Conversation

@raulcabello
Contributor

port of #392

* Update rancher/rancher/pkg/apis dependency
* Verify ExternalRules in RoleTemplates

If the feature flag external-rules is enabled, the validation for RT follows this sequence:
- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.

For PRTB or CRTB:
- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.

The previous verification process applies if the external-rules feature flag is disabled.

* Allow Restricted Admin to update external-rules feature flag (rancher#102)

---------
Co-authored-by: Raul Cabello Martin <[email protected]>
Co-authored-by: Jonathan Crowther <[email protected]>
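The five-step RoleTemplate sequence and the two-step PRTB/CRTB sequence above, written out as a small Go model so the ordering of the checks is visible. This is an added illustration, not code from rancher/webhook or rancher/rancher: the `PolicyRule`, `RoleTemplate` and `Request` types, the `validateRule` shape checks standing in for upstream Kubernetes RBAC validation, and the fallback to the template's own `Rules` when the feature flag is disabled are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
)

// PolicyRule and RoleTemplate are constructed stand-ins for the real
// rbac.PolicyRule and Rancher RoleTemplate types; they carry only the
// fields this illustration needs.
type PolicyRule struct {
	APIGroups       []string
	Resources       []string
	Verbs           []string
	NonResourceURLs []string
}

type RoleTemplate struct {
	Name          string
	External      bool
	Rules         []PolicyRule
	ExternalRules []PolicyRule
}

// Request bundles what the admission decision depends on: the feature flag,
// whether the requesting user holds escalate on roletemplates, and the
// backing ClusterRoles present in the local cluster, keyed by RoleTemplate name.
type Request struct {
	ExternalRulesEnabled bool
	CanEscalate          bool
	LocalClusterRoles    map[string][]PolicyRule
}

var (
	ErrEscalate             = errors.New("externalRules set but user lacks escalate on roletemplates")
	ErrInvalidRule          = errors.New("invalid policy rule")
	ErrNoBackingClusterRole = errors.New("no externalRules and no backing ClusterRole in local cluster")
)

// validateRule applies the shape checks upstream RBAC validation performs:
// verbs are required, and a rule names either resources or nonResourceURLs.
func validateRule(r PolicyRule) error {
	if len(r.Verbs) == 0 {
		return fmt.Errorf("%w: verbs must not be empty", ErrInvalidRule)
	}
	hasResources, hasNonResource := len(r.Resources) > 0, len(r.NonResourceURLs) > 0
	if hasResources == hasNonResource {
		return fmt.Errorf("%w: set exactly one of resources or nonResourceURLs", ErrInvalidRule)
	}
	if hasResources && len(r.APIGroups) == 0 {
		return fmt.Errorf("%w: resource rules need apiGroups", ErrInvalidRule)
	}
	return nil
}

// ResolveRoleTemplateRules walks the five-step sequence for RoleTemplates.
// With the flag disabled it falls back to the template's own rules, an
// assumption about the pre-existing path that the PR text does not spell out.
func ResolveRoleTemplateRules(req Request, rt RoleTemplate) ([]PolicyRule, error) {
	if !req.ExternalRulesEnabled {
		return rt.Rules, nil
	}
	// 1) externalRules require escalate on RoleTemplates.
	if len(rt.ExternalRules) > 0 && !req.CanEscalate {
		return nil, ErrEscalate
	}
	// 2) validate externalRules like the rules field, only when external is true.
	if rt.External {
		for i, r := range rt.ExternalRules {
			if err := validateRule(r); err != nil {
				return nil, fmt.Errorf("externalRules[%d]: %w", i, err)
			}
		}
	}
	// 3) externalRules win when provided.
	if len(rt.ExternalRules) > 0 {
		return rt.ExternalRules, nil
	}
	// 4) otherwise use the backing ClusterRole in the local cluster.
	if backing, ok := req.LocalClusterRoles[rt.Name]; ok {
		return backing, nil
	}
	// 5) neither source exists: reject.
	return nil, ErrNoBackingClusterRole
}

// ResolveBindingRules is the two-step PRTB/CRTB variant: externalRules if
// provided, else the backing ClusterRole. The bool reports whether either existed.
func ResolveBindingRules(req Request, rt RoleTemplate) ([]PolicyRule, bool) {
	if len(rt.ExternalRules) > 0 {
		return rt.ExternalRules, true
	}
	backing, ok := req.LocalClusterRoles[rt.Name]
	return backing, ok
}

func main() {
	// Constructed sample: one RoleTemplate with externalRules, user without escalate.
	podsGet := PolicyRule{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get"}}
	req := Request{ExternalRulesEnabled: true, LocalClusterRoles: map[string][]PolicyRule{"view-pods": {podsGet}}}
	rt := RoleTemplate{Name: "view-pods", External: true, ExternalRules: []PolicyRule{podsGet}}
	_, err := ResolveRoleTemplateRules(req, rt)
	fmt.Println("without escalate:", err)
	req.CanEscalate = true
	rules, err := ResolveRoleTemplateRules(req, rt)
	fmt.Println("with escalate:", rules, err)
}
```

Note that step 2 only runs when `external` is true, so an invalid rule in `externalRules` on a template with `external: false` is not rejected by this validation; it is still rejected at step 1 if the user lacks escalate.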
@raulcabello raulcabello requested a review from a team as a code owner June 18, 2024 07:56
go.mod Outdated
github.com/rancher/lasso v0.0.0-20240123150939-7055397d6dfa
github.com/rancher/rancher/pkg/apis v0.0.0-20240507213626-07f244b8be3a
github.com/rancher/rke v1.5.9-rc2
github.com/rancher/rancher/pkg/apis v0.0.0-20240611034301-19a4362e2243
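Review bot: the pseudo-version for github.com/rancher/rancher/pkg/apis moves from v0.0.0-20240507213626-07f244b8be3a to v0.0.0-20240611034301-19a4362e2243, but only go.mod is shown here; confirm that go.sum is regenerated in the same change and that the pinned commit actually carries the RoleTemplate ExternalRules field the new validation reads, since a bump to a commit without it would compile against types that lack the field and leave the external-rules path untestable.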
Contributor

This may need to be bumped to a commit of rancher/rancher#45852

@raulcabello raulcabello merged commit e4c1115 into rancher:release/v0.4 Jun 19, 2024
4 participants