diff --git a/pkg/apis/iam/v1alpha2/types.go b/pkg/apis/iam/v1alpha2/types.go
index d3bbe9df9..3e203b818 100644
--- a/pkg/apis/iam/v1alpha2/types.go
+++ b/pkg/apis/iam/v1alpha2/types.go
@@ -60,6 +60,7 @@ const (
 ClusterRoleAnnotation = "iam.kubesphere.io/clusterrole"
 RoleAnnotation = "iam.kubesphere.io/role"
 RoleTemplateLabel = "iam.kubesphere.io/role-template"
+ ScopeLabelFormat = "scope.kubesphere.io/%s"
 UserReferenceLabel = "iam.kubesphere.io/user-ref"
 IdentifyProviderLabel = "iam.kubesphere.io/identify-provider"
 PasswordEncryptedAnnotation = "iam.kubesphere.io/password-encrypted"
@@ -68,6 +69,7 @@ const (
 ScopeWorkspace = "workspace"
 ScopeCluster = "cluster"
 ScopeNamespace = "namespace"
+ ScopeDevOps = "devops"
 PlatformAdmin = "platform-admin"
 NamespaceAdmin = "admin"
 WorkspaceAdminFormat = "%s-admin"
diff --git a/pkg/controller/namespace/namespace_controller.go b/pkg/controller/namespace/namespace_controller.go
index 990fb01f4..c9113e5ed 100644
--- a/pkg/controller/namespace/namespace_controller.go
+++ b/pkg/controller/namespace/namespace_controller.go
@@ -25,6 +25,7 @@ import (
 rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/yaml"
@@ -206,7 +207,6 @@ func (r *ReconcileNamespace) bindWorkspace(namespace *corev1.Namespace) error {
 func (r *ReconcileNamespace) deleteRouter(namespace string) error {
 routerName := constants.IngressControllerPrefix + namespace
- // delete service first
 found := corev1.Service{}
 err := r.Get(context.TODO(), types.NamespacedName{Namespace: constants.IngressControllerNamespace, Name: routerName}, &found)
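Review bot: `ScopeLabelFormat` and `ScopeDevOps` are added to the exported const block in types.go without a doc comment, so nothing in the types file says what the resulting `scope.kubesphere.io/<scope>` label is attached to or what value it is expected to carry. The namespace controller hunk in this same commit selects `RoleBaseList` items on that key with an empty value, so the contract belongs next to the constant; a comment such as `// ScopeLabelFormat is the label key (scope.kubesphere.io/<scope>) marking which scope a RoleBase is initialized for; initRoles selects on it with an empty value.` would do, and `// ScopeDevOps is the scope of roles initialized into DevOps project namespaces.` for the second constant. The enclosing const block starts and ends outside these hunks.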
@@ -246,7 +246,16 @@ func (r *ReconcileNamespace) deleteRouter(namespace string) error {
 func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error {
 var roleBases iamv1alpha2.RoleBaseList
- err := r.List(context.Background(), &roleBases)
+ var labelKey string
+ // filtering initial roles by label
+ if namespace.Labels[constants.DevOpsProjectLabelKey] != "" {
+ // scope.kubesphere.io/devops: ""
+ labelKey = fmt.Sprintf(iamv1alpha2.ScopeLabelFormat, iamv1alpha2.ScopeDevOps)
+ } else {
+ // scope.kubesphere.io/namespace: ""
+ labelKey = fmt.Sprintf(iamv1alpha2.ScopeLabelFormat, iamv1alpha2.ScopeNamespace)
+ }
+ err := r.List(context.Background(), &roleBases, client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labels.Set{labelKey: ""})})
 if err != nil {
 klog.Error(err)
 return err
@@ -254,7 +263,6 @@ func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error {
 for _, roleBase := range roleBases.Items {
 var role rbacv1.Role
-
 if err = yaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(roleBase.Role.Raw), 1024).Decode(&role); err == nil && role.Kind == iamv1alpha2.ResourceKindRole {
 var old rbacv1.Role
 err := r.Client.Get(context.Background(), types.NamespacedName{Namespace: namespace.Name, Name: role.Name}, &old)
diff --git a/pkg/models/resources/v1alpha3/role/roles.go b/pkg/models/resources/v1alpha3/role/roles.go
index 470035d96..ef99ef6fe 100644
--- a/pkg/models/resources/v1alpha3/role/roles.go
+++ b/pkg/models/resources/v1alpha3/role/roles.go
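Review bot: The selector `labels.SelectorFromSet(labels.Set{labelKey: ""})` in the new `r.List` call requires the scope label to be present with exactly an empty value, so a RoleBase carrying a non-empty value on that key, or one created before this change with no scope label at all, is silently excluded and the namespace ends up with no initial roles and no log line saying why. If the empty-value contract is intended, it should be stated where RoleBase objects are documented and an empty result deserves a trace such as `klog.V(4).Infof("no RoleBase matched label %s for namespace %s", labelKey, namespace.Name)` right after the error check; if presence alone is meant, `client.HasLabels{labelKey}` expresses that directly where the controller-runtime version supports it. As a point of style, `client.MatchingLabels{labelKey: ""}` is equivalent to the `MatchingLabelsSelector` form and would make the new `labels` import unnecessary. initRoles continues past the end of this hunk.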
@@ -105,18 +105,16 @@ func (d *rolesGetter) fetchAggregationRoles(namespace, name string) ([]*rbacv1.R
 if annotation := obj.(*rbacv1.Role).Annotations[iamv1alpha2.AggregationRolesAnnotation]; annotation != "" {
 var roleNames []string
 if err = json.Unmarshal([]byte(annotation), &roleNames); err == nil {
-
 for _, roleName := range roleNames {
 role, err := d.Get(namespace, roleName)
-
 if err != nil {
 if errors.IsNotFound(err) {
- klog.Warningf("invalid aggregation role found: %s, %s", name, roleName)
+ klog.V(6).Infof("invalid aggregation role found: %s, %s", name, roleName)
 continue
 }
+ klog.Error(err)
 return nil, err
 }
-
 roles = append(roles, role.(*rbacv1.Role))
 }
 }
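Review bot: The added `klog.Error(err)` immediately before `return nil, err` logs an error that the caller also receives and will handle or log, so the same failure is reported twice; either drop the new line or log at the layer that finally discards the error. Separately, moving the not-found case from `klog.Warningf` to `klog.V(6).Infof` hides a dangling entry in the `iamv1alpha2.AggregationRolesAnnotation` list (a role aggregating a role that does not exist) at default verbosity, and that is a misconfiguration an operator would normally want surfaced rather than silently skipped; unless log noise was the motivation, `klog.V(2).Infof(...)` or keeping the warning seems the safer level. fetchAggregationRoles continues outside this hunk.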