fix: remove the incorrect RBAC rule merging logic (#6209)

Signed-off-by: hongming <coder.scala@gmail.com>
2024-09-26 16:13:18 +08:00
parent e50de15ec9
commit 083927137d
5 changed files with 11 additions and 8 deletions
--- a/pkg/componenthelper/auth/rbac/helper.go
+++ b/pkg/componenthelper/auth/rbac/helper.go
@@ -157,8 +157,7 @@ func (h *Helper) AggregationRole(ctx context.Context, ruleOwner RuleOwner, recor
 	if !cover {
 		needUpdate = true
 		newRule := append(ruleOwner.GetRules(), uncovered...)
-		squashedRules := SquashRules(len(newRule), newRule)
-		ruleOwner.SetRules(squashedRules)
+		ruleOwner.SetRules(newRule)
 	}

 	if !templateNamesEqual {
--- a/pkg/componenthelper/auth/rbac/policy_comparator.go
+++ b/pkg/componenthelper/auth/rbac/policy_comparator.go
@@ -149,7 +149,8 @@ func ruleCovers(ownerRule, subRule rbacv1.PolicyRule) bool {
 	verbMatches := has(ownerRule.Verbs, rbacv1.VerbAll) || hasAll(ownerRule.Verbs, subRule.Verbs)
 	groupMatches := has(ownerRule.APIGroups, rbacv1.APIGroupAll) || hasAll(ownerRule.APIGroups, subRule.APIGroups)
 	resourceMatches := resourceCoversAll(ownerRule.Resources, subRule.Resources)
-	nonResourceURLMatches := nonResourceURLsCoversAll(ownerRule.NonResourceURLs, subRule.NonResourceURLs)
+	nonResourceURLMatches := (len(ownerRule.NonResourceURLs) == 0 && len(subRule.NonResourceURLs) == 0) || (len(ownerRule.Resources) == 0 &&
+		len(subRule.Resources) == 0 && nonResourceURLsCoversAll(ownerRule.NonResourceURLs, subRule.NonResourceURLs))

 	resourceNameMatches := false

--- a/pkg/controller/namespace/namespace_controller.go
+++ b/pkg/controller/namespace/namespace_controller.go
@@ -140,7 +140,7 @@ func (r *Reconciler) reconcileWorkspaceOwnerReference(ctx context.Context, names
 		return nil
 	}

-	if !metav1.IsControlledBy(namespace, workspace) {
+	if !metav1.IsControlledBy(namespace, workspace) && namespace.Labels[constants.KubeSphereManagedLabel] == "true" {
 		namespace = namespace.DeepCopy()
 		if err := controllerutil.SetControllerReference(workspace, namespace, scheme.Scheme); err != nil {
 			return err
--- a/pkg/controller/namespace/namespace_controller_test.go
+++ b/pkg/controller/namespace/namespace_controller_test.go
@@ -42,8 +42,11 @@ var _ = Describe("Namespace", func() {
 		It("Should create successfully", func() {
 			namespace := &corev1.Namespace{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:   "test-namespace",
-					Labels: map[string]string{tenantv1beta1.WorkspaceLabel: workspace.Name},
+					Name: "test-namespace",
+					Labels: map[string]string{
+						tenantv1beta1.WorkspaceLabel:     workspace.Name,
+						constants.KubeSphereManagedLabel: "true",
+					},
 				},
 			}

--- a/pkg/controller/role/role_controller.go
+++ b/pkg/controller/role/role_controller.go
@@ -96,9 +96,9 @@ func (r *Reconciler) syncToKubernetes(ctx context.Context, role *iamv1beta1.Role
 	})

 	if err != nil {
-		r.logger.Error(err, "sync role failed", "role", role.Name)
+		r.logger.Error(err, "sync role failed", "namespace", role.Namespace, "role", role.Name)
 	}

-	r.logger.V(4).Info("sync role to K8s", "role", role.Name, "op", op)
+	r.logger.V(4).Info("sync role to K8s", "namespace", role.Namespace, "role", role.Name, "op", op)
 	return nil
 }