fix up the delegation logic

Author: deads2k

hack/local-up-master/kube-apiserver-manifests/01_role_binding_restriction_crd.yaml

@@ -11,7 +11,7 @@ spec:
     singular: rolebindingrestriction
   subresources:
     status: {}
-  scope: Cluster
+  scope: Namespaced
   versions:
   - name: v1
     served: true
@@ -46,12 +46,14 @@ spec:
                   items:
                     type: string
                   type: array
+                  nullable: true
                 labels:
                   description: Selectors specifies a list of label selectors over
                     group labels.
                   items:
                     type: object
                   type: array
+                  nullable: true
               type: object
             serviceaccountrestriction:
               description: ServiceAccountRestriction matches against service-account
@@ -90,12 +92,14 @@ spec:
                   items:
                     type: string
                   type: array
+                  nullable: true
                 labels:
                   description: Selectors specifies a list of label selectors over
                     user labels.
                   items:
                     type: object
                   type: array
+                  nullable: true
                 users:
                   description: Users specifies a list of literal user names.
                   items:

pkg/admission/customresourcevalidation/rolebindingrestriction/validate_rbr.go

@@ -56,7 +56,7 @@ func (roleBindingRestrictionV1) ValidateCreate(obj runtime.Object) field.ErrorLi
 		return errs
 	}
 
-	errs = append(errs, validation.ValidateObjectMeta(&roleBindingRestrictionObj.ObjectMeta, false, validation.NameIsDNSSubdomain, field.NewPath("metadata"))...)
+	errs = append(errs, validation.ValidateObjectMeta(&roleBindingRestrictionObj.ObjectMeta, true, validation.NameIsDNSSubdomain, field.NewPath("metadata"))...)
 	errs = append(errs, rbrvalidation.ValidateRoleBindingRestriction(roleBindingRestrictionObj)...)
 
 	return errs
@@ -72,7 +72,7 @@ func (roleBindingRestrictionV1) ValidateUpdate(obj runtime.Object, oldObj runtim
 		return errs
 	}
 
-	errs = append(errs, validation.ValidateObjectMeta(&roleBindingRestrictionObj.ObjectMeta, false, validation.NameIsDNSSubdomain, field.NewPath("metadata"))...)
+	errs = append(errs, validation.ValidateObjectMeta(&roleBindingRestrictionObj.ObjectMeta, true, validation.NameIsDNSSubdomain, field.NewPath("metadata"))...)
 	errs = append(errs, rbrvalidation.ValidateRoleBindingRestrictionUpdate(roleBindingRestrictionObj, roleBindingRestrictionOldObj)...)
 
 	return errs

pkg/cmd/openshift-kube-apiserver/server.go

@@ -26,6 +26,7 @@ func RunOpenShiftKubeAPIServerServer(kubeAPIServerConfig *kubecontrolplanev1.Kub
 	apiserver.AddAlwaysLocalDelegateForPrefix("/apis/quota.openshift.io/v1/clusterresourcequotas")
 	apiserver.AddAlwaysLocalDelegateForPrefix("/apis/security.openshift.io/v1/securitycontextconstraints")
 	apiserver.AddAlwaysLocalDelegateForPrefix("/apis/authorization.openshift.io/v1/rolebindingrestrictions")
+	apiserver.AddAlwaysLocalDelegateGroupResource(schema.GroupResource{Group: "authorization.openshift.io", Resource: "rolebindingrestrictions"})
 
 	// This allows the CRD registration to avoid fighting with the APIService from the operator
 	apiserver.AddOverlappingGroupVersion(schema.GroupVersion{Group: "authorization.openshift.io", Version: "v1"})