Merge pull request #2719 from wansir/rolebase
initial role differentiation of DevOps project and namespace
@@ -60,6 +60,7 @@ const (
|
||||
ClusterRoleAnnotation = "iam.kubesphere.io/clusterrole"
|
||||
RoleAnnotation = "iam.kubesphere.io/role"
|
||||
RoleTemplateLabel = "iam.kubesphere.io/role-template"
|
||||
ScopeLabelFormat = "scope.kubesphere.io/%s"
|
||||
UserReferenceLabel = "iam.kubesphere.io/user-ref"
|
||||
IdentifyProviderLabel = "iam.kubesphere.io/identify-provider"
|
||||
PasswordEncryptedAnnotation = "iam.kubesphere.io/password-encrypted"
|
||||
@@ -68,6 +69,7 @@ const (
|
||||
ScopeWorkspace = "workspace"
|
||||
ScopeCluster = "cluster"
|
||||
ScopeNamespace = "namespace"
|
||||
ScopeDevOps = "devops"
|
||||
PlatformAdmin = "platform-admin"
|
||||
NamespaceAdmin = "admin"
|
||||
WorkspaceAdminFormat = "%s-admin"
|
||||
|
||||
@@ -25,6 +25,7 @@ import (
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/yaml"
|
||||
@@ -206,7 +207,6 @@ func (r *ReconcileNamespace) bindWorkspace(namespace *corev1.Namespace) error {
|
||||
|
||||
func (r *ReconcileNamespace) deleteRouter(namespace string) error {
|
||||
routerName := constants.IngressControllerPrefix + namespace
|
||||
|
||||
// delete service first
|
||||
found := corev1.Service{}
|
||||
err := r.Get(context.TODO(), types.NamespacedName{Namespace: constants.IngressControllerNamespace, Name: routerName}, &found)
|
||||
@@ -246,7 +246,16 @@ func (r *ReconcileNamespace) deleteRouter(namespace string) error {
|
||||
func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error {
|
||||
var roleBases iamv1alpha2.RoleBaseList
|
||||
|
||||
err := r.List(context.Background(), &roleBases)
|
||||
var labelKey string
|
||||
// filtering initial roles by label
|
||||
if namespace.Labels[constants.DevOpsProjectLabelKey] != "" {
|
||||
// scope.kubesphere.io/devops: ""
|
||||
labelKey = fmt.Sprintf(iamv1alpha2.ScopeLabelFormat, iamv1alpha2.ScopeDevOps)
|
||||
} else {
|
||||
// scope.kubesphere.io/namespace: ""
|
||||
labelKey = fmt.Sprintf(iamv1alpha2.ScopeLabelFormat, iamv1alpha2.ScopeNamespace)
|
||||
}
|
||||
err := r.List(context.Background(), &roleBases, client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labels.Set{labelKey: ""})})
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return err
|
||||
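Review bot: The selector at the `err := r.List(..., client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labels.Set{labelKey: ""})})` line matches only RoleBases whose scope label has an exactly empty value, so a RoleBase labeled `scope.kubesphere.io/namespace: "true"` is silently skipped and the namespace is reconciled with no initial roles and no error. If any value should qualify, an existence requirement (`selection.Exists` from k8s.io/apimachinery/pkg/selection, or an equivalent "has label" selector) is safer than the set-based match. The `if namespace.Labels[constants.DevOpsProjectLabelKey] != ""` branch is the only thing deciding which role set a namespace receives, so whoever can set that label on a namespace controls its initial roles; a comment above the branch would make that dependency explicit, e.g. `// The initial role set is chosen solely by this label; confirm it is not settable by ordinary namespace editors.` initRoles continues past the end of this hunk.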
@@ -254,7 +263,6 @@ func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error {
|
||||
|
||||
for _, roleBase := range roleBases.Items {
|
||||
var role rbacv1.Role
|
||||
|
||||
if err = yaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(roleBase.Role.Raw), 1024).Decode(&role); err == nil && role.Kind == iamv1alpha2.ResourceKindRole {
|
||||
var old rbacv1.Role
|
||||
err := r.Client.Get(context.Background(), types.NamespacedName{Namespace: namespace.Name, Name: role.Name}, &old)
|
||||
|
||||
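Review bot: A RoleBase whose `Role.Raw` fails to decode, or decodes to a Kind other than Role, is dropped without any log at the `if err = yaml.NewYAMLOrJSONDecoder(...).Decode(&role); err == nil && role.Kind == iamv1alpha2.ResourceKindRole {` line, so a malformed or mis-typed template leaves a namespace missing an expected role with nothing in the controller log to explain it. An `else` branch along the lines of `klog.Warningf("skipping role base %s: decode error %v, kind %q", roleBase.Name, err, role.Kind)` (assuming RoleBase carries ObjectMeta) would make the gap visible to operators. Which single line this hunk removes is not recoverable from the rendered page, and the loop body continues outside the hunk.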
@@ -105,18 +105,16 @@ func (d *rolesGetter) fetchAggregationRoles(namespace, name string) ([]*rbacv1.R
|
||||
if annotation := obj.(*rbacv1.Role).Annotations[iamv1alpha2.AggregationRolesAnnotation]; annotation != "" {
|
||||
var roleNames []string
|
||||
if err = json.Unmarshal([]byte(annotation), &roleNames); err == nil {
|
||||
|
||||
for _, roleName := range roleNames {
|
||||
role, err := d.Get(namespace, roleName)
|
||||
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
klog.Warningf("invalid aggregation role found: %s, %s", name, roleName)
|
||||
klog.V(6).Infof("invalid aggregation role found: %s, %s", name, roleName)
|
||||
continue
|
||||
}
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
roles = append(roles, role.(*rbacv1.Role))
|
||||
}
|
||||
}
|
||||
|
||||
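Review bot: Lowering the missing-aggregated-role message under `if errors.IsNotFound(err)` from `klog.Warningf` to `klog.V(6).Infof` (the two adjacent lines appear to be the old and new form) hides a dangling role reference at default verbosity; a Role whose aggregation annotation names a deleted or renamed role silently loses those rules, which operators want to see as a misconfiguration and which can also be a tamper signal. If the motivation is bootstrap noise, keeping `klog.Warningf("invalid aggregation role found: %s, %s", name, roleName)` and rate-limiting it is preferable to demoting it. The `if err = json.Unmarshal([]byte(annotation), &roleNames); err == nil {` branch likewise drops a malformed annotation without logging; fetchAggregationRoles starts and ends outside this hunk.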