Skip to content

Commit 3405b38

Browse files
anniegracehuanniegracehu
committed
Shrink update path; fix revoke no-op; align parser with legacy.
Use _load_permission_data only in _update_rbac and keep the original rule loop. Drop dual-parser parity and its test. Match _parse_permission_rules to legacy by always appending rule_group. Return early from revoke when no update ClusterRole exists to avoid rewriting perms configmap. Made-with: Cursor
1 parent 49356a3 commit 3405b38

File tree

2 files changed

+22
-67
lines changed

2 files changed

+22
-67
lines changed

provider-kubeconfig.py

Lines changed: 22 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -81,8 +81,7 @@ def _parse_permission_rules(self, perms):
8181
rule_group["resourceNames"] = [parts[1].strip()]
8282
else:
8383
rule_group["resources"] = [resource]
84-
if rule_group:
85-
rule_list.append(rule_group)
84+
rule_list.append(rule_group)
8685
return rule_list, resources
8786

8887
def _read_perm_configmap_resources(self, sa, namespace, kubeconfig):
@@ -651,14 +650,13 @@ def _apply_provider_rbac(self, sa, namespace, kubeconfig):
651650
def _update_rbac(self, permissionfile, sa, namespace, kubeconfig):
652651
"""Add permissions from JSON/YAML file to provider (update command)."""
653652
perms = self._load_permission_data(permissionfile)
654-
# Keep old update parser path inline as source of truth.
655-
old_rule_list = []
656-
old_resources = []
653+
rule_list = []
654+
new_resources = []
657655
for api_group, res_actions in perms.items():
658656
for res in res_actions:
659657
for resource, verbs in res.items():
660-
if resource not in old_resources:
661-
old_resources.append(resource.strip())
658+
if resource not in new_resources:
659+
new_resources.append(resource.strip())
662660
rule_group = {}
663661
if api_group == "non-apigroup":
664662
if "nonResourceURL" in resource:
@@ -675,13 +673,7 @@ def _update_rbac(self, permissionfile, sa, namespace, kubeconfig):
675673
rule_group["resourceNames"] = [parts[1].strip()]
676674
else:
677675
rule_group["resources"] = [resource]
678-
old_rule_list.append(rule_group)
679-
new_rule_list, new_resources = self._parse_permission_rules(perms)
680-
if os.getenv("KUBEPLUS_UPDATE_EQ_CHECK", "0") == "1":
681-
self._assert_rule_parity("update-parser", old_rule_list, new_rule_list)
682-
self._assert_all_resources_parity("update-parser", old_resources, new_resources)
683-
rule_list = old_rule_list
684-
new_resources = old_resources
676+
rule_list.append(rule_group)
685677

686678
role = {
687679
"apiVersion": "rbac.authorization.k8s.io/v1",
@@ -712,21 +704,22 @@ def _revoke_rbac(self, permissionfile, sa, namespace, kubeconfig):
712704

713705
role_name = sa + "-update"
714706
out, _ = run_command("kubectl get clusterrole " + role_name + " -o json" + kubeconfig)
715-
if out:
716-
role_obj = json.loads(out)
717-
existing_rules = role_obj.get("rules", [])
718-
remaining_rules = []
719-
for rule in existing_rules:
720-
norm = self._normalize_rule(rule)
721-
norm_key = tuple(sorted(norm.items()))
722-
if norm_key not in revoke_norm:
723-
remaining_rules.append(rule)
724-
if remaining_rules:
725-
role_obj["rules"] = remaining_rules
726-
create_role_rolebinding(role_obj, sa + "-update-role.yaml", kubeconfig)
727-
else:
728-
run_command("kubectl delete clusterrole " + role_name + kubeconfig)
729-
run_command("kubectl delete clusterrolebinding " + role_name + kubeconfig)
707+
if not out:
708+
return
709+
role_obj = json.loads(out)
710+
existing_rules = role_obj.get("rules", [])
711+
remaining_rules = []
712+
for rule in existing_rules:
713+
norm = self._normalize_rule(rule)
714+
norm_key = tuple(sorted(norm.items()))
715+
if norm_key not in revoke_norm:
716+
remaining_rules.append(rule)
717+
if remaining_rules:
718+
role_obj["rules"] = remaining_rules
719+
create_role_rolebinding(role_obj, sa + "-update-role.yaml", kubeconfig)
720+
else:
721+
run_command("kubectl delete clusterrole " + role_name + kubeconfig)
722+
run_command("kubectl delete clusterrolebinding " + role_name + kubeconfig)
730723

731724
current_resources = self._read_perm_configmap_resources(sa, namespace, kubeconfig)
732725
remaining_resources = [res for res in current_resources if res not in set(revoke_resources)]

tests/test_provider_kubeconfig.py

Lines changed: 0 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -133,44 +133,6 @@ def test_load_permission_data_accepts_yaml(self):
133133
finally:
134134
os.remove(path)
135135

136-
def test_update_old_and_new_parsers_match(self):
137-
perms = {
138-
"apps": [
139-
{"deployments": ["get", "create"]},
140-
{"deployments/resourceName::sample": ["get"]},
141-
],
142-
"non-apigroup": [
143-
{"nonResourceURL::/metrics": ["get"]},
144-
],
145-
}
146-
old_rules = []
147-
old_resources = []
148-
for api_group, res_actions in perms.items():
149-
for res in res_actions:
150-
for resource, verbs in res.items():
151-
if resource not in old_resources:
152-
old_resources.append(resource.strip())
153-
rule_group = {}
154-
if api_group == "non-apigroup":
155-
if "nonResourceURL" in resource:
156-
parts = resource.split("nonResourceURL::")
157-
non_res = parts[1].strip() if len(parts) > 1 else parts[0].strip()
158-
rule_group["nonResourceURLs"] = [non_res]
159-
rule_group["verbs"] = verbs
160-
else:
161-
rule_group["apiGroups"] = [api_group]
162-
rule_group["verbs"] = verbs
163-
if "resourceName" in resource:
164-
parts = resource.split("/resourceName::")
165-
rule_group["resources"] = [parts[0].strip()]
166-
rule_group["resourceNames"] = [parts[1].strip()]
167-
else:
168-
rule_group["resources"] = [resource]
169-
old_rules.append(rule_group)
170-
new_rules, new_resources = self.generator._parse_permission_rules(perms)
171-
self.generator._assert_rule_parity("test-update-parser", old_rules, new_rules)
172-
self.generator._assert_all_resources_parity("test-update-parser", old_resources, new_resources)
173-
174136

175137
class TestKubeconfigIntegration(unittest.TestCase):
176138
"""

0 commit comments

Comments
 (0)