mirror of https://github.com/k3s-io/k3s
16454277aa
Automatic merge from submit-queue
rbac validation: rules can't combine non-resource URLs and regular resources
This PR updates the validation used for RBAC to prevent rules from mixing non-resource URLs and regular resources.
For example the following is no longer valid
```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: admins
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
nonResourceURLs: ["*"]
```
And must be rewritten as so.
```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
name: admins
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
- nonResourceURLs: ["*"]
verbs: ["*"]
```
It also:
* Mandates non-zero length arrays for required resources.
* Mandates non-resource URLs only be used for ClusterRoles (not namespaced Roles).
* Updates the swagger validation so `verbs` are the only required field in a rule. Further validation is done by the server.
Also, do we need to bump the API version?
Discussed by @erictune and @liggitt in #28304
Updates kubernetes/features#2
cc @kubernetes/sig-auth
Edit:
* Need to update the RBAC docs if this change goes in.
|
||
|---|---|---|
| .. | ||
| api.json | ||
| apis.json | ||
| apps.json | ||
| apps_v1alpha1.json | ||
| authentication.k8s.io.json | ||
| authentication.k8s.io_v1.json | ||
| authentication.k8s.io_v1beta1.json | ||
| autoscaling.json | ||
| autoscaling_v1.json | ||
| batch.json | ||
| batch_v1.json | ||
| batch_v2alpha1.json | ||
| certificates.json | ||
| certificates_v1alpha1.json | ||
| extensions.json | ||
| extensions_v1beta1.json | ||
| policy.json | ||
| policy_v1alpha1.json | ||
| rbac.authorization.k8s.io.json | ||
| rbac.authorization.k8s.io_v1alpha1.json | ||
| resourceListing.json | ||
| v1.json | ||
| version.json | ||