName, buildapi.LegacyGroupName},
 				},
 				// BuildController.ImageStreamClient (ControllerClient)
 				{