Success

Changes

Summary

  1. UPSTREAM: 48480: Ensure namespace exists as part of RBAC reconciliation (commit: 70ec58f)
  2. Cleanup: Check for error conditions in aggregator (commit: e668952)
  3. Cleanup: Remove custom code and use available utility code (commit: f5388b3)
  4. Cleanup: Move conversion function (commit: 9811649)
  5. UPSTREAM: 50639: Extend SetHeader Requests method to accept multiple values (commit: 230db26)
  6. Proxy {Cluster}Role{Binding}s to Native Kube RBAC (commit: c96408a)
  7. Use dynamic error wrapper on proxied endpoints (commit: f080a1b)
  8. UPSTREAM: 50702: Allow injection of policy in RBAC post start hook (commit: 1bb9a94)
  9. Bootstrap Origin policies in post start hook (commit: d278ea6)
  10. Version gate legacy oc commands to < 3.7 (commit: acd6597)
  11. UPSTREAM: 50710: Refactor RBAC authorizer entry points (commit: c7d2994)
  12. Change authorizer to use Kubernetes facilities (commit: a94e0db)
  13. UPSTREAM: 49902: Allow update to GC fields for RBAC resources (commit: f0704fd)
  14. Update admission to use moved GC helper (commit: 8cf692d)
  15. flakes fixes (commit: c51da07)
  16. test/cmd fixes (commit: 806d7be)
  17. (re)generated stuff (commit: be05ce5)
  18. Handle reconciliation annotation during conversion (commit: 33c4fc3)
Commit 70ec58fe94923d8eba45fdeaa7abea147576086a by Mo Khan
UPSTREAM: 48480: Ensure namespace exists as part of RBAC reconciliation
(commit: 70ec58f)
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/BUILD
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/BUILD
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/rolebinding_interfaces.go
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation/role_interfaces.go
Commit e668952035457eea54b7e213c9f8c25a4f1aa8b3 by Mo Khan
Cleanup: Check for error conditions in aggregator
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: e668952)
The file was modified pkg/cmd/server/origin/aggregator.go
Commit f5388b3d637be61e5f4a91160fb32ca07fa9a1a9 by Mo Khan
Cleanup: Remove custom code and use available utility code
(commit: f5388b3)
The file was modified pkg/auth/client/impersonate.go
Commit 9811649a41cc32973772f0385d93ffdbab7882ed by Mo Khan
Cleanup: Move conversion function
Put it into a utility package for reusability, we'll need it in other
places in the next few commits
Signed-off-by: Simo Sorce <simo@redhat.com>
(commit: 9811649)
The file was modified pkg/authorization/controller/authorizationsync/normalize.go
The file was added pkg/authorization/util/convert/convert.go
Commit 230db262377e202d91526309ea8733713dbe5e42 by Mo Khan
UPSTREAM: 50639: Extend SetHeader Requests method to accept multiple values
This allows setting headers that are multivalued directly. The headers
variable is not directly accessible and currently SetHeaders allows
setting only one value.
Signed-off-by: Simo Sorce <simo@redhat.com>
(commit: 230db26)
The file was modified vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/request.go
Commit c96408ab5367af82333157f20226efc7f230ff36 by Mo Khan
Proxy {Cluster}Role{Binding}s to Native Kube RBAC
Store them as native RBAC Objects via Kubernetes. Also:
- Provides backwards compatible Openshift API.
- Kills Policy Sync Controller
- Removes init of PolicyRegistry
- Move helpers closer to their users
- Remove TestRBACController
- Remove tests that check only PolicyBindings related stuff
- hack around TestAuthorizationResolution
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: c96408a)
The file was removed pkg/authorization/controller/authorizationsync/origin_to_rbac_role_controller_test.go
The file was removed pkg/authorization/registry/clusterrolebinding/registry_test.go
The file was modified test/integration/restrictusers_test.go
The file was removed pkg/authorization/controller/authorizationsync/origin_to_rbac_clusterrolebinding_controller_test.go
The file was removed pkg/authorization/controller/authorizationsync/origin_to_rbac_clusterrolebinding_controller.go
The file was added pkg/authorization/registry/rolebinding/proxy.go
The file was added pkg/authorization/registry/clusterrole/proxy.go
The file was added pkg/authorization/registry/role/proxy.go
The file was removed pkg/authorization/util/convert/convert.go
The file was modified test/extended/templates/templateinstance_impersonation.go
The file was added pkg/authorization/registry/util/convert.go
The file was modified pkg/authorization/util/util.go
The file was removed pkg/authorization/controller/authorizationsync/generic.go
The file was removed pkg/authorization/controller/authorizationsync/origin_to_rbac_role_controller.go
The file was removed pkg/cmd/server/origin/controller/security.go
The file was added pkg/auth/client/impersonate_rbac.go
The file was removed pkg/authorization/controller/authorizationsync/normalize.go
The file was modified pkg/cmd/server/origin/controller/config.go
The file was removed pkg/authorization/controller/authorizationsync/generic_test.go
The file was modified pkg/auth/client/impersonate.go
The file was added pkg/authorization/registry/util/normalize.go
The file was modified test/integration/authorization_test.go
The file was modified test/integration/project_request_test.go
The file was modified pkg/cmd/server/origin/master_config.go
The file was removed pkg/project/registry/projectrequest/delegated/delegated_test.go
The file was removed pkg/authorization/controller/authorizationsync/origin_to_rbac_clusterrole_controller_test.go
The file was modified pkg/cmd/server/admin/overwrite_bootstrappolicy.go
The file was removed pkg/authorization/controller/authorizationsync/origin_to_rbac_clusterrole_controller.go
The file was modified pkg/oc/admin/migrate/authorization/authorization.go
The file was removed pkg/authorization/controller/authorizationsync/origin_to_rbac_rolebinding_controller_test.go
The file was removed pkg/authorization/registry/clusterrole/registry_test.go
The file was modified test/integration/etcd_storage_path_test.go
The file was removed pkg/authorization/controller/authorizationsync/origin_to_rbac_rolebinding_controller.go
The file was removed test/integration/rbac_controller_test.go
The file was added pkg/authorization/registry/clusterrolebinding/proxy.go
The file was modified pkg/cmd/server/origin/storage.go
Commit f080a1ba71f1dfa56739198d7cdd4cced2ecbab6 by Mo Khan
Use dynamic error wrapper on proxied endpoints
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: f080a1b)
The file was modified pkg/authorization/registry/clusterrole/proxy.go
The file was added pkg/util/errors/wrapper_test.go
The file was modified pkg/authorization/registry/clusterrolebinding/proxy.go
The file was modified pkg/authorization/registry/role/proxy.go
The file was modified pkg/authorization/registry/rolebinding/proxy.go
The file was added pkg/util/errors/wrapper.go
The file was added pkg/util/registry/wrapper.go
Commit 1bb9a94474758106340e49c94f1784d22916e6c0 by Mo Khan
UPSTREAM: 50702: Allow injection of policy in RBAC post start hook
This change allows the RBAC PostStartHook logic to be reused with
different policy data when bootstrapping the cluster.  Thus any changes
to the bootstrap logic are separated from the policy data.
