* Add resource request and limit validation when creating a namespace
* Update test for number of namespace admitters
* cleaning up lint errors
* Allow for empty resource limit annotation to be present
* Update to allow for partial request/limits
* Revert "[0.6] Make sure to update the name in the mutator (#535)"
This reverts commit 7e0627b265.
* Revert "[v0.6] Populate backing namespace field for projects (#532)"
This reverts commit b17444735b.
* Merge pull request #316 from thatmidwesterncoder/toleration_validation (#459)
Add validation to Toleration and Affinitys Keys
* Bump to k8s 1.31
* Bump the maximum supported k8s version to 1.31
* Bump other k8s modules to be consistent with k8s 1.31
* Bump to versions of lasso and wrangler that support k8s 1.31
* Move go the go-uber gomock module.
* Update the wrangler module.
* Correct the mockgen install command.
* And re-correct the 'go install ... mockgen' command.
---------
Co-authored-by: Jacob Lindgren <jacob.lindgren@suse.com>
* Move common annotations to resources/common
* Add new annotation to opt out of creatorID
* Add comments and unit tests
* Fix integration test
* Update annotation name
* Add annotation check to project and cluster
* Move annotation check to create
* Fix unit tests
* Prevents dropping unknown cluster fields
Signed-off-by: Dharmit Shah <dharmit.shah@suse.com>
* add test for v3 cluster mutator & add rke to replace in go.mod
adding rke to replace section will avoid pulling in rc versions
when updating pkg/apis in webhook
* Drop the direct dependency on rke/types.
* Bump rancher/pkg/apis.
This means the module imports ancher/rke v1.6.0 from v1.6.0-rc10.
Without the pkg/apis bump 'go mod tidy' would regress to rke v1.6.0-rc9
* Pull in instance of rancher/pkg/apis from main.
* Verify ExternalRules in RoleTemplates
If the feature flag external-rules is enabled, the validation for RT follows this sequence:
- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.
For PRTB or CRTB:
- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.
The previous verification process applies if the external-rules feature flag is disabled.
* Allow Restricted Admin to update external-rules feature flag (#102)
---------
Co-authored-by: Raul Cabello Martin <raulcabm@gmail.com>
Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
* bump rancher to be able to use ExternalRules
* fix test conflict
---------
Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>
- Validate the user have enough permission to create/update the rules defined in InheritedFleetWorkspacePermissions.ResourceRules
- Validate the user have enough permission to create/update the rules that are generated based on the InheritedFleetWorkspacePermissions.WorkspaceVerbs
---------
Co-authored-by: Michael Bolot <michael.bolot@suse.com>
* Bump to k8s modules v0.29.3 (for k8s 1.29)
* Remove local replacement module.
* Bump to a rancher/rancher commit that has k8s 1.29 support
* Back out rancher 2.9 change that breaks drone integration tests.
* Remove the minimum k8s version from this chart.
* No need to use an older rancher image.
Chad Roberts