In order to provide RBAC access to rke-machine-configs created by a user, a
creatorID annotation is added as a mutation webhook on create. In addition, a
validation webhook is added, similar to the provisioning cluster objects, so
that the creatorID annotation can only be updated in certain situations.
In order to validate objects, the new and old objects, if they exist,
should be pulled from the webhook request. This process is identical for
all objects except that the return types would be different. This is a
candidate for code generation, and this generation is added.
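Added example, not code from the Rancher webhook itself: a generic old/new object decode in Go (an alternative to the generated per-type code the message mentions) feeding a creatorID validation for rke-machine-configs. The reduced AdmissionRequest type, the MachineConfig shape and the annotation key are assumptions, and the validator allows no exceptions because the message does not spell out the situations in which the annotation may change.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Reduced stand-in for the Kubernetes AdmissionRequest (assumption: only the fields used here).
type AdmissionRequest struct {
	Object    json.RawMessage // new object, empty on DELETE
	OldObject json.RawMessage // previous object, empty on CREATE
}

type MachineConfig struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// Assumed annotation key; the commit text only calls it "creatorID".
const creatorIDAnnotation = "field.cattle.io/creatorId"

// decodeObjects pulls the new and old objects, when present, out of the
// request: one generic function in place of a generated per-type copy.
func decodeObjects[T any](req AdmissionRequest) (newObj, oldObj *T, err error) {
	for _, p := range []struct {
		raw json.RawMessage
		dst **T
	}{{req.Object, &newObj}, {req.OldObject, &oldObj}} {
		if len(p.raw) == 0 {
			continue // no old object on CREATE, no new object on DELETE
		}
		*p.dst = new(T)
		if err = json.Unmarshal(p.raw, *p.dst); err != nil {
			return nil, nil, fmt.Errorf("decoding admission object: %w", err)
		}
	}
	return newObj, oldObj, nil
}

// validateCreatorID rejects an update that changes the annotation (assumption: no exception cases).
func validateCreatorID(req AdmissionRequest) error {
	n, o, err := decodeObjects[MachineConfig](req)
	if err != nil || n == nil || o == nil {
		return fmt.Errorf("update needs both old and new object: %v", err)
	}
	if n.Metadata.Annotations[creatorIDAnnotation] != o.Metadata.Annotations[creatorIDAnnotation] {
		return fmt.Errorf("annotation %s may not be changed", creatorIDAnnotation)
	}
	return nil
}
```

On the create path the mutating webhook would set the same annotation from the request's user info before this validation ever sees an update.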
Problem:
Adding the role restricted-admin in rancher requires validation of
objects through different means to validate the user doing the action.
Solution:
Add webhook validation to GRBs, PRTBs and CRTBs.
GRBs: Validation is done to ensure the GRB being created by the user will
not cause escalated privileges so the user creating the GRB must have at
minimum the permissions they are attempting to grant through the GRB.
PRTBs and CRTBs: The same check is done for both. First validation is
only done on the local cluster. Then a subject access review is done for
the requester checking that they have '**' access in the local cluster.