CNTRLPLANE-71: update cao to manage rolebindingrestriction crd #748
Merged: openshift-merge-bot merged 5 commits into openshift:master from everettraven:feature/manage-rbrs on Feb 20, 2025.
Commits (all by everettraven):

- 986af2c dependencymagnet: vendor rolebindingrestrictions crd from openshift/api
- ea04596 makefile: add make targets to copy rolebindingrestrict crd to bindata…
- 7de2b98 operator: add rolebindingrestriction crd to staticresourcecontroller
- cf69e81 mom: update mom test-data
- 2dc36e0 cmd: add render subcommand to be used by openshift/installer
bindata/oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml: 225 changes (225 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,225 @@ | ||
| apiVersion: apiextensions.k8s.io/v1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| annotations: | ||
| api-approved.openshift.io: https://github.com/openshift/api/pull/470 | ||
| api.openshift.io/merged-by-featuregates: "true" | ||
| include.release.openshift.io/ibm-cloud-managed: "true" | ||
| include.release.openshift.io/self-managed-high-availability: "true" | ||
| release.openshift.io/bootstrap-required: "true" | ||
| name: rolebindingrestrictions.authorization.openshift.io | ||
| spec: | ||
| group: authorization.openshift.io | ||
| names: | ||
| kind: RoleBindingRestriction | ||
| listKind: RoleBindingRestrictionList | ||
| plural: rolebindingrestrictions | ||
| singular: rolebindingrestriction | ||
| scope: Namespaced | ||
| versions: | ||
| - name: v1 | ||
| schema: | ||
| openAPIV3Schema: | ||
| description: |- | ||
| RoleBindingRestriction is an object that can be matched against a subject | ||
| (user, group, or service account) to determine whether rolebindings on that | ||
| subject are allowed in the namespace to which the RoleBindingRestriction | ||
| belongs. If any one of those RoleBindingRestriction objects matches | ||
| a subject, rolebindings on that subject in the namespace are allowed. | ||
|
|
||
| Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). | ||
| properties: | ||
| apiVersion: | ||
| description: |- | ||
| APIVersion defines the versioned schema of this representation of an object. | ||
| Servers should convert recognized schemas to the latest internal value, and | ||
| may reject unrecognized values. | ||
| More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | ||
| type: string | ||
| kind: | ||
| description: |- | ||
| Kind is a string value representing the REST resource this object represents. | ||
| Servers may infer this from the endpoint the client submits requests to. | ||
| Cannot be updated. | ||
| In CamelCase. | ||
| More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | ||
| type: string | ||
| metadata: | ||
| type: object | ||
| spec: | ||
| description: spec defines the matcher. | ||
| properties: | ||
| grouprestriction: | ||
| description: grouprestriction matches against group subjects. | ||
| nullable: true | ||
| properties: | ||
| groups: | ||
| description: |- | ||
| groups is a list of groups used to match against an individual user's | ||
| groups. If the user is a member of one of the whitelisted groups, the user | ||
| is allowed to be bound to a role. | ||
| items: | ||
| type: string | ||
| nullable: true | ||
| type: array | ||
| labels: | ||
| description: Selectors specifies a list of label selectors over | ||
| group labels. | ||
| items: | ||
| description: |- | ||
| A label selector is a label query over a set of resources. The result of matchLabels and | ||
| matchExpressions are ANDed. An empty label selector matches all objects. A null | ||
| label selector matches no objects. | ||
| properties: | ||
| matchExpressions: | ||
| description: matchExpressions is a list of label selector | ||
| requirements. The requirements are ANDed. | ||
| items: | ||
| description: |- | ||
| A label selector requirement is a selector that contains values, a key, and an operator that | ||
| relates the key and values. | ||
| properties: | ||
| key: | ||
| description: key is the label key that the selector | ||
| applies to. | ||
| type: string | ||
| operator: | ||
| description: |- | ||
| operator represents a key's relationship to a set of values. | ||
| Valid operators are In, NotIn, Exists and DoesNotExist. | ||
| type: string | ||
| values: | ||
| description: |- | ||
| values is an array of string values. If the operator is In or NotIn, | ||
| the values array must be non-empty. If the operator is Exists or DoesNotExist, | ||
| the values array must be empty. This array is replaced during a strategic | ||
| merge patch. | ||
| items: | ||
| type: string | ||
| type: array | ||
| x-kubernetes-list-type: atomic | ||
| required: | ||
| - key | ||
| - operator | ||
| type: object | ||
| type: array | ||
| x-kubernetes-list-type: atomic | ||
| matchLabels: | ||
| additionalProperties: | ||
| type: string | ||
| description: |- | ||
| matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels | ||
| map is equivalent to an element of matchExpressions, whose key field is "key", the | ||
| operator is "In", and the values array contains only "value". The requirements are ANDed. | ||
| type: object | ||
| type: object | ||
| x-kubernetes-map-type: atomic | ||
| nullable: true | ||
| type: array | ||
| type: object | ||
| serviceaccountrestriction: | ||
| description: serviceaccountrestriction matches against service-account | ||
| subjects. | ||
| nullable: true | ||
| properties: | ||
| namespaces: | ||
| description: namespaces specifies a list of literal namespace | ||
| names. | ||
| items: | ||
| type: string | ||
| type: array | ||
| serviceaccounts: | ||
| description: serviceaccounts specifies a list of literal service-account | ||
| names. | ||
| items: | ||
| description: |- | ||
| ServiceAccountReference specifies a service account and namespace by their | ||
| names. | ||
| properties: | ||
| name: | ||
| description: name is the name of the service account. | ||
| type: string | ||
| namespace: | ||
| description: |- | ||
| namespace is the namespace of the service account. Service accounts from | ||
| inside the whitelisted namespaces are allowed to be bound to roles. If | ||
| Namespace is empty, then the namespace of the RoleBindingRestriction in | ||
| which the ServiceAccountReference is embedded is used. | ||
| type: string | ||
| type: object | ||
| type: array | ||
| type: object | ||
| userrestriction: | ||
| description: userrestriction matches against user subjects. | ||
| nullable: true | ||
| properties: | ||
| groups: | ||
| description: groups specifies a list of literal group names. | ||
| items: | ||
| type: string | ||
| nullable: true | ||
| type: array | ||
| labels: | ||
| description: Selectors specifies a list of label selectors over | ||
| user labels. | ||
| items: | ||
| description: |- | ||
| A label selector is a label query over a set of resources. The result of matchLabels and | ||
| matchExpressions are ANDed. An empty label selector matches all objects. A null | ||
| label selector matches no objects. | ||
| properties: | ||
| matchExpressions: | ||
| description: matchExpressions is a list of label selector | ||
| requirements. The requirements are ANDed. | ||
| items: | ||
| description: |- | ||
| A label selector requirement is a selector that contains values, a key, and an operator that | ||
| relates the key and values. | ||
| properties: | ||
| key: | ||
| description: key is the label key that the selector | ||
| applies to. | ||
| type: string | ||
| operator: | ||
| description: |- | ||
| operator represents a key's relationship to a set of values. | ||
| Valid operators are In, NotIn, Exists and DoesNotExist. | ||
| type: string | ||
| values: | ||
| description: |- | ||
| values is an array of string values. If the operator is In or NotIn, | ||
| the values array must be non-empty. If the operator is Exists or DoesNotExist, | ||
| the values array must be empty. This array is replaced during a strategic | ||
| merge patch. | ||
| items: | ||
| type: string | ||
| type: array | ||
| x-kubernetes-list-type: atomic | ||
| required: | ||
| - key | ||
| - operator | ||
| type: object | ||
| type: array | ||
| x-kubernetes-list-type: atomic | ||
| matchLabels: | ||
| additionalProperties: | ||
| type: string | ||
| description: |- | ||
| matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels | ||
| map is equivalent to an element of matchExpressions, whose key field is "key", the | ||
| operator is "In", and the values array contains only "value". The requirements are ANDed. | ||
| type: object | ||
| type: object | ||
| x-kubernetes-map-type: atomic | ||
| nullable: true | ||
| type: array | ||
| users: | ||
| description: users specifies a list of literal user names. | ||
| items: | ||
| type: string | ||
| type: array | ||
| type: object | ||
| type: object | ||
| type: object | ||
| served: true | ||
| storage: true |
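Review bot: this hunk is a verbatim copy of the CRD owned by openshift/api (the `api-approved.openshift.io` annotation points at https://github.com/openshift/api/pull/470), so the real risk is silent drift between this bindata file and the upstream definition; the make target that copies the CRD should be paired with a verify target that diffs the two and fails CI, rather than relying on reviewers to notice a stale copy. Two details in the manifest are worth confirming against the other commits in this PR: `release.openshift.io/bootstrap-required: "true"` means this CRD must be available at bootstrap, so the new render subcommand for openshift/installer needs to emit this file and not only the operator's runtime static resources; and the single version is `v1` with `served: true` and `storage: true` and no conversion or status stanza, so any future schema change in openshift/api has to land here as a whole-file replacement, which is one more reason to gate the copy with a verify check.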
Just to make sure -- CI will run check, which means that bindata will also be verified, and in case there's a diff between the api copy and the local copy, we'll get a failed test, right?
Looking at https://github.com/openshift/release/blob/master/ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-master.yaml I don't actually think check is run in CI explicitly, but I added this here since it seemed like a natural fit. I'll plan to add a new CI check to run this make target today (although it will fail until this PR is merged).
Created openshift/release#61456 to add verify-bindata as an explicit CI check