Merge pull request kcp-dev#1177 from shawn-hurley/add-authorizer-vw-a…

…piexport adding authorizer for the api export virtual workspace Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
stevekuznetsov · Jun 8, 2022 · 4292768 · 4292768
2 parents 3385991 + caf8732
commit 4292768
Show file tree

Hide file tree

Showing 34 changed files with 1,249 additions and 247 deletions.
diff --git a/config/crds/tenancy.kcp.dev_clusterworkspaces.yaml b/config/crds/tenancy.kcp.dev_clusterworkspaces.yaml
@@ -68,17 +68,25 @@ spec:
               readOnly:
                 type: boolean
               type:
-                default: Universal
                 description: "type defines properties of the workspace both on creation
                   (e.g. initial resources and initially installed APIs) and during
                   runtime (e.g. permissions). \n The type is a reference to a ClusterWorkspaceType
-                  in the same workspace with the same name, but lower-cased. The ClusterWorkspaceType
+                  in the listed workspace, but lower-cased. The ClusterWorkspaceType
                   existence is validated at admission during creation, with the exception
                   of the \"Universal\" type whose existence is not required but respected
                   if it exists. The type is immutable after creation. The use of a
                   type is gated via the RBAC clusterworkspacetypes/use resource permission."
-                pattern: ^[A-Z][a-zA-Z0-9]+$
-                type: string
+                properties:
+                  name:
+                    description: name is the name of the ClusterWorkspaceType
+                    pattern: ^[A-Z][a-zA-Z0-9]+$
+                    type: string
+                  path:
+                    description: path is an absolute reference to the workspace that
+                      owns this type, e.g. root:org:ws.
+                    pattern: ^root(:[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                type: object
             type: object
           status:
             description: ClusterWorkspaceStatus communicates the observed state of

diff --git a/config/crds/tenancy.kcp.dev_clusterworkspacetypes.yaml b/config/crds/tenancy.kcp.dev_clusterworkspacetypes.yaml
@@ -44,6 +44,64 @@ spec:
                 description: additionalWorkspaceLabels are a set of labels that will
                   be added to a ClusterWorkspace on creation.
                 type: object
+              allowedSubWorkspaceTypes:
+                description: "allowedSubWorkspaceTypes is a list of ClusterWorkspaceTypes
+                  that can be created in a workspace of this type. \n If a workspace
+                  type extends a type definition of the same name at a higher level,
+                  the sets of allowed sub-workspace types are merged. A ClusterWorkspaceType
+                  can only add allowed sub-workspace types from the same workspace.
+                  \n For example, extending types from parent workspaces is not allowed,
+                  as seen with the following ClusterWorkspaceType objects: \n apiVersion:
+                  tenancy.kcp.dev/v1alpha1 | apiVersion: tenancy.kcp.dev/v1alpha1
+                  kind: ClusterWorkspaceType           | kind: ClusterWorkspaceType
+                  metadata:                            | metadata:   name: organization
+                  \                |   name: organization   clusterName: root                  |
+                  \  clusterName: root:something spec:                                |
+                  spec:  allowedSubWorkspaceTypes: []        |  allowedSubWorkspaceTypes:
+                  \                                     |  - organization \n The Organization
+                  type in root:something cannot add a type from higher in the chain,
+                  only that type can allow itself to be a sub-type. \n However, extending
+                  types from your own workspace is valid, as seen with the following
+                  ClusterWorkspaceType objects: \n apiVersion: tenancy.kcp.dev/v1alpha1
+                  | apiVersion: tenancy.kcp.dev/v1alpha1 kind: ClusterWorkspaceType
+                  \          | kind: ClusterWorkspaceType metadata:                            |
+                  metadata:   name: organization                 |   name: team   clusterName:
+                  root                  |   clusterName: root:something spec:                                |
+                  spec:  allowedSubWorkspaceTypes: []        |  allowedSubWorkspaceTypes:
+                  []                                      | apiVersion: tenancy.kcp.dev/v1alpha1
+                  \                                     | kind: ClusterWorkspaceType
+                  \                                     | metadata:                                      |
+                  \  name: organization                                      |   clusterName:
+                  root:something                                      | spec:                                      |
+                  \ allowedSubWorkspaceTypes:                                      |
+                  \ - team \n The Organization type in root:something is allowed to
+                  extend the allowed sub-types with a new Type that exists at the
+                  same level in the hierarchy. \n Furthermore, co-locating aliases
+                  is allowed, as is seen with the following ClusterWorkspaceType objects:
+                  \n apiVersion: tenancy.kcp.dev/v1alpha1 | apiVersion: tenancy.kcp.dev/v1alpha1
+                  kind: ClusterWorkspaceType           | kind: ClusterWorkspaceType
+                  metadata:                            | metadata:   name: organization
+                  \                |   name: team   clusterName: team                  |
+                  \  clusterName: root:something spec:                                |
+                  spec:  allowedSubWorkspaceTypes:           |  allowedSubWorkspaceTypes:
+                  \ - name: team                        |  - name: team \n The Team
+                  type in root:something can now have nested ClusterWorkspaces created
+                  of either type root:team *or* root:something:team. \n By default
+                  no type is allowed. This means no other workspace can be nested
+                  within a workspace of the given type."
+                items:
+                  type: string
+                type: array
+              defaultSubWorkspaceType:
+                description: "defaultSubWorkspaceType is the ClusterWorkspaceType
+                  that will be used by default if another, nested ClusterWorkspace
+                  is created in a workspace of this type. The default behaviour requires
+                  the user to specify a type. \n If a workspace type extends a type
+                  definition of the same name at a higher level, the child workspace's
+                  default is preferred. A ClusterWorkspaceType can only add a default
+                  type from the same workspace. Not specifying defaultSubWorkspaceType
+                  or an empty string means to inherit the value from the super-workspace."
+                type: string
               initializers:
                 description: initializers are set of a ClusterWorkspace on creation
                   and must be cleared by a controller before the workspace can be

diff --git a/config/root/clusterworkspace-default.yaml b/config/root/clusterworkspace-default.yaml
@@ -3,4 +3,6 @@ kind: ClusterWorkspace
 metadata:
   name: default
 spec:
-  type: Organization
+  type:
+    name: Organization
+    path: root
diff --git a/config/root/clusterworkspacetype-organization.yaml b/config/root/clusterworkspacetype-organization.yaml
@@ -1,7 +1,11 @@
-apiVersion: tenancy.kcp.dev/v1alpha1
-kind: ClusterWorkspaceType
-metadata:
-  name: organization
-spec:
-  initializers:
-  - tenancy.kcp.dev/organization
+  apiVersion: tenancy.kcp.dev/v1alpha1
+  kind: ClusterWorkspaceType
+  metadata:
+    name: organization
+  spec:
+    initializers:
+    - tenancy.kcp.dev/organization
+    defaultSubWorkspaceType: Team
+    allowedSubWorkspaceTypes:
+    - Team
+    - Universal
diff --git a/...ganization/clusterworkspacetype-team.yaml → config/root/clusterworkspacetype-team.yaml b/...ganization/clusterworkspacetype-team.yaml → config/root/clusterworkspacetype-team.yaml
@@ -5,3 +5,6 @@ metadata:
 spec:
   initializers:
   - tenancy.kcp.dev/team
+  defaultSubWorkspaceType: Universal
+  allowedSubWorkspaceTypes:
+    - Universal
diff --git a/...ation/clusterworkspacetype-universal.yaml → .../root/clusterworkspacetype-universal.yaml b/...ation/clusterworkspacetype-universal.yaml → .../root/clusterworkspacetype-universal.yaml
@@ -7,3 +7,6 @@ spec:
   - tenancy.kcp.dev/universal
   additionalWorkspaceLabels:
     workloads.kcp.dev/schedulable: "true"
+  defaultSubWorkspaceType: Universal
+  allowedSubWorkspaceTypes:
+  - Universal
diff --git a/config/root/clusterworkspacetype-use-clusterrole.yaml b/config/root/clusterworkspacetype-use-clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:kcp:universal-clusterworkspacetype-use
+rules:
+- apiGroups: ["tenancy.kcp.dev"]
+  resources:
+  - "clusterworkspacetypes"
+  resourceNames:
+  - "universal"
+  - "organization"
+  - "team"
+  verbs: ["use"]
diff --git a/config/root/clusterworkspacetype-use-clusterrolebinding.yaml b/config/root/clusterworkspacetype-use-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:kcp:authenticated:universal-clusterworkspacetype-use
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kcp:universal-clusterworkspacetype-use
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
diff --git a/config/team/clusterworkspacetype-universal.yaml b/config/team/clusterworkspacetype-universal.yaml
diff --git a/pkg/admission/clusterworkspace/admission.go b/pkg/admission/clusterworkspace/admission.go
@@ -107,7 +107,7 @@ func (o *clusterWorkspace) Validate(ctx context.Context, a admission.Attributes,
 		if errs := validation.ValidateImmutableField(cw.Spec.Type, old.Spec.Type, field.NewPath("spec", "type")); len(errs) > 0 {
 			return admission.NewForbidden(a, errs.ToAggregate())
 		}
-		if old.Spec.Type != cw.Spec.Type {
+		if old.Spec.Type.Path != cw.Spec.Type.Path || old.Spec.Type.Name != cw.Spec.Type.Name {
 			return admission.NewForbidden(a, errors.New("spec.type is immutable"))
 		}
 

diff --git a/pkg/admission/clusterworkspace/admission_test.go b/pkg/admission/clusterworkspace/admission_test.go
@@ -76,15 +76,21 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 			},
 				&tenancyv1alpha1.ClusterWorkspace{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "test",
 					},
 					Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-						Type: "Universal",
+						Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+							Name: "Universal",
+							Path: "root:org",
+						},
 					},
 				}),
 			wantErr: true,
@@ -96,7 +102,10 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 				Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 					Location: tenancyv1alpha1.ClusterWorkspaceLocation{
@@ -108,7 +117,10 @@ func TestValidate(t *testing.T) {
 						Name: "test",
 					},
 					Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-						Type: "Foo",
+						Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+							Name: "Foo",
+							Path: "root:org",
+						},
 					},
 					Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 						Location: tenancyv1alpha1.ClusterWorkspaceLocation{
@@ -125,7 +137,10 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 				Status: tenancyv1alpha1.ClusterWorkspaceStatus{},
 			},
@@ -134,7 +149,10 @@ func TestValidate(t *testing.T) {
 						Name: "test",
 					},
 					Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-						Type: "Foo",
+						Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+							Name: "Foo",
+							Path: "root:org",
+						},
 					},
 					Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 						BaseURL: "https://cluster/clsuters/test",
@@ -149,7 +167,10 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 				Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 					Phase:        tenancyv1alpha1.ClusterWorkspacePhaseReady,
@@ -163,7 +184,10 @@ func TestValidate(t *testing.T) {
 						Name: "test",
 					},
 					Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-						Type: "Foo",
+						Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+							Name: "Foo",
+							Path: "root:org",
+						},
 					},
 					Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 						Phase:        tenancyv1alpha1.ClusterWorkspacePhaseInitializing,
@@ -179,7 +203,10 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 				Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 					Phase:        tenancyv1alpha1.ClusterWorkspacePhaseReady,
@@ -193,7 +220,10 @@ func TestValidate(t *testing.T) {
 						Name: "test",
 					},
 					Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-						Type: "Foo",
+						Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+							Name: "Foo",
+							Path: "root:org",
+						},
 					},
 					Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 						Phase:        tenancyv1alpha1.ClusterWorkspacePhaseInitializing,
@@ -210,7 +240,10 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 				Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 					Phase:        tenancyv1alpha1.ClusterWorkspacePhaseReady,
@@ -224,7 +257,10 @@ func TestValidate(t *testing.T) {
 						Name: "test",
 					},
 					Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-						Type: "Foo",
+						Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+							Name: "Foo",
+							Path: "root:org",
+						},
 					},
 					Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 						Phase:        tenancyv1alpha1.ClusterWorkspacePhaseScheduling,
@@ -239,7 +275,10 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 				Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 					Phase:        tenancyv1alpha1.ClusterWorkspacePhaseReady,
@@ -256,7 +295,10 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 				Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 					Phase:        tenancyv1alpha1.ClusterWorkspacePhaseReady,
@@ -269,7 +311,10 @@ func TestValidate(t *testing.T) {
 						Name: "test",
 					},
 					Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-						Type: "Foo",
+						Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+							Name: "Foo",
+							Path: "root:org",
+						},
 					},
 					Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 						Phase:        tenancyv1alpha1.ClusterWorkspacePhaseScheduling,
@@ -285,7 +330,10 @@ func TestValidate(t *testing.T) {
 					Name: "test",
 				},
 				Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-					Type: "Foo",
+					Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+						Name: "Foo",
+						Path: "root:org",
+					},
 				},
 				Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 					Phase:        tenancyv1alpha1.ClusterWorkspacePhaseInitializing,
@@ -299,7 +347,10 @@ func TestValidate(t *testing.T) {
 						Name: "test",
 					},
 					Spec: tenancyv1alpha1.ClusterWorkspaceSpec{
-						Type: "Foo",
+						Type: tenancyv1alpha1.ClusterWorkspaceTypeReference{
+							Name: "Foo",
+							Path: "root:org",
+						},
 					},
 					Status: tenancyv1alpha1.ClusterWorkspaceStatus{
 						Phase:        tenancyv1alpha1.ClusterWorkspacePhaseReady,

diff --git a/pkg/admission/clusterworkspaceshard/admission_test.go b/pkg/admission/clusterworkspaceshard/admission_test.go
@@ -281,7 +281,9 @@ func TestAdmit(t *testing.T) {
 						"name":              "test",
 						"creationTimestamp": nil,
 					},
-					"spec": map[string]interface{}{},
+					"spec": map[string]interface{}{
+						"type": map[string]interface{}{},
+					},
 					"status": map[string]interface{}{
 						"location": map[string]interface{}{},
 					},