Merge pull request #268 from maxsokolovsky/document-prtb-validation

Document PRTB validation

docs.md

@@ -127,24 +127,34 @@ This admission webhook prevents the disabling or deletion of a NodeDriver if the
 
 #### Escalation Prevention
 
-Users can only create/update ProjectRoleTemplateBindings with rights less than or equal to those they currently possess. This is to prevent privilege escalation. 
+Users can only create/update ProjectRoleTemplateBindings with rights less than or equal to those they currently possess.
+This is to prevent privilege escalation.
 
 #### Invalid Fields - Create
 
-Users cannot create ProjectRoleTemplateBindings which violate the following constraints:
-- Either a user subject (through `UserName` or `UserPrincipalName`) or a group subject (through `GroupName` or `GroupPrincipalName`) must be specified; both a user subject and a group subject cannot be specified
+Users cannot create ProjectRoleTemplateBindings that violate the following constraints:
+
+- Either a user subject (through `UserName` or `UserPrincipalName`), or a group subject (through `GroupName`
+  or `GroupPrincipalName`), or a service account subject (through `ServiceAccount`) must be specified. Exactly one
+  subject type of the three must be provided.
 - `ProjectName` must be specified
 - The roleTemplate indicated in `RoleTemplateName` must be:
-  - Valid (i.e. is an existing `roleTemplate` object in the `management.cattle.io/v3` API group)
-  - Not locked (i.e. `roleTemplate.Locked` must be `false`)
+    - Provided as a non-empty value
+    - Valid (there must exist a `roleTemplate` object of given name in the `management.cattle.io/v3` API group)
+    - Not locked (`roleTemplate.Locked` must be `false`)
+    - Associated with its appropriate context (`roleTemplate.Context` must be equal to "project")
 
 #### Invalid Fields - Update
 
 Users cannot update the following fields after creation:
+
 - RoleTemplateName
 - ProjectName
+- ServiceAccount
+
+Users can update the following fields if they had not been set. But after getting initial values, the fields cannot be
+changed:
 
-Users can update the following fields if they have not been set, but after they have been set, they cannot be changed:
 - UserName
 - UserPrincipalName
 - GroupName

pkg/resources/management.cattle.io/v3/projectroletemplatebinding/ProjectRoleTemplateBinding.md

@@ -2,24 +2,34 @@
 
 ### Escalation Prevention
 
-Users can only create/update ProjectRoleTemplateBindings with rights less than or equal to those they currently possess. This is to prevent privilege escalation. 
+Users can only create/update ProjectRoleTemplateBindings with rights less than or equal to those they currently possess.
+This is to prevent privilege escalation.
 
 ### Invalid Fields - Create
 
-Users cannot create ProjectRoleTemplateBindings which violate the following constraints:
-- Either a user subject (through `UserName` or `UserPrincipalName`) or a group subject (through `GroupName` or `GroupPrincipalName`) must be specified; both a user subject and a group subject cannot be specified
+Users cannot create ProjectRoleTemplateBindings that violate the following constraints:
+
+- Either a user subject (through `UserName` or `UserPrincipalName`), or a group subject (through `GroupName`
+  or `GroupPrincipalName`), or a service account subject (through `ServiceAccount`) must be specified. Exactly one
+  subject type of the three must be provided.
 - `ProjectName` must be specified
 - The roleTemplate indicated in `RoleTemplateName` must be:
-  - Valid (i.e. is an existing `roleTemplate` object in the `management.cattle.io/v3` API group)
-  - Not locked (i.e. `roleTemplate.Locked` must be `false`)
+    - Provided as a non-empty value
+    - Valid (there must exist a `roleTemplate` object of given name in the `management.cattle.io/v3` API group)
+    - Not locked (`roleTemplate.Locked` must be `false`)
+    - Associated with its appropriate context (`roleTemplate.Context` must be equal to "project")
 
 ### Invalid Fields - Update
 
 Users cannot update the following fields after creation:
+
 - RoleTemplateName
 - ProjectName
+- ServiceAccount
+
+Users can update the following fields if they had not been set. But after getting initial values, the fields cannot be
+changed:
 
-Users can update the following fields if they have not been set, but after they have been set, they cannot be changed:
 - UserName
 - UserPrincipalName
 - GroupName

scripts/validate-ci

@@ -18,6 +18,7 @@ source ./scripts/version
 
 if [ -n "$DIRTY" ]; then
     echo Git is dirty
+    echo "You may need to run 'go generate' to re-generate the docs."
     git status
     git --no-pager diff
     exit 1