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: 1bb9a94)
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/rest/storage_rbac.go
Commit d278ea6229e29c459c0775736fa2271f640cf21e by Mo Khan
Bootstrap Origin policies in post start hook
As we now use K8s' Rbac we need to bootstrap Origin's own additional
policies into kube's rbac objects. Also:
- Push conversions one step toward the edges
- Fix conversion and don't make policy.json
- delete TestBootstrapPolicyOverwritePolicyCommand for now
Signed-off-by: Monis Khan <mkhan@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
(commit: d278ea6)
The file was modified pkg/cmd/server/bootstrappolicy/web_console_role_test.go
The file was modified pkg/oc/admin/policy/reconcile_clusterrolebindings.go
The file was modified pkg/cmd/server/start/start_master.go
The file was added pkg/cmd/server/bootstrappolicy/all.go
The file was modified hack/lib/start.sh
The file was modified pkg/cmd/server/bootstrappolicy/dead.go
The file was modified pkg/cmd/server/origin/ensure.go
The file was removed pkg/cmd/server/bootstrappolicy/old_policy_test.go
The file was modified pkg/cmd/server/bootstrappolicy/policy.go
The file was modified pkg/cmd/server/bootstrappolicy/controller_policy.go
The file was modified pkg/cmd/server/bootstrappolicy/policy_test.go
The file was modified test/integration/bootstrap_policy_test.go
The file was modified test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
The file was modified pkg/cmd/server/origin/master.go
The file was modified test/integration/master_routes_test.go
The file was modified pkg/oc/admin/policy/reconcile_clusterroles.go
The file was modified test/testdata/bootstrappolicy/bootstrap_openshift_roles.yaml
The file was modified test/util/server/server.go
The file was modified pkg/cmd/server/admin/create_bootstrappolicy_file.go
The file was modified pkg/cmd/server/api/validation/master.go
Commit acd6597cd420914ef60b05de4e69cf1b0fae08c4 by Mo Khan
Version gate legacy oc commands to < 3.7
The following commands were version gated:
- oc create policybinding
- oc adm overwrite-policy
- oc adm migrate authorization
This is because in 3.7 we will store only k8s.io RBAC objects and not
the Origin Policy Objects.  All of the gated commands assume the
presence of policy objects, and thus it does not make sense to let users
run these against newer clusters.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: acd6597)
The file was modified pkg/oc/admin/admin.go
The file was added pkg/cmd/util/clientcmd/gating.go
The file was modified pkg/oc/cli/cmd/create/policy_binding.go
The file was modified pkg/cmd/server/admin/overwrite_bootstrappolicy.go
The file was modified pkg/oc/admin/migrate/authorization/authorization.go
Commit c7d2994db4a4dbe0ef3ea42e05c6a79d6fe5fd08 by Mo Khan
UPSTREAM: 50710: Refactor RBAC authorizer entry points
This change refactors various RBAC authorizer functions to be more
flexible in their inputs.  This makes it easier to reuse the various
components that make up the authorizer.
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: c7d2994)
The file was modified vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/subject_locator.go
The file was modified vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/rbac.go
The file was modified vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config.go
Commit a94e0db72459c5963eb474acf0dc31ae1eb72486 by Mo Khan
Change authorizer to use Kubernetes facilities
- Origin Authorizer now a thin wrapper around k8s Rbac Authorizer
- Remove redundant authorizer tests
Now that we delegate nearly 100% of the authorizer work to the
upstream Rbac authorizer these tests are basically redundant,
as upstream already has its battery of tests.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: a94e0db)
The file was modified pkg/authorization/authorizer/scope/converter_test.go
The file was modified pkg/authorization/registry/localresourceaccessreview/rest_test.go
The file was modified pkg/authorization/apis/authorization/conversion.go
The file was modified pkg/authorization/apis/authorization/types.go
The file was modified pkg/cmd/server/origin/master_config.go
The file was modified pkg/authorization/registry/resourceaccessreview/rest.go
The file was modified pkg/authorization/registry/subjectaccessreview/rest.go
The file was added pkg/authorization/registry/util/attributes.go
The file was modified pkg/project/registry/projectrequest/delegated/delegated.go
The file was modified test/integration/authorization_test.go
