Commit 1f4e2efc authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #41184 from liggitt/subject-apigroup

Automatic merge from submit-queue (batch tested with PRs 41357, 41178, 41280, 41184, 41278) Switch RBAC subject apiVersion to apiGroup in v1beta1 Referencing a subject from an RBAC role binding, the API group and kind of the subject is needed to fully-qualify the reference. The version is not, and adds complexity around re-writing the reference when returning the binding from different versions of the API, and when reconciling subjects. This PR: * v1beta1: change the subject `apiVersion` field to `apiGroup` (to match roleRef) * v1alpha1: convert apiVersion to apiGroup for backwards compatibility * all versions: add defaulting for the three allowed subject kinds * all versions: add validation to the field so we can count on the data in etcd being good until we decide to relax the apiGroup restriction ```release-note RBAC `v1beta1` RoleBinding/ClusterRoleBinding subjects changed `apiVersion` to `apiGroup` to fully-qualify a subject. ServiceAccount subjects default to an apiGroup of `""`, User and Group subjects default to an apiGroup of `"rbac.authorization.k8s.io"`. ``` @deads2k @kubernetes/sig-auth-api-reviews @kubernetes/sig-auth-pr-reviews
parents 1dcb1a23 09d51e3e
......@@ -42731,7 +42731,7 @@
],
"properties": {
"apiVersion": {
"description": "APIVersion holds the API group and version of the referenced object.",
"description": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects.",
"type": "string"
},
"kind": {
......@@ -43102,8 +43102,8 @@
"name"
],
"properties": {
"apiVersion": {
"description": "APIVersion holds the API group and version of the referenced object.",
"apiGroup": {
"description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
"type": "string"
},
"kind": {
......@@ -2924,7 +2924,7 @@
},
"apiVersion": {
"type": "string",
"description": "APIVersion holds the API group and version of the referenced object."
"description": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects."
},
"name": {
"type": "string",
......
......@@ -2922,9 +2922,9 @@
"type": "string",
"description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error."
},
"apiVersion": {
"apiGroup": {
"type": "string",
"description": "APIVersion holds the API group and version of the referenced object."
"description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects."
},
"name": {
"type": "string",
......
......@@ -9,6 +9,6 @@ roleRef:
kind: ClusterRole
name: node-proxy
subjects:
- apiVersion: rbac/v1beta1
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kube-apiserver
......@@ -802,7 +802,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">apiVersion</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">APIVersion holds the API group and version of the referenced object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">APIVersion holds the API group and version of the referenced subject. Defaults to "v1" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
......@@ -1737,7 +1737,7 @@ Examples:<br>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-01-25 20:39:16 UTC
Last updated 2017-02-13 18:31:15 UTC
</div>
</div>
</body>
......
......@@ -1302,8 +1302,8 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">apiVersion</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">APIVersion holds the API group and version of the referenced object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">apiGroup</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
......@@ -1737,7 +1737,7 @@ Examples:<br>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-01-25 20:39:12 UTC
Last updated 2017-02-13 18:31:09 UTC
</div>
</div>
</body>
......
......@@ -718,10 +718,10 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
},
Subjects: []rbacv1beta1.Subject{
{
Kind: "ServiceAccount",
APIVersion: "",
Name: "federation-controller-manager",
Namespace: "federation-system",
Kind: "ServiceAccount",
APIGroup: "",
Name: "federation-controller-manager",
Namespace: "federation-system",
},
},
RoleRef: rbacv1beta1.RoleRef{
......
......@@ -590,6 +590,23 @@ func rbacFuncs(t apitesting.TestingCommon) []interface{} {
r.APIGroup = rbac.GroupName
}
},
func(r *rbac.Subject, c fuzz.Continue) {
switch c.Int31n(3) {
case 0:
r.Kind = rbac.ServiceAccountKind
r.APIGroup = ""
c.FuzzNoCustom(&r.Name)
c.FuzzNoCustom(&r.Namespace)
case 1:
r.Kind = rbac.UserKind
r.APIGroup = rbac.GroupName
c.FuzzNoCustom(&r.Name)
case 2:
r.Kind = rbac.GroupKind
r.APIGroup = rbac.GroupName
c.FuzzNoCustom(&r.Name)
}
},
}
}
......
