Move project creation to use RBAC objects #15973
Conversation
openshift-merge-robot
added
the
size/L
|
You ran a generate script that added junk to your commit. |
|
/test cmd |
simo5
force-pushed
the
newprjrbac
branch
2 times, most recently
from
2980e12
to
6ebdbe4
Compare
simo5
changed the title
simo5
force-pushed
the
newprjrbac
branch
2 times, most recently
from
c435189
to
222ab5d
Compare
|
@enj PTAL |
| for _, rbacBinding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(namespace.Name) { | ||
| binding, err := authzregutil.RoleBindingFromRBAC(&rbacBinding) | ||
| if err != nil { | ||
| glog.Errorf("Could not convert Role Bindning %v n the %q namespace: %v\n", rbacBinding.Name, namespace.Name, err) |
| @@ -142,9 +143,16 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti | |||
| continue | |||
| } | |||
|
|
|||
| // Check for new RBAS RoleBinding first | |||
|
nits, lgtm |
|
/approve |
openshift-merge-robot
added
the
approved
|
@liggitt fixed nits |
openshift-merge-robot
added
the
needs-rebase
| @@ -187,8 +195,8 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti | |||
| } | |||
|
|
|||
| // wait for a rolebinding if we created one | |||
| if lastRoleBinding != nil { | |||
| r.waitForRoleBinding(createdProject.Name, lastRoleBinding.Name) | |||
| if lastRoleBindingName != "" { | |||
There was a problem hiding this comment.
len(lastRoleBindingName) != 0 is the convention
| if lastRoleBinding != nil { | ||
| r.waitForRoleBinding(createdProject.Name, lastRoleBinding.Name) | ||
| if lastRoleBindingName != "" { | ||
| r.waitForRoleBinding(createdProject.Name, lastRoleBindingName) |
There was a problem hiding this comment.
Update waitForRoleBinding to use Get instead of List.
| @@ -142,9 +143,16 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti | |||
| continue | |||
| } | |||
|
|
|||
| // Check for new RBAC RoleBinding first | |||
| if roleBinding, ok := list.Objects[i].(*rbac.RoleBinding); ok { | |||
There was a problem hiding this comment.
Change this block to use a type switch since that what we are doing here with mutually exclusive if statements.
| @@ -31,6 +31,7 @@ import ( | |||
| "github.com/openshift/origin/pkg/api/v1" | |||
| "github.com/openshift/origin/pkg/authorization/authorizer" | |||
| authorizationinformer "github.com/openshift/origin/pkg/authorization/generated/informers/internalversion" | |||
| authzregutil "github.com/openshift/origin/pkg/authorization/registry/util" | |||
| for _, rbacBinding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(namespace.Name) { | ||
| binding, err := authzregutil.RoleBindingFromRBAC(&rbacBinding) | ||
| if err != nil { | ||
| glog.Errorf("Could not convert Role Binding %v n the %q namespace: %v\n", rbacBinding.Name, namespace.Name, err) |
There was a problem hiding this comment.
glog.Errorf("Could not convert Role Binding %s in the %q namespace: %v", rbacBinding.Name, namespace.Name, err)
pkg/oc/admin/project/new_project.go
Outdated
| for _, rbacBinding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(o.ProjectName) { | ||
| binding, err := authzregutil.RoleBindingFromRBAC(&rbacBinding) | ||
| if err != nil { | ||
| errs = append(errs, err) |
There was a problem hiding this comment.
fmt.Printf("Could not convert Role Binding %s in the %q namespace: %v\n", rbacBinding.Name, o.ProjectName, err)
pkg/oc/admin/project/new_project.go
Outdated
| @@ -14,6 +14,7 @@ import ( | |||
| kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" | |||
|
|
|||
| oapi "github.com/openshift/origin/pkg/api" | |||
| authzregutil "github.com/openshift/origin/pkg/authorization/registry/util" | |||
openshift-merge-robot
removed
the
needs-rebase
|
|
||
| return false, nil | ||
| _, err := r.roleBindings.RoleBindings(namespace).Get(name) | ||
| return (err == nil), nil |
There was a problem hiding this comment.
Why the redundant parentheses?
@liggitt there wasn't some archaic reason this was using list before right?
There was a problem hiding this comment.
maybe the lister we implemented for the virtual resources didn't implement Get?
| @@ -133,18 +133,18 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti | |||
|
|
|||
| // one of the items in this list should be the project. We are going to locate it, remove it from the list, create it separately | |||
| var projectFromTemplate *projectapi.Project | |||
| var lastRoleBinding *authorizationapi.RoleBinding | |||
| lastRoleBindingName := "" | |||
| objectsToCreate := &kapi.List{} | |||
| for i := range list.Objects { | |||
There was a problem hiding this comment.
for _, lobj := range list.Objects {
switch t := lobj.(type) {
case *projectapi.Project:
projectFromTemplate = t
// don't add this to the list to create. We'll create the project separately.
continue
case *rbac.RoleBinding:
lastRoleBindingName = t.Name
case *authorizationapi.RoleBinding:
lastRoleBindingName = t.Name
default:
// no-op we only skip creation of project
}
objectsToCreate.Items = append(objectsToCreate.Items, lobj)
}@liggitt any reason we were doing list.Objects[i] before? Also, do we want to error if we see more than one project in the template?
There was a problem hiding this comment.
@liggitt any reason we were doing list.Objects[i] before?
so we didn't have to reason about range variable reuse outside the loop
Also, do we want to error if we see more than one project in the template?
probably
There was a problem hiding this comment.
so we didn't have to reason about range variable reuse outside the loop
At worst it would only shadow a var outside the loop (I picked a unique name to avoid that as well)?
There was a problem hiding this comment.
at worst, you'd reuse a memory address and actually append the same item to the list of items to create N times
There was a problem hiding this comment.
at worst, you'd reuse a memory address and actually append the same item to the list of items to create N times
Ah you are correct, I always forget the "don't use range vars + append together".
for i := range list.Objects {
switch t := list.Objects[i].(type) {
case *projectapi.Project:
projectFromTemplate = t
// don't add this to the list to create. We'll create the project separately.
continue
case *rbac.RoleBinding:
lastRoleBindingName = t.Name
case *authorizationapi.RoleBinding:
lastRoleBindingName = t.Name
default:
// no-op we only skip creation of project
}
// use list.Objects[i] in append to avoid range memory address reuse
objectsToCreate.Items = append(objectsToCreate.Items, list.Objects[i])
}| for _, rbacBinding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(namespace.Name) { | ||
| binding, err := authorizationregistryutil.RoleBindingFromRBAC(&rbacBinding) | ||
| if err != nil { | ||
| glog.Errorf("Could not convert Role Binding %v n the %q namespace: %v\n", rbacBinding.Name, namespace.Name, err) |
|
/retest |
|
Still seeing this flake even if it has been closed #14575 |
|
/retest |
|
@simo5 clean up the type switch and have it fail on multiple projects. |
Also move Service Account Project Role Bindings to RBAC objects Signed-off-by: Simo Sorce <[email protected]>
|
@enj PTAL |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj, simo5 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
Automatic merge from submit-queue (batch tested with PRs 15885, 15973, 16000) |
Also move Service Account Project Role Bindings to RBAC objects
Fixes #15818
Fixes #15856