The file was modified pkg/authorization/authorizer/scope/authorizer.go
The file was removed pkg/authorization/authorizer/non_resource_match_test.go
The file was removed pkg/authorization/authorizer/subjects_test.go
The file was removed pkg/authorization/authorizer/authorizer_test.go
The file was modified pkg/authorization/registry/resourceaccessreview/rest_test.go
The file was removed pkg/authorization/authorizer/bootstrap_policy_test.go
The file was modified pkg/project/auth/cache_test.go
The file was modified pkg/project/registry/project/proxy/proxy.go
The file was modified pkg/cmd/server/origin/storage.go
The file was modified pkg/authorization/registry/subjectaccessreview/rest_test.go
The file was modified pkg/authorization/registry/localsubjectaccessreview/rest_test.go
The file was modified pkg/authorization/registry/selfsubjectrulesreview/storage.go
The file was modified pkg/authorization/authorizer/authorizer.go
The file was modified pkg/cmd/server/origin/openshift_apiserver.go
The file was modified pkg/authorization/authorizer/scope/converter.go
The file was modified pkg/authorization/registry/subjectrulesreview/storage.go
The file was removed pkg/authorization/authorizer/attributes.go
The file was modified pkg/project/auth/cache.go
The file was removed pkg/cmd/server/origin/client_adapters.go
Commit f0704fdc7c9cbc89b107e8c2e2082973a4cb2e56 by Mo Khan
UPSTREAM: 49902: Allow update to GC fields for RBAC resources
This change makes it so that no escalation check is performed when
updating only the garbage collector fields (owner references and
finalizers) of RBAC resources.  This allows the garbage collector to
delete roles that grant permissions such as "create", which it will
never have.
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: f0704fd)
The file was added vendor/k8s.io/kubernetes/pkg/registry/rbac/helpers.go
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/BUILD
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/storage.go
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/storage.go
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased/BUILD
The file was added vendor/k8s.io/kubernetes/pkg/registry/rbac/helpers_test.go
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/BUILD
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased/BUILD
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/role/policybased/storage.go
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/BUILD
The file was modified vendor/k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased/storage.go
Commit 8cf692d3a2bcdcf13636ec350f6db7ff2c6ee0ba by Mo Khan
Update admission to use moved GC helper
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: 8cf692d)
The file was modified pkg/security/admission/admission.go
The file was modified pkg/template/registry/templateinstance/strategy.go
The file was removed pkg/cmd/server/admission/helpers.go
The file was removed pkg/cmd/server/admission/helpers_test.go
The file was modified pkg/build/admission/strategyrestrictions/admission.go
Commit c51da07cef83204c542dec0504908370c16fc7da by Mo Khan
flakes fixes
- Increase timeout to avoid TestGCDefault flaking
Locally raising timeout from 1 to 2 seconds made the test always
pass, as opposed to always fail.
- Make TestOadmPodNetwork less flakey
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: c51da07)
The file was modified test/integration/gc_default_test.go
Commit 806d7be96585ae004c8de7421083add8a1360f89 by Mo Khan
test/cmd fixes
- Fix test/cmd/admin.sh
- Fix images-old-policy
- Fix test/cmd/policy.sh
- Temp fix for test/cmd/router.sh
Signed-off-by: Monis Khan <mkhan@redhat.com>
(commit: 806d7be)
The file was modified test/cmd/images-old-policy.sh
The file was modified test/cmd/policy.sh
The file was modified test/extended/testdata/roles/policy-roles.yaml
The file was modified test/testdata/bootstrappolicy/cluster_admin_without_apigroups.yaml
The file was modified test/cmd/admin.sh
The file was modified pkg/oc/admin/router/router.go
The file was modified test/extended/testdata/bindata.go
The file was modified api/swagger-spec/oapi-v1.json
The file was modified api/swagger-spec/openshift-openapi-spec.json
Commit 33c4fc3243a8ee694549a6f4f3b6db5ab035fe29 by Mo Khan
Handle reconciliation annotation during conversion
Signed-off-by: Simo Sorce <simo@redhat.com>
(commit: 33c4fc3)
The file was modified pkg/authorization/apis/authorization/conversion_test.go
The file was modified pkg/authorization/apis/authorization/conversion.go
The file was modified test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml