use the upstream RBAC roles for reconciliation #20638
Conversation
openshift-ci-robot
added
size/XXL
|
/retest |
deads2k
force-pushed
the
server-17-rbac-enable
branch
from
ac982da
to
004c02d
Compare
Which annotations is that? |
| @@ -127,7 +127,7 @@ const ( | |||
| NodeAdminRoleBindingName = NodeAdminRoleName + "s" | |||
| SDNReaderRoleBindingName = SDNReaderRoleName + "s" | |||
| WebHooksRoleBindingName = WebHooksRoleName + "s" | |||
| DiscoveryRoleBindingName = DiscoveryRoleName + "-binding" | |||
| DiscoveryRoleBindingName = DiscoveryRoleName | |||
There was a problem hiding this comment.
Drop this const and switch the code to use NewClusterBinding
| @@ -96,7 +96,7 @@ const ( | |||
| SDNManagerRoleName = "system:sdn-manager" | |||
| OAuthTokenDeleterRoleName = "system:oauth-token-deleter" | |||
| WebHooksRoleName = "system:webhook" | |||
| DiscoveryRoleName = "system:discovery" | |||
| DiscoveryRoleName = "system:openshift:discovery" | |||
There was a problem hiding this comment.
Drop the duplicate rules from this cluster role?
There was a problem hiding this comment.
Drop the duplicate rules from this cluster role?
That would affect the scope authorizer amongst other spots. This solves 90% of our problem. I'd live with extra rules we can transition at some later point.
|
Also does the |
system only and descriptions. |
Only if we're worried about re-use I think. Are we? |
deads2k
force-pushed
the
server-17-rbac-enable
branch
from
004c02d
to
fa149e8
Compare
|
Comments addressed. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
7 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
12 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test all |
This starts using the upstream RBAC post starthook for reconciliation of RBAC resources. We keep the duplication of the core upstream roles to provide webconsole annotations another release.