Move project creation to use RBAC objects

pkg/cmd/server/bootstrappolicy/policy.go

@@ -913,6 +913,12 @@ func newOriginRoleBinding(bindingName, roleName, namespace string) *rbac.RoleBin
 	return builder
 }
 
+func newOriginRoleBindingForClusterRole(bindingName, roleName, namespace string) *rbac.RoleBindingBuilder {
+	builder := rbac.NewRoleBindingForClusterRole(roleName, namespace)
+	builder.RoleBinding.Name = bindingName
+	return builder
+}
+
 func newOriginClusterBinding(bindingName, roleName string) *rbac.ClusterRoleBindingBuilder {
 	builder := rbac.NewClusterBinding(roleName)
 	builder.ClusterRoleBinding.Name = bindingName

pkg/cmd/server/bootstrappolicy/project_policy.go

@@ -1,44 +1,20 @@
 package bootstrappolicy
 
 import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
-	kapi "k8s.io/kubernetes/pkg/api"
-
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
+	"k8s.io/kubernetes/pkg/apis/rbac"
 )
 
-func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []authorizationapi.RoleBinding {
-	return []authorizationapi.RoleBinding{
-		{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      ImagePullerRoleBindingName,
-				Namespace: namespace,
-			},
-			RoleRef: kapi.ObjectReference{
-				Name: ImagePullerRoleName,
-			},
-			Subjects: []kapi.ObjectReference{{Kind: authorizationapi.SystemGroupKind, Name: serviceaccount.MakeNamespaceGroupName(namespace)}},
-		},
-		{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      ImageBuilderRoleBindingName,
-				Namespace: namespace,
-			},
-			RoleRef: kapi.ObjectReference{
-				Name: ImageBuilderRoleName,
-			},
-			Subjects: []kapi.ObjectReference{{Kind: authorizationapi.ServiceAccountKind, Name: BuilderServiceAccountName}},
-		},
-		{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      DeployerRoleBindingName,
-				Namespace: namespace,
-			},
-			RoleRef: kapi.ObjectReference{
-				Name: DeployerRoleName,
-			},
-			Subjects: []kapi.ObjectReference{{Kind: authorizationapi.ServiceAccountKind, Name: DeployerServiceAccountName}},
-		},
+func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []rbac.RoleBinding {
+	return []rbac.RoleBinding{
+		newOriginRoleBindingForClusterRole(ImagePullerRoleBindingName, ImagePullerRoleName, namespace).
+			Groups(serviceaccount.MakeNamespaceGroupName(namespace)).
+			BindingOrDie(),
+		newOriginRoleBindingForClusterRole(ImageBuilderRoleBindingName, ImageBuilderRoleName, namespace).
+			SAs(namespace, BuilderServiceAccountName).
+			BindingOrDie(),
+		newOriginRoleBindingForClusterRole(DeployerRoleBindingName, DeployerRoleName, namespace).
+			SAs(namespace, DeployerServiceAccountName).
+			BindingOrDie(),
 	}
 }

pkg/cmd/server/origin/openshift_apiserver.go

@@ -31,6 +31,7 @@ import (
 	"github.com/openshift/origin/pkg/api/v1"
 	"github.com/openshift/origin/pkg/authorization/authorizer"
 	authorizationinformer "github.com/openshift/origin/pkg/authorization/generated/informers/internalversion"
+	authorizationregistryutil "github.com/openshift/origin/pkg/authorization/registry/util"
 	buildapiserver "github.com/openshift/origin/pkg/build/apiserver"
 	osclient "github.com/openshift/origin/pkg/client"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
@@ -625,15 +626,21 @@ func EnsureNamespaceServiceAccountRoleBindings(kubeClientInternal kclientsetinte
 	}
 
 	hasErrors := false
-	for _, binding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(namespace.Name) {
+	for _, rbacBinding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(namespace.Name) {
+		binding, err := authorizationregistryutil.RoleBindingFromRBAC(&rbacBinding)
+		if err != nil {
+			glog.Errorf("Could not convert Role Binding %s in the %q namespace: %v\n", rbacBinding.Name, namespace.Name, err)
+			hasErrors = true
+			continue
+		}
 		addRole := &policy.RoleModificationOptions{
 			RoleName:            binding.RoleRef.Name,
 			RoleNamespace:       binding.RoleRef.Namespace,
 			RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace.Name, deprecatedOpenshiftClient),
 			Subjects:            binding.Subjects,
 		}
 		if err := retry.RetryOnConflict(retry.DefaultRetry, func() error { return addRole.AddRole() }); err != nil {
-			glog.Errorf("Could not add service accounts to the %v role in the %q namespace: %v\n", binding.RoleRef.Name, namespace.Name, err)
+			glog.Errorf("Could not add service accounts to the %s role in the %q namespace: %v\n", binding.RoleRef.Name, namespace.Name, err)
 			hasErrors = true
 		}
 	}

pkg/oc/admin/project/new_project.go

@@ -14,6 +14,7 @@ import (
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 
 	oapi "github.com/openshift/origin/pkg/api"
+	authorizationregistryutil "github.com/openshift/origin/pkg/authorization/registry/util"
 	"github.com/openshift/origin/pkg/client"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
@@ -127,7 +128,13 @@ func (o *NewProjectOptions) Run(useNodeSelector bool) error {
 		}
 	}
 
-	for _, binding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(o.ProjectName) {
+	for _, rbacBinding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(o.ProjectName) {
+		binding, err := authorizationregistryutil.RoleBindingFromRBAC(&rbacBinding)
+		if err != nil {
+			fmt.Printf("Could not convert Role Binding %s in the %q namespace: %v\n", rbacBinding.Name, o.ProjectName, err)
+			errs = append(errs, err)
+			continue
+		}
 		addRole := &policy.RoleModificationOptions{
 			RoleName:            binding.RoleRef.Name,
 			RoleNamespace:       binding.RoleRef.Namespace,

pkg/project/registry/projectrequest/delegated/delegated.go

@@ -10,7 +10,6 @@ import (
 	kapierror "k8s.io/apimachinery/pkg/api/errors"
 	metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -19,6 +18,7 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	restclient "k8s.io/client-go/rest"
 	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
 	rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
 	"k8s.io/kubernetes/pkg/client/retry"
 	"k8s.io/kubernetes/pkg/kubectl/resource"
@@ -133,20 +133,26 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti
 
 	// one of the items in this list should be the project.  We are going to locate it, remove it from the list, create it separately
 	var projectFromTemplate *projectapi.Project
-	var lastRoleBinding *authorizationapi.RoleBinding
+	lastRoleBindingName := ""
 	objectsToCreate := &kapi.List{}
 	for i := range list.Objects {
-		if templateProject, ok := list.Objects[i].(*projectapi.Project); ok {
-			projectFromTemplate = templateProject
+		switch t := list.Objects[i].(type) {
+		case *projectapi.Project:
+			if projectFromTemplate != nil {
+				return nil, kapierror.NewInternalError(fmt.Errorf("the project template (%s/%s) is not correctly configured: must contain only one project resource", r.templateNamespace, r.templateName))
+			}
+			projectFromTemplate = t
 			// don't add this to the list to create.  We'll create the project separately.
 			continue
+		case *rbac.RoleBinding:
+			lastRoleBindingName = t.Name
+		case *authorizationapi.RoleBinding:
+			lastRoleBindingName = t.Name
+		default:
+			// noop, we care only for special handling projects and roles
 		}
 
-		if roleBinding, ok := list.Objects[i].(*authorizationapi.RoleBinding); ok {
-			// keep track of the rolebinding, but still add it to the list
-			lastRoleBinding = roleBinding
-		}
-
+		// use list.Objects[i] in append to avoid range memory address reuse
 		objectsToCreate.Items = append(objectsToCreate.Items, list.Objects[i])
 	}
 	if projectFromTemplate == nil {
@@ -187,8 +193,8 @@ func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, includeUniniti
 	}
 
 	// wait for a rolebinding if we created one
-	if lastRoleBinding != nil {
-		r.waitForRoleBinding(createdProject.Name, lastRoleBinding.Name)
+	if len(lastRoleBindingName) != 0 {
+		r.waitForRoleBinding(createdProject.Name, lastRoleBindingName)
 	}
 
 	return r.openshiftClient.Projects().Get(createdProject.Name, metav1.GetOptions{})
@@ -201,14 +207,8 @@ func (r *REST) waitForRoleBinding(namespace, name string) {
 	backoff := retry.DefaultBackoff
 	backoff.Steps = 6 // this effectively waits for 6-ish seconds
 	err := wait.ExponentialBackoff(backoff, func() (bool, error) {
-		roleBindings, _ := r.roleBindings.RoleBindings(namespace).List(labels.Everything())
-		for _, roleBinding := range roleBindings {
-			if roleBinding.Name == name {
-				return true, nil
-			}
-		}
-
-		return false, nil
+		_, err := r.roleBindings.RoleBindings(namespace).Get(name)
+		return err == nil, nil
 	})
 
 	if err != nil {

pkg/project/registry/projectrequest/delegated/sample_template.go

@@ -2,11 +2,10 @@ package delegated
 
 import (
 	"k8s.io/apimachinery/pkg/runtime"
-	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/rbac"
+	"k8s.io/kubernetes/pkg/apis/rbac/v1beta1"
 
 	oapi "github.com/openshift/origin/pkg/api"
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	authorizationapiv1 "github.com/openshift/origin/pkg/authorization/apis/authorization/v1"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 	projectapi "github.com/openshift/origin/pkg/project/apis/project"
 	projectapiv1 "github.com/openshift/origin/pkg/project/apis/project/v1"
@@ -46,17 +45,14 @@ func DefaultTemplate() *templateapi.Template {
 
 	serviceAccountRoleBindings := bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(ns)
 	for i := range serviceAccountRoleBindings {
-		if err := templateapi.AddObjectsToTemplate(ret, []runtime.Object{&serviceAccountRoleBindings[i]}, authorizationapiv1.SchemeGroupVersion); err != nil {
+		if err := templateapi.AddObjectsToTemplate(ret, []runtime.Object{&serviceAccountRoleBindings[i]}, v1beta1.SchemeGroupVersion); err != nil {
 			panic(err)
 		}
 	}
 
-	binding := &authorizationapi.RoleBinding{}
-	binding.Name = bootstrappolicy.AdminRoleName
-	binding.Namespace = ns
-	binding.Subjects = []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "${" + ProjectAdminUserParam + "}"}}
-	binding.RoleRef.Name = bootstrappolicy.AdminRoleName
-	if err := templateapi.AddObjectsToTemplate(ret, []runtime.Object{binding}, authorizationapiv1.SchemeGroupVersion); err != nil {
+	binding := rbac.NewRoleBindingForClusterRole(bootstrappolicy.AdminRoleName, ns).Users("${" + ProjectAdminUserParam + "}").BindingOrDie()
+
+	if err := templateapi.AddObjectsToTemplate(ret, []runtime.Object{&binding}, v1beta1.SchemeGroupVersion); err != nil {
 		// this should never happen because we're tightly controlling what goes in.
 		panic(err)
 	}

test/testdata/bootstrappolicy/bootstrap_service_account_project_role_bindings.yaml

@@ -1,46 +1,45 @@
 apiVersion: v1
 items:
-- apiVersion: v1
-  groupNames:
-  - system:serviceaccounts:myproject
+- apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: RoleBinding
   metadata:
     creationTimestamp: null
     name: system:image-pullers
     namespace: myproject
   roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
     name: system:image-puller
   subjects:
-  - kind: SystemGroup
+  - kind: Group
     name: system:serviceaccounts:myproject
-  userNames: null
-- apiVersion: v1
-  groupNames: null
+- apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: RoleBinding
   metadata:
     creationTimestamp: null
     name: system:image-builders
     namespace: myproject
   roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
     name: system:image-builder
   subjects:
   - kind: ServiceAccount
     name: builder
-  userNames:
-  - system:serviceaccount:myproject:builder
-- apiVersion: v1
-  groupNames: null
+    namespace: myproject
+- apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: RoleBinding
   metadata:
     creationTimestamp: null
     name: system:deployers
     namespace: myproject
   roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
     name: system:deployer
   subjects:
   - kind: ServiceAccount
     name: deployer
-  userNames:
-  - system:serviceaccount:myproject:deployer
+    namespace: myproject
 kind: List
 metadata: {}