✨ Implement RulesFor for GlobalAuthorizer and LocalAuthorizer to enable SelfSubjectRulesReview

[embik]

Summary

This PR implements the stub RulesFor methods for both GlobalAuthorizer and LocalAuthorizer to enable usage of the SelfSubjectRulesReview API. I'll be completely honest, this felt "too easy", so I hope I'm doing the correct thing here. Output of kubectl auth can-i --list looked sensible to me.

Basically, I've aligned the way both the global and the local authorizer generate their cluster-specific authorizer and just called RulesFor on the scoped authorizer created from it. After PR review, I've also added two e2e test cases that make sure that the SelfSubjectRulesReview API gives expected responses.

On a minor note, this PR cleans up the OWNERS file because it's from the before times (unless we want to keep access to this package limited, which might be fair).

Related issue(s)

Fixes #1924

Release Notes

Implement `SelfSubjectRulesReview` API, enabling usage of e.g. `kubectl auth can-i --list`

[sttts]

these were intentional I believe to ensure the informers are started. If you move them into the hot path, the Lister() call might come to late after the shared informer factory has been started. Creates ugly races.

[mjudeikis]

code comment would be good if this is the case

[embik]

Yeah, let me bring this back and add a note. I wasn't aware of this and thought they were just written at different times and there was room to unify the code.

[embik]

I'll do a little PR history search to see if I can find some additional context.

[sttts]

we do similar things in the controllers. They all store listers in their struct to enforce creation of the informers at constructor time.

[embik]

Deleted my previous comment by mistake. I copied this pattern over from the GlobalAuthorizer, which also takes SharedInformerFactory input parameters. Should we adjust that one as well, or is there something special with it that will prevent those races mentioned?

[embik]

@sttts @mjudeikis ready for re-review.

[embik]

/retest

looks like flakes ...? Let's see. Tests are not related I think, but maybe I broke something.

[sttts]

nit: globalRoles

Would be less noisy.

[embik]

I tried to keep it consistent with LocalAuthorizer, which looks like this:

a := &LocalAuthorizer{
    // listers are saved in the struct here to ensure that informers are started and we do not encounter race conditions with them.
    roleLister:               versionedInformers.Rbac().V1().Roles().Lister(),
    roleBindingLister:        versionedInformers.Rbac().V1().RoleBindings().Lister(),
    clusterRoleLister:        versionedInformers.Rbac().V1().ClusterRoles().Lister(),
    clusterRoleBindingLister: versionedInformers.Rbac().V1().ClusterRoleBindings().Lister(),
}

[sttts]

nit: are instantiated early and ... with starting them

[embik]

Much clearer, thanks. Updated the comments.

[sttts]

Some nits.

/lgtm
/approve
/hold

if you want to address the nits.

[kcp-ci-bot]

LGTM label has been added.

Git tree hash: f0636f9bf7e16fa0a836af78aa11003cf66051b8

[kcp-ci-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/authorization/OWNERS [sttts]
• test/OWNERS [sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[embik]

/hold cancel

Addressed comment nit. I'm not 100% sure how to proceed with the lister fields, but from my perspective it's okay, so this can go in with an lgtm.

[sttts]

/lgtm

[kcp-ci-bot]

LGTM label has been added.

Git tree hash: 7b33ee050e76409f80b7eff394e2ae23daa6a498