......@@ -220,14 +220,14 @@ func NewClusterBinding(clusterRoleName string) *ClusterRoleBindingBuilder {
func (r *ClusterRoleBindingBuilder) Groups(groups ...string) *ClusterRoleBindingBuilder {
for _, group := range groups {
r.ClusterRoleBinding.Subjects = append(r.ClusterRoleBinding.Subjects, Subject{Kind: GroupKind, Name: group})
r.ClusterRoleBinding.Subjects = append(r.ClusterRoleBinding.Subjects, Subject{Kind: GroupKind, APIGroup: GroupName, Name: group})
}
return r
}
func (r *ClusterRoleBindingBuilder) Users(users ...string) *ClusterRoleBindingBuilder {
for _, user := range users {
r.ClusterRoleBinding.Subjects = append(r.ClusterRoleBinding.Subjects, Subject{Kind: UserKind, Name: user})
r.ClusterRoleBinding.Subjects = append(r.ClusterRoleBinding.Subjects, Subject{Kind: UserKind, APIGroup: GroupName, Name: user})
}
return r
}
......
......@@ -63,9 +63,10 @@ type Subject struct {
// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
Kind string
// APIVersion holds the API group and version of the referenced object. For non-object references such as "Group" and "User" this is
// expected to be API version of this API group. For example, "rbac/v1alpha1".
APIVersion string
// APIGroup holds the API group of the referenced subject.
// Defaults to "" for ServiceAccount subjects.
// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
APIGroup string
// Name of the object being referenced.
Name string
// Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
......
......@@ -18,6 +18,7 @@ package v1alpha1
import (
"k8s.io/apimachinery/pkg/conversion"
"k8s.io/apimachinery/pkg/runtime/schema"
api "k8s.io/kubernetes/pkg/apis/rbac"
)
......@@ -30,13 +31,51 @@ func Convert_v1alpha1_Subject_To_rbac_Subject(in *Subject, out *api.Subject, s c
return err
}
// specifically set the APIGroup for the three subjects recognized in v1alpha1
switch {
case in.Kind == ServiceAccountKind:
out.APIGroup = ""
case in.Kind == UserKind:
out.APIGroup = GroupName
case in.Kind == GroupKind:
out.APIGroup = GroupName
default:
// For unrecognized kinds, use the group portion of the APIVersion if we can get it
if gv, err := schema.ParseGroupVersion(in.APIVersion); err == nil {
out.APIGroup = gv.Group
}
}
// User * in v1alpha1 will only match all authenticated users
// This is only for compatibility with old RBAC bindings
// Special treatment for * should not be included in v1beta1
if out.Kind == UserKind && out.Name == "*" {
if out.Kind == UserKind && out.APIGroup == GroupName && out.Name == "*" {
out.Kind = GroupKind
out.Name = allAuthenticated
}
return nil
}
func Convert_rbac_Subject_To_v1alpha1_Subject(in *api.Subject, out *Subject, s conversion.Scope) error {
if err := autoConvert_rbac_Subject_To_v1alpha1_Subject(in, out, s); err != nil {
return err
}
switch {
case in.Kind == ServiceAccountKind && in.APIGroup == "":
// Make service accounts v1
out.APIVersion = "v1"
case in.Kind == UserKind && in.APIGroup == GroupName:
// users in the rbac API group get v1alpha
out.APIVersion = SchemeGroupVersion.String()
case in.Kind == GroupKind && in.APIGroup == GroupName:
// groups in the rbac API group get v1alpha
out.APIVersion = SchemeGroupVersion.String()
default:
// otherwise, they get an unspecified version of a group
out.APIVersion = schema.GroupVersion{Group: in.APIGroup}.String()
}
return nil
}
......@@ -34,21 +34,63 @@ func TestConversion(t *testing.T) {
"specific user": {
old: &v1alpha1.RoleBinding{
RoleRef: v1alpha1.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
Subjects: []v1alpha1.Subject{{Kind: "User", Name: "bob"}},
Subjects: []v1alpha1.Subject{{Kind: "User", APIVersion: v1alpha1.SchemeGroupVersion.String(), Name: "bob"}},
},
expected: &rbacapi.RoleBinding{
RoleRef: rbacapi.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
Subjects: []rbacapi.Subject{{Kind: "User", Name: "bob"}},
Subjects: []rbacapi.Subject{{Kind: "User", APIGroup: v1alpha1.GroupName, Name: "bob"}},
},
},
"wildcard user matches authenticated": {
old: &v1alpha1.RoleBinding{
RoleRef: v1alpha1.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
Subjects: []v1alpha1.Subject{{Kind: "User", Name: "*"}},
Subjects: []v1alpha1.Subject{{Kind: "User", APIVersion: v1alpha1.SchemeGroupVersion.String(), Name: "*"}},
},
expected: &rbacapi.RoleBinding{
RoleRef: rbacapi.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
Subjects: []rbacapi.Subject{{Kind: "Group", Name: "system:authenticated"}},
Subjects: []rbacapi.Subject{{Kind: "Group", APIGroup: v1alpha1.GroupName, Name: "system:authenticated"}},
},
},
"missing api group gets defaulted": {
old: &v1alpha1.RoleBinding{
RoleRef: v1alpha1.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
Subjects: []v1alpha1.Subject{
{Kind: "User", Name: "myuser"},
{Kind: "Group", Name: "mygroup"},
{Kind: "ServiceAccount", Name: "mysa", Namespace: "myns"},
},
},
expected: &rbacapi.RoleBinding{
RoleRef: rbacapi.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
Subjects: []rbacapi.Subject{
{Kind: "User", APIGroup: v1alpha1.GroupName, Name: "myuser"},
{Kind: "Group", APIGroup: v1alpha1.GroupName, Name: "mygroup"},
{Kind: "ServiceAccount", APIGroup: "", Name: "mysa", Namespace: "myns"},
},
},
},
"bad api group gets defaulted": {
old: &v1alpha1.RoleBinding{
RoleRef: v1alpha1.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
Subjects: []v1alpha1.Subject{
{Kind: "User", APIVersion: "rbac", Name: "myuser"},
{Kind: "Group", APIVersion: "rbac", Name: "mygroup"},
{Kind: "ServiceAccount", APIVersion: "rbac", Name: "mysa", Namespace: "myns"},
{Kind: "User", APIVersion: "rbac/v8", Name: "myuser"},
{Kind: "Group", APIVersion: "rbac/v8", Name: "mygroup"},
{Kind: "ServiceAccount", APIVersion: "rbac/v8", Name: "mysa", Namespace: "myns"},
},
},
expected: &rbacapi.RoleBinding{
RoleRef: rbacapi.RoleRef{Name: "foo", APIGroup: v1alpha1.GroupName},
Subjects: []rbacapi.Subject{
{Kind: "User", APIGroup: v1alpha1.GroupName, Name: "myuser"},
{Kind: "Group", APIGroup: v1alpha1.GroupName, Name: "mygroup"},
{Kind: "ServiceAccount", APIGroup: "", Name: "mysa", Namespace: "myns"},
{Kind: "User", APIGroup: v1alpha1.GroupName, Name: "myuser"},
{Kind: "Group", APIGroup: v1alpha1.GroupName, Name: "mygroup"},
{Kind: "ServiceAccount", APIGroup: "", Name: "mysa", Namespace: "myns"},
},
},
},
}
......
......@@ -25,6 +25,7 @@ func addDefaultingFuncs(scheme *runtime.Scheme) error {
return scheme.AddDefaultingFuncs(
SetDefaults_ClusterRoleBinding,
SetDefaults_RoleBinding,
SetDefaults_Subject,
)
}
......@@ -38,3 +39,15 @@ func SetDefaults_RoleBinding(obj *RoleBinding) {
obj.RoleRef.APIGroup = GroupName
}
}
func SetDefaults_Subject(obj *Subject) {
if len(obj.APIVersion) == 0 {
switch obj.Kind {
case ServiceAccountKind:
obj.APIVersion = "v1"
case UserKind:
obj.APIVersion = SchemeGroupVersion.String()
case GroupKind:
obj.APIVersion = SchemeGroupVersion.String()
}
}
}
......@@ -184,7 +184,10 @@ message Subject {
// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
optional string kind = 1;
// APIVersion holds the API group and version of the referenced object.
// APIVersion holds the API group and version of the referenced subject.
// Defaults to "v1" for ServiceAccount subjects.
// Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
// +k8s:conversion-gen=false
// +optional
optional string apiVersion = 2;
......
......@@ -72,7 +72,10 @@ type Subject struct {
// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
// APIVersion holds the API group and version of the referenced object.
// APIVersion holds the API group and version of the referenced subject.
// Defaults to "v1" for ServiceAccount subjects.
// Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
// +k8s:conversion-gen=false
// +optional
APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt.name=apiVersion"`
// Name of the object being referenced.
......
......@@ -136,7 +136,7 @@ func (RoleRef) SwaggerDoc() map[string]string {
var map_Subject = map[string]string{
"": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
"kind": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
"apiVersion": "APIVersion holds the API group and version of the referenced object.",
"apiVersion": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects.",
"name": "Name of the object being referenced.",
"namespace": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
}
......
......@@ -410,7 +410,7 @@ func Convert_rbac_RoleRef_To_v1alpha1_RoleRef(in *rbac.RoleRef, out *RoleRef, s
func autoConvert_v1alpha1_Subject_To_rbac_Subject(in *Subject, out *rbac.Subject, s conversion.Scope) error {
out.Kind = in.Kind
out.APIVersion = in.APIVersion
// INFO: in.APIVersion opted out of conversion generation
out.Name = in.Name
out.Namespace = in.Namespace
return nil
......@@ -418,12 +418,8 @@ func autoConvert_v1alpha1_Subject_To_rbac_Subject(in *Subject, out *rbac.Subject
func autoConvert_rbac_Subject_To_v1alpha1_Subject(in *rbac.Subject, out *Subject, s conversion.Scope) error {
out.Kind = in.Kind
out.APIVersion = in.APIVersion
// WARNING: in.APIGroup requires manual conversion: does not exist in peer-type
out.Name = in.Name
out.Namespace = in.Namespace
return nil
}
func Convert_rbac_Subject_To_v1alpha1_Subject(in *rbac.Subject, out *Subject, s conversion.Scope) error {
return autoConvert_rbac_Subject_To_v1alpha1_Subject(in, out, s)
}
......@@ -37,6 +37,10 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
func SetObjectDefaults_ClusterRoleBinding(in *ClusterRoleBinding) {
SetDefaults_ClusterRoleBinding(in)
for i := range in.Subjects {
a := &in.Subjects[i]
SetDefaults_Subject(a)
}
}
func SetObjectDefaults_ClusterRoleBindingList(in *ClusterRoleBindingList) {
......@@ -48,6 +52,10 @@ func SetObjectDefaults_ClusterRoleBindingList(in *ClusterRoleBindingList) {
func SetObjectDefaults_RoleBinding(in *RoleBinding) {
SetDefaults_RoleBinding(in)
for i := range in.Subjects {
a := &in.Subjects[i]
SetDefaults_Subject(a)
}
}
func SetObjectDefaults_RoleBindingList(in *RoleBindingList) {
......
......@@ -25,6 +25,7 @@ func addDefaultingFuncs(scheme *runtime.Scheme) error {
return scheme.AddDefaultingFuncs(
SetDefaults_ClusterRoleBinding,
SetDefaults_RoleBinding,
SetDefaults_Subject,
)
}
......@@ -38,3 +39,15 @@ func SetDefaults_RoleBinding(obj *RoleBinding) {
obj.RoleRef.APIGroup = GroupName
}
}
func SetDefaults_Subject(obj *Subject) {
if len(obj.APIGroup) == 0 {
switch obj.Kind {
case ServiceAccountKind:
obj.APIGroup = ""
case UserKind:
obj.APIGroup = GroupName
case GroupKind:
obj.APIGroup = GroupName
}
}
}
......@@ -183,9 +183,11 @@ message Subject {
// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
optional string kind = 1;
// APIVersion holds the API group and version of the referenced object.
