... | ... |
@@ -170,7 +170,7 @@ func (o *ReconcileClusterRoleBindingsOptions) ChangedClusterRoleBindings() ([]*a |
170 | 170 |
actualClusterRoleBinding, err := o.RoleBindingClient.Get(expectedClusterRoleBinding.Name) |
171 | 171 |
if kapierrors.IsNotFound(err) { |
172 | 172 |
// Remove excluded subjects from the new role binding |
173 |
- expectedClusterRoleBinding.Subjects, _ = Diff(expectedClusterRoleBinding.Subjects, o.ExcludeSubjects) |
|
173 |
+ expectedClusterRoleBinding.Subjects, _ = DiffObjectReferenceLists(expectedClusterRoleBinding.Subjects, o.ExcludeSubjects) |
|
174 | 174 |
changedRoleBindings = append(changedRoleBindings, expectedClusterRoleBinding) |
175 | 175 |
continue |
176 | 176 |
} |
... | ... |
@@ -249,11 +249,11 @@ func computeUpdatedBinding(expected authorizationapi.ClusterRoleBinding, actual |
249 | 249 |
} |
250 | 250 |
|
251 | 251 |
// compute the list of subjects we should not add roles for (existing subjects in the exclude list should be preserved) |
252 |
- doNotAddSubjects, _ := Diff(excludeSubjects, actual.Subjects) |
|
252 |
+ doNotAddSubjects, _ := DiffObjectReferenceLists(excludeSubjects, actual.Subjects) |
|
253 | 253 |
// remove any excluded subjects that do not exist from our expected subject list (so we don't add them) |
254 |
- expectedSubjects, _ := Diff(expected.Subjects, doNotAddSubjects) |
|
254 |
+ expectedSubjects, _ := DiffObjectReferenceLists(expected.Subjects, doNotAddSubjects) |
|
255 | 255 |
|
256 |
- missingSubjects, extraSubjects := Diff(expectedSubjects, actual.Subjects) |
|
256 |
+ missingSubjects, extraSubjects := DiffObjectReferenceLists(expectedSubjects, actual.Subjects) |
|
257 | 257 |
// Always add missing expected subjects |
258 | 258 |
if len(missingSubjects) > 0 { |
259 | 259 |
needsUpdating = true |
... | ... |
@@ -284,11 +284,11 @@ func contains(list []kapi.ObjectReference, item kapi.ObjectReference) bool { |
284 | 284 |
return false |
285 | 285 |
} |
286 | 286 |
|
287 |
-// Diff returns lists containing the items unique to each provided list: |
|
287 |
+// DiffObjectReferenceLists returns lists containing the items unique to each provided list: |
|
288 | 288 |
// list1Only = list1 - list2 |
289 | 289 |
// list2Only = list2 - list1 |
290 | 290 |
// if both returned lists are empty, the provided lists are equal |
291 |
-func Diff(list1 []kapi.ObjectReference, list2 []kapi.ObjectReference) (list1Only []kapi.ObjectReference, list2Only []kapi.ObjectReference) { |
|
291 |
+func DiffObjectReferenceLists(list1 []kapi.ObjectReference, list2 []kapi.ObjectReference) (list1Only []kapi.ObjectReference, list2Only []kapi.ObjectReference) { |
|
292 | 292 |
for _, list1Item := range list1 { |
293 | 293 |
if !contains(list2, list1Item) { |
294 | 294 |
if !contains(list1Only, list1Item) { |
... | ... |
@@ -24,7 +24,7 @@ func refs(names ...string) []kapi.ObjectReference { |
24 | 24 |
return r |
25 | 25 |
} |
26 | 26 |
|
27 |
-func TestDiff(t *testing.T) { |
|
27 |
+func TestDiffObjectReferenceLists(t *testing.T) { |
|
28 | 28 |
tests := map[string]struct { |
29 | 29 |
A []kapi.ObjectReference |
30 | 30 |
B []kapi.ObjectReference |
... | ... |
@@ -61,7 +61,7 @@ func TestDiff(t *testing.T) { |
61 | 61 |
} |
62 | 62 |
|
63 | 63 |
for k, tc := range tests { |
64 |
- onlyA, onlyB := diff(tc.A, tc.B) |
|
64 |
+ onlyA, onlyB := DiffObjectReferenceLists(tc.A, tc.B) |
|
65 | 65 |
if !kapi.Semantic.DeepEqual(onlyA, tc.ExpectedOnlyA) { |
66 | 66 |
t.Errorf("%s: Expected %#v, got %#v", k, tc.ExpectedOnlyA, onlyA) |
67 | 67 |
} |
... | ... |
@@ -27,7 +27,7 @@ func (d *ClusterRoleBindings) Name() string { |
27 | 27 |
} |
28 | 28 |
|
29 | 29 |
func (d *ClusterRoleBindings) Description() string { |
30 |
- return "Check that the ClusterRoleBindings are up-to-date" |
|
30 |
+ return "Check that the default ClusterRoleBindings are present and contain the expected subjects" |
|
31 | 31 |
} |
32 | 32 |
|
33 | 33 |
func (d *ClusterRoleBindings) CanRun() (bool, error) { |
... | ... |
@@ -57,6 +57,7 @@ func (d *ClusterRoleBindings) Check() types.DiagnosticResult { |
57 | 57 |
changedClusterRoleBindings, err := reconcileOptions.ChangedClusterRoleBindings() |
58 | 58 |
if err != nil { |
59 | 59 |
r.Error("CRBD1000", err, fmt.Sprintf("Error inspecting ClusterRoleBindings: %v", err)) |
60 |
+ return r |
|
60 | 61 |
} |
61 | 62 |
|
62 | 63 |
// success |
... | ... |
@@ -74,14 +75,14 @@ func (d *ClusterRoleBindings) Check() types.DiagnosticResult { |
74 | 74 |
r.Error("CRBD1002", err, fmt.Sprintf("Unable to get clusterrolebinding/%s: %v", changedClusterRoleBinding.Name, err)) |
75 | 75 |
} |
76 | 76 |
|
77 |
- missingSubjects, extraSubjects := policycmd.Diff(changedClusterRoleBinding.Subjects, actualClusterRole.Subjects) |
|
77 |
+ missingSubjects, extraSubjects := policycmd.DiffObjectReferenceLists(changedClusterRoleBinding.Subjects, actualClusterRole.Subjects) |
|
78 | 78 |
switch { |
79 | 79 |
case len(missingSubjects) > 0: |
80 | 80 |
// Only a warning, because they can remove things like self-provisioner role from system:unauthenticated, and it's not an error |
81 |
- r.Warn("CRBD1003", nil, fmt.Sprintf("clusterrolebinding/%s is missing expected subjects.\n\nUse the `oadm policy reconcile-cluster-role bindings` command to update the role binding to include expected subjects.", changedClusterRoleBinding.Name)) |
|
81 |
+ r.Warn("CRBD1003", nil, fmt.Sprintf("clusterrolebinding/%s is missing expected subjects.\n\nUse the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to include expected subjects.", changedClusterRoleBinding.Name)) |
|
82 | 82 |
case len(extraSubjects) > 0: |
83 | 83 |
// Only info, because it is normal to use policy to grant cluster roles to users |
84 |
- r.Info("CRBD1004", fmt.Sprintf("clusterrolebinding/%s has more subjects than expected.\n\nUse the `oadm policy reconcile-cluster-role bindings` command to update the role binding to remove extra subjects.", changedClusterRoleBinding.Name)) |
|
84 |
+ r.Info("CRBD1004", fmt.Sprintf("clusterrolebinding/%s has more subjects than expected.\n\nUse the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.", changedClusterRoleBinding.Name)) |
|
85 | 85 |
} |
86 | 86 |
|
87 | 87 |
for _, missingSubject := range missingSubjects { |
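Review bot: The CRBD1002 error branch that closes at line 75 logs the Get failure and then falls through to the new `policycmd.DiffObjectReferenceLists(changedClusterRoleBinding.Subjects, actualClusterRole.Subjects)` call on line 77, so a failed Get still dereferences `actualClusterRole`; if the client returns a nil object alongside the error, that is a nil-pointer panic inside the diagnostic. This is the same log-then-fall-through shape the commit fixes for CRBD1000 with `return r`, and the loop-body equivalent is `r.Error("CRBD1002", err, fmt.Sprintf("Unable to get clusterrolebinding/%s: %v", changedClusterRoleBinding.Name, err)); continue`. The `if err != nil` that opens this branch and the enclosing Check method both start above the hunk. The ClusterRoles diagnostic may have a parallel per-role Get loop; it is not visible here but is worth checking for the same pattern.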
... | ... |
@@ -28,7 +28,7 @@ func (d *ClusterRoles) Name() string { |
28 | 28 |
} |
29 | 29 |
|
30 | 30 |
func (d *ClusterRoles) Description() string { |
31 |
- return "Check that the ClusterRoles are up-to-date" |
|
31 |
+ return "Check that the default ClusterRoles are present and contain the expected permissions" |
|
32 | 32 |
} |
33 | 33 |
|
34 | 34 |
func (d *ClusterRoles) CanRun() (bool, error) { |
... | ... |
@@ -58,6 +58,7 @@ func (d *ClusterRoles) Check() types.DiagnosticResult { |
58 | 58 |
changedClusterRoles, err := reconcileOptions.ChangedClusterRoles() |
59 | 59 |
if err != nil { |
60 | 60 |
r.Error("CRD1000", err, fmt.Sprintf("Error inspecting ClusterRoles: %v", err)) |
61 |
+ return r |
|
61 | 62 |
} |
62 | 63 |
|
63 | 64 |
// success |
... | ... |
@@ -277,8 +277,9 @@ wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/healthz" "apiserver: " 0.2 |
277 | 277 |
wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/healthz/ready" "apiserver(ready): " 0.25 80 |
278 | 278 |
wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/api/v1beta3/nodes/${KUBELET_HOST}" "apiserver(nodes): " 0.25 80 |
279 | 279 |
|
280 |
-# COMPATIBILITY update the cluster roles so that new images can be used. |
|
280 |
+# COMPATIBILITY update the cluster roles and role bindings so that new images can be used. |
|
281 | 281 |
oadm policy reconcile-cluster-roles --confirm |
282 |
+oadm policy reconcile-cluster-role-bindings --confirm |
|
282 | 283 |
# COMPATIBILITY create a service account for the router |
283 | 284 |
echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"router"}}' | oc create -f - |
284 | 285 |
# COMPATIBILITY add the router SA to the privileged SCC so that it can be use to create the router |
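Review bot: `oadm policy reconcile-cluster-role-bindings --confirm` on new line 282 re-adds every missing expected subject to the default bindings (the Go side's "Always add missing expected subjects" in computeUpdatedBinding), so it also reverts subjects an operator deliberately removed — the diagnostic's own comment cites removing self-provisioner from system:unauthenticated as a normal case. For a compatibility step in a test script this is presumably intended, but the comment on line 280 should say so, e.g. `# COMPATIBILITY update the cluster roles and role bindings so that new images can be used (re-adds any default subjects that were removed).` If the script does not run under `set -e`, the new command's exit status is also unchecked, as it is for the reconcile-cluster-roles line above it.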