Code Review / icn / sdwan.git / commit
? search:
summary | shortlog | log | commit | commitdiff | review | tree
(parent: 92997e7) | patch
webhook: add bucket permission system 09/3509/3
authorchengli3 <cheng1.li@intel.com>
Wed, 6 May 2020 10:37:09 +0000 (10:37 +0000)
committerchengli3 <cheng1.li@intel.com>
Wed, 27 May 2020 02:29:12 +0000 (02:29 +0000)
commitafc270ad30f9b4a73cc159156b765ba432bc1843
tree484f7ddabb25a550541992ca4ab9d49adb3ee41atree | snapshot
parent92997e7048c9fa0a97893a4b77457df685046f67commit | diff
webhook: add bucket permission system

K8s support permission control on namespace level. For example, user1 may
be able to create/update/delete one kind of resource(e.g. pod) in
namespace ns1, but not namespace ns2. For Sdewan, this can't fit our
requirement. We want label level control of Sdewan rule CRs. For
example, user_onap can create/update/delete Mwan3Rule CR of label
sdewan-bucket-type=app-intent, but not label sdewan-bucket-type=basic.
To enable label based permission validation for sdewan CRs, this patch
parse Annotations["sdewan-bucket-type-permission"] in role and clusterrole.
At the meaning time, sdewan CR Labels.sdewan-bucket-type is also parsed.
We compare role/clusterrole Annotations["sdewan-bucket-type-permission"]
and sdewan CR Labels.sdewan-bucket-type to decide if the
user/serviceaccount has the permission to create/update/delete the CR.

- We grant group "system:master" all the permissions
- We support wildcard match of the permissions

Change-Id: I644f4d3c4efc18fba4cb45cb808301a6895c70e9
Signed-off-by: chengli3 <cheng1.li@intel.com>
30 files changed:
.gitignore diff | blob | history
platform/crd-ctrlr/README.md diff | blob | history
platform/crd-ctrlr/examples/clusterrole-allow-intent.yaml [new file with mode: 0644] blob
platform/crd-ctrlr/examples/clusterrolebinding-allow-sa-intent.yaml [new file with mode: 0644] blob
platform/crd-ctrlr/examples/create_serviceaccount.sh [new file with mode: 0755] blob
platform/crd-ctrlr/examples/ovn-net2.yaml [moved from platform/crd-ctrlr/examples/ovn-net2.yml with 100% similarity] blob | history
platform/crd-ctrlr/examples/role-allow-intent-in-default-namespace.yaml [new file with mode: 0644] blob
platform/crd-ctrlr/examples/rolebinding-allow-sa-intent-in-default-namespace.yaml [new file with mode: 0644] blob
platform/crd-ctrlr/examples/sdewan-controller.yaml diff | blob | history
platform/crd-ctrlr/examples/tmp/k8s-webhook-server/serving-certs/ca.crt [new file with mode: 0644] blob
platform/crd-ctrlr/examples/tmp/k8s-webhook-server/serving-certs/tls.crt [new file with mode: 0644] blob
platform/crd-ctrlr/examples/tmp/k8s-webhook-server/serving-certs/tls.key [new file with mode: 0644] blob
platform/crd-ctrlr/src/Makefile diff | blob | history
platform/crd-ctrlr/src/api/v1alpha1/bucket_permission_webhook.go [new file with mode: 0644] blob
platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go diff | blob | history
platform/crd-ctrlr/src/cnfprovider/openprovider.go diff | blob | history
platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_mwan3rules.yaml diff | blob | history
platform/crd-ctrlr/src/config/default/kustomization.yaml diff | blob | history
platform/crd-ctrlr/src/config/default/rbac_patch.yaml [new file with mode: 0644] blob
platform/crd-ctrlr/src/config/default/webhookcainjection_patch.yaml diff | blob | history
platform/crd-ctrlr/src/config/local/webhook_config.yaml [new file with mode: 0644] blob
platform/crd-ctrlr/src/config/rbac/role.yaml diff | blob | history
platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml diff | blob | history
platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml diff | blob | history
platform/crd-ctrlr/src/config/webhook/kustomizeconfig.yaml diff | blob | history
platform/crd-ctrlr/src/config/webhook/manifests.yaml diff | blob | history
platform/crd-ctrlr/src/controllers/base_controller.go diff | blob | history
platform/crd-ctrlr/src/go.mod diff | blob | history
platform/crd-ctrlr/src/go.sum diff | blob | history
platform/crd-ctrlr/src/main.go diff | blob | history