[WIP] oc create clusterrole: new command

[php-coder]

Add a new command oc create clusterrole that takes role name, list of actions, list of resources and creates a new cluster role.

Example:

$ oc create clusterrole dockerbuilder --verbs create --resources builds/docker
clusterrole "dockerbuilder" created
$ oc get clusterrole dockerbuilder -o yaml
apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: 2016-11-16T18:06:28Z
  name: dockerbuilder
  resourceVersion: "42371"
  selfLink: /oapi/v1/clusterroles/dockerbuilder4
  uid: 65470a15-ac27-11e6-8811-080027242396
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - builds/docker
  verbs:
  - create

Fixes #3804

TODO:

• rename to oc create clusterrole
• validate the actions and resources
• add --force option
• don't assume "" api group
• add example
• PR with the equivalent command upstream for rbac clusterroles
• add tests

[php-coder]

@csrwng @deads2k Cesar, David, is this what you had in mind?

[liggitt]

name the options and flags to match the API object fields? (verbs, resources, api-groups, etc)?

[php-coder]

Fixed. I named it "actions" because such name were used in the original issue.

[liggitt]

are we happy not ever allowing commas in verbs or resources?

[deads2k]

are we happy not ever allowing commas in verbs or resources?

I'm fine with that.

[liggitt]

don't assume "" api group

[liggitt]

we'll likely need to express distinct verb/resource pairings ("create a role that lets me get,list,watch pods and create,update,delete,list,watch replicasets")

[deads2k]

we'll likely need to express distinct verb/resource pairings ("create a role that lets me get,list,watch pods and create,update,delete,list,watch replicasets")

I'd like to have set commands to handle that sort of thing as well. That would make the need to handle distinct tuples in a single command less important.

[php-coder]

I'm not understand yet for what this field is used and which values it accepts. Will investigate it..

[liggitt]

this should go under the create subtree, not the policy subtree

[deads2k]

this should go under the create subtree, not the policy subtree

I agree. I'd also like to see a pull with the equivalent command upstream for rbac clusterroles.

[php-coder]

I don't see "create" subtree in oadm command. I see only commands with prefix "create-" in the "Configuration" subtree. Did you mean this section?

[liggitt]

it's under oc create

[deads2k]

I don't see "create" subtree in oadm command. I see only commands with prefix "create-" in the "Configuration" subtree. Did you mean this section?

oc create clusterrole is appropriate since its an API resource.

[csrwng]

Based on comments in the original issue, it's also desirable to validate the actions and resources passed in. @deads2k is that possible?

[deads2k]

Based on comments in the original issue, it's also desirable to validate the actions and resources passed in. @deads2k is that possible?

I'd like to see them linted, possibly with a --force for "I know what I'm doing, just make it!". All lowercase, known verbs, maybe matches discovery for some resource plus a whitelist. We want to avoid dumb typos.

[csrwng]

Is there a place that we can get a list of known verbs or resources from?

[deads2k]

Is there a place that we can get a list of known verbs or resources from?

For resources you can see the discovery doc. For verbs, you could start a "well-known" set upstream.

[liggitt]

resources from discovery, if the server's up (though that won't include virtual resources like builds/jenkinspipeline or imagestreams/layers)

nothing in discovery for verbs yet (and even if there is eventually, it won't include verbs like impersonate and use)

[openshift-bot]

Origin Action Required: Pull request cannot be automatically merged, please rebase your branch from latest HEAD and push again

[php-coder]

I'm closing this in favor of kubernetes/kubernetes#41538 that will be available after next rebase to the next version of Kubernetes.