
Commit 1065a0c

committed
Allow cluster-admins to install/upgrade logging 4.5+
1 parent e48132e commit 1065a0c


2 files changed

+146
-2
lines changed


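--- a/pkg/webhooks/subscription/subscription.go
+++ b/pkg/webhooks/subscription/subscription.go
@@ -24,7 +24,7 @@ const (
 
 var (
 privilegedUsers = []string{"kube:admin", "system:admin", "system:serviceaccount:kube-system:generic-garbage-collector"}
-adminGroups = []string{"osd-sre-admins", "osd-sre-cluster-admins"}
+adminGroups = []string{"osd-sre-admins", "osd-sre-cluster-admins", "cluster-admins"}
 blockedChannels = []string{"4.5", "4.6"}
 
 log = logf.Log.WithName(WebhookName)
@@ -157,7 +157,7 @@ func (s *SubscriptionWebhook) authorized(request admissionctl.Request) admission
 
 // if we're here, non-privileged user is attempting to CREATE or UPDATE logging
 // operator at 4.5 or 4.6 - deny this
-ret = admissionctl.Denied("Only Red Hat SREs can install or upgrade to the v4.5 or v4.6 logging operator at this time, as there are known issues with logging v4.5/v4.6 which we are working to resolve.")
+ret = admissionctl.Denied("Only cluster-admins and Red Hat SREs can install or upgrade to the v4.5 or v4.6 logging operator at this time, as there are known issues with logging v4.5/v4.6 which we are working to resolve.")
 ret.UID = request.AdmissionRequest.UID
 return ret
 }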
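Review bot: `adminGroups` now mixes the two `osd-sre-*` groups with `cluster-admins`, and nothing at the declaration says which entries are Red Hat SRE and which are not, although the new denial text treats them as distinct audiences. Because the list is a package-level variable, any other check in this file that reads `adminGroups` (none is visible in these hunks) would give `cluster-admins` the same bypass, so it is worth confirming that the blocked-channel check is its only consumer. The decision rests purely on the group names reported for the request, so the membership of `cluster-admins` should be controlled as tightly as the restriction needs. I would add a comment above the list, for example `// adminGroups may bypass blockedChannels; osd-sre-* are Red Hat SRE, cluster-admins is not (confirm who manages its membership)`. The body of `authorized` starts outside the second hunk.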

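--- a/pkg/webhooks/subscription/subscription_test.go
+++ b/pkg/webhooks/subscription/subscription_test.go
@@ -1109,6 +1109,150 @@ func TestPrivilegedUsers(t *testing.T) {
 channel: "4.6",
 shouldBeAllowed: true,
 },
+{
+testID: "cluster-admin-can-install-ES-logging-44",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Create,
+subscriptionName: "elasticsearch-operator",
+channel: "4.4",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-install-cluster-logging-44",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Create,
+subscriptionName: "cluster-logging",
+channel: "4.4",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-install-other-45",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Create,
+subscriptionName: "random-cool-operator",
+channel: "4.5",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-install-other",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Create,
+subscriptionName: "other-cool-operator",
+channel: "4.4",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-install-cluster-logging-45",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Create,
+subscriptionName: "cluster-logging",
+channel: "4.5",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-install-ES-logging-45",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Create,
+subscriptionName: "elasticsearch-operator",
+channel: "4.5",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-install-cluster-logging-46",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Create,
+subscriptionName: "cluster-logging",
+channel: "4.6",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-install-ES-logging-46",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Create,
+subscriptionName: "elasticsearch-operator",
+channel: "4.6",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-upgrade-ES-logging-44",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Update,
+subscriptionName: "elasticsearch-operator",
+channel: "4.4",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-upgrade-cluster-logging-44",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Update,
+subscriptionName: "cluster-logging",
+channel: "4.4",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-upgrade-other-45",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Update,
+subscriptionName: "random-cool-operator",
+channel: "4.5",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-upgrade-other",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Update,
+subscriptionName: "other-cool-operator",
+channel: "43.2",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-upgrade-cluster-logging-45",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Update,
+subscriptionName: "cluster-logging",
+channel: "4.5",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-upgrade-ES-logging-45",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Update,
+subscriptionName: "elasticsearch-operator",
+channel: "4.5",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-upgrade-cluster-logging-46",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Update,
+subscriptionName: "cluster-logging",
+channel: "4.6",
+shouldBeAllowed: true,
+},
+{
+testID: "cluster-admin-can-upgrade-ES-logging-46",
+username: "testuser@testgroup.com",
+userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
+operation: v1beta1.Update,
+subscriptionName: "elasticsearch-operator",
+channel: "4.6",
+shouldBeAllowed: true,
+},
 }
 runSubscriptionTests(t, tests)
 }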
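Review bot: All sixteen added cases set `shouldBeAllowed: true`, so nothing in this hunk pins that the `cluster-admins` match is exact rather than a prefix or substring comparison. A denied case with a near-miss group would cover that, for instance `userGroups: []string{"cluster-admins-extra", "system:authenticated"}` (a constructed name) on `cluster-logging` at channel `4.5` with `shouldBeAllowed: false`; such a case may already exist earlier in `TestPrivilegedUsers`, which starts outside the hunk. Separately, `cluster-admin-can-upgrade-other` uses `channel: "43.2"` where its install counterpart uses `"4.4"`; this looks like a typo, harmless to the outcome because the operator is not a logging one, but worth aligning so the table reads consistently.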
