-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ClusterRole Aggregation #502
Comments
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ```
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ``` Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
@deads2k 👋 Please open a documentation PR and add a link to the tracking spreadsheet. Thanks in advance! |
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ``` Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ``` Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ``` Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ``` Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
@deads2k Is there a plan to add E2E tests for this feature? |
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ``` Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
@deads2k Bump for docs ☝️ /cc @idvoretskyi |
I can open a docs PR. cc @deads2k |
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ``` Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. aggregate cluster roles xref kubernetes/community#1219 kubernetes/enhancements#502 This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll I added ```yaml aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-admin: true ``` to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles. @kubernetes/sig-auth-pr-reviews ```release-note RBAC ClusterRoles can now select other roles to aggregate ``` Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@ericchiang @deads2k If so, can you please ensure the feature is up-to-date with the appropriate:
cc @idvoretskyi |
The feature has been remarkably stable. I'm ok promoting it as-is. @kubernetes/sig-auth-api-reviews opinions? |
IIRC all the bugs we saw were obvious (cluster failed to start) or wiring issues (incorrect upgrade). I do not think we had any issues in the actual controller that backs this feature. I am also unaware of any changes we need to make to the API. Thus I agree with @deads2k. /remove-lifecycle rotten |
@deads2k I saw your earlier reply about e2e tests for this feature. I am following up to see if and which of those tests should we promoted to the conformance test suite. Let me know if we already have coverage for this feature in Conformance suite As part of the process to increase conformance coverage, outlined by Conformance WG and Sig-Arch, we expect features going into stable/GA to have representation in Conformance suite. So your update on the same will help us evaluate this feature better. |
RBAC is not required for a cluster to be conformant, so no conformance tests require it. See discussion in kubernetes/kubernetes#62988 |
Thanks for the quick followup @liggitt |
@deads2k please fill out the appropriate line item of the |
Closing this as the feature is GA in 1.11. Please feel free to reopen if there is still a need to track this. |
Feature Description
The text was updated successfully, but these errors were encountered: