github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix specialized verbs in create role

pull/6/head
xilabao 2017-05-05 17:56:23 +08:00
parent 904b020756
commit 02deeb224e
2 changed files with 116 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
pkg/kubectl/cmd/create_role.go
View File

@ -53,6 +53,40 @@ var (
// Valid resource verb list for validation.
validResourceVerbs = []string{"*", "get", "delete", "list", "create", "update", "patch", "watch", "proxy", "redirect", "deletecollection", "use", "bind", "impersonate"}
// Specialized verbs and GroupResources
specialVerbs = map[string][]schema.GroupResource{
"use": {
{
Group: "extensions",
Resource: "podsecuritypolicies",
},
},
"bind": {
{
Group: "rbac.authorization.k8s.io",
Resource: "roles",
},
{
Group: "rbac.authorization.k8s.io",
Resource: "clusterroles",
},
},
"impersonate": {
{
Group: "",
Resource: "users",
},
{
Group: "",
Resource: "groups",
},
{
Group: "authentication.k8s.io",
Resource: "userextras",
},
},
}
)
type ResourceOptions struct {
@ -202,7 +236,30 @@ func (c *CreateRoleOptions) Validate() error {
if len(r.Resource) == 0 {
return fmt.Errorf("resource must be specified if apiGroup/subresource specified")
}
if _, err := c.Mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}); err != nil {
resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}
groupVersionResource, err := c.Mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
if err == nil {
resource = groupVersionResource
}
for _, v := range c.Verbs {
if groupResources, ok := specialVerbs[v]; ok {
match := false
for _, extra := range groupResources {
if resource.Resource == extra.Resource && resource.Group == extra.Group {
match = true
err = nil
break
}
}
if !match {
return fmt.Errorf("can not perform '%s' on '%s' in group '%s'", v, resource.Resource, resource.Group)
}
}
}
if err != nil {
return err
}
}
@ -255,10 +312,12 @@ func generateResourcePolicyRules(mapper meta.RESTMapper, verbs []string, resourc
// 2. Prevents pointing to non-existent resources.
// 3. Transfers resource short name to long name. E.g. rs.extensions is transferred to replicasets.extensions
for _, r := range resources {
resource, err := mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
if err != nil {
return []rbac.PolicyRule{}, err
resource := schema.GroupVersionResource{Resource: r.Resource, Group: r.Group}
groupVersionResource, err := mapper.ResourceFor(schema.GroupVersionResource{Resource: r.Resource, Group: r.Group})
if err == nil {
resource = groupVersionResource
}
if len(r.SubResource) > 0 {
resource.Resource = resource.Resource + "/" + r.SubResource
}

53
pkg/kubectl/cmd/create_role_test.go
View File

@ -229,6 +229,45 @@ func TestValidate(t *testing.T) {
},
expectErr: true,
},
"test-special-verb": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"use"},
Resources: []ResourceOptions{
{
Resource: "pods",
},
},
},
expectErr: true,
},
"test-mix-verbs": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"impersonate", "use"},
Resources: []ResourceOptions{
{
Resource: "userextras",
SubResource: "scopes",
},
},
},
expectErr: true,
},
"test-special-verb-with-wrong-apigroup": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"impersonate"},
Resources: []ResourceOptions{
{
Resource: "userextras",
SubResource: "scopes",
Group: "extensions",
},
},
},
expectErr: true,
},
"test-invalid-resource": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
@ -286,6 +325,20 @@ func TestValidate(t *testing.T) {
},
expectErr: false,
},
"test-valid-case-with-additional-resource": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"impersonate"},
Resources: []ResourceOptions{
{
Resource: "userextras",
SubResource: "scopes",
Group: "authentication.k8s.io",
},
},
},
expectErr: false,
},
}
for name, test := range tests {