Changes

Summary

UPSTREAM: 48480: Ensure namespace exists as part of RBAC reconciliation (commit: 70ec58f) (details)
Cleanup: Check for error conditions in aggregator (commit: e668952) (details)
Cleanup: Remove custom code and use available utility code (commit: f5388b3) (details)
Cleanup: Move conversion function (commit: 9811649) (details)
UPSTREAM: 50639: Extend SetHeader Requests method ito accept multiple (commit: 230db26) (details)
Proxy {Cluster}Role{Binding}s to Native Kube RBAC (commit: c96408a) (details)
Use dynamic error wrapper on proxied endpoints (commit: f080a1b) (details)
UPSTREAM: 50702: Allow injection of policy in RBAC post start hook (commit: 1bb9a94) (details)
Bootstrap Origin policies in post start hook (commit: d278ea6) (details)
Version gate legacy oc commands to < 3.7 (commit: acd6597) (details)
UPSTREAM: 50710: Refactor RBAC authorizer entry points (commit: c7d2994) (details)
Change authorizer to use Kubernetes facilities (commit: a94e0db) (details)
UPSTREAM: 49902: Allow update to GC fields for RBAC resources (commit: f0704fd) (details)
Update admission to use moved GC helper (commit: 8cf692d) (details)
flakes fixes (commit: c51da07) (details)
test/cmd fixes (commit: 806d7be) (details)
(re)generated stuff (commit: be05ce5) (details)
Handle reconciliation annotation during conversion (commit: 33c4fc3) (details)

Commit 70ec58fe94923d8eba45fdeaa7abea147576086a by Mo Khan UPSTREAM: 48480: Ensure namespace exists as part of RBAC reconciliation (commit: 70ec58f)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/BUILD (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/BUILD (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/rolebinding_interfaces.go (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/role_interfaces.go (diff)
Commit e668952035457eea54b7e213c9f8c25a4f1aa8b3 by Mo Khan Cleanup: Check for error conditions in aggregator Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: e668952)
	pkg/cmd/server/origin/aggregator.go (diff)
Commit f5388b3d637be61e5f4a91160fb32ca07fa9a1a9 by Mo Khan Cleanup: Remove custom code and use available utility code (commit: f5388b3)
	pkg/auth/client/impersonate.go (diff)
Commit 9811649a41cc32973772f0385d93ffdbab7882ed by Mo Khan Cleanup: Move conversion function Put it into a utility package for reusability, we'll need it in other places in the next few commits Signed-off-by: Simo Sorce <simo@redhat.com> (commit: 9811649)
	pkg/authorization/controller/authorizationsync/normalize.go (diff)
	pkg/authorization/util/convert/convert.go
Commit 230db262377e202d91526309ea8733713dbe5e42 by Mo Khan UPSTREAM: 50639: Extend SetHeader Requests method ito accept multiple values This allows to set headers that are multivalued directly. The headers variable is not directly accessible and currently SetHeaders allows to set only one value. Signed-off-by: Simo Sorce <simo@redhat.com> (commit: 230db26)
	vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/request.go (diff)
Commit c96408ab5367af82333157f20226efc7f230ff36 by Mo Khan Proxy {Cluster}Role{Binding}s to Native Kube RBAC Store them as native RBAC Objects via Kubernetes. Also: - Provides backwards compatible Openshift API. - Kills Policy Sync Controller - Removes init of PolicyRegistry - Move helpers closer to their users - Remove TestRBACController - Remove tests that check only PolicyBindings related stuff - hack around TestAuthorizationResolution Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: c96408a)
	pkg/authorization/controller/authorizationsync/origin_to_rbac_role_controller_test.go
	pkg/authorization/registry/clusterrolebinding/registry_test.go
	test/integration/restrictusers_test.go (diff)
	pkg/authorization/controller/authorizationsync/origin_to_rbac_clusterrolebinding_controller_test.go
	pkg/authorization/controller/authorizationsync/origin_to_rbac_clusterrolebinding_controller.go
	pkg/authorization/registry/rolebinding/proxy.go
	pkg/authorization/registry/clusterrole/proxy.go
	pkg/authorization/registry/role/proxy.go
	pkg/authorization/util/convert/convert.go
	test/extended/templates/templateinstance_impersonation.go (diff)
	pkg/authorization/registry/util/convert.go
	pkg/authorization/util/util.go (diff)
	pkg/authorization/controller/authorizationsync/generic.go
	pkg/authorization/controller/authorizationsync/origin_to_rbac_role_controller.go
	pkg/cmd/server/origin/controller/security.go
	pkg/auth/client/impersonate_rbac.go
	pkg/authorization/controller/authorizationsync/normalize.go
	pkg/cmd/server/origin/controller/config.go (diff)
	pkg/authorization/controller/authorizationsync/generic_test.go
	pkg/auth/client/impersonate.go (diff)
	pkg/authorization/registry/util/normalize.go
	test/integration/authorization_test.go (diff)
	test/integration/project_request_test.go (diff)
	pkg/cmd/server/origin/master_config.go (diff)
