v0.3.12-rc1: [v0.3] s4: Fixes 374 (#407)
Pre-release
rancherio-gh-m released this 21 Jun 14:43
* [v0.3.10] s4: Fixes 374 (#393)

* Update rancher/rancher/pkg/apis dependency

* [v0.3.s4] Backport Verify ExternalRules in RoleTemplates (#103)

If the feature flag external-rules is enabled, the validation for RT follows this sequence:

- 1) Reject if externalRules are provided and the user doesn’t have escalate permissions on RoleTemplates.
- 2) Validate the policy rules defined in externalRules the same way as the already existing rules field. This validation leverages Kubernetes’ upstream validation. Webhook will validate this only if external is set to true.
- 3) Use externalRules for resolving rules if provided.
- 4) Use backing ClusterRole in the local cluster if externalRules are not provided.
- 5) Reject if externalRules are not provided and there is no backing ClusterRole in the local cluster.

For PRTB or CRTB:

- 1) Use externalRules for resolving rules if provided.
- 2) Use backing ClusterRole in the local cluster if externalRules are not provided.

The previous verification process applies if the external-rules feature flag is disabled.

* [v0.3.s4] Allow Restricted Admin to update external-rules feature flag (#104)

---------

Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
Co-authored-by: Raul Cabello Martin <raulcabm@gmail.com>

* bump rancher to commit 56a742be417f937c9189068110270271906556ba

---------

Co-authored-by: Peter Matseykanets <peter.matseykanets@suse.com>
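The RoleTemplate sequence in the commit message above, modelled as a decision function. This is an added Go example, not code from the Rancher webhook. All type, field and error names are hypothetical, the empty-verbs check is a simplified stand-in for Kubernetes' upstream rule validation, and the backing ClusterRole is assumed to share the RoleTemplate's name.

```go
package main

import "errors"

type Rule struct{ Verbs []string } // hypothetical, simplified types; not the webhook's own
type RoleTemplate struct {
	Name          string
	External      bool
	ExternalRules []Rule
}
type Request struct {
	FlagEnabled  bool              // external-rules feature flag
	CanEscalate  bool              // requester holds escalate on RoleTemplates
	ClusterRoles map[string][]Rule // local cluster; assumed keyed by RoleTemplate name
}

var (
	ErrLegacyPath = errors.New("previous verification applies (not modelled here)")
	ErrEscalate   = errors.New("externalRules require escalate on RoleTemplates")
	ErrBadRule    = errors.New("invalid policy rule in externalRules")
	ErrNoBacking  = errors.New("no externalRules and no backing ClusterRole")
)

// ResolveExternalRT walks steps 1-5 of the RoleTemplate sequence.
func ResolveExternalRT(rt RoleTemplate, req Request) ([]Rule, error) {
	if !req.FlagEnabled || !rt.External {
		return nil, ErrLegacyPath
	}
	if len(rt.ExternalRules) == 0 {
		if rules, ok := req.ClusterRoles[rt.Name]; ok {
			return rules, nil // step 4: fall back to the backing ClusterRole
		}
		return nil, ErrNoBacking // step 5
	}
	if !req.CanEscalate {
		return nil, ErrEscalate // step 1
	}
	for _, r := range rt.ExternalRules {
		if len(r.Verbs) == 0 { // stand-in for upstream policy rule validation
			return nil, ErrBadRule // step 2
		}
	}
	return rt.ExternalRules, nil // step 3
}

func main() { // constructed input: externalRules set, requester lacks escalate
	rt := RoleTemplate{Name: "ext-view", External: true, ExternalRules: []Rule{{Verbs: []string{"get"}}}}
	_, err := ResolveExternalRT(rt, Request{FlagEnabled: true})
	println(err.Error())
}
```
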