github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
70,914 Commits
32 Branches
881 Tags
633 MiB
Commit Graph

48 Commits (060218a862ba69488aae7edc0313ccf1b448eab6)

Author SHA1 Message Date
tanshanshan d300706683 fixdup 2018-07-14 14:13:28 +08:00
Jeff Grafton 23ceebac22 Run hack/update-bazel.sh 2018-06-22 16:22:57 -07:00
Monis Khan fc6ee7e782
Export RBAC validation functions 
This change exports the RBAC validation functions to allow types
outside of the RBAC API group to embed a RBAC type and reuse this
validation logic.  Note that only ValidateRBACName,
ValidatePolicyRule and ValidateRoleBindingSubject were exported.
The rest of the functions were already exported.

Signed-off-by: Monis Khan <mkhan@redhat.com>
 2018-04-19 11:01:07 -04:00
Jeff Grafton ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Jeff Grafton efee0704c6 Autogenerate BUILD files 2017-12-23 13:12:11 -08:00
David Eads a53e5de3db generated 2017-11-13 08:18:00 -05:00
David Eads 0f0a5223df rbac api changes for aggregation 2017-11-13 08:14:37 -05:00
Dr. Stefan Schimanski bec617f3cc Update generated files 2017-11-09 12:14:08 +01:00
Dr. Stefan Schimanski 012b085ac8 pkg/apis/core: mechanical import fixes in dependencies 2017-11-09 12:14:08 +01:00
Jeff Grafton aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Jeff Grafton a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton 33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Mike Danese a05c3c0efd autogenerated 2017-04-14 10:40:57 -07:00
Jordan Liggitt 2a76fa1c8f
Switch RBAC subject apiVersion to apiGroup in v1beta1 2017-02-13 15:33:09 -05:00
deads2k c6fd6941a1 move pkg/api/validation/path to apimachinery 2017-01-27 08:49:29 -05:00
Clayton Coleman 9009c1ac14
generated: informer,client 2017-01-23 17:52:47 -05:00
Clayton Coleman 469df12038
refactor: move ListOptions references to metav1 2017-01-23 17:52:46 -05:00
Clayton Coleman 9a2a50cda7
refactor: use metav1.ObjectMeta in other types 2017-01-17 16:17:19 -05:00
Clayton Coleman 36acd90aba
Move APIs and core code to use metav1.ObjectMeta 2017-01-17 16:17:18 -05:00
Dr. Stefan Schimanski 4a1d507756 Update bazel 2017-01-11 18:53:24 +01:00
Dr. Stefan Schimanski cf60bec396 Split out server side code from pkg/apis/rbac/validation 2017-01-11 18:31:58 +01:00
deads2k 6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
Jeff Grafton 20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
Jordan Liggitt b8c2ad6d42
Deprecate RBAC UserAll, convert v1alpha1 User * rolebindings to Group system:authenticated 2017-01-04 17:11:16 -05:00
deads2k ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
Dr. Stefan Schimanski 87dd990bb7 Move pkg/api.{Context,RequestContextMapper} into pkg/genericapiserver/api/request 2017-01-03 14:57:33 +01:00
Mike Danese 161c391f44 autogenerated 2016-12-29 13:04:10 -08:00
Mike Danese c87de85347 autoupdate BUILD files 2016-12-12 13:30:07 -08:00
deads2k 252d8b7066 add rbac action to subjects type 2016-11-08 07:47:11 -05:00
Mike Danese 3b6a067afc autogenerated 2016-10-21 17:32:32 -07:00
deads2k ceaf026881 slim down authorization listing interfaces 2016-10-13 07:50:01 -04:00
deads2k 1943d256d2 make rbac authorizer use rule comparison, not covers 2016-09-16 15:53:42 -04:00
deads2k 8c788233e7 change rbac roleref type 2016-09-09 09:55:51 -04:00
Kubernetes Submit Queue bf9a62035d Merge pull request #31289 from deads2k/remove-cast-utilities 
Automatic merge from submit-queue

remove cast utilities from rbac

Casting functions like these are a source of pain in OpenShift.  We should eliminate them to avoid drift problems like we've had downstream.

@kubernetes/sig-auth 

@ericchiang ptal
 2016-09-08 08:23:01 -07:00
deads2k da32d31aac remove cast utilities from rbac 2016-08-30 09:55:34 -04:00
Kris e87edf9bd5 Split path validation into a separate library 2016-08-26 08:05:20 -07:00
Kubernetes Submit Queue 16454277aa Merge pull request #29930 from ericchiang/rbac-validation-dont-mix-non-resource-urls-and-resources 
Automatic merge from submit-queue

rbac validation: rules can't combine non-resource URLs and regular resources

This PR updates the validation used for RBAC to prevent rules from mixing non-resource URLs and regular resources.

For example the following is no longer valid

```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admins
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
    nonResourceURLs: ["*"]
```

And must be rewritten as so.

```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admins
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
``` 

It also:
* Mandates non-zero length arrays for required resources.
* Mandates non-resource URLs only be used for ClusterRoles (not namespaced Roles).
* Updates the swagger validation so `verbs` are the only required field in a rule. Further validation is done by the server.

Also, do we need to bump the API version?

Discussed by @erictune and @liggitt  in #28304

Updates kubernetes/features#2

cc @kubernetes/sig-auth 

Edit:
* Need to update the RBAC docs if this change goes in.
 2016-08-04 04:52:51 -07:00
Eric Chiang 93947663d9 RBAC: don't allow rules to mix non-resource URLs and resources 2016-08-02 13:33:34 -07:00
lixiaobing10051267 be8d081539 Check all places to break the loop when object found 2016-07-23 13:49:04 +08:00
albatross0 d1b14e2fae Fix RBAC authorizer of ServiceAccount 
RBAC authorizer assigns a role to a wrong service account.
 2016-07-21 01:50:08 +09:00
Eric Chiang addc4b166c rbac authorizer: support non-resource urls with stars ("/apis/*") 2016-07-12 10:01:53 -07:00
Eric Chiang 411922f66c rbac authorizer: include verb in non-resource url requests 2016-07-12 10:01:53 -07:00
David McMahon ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
Eric Chiang d13e351028 add unit and integration tests for rbac authorizer 2016-06-14 11:07:48 -07:00
Eric Chiang 88119903e5 pkg/apis/rbac: make apiversion optional for subjects and fix validation 2016-06-13 15:02:48 -07:00
Eric Chiang e3604e2590 add validation to rbac group and apply small cleanups 2016-05-25 14:19:04 -07:00
Tim Hockin 152c86ab06 Make name validators return string slices 2016-05-18 00:48:01 -07:00
Eric Chiang 6a1f46895e pkg/apis: rbac types added 2016-05-11 12:01:06 +02:00