added new ACL capabilities related to autoscaling:
- read-job-scaling - scale-job - list-scaling-policies - read-scaling-policy updated the read and write policy dispositions, added the new autoscaler disposition
parent
233db5258a
commit
ca49563c94
|
@ -11,10 +11,11 @@ const (
|
|||
// The following levels are the only valid values for the `policy = "read"` stanza.
|
||||
// When policies are merged together, the most privilege is granted, except for deny
|
||||
// which always takes precedence and supercedes.
|
||||
PolicyDeny = "deny"
|
||||
PolicyRead = "read"
|
||||
PolicyList = "list"
|
||||
PolicyWrite = "write"
|
||||
PolicyDeny = "deny"
|
||||
PolicyRead = "read"
|
||||
PolicyList = "list"
|
||||
PolicyWrite = "write"
|
||||
PolicyAutoscaler = "autoscaler"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -23,23 +24,26 @@ const (
|
|||
// combined we take the union of all capabilities. If the deny capability is present, it
|
||||
// takes precedence and overwrites all other capabilities.
|
||||
|
||||
NamespaceCapabilityDeny = "deny"
|
||||
NamespaceCapabilityListJobs = "list-jobs"
|
||||
NamespaceCapabilityReadJob = "read-job"
|
||||
NamespaceCapabilityScaleJob = "scale-job"
|
||||
NamespaceCapabilitySubmitJob = "submit-job"
|
||||
NamespaceCapabilityDispatchJob = "dispatch-job"
|
||||
NamespaceCapabilityReadLogs = "read-logs"
|
||||
NamespaceCapabilityReadFS = "read-fs"
|
||||
NamespaceCapabilityAllocExec = "alloc-exec"
|
||||
NamespaceCapabilityAllocNodeExec = "alloc-node-exec"
|
||||
NamespaceCapabilityAllocLifecycle = "alloc-lifecycle"
|
||||
NamespaceCapabilitySentinelOverride = "sentinel-override"
|
||||
NamespaceCapabilityCSIRegisterPlugin = "csi-register-plugin"
|
||||
NamespaceCapabilityCSIWriteVolume = "csi-write-volume"
|
||||
NamespaceCapabilityCSIReadVolume = "csi-read-volume"
|
||||
NamespaceCapabilityCSIListVolume = "csi-list-volume"
|
||||
NamespaceCapabilityCSIMountVolume = "csi-mount-volume"
|
||||
NamespaceCapabilityDeny = "deny"
|
||||
NamespaceCapabilityListJobs = "list-jobs"
|
||||
NamespaceCapabilityReadJob = "read-job"
|
||||
NamespaceCapabilitySubmitJob = "submit-job"
|
||||
NamespaceCapabilityDispatchJob = "dispatch-job"
|
||||
NamespaceCapabilityReadLogs = "read-logs"
|
||||
NamespaceCapabilityReadFS = "read-fs"
|
||||
NamespaceCapabilityAllocExec = "alloc-exec"
|
||||
NamespaceCapabilityAllocNodeExec = "alloc-node-exec"
|
||||
NamespaceCapabilityAllocLifecycle = "alloc-lifecycle"
|
||||
NamespaceCapabilitySentinelOverride = "sentinel-override"
|
||||
NamespaceCapabilityCSIRegisterPlugin = "csi-register-plugin"
|
||||
NamespaceCapabilityCSIWriteVolume = "csi-write-volume"
|
||||
NamespaceCapabilityCSIReadVolume = "csi-read-volume"
|
||||
NamespaceCapabilityCSIListVolume = "csi-list-volume"
|
||||
NamespaceCapabilityCSIMountVolume = "csi-mount-volume"
|
||||
NamespaceCapabilityListScalingPolicies = "list-scaling-policies"
|
||||
NamespaceCapabilityReadScalingPolicy = "read-scaling-policy"
|
||||
NamespaceCapabilityReadJobScaling = "read-job-scaling"
|
||||
NamespaceCapabilityScaleJob = "scale-job"
|
||||
)
|
||||
|
||||
var (
|
||||
|
@ -122,7 +126,7 @@ type PluginPolicy struct {
|
|||
// isPolicyValid makes sure the given string matches one of the valid policies.
|
||||
func isPolicyValid(policy string) bool {
|
||||
switch policy {
|
||||
case PolicyDeny, PolicyRead, PolicyWrite:
|
||||
case PolicyDeny, PolicyRead, PolicyWrite, PolicyAutoscaler:
|
||||
return true
|
||||
default:
|
||||
return false
|
||||
|
@ -145,7 +149,8 @@ func isNamespaceCapabilityValid(cap string) bool {
|
|||
NamespaceCapabilitySubmitJob, NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs,
|
||||
NamespaceCapabilityReadFS, NamespaceCapabilityAllocLifecycle,
|
||||
NamespaceCapabilityAllocExec, NamespaceCapabilityAllocNodeExec,
|
||||
NamespaceCapabilityCSIReadVolume, NamespaceCapabilityCSIWriteVolume, NamespaceCapabilityCSIListVolume, NamespaceCapabilityCSIMountVolume, NamespaceCapabilityCSIRegisterPlugin:
|
||||
NamespaceCapabilityCSIReadVolume, NamespaceCapabilityCSIWriteVolume, NamespaceCapabilityCSIListVolume, NamespaceCapabilityCSIMountVolume, NamespaceCapabilityCSIRegisterPlugin,
|
||||
NamespaceCapabilityListScalingPolicies, NamespaceCapabilityReadScalingPolicy, NamespaceCapabilityReadJobScaling, NamespaceCapabilityScaleJob:
|
||||
return true
|
||||
// Separate the enterprise-only capabilities
|
||||
case NamespaceCapabilitySentinelOverride:
|
||||
|
@ -163,9 +168,13 @@ func expandNamespacePolicy(policy string) []string {
|
|||
NamespaceCapabilityReadJob,
|
||||
NamespaceCapabilityCSIListVolume,
|
||||
NamespaceCapabilityCSIReadVolume,
|
||||
NamespaceCapabilityReadJobScaling,
|
||||
NamespaceCapabilityListScalingPolicies,
|
||||
NamespaceCapabilityReadScalingPolicy,
|
||||
}
|
||||
|
||||
write := append(read, []string{
|
||||
NamespaceCapabilityScaleJob,
|
||||
NamespaceCapabilitySubmitJob,
|
||||
NamespaceCapabilityDispatchJob,
|
||||
NamespaceCapabilityReadLogs,
|
||||
|
@ -183,6 +192,13 @@ func expandNamespacePolicy(policy string) []string {
|
|||
return read
|
||||
case PolicyWrite:
|
||||
return write
|
||||
case PolicyAutoscaler:
|
||||
return []string{
|
||||
NamespaceCapabilityListScalingPolicies,
|
||||
NamespaceCapabilityReadScalingPolicy,
|
||||
NamespaceCapabilityReadJobScaling,
|
||||
NamespaceCapabilityScaleJob,
|
||||
}
|
||||
default:
|
||||
return nil
|
||||
}
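Review bot: In the isPolicyValid hunk, `PolicyAutoscaler` is added to the generic policy validator, yet the only code on this page that gives the value a meaning is the new `case PolicyAutoscaler:` in expandNamespacePolicy. If isPolicyValid is also called for non-namespace stanzas (its callers are outside the visible hunks, but the test fixture does contain an `agent { policy = "read" }` stanza), then `policy = "autoscaler"` would pass validation there without a defined set of rights. Consider a namespace-only check that accepts `PolicyDeny, PolicyRead, PolicyWrite, PolicyAutoscaler` and leaving the shared one at `case PolicyDeny, PolicyRead, PolicyWrite:`. The comment above the policy constants still describes them as the only valid values for the policy stanza; it should state that `autoscaler` is valid for namespaces only and that it includes `scale-job`, a mutating capability, alongside the three read-only scaling capabilities. Both isPolicyValid and expandNamespacePolicy continue outside their hunks.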
|
||||
|
|
|
@ -32,6 +32,9 @@ func TestParse(t *testing.T) {
|
|||
NamespaceCapabilityReadJob,
|
||||
NamespaceCapabilityCSIListVolume,
|
||||
NamespaceCapabilityCSIReadVolume,
|
||||
NamespaceCapabilityReadJobScaling,
|
||||
NamespaceCapabilityListScalingPolicies,
|
||||
NamespaceCapabilityReadScalingPolicy,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -48,6 +51,9 @@ func TestParse(t *testing.T) {
|
|||
namespace "secret" {
|
||||
capabilities = ["deny", "read-logs"]
|
||||
}
|
||||
namespace "autoscaler" {
|
||||
policy = "autoscaler"
|
||||
}
|
||||
agent {
|
||||
policy = "read"
|
||||
}
|
||||
|
@ -75,6 +81,9 @@ func TestParse(t *testing.T) {
|
|||
NamespaceCapabilityReadJob,
|
||||
NamespaceCapabilityCSIListVolume,
|
||||
NamespaceCapabilityCSIReadVolume,
|
||||
NamespaceCapabilityReadJobScaling,
|
||||
NamespaceCapabilityListScalingPolicies,
|
||||
NamespaceCapabilityReadScalingPolicy,
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -85,6 +94,10 @@ func TestParse(t *testing.T) {
|
|||
NamespaceCapabilityReadJob,
|
||||
NamespaceCapabilityCSIListVolume,
|
||||
NamespaceCapabilityCSIReadVolume,
|
||||
NamespaceCapabilityReadJobScaling,
|
||||
NamespaceCapabilityListScalingPolicies,
|
||||
NamespaceCapabilityReadScalingPolicy,
|
||||
NamespaceCapabilityScaleJob,
|
||||
NamespaceCapabilitySubmitJob,
|
||||
NamespaceCapabilityDispatchJob,
|
||||
NamespaceCapabilityReadLogs,
|
||||
|
@ -102,6 +115,16 @@ func TestParse(t *testing.T) {
|
|||
NamespaceCapabilityReadLogs,
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "autoscaler",
|
||||
Policy: PolicyAutoscaler,
|
||||
Capabilities: []string{
|
||||
NamespaceCapabilityListScalingPolicies,
|
||||
NamespaceCapabilityReadScalingPolicy,
|
||||
NamespaceCapabilityReadJobScaling,
|
||||
NamespaceCapabilityScaleJob,
|
||||
},
|
||||
},
|
||||
},
|
||||
Agent: &AgentPolicy{
|
||||
Policy: PolicyRead,
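Review bot: The TestParse hunks exercise only the positive path for the new disposition: a namespace stanza with `policy = "autoscaler"` and its expanded capability list. Nothing visible checks that the four new capability strings are accepted when listed directly, for example `capabilities = ["scale-job", "read-job-scaling"]`, or how `policy = "autoscaler"` is treated in a non-namespace stanza such as `agent`. TestParse starts and ends outside these hunks, so such cases may already exist elsewhere in the table; if they do not, one case of each kind would pin the validation behaviour for an ACL change that grants a mutating capability.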
|
||||
|
|