Merge pull request #13996 from mfojtik/fix-owner-ref

Merged by openshift-bot
openshift · May 22, 2017 · dc33c36 · dc33c36
2 parents a666b7c + c3d4af7
commit dc33c36
Show file tree

Hide file tree

Showing 21 changed files with 970 additions and 466 deletions.
diff --git a/pkg/authorization/authorizer/subjects_test.go b/pkg/authorization/authorizer/subjects_test.go
@@ -35,10 +35,21 @@ func TestSubjects(t *testing.T) {
 			Resource:        "pods",
 		},
 		expectedUsers: sets.NewString("Anna", "ClusterAdmin", "Ellen", "Valerie",
-			"system:serviceaccount:adze:second", "system:serviceaccount:foo:default", "system:serviceaccount:other:first",
-			"system:serviceaccount:kube-system:deployment-controller", "system:serviceaccount:kube-system:endpoint-controller", "system:serviceaccount:kube-system:generic-garbage-collector",
-			"system:serviceaccount:kube-system:namespace-controller", "system:serviceaccount:kube-system:persistent-volume-binder", "system:serviceaccount:kube-system:statefulset-controller",
-			"system:admin", "system:kube-scheduler"),
+			"system:serviceaccount:adze:second",
+			"system:serviceaccount:foo:default",
+			"system:serviceaccount:other:first",
+			"system:serviceaccount:kube-system:deployment-controller",
+			"system:serviceaccount:kube-system:endpoint-controller",
+			"system:serviceaccount:kube-system:generic-garbage-collector",
+			"system:serviceaccount:kube-system:namespace-controller",
+			"system:serviceaccount:kube-system:persistent-volume-binder",
+			"system:serviceaccount:kube-system:statefulset-controller",
+			"system:admin",
+			"system:kube-scheduler",
+			"system:serviceaccount:openshift-infra:build-controller",
+			"system:serviceaccount:openshift-infra:deployer-controller",
+			"system:serviceaccount:openshift-infra:deploymentconfig-controller",
+		),
 		expectedGroups: sets.NewString("RootUsers", "system:cluster-admins", "system:cluster-readers", "system:masters", "system:nodes"),
 	}
 	test.clusterPolicies = newDefaultClusterPolicies()

diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go
@@ -0,0 +1,106 @@
+package bootstrappolicy
+
+import (
+	"strings"
+
+	"github.com/golang/glog"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	rbac "k8s.io/kubernetes/pkg/apis/rbac"
+)
+
+const saRolePrefix = "system:openshift:controller:"
+
+var (
+	// controllerRoles is a slice of roles used for controllers
+	controllerRoles = []rbac.ClusterRole{}
+	// controllerRoleBindings is a slice of roles used for controllers
+	controllerRoleBindings = []rbac.ClusterRoleBinding{}
+)
+
+func addControllerRole(role rbac.ClusterRole) {
+	if !strings.HasPrefix(role.Name, saRolePrefix) {
+		glog.Fatalf(`role %q must start with %q`, role.Name, saRolePrefix)
+	}
+
+	for _, existingRole := range controllerRoles {
+		if role.Name == existingRole.Name {
+			glog.Fatalf("role %q was already registered", role.Name)
+		}
+	}
+
+	if role.Annotations == nil {
+		role.Annotations = map[string]string{}
+	}
+	role.Annotations[roleSystemOnly] = roleIsSystemOnly
+
+	controllerRoles = append(controllerRoles, role)
+
+	controllerRoleBindings = append(controllerRoleBindings,
+		rbac.NewClusterBinding(role.Name).SAs(DefaultOpenShiftInfraNamespace, role.Name[len(saRolePrefix):]).BindingOrDie())
+}
+
+func eventsRule() rbac.PolicyRule {
+	return rbac.NewRule("create", "update", "patch").Groups(kapiGroup).Resources("events").RuleOrDie()
+}
+
+func init() {
+	// build-controller
+	addControllerRole(rbac.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraBuildControllerServiceAccountName},
+		Rules: []rbac.PolicyRule{
+			rbac.NewRule("get", "list", "watch", "update", "delete").Groups(buildGroup, legacyBuildGroup).Resources("builds").RuleOrDie(),
+			rbac.NewRule("get").Groups(buildGroup, legacyBuildGroup).Resources("buildconfigs").RuleOrDie(),
+			rbac.NewRule("create").Groups(buildGroup, legacyBuildGroup).Resources("builds/docker", "builds/source", "builds/custom", "builds/jenkinspipeline").RuleOrDie(),
+			rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams").RuleOrDie(),
+			rbac.NewRule("get", "list", "create", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(),
+			rbac.NewRule("get").Groups(kapiGroup).Resources("namespaces").RuleOrDie(),
+			eventsRule(),
+		},
+	})
+
+	// deployer-controller
+	addControllerRole(rbac.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeployerControllerServiceAccountName},
+		Rules: []rbac.PolicyRule{
+			rbac.NewRule("create", "get", "list", "watch", "patch", "delete").Groups(kapiGroup).Resources("pods").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "update").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(),
+			eventsRule(),
+		},
+	})
+
+	// deploymentconfig-controller
+	addControllerRole(rbac.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeploymentConfigControllerServiceAccountName},
+		Rules: []rbac.PolicyRule{
+			rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("pods").RuleOrDie(),
+			rbac.NewRule("create", "get", "list", "watch", "update", "delete").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(),
+			rbac.NewRule("update").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs/status").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(),
+			eventsRule(),
+		},
+	})
+
+	// deployment-trigger-controller
+	addControllerRole(rbac.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraDeploymentTriggerControllerServiceAccountName},
+		Rules: []rbac.PolicyRule{
+			rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("replicationcontrollers").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(imageGroup, legacyImageGroup).Resources("imagestreams").RuleOrDie(),
+
+			rbac.NewRule("create").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs/instantiate").RuleOrDie(),
+			eventsRule(),
+		},
+	})
+}
+
+// ControllerRoles returns the cluster roles used by controllers
+func ControllerRoles() []rbac.ClusterRole {
+	return controllerRoles
+}
+
+// ControllerRoleBindings returns the role bindings used by controllers
+func ControllerRoleBindings() []rbac.ClusterRoleBinding {
+	return controllerRoleBindings
+}
diff --git a/pkg/cmd/server/bootstrappolicy/dead.go b/pkg/cmd/server/bootstrappolicy/dead.go
@@ -46,4 +46,10 @@ func init() {
 	addDeadClusterRole("system:gc-controller")
 	addDeadClusterRole("system:certificate-signing-controller")
 	addDeadClusterRole("system:statefulset-controller")
+
+	// these were moved under system:openshift:controller:*
+	addDeadClusterRole("system:build-controller")
+	addDeadClusterRole("system:deploymentconfig-controller")
+	addDeadClusterRole("system:deployment-controller")
+
 }
diff --git a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
@@ -17,20 +17,18 @@ import (
 	buildapi "github.com/openshift/origin/pkg/build/api"
 	deployapi "github.com/openshift/origin/pkg/deploy/api"
 	imageapi "github.com/openshift/origin/pkg/image/api"
+
+	// we need the conversions registered for our init block
+	_ "github.com/openshift/origin/pkg/authorization/api/install"
 )
 
 const (
-	InfraBuildControllerServiceAccountName = "build-controller"
-	BuildControllerRoleName                = "system:build-controller"
-
-	InfraImageTriggerControllerServiceAccountName = "imagetrigger-controller"
-	ImageTriggerControllerRoleName                = "system:imagetrigger-controller"
-
-	InfraDeploymentConfigControllerServiceAccountName = "deploymentconfig-controller"
-	DeploymentConfigControllerRoleName                = "system:deploymentconfig-controller"
-
-	InfraDeploymentControllerServiceAccountName = "deployment-controller"
-	DeploymentControllerRoleName                = "system:deployment-controller"
+	InfraBuildControllerServiceAccountName             = "build-controller"
+	InfraImageTriggerControllerServiceAccountName      = "imagetrigger-controller"
+	ImageTriggerControllerRoleName                     = "system:imagetrigger-controller"
+	InfraDeploymentConfigControllerServiceAccountName  = "deploymentconfig-controller"
+	InfraDeploymentTriggerControllerServiceAccountName = "deployment-trigger-controller"
+	InfraDeployerControllerServiceAccountName          = "deployer-controller"
 
 	InfraPersistentVolumeBinderControllerServiceAccountName = "pv-binder-controller"
 	PersistentVolumeBinderControllerRoleName                = "system:pv-binder-controller"
@@ -127,58 +125,11 @@ func (r *InfraServiceAccounts) AllRoles() []authorizationapi.ClusterRole {
 }
 
 func init() {
+	var err error
+
 	InfraSAs.serviceAccounts = sets.String{}
 	InfraSAs.saToRole = map[string]authorizationapi.ClusterRole{}
 
-	var err error
-	err = InfraSAs.addServiceAccount(
-		InfraBuildControllerServiceAccountName,
-		authorizationapi.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: BuildControllerRoleName,
-			},
-			Rules: []authorizationapi.PolicyRule{
-				// BuildControllerFactory.buildLW
-				// BuildControllerFactory.buildDeleteLW
-				{
-					Verbs:     sets.NewString("get", "list", "watch"),
-					Resources: sets.NewString("builds"),
-				},
-				// BuildController.BuildUpdater (OSClientBuildClient)
-				{
-					Verbs:     sets.NewString("update"),
-					Resources: sets.NewString("builds"),
-				},
-				// Create permission on virtual build type resources allows builds of those types to be updated
-				{
-					Verbs:     sets.NewString("create"),
-					Resources: sets.NewString("builds/docker", "builds/source", "builds/custom", "builds/jenkinspipeline"),
-					APIGroups: []string{buildapi.GroupName, buildapi.LegacyGroupName},
-				},
-				// BuildController.ImageStreamClient (ControllerClient)
-				{
-					Verbs:     sets.NewString("get"),
-					Resources: sets.NewString("imagestreams"),
-				},
-				// BuildController.PodManager (ControllerClient)
-				// BuildDeleteController.PodManager (ControllerClient)
-				// BuildControllerFactory.buildDeleteLW
-				{
-					Verbs:     sets.NewString("get", "list", "create", "delete"),
-					Resources: sets.NewString("pods"),
-				},
-				// BuildController.Recorder (EventBroadcaster)
-				{
-					Verbs:     sets.NewString("create", "update", "patch"),
-					Resources: sets.NewString("events"),
-				},
-			},
-		},
-	)
-	if err != nil {
-		panic(err)
-	}
-
 	err = InfraSAs.addServiceAccount(
 		InfraImageTriggerControllerServiceAccountName,
 		authorizationapi.ClusterRole{
@@ -230,81 +181,6 @@ func init() {
 		panic(err)
 	}
 
-	err = InfraSAs.addServiceAccount(
-		InfraDeploymentConfigControllerServiceAccountName,
-		authorizationapi.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: DeploymentConfigControllerRoleName,
-			},
-			Rules: []authorizationapi.PolicyRule{
-				// DeploymentControllerFactory.deploymentLW
-				{
-					Verbs:     sets.NewString("list", "watch"),
-					Resources: sets.NewString("replicationcontrollers"),
-				},
-				// DeploymentControllerFactory.deploymentClient
-				{
-					Verbs:     sets.NewString("get", "update"),
-					Resources: sets.NewString("replicationcontrollers"),
-				},
-				// DeploymentController.podClient
-				{
-					Verbs:     sets.NewString("get", "list", "create", "watch", "delete", "update"),
-					Resources: sets.NewString("pods"),
-				},
-				// DeploymentController.recorder (EventBroadcaster)
-				{
-					Verbs:     sets.NewString("create", "update", "patch"),
-					Resources: sets.NewString("events"),
-				},
-			},
-		},
-	)
-	if err != nil {
-		panic(err)
-	}
-
-	err = InfraSAs.addServiceAccount(
-		InfraDeploymentControllerServiceAccountName,
-		authorizationapi.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: DeploymentControllerRoleName,
-			},
-			Rules: []authorizationapi.PolicyRule{
-				{
-					APIGroups: []string{extensions.GroupName},
-					Verbs:     sets.NewString("get", "list", "watch", "update"),
-					Resources: sets.NewString("deployments"),
-				},
-				{
-					APIGroups: []string{extensions.GroupName},
-					Verbs:     sets.NewString("update"),
-					Resources: sets.NewString("deployments/status"),
-				},
-				{
-					APIGroups: []string{extensions.GroupName},
-					Verbs:     sets.NewString("list", "watch", "get", "create", "patch", "update", "delete"),
-					Resources: sets.NewString("replicasets"),
-				},
-				{
-					APIGroups: []string{""},
-					// TODO: remove "update" once
-					// https://github.com/kubernetes/kubernetes/issues/36897 is resolved.
-					Verbs:     sets.NewString("get", "list", "watch", "update"),
-					Resources: sets.NewString("pods"),
-				},
-				{
-					APIGroups: []string{""},
-					Verbs:     sets.NewString("create", "update", "patch"),
-					Resources: sets.NewString("events"),
-				},
-			},
-		},
-	)
-	if err != nil {
-		panic(err)
-	}
-
 	err = InfraSAs.addServiceAccount(
 		InfraPersistentVolumeRecyclerControllerServiceAccountName,
 		authorizationapi.ClusterRole{

diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -959,6 +959,11 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 	if err != nil {
 		panic(err)
 	}
+	openshiftControllerRoles, err := GetOpenshiftControllerBootstrapClusterRoles()
+	// coder error
+	if err != nil {
+		panic(err)
+	}
 
 	// Eventually openshift controllers and kube controllers have different prefixes
 	// so we will only need to check conflicts on the "normal" cluster roles
@@ -990,6 +995,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 	finalClusterRoles := []authorizationapi.ClusterRole{}
 	finalClusterRoles = append(finalClusterRoles, openshiftClusterRoles...)
 	finalClusterRoles = append(finalClusterRoles, openshiftSAClusterRoles...)
+	finalClusterRoles = append(finalClusterRoles, openshiftControllerRoles...)
 	finalClusterRoles = append(finalClusterRoles, kubeSAClusterRoles...)
 	for i := range kubeClusterRoles {
 		if !clusterRoleConflicts.Has(kubeClusterRoles[i].Name) {
@@ -1189,7 +1195,12 @@ func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding {
 	if err != nil {
 		panic(err)
 	}
-	kubeSAClusterRoleBindings, err := GetKubeControllerBootstrapClusterRoleBindings()
+	kubeControllerClusterRoleBindings, err := GetKubeControllerBootstrapClusterRoleBindings()
+	// coder error
+	if err != nil {
+		panic(err)
+	}
+	openshiftControllerClusterRoleBindings, err := GetOpenshiftControllerBootstrapClusterRoleBindings()
 	// coder error
 	if err != nil {
 		panic(err)
@@ -1220,7 +1231,8 @@ func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding {
 
 	finalClusterRoleBindings := []authorizationapi.ClusterRoleBinding{}
 	finalClusterRoleBindings = append(finalClusterRoleBindings, openshiftClusterRoleBindings...)
-	finalClusterRoleBindings = append(finalClusterRoleBindings, kubeSAClusterRoleBindings...)
+	finalClusterRoleBindings = append(finalClusterRoleBindings, kubeControllerClusterRoleBindings...)
+	finalClusterRoleBindings = append(finalClusterRoleBindings, openshiftControllerClusterRoleBindings...)
 	for i := range kubeClusterRoleBindings {
 		if !clusterRoleBindingConflicts.Has(kubeClusterRoleBindings[i].Name) {
 			finalClusterRoleBindings = append(finalClusterRoleBindings, kubeClusterRoleBindings[i])
@@ -1263,6 +1275,10 @@ func GetKubeControllerBootstrapClusterRoleBindings() ([]authorizationapi.Cluster
 	return convertClusterRoleBindings(bootstrappolicy.ControllerRoleBindings())
 }
 
+func GetOpenshiftControllerBootstrapClusterRoleBindings() ([]authorizationapi.ClusterRoleBinding, error) {
+	return convertClusterRoleBindings(ControllerRoleBindings())
+}
+
 func convertClusterRoleBindings(in []rbac.ClusterRoleBinding) ([]authorizationapi.ClusterRoleBinding, error) {
 	out := []authorizationapi.ClusterRoleBinding{}
 	errs := []error{}
@@ -1287,6 +1303,10 @@ func GetKubeControllerBootstrapClusterRoles() ([]authorizationapi.ClusterRole, e
 	return convertClusterRoles(bootstrappolicy.ControllerRoles())
 }
 
+func GetOpenshiftControllerBootstrapClusterRoles() ([]authorizationapi.ClusterRole, error) {
+	return convertClusterRoles(ControllerRoles())
+}
+
 func convertClusterRoles(in []rbac.ClusterRole) ([]authorizationapi.ClusterRole, error) {
 	out := []authorizationapi.ClusterRole{}
 	errs := []error{}