Move project creation to use RBAC objects

Also move Service Account Project Role Bindings to RBAC objects Signed-off-by: Simo Sorce <[email protected]>
openshift · Aug 25, 2017 · c435189 · c435189
1 parent 02eb0a3
commit c435189
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 65 deletions.
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -913,6 +913,12 @@ func newOriginRoleBinding(bindingName, roleName, namespace string) *rbac.RoleBin
 	return builder
 }
 
+func newOriginRoleBindingForClusterRole(bindingName, roleName, namespace string) *rbac.RoleBindingBuilder {
+	builder := rbac.NewRoleBindingForClusterRole(roleName, namespace)
+	builder.RoleBinding.Name = bindingName
+	return builder
+}
+
 func newOriginClusterBinding(bindingName, roleName string) *rbac.ClusterRoleBindingBuilder {
 	builder := rbac.NewClusterBinding(roleName)
 	builder.ClusterRoleBinding.Name = bindingName

diff --git a/pkg/cmd/server/bootstrappolicy/project_policy.go b/pkg/cmd/server/bootstrappolicy/project_policy.go
@@ -1,44 +1,20 @@
 package bootstrappolicy
 
 import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
-	kapi "k8s.io/kubernetes/pkg/api"
-
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
+	"k8s.io/kubernetes/pkg/apis/rbac"
 )
 
-func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []authorizationapi.RoleBinding {
-	return []authorizationapi.RoleBinding{
-		{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      ImagePullerRoleBindingName,
-				Namespace: namespace,
-			},
-			RoleRef: kapi.ObjectReference{
-				Name: ImagePullerRoleName,
-			},
-			Subjects: []kapi.ObjectReference{{Kind: authorizationapi.SystemGroupKind, Name: serviceaccount.MakeNamespaceGroupName(namespace)}},
-		},
-		{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      ImageBuilderRoleBindingName,
-				Namespace: namespace,
-			},
-			RoleRef: kapi.ObjectReference{
-				Name: ImageBuilderRoleName,
-			},
-			Subjects: []kapi.ObjectReference{{Kind: authorizationapi.ServiceAccountKind, Name: BuilderServiceAccountName}},
-		},
-		{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      DeployerRoleBindingName,
-				Namespace: namespace,
-			},
-			RoleRef: kapi.ObjectReference{
-				Name: DeployerRoleName,
-			},
-			Subjects: []kapi.ObjectReference{{Kind: authorizationapi.ServiceAccountKind, Name: DeployerServiceAccountName}},
-		},
+func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []rbac.RoleBinding {
+	return []rbac.RoleBinding{
+		newOriginRoleBindingForClusterRole(ImagePullerRoleBindingName, ImagePullerRoleName, namespace).
+			Groups(serviceaccount.MakeNamespaceGroupName(namespace)).
+			BindingOrDie(),
+		newOriginRoleBindingForClusterRole(ImageBuilderRoleBindingName, ImageBuilderRoleName, namespace).
+			SAs(namespace, BuilderServiceAccountName).
+			BindingOrDie(),
+		newOriginRoleBindingForClusterRole(DeployerRoleBindingName, DeployerRoleName, namespace).
+			SAs(namespace, DeployerServiceAccountName).
+			BindingOrDie(),
 	}
 }
diff --git a/pkg/cmd/server/origin/openshift_apiserver.go b/pkg/cmd/server/origin/openshift_apiserver.go
@@ -31,6 +31,7 @@ import (
 	"github.com/openshift/origin/pkg/api/v1"
 	"github.com/openshift/origin/pkg/authorization/authorizer"
 	authorizationinformer "github.com/openshift/origin/pkg/authorization/generated/informers/internalversion"
+	authzregutil "github.com/openshift/origin/pkg/authorization/registry/util"
 	osclient "github.com/openshift/origin/pkg/client"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
@@ -552,7 +553,13 @@ func EnsureNamespaceServiceAccountRoleBindings(kubeClientInternal kclientsetinte
 	}
 
 	hasErrors := false
-	for _, binding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(namespace.Name) {
+	for _, rbacBinding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(namespace.Name) {
+		binding, err := authzregutil.RoleBindingFromRBAC(&rbacBinding)
+		if err != nil {
+			glog.Errorf("Could not convert Role Bindning %v n the %q namespace: %v\n", rbacBinding.Name, namespace.Name, err)
+			hasErrors = true
+			continue
+		}
 		addRole := &policy.RoleModificationOptions{
 			RoleName:            binding.RoleRef.Name,
 			RoleNamespace:       binding.RoleRef.Namespace,

diff --git a/pkg/oc/admin/project/new_project.go b/pkg/oc/admin/project/new_project.go
@@ -14,6 +14,7 @@ import (
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 
 	oapi "github.com/openshift/origin/pkg/api"
+	authzregutil "github.com/openshift/origin/pkg/authorization/registry/util"
 	"github.com/openshift/origin/pkg/client"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
@@ -127,7 +128,12 @@ func (o *NewProjectOptions) Run(useNodeSelector bool) error {
 		}
 	}
 
-	for _, binding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(o.ProjectName) {
+	for _, rbacBinding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(o.ProjectName) {
+		binding, err := authzregutil.RoleBindingFromRBAC(&rbacBinding)
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
 		addRole := &policy.RoleModificationOptions{
 			RoleName:            binding.RoleRef.Name,
 			RoleNamespace:       binding.RoleRef.Namespace,

diff --git a/pkg/project/registry/projectrequest/delegated/delegated.go b/pkg/project/registry/projectrequest/delegated/delegated.go
@@ -19,6 +19,7 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	restclient "k8s.io/client-go/rest"
 	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
 	rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
 	"k8s.io/kubernetes/pkg/client/retry"
 	"k8s.io/kubernetes/pkg/kubectl/resource"
@@ -133,7 +134,7 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti
 
