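// ensureComponentAuthorizationRules initializes the cluster policies.
//
// If no cluster policy is stored yet, the bootstrap policy file named by
// c.Options.PolicyConfig.BootstrapPolicyFile is written into storage; an
// existing policy is left untouched. Afterwards it blocks for up to 30s until
// a loopback SubjectAccessReview for "get clusterpolicies" is allowed, i.e.
// until the authorizer's policy cache reflects what is in storage.
//
// Every failure is logged and swallowed: callers cannot tell whether the
// bootstrap policy was written or whether the cache ever caught up.
func (c *MasterConfig) ensureComponentAuthorizationRules() {
	clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterpolicystorage.NewStorage(c.EtcdHelper))
	ctx := kapi.WithNamespace(kapi.NewContext(), "")

	_, err := clusterPolicyRegistry.GetClusterPolicy(ctx, authorizationapi.PolicyName)
	switch {
	case kapierror.IsNotFound(err):
		glog.Infof("No cluster policy found. Creating bootstrap policy based on: %v", c.Options.PolicyConfig.BootstrapPolicyFile)
		if err := admin.OverwriteBootstrapPolicy(c.EtcdHelper, c.Options.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
			glog.Errorf("Error creating bootstrap policy: %v", err)
		}
	case err != nil:
		// A storage read error is not evidence that a policy exists. The
		// bootstrap file is still skipped, as before, but the condition is
		// reported as an error instead of being logged as "policy found".
		glog.Errorf("Error reading cluster policy, ignoring bootstrap policy file: %v", err)
	default:
		glog.V(2).Infof("Ignoring bootstrap policy file because cluster policy found")
	}

	// Wait until the policy cache has caught up before continuing
	review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "clusterpolicies"}}
	err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (done bool, err error) {
		result, err := c.PolicyClient().SubjectAccessReviews().Create(review)
		if err == nil && result.Allowed {
			return true, nil
		}
		// Forbidden or denied: the cache has not picked up the policy yet.
		if kapierror.IsForbidden(err) || (err == nil && !result.Allowed) {
			glog.V(2).Infof("waiting for policy cache to initialize")
			return false, nil
		}
		// Any other error aborts the wait and is reported below.
		return false, err
	})
	if err != nil {
		glog.Errorf("error waiting for policy cache to initialize: %v", err)
	}
}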
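// ensureComponentAuthorizationRules initializes the cluster policies.
//
// If no cluster policy is stored yet, the bootstrap policy file named by
// c.Options.PolicyConfig.BootstrapPolicyFile is written into storage; an
// existing policy is left untouched. It then blocks for up to 30s until a
// loopback SubjectAccessReview for "get clusterpolicies" is allowed (the
// authorizer's policy cache has caught up), and finally reconciles the
// cluster roles and role bindings that every server start requires.
//
// Every failure is logged and swallowed: callers cannot tell whether the
// bootstrap policy was written, whether the cache caught up, or whether
// reconciliation succeeded.
func (c *MasterConfig) ensureComponentAuthorizationRules() {
	clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterpolicystorage.NewStorage(c.EtcdHelper))
	ctx := kapi.WithNamespace(kapi.NewContext(), "")

	_, err := clusterPolicyRegistry.GetClusterPolicy(ctx, authorizationapi.PolicyName)
	switch {
	case kapierror.IsNotFound(err):
		glog.Infof("No cluster policy found. Creating bootstrap policy based on: %v", c.Options.PolicyConfig.BootstrapPolicyFile)
		if err := admin.OverwriteBootstrapPolicy(c.EtcdHelper, c.Options.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
			glog.Errorf("Error creating bootstrap policy: %v", err)
		}
	case err != nil:
		// A storage read error is not evidence that a policy exists. The
		// bootstrap file is still skipped, as before, but the condition is
		// reported as an error instead of being logged as "policy found".
		glog.Errorf("Error reading cluster policy, ignoring bootstrap policy file: %v", err)
	default:
		glog.V(2).Infof("Ignoring bootstrap policy file because cluster policy found")
	}

	// Wait until the policy cache has caught up before continuing
	review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: authorizationapi.GroupName, Resource: "clusterpolicies"}}
	err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (done bool, err error) {
		result, err := c.PolicyClient().SubjectAccessReviews().Create(review)
		if err == nil && result.Allowed {
			return true, nil
		}
		// Forbidden or denied: the cache has not picked up the policy yet.
		if kapierror.IsForbidden(err) || (err == nil && !result.Allowed) {
			glog.V(2).Infof("waiting for policy cache to initialize")
			return false, nil
		}
		// Any other error aborts the wait and is reported below.
		return false, err
	})
	if err != nil {
		glog.Errorf("error waiting for policy cache to initialize: %v", err)
	}

	// Reconcile roles that must exist for the cluster to function
	// Be very judicious about what is placed in this list, since it will be enforced on every server start
	// Confirmed: true applies the changes (no dry run). Union: true presumably
	// keeps rules already present and only adds missing ones — confirm against
	// policy.ReconcileClusterRolesOptions before relying on that.
	reconcileRoles := &policy.ReconcileClusterRolesOptions{
		RolesToReconcile: []string{bootstrappolicy.DiscoveryRoleName},
		Confirmed:        true,
		Union:            true,
		Out:              ioutil.Discard,
		RoleClient:       c.PrivilegedLoopbackOpenShiftClient.ClusterRoles(),
	}
	if err := reconcileRoles.RunReconcileClusterRoles(nil, nil); err != nil {
		glog.Errorf("Could not auto reconcile roles: %v\n", err)
	}

	// Reconcile rolebindings that must exist for the cluster to function
	// Be very judicious about what is placed in this list, since it will be enforced on every server start
	reconcileRoleBindings := &policy.ReconcileClusterRoleBindingsOptions{
		RolesToReconcile:  []string{bootstrappolicy.DiscoveryRoleName},
		Confirmed:         true,
		Union:             true,
		Out:               ioutil.Discard,
		RoleBindingClient: c.PrivilegedLoopbackOpenShiftClient.ClusterRoleBindings(),
	}
	if err := reconcileRoleBindings.RunReconcileClusterRoleBindings(nil, nil); err != nil {
		glog.Errorf("Could not auto reconcile role bindings: %v\n", err)
	}
}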
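// TestBootstrapPolicyOverwritePolicyCommand checks that, after the live
// cluster policy has been deleted through the API, the bootstrap policy can be
// re-created directly in storage and the cluster admin is authorized again.
//
// Setup steps whose failure leaves a nil handle (test master, admin client,
// etcd client, storage helper) abort with t.Fatalf: continuing past them, as
// the original did with t.Errorf, would dereference the nil value.
func TestBootstrapPolicyOverwritePolicyCommand(t *testing.T) {
	testutil.RequireEtcd(t)

	masterConfig, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	client, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	if err := client.ClusterPolicies().Delete(authorizationapi.PolicyName); err != nil {
		t.Errorf("unexpected error: %v", err)
	}

	// after the policy is deleted, we must wait for it to be cleared from the policy cache
	// The deletion has taken effect once even the cluster admin is forbidden
	// to list policies; a successful list means the cache is still stale.
	err = wait.Poll(10*time.Millisecond, 10*time.Second, func() (bool, error) {
		_, err := client.ClusterPolicies().List(kapi.ListOptions{})
		if err == nil {
			return false, nil
		}
		if !kapierror.IsForbidden(err) {
			t.Errorf("unexpected error: %v", err)
		}
		return true, nil
	})
	if err != nil {
		t.Errorf("timeout: %v", err)
	}

	etcdClient, err := etcd.MakeNewEtcdClient(masterConfig.EtcdClientInfo)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	storageVersion := unversioned.GroupVersion{Group: "", Version: masterConfig.EtcdStorageConfig.OpenShiftStorageVersion}
	etcdHelper, err := origin.NewEtcdStorage(etcdClient, storageVersion, masterConfig.EtcdStorageConfig.OpenShiftStoragePrefix)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	// Write the bootstrap policy straight into storage (the API is now
	// unauthorized), then confirm the admin client can list policies again.
	if err := admin.OverwriteBootstrapPolicy(etcdHelper, masterConfig.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
		t.Errorf("unexpected error: %v", err)
	}
	if _, err := client.ClusterPolicies().List(kapi.ListOptions{}); err != nil {
		t.Errorf("unexpected error: %v", err)
	}
}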
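// ensureComponentAuthorizationRules initializes the cluster policies.
//
// If no cluster policy is stored yet, the bootstrap policy file named by
// c.Options.PolicyConfig.BootstrapPolicyFile is written into storage; an
// existing policy is left untouched. Failures are logged and swallowed, so
// callers cannot tell whether the bootstrap policy was actually written.
func (c *MasterConfig) ensureComponentAuthorizationRules() {
	clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterpolicystorage.NewStorage(c.EtcdHelper))
	ctx := kapi.WithNamespace(kapi.NewContext(), "")

	_, err := clusterPolicyRegistry.GetClusterPolicy(ctx, authorizationapi.PolicyName)
	switch {
	case kapierror.IsNotFound(err):
		glog.Infof("No cluster policy found. Creating bootstrap policy based on: %v", c.Options.PolicyConfig.BootstrapPolicyFile)
		if err := admin.OverwriteBootstrapPolicy(c.EtcdHelper, c.Options.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
			glog.Errorf("Error creating bootstrap policy: %v", err)
		}
	case err != nil:
		// A storage read error is not evidence that a policy exists. The
		// bootstrap file is still skipped, as before, but the condition is
		// reported as an error instead of being logged as "policy found".
		glog.Errorf("Error reading cluster policy, ignoring bootstrap policy file: %v", err)
	default:
		glog.V(2).Infof("Ignoring bootstrap policy file because cluster policy found")
	}
}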
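// TestBootstrapPolicyOverwritePolicyCommand checks that, after the live
// cluster policy has been deleted through the API, the bootstrap policy can be
// re-created directly in storage and the cluster admin is authorized again.
//
// Setup steps whose failure leaves a nil handle (test master, admin client)
// abort with t.Fatalf: continuing past them, as the original did with
// t.Errorf, would dereference the nil value.
func TestBootstrapPolicyOverwritePolicyCommand(t *testing.T) {
	testutil.RequireEtcd(t)
	defer testutil.DumpEtcdOnFailure(t)

	masterConfig, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	client, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	if err := client.ClusterPolicies().Delete(authorizationapi.PolicyName); err != nil {
		t.Errorf("unexpected error: %v", err)
	}

	// after the policy is deleted, we must wait for it to be cleared from the policy cache
	// The deletion has taken effect once even the cluster admin is forbidden
	// to list policies; a successful list means the cache is still stale.
	err = wait.Poll(10*time.Millisecond, 10*time.Second, func() (bool, error) {
		_, err := client.ClusterPolicies().List(kapi.ListOptions{})
		if err == nil {
			return false, nil
		}
		if !kapierror.IsForbidden(err) {
			t.Errorf("unexpected error: %v", err)
		}
		return true, nil
	})
	if err != nil {
		t.Errorf("timeout: %v", err)
	}

	// Write the bootstrap policy straight into storage (the API is now
	// unauthorized), then confirm the admin client can list policies again.
	optsGetter := restoptions.NewConfigGetter(*masterConfig)
	if err := admin.OverwriteBootstrapPolicy(optsGetter, masterConfig.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
		t.Errorf("unexpected error: %v", err)
	}
	if _, err := client.ClusterPolicies().List(kapi.ListOptions{}); err != nil {
		t.Errorf("unexpected error: %v", err)
	}
}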