* Update dependency golangci/golangci-lint to v2
* Migrate the golangci config file.
* Fix golangci-lint-flagged problems
Most of them fall in these categories:
* stop ignoring returned errors from function calls
* Apply De Morgan's law to complex negative boolean expressions
* Delete unused local variables and struct fields
* Successfully get the linter to stop complaining about
uncommented global names
* If one import in a block has an import prefix, all must
* Deal with deprecated code
* Prefer switch-blocks to if/else if/...
* Remove unnecessary intermediate struct fields.
* Orphans are now deleted only via propagation-policy
* Stop checking goimports on generated files.
* Remove unused field comment
---------
Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>
Co-authored-by: Eric Promislow <epromislow@suse.com>
* Revert "[0.6] Make sure to update the name in the mutator (#535)"
This reverts commit 7e0627b265.
* Revert "[v0.6] Populate backing namespace field for projects (#532)"
This reverts commit b17444735b.
* Merge pull request #316 from thatmidwesterncoder/toleration_validation (#459)
Add validation to Toleration and Affinity keys
* Bump to k8s 1.31
* Bump the maximum supported k8s version to 1.31
* Bump other k8s modules to be consistent with k8s 1.31
* Bump to versions of lasso and wrangler that support k8s 1.31
* Move to the go-uber gomock module.
* Update the wrangler module.
* Correct the mockgen install command.
* And re-correct the 'go install ... mockgen' command.
---------
Co-authored-by: Jacob Lindgren <jacob.lindgren@suse.com>
* Verify ExternalRules in RoleTemplates
If the feature flag external-rules is enabled, the validation for RT follows this sequence:
- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.
For PRTB or CRTB:
- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.
The previous verification process applies if the external-rules feature flag is disabled.
* Allow Restricted Admin to update external-rules feature flag (#102)
---------
Co-authored-by: Raul Cabello Martin <raulcabm@gmail.com>
Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
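The five-step RoleTemplate sequence and the two-step PRTB/CRTB sequence above, written out as a resolver so the ordering is explicit (the escalation check fires before rule validation, and validation runs only when `external` is true). This is an added example, not code from the rancher/webhook project: the `PolicyRule`, `RoleTemplate` and `ClusterRole` types, the `validateRules` stand-in for upstream Kubernetes validation, and the `userCanEscalate` flag are all assumptions, and the code assumes the external-rules feature flag is enabled.

```go
package main

import (
	"errors"
	"fmt"
)

// PolicyRule is a simplified stand-in for the Kubernetes rbacv1.PolicyRule
// (assumption: constructed for this example, not the project's own type).
type PolicyRule struct {
	Verbs           []string
	APIGroups       []string
	Resources       []string
	NonResourceURLs []string
}

// RoleTemplate holds only the fields the resolution sequence looks at.
type RoleTemplate struct {
	Name          string
	External      bool
	ExternalRules []PolicyRule
}

// ClusterRole is the backing ClusterRole in the local cluster, if any.
type ClusterRole struct {
	Name  string
	Rules []PolicyRule
}

var (
	ErrEscalation           = errors.New("externalRules set but user lacks escalate on roletemplates")
	ErrNoBackingClusterRole = errors.New("no externalRules and no backing ClusterRole in the local cluster")
)

// validateRules is a minimal stand-in for the upstream Kubernetes PolicyRule
// validation the commit message refers to (assumption: the real webhook calls
// the upstream validator, which checks more than this).
func validateRules(rules []PolicyRule) error {
	for i, r := range rules {
		if len(r.Verbs) == 0 {
			return fmt.Errorf("externalRules[%d]: verbs must not be empty", i)
		}
		switch {
		case len(r.Resources) > 0 && len(r.NonResourceURLs) > 0:
			return fmt.Errorf("externalRules[%d]: resources and nonResourceURLs are mutually exclusive", i)
		case len(r.Resources) == 0 && len(r.NonResourceURLs) == 0:
			return fmt.Errorf("externalRules[%d]: resources or nonResourceURLs must be set", i)
		}
	}
	return nil
}

// ResolveRoleTemplateRules applies steps 1-5 for a RoleTemplate with the
// external-rules feature flag enabled. backing is nil when the local cluster
// has no backing ClusterRole.
func ResolveRoleTemplateRules(rt RoleTemplate, backing *ClusterRole, userCanEscalate bool) ([]PolicyRule, error) {
	if len(rt.ExternalRules) > 0 {
		// Step 1: the escalation check comes before anything else.
		if !userCanEscalate {
			return nil, ErrEscalation
		}
		// Step 2: validate the rules only when external is true.
		if rt.External {
			if err := validateRules(rt.ExternalRules); err != nil {
				return nil, err
			}
		}
		// Step 3: externalRules are used when provided.
		return rt.ExternalRules, nil
	}
	// Step 4: fall back to the backing ClusterRole.
	if backing != nil {
		return backing.Rules, nil
	}
	// Step 5: nothing to resolve from.
	return nil, ErrNoBackingClusterRole
}

// ResolveBindingRules is the two-step PRTB/CRTB sequence: externalRules if
// provided, otherwise the backing ClusterRole.
func ResolveBindingRules(rt RoleTemplate, backing *ClusterRole) ([]PolicyRule, error) {
	if len(rt.ExternalRules) > 0 {
		return rt.ExternalRules, nil
	}
	if backing != nil {
		return backing.Rules, nil
	}
	return nil, ErrNoBackingClusterRole
}

func main() {
	rt := RoleTemplate{Name: "external-reader", External: true,
		ExternalRules: []PolicyRule{{Verbs: []string{"get", "list"}, APIGroups: []string{""}, Resources: []string{"pods"}}}}
	_, err := ResolveRoleTemplateRules(rt, nil, false)
	fmt.Println("without escalate:", err)
	rules, err := ResolveRoleTemplateRules(rt, nil, true)
	fmt.Println("with escalate:", rules, err)
}
```

The point worth noticing in the ordering is that a user without `escalate` is rejected even when the supplied rules are malformed, so the validation error never leaks details to a caller who is not permitted to set `externalRules` at all.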
* bump rancher to be able to use ExternalRules
* fix test conflict
---------
Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>
- Validate the user has enough permission to create/update the rules defined in InheritedFleetWorkspacePermissions.ResourceRules
- Validate the user has enough permission to create/update the rules that are generated based on the InheritedFleetWorkspacePermissions.WorkspaceVerbs
---------
Co-authored-by: Michael Bolot <michael.bolot@suse.com>
* Add role and rolebinding webhook validation. Add NamespacedRules escalation checks for GlobalRoles
* Update rancher/pkg/apis
* Fix linting issue
* Log error and add test for it
Adds support for the bind verb on globalRoles, which follows upstream
behavior and allows users to create/update a binding to a globalRole
that has >= permissions than their own.
Adds support for the escalate verb, like upstream, when checking for
escalation in global roles. This will allow users to change a global
role even if they don't have >= permissions of the target role.
Adds validation on clusterName and projectName for prtbs to make sure
they refer to existing projects/clusters and that the project refers to
the cluster in the spec.
Adds validation for the clusterName field for projects, and fixes an
unrelated error where error messages for globalRoleBindings indicated
their own name as the missing resource instead of the target GlobalRole.
Adds validations for inheritedClusterRoles, including checks
to validate bound roleTemplates are not locked and have a cluster
context, a check to make sure roleTemplates in use by global roles
can't be deleted, an escalation check for the inheritedClusterRoles field,
and a new GlobalRoleResolver to assist with escalation checks.
Adds validation on the grb owner label, allowing crtbs with this label
to use locked roleTemplates, and preventing users from changing this
value or setting it to an invalid grb.
Refactor code that was largely copied from the norman store in Rancher:
- rename variables and functions for clarity
- break up functions into logical units
- rename imports according to standard conventions and for clarity
- remove the ephemeral updates to the used quota object,
quotav1.LessThanOrEqual already does not compare resources that aren't
present in both objects[1]
- remove project mutex. Only one goroutine (the webhook) should be
accessing the project and its namespaces. Callers (rancher/rancher)
should implement their own lock before counting namespaces.
- remove default namespace quota check, which is not useful since it
does not have any impact on existing namespaces
[1] d2172f30e1/pkg/quota/v1/resources.go (L50-L62)
New validations:
- prohibit deleting the system project
- check that quota fields are consistent with one another and sufficient
for existing quota usage
New mutations:
- adds creator-role-bindings annotation
Add the ability to authenticate incoming requests, verifying that all
requests originate from the Kubernetes API server and nowhere else.
Authenticating the API server requires manual steps to configure both
the API server and the webhook. Follow the Kubernetes webhook
documentation[1] to create an admission configuration and kubeconfig for
the API server, and update the kube-apiserver flags to use them. Only
cert-based authentication is supported; basic auth and token
authentication will not be recognized. Then, set auth.clientCA in the
webhook chart's values.yaml to the base64-encoded CA for the certs, and
set auth.allowedCNs to the CN for the client cert the apiserver will
present.
[1] https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers
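The check the two chart values describe, shown end to end: the presented client certificate must chain to the CA given in auth.clientCA and carry a CN listed in auth.allowedCNs. This is an added example, not the webhook's own authentication code; the `newCert` helper, the CA and client certificates it generates in memory, and the CN `kube-apiserver` are all constructed for the example. Three cases are exercised: a CA-issued certificate with the allowed CN, a CA-issued certificate with a different CN, and a self-signed certificate that reuses the allowed CN but was not issued by the configured CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate with the given CN. With parent == nil the
// certificate is self-signed; otherwise it is signed by parent/parentKey.
// (Assumption: in-memory test certificates, not production PKI.)
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// AuthenticateAPIServer mirrors the two chart settings: the presented
// certificate must chain to clientCA (auth.clientCA) and carry a CN listed
// in allowedCNs (auth.allowedCNs). Anything else is rejected.
func AuthenticateAPIServer(clientCA *x509.Certificate, allowedCNs []string, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(clientCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("client certificate not issued by the configured CA: %w", err)
	}
	for _, cn := range allowedCNs {
		if presented.Subject.CommonName == cn {
			return nil
		}
	}
	return fmt.Errorf("client certificate CN %q is not in auth.allowedCNs", presented.Subject.CommonName)
}

// RunScenario builds a CA plus three client certificates (all constructed in
// memory) and reports which ones the webhook would accept.
func RunScenario() (map[string]bool, error) {
	ca, caKey, err := newCert("example-webhook-client-ca", true, nil, nil)
	if err != nil {
		return nil, err
	}
	apiserver, _, err := newCert("kube-apiserver", false, ca, caKey)
	if err != nil {
		return nil, err
	}
	otherCN, _, err := newCert("some-other-client", false, ca, caKey)
	if err != nil {
		return nil, err
	}
	// Same CN as the API server, but self-signed: not issued by the configured CA.
	untrusted, _, err := newCert("kube-apiserver", false, nil, nil)
	if err != nil {
		return nil, err
	}
	allowed := []string{"kube-apiserver"}
	results := map[string]bool{}
	for name, cert := range map[string]*x509.Certificate{"apiserver": apiserver, "other-cn": otherCN, "self-signed": untrusted} {
		results[name] = AuthenticateAPIServer(ca, allowed, cert) == nil
	}
	return results, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-12s accepted=%v\n", name, ok)
	}
}
```

In a real server the chain verification is normally done by the TLS layer (`tls.RequireAndVerifyClientCert` with `ClientCAs` set to the CA from auth.clientCA), and only the CN comparison needs to run in the request handler; the example keeps both steps in one function so the order of checks is visible.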