- 06 Mar, 2018 4 commits
-
Denise Schannon authored
-
Nathan Jenan authored
When a new namespace is created and assigned to a project and that project has a pod security policy, the pod security policy is not binding correctly. This is because when the service account handler looks to see if a binding exists for a given service account in a given namespace, it only looks for the first policy with a matching parent template annotation and then exits. This fixes the issue by making it compare the name and namespace of the subject in the clusterrole and then creating the role binding if it does not exist.
Issue: https://github.com/rancher/rancher/issues/11887
-
Craig Jellick authored
-
Craig Jellick authored
If a PRTB/CRTB is created with the userPrincipalId set, we will ultimately need to ensure that the user exists in rancher. This is done in a controller, which does not have access to the principals API. So, set the principal's display name as an annotation on the RTB during the API request (where we do have access to the principals API) so that it can be used to ensure the user in the controller.
-
- 05 Mar, 2018 14 commits
-
Craig Jellick authored
Kubernetes is case-sensitive for role rules. This change ensures verbs and resources are all lowercase when syncing a roleTemplate.
-
Alena Prokharchyk authored
Vendor bump
-
Craig Jellick authored
-
Alena Prokharchyk authored
Workload ports update fix
-
moelsayed authored
-
Alena Prokharchyk authored
-
Craig Jellick authored
-
Nathan Jenan authored
-
Craig Jellick authored
So, for example, an RBAC rule for statefulsets is properly recognized as authorizing statefulSets.
-
Darren Shepherd authored
-
Craig Jellick authored
This change adds a status condition to namespace that indicates its initial roles have been populated from rancher. Namespaces do not natively support adding conditions. This change puts a status type object into an annotation so that we can control the rancher state.
-
Darren Shepherd authored
-
Darren Shepherd authored
-
Alena Prokharchyk authored
Pipeline additional options
-
- 04 Mar, 2018 13 commits
-
gitlawr authored
support reuse global github config when enabling pipeline
add option to run specific branch
fix missing triggerUser when manually run
add pipeline validator
fix webhook/cron updates on pipeline updates
-
Daishan Peng authored
-
galal-hussein authored
-
Darren Shepherd authored
-
Darren Shepherd authored
-
Alena Prokharchyk authored
-
Darren Shepherd authored
-
Darren Shepherd authored
-
Darren Shepherd authored
-
Craig Jellick authored
When in restricted access mode, if a user belongs to a group that has been assigned to a project or cluster, allow that user to log in.
-
Darren Shepherd authored
-
Darren Shepherd authored
-
Darren Shepherd authored
-
- 03 Mar, 2018 9 commits
-
galal-hussein authored
-
zionwu authored
-
Murali Paluru authored
-
Nathan Jenan authored
This fixes 3 issues:
1) When the project handler runs, it doesn't enqueue the correct service accounts to be resynced. The namespace handler picks up the slack most of the time, but generally not when a cluster is created with a PSPT attached, so clusterroles and rolebindings can fail to be created.
2) Changed logic in the project handler so a pod security policy did not need to be retrieved immediately after being created (sometimes causes errors if the cache(?) hasn't synced yet)
3) Optimized the namespace handler so it only syncs service accounts in its own namespace and not enqueuing all of them
4) Changed confusing cluster.Namespace (which resolved to "" all namespaces) to "" explicitly.
Issue: https://github.com/rancher/rancher/issues/11622
-
Alena Prokharchyk authored
-
Darren Shepherd authored
-
Darren Shepherd authored
-
Alena Prokharchyk authored
remove scheme from zookeeper config
-
Aiwantaozi authored