
Commit 8049a92

author
Kubernetes Submit Queue
authored
Merge pull request kubernetes#48545 from liggitt/automated-cherry-pick-of-#48480-upstream-release-1.6
Automatic merge from submit-queue Automated cherry pick of kubernetes#48480 Cherry pick of kubernetes#48480 on release-1.6. kubernetes#48480: Ensure namespace exists as part of RBAC reconciliation
2 parents 313fd31 + c384896 commit 8049a92


5 files changed

+32
-4
lines changed


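--- a/pkg/registry/rbac/reconciliation/BUILD
+++ b/pkg/registry/rbac/reconciliation/BUILD
@@ -37,6 +37,7 @@ go_library(
 deps = [
 "//pkg/api:go_default_library",
 "//pkg/apis/rbac:go_default_library",
+"//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
 "//pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion:go_default_library",
 "//pkg/registry/rbac/validation:go_default_library",
 "//vendor:k8s.io/apimachinery/pkg/api/errors",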

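--- a/pkg/registry/rbac/reconciliation/role_interfaces.go
+++ b/pkg/registry/rbac/reconciliation/role_interfaces.go
@@ -17,8 +17,11 @@ limitations under the License.
 package reconciliation
 
 import (
+apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/kubernetes/pkg/api"
 "k8s.io/kubernetes/pkg/apis/rbac"
+core "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
 "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
 )
 
@@ -59,7 +62,8 @@ func (o RoleRuleOwner) SetRules(in []rbac.PolicyRule) {
 }
 
 type RoleModifier struct {
-Client internalversion.RolesGetter
+Client internalversion.RolesGetter
+NamespaceClient core.NamespaceInterface
 }
 
 func (c RoleModifier) Get(namespace, name string) (RuleOwner, error) {
@@ -71,6 +75,11 @@ func (c RoleModifier) Get(namespace, name string) (RuleOwner, error) {
 }
 
 func (c RoleModifier) Create(in RuleOwner) (RuleOwner, error) {
+ns := &api.Namespace{ObjectMeta: metav1.ObjectMeta{Name: in.GetNamespace()}}
+if _, err := c.NamespaceClient.Create(ns); err != nil && !apierrors.IsAlreadyExists(err) {
+return nil, err
+}
+
 ret, err := c.Client.Roles(in.GetNamespace()).Create(in.(RoleRuleOwner).Role)
 if err != nil {
 return nil, err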
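Review bot: `RoleModifier.Create` calls `c.NamespaceClient.Create` without checking that the new field was set, so a caller that still constructs `RoleModifier{Client: ...}` would hit a nil-interface panic rather than an error; `RoleBindingClientAdapter.Create` in rolebinding_interfaces.go has the same gap. I would guard it with `if c.NamespaceClient == nil { return nil, fmt.Errorf("namespace client is required") }` (needs `fmt` imported) and document the field, e.g. `// NamespaceClient is used by Create to ensure the target namespace exists; must be non-nil.` Because storage_rbac.go wires this to the loopback client, the namespace is created with the API server's own credentials, so the comment should also state that `in.GetNamespace()` is expected to come from trusted bootstrap policy rather than request input. The body of `Create` continues past the end of the hunk.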

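--- a/pkg/registry/rbac/reconciliation/rolebinding_interfaces.go
+++ b/pkg/registry/rbac/reconciliation/rolebinding_interfaces.go
@@ -17,9 +17,12 @@ limitations under the License.
 package reconciliation
 
 import (
+apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+"k8s.io/kubernetes/pkg/api"
 "k8s.io/kubernetes/pkg/apis/rbac"
+core "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
 "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
 )
 
@@ -68,7 +71,8 @@ func (o RoleBindingAdapter) SetSubjects(in []rbac.Subject) {
 }
 
 type RoleBindingClientAdapter struct {
-Client internalversion.RoleBindingsGetter
+Client internalversion.RoleBindingsGetter
+NamespaceClient core.NamespaceInterface
 }
 
 func (c RoleBindingClientAdapter) Get(namespace, name string) (RoleBinding, error) {
@@ -80,6 +84,11 @@ func (c RoleBindingClientAdapter) Get(namespace, name string) (RoleBinding, erro
 }
 
 func (c RoleBindingClientAdapter) Create(in RoleBinding) (RoleBinding, error) {
+ns := &api.Namespace{ObjectMeta: metav1.ObjectMeta{Name: in.GetNamespace()}}
+if _, err := c.NamespaceClient.Create(ns); err != nil && !apierrors.IsAlreadyExists(err) {
+return nil, err
+}
+
 ret, err := c.Client.RoleBindings(in.GetNamespace()).Create(in.(RoleBindingAdapter).RoleBinding)
 if err != nil {
 return nil, err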
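Review bot: The five lines added to `RoleBindingClientAdapter.Create` are a verbatim copy of the namespace-ensuring block added to `RoleModifier.Create`, which makes it easy for the two error policies to drift apart later. A small unexported helper in this package, called as `if err := ensureNamespace(c.NamespaceClient, in.GetNamespace()); err != nil { return nil, err }`, would keep the "tolerate AlreadyExists, fail on anything else" rule in one place. The namespace is also created before the `in.(RoleBindingAdapter)` assertion on the next line, so a wrong concrete type would panic only after the side effect has happened; asserting first would avoid that. `Create` continues beyond the end of the hunk.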

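--- a/pkg/registry/rbac/rest/BUILD
+++ b/pkg/registry/rbac/rest/BUILD
@@ -16,6 +16,7 @@ go_library(
 "//pkg/apis/rbac:go_default_library",
 "//pkg/apis/rbac/v1alpha1:go_default_library",
 "//pkg/apis/rbac/v1beta1:go_default_library",
+"//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
 "//pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion:go_default_library",
 "//pkg/client/retry:go_default_library",
 "//pkg/registry/rbac/clusterrole:go_default_library",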

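--- a/pkg/registry/rbac/rest/storage_rbac.go
+++ b/pkg/registry/rbac/rest/storage_rbac.go
@@ -36,6 +36,7 @@ import (
 "k8s.io/kubernetes/pkg/apis/rbac"
 rbacapiv1alpha1 "k8s.io/kubernetes/pkg/apis/rbac/v1alpha1"
 rbacapiv1beta1 "k8s.io/kubernetes/pkg/apis/rbac/v1beta1"
+coreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
 rbacclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
 "k8s.io/kubernetes/pkg/client/retry"
 "k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
@@ -132,6 +133,13 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 // intializing roles is really important. On some e2e runs, we've seen cases where etcd is down when the server
 // starts, the roles don't initialize, and nothing works.
 err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
+
+coreclientset, err := coreclient.NewForConfig(hookContext.LoopbackClientConfig)
+if err != nil {
+utilruntime.HandleError(fmt.Errorf("unable to initialize client: %v", err))
+return false, nil
+}
+
 clientset, err := rbacclient.NewForConfig(hookContext.LoopbackClientConfig)
 if err != nil {
 utilruntime.HandleError(fmt.Errorf("unable to initialize client: %v", err))
@@ -210,7 +218,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 for _, role := range roles {
 opts := reconciliation.ReconcileRoleOptions{
 Role: reconciliation.RoleRuleOwner{Role: &role},
-Client: reconciliation.RoleModifier{Client: clientset},
+Client: reconciliation.RoleModifier{Client: clientset, NamespaceClient: coreclientset.Namespaces()},
 Confirm: true,
 }
 err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
@@ -240,7 +248,7 @@ func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 for _, roleBinding := range roleBindings {
 opts := reconciliation.ReconcileRoleBindingOptions{
 RoleBinding: reconciliation.RoleBindingAdapter{RoleBinding: &roleBinding},
-Client: reconciliation.RoleBindingClientAdapter{Client: clientset, NamespaceClient: coreclientset.Namespaces()},
+Client: reconciliation.RoleBindingClientAdapter{Client: clientset, NamespaceClient: coreclientset.Namespaces()},
 Confirm: true,
 }
 err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {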
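Review bot: In the `wait.Poll` closure of `PostStartHook`, a failure of the new `coreclient.NewForConfig` call is reported with the same text as the existing `rbacclient.NewForConfig` failure (`unable to initialize client`), so someone reading the bootstrap log cannot tell which client failed. I would make the new message specific, `utilruntime.HandleError(fmt.Errorf("unable to initialize core client: %v", err))`, and drop the blank line added directly after the closure's opening line. `coreclientset.Namespaces()` is also evaluated once per role and per role binding in the two later hunks; a local such as `nsClient := coreclientset.Namespaces()` next to the client construction would read more clearly. `PostStartHook` starts and ends outside these hunks.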
