Origin to/from Kube conversions for SAR #13156
Automatic merge from submit-queue

Migrate to Kubernetes RBAC

Trello xref: https://trello.com/c/n3bR3Ys9

Fixes #12303
Fixes #13549
Fixes #13432
Fixes #15338
Fixes #14168
Fixes #10056

Need to investigate:
- [x] ...

Dependencies:
- [x] Prerequisite #15342
- [x] Requires openshift/openshift-ansible/pull/4933 @sdodson
- [x] Blocked on openshift/openshift-ansible/issues/4967
- [x] Prerequisite kubernetes/kubernetes#50639

Followups:
- [ ] #15412
- [ ] #13316
- [ ] #13156
- [ ] #13430
- [ ] Should delete with proxy return details?
- [ ] Make project creation use RBAC instead of proxy endpoints?
- [ ] Remove policy objects from bootstrap roles
- [ ] Check if delegated_test.go can be revived
- [ ] Check to see if the deleted unit tests are reflected upstream and fix gaps
- [ ] Open issue to remove `openshiftSubjectLocator`
- [ ] Open issue to revisit forbidden message maker
- [ ] Update upstream `subject_locator_test` with origin's extensive testing
- [ ] Fix proxied create: `_ bool is includeUnintialized, which we should really be passing through to the underlying API... it's odd there's not a CreateOptions parameter to Create`
- [ ] Fix proxied update: `if initializers use Update() to initialize objects (which I think they do), we may need to pass GetOptions{IncludeUninitialized: true} here...`
- [ ] Fix panics() in Convert...OrDie() functions
- [ ] glog.Fatal on post start hook error
- [ ] Remove `TestPolicyCache`?
- [ ] Use discovery API based gating?
- [ ] upstream rules have always required a group. followup issue to remove getAPIGroupLegacy from `pkg/authorization/authorizer/scope/converter.go`
- [ ] issue to remove "normalizeResources" from `pkg/cmd/server/bootstrappolicy/policy.go`
- [ ] issue to find callers of `clusterpolicyregistry "github.com/openshift/origin/pkg/authorization/registry/clusterpolicy"` and move to point of use
- [ ] issue to switch our encoding to rbac in `pkg/cmd/server/admin/create_bootstrappolicy_file.go`
- [ ] Exercise proxied endpoints
- [ ] hack/test-cmd.sh of gated overwrite bootstrap policy
- [ ] Delete unused legacy policy registry code
- [ ] Make RBAC discovery rule authoritative `pkg/authorization/apis/authorization/types.go`
- [ ] Fix `ignoreError` in `pkg/oc/admin/router/router.go`
- [ ] Confirm changes to `TestAuthorizationResolution` and `TestAuthorizationResourceAccessReview` in `test/integration/authorization_test.go`

Done:
- Store ClusterRoles as native RBAC Objects via Kubernetes.
- Provides backwards compatible API for the old policy based roles.
- Use Kubernetes authorizer

TODO:
- [x] Delete policy end points
- [x] Decide what to do with overwrite policy
- [x] Remove or gate `oc create policybinding`
- [x] Move new impersonation code to `pkg/auth/client/impersonate.go`
- [x] Remove any unnecessary conversions
- [x] Review new `proxy.go` files
- [x] Remove reason logic `allowed by rule in ...`
- [x] Add interface assertion to proxy files
- [x] Confirm we need `pkg/authorization/util/convert/convert.go`
- [x] Confirm we need to expose some of the private conversion functions
- [x] Add protect/autoupdate annotation conversion to general conversion functions
- [x] ~~Support watch on proxied endpoints~~
- [x] Cherry pick kubernetes/kubernetes#49868 -> #15721
- [x] Fix upstream commits
- [x] Restore and version gate `NewCmdMigrateAuthorization`
- [x] ~~Wrap other errors in proxy files?~~ Remove all error wrapping
- [x] Make `NewImpersonatingRBACFromContext` more generic
- [x] Kube authorizer's reason on deny contains evaluation errors - do we want to preserve those?
- [x] Review `ImpersonatingRESTClient` in `pkg/auth/client/impersonate.go`
- [ ] Review `pkg/project/auth/cache.go` and `pkg/project/auth/cache_test.go`
- [ ] Review `pkg/authorization/authorizer/scope/converter_test.go`
- [ ] Review `k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/request.go`
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting. If this issue is safe to close now please do so with /lifecycle stale

Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting. If this issue is safe to close now please do so with /lifecycle rotten

Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
For example, origin SAR scopes can be translated to kube SAR extras.
Full round trip conversion may not be possible.
xref: #13128
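An added illustration of the one-way conversion the issue describes (example code written for this page, not origin's converter or the Kubernetes API types): origin SAR scopes are folded into a kube SAR extra attribute, and converting back recovers the scopes but drops any other extras, which is why a full round trip cannot be guaranteed. The struct shapes, the sample review and the extra key `scopes.authorization.openshift.io` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed, simplified shapes modelled loosely on the two SubjectAccessReview
// (SAR) APIs; they are not the real origin or Kubernetes types and omit most fields.
type OriginSAR struct {
	User      string
	Groups    []string
	Scopes    []string // origin-only: OAuth scopes that narrow what the token may do
	Verb      string
	Resource  string
	Namespace string
}

type KubeSAR struct {
	User      string
	Groups    []string
	Extra     map[string][]string // free-form extra attributes of the subject
	Verb      string
	Resource  string
	Namespace string
}

// Assumed extra key under which origin scopes travel in a kube SAR; a real
// converter would use the project's own constant for this.
const scopesExtraKey = "scopes.authorization.openshift.io"

// OriginToKube is lossless: every origin field has a home in the kube SAR,
// with scopes carried as one entry of the Extra map.
func OriginToKube(o OriginSAR) KubeSAR {
	k := KubeSAR{User: o.User, Groups: append([]string(nil), o.Groups...),
		Extra: map[string][]string{}, Verb: o.Verb, Resource: o.Resource, Namespace: o.Namespace}
	if len(o.Scopes) > 0 {
		k.Extra[scopesExtraKey] = append([]string(nil), o.Scopes...)
	}
	return k
}

// KubeToOrigin is lossy: only the scopes entry of Extra is representable.
// It returns the converted review together with the extra keys it had to drop.
func KubeToOrigin(k KubeSAR) (OriginSAR, []string) {
	o := OriginSAR{User: k.User, Groups: append([]string(nil), k.Groups...),
		Verb: k.Verb, Resource: k.Resource, Namespace: k.Namespace}
	var dropped []string
	for key, vals := range k.Extra {
		if key == scopesExtraKey {
			o.Scopes = append([]string(nil), vals...)
			continue
		}
		dropped = append(dropped, key)
	}
	sort.Strings(dropped) // map iteration order is random; keep the report stable
	return o, dropped
}

// RoundTripsLosslessly reports whether kube -> origin -> kube reproduces the
// review, i.e. whether it carried nothing the origin type cannot hold.
func RoundTripsLosslessly(k KubeSAR) bool {
	o, _ := KubeToOrigin(k)
	b := OriginToKube(o)
	return k.User == b.User && k.Verb == b.Verb && k.Resource == b.Resource &&
		k.Namespace == b.Namespace && equalStrings(k.Groups, b.Groups) && equalExtra(k.Extra, b.Extra)
}

func equalStrings(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func equalExtra(a, b map[string][]string) bool {
	if len(a) != len(b) {
		return false
	}
	for key, vals := range a {
		if !equalStrings(vals, b[key]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample review: a scoped token asking to read pods.
	o := OriginSAR{User: "alice", Groups: []string{"devs"},
		Scopes: []string{"user:info", "role:view:myproj"}, Verb: "get", Resource: "pods", Namespace: "myproj"}
	k := OriginToKube(o)
	fmt.Println("scopes carried as extra:", k.Extra[scopesExtraKey], "lossless:", RoundTripsLosslessly(k))

	// A kube SAR carrying an extra the origin type has no field for.
	k.Extra["ldap-dn"] = []string{"cn=alice,ou=people"}
	_, dropped := KubeToOrigin(k)
	fmt.Println("dropped on the way back:", dropped, "lossless:", RoundTripsLosslessly(k))
}
```

The direction that matters for an authorizer is the lossy one: a proxy that accepts kube SARs and answers them through origin types should at least surface the dropped extras (or refuse the request) rather than silently authorizing against a subject with less context than the caller supplied.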