improve multicluster resource controller

Signed-off-by: hongming <talonwan@yunify.com>
2020-06-15 14:09:32 +08:00
parent 61d827db54
commit 4fcaa78b45
51 changed files with 3583 additions and 381 deletions
--- a/pkg/apis/iam/v1alpha2/federated_types.go
+++ b/pkg/apis/iam/v1alpha2/federated_types.go
@@ -0,0 +1,161 @@
+/*
+
+ Copyright 2020 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package v1alpha2
+
+import (
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const (
+	ResourcesSingularFedUser                 = "federateduser"
+	ResourcesSingularFedGlobalRoleBinding    = "federatedglobalrolebinding"
+	ResourcesSingularFedWorkspaceRoleBinding = "federatedworkspacerolebinding"
+	ResourcesSingularFedGlobalRole           = "federatedglobalrole"
+	ResourcesSingularFedWorkspaceRole        = "federatedworkspacerole"
+	ResourcesPluralFedUser                   = "federatedusers"
+	ResourcesPluralFedGlobalRoleBinding      = "federatedglobalrolebindings"
+	ResourcesPluralFedWorkspaceRoleBinding   = "federatedworkspacerolebindings"
+	ResourcesPluralFedGlobalRole             = "federatedglobalroles"
+	ResourcesPluralFedWorkspaceRole          = "federatedworkspaceroles"
+	FedClusterRoleBindingKind                = "FederatedClusterRoleBinding"
+	FedClusterRoleKind                       = "FederatedClusterRole"
+	FedGlobalRoleKind                        = "FederatedGlobalRole"
+	FedWorkspaceRoleKind                     = "FederatedWorkspaceRole"
+	FedGlobalRoleBindingKind                 = "FederatedGlobalRoleBinding"
+	FedWorkspaceRoleBindingKind              = "FederatedWorkspaceRoleBinding"
+	fedResourceGroup                         = "types.kubefed.io"
+	fedResourceVersion                       = "v1beta1"
+	FedUserKind                              = "FederatedUser"
+)
+
+var (
+	FedUserResource = metav1.APIResource{
+		Name:         ResourcesPluralFedUser,
+		SingularName: ResourcesSingularFedUser,
+		Namespaced:   false,
+		Group:        fedResourceGroup,
+		Version:      fedResourceVersion,
+		Kind:         FedUserKind,
+	}
+	FedGlobalRoleBindingResource = metav1.APIResource{
+		Name:         ResourcesPluralFedGlobalRoleBinding,
+		SingularName: ResourcesSingularFedGlobalRoleBinding,
+		Namespaced:   false,
+		Group:        fedResourceGroup,
+		Version:      fedResourceVersion,
+		Kind:         FedGlobalRoleBindingKind,
+	}
+	FedWorkspaceRoleBindingResource = metav1.APIResource{
+		Name:         ResourcesPluralFedWorkspaceRoleBinding,
+		SingularName: ResourcesSingularFedWorkspaceRoleBinding,
+		Namespaced:   false,
+		Group:        fedResourceGroup,
+		Version:      fedResourceVersion,
+		Kind:         FedWorkspaceRoleBindingKind,
+	}
+	FedGlobalRoleResource = metav1.APIResource{
+		Name:         ResourcesPluralFedGlobalRole,
+		SingularName: ResourcesSingularFedGlobalRole,
+		Namespaced:   false,
+		Group:        fedResourceGroup,
+		Version:      fedResourceVersion,
+		Kind:         FedGlobalRoleKind,
+	}
+
+	FedWorkspaceRoleResource = metav1.APIResource{
+		Name:         ResourcesPluralFedWorkspaceRole,
+		SingularName: ResourcesSingularFedWorkspaceRole,
+		Namespaced:   false,
+		Group:        fedResourceGroup,
+		Version:      fedResourceVersion,
+		Kind:         FedWorkspaceRoleKind,
+	}
+
+	FederatedClusterRoleBindingResource = schema.GroupVersionResource{
+		Group:    fedResourceGroup,
+		Version:  fedResourceVersion,
+		Resource: "federatedclusterrolebindings",
+	}
+)
+
+type FederatedRoleBinding struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              FederatedRoleBindingSpec `json:"spec"`
+}
+
+type FederatedRoleBindingSpec struct {
+	Template  RoleBindingTemplate `json:"template"`
+	Placement Placement           `json:"placement"`
+}
+type RoleBindingTemplate struct {
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Subjects          []rbacv1.Subject `json:"subjects,omitempty"`
+	RoleRef           rbacv1.RoleRef   `json:"roleRef"`
+}
+
+type FederatedRole struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              FederatedRoleSpec `json:"spec"`
+}
+
+type FederatedRoleSpec struct {
+	Template  RoleTemplate `json:"template"`
+	Placement Placement    `json:"placement"`
+}
+
+type RoleTemplate struct {
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// +optional
+	Rules []rbacv1.PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+type FederatedUser struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              FederatedUserSpec `json:"spec"`
+}
+
+type FederatedUserSpec struct {
+	Template  UserTemplate `json:"template"`
+	Placement Placement    `json:"placement"`
+}
+
+type UserTemplate struct {
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              UserSpec `json:"spec"`
+	// +optional
+	Status UserStatus `json:"status,omitempty"`
+}
+
+type Placement struct {
+	Clusters        []Cluster       `json:"clusters,omitempty"`
+	ClusterSelector ClusterSelector `json:"clusterSelector,omitempty"`
+}
+
+type ClusterSelector struct {
+	MatchLabels map[string]string `json:"matchLabels,omitempty"`
+}
+
+type Cluster struct {
+	Name string `json:"name"`
+}
--- a/pkg/apis/iam/v1alpha2/register.go
+++ b/pkg/apis/iam/v1alpha2/register.go
@@ -59,7 +59,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&WorkspaceRoleList{},
 		&WorkspaceRoleBinding{},
 		&WorkspaceRoleBindingList{},
-		&FederatedClusterRoleBinding{},
+		&RoleBase{},
+		&RoleBaseList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/pkg/apis/iam/v1alpha2/types.go
+++ b/pkg/apis/iam/v1alpha2/types.go
@@ -19,6 +19,7 @@ package v1alpha2
 import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 )

 const (
@@ -65,6 +66,7 @@ const (
 	ScopeCluster                          = "cluster"
 	ScopeNamespace                        = "namespace"
 	PlatformAdmin                         = "platform-admin"
+	NamespaceAdmin                        = "admin"
 	ClusterAdmin                          = "cluster-admin"
 )

@@ -284,31 +286,22 @@ type WorkspaceRoleBindingList struct {
 	Items           []WorkspaceRoleBinding `json:"items"`
 }

+// +genclient
+// +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type FederatedClusterRoleBinding struct {
+// +kubebuilder:resource:categories="iam",scope="Cluster"
+type RoleBase struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FederatedClusterRoleBindingSpec `json:"spec"`
+
+	Role runtime.RawExtension `json:"role"`
 }

-type FederatedClusterRoleBindingSpec struct {
-	Template  Template  `json:"template"`
-	Placement Placement `json:"placement"`
-}
-type Template struct {
-	Subjects []rbacv1.Subject `json:"subjects,omitempty"`
-	RoleRef  rbacv1.RoleRef   `json:"roleRef"`
-}
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

-type Placement struct {
-	Clusters        []Cluster       `json:"clusters,omitempty"`
-	ClusterSelector ClusterSelector `json:"clusterSelector,omitempty"`
-}
-
-type ClusterSelector struct {
-	MatchLabels map[string]string `json:"matchLabels,omitempty"`
-}
-
-type Cluster struct {
-	Name string `json:"name"`
+// RoleBaseList contains a list of RoleBase
+type RoleBaseList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RoleBase `json:"items"`
 }
--- a/pkg/apis/iam/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/iam/v1alpha2/zz_generated.deepcopy.go
@@ -63,44 +63,106 @@ func (in *ClusterSelector) DeepCopy() *ClusterSelector {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FederatedClusterRoleBinding) DeepCopyInto(out *FederatedClusterRoleBinding) {
+func (in *FederatedRole) DeepCopyInto(out *FederatedRole) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederatedClusterRoleBinding.
-func (in *FederatedClusterRoleBinding) DeepCopy() *FederatedClusterRoleBinding {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederatedRole.
+func (in *FederatedRole) DeepCopy() *FederatedRole {
 	if in == nil {
 		return nil
 	}
-	out := new(FederatedClusterRoleBinding)
+	out := new(FederatedRole)
 	in.DeepCopyInto(out)
 	return out
 }

-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *FederatedClusterRoleBinding) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederatedRoleBinding) DeepCopyInto(out *FederatedRoleBinding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederatedRoleBinding.
+func (in *FederatedRoleBinding) DeepCopy() *FederatedRoleBinding {
+	if in == nil {
+		return nil
 	}
-	return nil
+	out := new(FederatedRoleBinding)
+	in.DeepCopyInto(out)
+	return out
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FederatedClusterRoleBindingSpec) DeepCopyInto(out *FederatedClusterRoleBindingSpec) {
+func (in *FederatedRoleBindingSpec) DeepCopyInto(out *FederatedRoleBindingSpec) {
 	*out = *in
 	in.Template.DeepCopyInto(&out.Template)
 	in.Placement.DeepCopyInto(&out.Placement)
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederatedClusterRoleBindingSpec.
-func (in *FederatedClusterRoleBindingSpec) DeepCopy() *FederatedClusterRoleBindingSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederatedRoleBindingSpec.
+func (in *FederatedRoleBindingSpec) DeepCopy() *FederatedRoleBindingSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(FederatedClusterRoleBindingSpec)
+	out := new(FederatedRoleBindingSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederatedRoleSpec) DeepCopyInto(out *FederatedRoleSpec) {
+	*out = *in
+	in.Template.DeepCopyInto(&out.Template)
+	in.Placement.DeepCopyInto(&out.Placement)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederatedRoleSpec.
+func (in *FederatedRoleSpec) DeepCopy() *FederatedRoleSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(FederatedRoleSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederatedUser) DeepCopyInto(out *FederatedUser) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederatedUser.
+func (in *FederatedUser) DeepCopy() *FederatedUser {
+	if in == nil {
+		return nil
+	}
+	out := new(FederatedUser)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FederatedUserSpec) DeepCopyInto(out *FederatedUserSpec) {
+	*out = *in
+	in.Template.DeepCopyInto(&out.Template)
+	in.Placement.DeepCopyInto(&out.Placement)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederatedUserSpec.
+func (in *FederatedUserSpec) DeepCopy() *FederatedUserSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(FederatedUserSpec)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -254,8 +316,67 @@ func (in *Placement) DeepCopy() *Placement {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Template) DeepCopyInto(out *Template) {
+func (in *RoleBase) DeepCopyInto(out *RoleBase) {
 	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Role.DeepCopyInto(&out.Role)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBase.
+func (in *RoleBase) DeepCopy() *RoleBase {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBase)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBase) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBaseList) DeepCopyInto(out *RoleBaseList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RoleBase, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBaseList.
+func (in *RoleBaseList) DeepCopy() *RoleBaseList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBaseList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBaseList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBindingTemplate) DeepCopyInto(out *RoleBindingTemplate) {
+	*out = *in
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	if in.Subjects != nil {
 		in, out := &in.Subjects, &out.Subjects
 		*out = make([]v1.Subject, len(*in))
@@ -264,12 +385,35 @@ func (in *Template) DeepCopyInto(out *Template) {
 	out.RoleRef = in.RoleRef
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Template.
-func (in *Template) DeepCopy() *Template {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBindingTemplate.
+func (in *RoleBindingTemplate) DeepCopy() *RoleBindingTemplate {
 	if in == nil {
 		return nil
 	}
-	out := new(Template)
+	out := new(RoleBindingTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleTemplate) DeepCopyInto(out *RoleTemplate) {
+	*out = *in
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]v1.PolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleTemplate.
+func (in *RoleTemplate) DeepCopy() *RoleTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleTemplate)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -391,6 +535,24 @@ func (in *UserStatus) DeepCopy() *UserStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserTemplate) DeepCopyInto(out *UserTemplate) {
+	*out = *in
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserTemplate.
+func (in *UserTemplate) DeepCopy() *UserTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(UserTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkspaceRole) DeepCopyInto(out *WorkspaceRole) {
 	*out = *in