v0.3.12-rc1: [v0.3] s4: Fixes 374 (#407)

Pre-release
@rancherio-gh-m rancherio-gh-m released this 21 Jun 14:43
· 181 commits to main since this release
9495ef3
* [v0.3.10] s4: Fixes 374 (#393)

* Update rancher/rancher/pkg/apis dependency
* [v0.3.s4] Backport Verify ExternalRules in RoleTemplates (#103)

If the feature flag external-rules is enabled, the validation for RT follows this sequence:
- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.

For PRTB or CRTB:
- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.

The previous verification process applies if the external-rules feature flag is disabled.

* [v0.3.s4] Allow Restricted Admin to update external-rules feature flag (#104)

---------
Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
Co-authored-by: Raul Cabello Martin <raulcabm@gmail.com>

* bump rancher to commit 56a742be417f937c9189068110270271906556ba

---------

Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>
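
The RoleTemplate sequence listed above for the enabled `external-rules` flag, modelled as a decision function. This is an added example, not code from rancher/webhook. The type and function names, the lookup of the backing ClusterRole by RoleTemplate name, and the reduced `validateRules` check (a stand-in for the upstream Kubernetes validation) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// PolicyRule is a reduced stand-in for the Kubernetes RBAC rule type.
type PolicyRule struct{ Verbs, APIGroups, Resources []string }

// RoleTemplate holds only the fields the release note mentions.
type RoleTemplate struct {
	Name          string
	External      bool
	ExternalRules []PolicyRule
}

// validateRules is a simplified placeholder for the upstream Kubernetes validation.
func validateRules(rules []PolicyRule) error {
	for i, r := range rules {
		if len(r.Verbs) == 0 || len(r.APIGroups) == 0 || len(r.Resources) == 0 {
			return fmt.Errorf("externalRules[%d]: verbs, apiGroups and resources are required", i)
		}
	}
	return nil
}

// ResolveRoleTemplate follows steps 1-5; clusterRoles models the local cluster (hypothetical).
func ResolveRoleTemplate(rt RoleTemplate, canEscalate bool, clusterRoles map[string][]PolicyRule) ([]PolicyRule, error) {
	if len(rt.ExternalRules) > 0 {
		if !canEscalate { // step 1: escalate on RoleTemplates is required
			return nil, errors.New("externalRules set without escalate permission")
		}
		if rt.External { // step 2: validated only when external is true
			if err := validateRules(rt.ExternalRules); err != nil {
				return nil, err
			}
		}
		return rt.ExternalRules, nil // step 3: externalRules win when provided
	}
	if rules, ok := clusterRoles[rt.Name]; ok { // step 4: fall back to the backing ClusterRole
		return rules, nil
	}
	return nil, errors.New("no externalRules and no backing ClusterRole") // step 5
}

func main() {
	_, err := ResolveRoleTemplate(RoleTemplate{Name: "view-ext", External: true}, true, nil) // constructed sample
	fmt.Println("decision:", err)
}
```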