admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial role differentiation of DevOps project and namespace

Browse Source 
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-07-31 12:22:17 +08:00
parent 74533cb533
commit 03e7987655
3 changed files with 15 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/apis/iam/v1alpha2/types.go
View File

@@ -60,6 +60,7 @@ const (
ClusterRoleAnnotation = "iam.kubesphere.io/clusterrole" ClusterRoleAnnotation = "iam.kubesphere.io/clusterrole"
RoleAnnotation = "iam.kubesphere.io/role" RoleAnnotation = "iam.kubesphere.io/role"
RoleTemplateLabel = "iam.kubesphere.io/role-template" RoleTemplateLabel = "iam.kubesphere.io/role-template"
ScopeLabelFormat = "scope.kubesphere.io/%s"
UserReferenceLabel = "iam.kubesphere.io/user-ref" UserReferenceLabel = "iam.kubesphere.io/user-ref"
IdentifyProviderLabel = "iam.kubesphere.io/identify-provider" IdentifyProviderLabel = "iam.kubesphere.io/identify-provider"
PasswordEncryptedAnnotation = "iam.kubesphere.io/password-encrypted" PasswordEncryptedAnnotation = "iam.kubesphere.io/password-encrypted"
@@ -68,6 +69,7 @@ const (
ScopeWorkspace = "workspace" ScopeWorkspace = "workspace"
ScopeCluster = "cluster" ScopeCluster = "cluster"
ScopeNamespace = "namespace" ScopeNamespace = "namespace"
ScopeDevOps = "devops"
PlatformAdmin = "platform-admin" PlatformAdmin = "platform-admin"
NamespaceAdmin = "admin" NamespaceAdmin = "admin"
WorkspaceAdminFormat = "%s-admin" WorkspaceAdminFormat = "%s-admin"

14
pkg/controller/namespace/namespace_controller.go
View File

@@ -25,6 +25,7 @@ import (
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/yaml" "k8s.io/apimachinery/pkg/util/yaml"
@@ -206,7 +207,6 @@ func (r *ReconcileNamespace) bindWorkspace(namespace *corev1.Namespace) error {
func (r *ReconcileNamespace) deleteRouter(namespace string) error { func (r *ReconcileNamespace) deleteRouter(namespace string) error {
routerName := constants.IngressControllerPrefix + namespace routerName := constants.IngressControllerPrefix + namespace
// delete service first // delete service first
found := corev1.Service{} found := corev1.Service{}
err := r.Get(context.TODO(), types.NamespacedName{Namespace: constants.IngressControllerNamespace, Name: routerName}, &found) err := r.Get(context.TODO(), types.NamespacedName{Namespace: constants.IngressControllerNamespace, Name: routerName}, &found)
@@ -246,7 +246,16 @@ func (r *ReconcileNamespace) deleteRouter(namespace string) error {
func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error { func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error {
var roleBases iamv1alpha2.RoleBaseList var roleBases iamv1alpha2.RoleBaseList
err := r.List(context.Background(), &roleBases) var labelKey string
// filtering initial roles by label
if namespace.Labels[constants.DevOpsProjectLabelKey] != "" {
// scope.kubesphere.io/devops: ""
labelKey = fmt.Sprintf(iamv1alpha2.ScopeLabelFormat, iamv1alpha2.ScopeDevOps)
} else {
// scope.kubesphere.io/namespace: ""
labelKey = fmt.Sprintf(iamv1alpha2.ScopeLabelFormat, iamv1alpha2.ScopeNamespace)
}
err := r.List(context.Background(), &roleBases, client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labels.Set{labelKey: ""})})
if err != nil { if err != nil {
klog.Error(err) klog.Error(err)
return err return err
@@ -254,7 +263,6 @@ func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error {
for _, roleBase := range roleBases.Items { for _, roleBase := range roleBases.Items {
var role rbacv1.Role var role rbacv1.Role
if err = yaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(roleBase.Role.Raw), 1024).Decode(&role); err == nil && role.Kind == iamv1alpha2.ResourceKindRole { if err = yaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(roleBase.Role.Raw), 1024).Decode(&role); err == nil && role.Kind == iamv1alpha2.ResourceKindRole {
var old rbacv1.Role var old rbacv1.Role
err := r.Client.Get(context.Background(), types.NamespacedName{Namespace: namespace.Name, Name: role.Name}, &old) err := r.Client.Get(context.Background(), types.NamespacedName{Namespace: namespace.Name, Name: role.Name}, &old)

6
pkg/models/resources/v1alpha3/role/roles.go
View File

@@ -105,18 +105,16 @@ func (d *rolesGetter) fetchAggregationRoles(namespace, name string) ([]*rbacv1.R
if annotation := obj.(*rbacv1.Role).Annotations[iamv1alpha2.AggregationRolesAnnotation]; annotation != "" { if annotation := obj.(*rbacv1.Role).Annotations[iamv1alpha2.AggregationRolesAnnotation]; annotation != "" {
var roleNames []string var roleNames []string
if err = json.Unmarshal([]byte(annotation), &roleNames); err == nil { if err = json.Unmarshal([]byte(annotation), &roleNames); err == nil {
for _, roleName := range roleNames { for _, roleName := range roleNames {
role, err := d.Get(namespace, roleName) role, err := d.Get(namespace, roleName)
if err != nil { if err != nil {
if errors.IsNotFound(err) { if errors.IsNotFound(err) {
klog.Warningf("invalid aggregation role found: %s, %s", name, roleName) klog.V(6).Infof("invalid aggregation role found: %s, %s", name, roleName)
continue continue
} }
klog.Error(err)
return nil, err return nil, err
} }
roles = append(roles, role.(*rbacv1.Role)) roles = append(roles, role.(*rbacv1.Role))
} }
} }