Merge pull request #1989 from wansir/dev

add iam crd

config/crds/iam.kubesphere.io_policyrules.yaml

@@ -0,0 +1,58 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: policyrules.iam.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .scope
+    name: Scope
+    type: string
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: PolicyRule
+    listKind: PolicyRuleList
+    plural: policyrules
+    singular: policyrule
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        rego:
+          type: string
+        scope:
+          type: string
+      required:
+      - rego
+      - scope
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_rolebindings.yaml

@@ -0,0 +1,104 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: rolebindings.iam.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .scope
+    name: Scope
+    type: string
+  - JSONPath: .roleRef.name
+    name: RoleRef
+    type: string
+  - JSONPath: .subjects[*].name
+    name: Subjects
+    type: string
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: RoleBinding
+    listKind: RoleBindingList
+    plural: rolebindings
+    singular: rolebinding
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      description: RoleBinding is the Schema for the rolebindings API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        roleRef:
+          description: RoleRef contains information that points to the role being
+            used
+          properties:
+            apiGroup:
+              description: APIGroup is the group for the resource being referenced
+              type: string
+            kind:
+              description: Kind is the type of resource being referenced
+              type: string
+            name:
+              description: Name is the name of resource being referenced
+              type: string
+          required:
+          - apiGroup
+          - kind
+          - name
+          type: object
+        scope:
+          type: string
+        subjects:
+          description: Subjects holds references to the users the role applies to.
+          items:
+            description: or a value for non-objects such as user and group names.
+            properties:
+              apiGroup:
+                description: APIGroup holds the API group of the referenced subject.
+                type: string
+              kind:
+                description: Kind of object being referenced. Values defined by this
+                  API group are "User", "Group", and "ServiceAccount". If the Authorizer
+                  does not recognized the kind value, the Authorizer should report
+                  an error.
+                type: string
+              name:
+                description: Name of the object being referenced.
+                type: string
+            required:
+            - apiGroup
+            - kind
+            - name
+            type: object
+          type: array
+      required:
+      - roleRef
+      - scope
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crds/iam.kubesphere.io_roles.yaml

@@ -0,0 +1,87 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: roles.iam.kubesphere.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .target.scope
+    name: Scope
+    type: string
+  - JSONPath: .target.name
+    name: Target
+    type: string
+  group: iam.kubesphere.io
+  names:
+    categories:
+    - iam
+    kind: Role
+    listKind: RoleList
+    plural: roles
+    singular: role
+  scope: Cluster
+  subresources: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        rules:
+          items:
+            description: RuleRef contains information that points to the role being
+              used
+            properties:
+              apiGroup:
+                description: APIGroup is the group for the resource being referenced
+                type: string
+              kind:
+                description: Kind is the type of resource being referenced
+                type: string
+              name:
+                description: Name is the name of resource being referenced
+                type: string
+            required:
+            - apiGroup
+            - kind
+            - name
+            type: object
+          type: array
+        target:
+          properties:
+            name:
+              type: string
+            scope:
+              type: string
+          required:
+          - name
+          - scope
+          type: object
+      required:
+      - rules
+      - target
+      type: object
+  version: v1alpha2
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/samples/iam_v1alpha2_policyrule.yaml

@@ -0,0 +1,55 @@
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: PolicyRule
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: always-allow
+scope: Global
+rego: 'package authz\ndefault allow = true'
+
+---
+
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: PolicyRule
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: always-deny
+scope: Global
+rego: ｜
+  package authz
+  default allow = false
+
+---
+
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: PolicyRule
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: cluster-manage
+scope: Global
+rego: ｜
+  package authz
+  default allow = false
+  allow {
+    input.Resource == 'clusters'
+  }
+
+---
+
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: PolicyRule
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: some-namespace-manage
+scope: Namespace
+rego: ｜
+  package authz
+  default allow = false
+  allow {
+  input.Resource == 'clusters'
+  }
+
+

config/samples/iam_v1alpha2_role.yaml

@@ -0,0 +1,30 @@
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: Role
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: cluster-admin
+target:
+  scope: Global
+  name: ''
+rules:
+  - apiGroup: iam.kubesphere.io/v1alpha2
+    kind: PolicyRule
+    name: always-allow
+
+---
+
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: Role
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: anonymous
+target:
+  scope: Global
+  name: ''
+rules:
+  - apiGroup: iam.kubesphere.io/v1alpha2
+    kind: PolicyRule
+    name: always-deny
+

config/samples/iam_v1alpha2_rolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: iam.kubesphere.io/v1alpha2
+kind: RoleBinding
+metadata:
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: cluster-admin
+scope: Global
+roleRef:
+  apiGroup: iam.kubesphere.io/v1alpha2
+  kind: Role
+  name: cluster-admin
+subjects:
+  - apiGroup: iam.kubesphere.io/v1alpha2
+    kind: User
+    name: admin

config/samples/iam_v1alpha2_user.yaml

@@ -6,4 +6,4 @@ metadata:
   name: admin
 spec:
   email: admin@kubesphere.io
-  password: d41d8cd98f00b204e9800998ecf8427e
+  password: $2a$04$wr/XmTQ99uQpgi335xPyoOM08h34ZQk265pdqHMv5Yw6Xo2vfiO/6

config/webhook/iam.yaml

@@ -0,0 +1,55 @@
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: kubesphere-iam-validator
+webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+    clientConfig:
+      caBundle: <caBundle>
+      service:
+        name: webhook-service
+        namespace: kubesphere-system
+        path: /validate-email-iam-kubesphere-io-v1alpha2-user
+    failurePolicy: Fail
+    name: vemail.iam.kubesphere.io
+    rules:
+      - apiGroups:
+          - iam.kubesphere.io
+        apiVersions:
+          - v1alpha2
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - users
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: kubesphere-iam-injector
+webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+    clientConfig:
+      caBundle: <caBundle>
+      service:
+        name: webhook-service
+        namespace: kubesphere-system
+        path: /mutating-encrypt-password-iam-kubesphere-io-v1alpha2-user
+    failurePolicy: Fail
+    name: mpassword.iam.kubesphere.io
+    reinvocationPolicy: Never
+    rules:
+      - apiGroups:
+          - iam.kubesphere.io
+        apiVersions:
+          - v1alpha2
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - users