Aggregate cluster-reader role

Turn cluster-reader into an aggregate-able role. Aggregate the view role
into cluster-reader and remove duplicates from the stock cluster-reader
role. Update test fixtures.

Author: Matt Rogers

pkg/cmd/server/bootstrappolicy/constants.go

@@ -53,22 +53,23 @@ const (
 
 // Roles
 const (
-	ClusterAdminRoleName       = "cluster-admin"
-	SudoerRoleName             = "sudoer"
-	ScopeImpersonationRoleName = "system:scope-impersonation"
-	ClusterReaderRoleName      = "cluster-reader"
-	StorageAdminRoleName       = "storage-admin"
-	ClusterDebuggerRoleName    = "cluster-debugger"
-	AdminRoleName              = "admin"
-	EditRoleName               = "edit"
-	ViewRoleName               = "view"
-	AggregatedAdminRoleName    = "system:openshift:aggregate-to-admin"
-	AggregatedEditRoleName     = "system:openshift:aggregate-to-edit"
-	AggregatedViewRoleName     = "system:openshift:aggregate-to-view"
-	SelfProvisionerRoleName    = "self-provisioner"
-	BasicUserRoleName          = "basic-user"
-	StatusCheckerRoleName      = "cluster-status"
-	SelfAccessReviewerRoleName = "self-access-reviewer"
+	ClusterAdminRoleName            = "cluster-admin"
+	SudoerRoleName                  = "sudoer"
+	ScopeImpersonationRoleName      = "system:scope-impersonation"
+	ClusterReaderRoleName           = "cluster-reader"
+	StorageAdminRoleName            = "storage-admin"
+	ClusterDebuggerRoleName         = "cluster-debugger"
+	AdminRoleName                   = "admin"
+	EditRoleName                    = "edit"
+	ViewRoleName                    = "view"
+	AggregatedAdminRoleName         = "system:openshift:aggregate-to-admin"
+	AggregatedEditRoleName          = "system:openshift:aggregate-to-edit"
+	AggregatedViewRoleName          = "system:openshift:aggregate-to-view"
+	AggregatedClusterReaderRoleName = "system:openshift:aggregate-to-cluster-reader"
+	SelfProvisionerRoleName         = "self-provisioner"
+	BasicUserRoleName               = "basic-user"
+	StatusCheckerRoleName           = "cluster-status"
+	SelfAccessReviewerRoleName      = "self-access-reviewer"
 
 	RegistryAdminRoleName  = "registry-admin"
 	RegistryViewerRoleName = "registry-viewer"

pkg/cmd/server/bootstrappolicy/policy.go

@@ -131,6 +131,12 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 			ObjectMeta: metav1.ObjectMeta{
 				Name: ClusterReaderRoleName,
 			},
+			AggregationRule: &rbacv1.AggregationRule{
+				ClusterRoleSelectors: []metav1.LabelSelector{{MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}}},
+			},
+		},
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: AggregatedClusterReaderRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}},
 			Rules: []rbacv1.PolicyRule{
 				rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "endpoints", "events", "limitranges",
 					"namespaces", "namespaces/status", "nodes", "nodes/status", "persistentvolumeclaims", "persistentvolumeclaims/status", "persistentvolumes",
@@ -173,30 +179,23 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 
 				rbacv1helpers.NewRule(read...).Groups(authzGroup, legacyAuthzGroup).Resources("clusterroles", "clusterrolebindings", "roles", "rolebindings", "rolebindingrestrictions").RuleOrDie(),
 
-				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "builds/details", "buildconfigs", "buildconfigs/webhooks", "builds/log").RuleOrDie(),
+				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/details").RuleOrDie(),
 
-				rbacv1helpers.NewRule(read...).Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs", "deploymentconfigs/scale", "deploymentconfigs/log",
-					"deploymentconfigs/status").RuleOrDie(),
-
-				rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures", "imagestreams", "imagestreamtags", "imagestreamimages",
-					"imagestreams/status").RuleOrDie(),
+				rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures").RuleOrDie(),
 				// pull images
 				rbacv1helpers.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(oauthGroup, legacyOauthGroup).Resources("oauthclientauthorizations").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(projectGroup, legacyProjectGroup).Resources("projectrequests", "projects").RuleOrDie(),
 
-				rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("appliedclusterresourcequotas", "clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
-
-				rbacv1helpers.NewRule(read...).Groups(routeGroup, legacyRouteGroup).Resources("routes", "routes/status").RuleOrDie(),
+				rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks", "egressnetworkpolicies", "hostsubnets", "netnamespaces").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(securityGroup, legacySecurityGroup).Resources("securitycontextconstraints").RuleOrDie(),
 				rbacv1helpers.NewRule(read...).Groups(securityGroup).Resources("rangeallocations").RuleOrDie(),
 
-				rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("templates", "templateconfigs", "processedtemplates", "templateinstances").RuleOrDie(),
 				rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("brokertemplateinstances", "templateinstances/status").RuleOrDie(),
 
 				rbacv1helpers.NewRule(read...).Groups(userGroup, legacyUserGroup).Resources("groups", "identities", "useridentitymappings", "users").RuleOrDie(),
@@ -215,10 +214,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 				rbacv1helpers.NewRule("get", "create").Groups(kapiGroup).Resources("nodes/" + NodeStatsSubresource).RuleOrDie(),
 
 				rbacv1helpers.NewRule("get").URLs(rbac.NonResourceAll).RuleOrDie(),
-
-				// backwards compatibility
-				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("buildlogs").RuleOrDie(),
-				rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("resourcequotausages").RuleOrDie(),
 			},
 		},
 		{
@@ -363,7 +358,10 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 		{
 			// a role for namespace level viewing.  It grants Read-only access to non-escalating resources in
 			// a namespace.
-			ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
+			ObjectMeta: metav1.ObjectMeta{Name: AggregatedViewRoleName, Labels: map[string]string{
+				"rbac.authorization.k8s.io/aggregate-to-view":           "true",
+				"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true",
+			}},
 			Rules: []rbacv1.PolicyRule{
 				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "buildconfigs", "buildconfigs/webhooks").RuleOrDie(),
 				rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/log").RuleOrDie(),
@@ -1010,8 +1008,9 @@ func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding {
 
 func GetBootstrapClusterRolesToAggregate() map[string]string {
 	return map[string]string{
-		AdminRoleName: AggregatedAdminRoleName,
-		EditRoleName:  AggregatedEditRoleName,
-		ViewRoleName:  AggregatedViewRoleName,
+		AdminRoleName:         AggregatedAdminRoleName,
+		EditRoleName:          AggregatedEditRoleName,
+		ViewRoleName:          AggregatedViewRoleName,
+		ClusterReaderRoleName: AggregatedClusterReaderRoleName,
 	}
 }

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -66,14 +66,29 @@ items:
     - userextras/scopes.authorization.openshift.io
     verbs:
     - impersonate
-- apiVersion: rbac.authorization.k8s.io/v1
+- aggregationRule:
+    clusterRoleSelectors:
+    - matchLabels:
+        rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+  apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     annotations:
       authorization.openshift.io/system-only: "true"
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     name: cluster-reader
+  rules: null
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    annotations:
+      authorization.openshift.io/system-only: "true"
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    labels:
+      rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+    name: system:openshift:aggregate-to-cluster-reader
   rules:
   - apiGroups:
     - ""
@@ -293,23 +308,7 @@ items:
     - ""
     - build.openshift.io
     resources:
-    - buildconfigs
-    - buildconfigs/webhooks
-    - builds
     - builds/details
-    - builds/log
-    verbs:
-    - get
-    - list
-    - watch
-  - apiGroups:
-    - ""
-    - apps.openshift.io
-    resources:
-    - deploymentconfigs
-    - deploymentconfigs/log
-    - deploymentconfigs/scale
-    - deploymentconfigs/status
     verbs:
     - get
     - list
@@ -320,10 +319,6 @@ items:
     resources:
     - images
     - imagesignatures
-    - imagestreamimages
-    - imagestreams
-    - imagestreams/status
-    - imagestreamtags
     verbs:
     - get
     - list
@@ -358,23 +353,12 @@ items:
     - ""
     - quota.openshift.io
     resources:
-    - appliedclusterresourcequotas
     - clusterresourcequotas
     - clusterresourcequotas/status
     verbs:
     - get
     - list
     - watch
-  - apiGroups:
-    - ""
-    - route.openshift.io
-    resources:
-    - routes
-    - routes/status
-    verbs:
-    - get
-    - list
-    - watch
   - apiGroups:
     - ""
     - network.openshift.io
@@ -404,18 +388,6 @@ items:
     - get
     - list
     - watch
-  - apiGroups:
-    - ""
-    - template.openshift.io
-    resources:
-    - processedtemplates
-    - templateconfigs
-    - templateinstances
-    - templates
-    verbs:
-    - get
-    - list
-    - watch
   - apiGroups:
     - ""
     - template.openshift.io
@@ -492,23 +464,6 @@ items:
     - '*'
     verbs:
     - get
-  - apiGroups:
-    - ""
-    - build.openshift.io
-    resources:
-    - buildlogs
-    verbs:
-    - get
-    - list
-    - watch
-  - apiGroups:
-    - ""
-    resources:
-    - resourcequotausages
-    verbs:
-    - get
-    - list
-    - watch
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
@@ -1170,6 +1125,7 @@ items:
       rbac.authorization.kubernetes.io/autoupdate: "true"
     creationTimestamp: null
     labels:
+      rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
       rbac.authorization.k8s.io/aggregate-to-view: "true"
     name: system:openshift:aggregate-to-view
   rules: