* Update dependency golangci/golangci-lint to v2
* Migrate the golangci config file.
* Fix golangci-lint-flagged problems
Most of them fall in these categories:
* stop ignoring returned errors from function calls
* Apply De Morgan's law to complex negative boolean expressions
* Delete unused local variables and struct fields
* Successfully get the linter to stop complaining about uncommented global names
* If one import in a block has an import prefix, all must
* Deal with deprecated code
* Prefer switch-blocks to if/else if/...
* Remove unnecessary intermediate struct fields.
* Orphans are now deleted only via propagation-policy
* Stop checking goimports on generated files.
* Remove unused field comment
---------
Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>
Co-authored-by: Eric Promislow <epromislow@suse.com>
* Upgrade go version to 1.23
Signed-off-by: Vatsal Parekh <vatsalparekh@outlook.com>
* Update golangci-lint to v1.63.4 for Go 1.23 support
* Add codegen fix for Go 1.23 support
---------
Signed-off-by: Vatsal Parekh <vatsalparekh@outlook.com>
Co-authored-by: Tom Lebreux <tom.lebreux@suse.com>
* Verify ExternalRules in RoleTemplates
If the feature flag external-rules is enabled, the validation for RT follows this sequence:
- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.
For PRTB or CRTB:
- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.
The previous verification process applies if the external-rules feature flag is disabled.
* Allow Restricted Admin to update external-rules feature flag (#102)
---------
Co-authored-by: Raul Cabello Martin <raulcabm@gmail.com>
Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
* bump rancher to be able to use ExternalRules
* fix test conflict
---------
Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>
- Validate that the user has enough permission to create/update the rules defined in InheritedFleetWorkspacePermissions.ResourceRules
- Validate that the user has enough permission to create/update the rules that are generated based on the InheritedFleetWorkspacePermissions.WorkspaceVerbs
---------
Co-authored-by: Michael Bolot <michael.bolot@suse.com>
* Add role and rolebinding webhook validation. Add NamespacedRules escalation checks for GlobalRoles
* Update rancher/pkg/apis
* Fix linting issue
* Log error and add test for it
Adds validation on clusterName and projectName for prtbs to make sure
they refer to existing projects/clusters and that the project refers to
the cluster in the spec
Adds validation on the grb owner label, allowing crtbs with this label
to use locked roleTemplates, and preventing users from changing this
value or setting it to an invalid grb
New validations:
- prohibit deleting the system project
- check that quota fields are consistent with one another and sufficient
for existing quota usage
New mutations:
- adds creator-role-bindings annotation
In order to provide RBAC access to rke-machine-configs created by a user, a
creatorID annotation is added as a mutation webhook on create. In addition, a
validation webhook is added, similar to the provisioning cluster objects, so
that the creatorID annotation can only be updated in certain situations.
In order to validate objects, the new and old objects, if they exist,
should be pulled from the webhook request. This process is identical for
all objects except that the return types would be different. This is a
candidate for code generation, and this generation is added.
Problem:
Adding the role restricted-admin in rancher requires validation of
objects through different means to validate the user doing the action
Solution:
Add webhook validation to GRBs PRTBs and CRTBs.
GRBs: Validation is done to ensure the GRB being created by the user will
not cause escalated privileges so the user creating the GRB must have at
minimum the permissions they are attempting to grant through the GRB
PRTBs and CRTBs: The same check is done for both. First validation is
only done on the local cluster. Then a subject access review is done for
the requester checking that they have '**' access in the local cluster.
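The escalation rule that several of these commits describe (the requester of a GRB, PRTB or CRTB, or of a RoleTemplate with externalRules, must already hold every permission the object would grant) comes down to a "covers" check over RBAC policy rules. The following Go program is an added illustration of that check and is not code from rancher/webhook; it uses a trimmed-down `PolicyRule` struct standing in for the rbac/v1 type, a simplified matching model (exact match, `*`, and `resource/*` subresource wildcards; resourceNames and nonResourceURLs are left out), and constructed sample rules. Function names such as `Covers` and `ValidateBinding` are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a trimmed-down stand-in (an assumption of this example) for
// the rbac/v1 PolicyRule shape: a rule grants verbs x apiGroups x resources.
type PolicyRule struct {
	Verbs     []string
	APIGroups []string
	Resources []string
}

// atom is one concrete (verb, group, resource) permission that a rule grants.
type atom struct{ verb, group, resource string }

// expand breaks rules into the individual atoms they grant, so that each
// requested permission can be checked on its own against the requester.
func expand(rules []PolicyRule) []atom {
	var out []atom
	for _, r := range rules {
		for _, v := range r.Verbs {
			for _, g := range r.APIGroups {
				for _, res := range r.Resources {
					out = append(out, atom{v, g, res})
				}
			}
		}
	}
	return out
}

// fieldMatches reports whether one value held by the requester covers the
// requested value: exact match, the "*" wildcard, or a "pods/*"-style
// subresource wildcard. A requested "*" is only covered by a held "*".
func fieldMatches(held, requested string) bool {
	if held == "*" || held == requested {
		return true
	}
	if strings.HasSuffix(held, "/*") {
		return strings.HasPrefix(requested, strings.TrimSuffix(held, "*"))
	}
	return false
}

func anyMatch(held []string, requested string) bool {
	for _, h := range held {
		if fieldMatches(h, requested) {
			return true
		}
	}
	return false
}

// ruleCovers reports whether a single held rule grants the given atom.
func ruleCovers(held PolicyRule, a atom) bool {
	return anyMatch(held.Verbs, a.verb) &&
		anyMatch(held.APIGroups, a.group) &&
		anyMatch(held.Resources, a.resource)
}

// Covers returns true when every permission in requested is already granted
// by held; otherwise it returns false and the list of uncovered atoms, which
// is what a webhook would report back in its denial message.
func Covers(held, requested []PolicyRule) (bool, []atom) {
	var missing []atom
	for _, a := range expand(requested) {
		covered := false
		for _, h := range held {
			if ruleCovers(h, a) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, a)
		}
	}
	return len(missing) == 0, missing
}

// ValidateBinding models the webhook decision for a binding or role that
// would grant `grant`: the requester may only hand out what they hold.
func ValidateBinding(requesterRules, grant []PolicyRule) error {
	ok, missing := Covers(requesterRules, grant)
	if ok {
		return nil
	}
	m := missing[0]
	return fmt.Errorf("escalation denied: requester lacks %d permission(s), e.g. %s %s/%s",
		len(missing), m.verb, m.group, m.resource)
}

func main() {
	// Constructed sample: the requester can only read pods, but the object
	// they are creating would grant every verb on secrets.
	requester := []PolicyRule{{Verbs: []string{"get", "list"}, APIGroups: []string{""}, Resources: []string{"pods"}}}
	grant := []PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{""}, Resources: []string{"secrets"}}}
	fmt.Println(ValidateBinding(requester, grant))
}
```

The atom-by-atom expansion is what makes the check sound against partial overlap: a requester holding `get` on pods and `*` on configmaps does not cover `get` on a rule listing both resources with `*` verbs, because each (verb, group, resource) triple has to be covered by some single held rule.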