From 84ae024fbf0220a448c49b1a21a62dd9ec670703 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Wed, 24 Oct 2018 23:34:30 -0400 Subject: [PATCH] Update compilation for k8s 1.12 --- cmd/audit2rbac/audit2rbac.go | 24 +-- pkg/process.go | 44 ++--- pkg/process_test.go | 333 ++++++++++++++++++----------------- pkg/util.go | 19 +- 4 files changed, 213 insertions(+), 207 deletions(-) diff --git a/cmd/audit2rbac/audit2rbac.go b/cmd/audit2rbac/audit2rbac.go index 39a4417..aab23ea 100644 --- a/cmd/audit2rbac/audit2rbac.go +++ b/cmd/audit2rbac/audit2rbac.go @@ -16,6 +16,8 @@ import ( "github.com/liggitt/audit2rbac/pkg" "github.com/spf13/cobra" + + rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -25,7 +27,7 @@ import ( "k8s.io/apiserver/pkg/authentication/serviceaccount" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" - rbacinternal "k8s.io/kubernetes/pkg/apis/rbac" + rbacv1helper "k8s.io/kubernetes/pkg/apis/rbac/v1" ) func main() { 
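Review bot: The new `rbacv1helper "k8s.io/kubernetes/pkg/apis/rbac/v1"` import reaches into the kubernetes monorepo's internal pkg/ tree, which has no compatibility promise across releases, so the build is now tied to whichever kubernetes tag is vendored (the subject line says 1.12) while `k8s.io/api/rbac/v1` is a separately published API package. I would pin the two together explicitly and say so next to the import, e.g. `// rbacv1helper is an internal kubernetes package with no API guarantee; keep it on the same tag as k8s.io/api (k8s 1.12 here).` As far as this diff shows, the helper is only used for the `NewRule(...).RuleOrDie()` builder, which is small enough to replicate locally if dropping the monorepo dependency is preferred; I cannot see the rest of the file to confirm there are no other uses.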
@@ -582,22 +584,22 @@ func eventToAttributes(event *audit.Event) authorizer.AttributesRecord { func getDiscoveryRoles() pkg.RBACObjects { return pkg.RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{ - &rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{ + &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").URLs("/healthz", "/version", "/swagger*", "/openapi*", "/api*").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").URLs("/healthz", "/version", "/swagger*", "/openapi*", "/api*").RuleOrDie(), }, }, }, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{ - &rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{ + &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"}, - Subjects: []rbacinternal.Subject{ - {Kind: rbacinternal.GroupKind, APIGroup: rbacinternal.GroupName, Name: "system:authenticated"}, - {Kind: rbacinternal.GroupKind, APIGroup: rbacinternal.GroupName, Name: "system:unauthenticated"}, + Subjects: []rbacv1.Subject{ + {Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "system:authenticated"}, + {Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "system:unauthenticated"}, }, - RoleRef: rbacinternal.RoleRef{APIGroup: rbacinternal.GroupName, Kind: "ClusterRole", Name: "system:discovery"}, + RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: "system:discovery"}, }, }, } diff --git a/pkg/process.go b/pkg/process.go index 5e991f4..b91151e 100644 --- a/pkg/process.go +++ b/pkg/process.go 
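Review bot: `getDiscoveryRoles` hardcodes a copy of the bootstrap `system:discovery` ClusterRole and binds it to both `system:authenticated` and `system:unauthenticated`, but nothing documents that this is a snapshot of one release's policy, so drift from the target cluster is silent. The `Generator` in pkg/process.go is constructed with an `existing RBACObjects`, which presumably means requests already permitted by these synthetic roles are dropped from the generated output; on a cluster whose real bootstrap policy differs, discovery paths will then be under- or over-granted, and the test fixture in pkg/process_test.go already uses a different URL list and omits `system:unauthenticated`. I would add a doc comment: `// getDiscoveryRoles returns a synthetic copy of the bootstrap system:discovery ClusterRole and binding as of k8s 1.12. Requests covered by it are treated as already authorized, so keep the URL list and subjects in sync with the target release's bootstrap policy.` Also worth stating that `/api*` is a prefix glob, so it covers `/apis` and anything else beginning with `/api`, not just `/api` itself.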
@@ -3,19 +3,21 @@ package pkg import ( "reflect" + rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/kubernetes/pkg/apis/rbac" + rbacv1helper "k8s.io/kubernetes/pkg/apis/rbac/v1" "k8s.io/kubernetes/pkg/registry/rbac/validation" rbacauthorizer "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac" ) // RBACObjects holds lists of RBAC API objects type RBACObjects struct { - Roles []*rbac.Role - RoleBindings []*rbac.RoleBinding - ClusterRoles []*rbac.ClusterRole - ClusterRoleBindings []*rbac.ClusterRoleBinding + Roles []*rbacv1.Role + RoleBindings []*rbacv1.RoleBinding + ClusterRoles []*rbacv1.ClusterRole + ClusterRoleBindings []*rbacv1.ClusterRoleBinding } // GenerateOptions specifies options for generating RBAC roles @@ -57,10 +59,10 @@ type Generator struct { generated RBACObjects generatedGetter *validation.StaticRoles - clusterRole *rbac.ClusterRole - clusterRoleBinding *rbac.ClusterRoleBinding - namespacedRole map[string]*rbac.Role - namespacedRoleBinding map[string]*rbac.RoleBinding + clusterRole *rbacv1.ClusterRole + clusterRoleBinding *rbacv1.ClusterRoleBinding + namespacedRole map[string]*rbacv1.Role + namespacedRoleBinding map[string]*rbacv1.RoleBinding } // NewGenerator creates a new Generator @@ -71,8 +73,8 @@ func NewGenerator(existing RBACObjects, requests []authorizer.AttributesRecord, existing: existing, requests: requests, Options: options, - namespacedRole: map[string]*rbac.Role{}, - namespacedRoleBinding: map[string]*rbac.RoleBinding{}, + namespacedRole: map[string]*rbacv1.Role{}, + namespacedRoleBinding: map[string]*rbacv1.RoleBinding{}, generatedGetter: getter, } } 
@@ -97,7 +99,7 @@ func (g *Generator) Generate() *RBACObjects { if !request.ResourceRequest { clusterRole := g.ensureClusterRoleAndBinding(userToSubject(request.User)) - clusterRole.Rules = append(clusterRole.Rules, rbac.NewRule(request.Verb).URLs(request.Path).RuleOrDie()) + clusterRole.Rules = append(clusterRole.Rules, rbacv1helper.NewRule(request.Verb).URLs(request.Path).RuleOrDie()) continue } @@ -156,18 +158,18 @@ func (g *Generator) Generate() *RBACObjects { return &g.generated } -func (g *Generator) ensureClusterRoleAndBinding(subject rbac.Subject) *rbac.ClusterRole { +func (g *Generator) ensureClusterRoleAndBinding(subject rbacv1.Subject) *rbacv1.ClusterRole { if g.clusterRole != nil { return g.clusterRole } - g.clusterRole = &rbac.ClusterRole{ + g.clusterRole = &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: g.Options.Name, Labels: g.Options.Labels, Annotations: g.Options.Annotations}, } - g.clusterRoleBinding = &rbac.ClusterRoleBinding{ + g.clusterRoleBinding = &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: g.Options.Name, Labels: g.Options.Labels, Annotations: g.Options.Annotations}, - RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: g.clusterRole.Name}, - Subjects: []rbac.Subject{subject}, + RoleRef: rbacv1.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: g.clusterRole.Name}, + Subjects: []rbacv1.Subject{subject}, } g.generated.ClusterRoles = append(g.generated.ClusterRoles, g.clusterRole) 
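Review bot: The `RoleRef` literal in `ensureClusterRoleAndBinding` mixes the two RBAC packages: `rbacv1.RoleRef{APIGroup: rbac.GroupName, ...}` takes the group name from the internal `k8s.io/kubernetes/pkg/apis/rbac` package while every other identifier in the function now comes from `rbacv1`. Both constants spell `rbac.authorization.k8s.io` today (the expected values in process_test.go pin that string), so behaviour is unchanged, but it keeps the internal import alive for one constant and invites a mismatch if the two packages are ever bumped independently; cmd/audit2rbac/audit2rbac.go in this same commit already uses `rbacv1.GroupName`. Change it to `RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: g.clusterRole.Name},`, do the same in `ensureNamespacedRoleAndBinding`, and drop the `rbac` import if the unseen remainder of the file has no other use for it. `ensureClusterRoleAndBinding` continues past this hunk; its `return` lands in the next one.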
@@ -179,18 +181,18 @@ func (g *Generator) ensureClusterRoleAndBinding(subject rbac.Subject) *rbac.Clus return g.clusterRole } -func (g *Generator) ensureNamespacedRoleAndBinding(subject rbac.Subject, namespace string) *rbac.Role { +func (g *Generator) ensureNamespacedRoleAndBinding(subject rbacv1.Subject, namespace string) *rbacv1.Role { if g.namespacedRole[namespace] != nil { return g.namespacedRole[namespace] } - g.namespacedRole[namespace] = &rbac.Role{ + g.namespacedRole[namespace] = &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: g.Options.Name, Namespace: namespace, Labels: g.Options.Labels, Annotations: g.Options.Annotations}, } - g.namespacedRoleBinding[namespace] = &rbac.RoleBinding{ + g.namespacedRoleBinding[namespace] = &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: g.Options.Name, Namespace: namespace, Labels: g.Options.Labels, Annotations: g.Options.Annotations}, - RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: g.namespacedRole[namespace].Name}, - Subjects: []rbac.Subject{subject}, + RoleRef: rbacv1.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: g.namespacedRole[namespace].Name}, + Subjects: []rbacv1.Subject{subject}, } g.generated.Roles = append(g.generated.Roles, g.namespacedRole[namespace]) diff --git a/pkg/process_test.go b/pkg/process_test.go index b17ac7e..5e4cd9a 100644 --- a/pkg/process_test.go +++ b/pkg/process_test.go 
@@ -5,42 +5,43 @@ import ( "os" "testing" + rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/equality" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/diff" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" - rbacinternal "k8s.io/kubernetes/pkg/apis/rbac" + rbacv1helper "k8s.io/kubernetes/pkg/apis/rbac/v1" ) func TestProcessOptions(t *testing.T) { bob := &user.DefaultInfo{Name: "bob", Groups: []string{"system:authenticated"}} existing := RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{ - &rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{ + &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("*").Groups("*").Resources("*").RuleOrDie(), - rbacinternal.NewRule("*").URLs("*").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("*").Groups("*").Resources("*").RuleOrDie(), + rbacv1helper.NewRule("*").URLs("*").RuleOrDie(), }, }, - &rbacinternal.ClusterRole{ + &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").URLs("/healthz", "/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").URLs("/healthz", "/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(), }, }, }, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{ - &rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{ + &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"}, - Subjects: []rbacinternal.Subject{{Kind: rbacinternal.GroupKind, APIGroup: rbacinternal.GroupName, Name: "system:masters"}}, - RoleRef: rbacinternal.RoleRef{APIGroup: rbacinternal.GroupName, Kind: "ClusterRole", Name: "cluster-admin"}, + Subjects: 
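Review bot: The `system:discovery` fixture in this hunk (`/swaggerapi`, `/swaggerapi/*`, `/api`, `/api/*`, `/apis`, `/apis/*`, bound only to `system:authenticated`) does not match the `getDiscoveryRoles()` baseline in cmd/audit2rbac/audit2rbac.go (`/swagger*`, `/openapi*`, `/api*`, bound to `system:authenticated` and `system:unauthenticated`), so `TestProcessOptions` exercises a baseline the binary never uses. Since `pkg` cannot import the `main` package, I would move the discovery baseline into `pkg` (for example `func DiscoveryRoles() RBACObjects`) and have both the command and this fixture call it, so any change to the baseline is covered by the test. This divergence predates the commit and is carried forward by the type migration rather than introduced here. `TestProcessOptions` runs well past the end of this hunk.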
[]rbacv1.Subject{{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "system:masters"}}, + RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: "cluster-admin"}, }, - &rbacinternal.ClusterRoleBinding{ + &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"}, - Subjects: []rbacinternal.Subject{{Kind: rbacinternal.GroupKind, APIGroup: rbacinternal.GroupName, Name: "system:authenticated"}}, - RoleRef: rbacinternal.RoleRef{APIGroup: rbacinternal.GroupName, Kind: "ClusterRole", Name: "system:discovery"}, + Subjects: []rbacv1.Subject{{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "system:authenticated"}}, + RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: "system:discovery"}, }, }, } @@ -73,14 +74,14 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: false, Verb: "get", Path: "/foo"}, }, expected: RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{&rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{&rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - Rules: []rbacinternal.PolicyRule{rbacinternal.NewRule("get").URLs("/foo").RuleOrDie()}, + Rules: []rbacv1.PolicyRule{rbacv1helper.NewRule("get").URLs("/foo").RuleOrDie()}, }}, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{&rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }}, }, }, 
@@ -93,17 +94,17 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "get", APIGroup: "storage.k8s.io", Resource: "storageclasses", Name: "mysc"}, }, expected: RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{&rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{&rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("nodes").Names("mynode").RuleOrDie(), - rbacinternal.NewRule("get").Groups("storage.k8s.io").Resources("storageclasses").Names("mysc").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("nodes").Names("mynode").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("storage.k8s.io").Resources("storageclasses").Names("mysc").RuleOrDie(), }, }}, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{&rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }}, }, }, 
@@ -117,17 +118,17 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "get", APIGroup: "storage.k8s.io", Resource: "storageclasses", Name: "sc2"}, }, expected: RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{&rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{&rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("nodes").RuleOrDie(), - rbacinternal.NewRule("get").Groups("storage.k8s.io").Resources("storageclasses").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("nodes").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("storage.k8s.io").Resources("storageclasses").RuleOrDie(), }, }}, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{&rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }}, }, }, 
@@ -145,17 +146,17 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "get", APIGroup: "storage.k8s.io", Resource: "storageclasses", Name: "sc2"}, }, expected: RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{&rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{&rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("nodes").Names("node1", "node2").RuleOrDie(), - rbacinternal.NewRule("get").Groups("storage.k8s.io").Resources("storageclasses").Names("sc1", "sc2").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("nodes").Names("node1", "node2").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("storage.k8s.io").Resources("storageclasses").Names("sc1", "sc2").RuleOrDie(), }, }}, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{&rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }}, }, }, 
@@ -176,17 +177,17 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "list", APIGroup: "storage.k8s.io", Resource: "storageclasses"}, }, expected: RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{&rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{&rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get", "list", "watch").Groups("").Resources("nodes").RuleOrDie(), - rbacinternal.NewRule("get", "list", "watch").Groups("storage.k8s.io").Resources("storageclasses").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get", "list", "watch").Groups("").Resources("nodes").RuleOrDie(), + rbacv1helper.NewRule("get", "list", "watch").Groups("storage.k8s.io").Resources("storageclasses").RuleOrDie(), }, }}, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{&rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }}, }, }, 
@@ -199,26 +200,26 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "get", Namespace: "ns2", APIGroup: "", Resource: "pods", Name: "pod1"}, }, expected: RBACObjects{ - Roles: []*rbacinternal.Role{ - &rbacinternal.Role{ + Roles: []*rbacv1.Role{ + &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"}, - Rules: []rbacinternal.PolicyRule{rbacinternal.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie()}, + Rules: []rbacv1.PolicyRule{rbacv1helper.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie()}, }, - &rbacinternal.Role{ + &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns2"}, - Rules: []rbacinternal.PolicyRule{rbacinternal.NewRule("get").Groups("").Resources("pods").Names("pod1").RuleOrDie()}, + Rules: []rbacv1.PolicyRule{rbacv1helper.NewRule("get").Groups("").Resources("pods").Names("pod1").RuleOrDie()}, }, }, - RoleBindings: []*rbacinternal.RoleBinding{ - &rbacinternal.RoleBinding{ + RoleBindings: []*rbacv1.RoleBinding{ + &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }, - &rbacinternal.RoleBinding{ + &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns2"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", 
APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }, }, }, 
@@ -241,28 +242,28 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "get", Namespace: "ns2", APIGroup: "apps", Resource: "deployments", Name: "dep2"}, }, expected: RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{&rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{&rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("pods").RuleOrDie(), - rbacinternal.NewRule("get").Groups("apps").Resources("deployments").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("pods").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("apps").Resources("deployments").RuleOrDie(), }, }}, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{&rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }}, - Roles: []*rbacinternal.Role{&rbacinternal.Role{ + Roles: []*rbacv1.Role{&rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie(), }, }}, - RoleBindings: []*rbacinternal.RoleBinding{&rbacinternal.RoleBinding{ + RoleBindings: []*rbacv1.RoleBinding{&rbacv1.RoleBinding{ 
ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }}, }, }, 
@@ -290,53 +291,53 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "get", Namespace: "ns3", APIGroup: "apps", Resource: "deployments", Name: "dep3"}, }, expected: RBACObjects{ - ClusterRoles: []*rbacinternal.ClusterRole{&rbacinternal.ClusterRole{ + ClusterRoles: []*rbacv1.ClusterRole{&rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("pods").Names("pod1").RuleOrDie(), - rbacinternal.NewRule("get").Groups("apps").Resources("deployments").Names("dep1").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("pods").Names("pod1").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("apps").Resources("deployments").Names("dep1").RuleOrDie(), }, }}, - ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{&rbacinternal.ClusterRoleBinding{ + ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{&rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }}, - Roles: []*rbacinternal.Role{ - &rbacinternal.Role{ + Roles: []*rbacv1.Role{ + &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"}, - Rules: []rbacinternal.PolicyRule{rbacinternal.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie()}, + Rules: []rbacv1.PolicyRule{rbacv1helper.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie()}, }, - &rbacinternal.Role{ + &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: 
"audit2rbac", Namespace: "ns2"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("pods").Names("pod2").RuleOrDie(), - rbacinternal.NewRule("get").Groups("apps").Resources("deployments").Names("dep2").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("pods").Names("pod2").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("apps").Resources("deployments").Names("dep2").RuleOrDie(), }, }, - &rbacinternal.Role{ + &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns3"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("pods").Names("pod3").RuleOrDie(), - rbacinternal.NewRule("get").Groups("apps").Resources("deployments").Names("dep3").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("pods").Names("pod3").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("apps").Resources("deployments").Names("dep3").RuleOrDie(), }, }, }, - RoleBindings: []*rbacinternal.RoleBinding{ - &rbacinternal.RoleBinding{ + RoleBindings: []*rbacv1.RoleBinding{ + &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }, - &rbacinternal.RoleBinding{ + &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns2"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: 
"audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }, - &rbacinternal.RoleBinding{ + &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns3"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }, }, }, 
@@ -367,41 +368,41 @@ func TestProcessOptions(t *testing.T) { authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "get", Namespace: "ns3", APIGroup: "apps", Resource: "deployments", Name: "dep3"}, }, expected: RBACObjects{ - Roles: []*rbacinternal.Role{ - &rbacinternal.Role{ + Roles: []*rbacv1.Role{ + &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"}, - Rules: []rbacinternal.PolicyRule{rbacinternal.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie()}, + Rules: []rbacv1.PolicyRule{rbacv1helper.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie()}, }, - &rbacinternal.Role{ + &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns2"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("pods").RuleOrDie(), - rbacinternal.NewRule("get").Groups("apps").Resources("deployments").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("pods").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("apps").Resources("deployments").RuleOrDie(), }, }, - &rbacinternal.Role{ + &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns3"}, - Rules: []rbacinternal.PolicyRule{ - rbacinternal.NewRule("get").Groups("").Resources("pods").RuleOrDie(), - rbacinternal.NewRule("get").Groups("apps").Resources("deployments").RuleOrDie(), + Rules: []rbacv1.PolicyRule{ + rbacv1helper.NewRule("get").Groups("").Resources("pods").RuleOrDie(), + rbacv1helper.NewRule("get").Groups("apps").Resources("deployments").RuleOrDie(), }, }, }, - RoleBindings: []*rbacinternal.RoleBinding{ - &rbacinternal.RoleBinding{ + RoleBindings: []*rbacv1.RoleBinding{ + &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: 
"User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }, - &rbacinternal.RoleBinding{ + &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns2"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }, - &rbacinternal.RoleBinding{ + &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns3"}, - RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, - Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, + RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"}, + Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}}, }, }, }, 
@@ -427,41 +428,41 @@ func TestProcessOptions(t *testing.T) {
 authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "get", Namespace: "ns3", APIGroup: "apps", Resource: "deployments", Name: "dep3"},
 },
 expected: RBACObjects{
- Roles: []*rbacinternal.Role{
- &rbacinternal.Role{
+ Roles: []*rbacv1.Role{
+ &rbacv1.Role{
 ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"},
- Rules: []rbacinternal.PolicyRule{rbacinternal.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie()},
+ Rules: []rbacv1.PolicyRule{rbacv1helper.NewRule("get").Groups("").Resources("configmaps").Names("cm1").RuleOrDie()},
 },
- &rbacinternal.Role{
+ &rbacv1.Role{
 ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns2"},
- Rules: []rbacinternal.PolicyRule{
- rbacinternal.NewRule("get").Groups("").Resources("pods").Names("pod1", "pod2").RuleOrDie(),
- rbacinternal.NewRule("get").Groups("apps").Resources("deployments").Names("dep1", "dep2").RuleOrDie(),
+ Rules: []rbacv1.PolicyRule{
+ rbacv1helper.NewRule("get").Groups("").Resources("pods").Names("pod1", "pod2").RuleOrDie(),
+ rbacv1helper.NewRule("get").Groups("apps").Resources("deployments").Names("dep1", "dep2").RuleOrDie(),
 },
 },
- &rbacinternal.Role{
+ &rbacv1.Role{
 ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns3"},
- Rules: []rbacinternal.PolicyRule{
- rbacinternal.NewRule("get").Groups("").Resources("pods").Names("pod1", "pod3").RuleOrDie(),
- rbacinternal.NewRule("get").Groups("apps").Resources("deployments").Names("dep1", "dep3").RuleOrDie(),
+ Rules: []rbacv1.PolicyRule{
+ rbacv1helper.NewRule("get").Groups("").Resources("pods").Names("pod1", "pod3").RuleOrDie(),
+ rbacv1helper.NewRule("get").Groups("apps").Resources("deployments").Names("dep1", "dep3").RuleOrDie(),
 },
 },
 },
- RoleBindings: []*rbacinternal.RoleBinding{
- &rbacinternal.RoleBinding{
+ RoleBindings: []*rbacv1.RoleBinding{
+ &rbacv1.RoleBinding{
 ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns1"},
- RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"},
- Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}},
+ RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"},
+ Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}},
 },
- &rbacinternal.RoleBinding{
+ &rbacv1.RoleBinding{
 ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns2"},
- RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"},
- Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}},
+ RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"},
+ Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}},
 },
- &rbacinternal.RoleBinding{
+ &rbacv1.RoleBinding{
 ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac", Namespace: "ns3"},
- RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"},
- Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}},
+ RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "Role", APIGroup: "rbac.authorization.k8s.io"},
+ Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}},
 },
 },
 },
@@ -491,17 +492,17 @@ func TestProcessOptions(t *testing.T) {
 authorizer.AttributesRecord{User: bob, ResourceRequest: true, Verb: "list", APIGroup: "", Resource: "pods"},
 },
 expected: RBACObjects{
- ClusterRoles: []*rbacinternal.ClusterRole{&rbacinternal.ClusterRole{
+ ClusterRoles: []*rbacv1.ClusterRole{&rbacv1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"},
- Rules: []rbacinternal.PolicyRule{
- rbacinternal.NewRule("get", "list", "watch").Groups("").Resources("configmaps", "pods").RuleOrDie(),
- rbacinternal.NewRule("get", "list", "watch").Groups("apps").Resources("deployments").RuleOrDie(),
+ Rules: []rbacv1.PolicyRule{
+ rbacv1helper.NewRule("get", "list", "watch").Groups("").Resources("configmaps", "pods").RuleOrDie(),
+ rbacv1helper.NewRule("get", "list", "watch").Groups("apps").Resources("deployments").RuleOrDie(),
 },
 }},
- ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{&rbacinternal.ClusterRoleBinding{
+ ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{&rbacv1.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{Name: "audit2rbac"},
- RoleRef: rbacinternal.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"},
- Subjects: []rbacinternal.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}},
+ RoleRef: rbacv1.RoleRef{Name: "audit2rbac", Kind: "ClusterRole", APIGroup: "rbac.authorization.k8s.io"},
+ Subjects: []rbacv1.Subject{{Name: "bob", Kind: "User", APIGroup: "rbac.authorization.k8s.io"}},
 }},
 },
 },
@@ -533,31 +534,31 @@ func TestProcessOptions(t *testing.T) {
 func TestProcess(t *testing.T) {
 bob := &user.DefaultInfo{Name: "bob", Groups: []string{"system:authenticated"}}
 existing := RBACObjects{
- ClusterRoles: []*rbacinternal.ClusterRole{
- &rbacinternal.ClusterRole{
+ ClusterRoles: []*rbacv1.ClusterRole{
+ &rbacv1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"},
- Rules: []rbacinternal.PolicyRule{
- rbacinternal.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
- rbacinternal.NewRule("*").URLs("*").RuleOrDie(),
+ Rules: []rbacv1.PolicyRule{
+ rbacv1helper.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
+ rbacv1helper.NewRule("*").URLs("*").RuleOrDie(),
 },
 },
- &rbacinternal.ClusterRole{
+ &rbacv1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
- Rules: []rbacinternal.PolicyRule{
- rbacinternal.NewRule("get").URLs("/healthz", "/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(),
+ Rules: []rbacv1.PolicyRule{
+ rbacv1helper.NewRule("get").URLs("/healthz", "/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(),
 },
 },
 },
- ClusterRoleBindings: []*rbacinternal.ClusterRoleBinding{
- &rbacinternal.ClusterRoleBinding{
+ ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{
+ &rbacv1.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"},
- Subjects: []rbacinternal.Subject{{Kind: rbacinternal.GroupKind, APIGroup: rbacinternal.GroupName, Name: "system:masters"}},
- RoleRef: rbacinternal.RoleRef{APIGroup: rbacinternal.GroupName, Kind: "ClusterRole", Name: "cluster-admin"},
+ Subjects: []rbacv1.Subject{{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "system:masters"}},
+ RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: "cluster-admin"},
 },
- &rbacinternal.ClusterRoleBinding{
+ &rbacv1.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
- Subjects: []rbacinternal.Subject{{Kind: rbacinternal.GroupKind, APIGroup: rbacinternal.GroupName, Name: "system:authenticated"}},
- RoleRef: rbacinternal.RoleRef{APIGroup: rbacinternal.GroupName, Kind: "ClusterRole", Name: "system:discovery"},
+ Subjects: []rbacv1.Subject{{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "system:authenticated"}},
+ RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: "system:discovery"},
 },
 },
 }
diff --git a/pkg/util.go b/pkg/util.go
index 79bbdc9..9eeb9f2 100644
--- a/pkg/util.go
+++ b/pkg/util.go
@@ -19,19 +19,20 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 "k8s.io/kubernetes/pkg/apis/rbac"
+ rbacv1helper "k8s.io/kubernetes/pkg/apis/rbac/v1"
 "k8s.io/kubernetes/pkg/registry/rbac/validation"
 )
 
-func userToSubject(user user.Info) rbac.Subject {
+func userToSubject(user user.Info) rbacv1.Subject {
 if ns, name, err := serviceaccount.SplitUsername(user.GetName()); err == nil {
- return rbac.Subject{Name: name, Namespace: ns, Kind: "ServiceAccount"}
+ return rbacv1.Subject{Name: name, Namespace: ns, Kind: "ServiceAccount"}
 }
- return rbac.Subject{Name: user.GetName(), Kind: "User", APIGroup: rbac.GroupName}
+ return rbacv1.Subject{Name: user.GetName(), Kind: "User", APIGroup: rbac.GroupName}
 }
 
-func attributesToResourceRule(request authorizer.AttributesRecord, options GenerateOptions) rbac.PolicyRule {
+func attributesToResourceRule(request authorizer.AttributesRecord, options GenerateOptions) rbacv1.PolicyRule {
 verbs := append([]string{request.Verb}, options.VerbExpansions[request.Verb]...)
- rule := rbac.NewRule(verbs...).Groups(request.APIGroup).Resources(request.Resource).RuleOrDie()
+ rule := rbacv1helper.NewRule(verbs...).Groups(request.APIGroup).Resources(request.Resource).RuleOrDie()
 if request.Subresource != "" {
 rule.Resources[0] = rule.Resources[0] + "/" + request.Subresource
 }
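Review bot: The User branch of userToSubject still reads `rbac.GroupName` from the internal `k8s.io/kubernetes/pkg/apis/rbac` package even though the same line now builds an `rbacv1.Subject`, and the rest of this commit switches every other site to `rbacv1.GroupName`; both constants carry the same value, so this is consistency rather than a behavior problem, but it keeps the internal-API import alive for a single constant. I would write `return rbacv1.Subject{Name: user.GetName(), Kind: "User", APIGroup: rbacv1.GroupName}` and, if nothing else in util.go still references `rbac.`, drop that import. A one-line comment on the ServiceAccount branch would also help whoever reviews generated bindings, e.g. `// ServiceAccount subjects carry no APIGroup; only User and Group subjects use the RBAC API group.` userToSubject is complete within the hunk, while attributesToResourceRule's body continues past its end.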
@@ -41,8 +42,8 @@ func attributesToResourceRule(request authorizer.AttributesRecord, options Gener
 return rule
 }
 
-func compactRules(rules []rbac.PolicyRule) []rbac.PolicyRule {
- breakdownRules := []rbac.PolicyRule{}
+func compactRules(rules []rbacv1.PolicyRule) []rbacv1.PolicyRule {
+ breakdownRules := []rbacv1.PolicyRule{}
 for _, rule := range rules {
 breakdownRules = append(breakdownRules, validation.BreakdownRule(rule)...)
 }
@@ -55,7 +56,7 @@ func compactRules(rules []rbac.PolicyRule) []rbac.PolicyRule {
 compactRules[i].Verbs = sets.NewString(compactRules[i].Verbs...).List()
 }
 
- accumulatingRules := []rbac.PolicyRule{}
+ accumulatingRules := []rbacv1.PolicyRule{}
 for _, rule := range compactRules {
 // Non-resource rules just accumulate
 if len(rule.Resources) == 0 {
@@ -105,7 +106,7 @@ func compactRules(rules []rbac.PolicyRule) []rbac.PolicyRule {
 if c := strings.Compare(strings.Join(accumulatingRules[i].APIGroups, ","), strings.Join(accumulatingRules[j].APIGroups, ",")); c != 0 {
 return c < 0
 }
- return strings.Compare(accumulatingRules[i].CompactString(), accumulatingRules[j].CompactString()) < 0
+ return strings.Compare(rbacv1helper.CompactString(accumulatingRules[i]), rbacv1helper.CompactString(accumulatingRules[j])) < 0
 })
 return accumulatingRules
 }