// APIGroup holds the API group of the referenced subject.
// Defaults to "" for ServiceAccount subjects.
// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
// +optional
optional string apiVersion = 2;
optional string apiGroup = 2;
// Name of the object being referenced.
optional string name = 3;
......
......@@ -540,7 +540,7 @@ func (x *Subject) CodecEncodeSelf(e *codec1978.Encoder) {
var yyq2 [4]bool
_, _, _ = yysep2, yyq2, yy2arr2
const yyr2 bool = false
yyq2[1] = x.APIVersion != ""
yyq2[1] = x.APIGroup != ""
yyq2[3] = x.Namespace != ""
var yynn2 int
if yyr2 || yy2arr2 {
......@@ -581,7 +581,7 @@ func (x *Subject) CodecEncodeSelf(e *codec1978.Encoder) {
_ = yym7
if false {
} else {
r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion))
r.EncodeString(codecSelferC_UTF81234, string(x.APIGroup))
}
} else {
r.EncodeString(codecSelferC_UTF81234, "")
......@@ -589,13 +589,13 @@ func (x *Subject) CodecEncodeSelf(e *codec1978.Encoder) {
} else {
if yyq2[1] {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
r.EncodeString(codecSelferC_UTF81234, string("apiVersion"))
r.EncodeString(codecSelferC_UTF81234, string("apiGroup"))
z.EncSendContainerState(codecSelfer_containerMapValue1234)
yym8 := z.EncBinary()
_ = yym8
if false {
} else {
r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion))
r.EncodeString(codecSelferC_UTF81234, string(x.APIGroup))
}
}
}
......@@ -716,11 +716,11 @@ func (x *Subject) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
*((*string)(yyv4)) = r.DecodeString()
}
}
case "apiVersion":
case "apiGroup":
if r.TryDecodeAsNil() {
x.APIVersion = ""
x.APIGroup = ""
} else {
yyv6 := &x.APIVersion
yyv6 := &x.APIGroup
yym7 := z.DecBinary()
_ = yym7
if false {
......@@ -800,9 +800,9 @@ func (x *Subject) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.APIVersion = ""
x.APIGroup = ""
} else {
yyv15 := &x.APIVersion
yyv15 := &x.APIGroup
yym16 := z.DecBinary()
_ = yym16
if false {
......
......@@ -71,9 +71,11 @@ type Subject struct {
// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
// APIVersion holds the API group and version of the referenced object.
// APIGroup holds the API group of the referenced subject.
// Defaults to "" for ServiceAccount subjects.
// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
// +optional
APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt.name=apiVersion"`
APIGroup string `json:"apiGroup,omitempty" protobuf:"bytes,2,opt.name=apiGroup"`
// Name of the object being referenced.
Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
// Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
......
......@@ -134,11 +134,11 @@ func (RoleRef) SwaggerDoc() map[string]string {
}
var map_Subject = map[string]string{
"": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
"kind": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
"apiVersion": "APIVersion holds the API group and version of the referenced object.",
"name": "Name of the object being referenced.",
"namespace": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
"": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
"kind": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
"apiGroup": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
"name": "Name of the object being referenced.",
"namespace": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
}
func (Subject) SwaggerDoc() map[string]string {
......
......@@ -330,7 +330,7 @@ func Convert_rbac_RoleRef_To_v1beta1_RoleRef(in *rbac.RoleRef, out *RoleRef, s c
func autoConvert_v1beta1_Subject_To_rbac_Subject(in *Subject, out *rbac.Subject, s conversion.Scope) error {
out.Kind = in.Kind
out.APIVersion = in.APIVersion
out.APIGroup = in.APIGroup
out.Name = in.Name
out.Namespace = in.Namespace
return nil
......@@ -342,7 +342,7 @@ func Convert_v1beta1_Subject_To_rbac_Subject(in *Subject, out *rbac.Subject, s c
func autoConvert_rbac_Subject_To_v1beta1_Subject(in *rbac.Subject, out *Subject, s conversion.Scope) error {
out.Kind = in.Kind
out.APIVersion = in.APIVersion
out.APIGroup = in.APIGroup
out.Name = in.Name
out.Namespace = in.Namespace
return nil
......
