Skip to content

[v0.5] s4: Fixes 374 #409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
raulcabello merged 3 commits into from
Jun 25, 2024
Merged

[v0.5] s4: Fixes 374 #409

raulcabello merged 3 commits into from
Jun 25, 2024

Conversation

@raulcabello
Copy link
Contributor

@raulcabello raulcabello commented Jun 18, 2024

port of #392

@raulcabello raulcabello requested a review from a team as a code owner June 18, 2024 07:58
@raulcabello raulcabello marked this pull request as draft June 18, 2024 08:32
@raulcabello raulcabello marked this pull request as ready for review June 21, 2024 08:44
pmatseykanets
pmatseykanets previously approved these changes Jun 21, 2024
View reviewed changes
maxsokolovsky
maxsokolovsky previously approved these changes Jun 21, 2024
View reviewed changes
Copy link
Contributor

@maxsokolovsky maxsokolovsky left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM: a clean port with the only difference being in go.mod and go.sum.

JonCrowther
JonCrowther previously approved these changes Jun 21, 2024
View reviewed changes
pmatseykanets and others added 3 commits June 24, 2024 11:44
@pmatseykanets @raulcabello @JonCrowther
[v0.4.6] s4: Fixes 374 (rancher#392)
70ed144 
* Update rancher/rancher/pkg/apis dependency
* Verify ExternalRules in RoleTemplates

If the feature flag external-rules is enabled, the validation for RT follows this sequence:
- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.

For PRTB or CRTB:
- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.

The previous verification process applies if the external-rules feature flag is disabled.

* Allow Restricted Admin to update external-rules feature flag (rancher#102)

---------
Co-authored-by: Raul Cabello Martin <[email protected]>
Co-authored-by: Jonathan Crowther <[email protected]>
@raulcabello
bump rancher to be able to use ExternalRules
de9a600
@raulcabello
fix test conflict
3b1ed50
@raulcabello raulcabello merged commit f5cfd98 into rancher:release/v0.5 Jun 25, 2024
@raulcabello raulcabello deleted the v0.5-port-374 branch June 25, 2024 08:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andreas-kupries andreas-kupries andreas-kupries approved these changes

@bigkevmcd bigkevmcd bigkevmcd approved these changes

@enrichman enrichman enrichman approved these changes

@tomleb tomleb Awaiting requested review from tomleb

@pmatseykanets pmatseykanets Awaiting requested review from pmatseykanets

@maxsokolovsky maxsokolovsky Awaiting requested review from maxsokolovsky

@JonCrowther JonCrowther Awaiting requested review from JonCrowther

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@raulcabello @andreas-kupries @pmatseykanets @bigkevmcd @enrichman @JonCrowther @maxsokolovsky