From 91c292173310b951f455a05ed21b97f5134b0e22 Mon Sep 17 00:00:00 2001
From: KubeSphere CI Bot <47586280+ks-ci-bot@users.noreply.github.com>
Date: Mon, 13 Jan 2025 16:25:26 +0800
Subject: [PATCH] fix: sa binds rbac role (#2187)

* fix: sa binds rbac role

Signed-off-by: wenhaozhou

* fix ut test

Signed-off-by: wenhaozhou

* make goimports

Signed-off-by: wenhaozhou

---------

Signed-off-by: wenhaozhou
Co-authored-by: wenhaozhou
Signed-off-by: hongming
---
 .../serviceaccount_controller.go | 29 +++++++++++++++----
 .../serviceaccount_controller_test.go | 6 +++-
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/pkg/controller/serviceaccount/serviceaccount_controller.go b/pkg/controller/serviceaccount/serviceaccount_controller.go
index 71a5b7bfa..02a378da2 100644
--- a/pkg/controller/serviceaccount/serviceaccount_controller.go
+++ b/pkg/controller/serviceaccount/serviceaccount_controller.go
@@ -9,11 +9,10 @@ import (
 "context"
 "fmt"
- kscontroller "kubesphere.io/kubesphere/pkg/controller"
-
 "github.com/go-logr/logr"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
+ "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/tools/record"
@@ -22,6 +21,9 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 iamv1beta1 "kubesphere.io/api/iam/v1beta1"
+
+ kscontroller "kubesphere.io/kubesphere/pkg/controller"
+ rbacutils "kubesphere.io/kubesphere/pkg/utils/rbac"
 )
 const (
@@ -73,13 +75,28 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 return ctrl.Result{}, nil
 }
+func (r *Reconciler) getReferenceRole(ctx context.Context, roleName, namespace string) (*rbacv1.Role, error) {
+ refRole := &rbacv1.Role{}
+ refRoleName := rbacutils.RelatedK8sResourceName(roleName)
+ err := r.Client.Get(ctx, types.NamespacedName{Name: refRoleName, Namespace: namespace}, refRole)
+ if err != nil {
+ return nil, err
+ }
+ if v := refRole.Labels[iamv1beta1.RoleReferenceLabel]; v != roleName {
+ return nil, errors.NewNotFound(rbacv1.Resource("roles"), refRoleName)
+ }
+ return refRole, nil
+}
+
 func (r *Reconciler) CreateOrUpdateRoleBinding(ctx context.Context, logger logr.Logger, sa *corev1.ServiceAccount) error {
 roleName := sa.Annotations[iamv1beta1.RoleAnnotation]
 if roleName == "" {
 return nil
 }
- var role rbacv1.Role
- if err := r.Get(ctx, types.NamespacedName{Name: roleName, Namespace: sa.Namespace}, &role); err != nil {
+ var role *rbacv1.Role
+ role, err := r.getReferenceRole(ctx, roleName, sa.Namespace)
+ if err != nil {
+ logger.Error(err, "cannot get reference role", "roleName", roleName)
 return err
 }
@@ -95,8 +112,8 @@ func (r *Reconciler) CreateOrUpdateRoleBinding(ctx context.Context, logger logr.
 },
 RoleRef: rbacv1.RoleRef{
 APIGroup: rbacv1.GroupName,
- Kind: iamv1beta1.ResourceKindRole,
- Name: roleName,
+ Kind: "Role",
+ Name: role.Name,
 },
 Subjects: []rbacv1.Subject{
 {
diff --git a/pkg/controller/serviceaccount/serviceaccount_controller_test.go b/pkg/controller/serviceaccount/serviceaccount_controller_test.go
index 9bad6edb9..ddb21e1e2 100644
--- a/pkg/controller/serviceaccount/serviceaccount_controller_test.go
+++ b/pkg/controller/serviceaccount/serviceaccount_controller_test.go
@@ -37,6 +37,7 @@ var _ = Describe("ServiceAccount", func() {
 saName = "test-serviceaccount"
 saNamespace = "default"
 saRole = "test-role"
+ refRole = "kubesphere:iam:test-role"
 )
 var role *rbacv1.Role
 var sa *corev1.ServiceAccount
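Review bot: The added `var role *rbacv1.Role` in CreateOrUpdateRoleBinding is redundant, because the next line `role, err := r.getReferenceRole(ctx, roleName, sa.Namespace)` already declares `role` in the same scope (`:=` only requires `err` to be new), so the `var` line can simply be dropped. The new helper calls `r.Client.Get` while the line it replaces used `r.Get` via the embedded client; one form should be used consistently. getReferenceRole has no doc comment; it should state the contract its label check enforces, e.g. `// getReferenceRole returns the k8s Role generated for the IAM role roleName in namespace. A Role with the derived name but without a matching RoleReferenceLabel is not trusted and is reported as NotFound.` The error is logged here and then returned to Reconcile (outside this hunk), which presumably logs or records it again; if so, report it at one layer only.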
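Review bot: Switching `RoleRef.Name` from `roleName` to `role.Name` changes the roleRef of RoleBindings that the previous version of this controller already created, and the API server rejects updates that change a RoleBinding's roleRef (the field is immutable). If the surrounding code (outside this hunk) updates an existing binding in place via controllerutil.CreateOrUpdate, reconciliation of every pre-existing annotated ServiceAccount will fail on each loop until the stale binding is removed; the update path should compare the existing binding's RoleRef with the intended one and delete-and-recreate the binding when they differ, or the required migration should be documented. The literal `Kind: "Role"` now replaces `iamv1beta1.ResourceKindRole`; a one-line comment such as `// Bind the k8s Role generated for the IAM role, not the IAM role object itself.` would make the intent clear to the next reader.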
@@ -45,8 +46,11 @@ var _ = Describe("ServiceAccount", func() {
 BeforeEach(func() {
 role = &rbacv1.Role{
 ObjectMeta: metav1.ObjectMeta{
- Name: saRole,
+ Name: refRole,
 Namespace: saNamespace,
+ Labels: map[string]string{
+ iamv1beta1.RoleReferenceLabel: saRole,
+ },
 },
 }