Merge pull request #13 from sbunce/sbunce/rbacsyncconf_clusterrole

controller: allow RBACSyncConfig to bind to ClusterRole

Author: stevvooe

README.md

@@ -123,10 +123,14 @@ For namespace-scoped `RBACSyncConfig`, the behavior is nearly identical except
 for the following:
 
 1. `RBACSyncConfig` must be defined with a namespace.
-2. `RBACSyncConfig` can only reference `Roles`.
-3. All `RoleBindings` created as a result of the `RBACSyncConfig` will be in
+2. All `RoleBindings` created as a result of the `RBACSyncConfig` will be in
    the same namespace.
 
+`RBACSyncConfig` may reference a `ClusterRole` to grant permissions to
+namespaced resources defined in the `ClusterRole` within the `RoleBinding`’s
+namespace. This allows administrators to define a set of common roles for the
+entire cluster, then reuse them within multiple namespaces.
+
 When deciding between using the two, you should mostly only need to look at
 whether your assigning `ClusterRoles` or `Roles` and then use the equivalent
 configuration. Refer to the [Kubernetes RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)

pkg/controller/controller.go

@@ -337,10 +337,12 @@ func (c *Controller) handleConfig(config *rbacsyncv1alpha.RBACSyncConfig) error
 	active := map[string]struct{}{}
 
 	for _, binding := range config.Spec.Bindings {
-		// need to valdiate that we only create rolebindings with this configuration.
-		if binding.RoleRef.Kind != "Role" {
+		switch binding.RoleRef.Kind {
+		case "Role", "ClusterRole":
+			// valid role reference kind for the role binding.
+		default:
 			c.recorder.Eventf(config, corev1.EventTypeWarning,
-				EventReasonBindingError, "RoleRef kind %q invalid for RBACSyncConfig on group %q, use only Role",
+				EventReasonBindingError, "RoleRef kind %q invalid for RBACSyncConfig on group %q, use only Role or ClusterRole",
 				binding.RoleRef.Kind, binding.Group)
 			continue
 		}

pkg/controller/controller_test.go

@@ -64,6 +64,29 @@ func TestControllerRBACSyncConfig(t *testing.T) {
 			},
 		},
 
+		// Ensure that we can bind cluster roles.
+		{
+			input: newRBACSyncConfig("testing", "clusterrole",
+				[]rbacsyncv1alpha.Membership{
+					newMembership("group0",
+						[]rbacv1.Subject{
+							newUserSubject("user0"),
+							newUserSubject("user1"),
+						}),
+				},
+				[]rbacsyncv1alpha.Binding{
+					newBinding("group0", "role0", "Role"),
+					newBinding("group0", "role1", "ClusterRole"),
+					newBinding("upstream", "role0", "Role"),
+				}),
+			events: []string{
+				"Normal ConfigEnqueued RBACSyncConfig testing/clusterrole enqueued",
+				"Normal BindingConfigured RoleBinding testing/clusterrole-group0-role0 configured",
+				"Normal BindingConfigured RoleBinding testing/clusterrole-group0-role1 configured",
+				"Normal BindingConfigured RoleBinding testing/clusterrole-upstream-role0 configured",
+			},
+		},
+
 		// Ensure that we can reference a role in two separate bindings.
 		{
 			input: newRBACSyncConfig("testing", "duplicates",
@@ -106,16 +129,13 @@ func TestControllerRBACSyncConfig(t *testing.T) {
 				},
 				[]rbacsyncv1alpha.Binding{
 					newBinding("group0", "role0", "Role"),
-
-					// This will cause a failure event because we cannot
-					// create clusterroles from the non-cluster version.
-					newBinding("group0", "role1", "ClusterRole"),
+					newBinding("group0", "role1", "ThisRoleTypeDoesNotExist"),
 					newBinding("upstream", "role0", "Role"),
 				}),
 			events: []string{
 				"Normal ConfigEnqueued RBACSyncConfig testing/invalidrole enqueued",
 				"Normal BindingConfigured RoleBinding testing/invalidrole-group0-role0 configured",
-				"Warning BindingError RoleRef kind \"ClusterRole\" invalid for RBACSyncConfig on group \"group0\", use only Role",
+				"Warning BindingError RoleRef kind \"ThisRoleTypeDoesNotExist\" invalid for RBACSyncConfig on group \"group0\", use only Role or ClusterRole",
 				"Normal BindingConfigured RoleBinding testing/invalidrole-upstream-role0 configured",
 			},
 		},
@@ -716,7 +736,9 @@ func makeExpectedRoleBindings(t *testing.T, config *rbacsyncv1alpha.RBACSyncConf
 
 	seen := map[string]struct{}{}
 	for _, binding := range config.Spec.Bindings {
-		if binding.RoleRef.Kind != "Role" {
+		switch binding.RoleRef.Kind {
+		case "Role", "ClusterRole":
+		default:
 			// these are skipped
 			continue
 		}