 	// one of the items in this list should be the project.  We are going to locate it, remove it from the list, create it separately
 	var projectFromTemplate *projectapi.Project
-	var lastRoleBinding *authorizationapi.RoleBinding
+	lastRoleBindingName := ""
 	objectsToCreate := &kapi.List{}
 	for i := range list.Objects {
 		if templateProject, ok := list.Objects[i].(*projectapi.Project); ok {
@@ -142,9 +143,16 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti
 			continue
 		}
 
+		// Check for new RBAS RoleBinding first
+		if roleBinding, ok := list.Objects[i].(*rbac.RoleBinding); ok {
+			// keep track of the rolebinding, but still add it to the list
+			lastRoleBindingName = roleBinding.Name
+		}
+
+		// Then fallback to the legacy type in case an old template was loaded
 		if roleBinding, ok := list.Objects[i].(*authorizationapi.RoleBinding); ok {
 			// keep track of the rolebinding, but still add it to the list
-			lastRoleBinding = roleBinding
+			lastRoleBindingName = roleBinding.Name
 		}
 
 		objectsToCreate.Items = append(objectsToCreate.Items, list.Objects[i])
@@ -187,8 +195,8 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti
 	}
 
 	// wait for a rolebinding if we created one
-	if lastRoleBinding != nil {
-		r.waitForRoleBinding(createdProject.Name, lastRoleBinding.Name)
+	if lastRoleBindingName != "" {
+		r.waitForRoleBinding(createdProject.Name, lastRoleBindingName)
 	}
 
 	return r.openshiftClient.Projects().Get(createdProject.Name, metav1.GetOptions{})

diff --git a/pkg/project/registry/projectrequest/delegated/sample_template.go b/pkg/project/registry/projectrequest/delegated/sample_template.go
@@ -2,11 +2,10 @@ package delegated
 
 import (
 	"k8s.io/apimachinery/pkg/runtime"
-	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/v1beta1"
 
 	oapi "github.com/openshift/origin/pkg/api"
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	authorizationapiv1 "github.com/openshift/origin/pkg/authorization/apis/authorization/v1"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 	projectapi "github.com/openshift/origin/pkg/project/apis/project"
 	projectapiv1 "github.com/openshift/origin/pkg/project/apis/project/v1"
@@ -46,17 +45,14 @@ func DefaultTemplate() *templateapi.Template {
 
 	serviceAccountRoleBindings := bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(ns)
 	for i := range serviceAccountRoleBindings {
-		if err := templateapi.AddObjectsToTemplate(ret, []runtime.Object{&serviceAccountRoleBindings[i]}, authorizationapiv1.SchemeGroupVersion); err != nil {
+		if err := templateapi.AddObjectsToTemplate(ret, []runtime.Object{&serviceAccountRoleBindings[i]}, v1beta1.SchemeGroupVersion); err != nil {
 			panic(err)
 		}
 	}
 
-	binding := &authorizationapi.RoleBinding{}
-	binding.Name = bootstrappolicy.AdminRoleName
-	binding.Namespace = ns
-	binding.Subjects = []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "${" + ProjectAdminUserParam + "}"}}
-	binding.RoleRef.Name = bootstrappolicy.AdminRoleName
-	if err := templateapi.AddObjectsToTemplate(ret, []runtime.Object{binding}, authorizationapiv1.SchemeGroupVersion); err != nil {
+	binding := rbac.NewRoleBindingForClusterRole(bootstrappolicy.AdminRoleName, ns).Users("${" + ProjectAdminUserParam + "}").BindingOrDie()
+
+	if err := templateapi.AddObjectsToTemplate(ret, []runtime.Object{&binding}, v1beta1.SchemeGroupVersion); err != nil {
 		// this should never happen because we're tightly controlling what goes in.
 		panic(err)
 	}

diff --git a/test/testdata/bootstrappolicy/bootstrap_service_account_project_role_bindings.yaml b/test/testdata/bootstrappolicy/bootstrap_service_account_project_role_bindings.yaml
@@ -1,46 +1,45 @@
 apiVersion: v1
 items:
-- apiVersion: v1
-  groupNames:
-  - system:serviceaccounts:myproject
+- apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: RoleBinding
   metadata:
     creationTimestamp: null
     name: system:image-pullers
     namespace: myproject
   roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
     name: system:image-puller
   subjects:
-  - kind: SystemGroup
+  - kind: Group
     name: system:serviceaccounts:myproject
-  userNames: null
-- apiVersion: v1
-  groupNames: null
+- apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: RoleBinding
   metadata:
     creationTimestamp: null
     name: system:image-builders
     namespace: myproject
   roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
     name: system:image-builder
   subjects:
   - kind: ServiceAccount
     name: builder
-  userNames:
-  - system:serviceaccount:myproject:builder
-- apiVersion: v1
-  groupNames: null
+    namespace: myproject
+- apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: RoleBinding
   metadata:
     creationTimestamp: null
     name: system:deployers
     namespace: myproject
   roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
     name: system:deployer
   subjects:
   - kind: ServiceAccount
     name: deployer
-  userNames:
-  - system:serviceaccount:myproject:deployer
+    namespace: myproject
 kind: List
 metadata: {}