Vatsal Parekh
9d7db6b376
Typo fix
...
Signed-off-by: Vatsal Parekh <vatsalparekh@outlook.com>
2024-04-01 17:52:21 +05:30
Vatsal Parekh
40556337bc
Correct validating logic
...
Signed-off-by: Vatsal Parekh <vatsalparekh@outlook.com>
2024-04-01 17:52:21 +05:30
Vatsal Parekh
89f65970b4
Update docs for cluster context
...
Signed-off-by: Vatsal Parekh <vatsalparekh@outlook.com>
2024-04-01 17:52:21 +05:30
Vatsal Parekh
2148872946
Add unit test
...
Signed-off-by: Vatsal Parekh <vatsalparekh@outlook.com>
2024-04-01 17:52:21 +05:30
Vatsal Parekh
5493772417
Add validation to not admit RoleTemplates with both context=cluster & ProjectCreatorDefault=true
...
Signed-off-by: Vatsal Parekh <vatsalparekh@outlook.com>
2024-04-01 17:52:21 +05:30
Tom Lebreux
49160dee86
Add support for k8s 1.28 (#341)
2024-03-27 16:56:34 -04:00
Jonathan Crowther
8fe5a897de
Upgrade golangci-lint and fix all warnings/errors (#346)
2024-03-27 16:42:40 -04:00
Tom Lebreux
128b387a3c
Remove CAPI webhook (#338)
2024-03-19 13:24:29 -04:00
Tom Lebreux
e0d3de431b
Validate RoleTemplate as non-namespaced
2024-02-15 16:12:13 -05:00
Max Sokolovsky
75e382d09c
Merge pull request #326 from maxsokolovsky/2.9-validate-container-default-resource-limit
...
Validate container default resource limit on projects
2024-02-13 09:33:52 -05:00
Max Sokolovsky
41ae77d524
Validate container default resource limit on projects
2024-02-12 14:24:54 -05:00
Andreas Kupries
9884b4f045
address comment: drop superfluous CheckForVerbs
...
note: drop/inline `validateFields`
fix: fields paths reported for globalroles
2024-01-30 10:36:07 +01:00
Andreas Kupries
1d29e934e6
address comment: simplify ValidateRules
2024-01-30 10:27:13 +01:00
Andreas Kupries
d7910fe65c
address comment: simplify unit tests, drop dependency on exact error message
2024-01-30 10:26:31 +01:00
Andreas Kupries
aa922f09d0
chore: updated roletemplate, globalrole documentation
...
chore: regenerated main documentation file
2024-01-29 13:22:36 +01:00
Andreas Kupries
c26d327d39
fix: added proper rule validation to roletemplate
...
note: possible superfluousness of CheckForVerbs
2024-01-29 12:54:55 +01:00
Andreas Kupries
a13fbcb2aa
refactor: moved globalrole.validateRules to common.ValidateRules
...
fix: extended field path with proper index information for validated rule
chore: created unit tests for ValidateRules
2024-01-29 12:54:28 +01:00
Tom Lebreux
9392f57ca1
Evaluate Rules from external RT with project context
...
This fixes a bug where a project owner is not able to give some
privileges that they have because those aren't accounted for in the
webhook.
2024-01-16 13:05:39 -05:00
Tom Lebreux
23408dae65
Fix inherted -> inherited typo
2024-01-16 13:05:19 -05:00
Jonathan Crowther
b18c38740a
Add webhook checks for NamespacedRules (#309)
...
* Add role and rolebinding webhook validation. Add NamespacedRules escalation checks for GlobalRoles
* Update rancher/pkg/apis
* Fix linting issue
* Log error and add test for it
2024-01-15 17:17:15 -05:00
Jacob Lindgren
9253ca52d1
`go generate` to update copyright year
2024-01-11 10:06:31 -06:00
Kevin Joiner
b5a9aaf8a0
Update docs gen to use cmp
2023-12-19 10:05:22 -05:00
Jake Hyde
38fc07916e
Revert "Merge pull request #277 from thatmidwesterncoder/bugfix_nodedriver_validation"
...
This reverts commit 3ed3c68118, reversing
changes made to ddb05820d4.
2023-11-28 17:31:44 -05:00
Michael Bolot
75cf0e58ca
Adding support for bind verb to globalRoles
...
Adds support for the bind verb on globalRoles, which follows upstream
behavior and allows users to create/update a binding to a globalRole
that has >= permissions than their own.
2023-10-03 09:35:14 -05:00
Michael Bolot
ffba7246e8
Adding support for "escalate" for globalRoles
...
Adds support for the escalate verb, like upstream, when checking for
escalation in global roles. This will allow users to change a global
role even if they don't have >= permissions of the target role
2023-10-03 09:22:36 -05:00
Michael Bolot
3a12b29402
Updating EscalationAuthorized function
...
Updates the EscalationAuthorized function to accept a resource name and
verb, allowing usage for specific resources and verbs like bind
2023-10-03 09:06:03 -05:00
Michael Bolot
b9ea614b30
Removing admin exception to gr cluster rules
...
Removes an exception given to allow admin users to have * on
inheritedClusterRoles. This will no longer be necessary due to us honoring
the escalate and bind verbs
2023-10-03 09:05:59 -05:00
Michael Bolot
9692e02704
Revert "Adding SA exceptions to gr escalation"
...
This reverts commit fc3f4d171c.
2023-10-02 10:45:44 -05:00
Michael Bolot
23cc28881a
Merge pull request #301 from MbolotSuse/projects-deleting
...
Make project.spec.ClusterName immutable
2023-09-29 16:34:38 -05:00
Michael Bolot
afd79ef81f
Merge pull request #298 from MbolotSuse/gr-inherited-roles-sa-allow
...
Adding SA exceptions to gr escalation
2023-09-29 11:42:27 -05:00
Michael Bolot
4015d3ef48
Make project.spec.ClusterName immutable
...
The clusterName field of projects was already immutable in effect since
it needed to match the namespace, which is immutable. This makes it
explicitly immutable, and changes the check for cluster existence to only
occur on create requests
2023-09-29 09:56:13 -05:00
Michael Bolot
fc3f4d171c
Adding SA exceptions to gr escalation
...
Adds an exception for the fleet/backup-restore for the
inheritedClusterRoles escalation check
2023-09-28 12:25:47 -05:00
Michael Bolot
749b8bd5fc
Adding clusterName validation to crtbs
...
Adds a check to ensure the cluster referred to by clusterName exists
2023-09-25 13:56:35 -05:00
Michael Bolot
707f7876c7
Adding validation for cluster/projectName for prtb
...
Adds validation on clusterName and projectName for prtbs to make sure
they refer to existing projects/clusters and that the project refers to
the cluster in the spec
2023-09-25 13:56:30 -05:00
Michael Bolot
9d4951c711
Adding validation for clusterName to projects
...
Adds validation for the clusterName field for projects, and fixes an
unrelated error where error messages for globalRoleBindings indicated
their own name as the missing resource instead of the target GlobalRole
2023-09-22 16:35:31 -05:00
Kevin Joiner
36404b748f
Merge pull request #295 from KevinJoiner/start-err
...
Adds startup error.
2023-09-19 10:53:12 -04:00
Kevin Joiner
8a45bf3f41
Adds startup error.
2023-09-19 10:18:56 -04:00
Kevin Joiner
aaf253732b
Merge pull request #260 from raulcabello/namespace-exists
...
Reject workspace creation if namespace already exists
2023-09-18 11:13:28 -04:00
raul
fc284bd621
Reject fleet workspace creation if namespace already exists
...
Prevent valid workspace rejection if Admit is called more than once
Check if the namespace has a label added by the webhook to determine if the namespace was created by the webhook
2023-09-18 16:56:53 +02:00
Jonathan Crowther
731edbadf5
Prevent CRTBs from being created with mismatching Namespace and ClusterName (#294)
...
* Fix 42754
* Update create error message to have consistent wording
* Update CRTB docs
* Address comments
* Update integration test
2023-09-15 15:48:11 -04:00
Max Sokolovsky
8937b3dee5
Don't allow PRTB namespace and the project ID of projectName to differ
2023-09-14 16:42:28 -04:00
Kevin Joiner
cf14a569e7
Disallows updating GlobalRoles to be builtin.
2023-09-14 10:01:27 -04:00
Jacob Lindgren
3ed3c68118
Merge pull request #277 from thatmidwesterncoder/bugfix_nodedriver_validation
...
Fix NodeDriver validation to ensure uniqueness + prevent race condition of CRD creation
2023-09-12 11:12:14 -05:00
Kevin Joiner
0f4e9854e8
Migrates GlobalRoles and GlobalRoleBinding.
...
Migrates Norman validation done on GlobalRoles and GlobalRoleBinding
in Rancher to the webhook.
2023-09-08 12:59:35 -04:00
Tom Lebreux
5f186eec2e
Upgrade to k8s 1.27
2023-09-08 10:55:11 -04:00
Max Sokolovsky
bd1de5c562
Merge pull request #284 from maxsokolovsky/disallow-service-account-update-on-prtb
...
Disallow changes to ServiceAccount field on PRTB update rather than its presence
2023-09-01 15:22:06 -04:00
Max Sokolovsky
1c398ab015
Disallow changes to ServiceAccount field on PRTB update rather than its presence
2023-09-01 14:24:45 -04:00
Michael Bolot
147d8663c4
Adding docs for new checks
...
Adds docs for checks related to the inheritedClusterRoles field on
globalRoleObjects
2023-09-01 09:24:07 -05:00
Michael Bolot
f99acfa075
Tests for escalation on inheritedClusterRoles
2023-09-01 09:24:07 -05:00
Michael Bolot
6fa7bfba55
Tests for grb owner label immutability
2023-09-01 09:24:07 -05:00