......@@ -37,6 +37,10 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
func SetObjectDefaults_ClusterRoleBinding(in *ClusterRoleBinding) {
SetDefaults_ClusterRoleBinding(in)
for i := range in.Subjects {
a := &in.Subjects[i]
SetDefaults_Subject(a)
}
}
func SetObjectDefaults_ClusterRoleBindingList(in *ClusterRoleBindingList) {
......@@ -48,6 +52,10 @@ func SetObjectDefaults_ClusterRoleBindingList(in *ClusterRoleBindingList) {
func SetObjectDefaults_RoleBinding(in *RoleBinding) {
SetDefaults_RoleBinding(in)
for i := range in.Subjects {
a := &in.Subjects[i]
SetDefaults_Subject(a)
}
}
func SetObjectDefaults_RoleBindingList(in *RoleBindingList) {
......
......@@ -201,6 +201,9 @@ func validateRoleBindingSubject(subject rbac.Subject, isNamespaced bool, fldPath
allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), subject.Name, msg))
}
}
if len(subject.APIGroup) > 0 {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("apiGroup"), subject.APIGroup, []string{""}))
}
if !isNamespaced && len(subject.Namespace) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("namespace"), ""))
}
......@@ -210,12 +213,18 @@ func validateRoleBindingSubject(subject rbac.Subject, isNamespaced bool, fldPath
if len(subject.Name) == 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), subject.Name, "user name cannot be empty"))
}
if subject.APIGroup != rbac.GroupName {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("apiGroup"), subject.APIGroup, []string{rbac.GroupName}))
}
case rbac.GroupKind:
// TODO(ericchiang): What other restrictions on group name are there?
if len(subject.Name) == 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), subject.Name, "group name cannot be empty"))
}
if subject.APIGroup != rbac.GroupName {
allErrs = append(allErrs, field.NotSupported(fldPath.Child("apiGroup"), subject.APIGroup, []string{rbac.GroupName}))
}
default:
allErrs = append(allErrs, field.NotSupported(fldPath.Child("kind"), subject.Kind, []string{rbac.ServiceAccountKind, rbac.UserKind, rbac.GroupKind}))
......
......@@ -30,9 +30,9 @@ func TestValidateClusterRoleBinding(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{
{Name: "validsaname", Namespace: "foo", Kind: rbac.ServiceAccountKind},
{Name: "valid@username", Kind: rbac.UserKind},
{Name: "valid@groupname", Kind: rbac.GroupKind},
{Name: "validsaname", APIGroup: "", Namespace: "foo", Kind: rbac.ServiceAccountKind},
{Name: "valid@username", APIGroup: rbac.GroupName, Kind: rbac.UserKind},
{Name: "valid@groupname", APIGroup: rbac.GroupName, Kind: rbac.GroupKind},
},
},
)
......@@ -145,9 +145,9 @@ func TestValidateRoleBinding(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceDefault, Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{
{Name: "validsaname", Kind: rbac.ServiceAccountKind},
{Name: "valid@username", Kind: rbac.UserKind},
{Name: "valid@groupname", Kind: rbac.GroupKind},
{Name: "validsaname", APIGroup: "", Kind: rbac.ServiceAccountKind},
{Name: "valid@username", APIGroup: rbac.GroupName, Kind: rbac.UserKind},
{Name: "valid@groupname", APIGroup: rbac.GroupName, Kind: rbac.GroupKind},
},
},
)
......
......@@ -11697,7 +11697,7 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion holds the API group and version of the referenced object.",
Description: "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects.",
Type: []string{"string"},
Format: "",
},
......@@ -15314,9 +15314,9 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
Format: "",
},
},
"apiVersion": {
"apiGroup": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion holds the API group and version of the referenced object.",
Description: "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
Type: []string{"string"},
Format: "",
},
......
