scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-01 02:38:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #41184 from liggitt/subject-apigroup

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 41357, 41178, 41280, 41184, 41278)

Switch RBAC subject apiVersion to apiGroup in v1beta1

Referencing a subject from an RBAC role binding, the API group and kind of the subject is needed to fully-qualify the reference.

The version is not, and adds complexity around re-writing the reference when returning the binding from different versions of the API, and when reconciling subjects.

This PR:
* v1beta1: change the subject `apiVersion` field to `apiGroup` (to match roleRef)
* v1alpha1: convert apiVersion to apiGroup for backwards compatibility
* all versions: add defaulting for the three allowed subject kinds
* all versions: add validation to the field so we can count on the data in etcd being good until we decide to relax the apiGroup restriction

```release-note
RBAC `v1beta1` RoleBinding/ClusterRoleBinding subjects changed `apiVersion` to `apiGroup` to fully-qualify a subject. ServiceAccount subjects default to an apiGroup of `""`, User and Group subjects default to an apiGroup of `"rbac.authorization.k8s.io"`.
```

@deads2k @kubernetes/sig-auth-api-reviews @kubernetes/sig-auth-pr-reviews
This commit is contained in:
Kubernetes Submit Queue
2017-02-13 21:07:10 -08:00
committed by GitHub
parent 1dcb1a237b 09d51e3ee8
commit 1f4e2efc5b
36 changed files with 356 additions and 173 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/generated/openapi/zz_generated.openapi.go
View File

@@ -11697,7 +11697,7 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion holds the API group and version of the referenced object.",
Description: "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects.",
Type: []string{"string"},
Format: "",
},
@@ -15314,9 +15314,9 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
Format: "",
},
},
"apiVersion": {
"apiGroup": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion holds the API group and version of the referenced object.",
Description: "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
Type: []string{"string"},
Format: "",
},