Merge pull request #36568 from xilabao/add-label-to-rbac-bootstrap-policy

Automatic merge from submit-queue add default label to rbac bootstrap policy allow people to retrieve information of bootstrap policy by label : `kubectl get clusterroles -l key=value` `kubectl get clusterrolebindings -l key=value`
2016-12-07 06:13:47 -08:00 · 2016-12-07 06:13:47 -08:00 · 28df1d948f
parent ffda42fa07 1d475edd1c
commit 28df1d948f
8 changed files with 174 additions and 3 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
@ -32,6 +32,7 @@ go_test(
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/api/install:go_default_library",
+        "//pkg/api/meta:go_default_library",
        "//pkg/api/v1:go_default_library",
        "//pkg/apis/rbac:go_default_library",
        "//pkg/apis/rbac/install:go_default_library",
@ -50,5 +51,8 @@ go_test(
    srcs = ["controller_policy_test.go"],
    library = "go_default_library",
    tags = ["automanaged"],
-    deps = ["//pkg/util/sets:go_default_library"],
+    deps = [
+        "//pkg/api/meta:go_default_library",
+        "//pkg/util/sets:go_default_library",
+    ],
 )
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@ -46,8 +46,11 @@ func addControllerRole(role rbac.ClusterRole) {
 	}

 	controllerRoles = append(controllerRoles, role)
+	addClusterRoleLabel(controllerRoles)
+
 	controllerRoleBindings = append(controllerRoleBindings,
 		rbac.NewClusterBinding(role.Name).SAs("kube-system", role.Name[len(saRolePrefix):]).BindingOrDie())
+	addClusterRoleBindingLabel(controllerRoleBindings)
 }

 func eventsRule() rbac.PolicyRule {
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go
@ -17,8 +17,10 @@ limitations under the License.
 package bootstrappolicy

 import (
+	"reflect"
 	"testing"

+	"k8s.io/kubernetes/pkg/api/meta"
 	"k8s.io/kubernetes/pkg/util/sets"
 )

@ -58,3 +60,29 @@ func TestNoStarsForControllers(t *testing.T) {
 		}
 	}
 }
+
+func TestControllerRoleLabel(t *testing.T) {
+	roles := ControllerRoles()
+	for i := range roles {
+		role := roles[i]
+		accessor, err := meta.Accessor(&role)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if got, want := accessor.GetLabels(), map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}; !reflect.DeepEqual(got, want) {
+			t.Errorf("ClusterRole: %s GetLabels() = %s, want %s", accessor.GetName(), got, want)
+		}
+	}
+
+	rolebindings := ControllerRoleBindings()
+	for i := range rolebindings {
+		rolebinding := rolebindings[i]
+		accessor, err := meta.Accessor(&rolebinding)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if got, want := accessor.GetLabels(), map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}; !reflect.DeepEqual(got, want) {
+			t.Errorf("ClusterRoleBinding: %s GetLabels() = %s, want %s", accessor.GetName(), got, want)
+		}
+	}
+}
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -25,6 +25,8 @@ import (
 var (
 	ReadWrite = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
 	Read      = []string{"get", "list", "watch"}
+
+	Label = map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}
 )

 const (
@ -41,9 +43,33 @@ const (
 	storageGroup        = "storage.k8s.io"
 )

+func addClusterRoleLabel(roles []rbac.ClusterRole) {
+	for i := range roles {
+		if roles[i].ObjectMeta.Labels == nil {
+			roles[i].ObjectMeta.Labels = make(map[string]string)
+		}
+		for k, v := range Label {
+			roles[i].ObjectMeta.Labels[k] = v
+		}
+	}
+	return
+}
+
+func addClusterRoleBindingLabel(rolebindings []rbac.ClusterRoleBinding) {
+	for i := range rolebindings {
+		if rolebindings[i].ObjectMeta.Labels == nil {
+			rolebindings[i].ObjectMeta.Labels = make(map[string]string)
+		}
+		for k, v := range Label {
+			rolebindings[i].ObjectMeta.Labels[k] = v
+		}
+	}
+	return
+}
+
 // ClusterRoles returns the cluster roles to bootstrap an API server with
 func ClusterRoles() []rbac.ClusterRole {
-	return []rbac.ClusterRole{
+	roles := []rbac.ClusterRole{
 		{
 			// a "root" role which can do absolutely anything
 			ObjectMeta: api.ObjectMeta{Name: "cluster-admin"},
@ -204,15 +230,19 @@ func ClusterRoles() []rbac.ClusterRole {
 			},
 		},
 	}
+	addClusterRoleLabel(roles)
+	return roles
 }

 // ClusterRoleBindings return default rolebindings to the default roles
 func ClusterRoleBindings() []rbac.ClusterRoleBinding {
-	return []rbac.ClusterRoleBinding{
+	rolebindings := []rbac.ClusterRoleBinding{
 		rbac.NewClusterBinding("cluster-admin").Groups(user.SystemPrivilegedGroup).BindingOrDie(),
 		rbac.NewClusterBinding("system:discovery").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),
 		rbac.NewClusterBinding("system:basic-user").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),
 		rbac.NewClusterBinding("system:node").Groups(user.NodesGroup).BindingOrDie(),
 		rbac.NewClusterBinding("system:node-proxier").Groups(user.NodesGroup).BindingOrDie(),
 	}
+	addClusterRoleBindingLabel(rolebindings)
+	return rolebindings
 }
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
@ -20,12 +20,14 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"reflect"
 	"testing"

 	"github.com/ghodss/yaml"

 	"k8s.io/kubernetes/pkg/api"
 	_ "k8s.io/kubernetes/pkg/api/install"
+	"k8s.io/kubernetes/pkg/api/meta"
 	"k8s.io/kubernetes/pkg/api/v1"
 	rbac "k8s.io/kubernetes/pkg/apis/rbac"
 	_ "k8s.io/kubernetes/pkg/apis/rbac/install"
@ -233,3 +235,29 @@ func testObjects(t *testing.T, list *api.List, fixtureFilename string) {
 		}
 	}
 }
+
+func TestClusterRoleLabel(t *testing.T) {
+	roles := bootstrappolicy.ClusterRoles()
+	for i := range roles {
+		role := roles[i]
+		accessor, err := meta.Accessor(&role)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if got, want := accessor.GetLabels(), map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}; !reflect.DeepEqual(got, want) {
+			t.Errorf("ClusterRole: %s GetLabels() = %s, want %s", accessor.GetName(), got, want)
+		}
+	}
+
+	rolebindings := bootstrappolicy.ClusterRoleBindings()
+	for i := range rolebindings {
+		rolebinding := rolebindings[i]
+		accessor, err := meta.Accessor(&rolebinding)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if got, want := accessor.GetLabels(), map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}; !reflect.DeepEqual(got, want) {
+			t.Errorf("ClusterRoleBinding: %s GetLabels() = %s, want %s", accessor.GetName(), got, want)
+		}
+	}
+}
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@ -4,6 +4,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: admin
  rules:
  - apiGroups:
@ -170,6 +172,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: cluster-admin
  rules:
  - apiGroups:
@ -188,6 +192,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: edit
  rules:
  - apiGroups:
@ -332,6 +338,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:auth-delegator
  rules:
  - apiGroups:
@ -352,6 +360,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:basic-user
  rules:
  - apiGroups:
@ -365,6 +375,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:discovery
  rules:
  - attributeRestrictions: null
@ -380,6 +392,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:node
  rules:
  - apiGroups:
@ -484,6 +498,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:node-proxier
  rules:
  - apiGroups:
@ -499,6 +515,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: view
  rules:
  - apiGroups:
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
@ -4,6 +4,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:attachdetach-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -17,6 +19,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:cronjob-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -30,6 +34,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:daemon-set-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -43,6 +49,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:deployment-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -56,6 +64,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:disruption-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -69,6 +79,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:endpoint-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -82,6 +94,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:horizontal-pod-autoscaler
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -95,6 +109,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:job-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -108,6 +124,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:namespace-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -121,6 +139,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:persistent-volume-binder
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -134,6 +154,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:pod-garbage-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -147,6 +169,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:replicaset-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -160,6 +184,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:replication-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -173,6 +199,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:service-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
@ -186,6 +214,8 @@ items:
  kind: ClusterRoleBinding
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:statefulset-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@ -4,6 +4,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:attachdetach-controller
  rules:
  - apiGroups:
@ -53,6 +55,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:cronjob-controller
  rules:
  - apiGroups:
@ -96,6 +100,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:daemon-set-controller
  rules:
  - apiGroups:
@ -152,6 +158,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:deployment-controller
  rules:
  - apiGroups:
@ -206,6 +214,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:disruption-controller
  rules:
  - apiGroups:
@ -252,6 +262,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:endpoint-controller
  rules:
  - apiGroups:
@ -295,6 +307,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:horizontal-pod-autoscaler
  rules:
  - apiGroups:
@ -361,6 +375,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:job-controller
  rules:
  - apiGroups:
@ -405,6 +421,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:namespace-controller
  rules:
  - apiGroups:
@ -439,6 +457,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:persistent-volume-binder
  rules:
  - apiGroups:
@ -527,6 +547,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:pod-garbage-controller
  rules:
  - apiGroups:
@ -542,6 +564,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:replicaset-controller
  rules:
  - apiGroups:
@ -584,6 +608,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:replication-controller
  rules:
  - apiGroups:
@ -626,6 +652,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:service-controller
  rules:
  - apiGroups:
@ -665,6 +693,8 @@ items:
  kind: ClusterRole
  metadata:
    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:statefulset-controller
  rules:
  - apiGroups: