* Add resource request and limit validation when creating a namespace
* Update test for number of namespace admitters
* cleaning up lint errors
* Allow for empty resource limit annotation to be present
* Update to allow for partial request/limits
* Revert "[0.6] Make sure to update the name in the mutator (#535)"
This reverts commit 7e0627b265.
* Revert "[v0.6] Populate backing namespace field for projects (#532)"
This reverts commit b17444735b.
* Move common annotations to resources/common
* Add new annotation to opt out of creatorID
* Add comments and unit tests
* Fix integration test
* Update annotation name
* Add annotation check to project and cluster
* Move annotation check to create
* Fix unit tests
* Verify ExternalRules in RoleTemplates
If the feature flag external-rules is enabled, the validation for RT follows this sequence:
- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.
For PRTB or CRTB:
- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.
The previous verification process applies if the external-rules feature flag is disabled.
* Allow Restricted Admin to update external-rules feature flag (#102)
---------
Co-authored-by: Raul Cabello Martin <raulcabm@gmail.com>
Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
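The five-step resolution sequence for RoleTemplates above, and the "does the caller already hold what the role grants" check that the later GlobalRole escalate/bind entries also rely on, as an added example. This is not code from rancher/webhook: the `PolicyRule`, `RoleTemplate` and `Requester` types are simplified stand-ins (the real webhook uses `rbacv1.PolicyRule` and upstream Kubernetes validation), `validateRule` is a minimal placeholder for that upstream validation, and the resolved rules being compared against the requester's own permissions is an assumption about how the resolved rule set is consumed.

```go
package main

import (
	"errors"
	"fmt"
)

// PolicyRule is a trimmed stand-in for rbacv1.PolicyRule (assumed shape).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// RoleTemplate is a trimmed stand-in for Rancher's RoleTemplate (assumed field names).
type RoleTemplate struct {
	Name          string
	External      bool
	ExternalRules []PolicyRule
}

// Requester is what the webhook has established about the caller (assumed shape).
type Requester struct {
	CanEscalateRoleTemplates bool         // holds the "escalate" verb on roletemplates
	Rules                    []PolicyRule // permissions the caller already holds
}

var (
	ErrEscalate  = errors.New("externalRules set but requester lacks escalate on roletemplates")
	ErrNoBacking = errors.New("no externalRules and no backing ClusterRole in the local cluster")
	ErrPrivilege = errors.New("requester does not hold every permission the role grants")
)

// validateRule is a minimal placeholder for upstream PolicyRule validation.
func validateRule(r PolicyRule) error {
	if len(r.Verbs) == 0 || len(r.Resources) == 0 {
		return errors.New("policy rule must specify at least one verb and one resource")
	}
	return nil
}

// ResolveRules applies steps 1-5 of the external-rules sequence for a RoleTemplate.
// backing is the rule set of the local ClusterRole, or nil when none exists.
func ResolveRules(rt RoleTemplate, req Requester, backing []PolicyRule) ([]PolicyRule, error) {
	hasExternal := len(rt.ExternalRules) > 0
	if hasExternal && !req.CanEscalateRoleTemplates { // 1) escalate is required for externalRules
		return nil, ErrEscalate
	}
	if rt.External { // 2) validate externalRules like rules, only when external is true
		for _, r := range rt.ExternalRules {
			if err := validateRule(r); err != nil {
				return nil, fmt.Errorf("roletemplate %q: %w", rt.Name, err)
			}
		}
	}
	if hasExternal { // 3) externalRules win when provided
		return rt.ExternalRules, nil
	}
	if backing != nil { // 4) otherwise use the backing ClusterRole
		return backing, nil
	}
	return nil, ErrNoBacking // 5) neither present: reject
}

// matches reports whether a rule field (with "*" wildcard) grants item.
func matches(have []string, item string) bool {
	for _, h := range have {
		if h == "*" || h == item {
			return true
		}
	}
	return false
}

// covers reports whether every (group, resource, verb) triple in want is granted by have.
func covers(have []PolicyRule, want PolicyRule) bool {
	for _, g := range want.APIGroups {
		for _, r := range want.Resources {
			for _, v := range want.Verbs {
				granted := false
				for _, h := range have {
					if matches(h.APIGroups, g) && matches(h.Resources, r) && matches(h.Verbs, v) {
						granted = true
						break
					}
				}
				if !granted {
					return false
				}
			}
		}
	}
	return true
}

// CheckNoEscalation rejects a resolved rule set that grants more than the requester holds.
func CheckNoEscalation(req Requester, resolved []PolicyRule) error {
	for _, r := range resolved {
		if !covers(req.Rules, r) {
			return fmt.Errorf("%w: %v", ErrPrivilege, r)
		}
	}
	return nil
}

func main() {
	pods := PolicyRule{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list"}}
	rt := RoleTemplate{Name: "example", External: true, ExternalRules: []PolicyRule{pods}}
	_, err := ResolveRules(rt, Requester{}, nil)
	fmt.Println("without escalate:", err)
	rules, err := ResolveRules(rt, Requester{CanEscalateRoleTemplates: true}, nil)
	fmt.Println("with escalate:", rules, err)
}
```

The coverage check expands every group/resource/verb triple and looks for a single held rule that grants it, which is what makes a wildcard `*` rule cover everything while a `get,list` rule fails to cover `delete`; the same subset test is what the escalate verb (and, for bindings, the bind verb) lets a caller bypass.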
* bump rancher to be able to use ExternalRules
* fix test conflict
---------
Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>
- Validate the user has enough permission to create/update the rules defined in InheritedFleetWorkspacePermissions.ResourceRules
- Validate the user has enough permission to create/update the rules that are generated based on the InheritedFleetWorkspacePermissions.WorkspaceVerbs
---------
Co-authored-by: Michael Bolot <michael.bolot@suse.com>
* Add role and rolebinding webhook validation. Add NamespacedRules escalation checks for GlobalRoles
* Update rancher/pkg/apis
* Fix linting issue
* Log error and add test for it
Adds support for the bind verb on globalRoles, which follows upstream
behavior and allows users to create/update a binding to a globalRole
that has >= permissions than their own.
Adds support for the escalate verb, like upstream, when checking for
escalation in global roles. This will allow users to change a global
role even if they don't have >= permissions of the target role.
The clusterName field of projects was already immutable in effect since
it needed to match the namespace, which is immutable. This makes it
explicitly immutable, and changes the check for cluster existence to only
occur on create requests.
Adds validation on clusterName and projectName for prtbs to make sure
they refer to existing projects/clusters and that the project refers to
the cluster in the spec.
Adds validation for the clusterName field for projects, and fixes an
unrelated error where error messages for globalRoleBindings indicated
their own name as the missing resource instead of the target GlobalRole.