fix: auto create workspace manager rolebinding
Signed-off-by: hongming <talonwan@yunify.com>
@@ -67,6 +67,7 @@ const (
|
|||||||
ScopeNamespace = "namespace"
|
ScopeNamespace = "namespace"
|
||||||
PlatformAdmin = "platform-admin"
|
PlatformAdmin = "platform-admin"
|
||||||
NamespaceAdmin = "admin"
|
NamespaceAdmin = "admin"
|
||||||
|
WorkspaceAdminFormat = "%s-admin"
|
||||||
ClusterAdmin = "cluster-admin"
|
ClusterAdmin = "cluster-admin"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|||||||
@@ -21,6 +21,7 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
rbacv1 "k8s.io/api/rbac/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||||
@@ -253,6 +254,11 @@ func (c *Controller) reconcile(key string) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err = c.initManagerRoleBinding(workspaceTemplate); err != nil {
|
||||||
|
klog.Error(err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
if c.multiClusterEnabled {
|
if c.multiClusterEnabled {
|
||||||
if err = c.multiClusterSync(workspaceTemplate); err != nil {
|
if err = c.multiClusterSync(workspaceTemplate); err != nil {
|
||||||
klog.Error(err)
|
klog.Error(err)
|
||||||
@@ -492,3 +498,39 @@ func (r *Controller) initRoles(workspace *tenantv1alpha2.WorkspaceTemplate) erro
|
|||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (r *Controller) initManagerRoleBinding(workspace *tenantv1alpha2.WorkspaceTemplate) error {
|
||||||
|
if manager := workspace.Spec.Manager; manager != "" {
|
||||||
|
|
||||||
|
workspaceAdminRoleName := fmt.Sprintf(iamv1alpha2.WorkspaceAdminFormat, workspace.Name)
|
||||||
|
|
||||||
|
managerRoleBinding := &iamv1alpha2.WorkspaceRoleBinding{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: fmt.Sprintf("%s-%s", manager, workspaceAdminRoleName),
|
||||||
|
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: workspace.Name},
|
||||||
|
},
|
||||||
|
RoleRef: rbacv1.RoleRef{
|
||||||
|
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
|
||||||
|
Kind: iamv1alpha2.ResourceKindWorkspaceRole,
|
||||||
|
Name: workspaceAdminRoleName,
|
||||||
|
},
|
||||||
|
Subjects: []rbacv1.Subject{
|
||||||
|
{
|
||||||
|
Name: manager,
|
||||||
|
Kind: iamv1alpha2.ResourceKindUser,
|
||||||
|
APIGroup: rbacv1.GroupName,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
_, err := r.ksClient.IamV1alpha2().WorkspaceRoleBindings().Create(managerRoleBinding)
|
||||||
|
if err != nil {
|
||||||
|
if errors.IsAlreadyExists(err) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
klog.Error(err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|||||||
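Review bot: initManagerRoleBinding only ever creates a binding, so when `Spec.Manager` is changed or cleared, the previous manager's `<workspace>-admin` WorkspaceRoleBinding stays in place and that user keeps workspace-admin rights; nothing in the visible hunks revokes it, and no owner reference is set, so cleanup on workspace deletion presumably depends on the workspace label being handled elsewhere. The `errors.IsAlreadyExists` branch also returns nil without reading the existing object. Because the name is built as `fmt.Sprintf("%s-%s", manager, workspaceAdminRoleName)`, two different user/workspace pairs can yield the same name (user `a` with workspace `b-c`, and user `a-b` with workspace `c`), in which case the new manager is silently left without a binding. I would fetch the existing binding on AlreadyExists and compare its `RoleRef` and `Subjects` with the desired ones, and mark auto-created bindings so a later reconcile can delete the one belonging to a replaced manager. Smaller point: the error is logged with `klog.Error(err)` both here and again in reconcile, so one of the two calls can go.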