From 464b4d9c3858a91e3487a2d5537f030bd19d13d5 Mon Sep 17 00:00:00 2001
From: David Eads
Date: Tue, 31 Jul 2018 15:58:41 -0400
Subject: [PATCH] switch to external SARs
---
pkg/authorization/util/util.go | 16 +++++------
.../strategyrestrictions/admission.go | 28 +++++++++----------
.../strategyrestrictions/admission_test.go | 22 +++++++--------
.../controller/template.go | 1 +
pkg/image/apiserver/apiserver.go | 2 +-
.../registry/imagestream/etcd/etcd.go | 2 +-
.../registry/imagestream/etcd/etcd_test.go | 2 +-
.../registry/imagestream/strategy.go | 4 +--
.../registry/imagestream/strategy_test.go | 2 +-
.../registry/imagestreamimage/rest_test.go | 2 +-
.../registry/imagestreamimport/rest.go | 4 +--
.../registry/imagestreammapping/rest_test.go | 2 +-
.../registry/imagestreamtag/rest_test.go | 2 +-
pkg/project/apiserver/apiserver.go | 2 +-
.../projectrequest/delegated/delegated.go | 4 +--
pkg/route/apiserver/apiserver.go | 2 +-
.../apiserver/registry/route/strategy.go | 4 +--
.../apiserver/registry/route/strategy_test.go | 2 +-
pkg/template/apiserver/apiserver.go | 2 +-
.../registry/templateinstance/etcd/etcd.go | 4 +--
.../registry/templateinstance/strategy.go | 10 +++----
.../controller/templateinstance_controller.go | 17 ++++++-----
.../templateinstance_controller_test.go | 9 ++++--
23 files changed, 75 insertions(+), 70 deletions(-)
diff --git a/pkg/authorization/util/util.go b/pkg/authorization/util/util.go
index 0b15803e9120..03c2a68af425 100644
--- a/pkg/authorization/util/util.go
+++ b/pkg/authorization/util/util.go
@@ -3,24 +3,24 @@ package util import ( "errors" + authorizationv1 "k8s.io/api/authorization/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/kubernetes/pkg/apis/authorization" - "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" ) // AddUserToSAR adds the requisite user information to a SubjectAccessReview. // It returns the modified SubjectAccessReview. -func AddUserToSAR(user user.Info, sar *authorization.SubjectAccessReview) *authorization.SubjectAccessReview { +func AddUserToSAR(user user.Info, sar *authorizationv1.SubjectAccessReview) *authorizationv1.SubjectAccessReview { sar.Spec.User = user.GetName() // reminiscent of the bad old days of C. Copies copy the min number of elements of both source and dest sar.Spec.Groups = make([]string, len(user.GetGroups())) copy(sar.Spec.Groups, user.GetGroups()) - sar.Spec.Extra = map[string]authorization.ExtraValue{} + sar.Spec.Extra = map[string]authorizationv1.ExtraValue{} for k, v := range user.GetExtra() { - sar.Spec.Extra[k] = authorization.ExtraValue(v) + sar.Spec.Extra[k] = authorizationv1.ExtraValue(v) } return sar 
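Review bot: `AddUserToSAR` copies the user's name, groups and extra into the review but never sets `sar.Spec.UID`, so an authorizer that takes the UID into account would evaluate these requests with an empty one. The function now fills an `authorizationv1.SubjectAccessReviewSpec`, which has a `UID` field, so consider adding `sar.Spec.UID = user.GetUID()` next to the `sar.Spec.User` assignment. The function also overwrites whatever `Spec.Groups` and `Spec.Extra` the caller passed in and dereferences `sar` without a nil check. A sentence in the doc comment stating that the argument is mutated in place and must be non-nil would make that contract explicit.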
@@ -29,9 +29,9 @@ func AddUserToSAR(user user.Info, sar *authorization.SubjectAccessReview) *autho // Authorize verifies that a given user is permitted to carry out a given // action. If this cannot be determined, or if the user is not permitted, an // error is returned. -func Authorize(sarClient internalversion.SubjectAccessReviewInterface, user user.Info, resourceAttributes *authorization.ResourceAttributes) error { - sar := AddUserToSAR(user, &authorization.SubjectAccessReview{ - Spec: authorization.SubjectAccessReviewSpec{ +func Authorize(sarClient authorizationclient.SubjectAccessReviewInterface, user user.Info, resourceAttributes *authorizationv1.ResourceAttributes) error { + sar := AddUserToSAR(user, &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ ResourceAttributes: resourceAttributes, }, }) diff --git a/pkg/build/apiserver/admission/strategyrestrictions/admission.go b/pkg/build/apiserver/admission/strategyrestrictions/admission.go index a4071356cbf6..60e5e708d73b 100644 --- a/pkg/build/apiserver/admission/strategyrestrictions/admission.go +++ b/pkg/build/apiserver/admission/strategyrestrictions/admission.go 
@@ -5,16 +5,15 @@ import ( "io" "strings" + authorizationv1 "k8s.io/api/authorization/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apiserver/pkg/admission" + "k8s.io/client-go/kubernetes" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/client-go/rest" - "k8s.io/kubernetes/pkg/apis/authorization" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" - "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" - kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" rbacregistry "k8s.io/kubernetes/pkg/registry/rbac" "github.com/openshift/api/build" @@ -25,6 +24,7 @@ import ( "github.com/openshift/origin/pkg/build/buildscheme" oadmission "github.com/openshift/origin/pkg/cmd/server/admission" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" + "k8s.io/apiserver/pkg/admission/initializer" ) func Register(plugins *admission.Plugins) { @@ -40,7 +40,7 @@ type buildByStrategy struct { buildClient buildclient.Interface } -var _ = kubeadmission.WantsInternalKubeClientSet(&buildByStrategy{}) +var _ = initializer.WantsExternalKubeClientSet(&buildByStrategy{}) var _ = oadmission.WantsRESTClientConfig(&buildByStrategy{}) // NewBuildByStrategy returns an admission control for builds that checks @@ -86,8 +86,8 @@ func (a *buildByStrategy) Admit(attr admission.Attributes) error { } } -func (a *buildByStrategy) SetInternalKubeClientSet(c internalclientset.Interface) { - a.sarClient = c.Authorization().SubjectAccessReviews() +func (a *buildByStrategy) SetExternalKubeClientSet(c kubernetes.Interface) { + a.sarClient = c.AuthorizationV1().SubjectAccessReviews() } func (a *buildByStrategy) SetRESTClientConfig(restClientConfig rest.Config) { 
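Review bot: `sarClient` is now populated only through `SetExternalKubeClientSet`, and `checkAccess` (hunk at -220,7) calls `a.sarClient.Create` unconditionally, so an initializer chain that does not supply the external client set would leave a nil client on the authorization path. Whether `ValidateInitialization` rejects a nil `sarClient` is not visible in these hunks; if it does not, it should return an error for that case. The updated test (admission_test.go, hunk at -211,8) assigns `sarClient` and `buildClient` directly on the struct, so the setter is no longer exercised; `c.(initializer.WantsExternalKubeClientSet).SetExternalKubeClientSet(fakeKubeClient)` would keep that wiring under test. Separately, the new `"k8s.io/apiserver/pkg/admission/initializer"` import landed in the github.com/openshift group and belongs with the other k8s.io imports.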
@@ -146,9 +146,9 @@ func (a *buildByStrategy) checkBuildAuthorization(build *buildapi.Build, attr ad subresource = tokens[1] } - sar := util.AddUserToSAR(attr.GetUserInfo(), &authorization.SubjectAccessReview{ - Spec: authorization.SubjectAccessReviewSpec{ - ResourceAttributes: &authorization.ResourceAttributes{ + sar := util.AddUserToSAR(attr.GetUserInfo(), &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ + ResourceAttributes: &authorizationv1.ResourceAttributes{ Namespace: attr.GetNamespace(), Verb: "create", Group: resource.Group, @@ -174,9 +174,9 @@ func (a *buildByStrategy) checkBuildConfigAuthorization(buildConfig *buildapi.Bu subresource = tokens[1] } - sar := util.AddUserToSAR(attr.GetUserInfo(), &authorization.SubjectAccessReview{ - Spec: authorization.SubjectAccessReviewSpec{ - ResourceAttributes: &authorization.ResourceAttributes{ + sar := util.AddUserToSAR(attr.GetUserInfo(), &authorizationv1.SubjectAccessReview{ + Spec: authorizationv1.SubjectAccessReviewSpec{ + ResourceAttributes: &authorizationv1.ResourceAttributes{ Namespace: attr.GetNamespace(), Verb: "create", Group: resource.Group, @@ -220,7 +220,7 @@ func (a *buildByStrategy) checkBuildRequestAuthorization(req *buildapi.BuildRequ } } -func (a *buildByStrategy) checkAccess(strategy buildapi.BuildStrategy, subjectAccessReview *authorization.SubjectAccessReview, attr admission.Attributes) error { +func (a *buildByStrategy) checkAccess(strategy buildapi.BuildStrategy, subjectAccessReview *authorizationv1.SubjectAccessReview, attr admission.Attributes) error { resp, err := a.sarClient.Create(subjectAccessReview) if err != nil { return admission.NewForbidden(attr, err) diff --git a/pkg/build/apiserver/admission/strategyrestrictions/admission_test.go b/pkg/build/apiserver/admission/strategyrestrictions/admission_test.go index 079700d4ee77..8927b6bd6eb4 100644 --- a/pkg/build/apiserver/admission/strategyrestrictions/admission_test.go 
+++ b/pkg/build/apiserver/admission/strategyrestrictions/admission_test.go @@ -4,21 +4,19 @@ import ( "fmt" "testing" + authorizationv1 "k8s.io/api/authorization/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/authentication/user" + fakekubeclient "k8s.io/client-go/kubernetes/fake" clientgotesting "k8s.io/client-go/testing" - "k8s.io/kubernetes/pkg/apis/authorization" - fakekubeclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake" - kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" buildapiv1 "github.com/openshift/api/build/v1" fakebuildclient "github.com/openshift/client-go/build/clientset/versioned/fake" buildapi "github.com/openshift/origin/pkg/build/apis/build" - oadmission "github.com/openshift/origin/pkg/cmd/server/admission" "github.com/openshift/api/build" _ "github.com/openshift/origin/pkg/build/apis/build/install" @@ -33,7 +31,7 @@ func TestBuildAdmission(t *testing.T) { object runtime.Object oldObject runtime.Object responseObject runtime.Object - reviewResponse *authorization.SubjectAccessReview + reviewResponse *authorizationv1.SubjectAccessReview expectedResource string expectedSubresource string expectAccept bool @@ -179,7 +177,7 @@ func TestBuildAdmission(t *testing.T) { }, } - emptyResponse := &authorization.SubjectAccessReview{} + emptyResponse := &authorizationv1.SubjectAccessReview{} ops := []admission.Operation{admission.Create, admission.Update} for _, test := range tests { t.Run(test.name, func(t *testing.T) { 
@@ -191,7 +189,7 @@ func TestBuildAdmission(t *testing.T) { fakeKubeClient := fakekubeclient.NewSimpleClientset() fakeKubeClient.PrependReactor("create", "subjectaccessreviews", func(action clientgotesting.Action) (handled bool, ret runtime.Object, err error) { - review, ok := action.(clientgotesting.CreateAction).GetObject().(*authorization.SubjectAccessReview) + review, ok := action.(clientgotesting.CreateAction).GetObject().(*authorizationv1.SubjectAccessReview) if !ok { return true, emptyResponse, fmt.Errorf("unexpected object received: %#v", review) } @@ -211,8 +209,8 @@ func TestBuildAdmission(t *testing.T) { }) c := NewBuildByStrategy() - c.(kubeadmission.WantsInternalKubeClientSet).SetInternalKubeClientSet(fakeKubeClient) - c.(oadmission.WantsOpenshiftInternalBuildClient).SetOpenshiftInternalBuildClient(fakeBuildClient) + c.(*buildByStrategy).sarClient = fakeKubeClient.AuthorizationV1().SubjectAccessReviews() + c.(*buildByStrategy).buildClient = fakeBuildClient attrs := admission.NewAttributesRecord(test.object, test.oldObject, test.kind.WithVersion("version"), "foo", "test-build", test.resource.WithVersion("version"), test.subResource, op, fakeUser()) err := c.(admission.MutationInterface).Admit(attrs) if err != nil && test.expectAccept { @@ -298,9 +296,9 @@ func v1TestBuildConfig(strategy buildapiv1.BuildStrategy) *buildapiv1.BuildConfi } } -func reviewResponse(allowed bool, msg string) *authorization.SubjectAccessReview { - return &authorization.SubjectAccessReview{ - Status: authorization.SubjectAccessReviewStatus{ +func reviewResponse(allowed bool, msg string) *authorizationv1.SubjectAccessReview { + return &authorizationv1.SubjectAccessReview{ + Status: authorizationv1.SubjectAccessReviewStatus{ Allowed: allowed, Reason: msg, }, diff --git a/pkg/cmd/openshift-controller-manager/controller/template.go b/pkg/cmd/openshift-controller-manager/controller/template.go index e827eea8f74e..7e66cc9e2672 100644 
--- a/pkg/cmd/openshift-controller-manager/controller/template.go +++ b/pkg/cmd/openshift-controller-manager/controller/template.go @@ -21,6 +21,7 @@ func RunTemplateInstanceController(ctx ControllerContext) (bool, error) { go templatecontroller.NewTemplateInstanceController( ctx.RestMapper, dynamicClient, + ctx.ClientBuilder.ClientGoClientOrDie(saName).AuthorizationV1(), ctx.ClientBuilder.KubeInternalClientOrDie(saName), ctx.ClientBuilder.OpenshiftInternalBuildClientOrDie(saName), ctx.ClientBuilder.OpenshiftInternalTemplateClientOrDie(saName), diff --git a/pkg/image/apiserver/apiserver.go b/pkg/image/apiserver/apiserver.go index 7e2121e3e2a1..88a2c641c727 100644 --- a/pkg/image/apiserver/apiserver.go +++ b/pkg/image/apiserver/apiserver.go @@ -14,9 +14,9 @@ import ( knet "k8s.io/apimachinery/pkg/util/net" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" restclient "k8s.io/client-go/rest" "k8s.io/client-go/util/flowcontrol" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" coreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion" imageapiv1 "github.com/openshift/api/image/v1" diff --git a/pkg/image/apiserver/registry/imagestream/etcd/etcd.go b/pkg/image/apiserver/registry/imagestream/etcd/etcd.go index a7e173b54995..450b6195e5fc 100644 --- a/pkg/image/apiserver/registry/imagestream/etcd/etcd.go +++ b/pkg/image/apiserver/registry/imagestream/etcd/etcd.go 
@@ -10,7 +10,7 @@ import ( "k8s.io/apiserver/pkg/registry/generic/registry" "k8s.io/apiserver/pkg/registry/rest" "k8s.io/apiserver/pkg/storage" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/printers" printerstorage "k8s.io/kubernetes/pkg/printers/storage" diff --git a/pkg/image/apiserver/registry/imagestream/etcd/etcd_test.go b/pkg/image/apiserver/registry/imagestream/etcd/etcd_test.go index 2ea2fb502472..2f20da37a1f2 100644 --- a/pkg/image/apiserver/registry/imagestream/etcd/etcd_test.go +++ b/pkg/image/apiserver/registry/imagestream/etcd/etcd_test.go @@ -7,6 +7,7 @@ import ( "github.com/openshift/origin/pkg/image/apis/image/validation/fake" admfake "github.com/openshift/origin/pkg/image/apiserver/admission/fake" "github.com/openshift/origin/pkg/util/restoptions" + authorizationapi "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -16,7 +17,6 @@ import ( "k8s.io/apiserver/pkg/registry/rest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" // install all APIs diff --git a/pkg/image/apiserver/registry/imagestream/strategy.go b/pkg/image/apiserver/registry/imagestream/strategy.go index a248330da1e7..04a132fa296b 100644 --- a/pkg/image/apiserver/registry/imagestream/strategy.go +++ b/pkg/image/apiserver/registry/imagestream/strategy.go @@ -6,6 +6,7 @@ import ( "strings" "github.com/golang/glog" + authorizationapi "k8s.io/api/authorization/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" 
@@ -14,11 +15,10 @@ import ( "k8s.io/apiserver/pkg/authentication/user" apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/storage/names" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" authorizationutil "github.com/openshift/origin/pkg/authorization/util" imageapi "github.com/openshift/origin/pkg/image/apis/image" diff --git a/pkg/image/apiserver/registry/imagestream/strategy_test.go b/pkg/image/apiserver/registry/imagestream/strategy_test.go index 27dff1316927..ae0c5823fd25 100644 --- a/pkg/image/apiserver/registry/imagestream/strategy_test.go +++ b/pkg/image/apiserver/registry/imagestream/strategy_test.go @@ -9,6 +9,7 @@ import ( "strings" "testing" + authorizationapi "k8s.io/api/authorization/v1" kapierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -17,7 +18,6 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/authentication/user" apirequest "k8s.io/apiserver/pkg/endpoints/request" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" kquota "k8s.io/kubernetes/pkg/quota" diff --git a/pkg/image/apiserver/registry/imagestreamimage/rest_test.go b/pkg/image/apiserver/registry/imagestreamimage/rest_test.go index 74b3973c370e..75d307fe2242 100644 --- a/pkg/image/apiserver/registry/imagestreamimage/rest_test.go +++ b/pkg/image/apiserver/registry/imagestreamimage/rest_test.go 
@@ -6,6 +6,7 @@ import ( etcd "github.com/coreos/etcd/clientv3" "golang.org/x/net/context" + authorizationapi "k8s.io/api/authorization/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" @@ -13,7 +14,6 @@ import ( "k8s.io/apiserver/pkg/storage/etcd/etcdtest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" imagev1 "github.com/openshift/api/image/v1" imageapi "github.com/openshift/origin/pkg/image/apis/image" diff --git a/pkg/image/apiserver/registry/imagestreamimport/rest.go b/pkg/image/apiserver/registry/imagestreamimport/rest.go index 0276114f53f2..eee6d573e007 100644 --- a/pkg/image/apiserver/registry/imagestreamimport/rest.go +++ b/pkg/image/apiserver/registry/imagestreamimport/rest.go @@ -10,6 +10,7 @@ import ( "github.com/golang/glog" gocontext "golang.org/x/net/context" + authorizationapi "k8s.io/api/authorization/v1" corev1 "k8s.io/api/core/v1" kapierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -18,11 +19,10 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/registry/rest" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" "github.com/openshift/api/image" imageapiv1 "github.com/openshift/api/image/v1" diff --git a/pkg/image/apiserver/registry/imagestreammapping/rest_test.go b/pkg/image/apiserver/registry/imagestreammapping/rest_test.go index 9d03bb82cb9a..86c4e6eb9381 100644 
--- a/pkg/image/apiserver/registry/imagestreammapping/rest_test.go +++ b/pkg/image/apiserver/registry/imagestreammapping/rest_test.go @@ -11,6 +11,7 @@ import ( etcd "github.com/coreos/etcd/clientv3" "k8s.io/apiserver/pkg/registry/rest" + authorizationapi "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/api/errors" metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -22,7 +23,6 @@ import ( "k8s.io/apiserver/pkg/storage/etcd/etcdtest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" imagegroup "github.com/openshift/api/image" diff --git a/pkg/image/apiserver/registry/imagestreamtag/rest_test.go b/pkg/image/apiserver/registry/imagestreamtag/rest_test.go index 03f27d164edf..650ecd2104e3 100644 --- a/pkg/image/apiserver/registry/imagestreamtag/rest_test.go +++ b/pkg/image/apiserver/registry/imagestreamtag/rest_test.go @@ -9,6 +9,7 @@ import ( "golang.org/x/net/context" "k8s.io/apiserver/pkg/registry/rest" + authorizationapi "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -18,7 +19,6 @@ import ( "k8s.io/apiserver/pkg/storage/etcd/etcdtest" etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" imagev1 "github.com/openshift/api/image/v1" diff --git a/pkg/project/apiserver/apiserver.go b/pkg/project/apiserver/apiserver.go index 6d1b3b5338c8..ba2f29e0767d 100644 --- a/pkg/project/apiserver/apiserver.go +++ b/pkg/project/apiserver/apiserver.go 
@@ -12,9 +12,9 @@ import ( "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" restclient "k8s.io/client-go/rest" kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" projectapiv1 "github.com/openshift/api/project/v1" diff --git a/pkg/project/apiserver/registry/projectrequest/delegated/delegated.go b/pkg/project/apiserver/registry/projectrequest/delegated/delegated.go index e028d91e193b..d7228bc546b1 100644 --- a/pkg/project/apiserver/registry/projectrequest/delegated/delegated.go +++ b/pkg/project/apiserver/registry/projectrequest/delegated/delegated.go @@ -8,6 +8,7 @@ import ( "time" "github.com/golang/glog" + authorizationapi "k8s.io/api/authorization/v1" kapierror "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" metainternal "k8s.io/apimachinery/pkg/apis/meta/internalversion" @@ -21,11 +22,10 @@ import ( apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/registry/rest" "k8s.io/client-go/dynamic" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/client-go/util/retry" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" "k8s.io/kubernetes/pkg/apis/rbac" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion" "github.com/openshift/api/project" diff --git a/pkg/route/apiserver/apiserver.go b/pkg/route/apiserver/apiserver.go index 142080673940..3b3dfff186c2 100644 
--- a/pkg/route/apiserver/apiserver.go +++ b/pkg/route/apiserver/apiserver.go @@ -9,12 +9,12 @@ import ( "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" restclient "k8s.io/client-go/rest" routeapiv1 "github.com/openshift/api/route/v1" routeetcd "github.com/openshift/origin/pkg/route/apiserver/registry/route/etcd" routeallocationcontroller "github.com/openshift/origin/pkg/route/controller/allocation" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" ) type ExtraConfig struct { diff --git a/pkg/route/apiserver/registry/route/strategy.go b/pkg/route/apiserver/registry/route/strategy.go index e463c830f290..781ecbb8e3d2 100644 --- a/pkg/route/apiserver/registry/route/strategy.go +++ b/pkg/route/apiserver/registry/route/strategy.go @@ -4,14 +4,14 @@ import ( "context" "fmt" + authorizationapi "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/validation/field" apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/storage/names" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/api/legacyscheme" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" kvalidation "k8s.io/kubernetes/pkg/apis/core/validation" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" authorizationutil "github.com/openshift/origin/pkg/authorization/util" "github.com/openshift/origin/pkg/route" diff --git a/pkg/route/apiserver/registry/route/strategy_test.go b/pkg/route/apiserver/registry/route/strategy_test.go index d4764a926cce..866b702a82ad 100644 --- a/pkg/route/apiserver/registry/route/strategy_test.go +++ b/pkg/route/apiserver/registry/route/strategy_test.go 
@@ -4,12 +4,12 @@ import ( "reflect" "testing" + authorizationapi "k8s.io/api/authorization/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/authentication/user" apirequest "k8s.io/apiserver/pkg/endpoints/request" - authorizationapi "k8s.io/kubernetes/pkg/apis/authorization" routeapi "github.com/openshift/origin/pkg/route/apis/route" ) diff --git a/pkg/template/apiserver/apiserver.go b/pkg/template/apiserver/apiserver.go index 4a05427c74aa..736017448154 100644 --- a/pkg/template/apiserver/apiserver.go +++ b/pkg/template/apiserver/apiserver.go @@ -8,8 +8,8 @@ import ( "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" restclient "k8s.io/client-go/rest" - authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" templateapiv1 "github.com/openshift/api/template/v1" brokertemplateinstanceetcd "github.com/openshift/origin/pkg/template/apiserver/registry/brokertemplateinstance/etcd" diff --git a/pkg/template/apiserver/registry/templateinstance/etcd/etcd.go b/pkg/template/apiserver/registry/templateinstance/etcd/etcd.go index e9afa24dbd04..9930727dd585 100644 --- a/pkg/template/apiserver/registry/templateinstance/etcd/etcd.go +++ b/pkg/template/apiserver/registry/templateinstance/etcd/etcd.go @@ -8,7 +8,7 @@ import ( "k8s.io/apiserver/pkg/registry/generic" "k8s.io/apiserver/pkg/registry/generic/registry" "k8s.io/apiserver/pkg/registry/rest" - authorizationinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/printers" printerstorage "k8s.io/kubernetes/pkg/printers/storage" 
@@ -27,7 +27,7 @@ type REST struct { var _ rest.StandardStorage = &REST{} // NewREST returns a RESTStorage object that will work against templateinstances. -func NewREST(optsGetter restoptions.Getter, authorizationClient authorizationinternalversion.AuthorizationInterface) (*REST, *StatusREST, error) { +func NewREST(optsGetter restoptions.Getter, authorizationClient authorizationclient.AuthorizationV1Interface) (*REST, *StatusREST, error) { strategy := templateinstance.NewStrategy(authorizationClient) store := ®istry.Store{ diff --git a/pkg/template/apiserver/registry/templateinstance/strategy.go b/pkg/template/apiserver/registry/templateinstance/strategy.go index afa998ada0ff..cea497f8af0a 100644 --- a/pkg/template/apiserver/registry/templateinstance/strategy.go +++ b/pkg/template/apiserver/registry/templateinstance/strategy.go @@ -4,6 +4,7 @@ import ( "context" "errors" + authorizationv1 "k8s.io/api/authorization/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" kutilerrors "k8s.io/apimachinery/pkg/util/errors" @@ -11,10 +12,9 @@ import ( "k8s.io/apiserver/pkg/authentication/user" apirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/storage/names" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/kubernetes/pkg/api/legacyscheme" - "k8s.io/kubernetes/pkg/apis/authorization" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" - authorizationinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion" rbacregistry "k8s.io/kubernetes/pkg/registry/rbac" "github.com/openshift/origin/pkg/authorization/util" 
@@ -26,10 +26,10 @@ import ( type templateInstanceStrategy struct { runtime.ObjectTyper names.NameGenerator - authorizationClient authorizationinternalversion.AuthorizationInterface + authorizationClient authorizationclient.AuthorizationV1Interface } -func NewStrategy(authorizationClient authorizationinternalversion.AuthorizationInterface) *templateInstanceStrategy { +func NewStrategy(authorizationClient authorizationclient.AuthorizationV1Interface) *templateInstanceStrategy { return &templateInstanceStrategy{legacyscheme.Scheme, names.SimpleNameGenerator, authorizationClient} } @@ -146,7 +146,7 @@ func (s *templateInstanceStrategy) validateImpersonation(templateInstance *templ } if templateInstance.Spec.Requester.Username != userinfo.GetName() { - if err := util.Authorize(s.authorizationClient.SubjectAccessReviews(), userinfo, &authorization.ResourceAttributes{ + if err := util.Authorize(s.authorizationClient.SubjectAccessReviews(), userinfo, &authorizationv1.ResourceAttributes{ Namespace: templateInstance.Namespace, Verb: "assign", Group: templateapi.GroupName, diff --git a/pkg/template/controller/templateinstance_controller.go b/pkg/template/controller/templateinstance_controller.go index 02a545be65eb..8d47728c2293 100644 --- a/pkg/template/controller/templateinstance_controller.go +++ b/pkg/template/controller/templateinstance_controller.go @@ -6,6 +6,7 @@ import ( "strings" "time" + authorizationv1 "k8s.io/api/authorization/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" 
@@ -16,9 +17,9 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/client-go/dynamic" + authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1" "k8s.io/client-go/tools/cache" "k8s.io/client-go/util/workqueue" - "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" "k8s.io/utils/clock" @@ -55,7 +56,8 @@ type TemplateInstanceController struct { // status of the last build. buildClient buildclient.Interface - kc kclientsetinternal.Interface + sarClient authorizationclient.SubjectAccessReviewsGetter + kc kclientsetinternal.Interface lister templatelister.TemplateInstanceLister informer cache.SharedIndexInformer @@ -68,10 +70,11 @@ type TemplateInstanceController struct { } // NewTemplateInstanceController returns a new TemplateInstanceController. -func NewTemplateInstanceController(dynamicRestMapper meta.RESTMapper, dynamicClient dynamic.Interface, kc kclientsetinternal.Interface, buildClient buildclient.Interface, templateClient templateclient.Interface, informer internalversion.TemplateInstanceInformer) *TemplateInstanceController { +func NewTemplateInstanceController(dynamicRestMapper meta.RESTMapper, dynamicClient dynamic.Interface, sarClient authorizationclient.SubjectAccessReviewsGetter, kc kclientsetinternal.Interface, buildClient buildclient.Interface, templateClient templateclient.Interface, informer internalversion.TemplateInstanceInformer) *TemplateInstanceController { c := &TemplateInstanceController{ dynamicRestMapper: dynamicRestMapper, dynamicClient: dynamicClient, + sarClient: sarClient, kc: kc, templateClient: templateClient, buildClient: buildClient, 
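Review bot: The new `sarClient` field and constructor parameter are undocumented, and `NewTemplateInstanceController` stores the value without checking it, while the later hunks of this file call `c.sarClient.SubjectAccessReviews()` in front of every `util.Authorize` check. A field comment such as `// sarClient submits the SubjectAccessReviews used to authorize actions taken for a template instance.` would record why the controller carries it alongside `kc`. A nil `sarClient` would surface only as a panic at the first authorization check, so consider failing early in the constructor or stating in its doc comment that the argument must be non-nil. The struct and the constructor body both continue outside these hunks.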
@@ -215,7 +218,7 @@ func (c *TemplateInstanceController) checkReadiness(templateInstance *templateap return false, err } - if err = util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{ + if err = util.Authorize(c.sarClient.SubjectAccessReviews(), u, &authorizationv1.ResourceAttributes{ Namespace: object.Ref.Namespace, Verb: "get", Group: mapping.Resource.Group, @@ -345,7 +348,7 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T var secret *kapi.Secret if templateInstance.Spec.Secret != nil { - if err := util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{ + if err := util.Authorize(c.sarClient.SubjectAccessReviews(), u, &authorizationv1.ResourceAttributes{ Namespace: templateInstance.Namespace, Verb: "get", Group: kapi.GroupName, @@ -374,7 +377,7 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T } } - if err := util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{ + if err := util.Authorize(c.sarClient.SubjectAccessReviews(), u, &authorizationv1.ResourceAttributes{ Namespace: templateInstance.Namespace, Verb: "create", Group: templateapi.GroupName, @@ -424,7 +427,7 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T continue } - if err := util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{ + if err := util.Authorize(c.sarClient.SubjectAccessReviews(), u, &authorizationv1.ResourceAttributes{ Namespace: namespace, Verb: "create", Group: restMapping.Resource.Group, diff --git a/pkg/template/controller/templateinstance_controller_test.go b/pkg/template/controller/templateinstance_controller_test.go index 15ba26ee9422..fb3c8a060203 100644 --- a/pkg/template/controller/templateinstance_controller_test.go +++ b/pkg/template/controller/templateinstance_controller_test.go 
@@ -8,15 +8,16 @@ import ( "testing" "time" + authorizationv1 "k8s.io/api/authorization/v1" batchv1 "k8s.io/api/batch/v1" "k8s.io/apimachinery/pkg/api/meta/testrestmapper" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/client-go/dynamic" + clientgofake "k8s.io/client-go/kubernetes/fake" "k8s.io/client-go/rest" clientgotesting "k8s.io/client-go/testing" "k8s.io/kubernetes/pkg/api/legacyscheme" - "k8s.io/kubernetes/pkg/apis/authorization" kapi "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake" "k8s.io/utils/clock" @@ -80,14 +81,16 @@ func TestControllerCheckReadiness(t *testing.T) { // fakeclient, respond "allowed" to any subjectaccessreview fakeclientset := &fake.Clientset{} + sarClient := clientgofake.NewSimpleClientset() c := &TemplateInstanceController{ dynamicRestMapper: testrestmapper.TestOnlyStaticRESTMapper(legacyscheme.Scheme, legacyscheme.Scheme.PrioritizedVersionsAllGroups()...), + sarClient: sarClient.AuthorizationV1(), kc: fakeclientset, clock: clock, dynamicClient: client, } - fakeclientset.AddReactor("create", "subjectaccessreviews", func(action clientgotesting.Action) (handled bool, ret runtime.Object, err error) { - return true, &authorization.SubjectAccessReview{Status: authorization.SubjectAccessReviewStatus{Allowed: true}}, nil + sarClient.PrependReactor("create", "subjectaccessreviews", func(action clientgotesting.Action) (handled bool, ret runtime.Object, err error) { + return true, &authorizationv1.SubjectAccessReview{Status: authorizationv1.SubjectAccessReviewStatus{Allowed: true}}, nil }) templateInstance := &templateapi.TemplateInstance{
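Review bot: The comment `// fakeclient, respond "allowed" to any subjectaccessreview` still sits above `fakeclientset`, but after this change the reactor is registered on `sarClient` and `fakeclientset` no longer answers SubjectAccessReviews. Move it to the `sarClient := clientgofake.NewSimpleClientset()` line, for example as `// sarClient responds "allowed" to any subjectaccessreview`. The visible part of the test covers only the allowed response; a case where the reactor returns `Allowed: false` would confirm that the readiness check fails closed when the review is denied. The test function continues outside this hunk, so such a case may already exist.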