Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update bootstrap policy with replicaset/daemonset permissions in the apps API group #54309

Merged
merged 1 commit into from
Oct 20, 2017
Merged

Update bootstrap policy with replicaset/daemonset permissions in the apps API group #54309

merged 1 commit into from
Oct 20, 2017
+31 −9

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Oct 20, 2017
edited
Loading

Resolves #54310

Bootstrap policy was not updated when replicasets and daemonsets got promoted to the apps group

Resolves forbidden error when accessing replicasets and daemonsets via the apps API group

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 20, 2017
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 20, 2017
@liggitt liggitt added this to the v1.8 milestone Oct 20, 2017
@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 20, 2017
@liggitt liggitt force-pushed the replicaset-permissions branch from 20a9767 to 3789051 Compare October 20, 2017 16:59
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 20, 2017
@ericchiang
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 20, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ericchiang, liggitt

Associated issue: 54310

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@liggitt liggitt mentioned this pull request Oct 20, 2017
Merged
@liggitt liggitt added kind/bug Categorizes issue or PR as related to a bug. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Oct 20, 2017
@jpbetz jpbetz added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. and removed cherrypick-candidate labels Oct 20, 2017
@ericchiang
Copy link
Contributor

/test pull-kubernetes-bazel-test

@liggitt
Copy link
Member Author

liggitt commented Oct 20, 2017

@pwittrock saw an unexpected flake on https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/54309/pull-kubernetes-bazel-test/11424/ with apply

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 52147, 54309). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 10cafb8 into kubernetes:master Oct 20, 2017
k8s-github-robot pushed a commit that referenced this pull request Oct 21, 2017
Merge pull request #54311 from liggitt/automated-cherry-pick-of-#5430…
b4c54dc 
…9-upstream-release-1.8

Automatic merge from submit-queue.

Automated cherry pick of #54309

Cherry pick of #54309 on release-1.8.

#54309: Update bootstrap policy with replicaset/daemonset permissions
@liggitt liggitt deleted the replicaset-permissions branch October 23, 2017 04:56
foxish
foxish reviewed Oct 26, 2017
View reviewed changes
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -98,7 +98,7 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/status").RuleOrDie(),
rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/finalizers").RuleOrDie(),
rbac.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
rbac.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did we want to remove the extensions group from here in permissions?
cc @kow3ns

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not until the resource is removed from the extensions API grou

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, nvm. misread the change. I thought it was replacing extensions with apps.

@kow3ns
Copy link
Member

kow3ns commented Oct 26, 2017

@liggitt so the controllers only use extensions right now. When we move them to apps, they will only use apps. I don't think we actually need permissions for apps until then, and I don't see why we would ever add permissions for both.

@liggitt
Copy link
Member Author

liggitt commented Oct 27, 2017

I don't think we actually need permissions for apps until then, and I don't see why we would ever add permissions for both.

including the new group when the type moves ensures a smooth transition for the controller on rolling upgrades

@kow3ns
Copy link
Member

kow3ns commented Oct 30, 2017

@liggitt true, but we can only update to appsv1beta2 because we need to ensure everything works in a mixed mode, multi-master cluster during a 1.8 - 1.9 upgrade scenario. After we introduce v1, the subsequent release should see the controllers switched over to v1 while meeting that requirement. i.e. 1.9 - 1.10 upgrade would be correctly supported with all controllers using the AppsV1() interface.

@pwittrock
Copy link
Member

saw an unexpected flake on https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/54309/pull-kubernetes-bazel-test/11424/ with apply

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@foxish foxish foxish left review comments

Assignees

@ericchiang ericchiang

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.8
Development

Successfully merging this pull request may close these issues.
9 participants
@liggitt @ericchiang @k8s-github-robot @kow3ns @pwittrock @foxish @jpbetz @deads2k @k8s-ci-robot