* Update dependency golangci/golangci-lint to v2
* Migrate the golangci config file.
* Fix golangci-lint-flagged problems
Most of them fall in these categories:
* stop ignoring returned errors from function calls
* Apply De Morgan's law to complex negative boolean expressions
* Delete unused local variables and struct fields
* Successfully get the linter to stop complaining about uncommented global names
* If one import in a block has an import prefix, all must
* Deal with deprecated code
* Prefer switch-blocks to if/else if/...
* Remove unnecessary intermediate struct fields.
* Orphans are now deleted only via propagation-policy
* Stop checking goimports on generated files.
* Remove unused field comment
---------
Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>
Co-authored-by: Eric Promislow <epromislow@suse.com>
* Merge pull request #316 from thatmidwesterncoder/toleration_validation (#459)
Add validation to Toleration and Affinity Keys
* Bump to k8s 1.31
* Bump the maximum supported k8s version to 1.31
* Bump other k8s modules to be consistent with k8s 1.31
* Bump to versions of lasso and wrangler that support k8s 1.31
* Move to the go-uber gomock module.
* Update the wrangler module.
* Correct the mockgen install command.
* And re-correct the 'go install ... mockgen' command.
---------
Co-authored-by: Jacob Lindgren <jacob.lindgren@suse.com>
* Move common annotations to resources/common
* Add new annotation to opt out of creatorID
* Add comments and unit tests
* Fix integration test
* Update annotation name
* Add annotation check to project and cluster
* Move annotation check to create
* Fix unit tests
* Verify ExternalRules in RoleTemplates
If the feature flag external-rules is enabled, the validation for RT follows this sequence:
- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.
For PRTB or CRTB:
- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.
The previous verification process applies if the external-rules feature flag is disabled.
* Allow Restricted Admin to update external-rules feature flag (#102)
---------
Co-authored-by: Raul Cabello Martin <raulcabm@gmail.com>
Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
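The two decision sequences above (the RoleTemplate path and the shorter PRTB/CRTB path) are easy to get subtly wrong in review, so here is the same ordering written out as plain Go. This is an added illustration, not code from the rancher/webhook repository: the `Rule`, `RoleTemplate` and `ClusterRole` types are constructed stand-ins for the real RBAC and Rancher types, `validateRules` stands in for the upstream Kubernetes policy-rule validation that step 2 delegates to, and the "feature flag disabled" branch is modelled as the pre-existing backing-ClusterRole lookup, which is an assumption about what "the previous verification process" means.

```go
package main

import (
	"errors"
	"fmt"
)

// Rule is a constructed stand-in for an RBAC PolicyRule (verbs + resources only).
type Rule struct {
	Verbs     []string
	Resources []string
}

// RoleTemplate keeps only the fields the validation sequence looks at (assumed shape).
type RoleTemplate struct {
	Name          string
	External      bool   // "external" flag from the commit message
	ExternalRules []Rule // "externalRules" from the commit message
}

// ClusterRole models the backing ClusterRole in the local cluster.
type ClusterRole struct {
	Rules []Rule
}

var (
	ErrEscalate      = errors.New("externalRules provided but requester lacks escalate on roletemplates")
	ErrNoBackingRole = errors.New("no externalRules and no backing ClusterRole in the local cluster")
	ErrInvalidRule   = errors.New("externalRules contain an invalid policy rule")
)

// validateRules is a minimal stand-in for upstream k8s PolicyRule validation (step 2):
// every rule must name at least one verb and one resource.
func validateRules(rules []Rule) error {
	for _, r := range rules {
		if len(r.Verbs) == 0 || len(r.Resources) == 0 {
			return ErrInvalidRule
		}
	}
	return nil
}

// ResolveRoleTemplateRules applies the five-step RoleTemplate sequence when the
// external-rules feature flag is enabled. canEscalate is the result of the
// requester's escalate check on RoleTemplates (computed elsewhere, e.g. via SAR).
func ResolveRoleTemplateRules(rt RoleTemplate, backing *ClusterRole, featureEnabled, canEscalate bool) ([]Rule, error) {
	if !featureEnabled {
		// Assumption: the previous process resolves only through the backing ClusterRole.
		if backing == nil {
			return nil, ErrNoBackingRole
		}
		return backing.Rules, nil
	}
	hasExternal := len(rt.ExternalRules) > 0
	if hasExternal && !canEscalate { // step 1
		return nil, ErrEscalate
	}
	if rt.External { // step 2: validated only when external is set to true
		if err := validateRules(rt.ExternalRules); err != nil {
			return nil, err
		}
	}
	if hasExternal { // step 3
		return rt.ExternalRules, nil
	}
	if backing != nil { // step 4
		return backing.Rules, nil
	}
	return nil, ErrNoBackingRole // step 5
}

// ResolveBindingRules is the PRTB/CRTB path: externalRules if present, else the backing ClusterRole.
func ResolveBindingRules(rt RoleTemplate, backing *ClusterRole) ([]Rule, error) {
	if len(rt.ExternalRules) > 0 {
		return rt.ExternalRules, nil
	}
	if backing != nil {
		return backing.Rules, nil
	}
	return nil, ErrNoBackingRole
}

func main() {
	// Constructed sample: an external RoleTemplate with one rule, requester cannot escalate.
	rt := RoleTemplate{Name: "demo", External: true,
		ExternalRules: []Rule{{Verbs: []string{"get"}, Resources: []string{"pods"}}}}
	_, err := ResolveRoleTemplateRules(rt, nil, true, false)
	fmt.Println("without escalate:", err)
	rules, err := ResolveRoleTemplateRules(rt, nil, true, true)
	fmt.Println("with escalate:", rules, err)
}
```

Note the ordering: the escalate check (step 1) runs before rule validation (step 2), so a requester without escalate permission is rejected regardless of whether the supplied rules are well-formed, and the backing ClusterRole is consulted only when no externalRules were supplied at all.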
* bump rancher to be able to use ExternalRules
* fix test conflict
---------
Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>
- Validate the user has enough permissions to create/update the rules defined in InheritedFleetWorkspacePermissions.ResourceRules
- Validate the user has enough permissions to create/update the rules that are generated based on the InheritedFleetWorkspacePermissions.WorkspaceVerbs
---------
Co-authored-by: Michael Bolot <michael.bolot@suse.com>
Removes an exception given to allow admin users to have * on
inheritedClusterRoles. This will no longer be necessary due to us honoring
the escalate and bind verbs.
Adds validations for inheritedClusterRoles, including checks
to validate bound roleTemplates are not locked and have a cluster
context, a check to make sure roleTemplates in use by global roles
can't be deleted, an escalation check for the inheritedClusterRoles field,
and a new GlobalRoleResolver to assist with escalation checks.
EscalationChecker struct has been replaced with static functions.
All function changes have associated unit tests.
The Wrangler version was bumped to add testing capabilities to the
validators, which required a k8s version bump to 1.24.2.
Problem:
Adding the role restricted-admin in rancher requires validation of
objects through different means to validate the user doing the action
Solution:
Add webhook validation to GRBs, PRTBs and CRTBs.
GRBs: Validation is done to ensure the GRB being created by the user will
not cause escalated privileges so the user creating the GRB must have at
minimum the permissions they are attempting to grant through the GRB
PRTBs and CRTBs: The same check is done for both. First validation is
only done on the local cluster. Then a subject access review is done for
the requester checking that they have '**' access in the local cluster.
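The GRB rule above ("the user creating the GRB must have at minimum the permissions they are attempting to grant") is a rule-coverage check. The following is an added illustration of that check, not the webhook's own implementation and not the upstream `rbac/validation.Covers` code: it breaks each granted rule into (apiGroup, resource, verb) atoms and requires that some rule already held by the requester covers every atom, with `*` as the wildcard. Splitting into atoms matters because a single granted rule (get+list pods) may be covered only by two separate requester rules. The `Rule` type and the sample rule sets are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a constructed stand-in for an RBAC PolicyRule.
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// atom is one concrete (group, resource, verb) permission a rule grants.
type atom struct {
	Group, Resource, Verb string
}

func (a atom) String() string {
	return fmt.Sprintf("%s/%s:%s", a.Group, a.Resource, a.Verb)
}

// atoms expands a rule into every permission triple it grants.
func atoms(r Rule) []atom {
	var out []atom
	for _, g := range r.APIGroups {
		for _, res := range r.Resources {
			for _, v := range r.Verbs {
				out = append(out, atom{g, res, v})
			}
		}
	}
	return out
}

// contains reports whether have includes want or the wildcard "*".
func contains(have []string, want string) bool {
	for _, h := range have {
		if h == "*" || h == want {
			return true
		}
	}
	return false
}

// ruleCoversAtom reports whether a single held rule grants the atom.
func ruleCoversAtom(r Rule, a atom) bool {
	return contains(r.APIGroups, a.Group) && contains(r.Resources, a.Resource) && contains(r.Verbs, a.Verb)
}

// Covers returns true when every atom of every granted rule is covered by some
// requester rule; otherwise it returns false and the uncovered atoms.
func Covers(requester, granted []Rule) (bool, []atom) {
	var missing []atom
	for _, g := range granted {
		for _, a := range atoms(g) {
			covered := false
			for _, r := range requester {
				if ruleCoversAtom(r, a) {
					covered = true
					break
				}
			}
			if !covered {
				missing = append(missing, a)
			}
		}
	}
	return len(missing) == 0, missing
}

// CheckGRBEscalation is the admission-style wrapper: nil means the binding may be
// created; a non-nil error names the permissions the requester does not hold.
func CheckGRBEscalation(requester, granted []Rule) error {
	ok, missing := Covers(requester, granted)
	if ok {
		return nil
	}
	names := make([]string, 0, len(missing))
	for _, m := range missing {
		names = append(names, m.String())
	}
	return fmt.Errorf("escalation denied: requester lacks %s", strings.Join(names, ", "))
}

func main() {
	// Constructed sample: requester holds get and list on pods via two separate rules.
	requester := []Rule{
		{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get"}},
		{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"list"}},
	}
	grant := []Rule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list"}}}
	fmt.Println("get+list pods:", CheckGRBEscalation(requester, grant))
	escalate := []Rule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"create"}}}
	fmt.Println("create pods:", CheckGRBEscalation(requester, escalate))
}
```

A requester holding `*`/`*`:`*` covers any granted rule, which is what the "'**' access in the local cluster" subject access review in the commit message is checking for before the cluster-scoped bindings are allowed through.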