......@@ -117,16 +117,16 @@ func (s ClusterRoleBindingGeneratorV1) StructuredGenerate() (runtime.Object, err
}
for _, user := range s.Users {
clusterRoleBinding.Subjects = append(clusterRoleBinding.Subjects, rbac.Subject{
Kind: rbac.UserKind,
APIVersion: "rbac.authorization.k8s.io/v1beta1",
Name: user,
Kind: rbac.UserKind,
APIGroup: rbac.GroupName,
Name: user,
})
}
for _, group := range s.Groups {
clusterRoleBinding.Subjects = append(clusterRoleBinding.Subjects, rbac.Subject{
Kind: rbac.GroupKind,
APIVersion: "rbac.authorization.k8s.io/v1beta1",
Name: group,
Kind: rbac.GroupKind,
APIGroup: rbac.GroupName,
Name: group,
})
}
for _, sa := range s.ServiceAccounts {
......@@ -136,6 +136,7 @@ func (s ClusterRoleBindingGeneratorV1) StructuredGenerate() (runtime.Object, err
}
clusterRoleBinding.Subjects = append(clusterRoleBinding.Subjects, rbac.Subject{
Kind: rbac.ServiceAccountKind,
APIGroup: "",
Namespace: tokens[0],
Name: tokens[1],
})
......
......@@ -132,16 +132,16 @@ func (s RoleBindingGeneratorV1) StructuredGenerate() (runtime.Object, error) {
for _, user := range s.Users {
roleBinding.Subjects = append(roleBinding.Subjects, rbac.Subject{
Kind: rbac.UserKind,
APIVersion: "rbac.authorization.k8s.io/v1beta1",
Name: user,
Kind: rbac.UserKind,
APIGroup: rbac.GroupName,
Name: user,
})
}
for _, group := range s.Groups {
roleBinding.Subjects = append(roleBinding.Subjects, rbac.Subject{
Kind: rbac.GroupKind,
APIVersion: "rbac.authorization.k8s.io/v1beta1",
Name: group,
Kind: rbac.GroupKind,
APIGroup: rbac.GroupName,
Name: group,
})
}
for _, sa := range s.ServiceAccounts {
......@@ -151,6 +151,7 @@ func (s RoleBindingGeneratorV1) StructuredGenerate() (runtime.Object, error) {
}
roleBinding.Subjects = append(roleBinding.Subjects, rbac.Subject{
Kind: rbac.ServiceAccountKind,
APIGroup: "",
Namespace: tokens[0],
Name: tokens[1],
})
......
......@@ -12,7 +12,8 @@ items:
kind: ClusterRole
name: cluster-admin
subjects:
- kind: Group
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
......@@ -26,9 +27,11 @@ items:
kind: ClusterRole
name: system:basic-user
subjects:
- kind: Group
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
- kind: Group
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
......@@ -42,9 +45,11 @@ items:
kind: ClusterRole
name: system:discovery
subjects:
- kind: Group
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
- kind: Group
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
......@@ -58,7 +63,8 @@ items:
kind: ClusterRole
name: system:kube-controller-manager
subjects:
- kind: User
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:kube-controller-manager
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
......@@ -72,7 +78,8 @@ items:
kind: ClusterRole
name: system:node
subjects:
- kind: Group
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
......@@ -86,7 +93,8 @@ items:
kind: ClusterRole
name: system:node-proxier
subjects:
- kind: User
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:kube-proxy
kind: List
metadata: {}
......@@ -64,6 +64,15 @@ func newClusterRoleBinding(roleName string, subjects ...string) *rbac.ClusterRol
for i, subject := range subjects {
split := strings.SplitN(subject, ":", 2)
r.Subjects[i].Kind, r.Subjects[i].Name = split[0], split[1]
switch r.Subjects[i].Kind {
case rbac.ServiceAccountKind:
r.Subjects[i].APIGroup = ""
case rbac.UserKind, rbac.GroupKind:
r.Subjects[i].APIGroup = rbac.GroupName
default:
panic(fmt.Errorf("invalid kind %s", r.Subjects[i].Kind))
}
}
return r
}
......@@ -82,6 +91,15 @@ func newRoleBinding(namespace, roleName string, bindType uint16, subjects ...str
for i, subject := range subjects {
split := strings.SplitN(subject, ":", 2)
r.Subjects[i].Kind, r.Subjects[i].Name = split[0], split[1]
switch r.Subjects[i].Kind {
case rbac.ServiceAccountKind:
r.Subjects[i].APIGroup = ""
case rbac.UserKind, rbac.GroupKind:
r.Subjects[i].APIGroup = rbac.GroupName
default:
panic(fmt.Errorf("invalid kind %s", r.Subjects[i].Kind))
}
}
return r
}
......
......@@ -54,9 +54,9 @@ func NewSubjectAccessEvaluator(roles rbacregistryvalidation.RoleGetter, roleBind
// AllowedSubjects returns the subjects that can perform an action and any errors encountered while computing the list.
// It is possible to have both subjects and errors returned if some rolebindings couldn't be resolved, but others could be.
func (r *SubjectAccessEvaluator) AllowedSubjects(requestAttributes authorizer.Attributes) ([]rbac.Subject, error) {
subjects := []rbac.Subject{{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup}}
subjects := []rbac.Subject{{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup}}
if len(r.superUser) > 0 {
subjects = append(subjects, rbac.Subject{Kind: rbac.UserKind, APIVersion: "v1alpha1", Name: r.superUser})
subjects = append(subjects, rbac.Subject{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: r.superUser})
}
errorlist := []error{}
......
......@@ -58,29 +58,29 @@ func TestSubjectLocator(t *testing.T) {
{
&defaultAttributes{"", "", "get", "Pods", "", "ns1", ""},
[]rbac.Subject{
{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, Name: "super-admin"},
{Kind: rbac.GroupKind, Name: "super-admins"},
{Kind: rbac.UserKind, Name: "admin"},
{Kind: rbac.GroupKind, Name: "admins"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "admin"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "admins"},
},
},
{
// cluster role matches star in namespace
&defaultAttributes{"", "", "*", "Pods", "", "*", ""},
[]rbac.Subject{
{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, Name: "super-admin"},
{Kind: rbac.GroupKind, Name: "super-admins"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
},
},
{
// empty ns
&defaultAttributes{"", "", "*", "Pods", "", "", ""},
[]rbac.Subject{
{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, Name: "super-admin"},
{Kind: rbac.GroupKind, Name: "super-admins"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
},
},
},
......@@ -104,32 +104,32 @@ func TestSubjectLocator(t *testing.T) {
{
&defaultAttributes{"", "", "get", "Pods", "", "ns1", ""},
[]rbac.Subject{
{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIVersion: "v1alpha1", Name: "foo"},
{Kind: rbac.UserKind, Name: "super-admin"},
{Kind: rbac.GroupKind, Name: "super-admins"},
{Kind: rbac.UserKind, Name: "admin"},
{Kind: rbac.GroupKind, Name: "admins"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "foo"},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "admin"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "admins"},
},
},
{
// verb matchies correctly
&defaultAttributes{"", "", "create", "Pods", "", "ns1", ""},
[]rbac.Subject{
{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIVersion: "v1alpha1", Name: "foo"},
{Kind: rbac.UserKind, Name: "super-admin"},
{Kind: rbac.GroupKind, Name: "super-admins"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "foo"},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
},
},
{
// binding only works in correct ns
&defaultAttributes{"", "", "get", "Pods", "", "ns2", ""},
[]rbac.Subject{
{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIVersion: "v1alpha1", Name: "foo"},
{Kind: rbac.UserKind, Name: "super-admin"},
{Kind: rbac.GroupKind, Name: "super-admins"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "foo"},
{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
},
},
},
......@@ -144,7 +144,7 @@ func TestSubjectLocator(t *testing.T) {
t.Errorf("case %q %d: error %v", tt.name, i, err)
}
if !reflect.DeepEqual(actualSubjects, action.subjects) {
t.Errorf("case %q %d: expected %v actual %v", tt.name, i, action.subjects, actualSubjects)
t.Errorf("case %q %d: expected\n%v\nactual\n%v", tt.name, i, action.subjects, actualSubjects)
}
}
}
......
......@@ -181,7 +181,7 @@ var (
"name": "write-jobs"
},
"subjects": [{
"apiVersion": "rbac/v1alpha1",
"apiGroup": "rbac.authorization.k8s.io",
"kind": "User",
"name": "admin"
}]
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment