Skip to content

[user-authz] Allow project-scoped roles to access Cluster-wide objects #16896

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nabokihms merged 2 commits into from
Dec 8, 2025
Merged

[user-authz] Allow project-scoped roles to access Cluster-wide objects #16896

nabokihms merged 2 commits into from
Dec 8, 2025

Conversation

@mvasl
Copy link
Member

@mvasl mvasl commented Dec 5, 2025
edited
Loading

Description

Allowed dict binding hook to bind d8:use:dict to project-scoped roles

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: user-authz
type: fix
summary: Allow project-scoped roles to access Cluster-wide objects
impact_level: default

@mvasl mvasl self-assigned this Dec 5, 2025
@github-actions github-actions bot added area/auth Pull requests that update auth modules go Pull requests that update Go code labels Dec 5, 2025
@mvasl mvasl added this to the v1.74.1 milestone Dec 5, 2025
@mvasl mvasl added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Dec 5, 2025
@deckhouse-BOaTswain
Copy link
Collaborator

deckhouse-BOaTswain commented Dec 5, 2025
edited
Loading

🟢 e2e: Yandex.Cloud for deckhouse:project-roles-access-to-dicts succeeded in 53m20s.

Workflow details

Yandex.Cloud-WithoutNAT-Containerd-1.32 - Connection string: ssh redos@51.250.11.177

🟢 e2e: Yandex.Cloud, Containerd, Kubernetes 1.32 succeeded in 51m33s.

@github-actions github-actions bot removed the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Dec 5, 2025
@mvasl
[user-authz] Allow project-scoped roles to access Cluster-wide objects
1fcea5e 
Signed-off-by: Maxim Vasilenko <maksim.vasilenko@flant.com>
@mvasl mvasl force-pushed the project-roles-access-to-dicts branch from ff57c45 to 1fcea5e Compare December 5, 2025 23:27
@mvasl
Copy link
Member Author

mvasl commented Dec 8, 2025
edited
Loading

Manual testing: user perm@d8.io is assigned as Admin for perm-test project, has access to global Certificates list now.
Снимок экрана 2025-12-08 в 12 28 38
Снимок экрана 2025-12-08 в 12 29 42
image
image

@mvasl mvasl marked this pull request as ready for review December 8, 2025 09:35
@mvasl mvasl requested a review from nabokihms as a code owner December 8, 2025 09:35
@mvasl mvasl force-pushed the project-roles-access-to-dicts branch from 863966f to e70caad Compare December 8, 2025 10:37
@mvasl
++
de82a4f 
Signed-off-by: Maxim Vasilenko <maksim.vasilenko@flant.com>
@mvasl mvasl force-pushed the project-roles-access-to-dicts branch from e70caad to de82a4f Compare December 8, 2025 13:57
@nabokihms nabokihms merged commit 21b2edc into main Dec 8, 2025
57 of 59 checks passed
@nabokihms nabokihms deleted the project-roles-access-to-dicts branch December 8, 2025 15:01
@nabokihms nabokihms added the status/backport Cherry-pick PR to the release branch from the Milestone label Dec 8, 2025
@deckhouse-BOaTswain deckhouse-BOaTswain mentioned this pull request Dec 8, 2025
Merged
github-actions bot pushed a commit that referenced this pull request Dec 8, 2025
@mvasl @nabokihms
[user-authz] Allow project-scoped roles to access Cluster-wide objects (
58b58ea 
#16896)

Signed-off-by: Maxim Vasilenko <maksim.vasilenko@flant.com>
deckhouse-BOaTswain added a commit that referenced this pull request Dec 8, 2025
@deckhouse-BOaTswain @mvasl
[user-authz] Allow project-scoped roles to access Cluster-wide objects (
3fb1b39 
#16896) (#16921)

Signed-off-by: Maxim Vasilenko <maksim.vasilenko@flant.com>
Co-authored-by: Maxim Vasilenko <5184586+mvasl@users.noreply.github.com>
@deckhouse-BOaTswain deckhouse-BOaTswain added status/backport/success and removed status/backport Cherry-pick PR to the release branch from the Milestone labels Dec 8, 2025
@deckhouse-BOaTswain
Copy link
Collaborator

deckhouse-BOaTswain commented Dec 8, 2025

Cherry pick PR 16921 to the branch release-1.74 successful!

@deckhouse-BOaTswain deckhouse-BOaTswain mentioned this pull request Dec 23, 2025
Merged
@shvgn shvgn mentioned this pull request Dec 30, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nabokihms nabokihms nabokihms approved these changes

Assignees

@mvasl mvasl

Labels

area/auth Pull requests that update auth modules go Pull requests that update Go code status/backport/success

Projects

None yet

Milestone

v1.74.1

Development

Successfully merging this pull request may close these issues.

4 participants

@mvasl @deckhouse-BOaTswain @nabokihms