	pkg/project/registry/projectrequest/delegated/delegated_test.go
	pkg/authorization/controller/authorizationsync/origin_to_rbac_clusterrole_controller_test.go
	pkg/cmd/server/admin/overwrite_bootstrappolicy.go (diff)
	pkg/authorization/controller/authorizationsync/origin_to_rbac_clusterrole_controller.go
	pkg/oc/admin/migrate/authorization/authorization.go (diff)
	pkg/authorization/controller/authorizationsync/origin_to_rbac_rolebinding_controller_test.go
	pkg/authorization/registry/clusterrole/registry_test.go
	test/integration/etcd_storage_path_test.go (diff)
	pkg/authorization/controller/authorizationsync/origin_to_rbac_rolebinding_controller.go
	test/integration/rbac_controller_test.go
	pkg/authorization/registry/clusterrolebinding/proxy.go
	pkg/cmd/server/origin/storage.go (diff)
Commit f080a1ba71f1dfa56739198d7cdd4cced2ecbab6 by Mo Khan Use dynamic error wrapper on proxied endpoints Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: f080a1b)
	pkg/authorization/registry/clusterrole/proxy.go (diff)
	pkg/util/errors/wrapper_test.go
	pkg/authorization/registry/clusterrolebinding/proxy.go (diff)
	pkg/authorization/registry/role/proxy.go (diff)
	pkg/authorization/registry/rolebinding/proxy.go (diff)
	pkg/util/errors/wrapper.go
	pkg/util/registry/wrapper.go
Commit 1bb9a94474758106340e49c94f1784d22916e6c0 by Mo Khan UPSTREAM: 50702: Allow injection of policy in RBAC post start hook This change allows the RBAC PostStartHook logic to be reused with different policy data when bootstrapping the cluster. Thus any changes to the bootstrap logic are separated from the policy data. Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: 1bb9a94)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go (diff)
Commit d278ea6229e29c459c0775736fa2271f640cf21e by Mo Khan Bootstrap Origin policies in post start hook As we now use K8s' Rbac we need to bootstrap Origin's own additional policies into kube's rbac objects. Also: - Push conversions one step toward the edges - Fix conversion and dont make policy.json - delete TestBootstrapPolicyOverwritePolicyCommand for now Signed-off-by: Monis Khan <mkhan@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com> (commit: d278ea6)
	pkg/cmd/server/bootstrappolicy/web_console_role_test.go (diff)
	pkg/oc/admin/policy/reconcile_clusterrolebindings.go (diff)
	pkg/cmd/server/start/start_master.go (diff)
	pkg/cmd/server/bootstrappolicy/all.go
	hack/lib/start.sh (diff)
	pkg/cmd/server/bootstrappolicy/dead.go (diff)
	pkg/cmd/server/origin/ensure.go (diff)
	pkg/cmd/server/bootstrappolicy/old_policy_test.go
	pkg/cmd/server/bootstrappolicy/policy.go (diff)
	pkg/cmd/server/bootstrappolicy/controller_policy.go (diff)
	pkg/cmd/server/bootstrappolicy/policy_test.go (diff)
	test/integration/bootstrap_policy_test.go (diff)
	test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml (diff)
	pkg/cmd/server/origin/master.go (diff)
	test/integration/master_routes_test.go (diff)
	pkg/oc/admin/policy/reconcile_clusterroles.go (diff)
	test/testdata/bootstrappolicy/bootstrap_openshift_roles.yaml (diff)
	test/util/server/server.go (diff)
	pkg/cmd/server/admin/create_bootstrappolicy_file.go (diff)
	pkg/cmd/server/api/validation/master.go (diff)
Commit acd6597cd420914ef60b05de4e69cf1b0fae08c4 by Mo Khan Version gate legacy oc commands to < 3.7 The following commands were version gated: - oc create policybinding - oc adm overwrite-policy - oc adm migrate authorization This is because in 3.7 we will store only k8s.io RBAC objects and not the Origin Policy Objects. All of the gated commands assume the presence of policy objects, and thus it does not make sense to let users run these against newer clusters. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: acd6597)
	pkg/oc/admin/admin.go (diff)
	pkg/cmd/util/clientcmd/gating.go
	pkg/oc/cli/cmd/create/policy_binding.go (diff)
	pkg/cmd/server/admin/overwrite_bootstrappolicy.go (diff)
	pkg/oc/admin/migrate/authorization/authorization.go (diff)
Commit c7d2994db4a4dbe0ef3ea42e05c6a79d6fe5fd08 by Mo Khan UPSTREAM: 50710: Refactor RBAC authorizer entry points This change refactors various RBAC authorizer functions to be more flexible in their inputs. This makes it easier to reuse the various components that make up the authorizer. Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: c7d2994)
	vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/subject_locator.go (diff)
	vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/rbac.go (diff)
	vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config.go (diff)
Commit a94e0db72459c5963eb474acf0dc31ae1eb72486 by Mo Khan Change authorizer to use Kubernetes facilities - Origin Authorizer now a thin wrapper around k8s Rbac Authorizer - Remove redundant authorizer tests Now that we delegate nearly 100% of the authorizer work to the upstream Rbac authorizer these tests are basically redundant, as upstream already has its battery of tests. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: a94e0db)
	pkg/authorization/authorizer/scope/converter_test.go (diff)
	pkg/authorization/registry/localresourceaccessreview/rest_test.go (diff)
	pkg/authorization/apis/authorization/conversion.go (diff)
	pkg/authorization/apis/authorization/types.go (diff)
	pkg/cmd/server/origin/master_config.go (diff)
	pkg/authorization/registry/resourceaccessreview/rest.go (diff)
	pkg/authorization/registry/subjectaccessreview/rest.go (diff)
	pkg/authorization/registry/util/attributes.go
	pkg/project/registry/projectrequest/delegated/delegated.go (diff)
	test/integration/authorization_test.go (diff)
	pkg/authorization/authorizer/scope/authorizer.go (diff)
	pkg/authorization/authorizer/non_resource_match_test.go
	pkg/authorization/authorizer/subjects_test.go
	pkg/authorization/authorizer/authorizer_test.go
	pkg/authorization/registry/resourceaccessreview/rest_test.go (diff)
	pkg/authorization/authorizer/bootstrap_policy_test.go
	pkg/project/auth/cache_test.go (diff)
	pkg/project/registry/project/proxy/proxy.go (diff)
	pkg/cmd/server/origin/storage.go (diff)
	pkg/authorization/registry/subjectaccessreview/rest_test.go (diff)
	pkg/authorization/registry/localsubjectaccessreview/rest_test.go (diff)
	pkg/authorization/registry/selfsubjectrulesreview/storage.go (diff)
	pkg/authorization/authorizer/authorizer.go (diff)
	pkg/cmd/server/origin/openshift_apiserver.go (diff)
	pkg/authorization/authorizer/scope/converter.go (diff)
	pkg/authorization/registry/subjectrulesreview/storage.go (diff)
	pkg/authorization/authorizer/attributes.go
	pkg/project/auth/cache.go (diff)
	pkg/cmd/server/origin/client_adapters.go
Commit f0704fdc7c9cbc89b107e8c2e2082973a4cb2e56 by Mo Khan UPSTREAM: 49902: Allow update to GC fields for RBAC resources This change makes it so that no escalation check is performed when updating only the garbage collector fields (owner references and finalizers) of RBAC resources. This allows the garbage collector to delete roles that grant permissions such as "create", which it will never have. Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: f0704fd)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/helpers.go
	vendor/k8s.io/kubernetes/pkg/registry/rbac/BUILD (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/storage.go (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/storage.go (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/BUILD (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/helpers_test.go
	vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/BUILD (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/BUILD (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/storage.go (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/BUILD (diff)
	vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/storage.go (diff)
Commit 8cf692d3a2bcdcf13636ec350f6db7ff2c6ee0ba by Mo Khan Update admission to use moved GC helper Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: 8cf692d)
	pkg/security/admission/admission.go (diff)
	pkg/template/registry/templateinstance/strategy.go (diff)
	pkg/cmd/server/admission/helpers.go
	pkg/cmd/server/admission/helpers_test.go
	pkg/build/admission/strategyrestrictions/admission.go (diff)
Commit c51da07cef83204c542dec0504908370c16fc7da by Mo Khan flakes fixes - Increase timeout to avoid TestGCDefault flaking Locally raising timeout from 1 to 2 seconds made the test always pass, as opposed to always fail. - Make TestOadmPodNetwork less flakey Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: c51da07)
	test/integration/gc_default_test.go (diff)
Commit 806d7be96585ae004c8de7421083add8a1360f89 by Mo Khan test/cmd fixes - Fix test/cmd/admin.sh - Fix images-old-policy - Fix test/cmd/policy.sh - Temp fix for test/cmd/router.sh Signed-off-by: Monis Khan <mkhan@redhat.com> (commit: 806d7be)
	test/cmd/images-old-policy.sh (diff)
	test/cmd/policy.sh (diff)
	test/extended/testdata/roles/policy-roles.yaml (diff)
	test/testdata/bootstrappolicy/cluster_admin_without_apigroups.yaml (diff)
	test/cmd/admin.sh (diff)
	pkg/oc/admin/router/router.go (diff)
Commit be05ce5c13e520060a4f7142bc491271624885e4 by Mo Khan (re)generated stuff (commit: be05ce5)
	test/extended/testdata/bindata.go (diff)
	api/swagger-spec/oapi-v1.json (diff)
	api/swagger-spec/openshift-openapi-spec.json (diff)
Commit 33c4fc3243a8ee694549a6f4f3b6db5ab035fe29 by Mo Khan Handle reconciliation annotation during conversion Signed-off-by: Simo Sorce <simo@redhat.com> (commit: 33c4fc3)
	pkg/authorization/apis/authorization/conversion_test.go (diff)
	pkg/authorization/apis/authorization/conversion.go (diff)
	test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml (diff)