Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ClusterRole Aggregation #502

Closed
deads2k opened this issue Oct 27, 2017 · 16 comments
Closed

ClusterRole Aggregation #502

deads2k opened this issue Oct 27, 2017 · 16 comments
Assignees
Labels
do-not-merge/docs kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Milestone

Comments

@deads2k
Copy link
Contributor

deads2k commented Oct 27, 2017

Feature Description

  • Add a way for API extenders to add permissions to existing roles
  • Primary contact (assignee): @deads2k
  • Responsible SIGs: @kubernetes/sig-auth-feature-requests
  • Design proposal link (community repo): add clusterrole aggregation doc community#1219
  • Reviewer(s) - @liggitt @ericchiang
  • Approver (likely from SIG/area to which feature belongs): @liggitt
  • Feature target (which target equals to which milestone):
    • Beta release target (x.y): 1.9
    • Stable release target (x.y): 1.11
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. kind/feature Categorizes issue or PR as related to a new feature. labels Oct 27, 2017
@liggitt liggitt added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Nov 11, 2017
@liggitt liggitt added this to the v1.9 milestone Nov 13, 2017
@liggitt liggitt added the stage/beta Denotes an issue tracking an enhancement targeted for Beta status label Nov 13, 2017
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Nov 14, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll 


I added 
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews 

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```
sttts pushed a commit to sttts/api that referenced this issue Nov 14, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
@zacharysarah
Copy link
Contributor

@deads2k 👋 Please open a documentation PR and add a link to the tracking spreadsheet. Thanks in advance!

sttts pushed a commit to sttts/api that referenced this issue Nov 27, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
sttts pushed a commit to sttts/api that referenced this issue Nov 28, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
sttts pushed a commit to sttts/api that referenced this issue Nov 28, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
sttts pushed a commit to sttts/api that referenced this issue Nov 28, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
@lookuptable
Copy link

@deads2k Is there a plan to add E2E tests for this feature?

sttts pushed a commit to sttts/api that referenced this issue Nov 28, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
@zacharysarah
Copy link
Contributor

@deads2k Bump for docs ☝️

/cc @idvoretskyi

@ericchiang
Copy link
Contributor

I can open a docs PR. cc @deads2k

k8s-publishing-bot pushed a commit to k8s-publishing-bot/api that referenced this issue Nov 29, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
@deads2k
Copy link
Contributor Author

deads2k commented Nov 29, 2017

I can open a docs PR. cc @deads2k

Thanks. I forgot that I gave detail usage in the community pull and didn't open the corresponding website one.

@deads2k Is there a plan to add E2E tests for this feature?

We use this feature to bootstrap the cluster, so it is tested in every e2e run already.

k8s-publishing-bot pushed a commit to k8s-publishing-bot/api that referenced this issue Dec 7, 2017
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 27, 2018
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Mar 29, 2018
@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 29, 2018
@justaugustus
Copy link
Member

@ericchiang @deads2k
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

@deads2k
Copy link
Contributor Author

deads2k commented Apr 17, 2018

The feature has been remarkably stable. I'm ok promoting it as-is.

@kubernetes/sig-auth-api-reviews opinions?

@k8s-ci-robot k8s-ci-robot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Apr 17, 2018
@enj
Copy link
Member

enj commented Apr 17, 2018

IIRC all the bugs we saw were obvious (cluster failed to start) or wiring issues (incorrect upgrade). I do not think we had any issues in the actual controller that backs this feature. I am also unaware of any changes we need to make to the API. Thus I agree with @deads2k.

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Apr 17, 2018
@justaugustus justaugustus modified the milestones: v1.9, v1.11 Apr 17, 2018
@justaugustus
Copy link
Member

Updated the milestone. Thanks for the feedback, @deads2k + @enj!

@justaugustus justaugustus added stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed stage/beta Denotes an issue tracking an enhancement targeted for Beta status labels Apr 29, 2018
@AishSundar
Copy link

@deads2k I saw your earlier reply about e2e tests for this feature. I am following up to see if and which of those tests should we promoted to the conformance test suite. Let me know if we already have coverage for this feature in Conformance suite

As part of the process to increase conformance coverage, outlined by Conformance WG and Sig-Arch, we expect features going into stable/GA to have representation in Conformance suite. So your update on the same will help us evaluate this feature better.

@liggitt
Copy link
Member

liggitt commented May 23, 2018

Let me know if we already have coverage for this feature in Conformance suite

RBAC is not required for a cluster to be conformant, so no conformance tests require it. See discussion in kubernetes/kubernetes#62988

@AishSundar
Copy link

Thanks for the quick followup @liggitt

@mdlinville
Copy link

@deads2k please fill out the appropriate line item of the
1.11 feature tracking spreadsheet
and open a placeholder docs PR against the
release-1.11 branch
by 5/25/2018 (tomorrow as I write this) if new docs or docs changes are
needed and a relevant PR has not yet been opened.

@justaugustus
Copy link
Member

Closing this as the feature is GA in 1.11. Please feel free to reopen if there is still a need to track this.
/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
do-not-merge/docs kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Projects
None yet
Development

No branches or pull requests