[v0.6] Populate backing namespace field for projects #532

Merged
merged 2 commits into from
Oct 30, 2024
13 changes: 12 additions & 1 deletion docs.md
Expand Up @@ -250,6 +250,9 @@ This admission webhook prevents the disabling or deletion of a NodeDriver if the

ClusterName must be equal to the namespace, and must refer to an existing `management.cattle.io/v3.Cluster` object. In addition, users cannot update the field after creation.

#### BackingNamespace validation
The `BackingNamespace` field cannot be changed once set. Projects without the `BackingNamespace` field can have it added.

#### Protects system project

The system project cannot be deleted.
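
Review bot: the new `BackingNamespace validation` section says projects without the field "can have it added" but not which value is accepted when it is added. Because this field names the namespace that backs the project, state here whether the validator constrains the first-time value (for example, to the value the mutator would derive) or accepts any namespace name on that update. Also add a blank line after the `#### BackingNamespace validation` heading so it matches the neighbouring sections.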
Expand Down Expand Up @@ -277,8 +280,17 @@ If `field.cattle.io/no-creator-rbac` annotation is set, `field.cattle.io/creator

#### On create

Populates the `BackingNamespace` field by concatenating `Project.ClusterName` and `Project.Name`.

If the project is using a generated name (ie `GenerateName` is not empty), the generation happens within the mutating webhook.
The reason for this is that the `BackingNamespace` is made up of the `Project.Name`, and name generation happens after mutating and before validating webhooks.

Adds the authz.management.cattle.io/creator-role-bindings annotation.

#### On update

If the `BackingNamespace` field is empty, it's populated with the project name.

## ProjectRoleTemplateBinding

### Validation Checks
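
Review bot: `On create` and `On update` describe two different derivations for the same field: create concatenates `Project.ClusterName` and `Project.Name`, while update fills an empty field with "the project name" alone. If the difference is intentional, say why in the `On update` text; otherwise align the two descriptions. The create text should also give the separator and order used in the concatenation so a reader can predict the resulting namespace name. Minor: "ie" should be "i.e.".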
Expand All @@ -297,7 +309,6 @@ Users cannot create ProjectRoleTemplateBindings that violate the following const
- The `ProjectName` field must be:
- Provided as a non-empty value
- Specified using the format of `clusterName:projectName`; `clusterName` is the `metadata.name` of a cluster, and `projectName` is the `metadata.name` of a project
- The `projectName` part of the field must match the namespace of the ProjectRoleTemplateBinding
- Refer to a valid project and cluster (both must exist and project.Spec.ClusterName must equal the cluster)
- Either a user subject (through `UserName` or `UserPrincipalName`), or a group subject (through `GroupName`
or `GroupPrincipalName`), or a service account subject (through `ServiceAccount`) must be specified. Exactly one
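
Review bot: the hunk header (`-297,7 +309,6`) shows one line dropped from the `ProjectName` constraints, but the rendered diff no longer marks which one. If it is the rule that the `projectName` part must match the namespace of the ProjectRoleTemplateBinding, the docs are left with no stated constraint on the binding's namespace. Add a sentence saying what is checked instead, or state explicitly that the namespace is no longer validated, since this list is what readers rely on to understand where a binding is allowed to live.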
49 changes: 24 additions & 25 deletions go.mod
Expand Up @@ -41,21 +41,21 @@ require (
github.com/gorilla/mux v1.8.1
github.com/rancher/dynamiclistener v0.6.1-rc.1
github.com/rancher/lasso v0.0.0-20240924233157-8f384efc8813
github.com/rancher/rancher/pkg/apis v0.0.0-20240903164338-21e4787cd0b3
github.com/rancher/rke v1.6.0
github.com/rancher/rancher/pkg/apis v0.0.0-20241030141955-e2d0b42c9125
github.com/rancher/rke v1.7.0-rc.5
github.com/rancher/wrangler/v3 v3.1.0-rc.1
github.com/robfig/cron v1.2.0
github.com/sirupsen/logrus v1.9.3
github.com/stretchr/testify v1.9.0
go.uber.org/mock v0.5.0
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
golang.org/x/text v0.17.0
golang.org/x/text v0.19.0
golang.org/x/tools v0.24.0
k8s.io/api v0.31.1
k8s.io/apimachinery v0.31.1
k8s.io/apiserver v0.31.1
k8s.io/client-go v12.0.0+incompatible
k8s.io/kubernetes v1.31.0
k8s.io/kubernetes v1.31.1
k8s.io/pod-security-admission v0.31.1
k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3
sigs.k8s.io/controller-runtime v0.19.0
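
Review bot: `github.com/rancher/rke` moves from the released `v1.6.0` to the pre-release `v1.7.0-rc.5`, and `github.com/rancher/rancher/pkg/apis` moves to a new pseudo-version, in a change whose title only mentions the backing namespace field. Say in the commit message which of these bumps the new field actually requires, and track replacing the rc tag with a final release. The `k8s.io/kubernetes` move to `v1.31.1` lines up with the other `k8s.io` modules at `v0.31.1`, which is a welcome cleanup.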
Expand Down Expand Up @@ -109,11 +109,11 @@ require (
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/rancher/aks-operator v1.9.1 // indirect
github.com/rancher/eks-operator v1.9.1 // indirect
github.com/rancher/fleet/pkg/apis v0.10.0 // indirect
github.com/rancher/gke-operator v1.9.1 // indirect
github.com/rancher/norman v0.0.0-20240822182819-60ccfabc4ac5 // indirect
github.com/rancher/aks-operator v1.10.0-rc.2 // indirect
github.com/rancher/eks-operator v1.10.0-rc.2 // indirect
github.com/rancher/fleet/pkg/apis v0.11.0-beta.2 // indirect
github.com/rancher/gke-operator v1.10.0-rc.2 // indirect
github.com/rancher/norman v0.0.0-20241001183610-78a520c160ab // indirect
github.com/spf13/cobra v1.8.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/stoewer/go-strcase v1.2.0 // indirect
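
Review bot: the aks, eks and gke operator modules and `fleet/pkg/apis` all move from released tags to `rc` and `beta` tags in this hunk. They are marked `// indirect`, so presumably they follow from the direct bumps above, but the change does not say so. A line in the PR description naming the direct requirement that pulls them in would make it clear these pre-release versions are a consequence and not an independent choice.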
Expand All @@ -122,29 +122,29 @@ require (
go.etcd.io/etcd/client/pkg/v3 v3.5.15 // indirect
go.etcd.io/etcd/client/v3 v3.5.15 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
go.opentelemetry.io/otel v1.28.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
go.opentelemetry.io/otel v1.29.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
go.opentelemetry.io/otel/metric v1.28.0 // indirect
go.opentelemetry.io/otel/sdk v1.28.0 // indirect
go.opentelemetry.io/otel/trace v1.28.0 // indirect
go.opentelemetry.io/otel/metric v1.29.0 // indirect
go.opentelemetry.io/otel/sdk v1.29.0 // indirect
go.opentelemetry.io/otel/trace v1.29.0 // indirect
go.opentelemetry.io/proto/otlp v1.3.1 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.26.0 // indirect
golang.org/x/crypto v0.28.0 // indirect
golang.org/x/mod v0.20.0 // indirect
golang.org/x/net v0.28.0 // indirect
golang.org/x/oauth2 v0.22.0 // indirect
golang.org/x/net v0.30.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.23.0 // indirect
golang.org/x/term v0.23.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/sys v0.26.0 // indirect
golang.org/x/term v0.25.0 // indirect
golang.org/x/time v0.7.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
google.golang.org/grpc v1.65.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
google.golang.org/grpc v1.67.1 // indirect
google.golang.org/protobuf v1.35.1 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
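
Review bot: the OpenTelemetry modules end up on mixed versions after this hunk: `otel`, `otel/metric`, `otel/sdk` and `otel/trace` go to `v1.29.0` and `otelhttp` to `v0.54.0`, while `exporters/otlp/otlptrace` stays at `v1.28.0`, `otlptracegrpc` at `v1.27.0` and `otelgrpc` at `v0.53.0`. These are indirect requirements, so confirm the set is exactly what `go mod tidy` produces and was not edited by hand. The `golang.org/x/crypto` and `golang.org/x/net` bumps in the same hunk are unrelated to the field change and deserve a mention in the commit message.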
Expand All @@ -165,7 +165,6 @@ require (
k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38 // indirect
k8s.io/kubelet v0.31.1 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
sigs.k8s.io/cli-utils v0.37.2 // indirect
sigs.k8s.io/cluster-api v1.8.3 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect