github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
60,963 Commits 1 Branch 31 Tags 1,019 MiB
92bb4caaea
Commit Graph

44 Commits

Author SHA1 Message Date
Jeff Grafton
efee0704c6 Autogenerate BUILD files 2017-12-23 13:12:11 -08:00
David Eads
a53e5de3db generated 2017-11-13 08:18:00 -05:00
David Eads
0f0a5223df rbac api changes for aggregation 2017-11-13 08:14:37 -05:00
Dr. Stefan Schimanski
bec617f3cc Update generated files 2017-11-09 12:14:08 +01:00
Dr. Stefan Schimanski
012b085ac8 pkg/apis/core: mechanical import fixes in dependencies 2017-11-09 12:14:08 +01:00
Jeff Grafton
aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Jeff Grafton
a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton
33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Mike Danese
a05c3c0efd autogenerated 2017-04-14 10:40:57 -07:00
Jordan Liggitt
2a76fa1c8f
Switch RBAC subject apiVersion to apiGroup in v1beta1 2017-02-13 15:33:09 -05:00
deads2k
c6fd6941a1 move pkg/api/validation/path to apimachinery 2017-01-27 08:49:29 -05:00
Clayton Coleman
9009c1ac14
generated: informer,client 2017-01-23 17:52:47 -05:00
Clayton Coleman
469df12038
refactor: move ListOptions references to metav1 2017-01-23 17:52:46 -05:00
Clayton Coleman
9a2a50cda7
refactor: use metav1.ObjectMeta in other types 2017-01-17 16:17:19 -05:00
Clayton Coleman
36acd90aba
Move APIs and core code to use metav1.ObjectMeta 2017-01-17 16:17:18 -05:00
Dr. Stefan Schimanski
4a1d507756 Update bazel 2017-01-11 18:53:24 +01:00
Dr. Stefan Schimanski
cf60bec396 Split out server side code from pkg/apis/rbac/validation 2017-01-11 18:31:58 +01:00
deads2k
6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
Jeff Grafton
20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
Jordan Liggitt
b8c2ad6d42
Deprecate RBAC UserAll, convert v1alpha1 User * rolebindings to Group system:authenticated 2017-01-04 17:11:16 -05:00
deads2k
ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
Dr. Stefan Schimanski
87dd990bb7 Move pkg/api.{Context,RequestContextMapper} into pkg/genericapiserver/api/request 2017-01-03 14:57:33 +01:00
Mike Danese
161c391f44 autogenerated 2016-12-29 13:04:10 -08:00
Mike Danese
c87de85347 autoupdate BUILD files 2016-12-12 13:30:07 -08:00
deads2k
252d8b7066 add rbac action to subjects type 2016-11-08 07:47:11 -05:00
Mike Danese
3b6a067afc autogenerated 2016-10-21 17:32:32 -07:00
deads2k
ceaf026881 slim down authorization listing interfaces 2016-10-13 07:50:01 -04:00
deads2k
1943d256d2 make rbac authorizer use rule comparison, not covers 2016-09-16 15:53:42 -04:00
deads2k
8c788233e7 change rbac roleref type 2016-09-09 09:55:51 -04:00
Kubernetes Submit Queue
bf9a62035d Merge pull request #31289 from deads2k/remove-cast-utilities 
Automatic merge from submit-queue

remove cast utilities from rbac

Casting functions like these are a source of pain in OpenShift.  We should eliminate them to avoid drift problems like we've had downstream.

@kubernetes/sig-auth 

@ericchiang ptal
 2016-09-08 08:23:01 -07:00
deads2k
da32d31aac remove cast utilities from rbac 2016-08-30 09:55:34 -04:00
Kris
e87edf9bd5 Split path validation into a separate library 2016-08-26 08:05:20 -07:00
Kubernetes Submit Queue
16454277aa Merge pull request #29930 from ericchiang/rbac-validation-dont-mix-non-resource-urls-and-resources 
Automatic merge from submit-queue

rbac validation: rules can't combine non-resource URLs and regular resources

This PR updates the validation used for RBAC to prevent rules from mixing non-resource URLs and regular resources.

For example the following is no longer valid

```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admins
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
    nonResourceURLs: ["*"]
```

And must be rewritten as so.

```yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admins
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
``` 

It also:
* Mandates non-zero length arrays for required resources.
* Mandates non-resource URLs only be used for ClusterRoles (not namespaced Roles).
* Updates the swagger validation so `verbs` are the only required field in a rule. Further validation is done by the server.

Also, do we need to bump the API version?

Discussed by @erictune and @liggitt  in #28304

Updates kubernetes/features#2

cc @kubernetes/sig-auth 

Edit:
* Need to update the RBAC docs if this change goes in.
 2016-08-04 04:52:51 -07:00
Eric Chiang
93947663d9 RBAC: don't allow rules to mix non-resource URLs and resources 2016-08-02 13:33:34 -07:00
lixiaobing10051267
be8d081539 Check all places to break the loop when object found 2016-07-23 13:49:04 +08:00
albatross0
d1b14e2fae Fix RBAC authorizer of ServiceAccount 
RBAC authorizer assigns a role to a wrong service account.
 2016-07-21 01:50:08 +09:00
Eric Chiang
addc4b166c rbac authorizer: support non-resource urls with stars ("/apis/*") 2016-07-12 10:01:53 -07:00
Eric Chiang
411922f66c rbac authorizer: include verb in non-resource url requests 2016-07-12 10:01:53 -07:00
David McMahon
ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
Eric Chiang
d13e351028 add unit and integration tests for rbac authorizer 2016-06-14 11:07:48 -07:00
Eric Chiang
88119903e5 pkg/apis/rbac: make apiversion optional for subjects and fix validation 2016-06-13 15:02:48 -07:00
Eric Chiang
e3604e2590 add validation to rbac group and apply small cleanups 2016-05-25 14:19:04 -07:00
Tim Hockin
152c86ab06 Make name validators return string slices 2016-05-18 00:48:01 -07:00
Eric Chiang
6a1f46895e pkg/apis: rbac types added 2016-05-11 12:01:06 +02:00