From 5fdc6aaa304545e830ee2ad056240bc05965b23e Mon Sep 17 00:00:00 2001 From: David Eads Date: Mon, 2 Jul 2018 11:49:45 -0400 Subject: [PATCH 1/2] UPSTREAM: revert: : make auth reconcile work with backlevel versions until ansible updates This reverts commit 979704ac34b42f25827c8fbaf9040904bca82eb1. Origin-commit: 0e5da1337dae91bb20b0dcfeca5104fb2dac6e12 --- pkg/kubectl/cmd/auth/reconcile.go | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/pkg/kubectl/cmd/auth/reconcile.go b/pkg/kubectl/cmd/auth/reconcile.go index f4e84e31e84b2..3346812deef52 100644 --- a/pkg/kubectl/cmd/auth/reconcile.go +++ b/pkg/kubectl/cmd/auth/reconcile.go @@ -25,7 +25,6 @@ import ( rbacv1 "k8s.io/api/rbac/v1" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1" - "k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/kubectl/cmd/templates" cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" "k8s.io/kubernetes/pkg/kubectl/genericclioptions" @@ -106,7 +105,7 @@ func (o *ReconcileOptions) Complete(cmd *cobra.Command, f cmdutil.Factory, args } r := f.NewBuilder(). - WithScheme(legacyscheme.Scheme). + WithScheme(scheme.Scheme, scheme.Scheme.PrioritizedVersionsAllGroups()...). ContinueOnError(). NamespaceParam(namespace).DefaultNamespace(). FilenameParam(enforceNamespace, o.FilenameOptions). @@ -171,14 +170,7 @@ func (o *ReconcileOptions) RunReconcile() error { return err } - obj, err := legacyscheme.Scheme.ConvertToVersion(info.Object, rbacv1.SchemeGroupVersion) - if err != nil { - glog.V(1).Infof("skipping %#v", info.Object.GetObjectKind()) - // skip ignored resources - return nil - } - - switch t := obj.(type) { + switch t := info.Object.(type) { case *rbacv1.Role: reconcileOptions := reconciliation.ReconcileRoleOptions{ Confirm: !o.DryRun, From 584a5ae42d9a17349a63426bb82157da680b80a5 Mon Sep 17 00:00:00 2001 From: David Eads Date: Thu, 5 Jul 2018 13:14:59 -0400 Subject: [PATCH 2/2] UPSTREAM: 65715: fail on rbac resources of non-v1 versions in reconcile Origin-commit: b10515ad58bda69b033bfdc1fd462e03448e4a7c --- hack/make-rules/test-cmd-util.sh | 3 +++ pkg/kubectl/cmd/auth/reconcile.go | 13 ++++++++++ .../pkg/kubectl/cmd/auth/rbac-v1beta1.yaml | 25 +++++++++++++++++++ 3 files changed, 41 insertions(+) create mode 100644 test/fixtures/pkg/kubectl/cmd/auth/rbac-v1beta1.yaml diff --git a/hack/make-rules/test-cmd-util.sh b/hack/make-rules/test-cmd-util.sh index a4c1102484194..6d26ae00e4ef6 100755 --- a/hack/make-rules/test-cmd-util.sh +++ b/hack/make-rules/test-cmd-util.sh @@ -5549,6 +5549,9 @@ runTests() { kube::test::get_object_assert 'clusterrolebindings -l test-cmd=auth' "{{range.items}}{{$id_field}}:{{end}}" 'testing-CRB:' kube::test::get_object_assert 'clusterroles -l test-cmd=auth' "{{range.items}}{{$id_field}}:{{end}}" 'testing-CR:' + failure_message=$(! kubectl auth reconcile "${kube_flags[@]}" -f test/fixtures/pkg/kubectl/cmd/auth/rbac-v1beta1.yaml 2>&1 ) + kube::test::if_has_string "${failure_message}" 'only rbac.authorization.k8s.io/v1 is supported' + kubectl delete "${kube_flags[@]}" rolebindings,role,clusterroles,clusterrolebindings -n some-other-random -l test-cmd=auth fi diff --git a/pkg/kubectl/cmd/auth/reconcile.go b/pkg/kubectl/cmd/auth/reconcile.go index 3346812deef52..a30fb101ed835 100644 --- a/pkg/kubectl/cmd/auth/reconcile.go +++ b/pkg/kubectl/cmd/auth/reconcile.go @@ -23,6 +23,8 @@ import ( "github.com/spf13/cobra" rbacv1 "k8s.io/api/rbac/v1" + rbacv1beta1 "k8s.io/api/rbac/v1beta1" + rbacv1alpha1 "k8s.io/api/rbac/v1alpha1" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1" "k8s.io/kubernetes/pkg/kubectl/cmd/templates" @@ -32,6 +34,7 @@ import ( "k8s.io/kubernetes/pkg/kubectl/genericclioptions/resource" "k8s.io/kubernetes/pkg/kubectl/scheme" "k8s.io/kubernetes/pkg/registry/rbac/reconciliation" + "fmt" ) // ReconcileOptions is the start of the data required to perform the operation. As new fields are added, add them here instead of @@ -233,6 +236,16 @@ func (o *ReconcileOptions) RunReconcile() error { } o.PrintObject(result.RoleBinding.GetObject(), o.Out) + case *rbacv1beta1.Role, + *rbacv1beta1.RoleBinding, + *rbacv1beta1.ClusterRole, + *rbacv1beta1.ClusterRoleBinding, + *rbacv1alpha1.Role, + *rbacv1alpha1.RoleBinding, + *rbacv1alpha1.ClusterRole, + *rbacv1alpha1.ClusterRoleBinding: + return fmt.Errorf("only rbac.authorization.k8s.io/v1 is supported: not %T", t) + default: glog.V(1).Infof("skipping %#v", info.Object.GetObjectKind()) // skip ignored resources diff --git a/test/fixtures/pkg/kubectl/cmd/auth/rbac-v1beta1.yaml b/test/fixtures/pkg/kubectl/cmd/auth/rbac-v1beta1.yaml new file mode 100644 index 0000000000000..2fb1f1fbbae05 --- /dev/null +++ b/test/fixtures/pkg/kubectl/cmd/auth/rbac-v1beta1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +items: +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRole + metadata: + labels: + test-cmd: auth + name: testing-CR + rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + +kind: List +metadata: {}