// Describe returns the description of a role func (d *ClusterRoleDescriber) Describe(namespace, name string) (string, error) { c := d.ClusterRoles() role, err := c.Get(name) if err != nil { return "", err } return DescribeRole(authorizationapi.ToRole(role)) }
// Describe returns the description of a roleBinding func (d *ClusterRoleBindingDescriber) Describe(namespace, name string) (string, error) { c := d.ClusterRoleBindings() roleBinding, err := c.Get(name) if err != nil { return "", err } role, err := d.ClusterRoles().Get(roleBinding.RoleRef.Name) return DescribeRoleBinding(authorizationapi.ToRoleBinding(roleBinding), authorizationapi.ToRole(role), err) }
// Update converts the incoming ClusterRole to a Role, delegates the update to
// the underlying role storage, and converts the result back to a ClusterRole.
//
// The returned bool is the delegate's "created" flag, passed through as-is.
// Both type assertions are unchecked: an obj that is not a *ClusterRole, or a
// delegate result that is not a *Role, panics instead of returning an error.
func (s *ClusterRoleStorage) Update(ctx kapi.Context, obj runtime.Object) (runtime.Object, bool, error) {
	asRole := authorizationapi.ToRole(obj.(*authorizationapi.ClusterRole))
	updated, created, err := s.roleStorage.Update(ctx, asRole)
	if updated == nil {
		// Nothing to convert; forward the delegate's flag and error unchanged.
		return nil, created, err
	}
	return authorizationapi.ToClusterRole(updated.(*authorizationapi.Role)), created, err
}
// UpdatedObject adapts the wrapped UpdatedObjectInfo, which operates on
// ClusterRoles, to a caller that holds Roles: the old Role is converted to a
// ClusterRole before delegating, and the delegate's result is converted back
// to a Role.
//
// Both type assertions are unchecked and panic on an unexpected type.
func (i convertingObjectInfo) UpdatedObject(ctx kapi.Context, old runtime.Object) (runtime.Object, error) {
	asCluster := authorizationapi.ToClusterRole(old.(*authorizationapi.Role))
	updated, err := i.UpdatedObjectInfo.UpdatedObject(ctx, asCluster)
	if err != nil {
		return nil, err
	}
	return authorizationapi.ToRole(updated.(*authorizationapi.ClusterRole)), nil
}
// Describe returns the description of a roleBinding func (d *RoleBindingDescriber) Describe(namespace, name string) (string, error) { c := d.RoleBindings(namespace) roleBinding, err := c.Get(name) if err != nil { return "", err } var role *authorizationapi.Role if len(roleBinding.RoleRef.Namespace) == 0 { var clusterRole *authorizationapi.ClusterRole clusterRole, err = d.ClusterRoles().Get(roleBinding.RoleRef.Name) role = authorizationapi.ToRole(clusterRole) } else { role, err = d.Roles(roleBinding.RoleRef.Namespace).Get(roleBinding.RoleRef.Name) } return DescribeRoleBinding(roleBinding, role, err) }
// printClusterRole renders a ClusterRole with the shared role printer by
// first converting it to a Role; opts is forwarded unchanged.
func printClusterRole(role *authorizationapi.ClusterRole, w io.Writer, opts kctl.PrintOptions) error {
	asRole := authorizationapi.ToRole(role)
	return printRole(asRole, w, opts)
}
// ValidateClusterRoleUpdate validates an update from oldRole to policy by
// converting both to Roles and running the shared role update validation.
// The trailing false flag's meaning is defined by ValidateRoleUpdate.
func ValidateClusterRoleUpdate(policy *authorizationapi.ClusterRole, oldRole *authorizationapi.ClusterRole) fielderrors.ValidationErrorList {
	newRole, prevRole := authorizationapi.ToRole(policy), authorizationapi.ToRole(oldRole)
	return ValidateRoleUpdate(newRole, prevRole, false)
}
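// CreateClusterRoleWithEscalation converts obj to a Role, creates it through
// the underlying role storage's escalating create path, and returns the
// created object converted back to a ClusterRole.
//
// On error the returned object is nil: the delegate's result is not converted,
// so callers never receive a partially populated object and the conversion
// helper is never handed a possibly-nil value.
func (m *ClusterRoleStorage) CreateClusterRoleWithEscalation(ctx kapi.Context, obj *authorizationapi.ClusterRole) (*authorizationapi.ClusterRole, error) {
	created, err := m.roleStorage.CreateRoleWithEscalation(ctx, authorizationapi.ToRole(obj))
	if err != nil {
		return nil, err
	}
	return authorizationapi.ToClusterRole(created), nil
}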
// printClusterRole renders a ClusterRole with the shared role printer by
// first converting it to a Role; the formatting flags and column labels are
// forwarded unchanged.
func printClusterRole(role *authorizationapi.ClusterRole, w io.Writer, withNamespace, wide bool, columnLabels []string) error {
	asRole := authorizationapi.ToRole(role)
	return printRole(asRole, w, withNamespace, wide, columnLabels)
}
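// OverwriteBootstrapPolicy replaces the stored authorization policy with the
// roles and bindings found in the template at policyFile.
//
// When change is false this is a dry run: each object that would be written
// is described to out and nothing is persisted. When change is true each
// object is deleted and then recreated through the storages' escalating
// create variants. createBootstrapPolicyCommand is used only in the error
// shown when the file does not hold a template. Processing stops at the first
// error, which is returned.
func OverwriteBootstrapPolicy(optsGetter restoptions.Getter, policyFile, createBootstrapPolicyCommand string, change bool, out io.Writer) error {
	if !change {
		fmt.Fprintf(out, "Performing a dry run of policy overwrite:\n\n")
	}

	// Read and flatten the policy file into individual objects. The client
	// mapper is a stub: nothing is fetched from a server here.
	mapper := cmdclientcmd.ShortcutExpander{RESTMapper: kubectl.ShortcutExpander{RESTMapper: registered.RESTMapper()}}
	typer := kapi.Scheme
	clientMapper := resource.ClientMapperFunc(func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
		return nil, nil
	})
	r := resource.NewBuilder(mapper, typer, clientMapper, kapi.Codecs.UniversalDecoder()).
		FilenameParam(false, false, policyFile).
		Flatten().
		Do()
	if r.Err() != nil {
		return r.Err()
	}

	// Build the etcd-backed policy storages and the rule resolver that the
	// virtual role/binding storages consult.
	policyStorage, err := policyetcd.NewStorage(optsGetter)
	if err != nil {
		return err
	}
	policyRegistry := policyregistry.NewRegistry(policyStorage)

	policyBindingStorage, err := policybindingetcd.NewStorage(optsGetter)
	if err != nil {
		return err
	}
	policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)

	clusterPolicyStorage, err := clusterpolicyetcd.NewStorage(optsGetter)
	if err != nil {
		return err
	}
	clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)

	clusterPolicyBindingStorage, err := clusterpolicybindingetcd.NewStorage(optsGetter)
	if err != nil {
		return err
	}
	clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)

	ruleResolver := rulevalidation.NewDefaultRuleResolver(
		policyListerNamespacer{registry: policyRegistry},
		policyBindingListerNamespacer{registry: policyBindingRegistry},
		clusterpolicyregistry.ReadOnlyClusterPolicy{Registry: clusterPolicyRegistry},
		clusterpolicybindingregistry.ReadOnlyClusterPolicyBinding{Registry: clusterPolicyBindingRegistry},
	)
	roleStorage := rolestorage.NewVirtualStorage(policyRegistry, ruleResolver)
	roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, ruleResolver)
	clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
	clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)

	return r.Visit(func(info *resource.Info, err error) error {
		if err != nil {
			return err
		}
		template, ok := info.Object.(*templateapi.Template)
		if !ok {
			return errors.New("policy must be contained in a template. One can be created with '" + createBootstrapPolicyCommand + "'.")
		}
		// Decode the template's raw objects in place. An object that fails to
		// decode would otherwise reach the default case below as an opaque
		// unsupported type, so report the decode errors themselves.
		if decodeErrs := runtime.DecodeList(template.Objects, kapi.Codecs.UniversalDecoder()); len(decodeErrs) > 0 {
			return fmt.Errorf("decoding template objects: %v", decodeErrs)
		}

		for _, item := range template.Objects {
			switch t := item.(type) {
			case *authorizationapi.Role:
				ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
				if change {
					// Delete first so the create installs exactly the file's
					// contents; the delete's own result is not checked.
					roleStorage.Delete(ctx, t.Name, nil)
					if _, err := roleStorage.CreateRoleWithEscalation(ctx, t); err != nil {
						return err
					}
				} else {
					fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
					// Description failures only suppress the detail output.
					if s, err := describe.DescribeRole(t); err == nil {
						fmt.Fprintf(out, "%s\n", s)
					}
				}

			case *authorizationapi.RoleBinding:
				ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
				if change {
					roleBindingStorage.Delete(ctx, t.Name, nil)
					if _, err := roleBindingStorage.CreateRoleBindingWithEscalation(ctx, t); err != nil {
						return err
					}
				} else {
					fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
					if s, err := describe.DescribeRoleBinding(t, nil, nil); err == nil {
						fmt.Fprintf(out, "%s\n", s)
					}
				}

			case *authorizationapi.ClusterRole:
				ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
				if change {
					clusterRoleStorage.Delete(ctx, t.Name, nil)
					if _, err := clusterRoleStorage.CreateClusterRoleWithEscalation(ctx, t); err != nil {
						return err
					}
				} else {
					fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
					if s, err := describe.DescribeRole(authorizationapi.ToRole(t)); err == nil {
						fmt.Fprintf(out, "%s\n", s)
					}
				}

			case *authorizationapi.ClusterRoleBinding:
				ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
				if change {
					clusterRoleBindingStorage.Delete(ctx, t.Name, nil)
					if _, err := clusterRoleBindingStorage.CreateClusterRoleBindingWithEscalation(ctx, t); err != nil {
						return err
					}
				} else {
					fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
					if s, err := describe.DescribeRoleBinding(authorizationapi.ToRoleBinding(t), nil, nil); err == nil {
						fmt.Fprintf(out, "%s\n", s)
					}
				}

			default:
				return fmt.Errorf("only roles and rolebindings may be created in this mode, not: %v", reflect.TypeOf(t))
			}
		}

		if !change {
			fmt.Fprintf(out, "To make the changes described above, pass --force\n")
		}
		return nil
	})
}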
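// OverwriteBootstrapPolicy installs the roles and bindings found in the
// template at policyFile over whatever policy is currently stored.
//
// When change is false this is a dry run: each object that would be written
// is described to out and nothing is persisted. When change is true each
// object is written through the storages' escalating create/update variants
// using a create, then update, then delete-and-recreate sequence (see upsert
// in the visitor below). Failures are collected instead of aborting on the
// first one, and the result is an aggregate of all of them, or nil.
// createBootstrapPolicyCommand appears only in the error shown when the file
// does not hold a template.
func OverwriteBootstrapPolicy(optsGetter restoptions.Getter, policyFile, createBootstrapPolicyCommand string, change bool, out io.Writer) error {
	if !change {
		fmt.Fprintf(out, "Performing a dry run of policy overwrite:\n\n")
	}

	// Read and flatten the policy file into individual objects. The client
	// mapper is a stub: nothing is fetched from a server here.
	mapper := cmdclientcmd.ShortcutExpander{RESTMapper: kubectl.ShortcutExpander{RESTMapper: registered.RESTMapper()}}
	typer := kapi.Scheme
	clientMapper := resource.ClientMapperFunc(func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
		return nil, nil
	})
	r := resource.NewBuilder(mapper, typer, clientMapper, kapi.Codecs.UniversalDecoder()).
		FilenameParam(false, false, policyFile).
		Flatten().
		Do()
	if r.Err() != nil {
		return r.Err()
	}

	// Build the etcd-backed policy storages and the rule resolver that the
	// virtual role/binding storages consult.
	policyStorage, err := policyetcd.NewStorage(optsGetter)
	if err != nil {
		return err
	}
	policyRegistry := policyregistry.NewRegistry(policyStorage)

	policyBindingStorage, err := policybindingetcd.NewStorage(optsGetter)
	if err != nil {
		return err
	}
	policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)

	clusterPolicyStorage, err := clusterpolicyetcd.NewStorage(optsGetter)
	if err != nil {
		return err
	}
	clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)

	clusterPolicyBindingStorage, err := clusterpolicybindingetcd.NewStorage(optsGetter)
	if err != nil {
		return err
	}
	clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)

	ruleResolver := rulevalidation.NewDefaultRuleResolver(
		policyListerNamespacer{registry: policyRegistry},
		policyBindingListerNamespacer{registry: policyBindingRegistry},
		clusterpolicyregistry.ReadOnlyClusterPolicy{Registry: clusterPolicyRegistry},
		clusterpolicybindingregistry.ReadOnlyClusterPolicyBinding{Registry: clusterPolicyBindingRegistry},
	)
	roleStorage := rolestorage.NewVirtualStorage(policyRegistry, ruleResolver, nil, authorizationapi.Resource("role"))
	roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, ruleResolver, nil, authorizationapi.Resource("rolebinding"))
	clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry, nil)
	clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry, nil)

	return r.Visit(func(info *resource.Info, err error) error {
		if err != nil {
			return err
		}
		template, ok := info.Object.(*templateapi.Template)
		if !ok {
			return errors.New("policy must be contained in a template. One can be created with '" + createBootstrapPolicyCommand + "'.")
		}
		// Decode the template's raw objects in place. An object that fails to
		// decode would otherwise reach the default case below as an opaque
		// unsupported type, so report the decode errors themselves.
		if decodeErrs := runtime.DecodeList(template.Objects, kapi.Codecs.UniversalDecoder()); len(decodeErrs) > 0 {
			return kerrors.NewAggregate(decodeErrs)
		}

		// upsert persists one object, maximizing the chance the desired object
		// ends up stored while minimizing etcd write thrashing:
		//  1. create it (fails with AlreadyExists when it is already there)
		//  2. on AlreadyExists, update it unconditionally
		//  3. if anything went wrong, delete and recreate as a last resort
		// The delete's own result is not checked; the recreate's error is what
		// gets reported.
		upsert := func(create func() error, update func() error, del func()) error {
			err := create()
			if kapierrors.IsAlreadyExists(err) {
				err = update()
			}
			if err != nil {
				del()
				err = create()
			}
			return err
		}

		var errs []error
		for _, item := range template.Objects {
			switch t := item.(type) {
			case *authorizationapi.Role:
				ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
				if change {
					err := upsert(
						func() error { _, e := roleStorage.CreateRoleWithEscalation(ctx, t); return e },
						func() error { _, _, e := roleStorage.UpdateRoleWithEscalation(ctx, t); return e },
						func() { roleStorage.Delete(ctx, t.Name, nil) },
					)
					if err != nil {
						errs = append(errs, err)
					}
				} else {
					fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
					// Description failures only suppress the detail output.
					if s, err := describe.DescribeRole(t); err == nil {
						fmt.Fprintf(out, "%s\n", s)
					}
				}

			case *authorizationapi.RoleBinding:
				ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
				if change {
					err := upsert(
						func() error { _, e := roleBindingStorage.CreateRoleBindingWithEscalation(ctx, t); return e },
						func() error { _, _, e := roleBindingStorage.UpdateRoleBindingWithEscalation(ctx, t); return e },
						func() { roleBindingStorage.Delete(ctx, t.Name, nil) },
					)
					if err != nil {
						errs = append(errs, err)
					}
				} else {
					fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
					if s, err := describe.DescribeRoleBinding(t, nil, nil); err == nil {
						fmt.Fprintf(out, "%s\n", s)
					}
				}

			case *authorizationapi.ClusterRole:
				ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
				if change {
					err := upsert(
						func() error { _, e := clusterRoleStorage.CreateClusterRoleWithEscalation(ctx, t); return e },
						func() error { _, _, e := clusterRoleStorage.UpdateClusterRoleWithEscalation(ctx, t); return e },
						func() { clusterRoleStorage.Delete(ctx, t.Name, nil) },
					)
					if err != nil {
						errs = append(errs, err)
					}
				} else {
					fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
					if s, err := describe.DescribeRole(authorizationapi.ToRole(t)); err == nil {
						fmt.Fprintf(out, "%s\n", s)
					}
				}

			case *authorizationapi.ClusterRoleBinding:
				ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
				if change {
					err := upsert(
						func() error { _, e := clusterRoleBindingStorage.CreateClusterRoleBindingWithEscalation(ctx, t); return e },
						func() error { _, _, e := clusterRoleBindingStorage.UpdateClusterRoleBindingWithEscalation(ctx, t); return e },
						func() { clusterRoleBindingStorage.Delete(ctx, t.Name, nil) },
					)
					if err != nil {
						errs = append(errs, err)
					}
				} else {
					fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
					if s, err := describe.DescribeRoleBinding(authorizationapi.ToRoleBinding(t), nil, nil); err == nil {
						fmt.Fprintf(out, "%s\n", s)
					}
				}

			default:
				errs = append(errs, fmt.Errorf("only roles and rolebindings may be created in this mode, not: %v", reflect.TypeOf(t)))
			}
		}

		if !change {
			fmt.Fprintf(out, "To make the changes described above, pass --force\n")
		}
		// NewAggregate yields nil for an empty list, so a clean run returns nil.
		return kerrors.NewAggregate(errs)
	})
}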
// ValidateClusterRole validates a ClusterRole by converting it to a Role and
// applying the shared role validation. The trailing false flag's meaning is
// defined by ValidateRole.
func ValidateClusterRole(policy *authorizationapi.ClusterRole) field.ErrorList {
	asRole := authorizationapi.ToRole(policy)
	return ValidateRole(asRole, false)
}
// printClusterRole renders a ClusterRole with the shared role printer by
// first converting it to a Role; withNamespace is forwarded unchanged.
func printClusterRole(role *authorizationapi.ClusterRole, w io.Writer, withNamespace bool) error {
	asRole := authorizationapi.ToRole(role)
	return printRole(asRole, w, withNamespace)
}