support NonResourceURL for kubectl create clusterrole #45809
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/M
|
Hi @CaoShuFeng. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
needs-ok-to-test
|
@k8s-bot ok to test |
k8s-ci-robot
removed
the
needs-ok-to-test
eparis
added
release-note
| @@ -72,16 +77,46 @@ func NewCmdCreateClusterRole(f cmdutil.Factory, cmdOut io.Writer) *cobra.Command | |||
| cmdutil.AddPrinterFlags(cmd) | |||
| cmdutil.AddDryRunFlag(cmd) | |||
| cmd.Flags().StringSliceVar(&c.Verbs, "verb", []string{}, "verb that applies to the resources contained in the rule") | |||
| cmd.Flags().StringSliceVar(&c.NonResourceURLs, "prefix", []string{}, "a partial url that user should have access to.") | |||
There was a problem hiding this comment.
--prefix is misleading... /foo does not give access to /foo/bar. I would call this --non-resource-url
CaoShuFeng
force-pushed
the
non-resource-url-create-rolebinding
branch
from
6a094ac
to
ffc31a8
Compare
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
2 similar comments
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
pkg/kubectl/cmd/create_role.go
Outdated
| @@ -336,6 +338,12 @@ func generateResourcePolicyRules(mapper meta.RESTMapper, verbs []string, resourc | |||
| rule.ResourceNames = resourceNames | |||
| rules = append(rules, rule) | |||
| } | |||
| for _, u := range nonResourceURLs { | |||
| rule := rbac.PolicyRule{} | |||
| rule.Verbs = verbs | |||
There was a problem hiding this comment.
verbs are going to be tricky if you are trying to create a role containing both resources and non-resource urls (the verbs that apply to those are different... see https://kubernetes.io/docs/admin/authorization/#review-your-request-attributes)
| @@ -3018,6 +3018,9 @@ runTests() { | |||
| kube::test::get_object_assert clusterrole/resourcename-reader "{{range.rules}}{{range.resources}}{{.}}:{{end}}{{end}}" 'pods:' | |||
| kube::test::get_object_assert clusterrole/resourcename-reader "{{range.rules}}{{range.apiGroups}}{{.}}:{{end}}{{end}}" ':' | |||
| kube::test::get_object_assert clusterrole/resourcename-reader "{{range.rules}}{{range.resourceNames}}{{.}}:{{end}}{{end}}" 'foo:' | |||
| kubectl create "${kube_flags[@]}" clusterrole url-reader --verb=get --non-resource-url=/logs/* --non-resource-url=/healthz/* | |||
There was a problem hiding this comment.
surprised the * didn't need quoting
|
@kubernetes/sig-cli-pr-reviews |
k8s-ci-robot
added
the
sig/cli
CaoShuFeng
force-pushed
the
non-resource-url-create-rolebinding
branch
from
ffc31a8
to
301cec6
Compare
| kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*`)) | ||
|
|
||
| // Valid nonResource verb list for validation. | ||
| validNonResourceVerbs = []string{"*", "get", "post", "put", "delete"} |
There was a problem hiding this comment.
include patch, head, and options
pkg/kubectl/cmd/create_role.go
Outdated
| @@ -336,6 +338,12 @@ func generateResourcePolicyRules(mapper meta.RESTMapper, verbs []string, resourc | |||
| rule.ResourceNames = resourceNames | |||
| rules = append(rules, rule) | |||
| } | |||
| for _, u := range nonResourceURLs { | |||
There was a problem hiding this comment.
all the nonResourceURLs can go in a single rule
CaoShuFeng
force-pushed
the
non-resource-url-create-rolebinding
branch
from
301cec6
to
a65052d
Compare
|
|
||
| func (c *CreateClusterRoleOptions) Validate() error { | ||
| err := c.CreateRoleOptions.Validate() | ||
| if err == nonResourceErr { |
There was a problem hiding this comment.
depending on an error condition this way is a little odd... I'd factor out a validateResources() helper and use it from both Validate() methods, rather than delegate to CreateRoleOptions.Validate() and ignore specific returned errors. You'll end up duplicating the empty name and verbs check but that's not a big deal.
CaoShuFeng
force-pushed
the
non-resource-url-create-rolebinding
branch
from
a65052d
to
93e50b1
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CaoShuFeng, deads2k, liggitt
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue |
…binding Automatic merge from submit-queue (batch tested with PRs 46432, 46701, 46326, 40848, 46396) add some unit tests for "kubectl create clusterrole" kubernetes#45809 adds support for non-resource-url to "kubectl create clusterrole" This pr add some unit test for kubernetes#45809 **Release note**: ``` NONE ```
Release note: