Merge pull request #54005 from deads2k/rbac-02-aggregation

Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view.  Once we agree on the shape, I'll

I added
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: true
```
to the `ClusterRole`.  A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93

Author: k8s-publish-robot

Godeps/Godeps.json

@@ -170,6 +170,20 @@ type ClusterRole struct {
 
 	// Rules holds all the PolicyRules for this ClusterRole
 	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+
+	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
+	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
+	// stomped by the controller.
+	// +optional
+	AggregationRule *AggregationRule `json:"aggregationRule,omitempty" protobuf:"bytes,3,opt,name=aggregationRule"`
+}
+
+// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
+type AggregationRule struct {
+	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
+	// If any of the selectors match, then the ClusterRole's permissions will be added
+	// +optional
+	ClusterRoleSelectors []metav1.LabelSelector `json:"clusterRoleSelectors,omitempty" protobuf:"bytes,1,rep,name=clusterRoleSelectors"`
 }
 
 // +genclient

rbac/v1/generated.pb.go

@@ -27,10 +27,20 @@ package v1
 // Those methods can be generated by using hack/update-generated-swagger-docs.sh
 
 // AUTO-GENERATED FUNCTIONS START HERE
+var map_AggregationRule = map[string]string{
+	"": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole",
+	"clusterRoleSelectors": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added",
+}
+
+func (AggregationRule) SwaggerDoc() map[string]string {
+	return map_AggregationRule
+}
+
 var map_ClusterRole = map[string]string{
-	"":         "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.",
-	"metadata": "Standard object's metadata.",
-	"rules":    "Rules holds all the PolicyRules for this ClusterRole",
+	"":                "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.",
+	"metadata":        "Standard object's metadata.",
+	"rules":           "Rules holds all the PolicyRules for this ClusterRole",
+	"aggregationRule": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.",
 }
 
 func (ClusterRole) SwaggerDoc() map[string]string {

rbac/v1/generated.proto

@@ -21,9 +21,33 @@ limitations under the License.
 package v1
 
 import (
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AggregationRule) DeepCopyInto(out *AggregationRule) {
+	*out = *in
+	if in.ClusterRoleSelectors != nil {
+		in, out := &in.ClusterRoleSelectors, &out.ClusterRoleSelectors
+		*out = make([]meta_v1.LabelSelector, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AggregationRule.
+func (in *AggregationRule) DeepCopy() *AggregationRule {
+	if in == nil {
+		return nil
+	}
+	out := new(AggregationRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterRole) DeepCopyInto(out *ClusterRole) {
 	*out = *in
@@ -36,6 +60,15 @@ func (in *ClusterRole) DeepCopyInto(out *ClusterRole) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.AggregationRule != nil {
+		in, out := &in.AggregationRule, &out.AggregationRule
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AggregationRule)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }