refine tenant api

Signed-off-by: hongming <talonwan@yunify.com>

pkg/controller/add_clusterrolebinding.go

@@ -0,0 +1,28 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package controller
+
+import (
+	"kubesphere.io/kubesphere/pkg/controller/clusterrolebinding"
+)
+
+func init() {
+	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
+	AddToManagerFuncs = append(AddToManagerFuncs, clusterrolebinding.Add)
+}

pkg/controller/add_namespace.go

@@ -0,0 +1,28 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package controller
+
+import (
+	"kubesphere.io/kubesphere/pkg/controller/namespace"
+)
+
+func init() {
+	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
+	AddToManagerFuncs = append(AddToManagerFuncs, namespace.Add)
+}

pkg/controller/add_workspace.go

@@ -0,0 +1,26 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package controller
+
+import "kubesphere.io/kubesphere/pkg/controller/workspace"
+
+func init() {
+	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
+	AddToManagerFuncs = append(AddToManagerFuncs, workspace.Add)
+}

pkg/controller/clusterrolebinding/clusterrolebinding_controller.go

@@ -0,0 +1,220 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package clusterrolebinding
+
+import (
+	"context"
+	"fmt"
+	corev1 "k8s.io/api/core/v1"
+	rbac "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"kubesphere.io/kubesphere/pkg/constants"
+	"kubesphere.io/kubesphere/pkg/utils/k8sutil"
+	"reflect"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+var (
+	log = logf.Log.WithName("controller")
+)
+
+/**
+* USER ACTION REQUIRED: This is a scaffold file intended for the user to modify with their own Controller
+* business logic.  Delete these comments after modifying this file.*
+ */
+
+// Add creates a new Namespace Controller and adds it to the Manager with default RBAC. The Manager will set fields on the Controller
+// and Start it when the Manager is Started.
+func Add(mgr manager.Manager) error {
+	return add(mgr, newReconciler(mgr))
+}
+
+// newReconciler returns a new reconcile.Reconciler
+func newReconciler(mgr manager.Manager) reconcile.Reconciler {
+	return &ReconcileClusterRoleBinding{Client: mgr.GetClient(), scheme: mgr.GetScheme()}
+}
+
+// add adds a new Controller to mgr with r as the reconcile.Reconciler
+func add(mgr manager.Manager, r reconcile.Reconciler) error {
+	// Create a new controller
+	c, err := controller.New("clusterrolebinding-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to Namespace
+	err = c.Watch(&source.Kind{Type: &rbac.ClusterRoleBinding{}}, &handler.EnqueueRequestForObject{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+var _ reconcile.Reconciler = &ReconcileClusterRoleBinding{}
+
+// ReconcileClusterRoleBinding reconciles a Namespace object
+type ReconcileClusterRoleBinding struct {
+	client.Client
+	scheme *runtime.Scheme
+}
+
+// Reconcile reads that state of the cluster for a Namespace object and makes changes based on the state read
+// and what is in the Namespace.Spec
+// +kubebuilder:rbac:groups=core.kubesphere.io,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core.kubesphere.io,resources=namespaces/status,verbs=get;update;patch
+func (r *ReconcileClusterRoleBinding) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	// Fetch the Namespace instance
+	instance := &rbac.ClusterRoleBinding{}
+	err := r.Get(context.TODO(), request.NamespacedName, instance)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// Object not found, return.  Created objects are automatically garbage collected.
+			// For additional cleanup logic use finalizers.
+			return reconcile.Result{}, nil
+		}
+		// Error reading the object - requeue the request.
+		return reconcile.Result{}, err
+	}
+	workspaceName := instance.Labels[constants.WorkspaceLabelKey]
+
+	if workspaceName != "" && k8sutil.IsControlledBy(instance.OwnerReferences, "Workspace", workspaceName) {
+		if instance.Name == getWorkspaceAdminRoleBindingName(workspaceName) ||
+			instance.Name == getWorkspaceViewerRoleBindingName(workspaceName) {
+			nsList := &corev1.NamespaceList{}
+			options := client.ListOptions{LabelSelector: labels.SelectorFromSet(labels.Set{constants.WorkspaceLabelKey: workspaceName})}
+			err = r.List(context.TODO(), &options, nsList)
+			if err != nil {
+				return reconcile.Result{}, err
+			}
+			for _, ns := range nsList.Items {
+				err = r.updateRoleBindings(instance, &ns)
+				if err != nil {
+					return reconcile.Result{}, err
+				}
+			}
+		}
+	}
+	return reconcile.Result{}, nil
+}
+
+func (r *ReconcileClusterRoleBinding) updateRoleBindings(clusterRoleBinding *rbac.ClusterRoleBinding, namespace *corev1.Namespace) error {
+
+	workspaceName := namespace.Labels[constants.WorkspaceLabelKey]
+
+	if clusterRoleBinding.Name == getWorkspaceAdminRoleBindingName(workspaceName) {
+		adminBinding := &rbac.RoleBinding{}
+		adminBinding.Name = "admin"
+		adminBinding.Namespace = namespace.Name
+		adminBinding.RoleRef = rbac.RoleRef{Name: "admin", APIGroup: "rbac.authorization.k8s.io", Kind: "Role"}
+		adminBinding.Subjects = clusterRoleBinding.Subjects
+
+		found := &rbac.RoleBinding{}
+
+		err := r.Get(context.TODO(), types.NamespacedName{Namespace: namespace.Name, Name: adminBinding.Name}, found)
+
+		if errors.IsNotFound(err) {
+			log.Info("Creating default role binding", "namespace", namespace.Name, "name", adminBinding.Name)
+			err = r.Create(context.TODO(), adminBinding)
+			if err != nil {
+				return err
+			}
+		} else if err != nil {
+			return err
+		}
+
+		if !reflect.DeepEqual(found.RoleRef, adminBinding.RoleRef) {
+			log.Info("Deleting conflict role binding", "namespace", namespace.Name, "name", adminBinding.Name)
+			err = r.Delete(context.TODO(), found)
+			if err != nil {
+				return err
+			}
+			return fmt.Errorf("conflict role binding %s.%s, waiting for recreate", namespace.Name, adminBinding.Name)
+		}
+
+		if !reflect.DeepEqual(found.Subjects, adminBinding.Subjects) {
+			found.Subjects = adminBinding.Subjects
+			log.Info("Updating role binding", "namespace", namespace.Name, "name", adminBinding.Name)
+			err = r.Update(context.TODO(), found)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	if clusterRoleBinding.Name == getWorkspaceViewerRoleBindingName(workspaceName) {
+
+		found := &rbac.RoleBinding{}
+
+		viewerBinding := &rbac.RoleBinding{}
+		viewerBinding.Name = "viewer"
+		viewerBinding.Namespace = namespace.Name
+		viewerBinding.RoleRef = rbac.RoleRef{Name: "viewer", APIGroup: "rbac.authorization.k8s.io", Kind: "Role"}
+		viewerBinding.Subjects = clusterRoleBinding.Subjects
+
+		err := r.Get(context.TODO(), types.NamespacedName{Namespace: namespace.Name, Name: viewerBinding.Name}, found)
+
+		if errors.IsNotFound(err) {
+			log.Info("Creating default role binding", "namespace", namespace.Name, "name", viewerBinding.Name)
+			err = r.Create(context.TODO(), viewerBinding)
+			if err != nil {
+				return err
+			}
+		} else if err != nil {
+			return err
+		}
+
+		if !reflect.DeepEqual(found.RoleRef, viewerBinding.RoleRef) {
+			log.Info("Deleting conflict role binding", "namespace", namespace.Name, "name", viewerBinding.Name)
+			err = r.Delete(context.TODO(), found)
+			if err != nil {
+				return err
+			}
+			return fmt.Errorf("conflict role binding %s.%s, waiting for recreate", namespace.Name, viewerBinding.Name)
+		}
+
+		if !reflect.DeepEqual(found.Subjects, viewerBinding.Subjects) {
+			found.Subjects = viewerBinding.Subjects
+			log.Info("Updating role binding", "namespace", namespace.Name, "name", viewerBinding.Name)
+			err = r.Update(context.TODO(), found)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func getWorkspaceAdminRoleBindingName(workspaceName string) string {
+	return fmt.Sprintf("workspace:%s:admin", workspaceName)
+}
+
+func getWorkspaceViewerRoleBindingName(workspaceName string) string {
+	return fmt.Sprintf("workspace:%s:viewer", workspaceName)
+}

pkg/controller/clusterrolebinding/clusterrolebinding_controller_suite_test.go

@@ -0,0 +1,77 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package clusterrolebinding
+
+import (
+	stdlog "log"
+	"os"
+	"path/filepath"
+	"sync"
+	"testing"
+
+	"github.com/onsi/gomega"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"kubesphere.io/kubesphere/pkg/apis"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+var cfg *rest.Config
+
+func TestMain(m *testing.M) {
+	t := &envtest.Environment{
+		CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crds")},
+	}
+	apis.AddToScheme(scheme.Scheme)
+
+	var err error
+	if cfg, err = t.Start(); err != nil {
+		stdlog.Fatal(err)
+	}
+
+	code := m.Run()
+	t.Stop()
+	os.Exit(code)
+}
+
+// SetupTestReconcile returns a reconcile.Reconcile implementation that delegates to inner and
+// writes the request to requests after Reconcile is finished.
+func SetupTestReconcile(inner reconcile.Reconciler) (reconcile.Reconciler, chan reconcile.Request) {
+	requests := make(chan reconcile.Request)
+	fn := reconcile.Func(func(req reconcile.Request) (reconcile.Result, error) {
+		result, err := inner.Reconcile(req)
+		requests <- req
+		return result, err
+	})
+	return fn, requests
+}
+
+// StartTestManager adds recFn
+func StartTestManager(mgr manager.Manager, g *gomega.GomegaWithT) (chan struct{}, *sync.WaitGroup) {
+	stop := make(chan struct{})
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		g.Expect(mgr.Start(stop)).NotTo(gomega.HaveOccurred())
+	}()
+	return stop, wg
+}

pkg/controller/clusterrolebinding/clusterrolebinding_controller_test.go

@@ -0,0 +1,19 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package clusterrolebinding

pkg/controller/namespace/namespace_controller.go

@@ -0,0 +1,436 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package namespace
+
+import (
+	"context"
+	"fmt"
+	"github.com/golang/glog"
+	corev1 "k8s.io/api/core/v1"
+	rbac "k8s.io/api/rbac/v1"
+	"k8s.io/api/storage/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubernetes/pkg/apis/core"
+	"kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
+	"kubesphere.io/kubesphere/pkg/constants"
+	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
+	"kubesphere.io/kubesphere/pkg/utils/k8sutil"
+	"reflect"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+var (
+	log          = logf.Log.WithName("controller")
+	defaultRoles = []rbac.Role{
+		{ObjectMeta: metav1.ObjectMeta{Name: "admin"}, Rules: []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}},
+		{ObjectMeta: metav1.ObjectMeta{Name: "operator"}, Rules: []rbac.PolicyRule{{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions", "batch", "logging.kubesphere.io", "monitoring.kubesphere.io", "iam.kubesphere.io", "resources.kubesphere.io", "autoscaling"}, Resources: []string{"*"}}}},
+		{ObjectMeta: metav1.ObjectMeta{Name: "viewer"}, Rules: []rbac.PolicyRule{{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}},
+	}
+)
+
+/**
+* USER ACTION REQUIRED: This is a scaffold file intended for the user to modify with their own Controller
+* business logic.  Delete these comments after modifying this file.*
+ */
+
+// Add creates a new Namespace Controller and adds it to the Manager with default RBAC. The Manager will set fields on the Controller
+// and Start it when the Manager is Started.
+func Add(mgr manager.Manager) error {
+	return add(mgr, newReconciler(mgr))
+}
+
+// newReconciler returns a new reconcile.Reconciler
+func newReconciler(mgr manager.Manager) reconcile.Reconciler {
+	return &ReconcileNamespace{Client: mgr.GetClient(), scheme: mgr.GetScheme()}
+}
+
+// add adds a new Controller to mgr with r as the reconcile.Reconciler
+func add(mgr manager.Manager, r reconcile.Reconciler) error {
+	// Create a new controller
+	c, err := controller.New("namespace-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to Namespace
+	err = c.Watch(&source.Kind{Type: &corev1.Namespace{}}, &handler.EnqueueRequestForObject{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+var _ reconcile.Reconciler = &ReconcileNamespace{}
+
+// ReconcileNamespace reconciles a Namespace object
+type ReconcileNamespace struct {
+	client.Client
+	scheme *runtime.Scheme
+}
+
+// Reconcile reads that state of the cluster for a Namespace object and makes changes based on the state read
+// and what is in the Namespace.Spec
+// +kubebuilder:rbac:groups=core.kubesphere.io,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core.kubesphere.io,resources=namespaces/status,verbs=get;update;patch
+func (r *ReconcileNamespace) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	// Fetch the Namespace instance
+	instance := &corev1.Namespace{}
+	err := r.Get(context.TODO(), request.NamespacedName, instance)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// Object not found, return.  Created objects are automatically garbage collected.
+			// For additional cleanup logic use finalizers.
+			return reconcile.Result{}, nil
+		}
+		// Error reading the object - requeue the request.
+		return reconcile.Result{}, err
+	}
+
+	if !instance.ObjectMeta.DeletionTimestamp.IsZero() {
+		// The object is being deleted
+		if err := r.deleteRuntime(instance); err != nil {
+			// if fail to delete the external dependency here, return with error
+			// so that it can be retried
+			return reconcile.Result{}, err
+		}
+
+		return reconcile.Result{}, nil
+	}
+
+	workspaceName := instance.Labels[constants.WorkspaceLabelKey]
+
+	// delete default role bindings
+	if workspaceName == "" {
+		adminBinding := &rbac.RoleBinding{}
+		adminBinding.Name = "admin"
+		adminBinding.Namespace = instance.Name
+		log.Info("Deleting default role binding", "namespace", instance.Name, "name", adminBinding.Name)
+		err := r.Delete(context.TODO(), adminBinding)
+		if err != nil && !errors.IsNotFound(err) {
+			return reconcile.Result{}, err
+		}
+		viewerBinding := &rbac.RoleBinding{}
+		viewerBinding.Name = "viewer"
+		viewerBinding.Namespace = instance.Name
+		log.Info("Deleting default role binding", "namespace", instance.Name, "name", viewerBinding.Name)
+		err = r.Delete(context.TODO(), viewerBinding)
+		if err != nil && !errors.IsNotFound(err) {
+			return reconcile.Result{}, err
+		}
+		return reconcile.Result{}, nil
+	}
+
+	if err = r.checkAndBindWorkspace(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	if err = r.checkAndCreateRoles(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	if err = r.checkAndCreateRoleBindings(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	if err = r.checkAndCreateCephSecret(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	if err := r.checkAndCreateRuntime(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	return reconcile.Result{}, nil
+}
+
+// Create default roles
+func (r *ReconcileNamespace) checkAndCreateRoles(namespace *corev1.Namespace) error {
+	for _, role := range defaultRoles {
+		found := &rbac.Role{}
+		err := r.Get(context.TODO(), types.NamespacedName{Namespace: namespace.Name, Name: role.Name}, found)
+		if err != nil {
+			if errors.IsNotFound(err) {
+				role := role.DeepCopy()
+				role.Namespace = namespace.Name
+				log.Info("Creating default role", "namespace", namespace.Name, "role", role.Name)
+				err = r.Create(context.TODO(), role)
+				if err != nil {
+					return err
+				}
+			}
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *ReconcileNamespace) checkAndCreateRoleBindings(namespace *corev1.Namespace) error {
+
+	workspaceName := namespace.Labels[constants.WorkspaceLabelKey]
+	creatorName := namespace.Labels[constants.CreatorLabelKey]
+
+	creator := rbac.Subject{APIGroup: "rbac.authorization.k8s.io", Kind: "User", Name: creatorName}
+
+	workspaceAdminBinding := &rbac.ClusterRoleBinding{}
+
+	err := r.Get(context.TODO(), types.NamespacedName{Name: fmt.Sprintf("workspace:%s:admin", workspaceName)}, workspaceAdminBinding)
+
+	if err != nil {
+		return err
+	}
+
+	adminBinding := &rbac.RoleBinding{}
+	adminBinding.Name = "admin"
+	adminBinding.Namespace = namespace.Name
+	adminBinding.RoleRef = rbac.RoleRef{Name: "admin", APIGroup: "rbac.authorization.k8s.io", Kind: "Role"}
+	adminBinding.Subjects = workspaceAdminBinding.Subjects
+
+	if creator.Name != "" {
+		if adminBinding.Subjects == nil {
+			adminBinding.Subjects = make([]rbac.Subject, 0)
+		}
+		if !k8sutil.ContainsUser(adminBinding.Subjects, creatorName) {
+			adminBinding.Subjects = append(adminBinding.Subjects, creator)
+		}
+	}
+
+	found := &rbac.RoleBinding{}
+
+	err = r.Get(context.TODO(), types.NamespacedName{Namespace: namespace.Name, Name: adminBinding.Name}, found)
+
+	if errors.IsNotFound(err) {
+		log.Info("Creating default role binding", "namespace", namespace.Name, "name", adminBinding.Name)
+		err = r.Create(context.TODO(), adminBinding)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	if !reflect.DeepEqual(found.RoleRef, adminBinding.RoleRef) {
+		log.Info("Deleting conflict role binding", "namespace", namespace.Name, "name", adminBinding.Name)
+		err = r.Delete(context.TODO(), found)
+		if err != nil {
+			return err
+		}
+		return fmt.Errorf("conflict role binding %s.%s, waiting for recreate", namespace.Name, adminBinding.Name)
+	}
+
+	if !reflect.DeepEqual(found.Subjects, adminBinding.Subjects) {
+		found.Subjects = adminBinding.Subjects
+		log.Info("Updating role binding", "namespace", namespace.Name, "name", adminBinding.Name)
+		err = r.Update(context.TODO(), found)
+		if err != nil {
+			return err
+		}
+	}
+
+	workspaceViewerBinding := &rbac.ClusterRoleBinding{}
+
+	err = r.Get(context.TODO(), types.NamespacedName{Name: fmt.Sprintf("workspace:%s:viewer", workspaceName)}, workspaceViewerBinding)
+
+	if err != nil {
+		return err
+	}
+
+	viewerBinding := &rbac.RoleBinding{}
+	viewerBinding.Name = "viewer"
+	viewerBinding.Namespace = namespace.Name
+	viewerBinding.RoleRef = rbac.RoleRef{Name: "viewer", APIGroup: "rbac.authorization.k8s.io", Kind: "Role"}
+	viewerBinding.Subjects = workspaceViewerBinding.Subjects
+
+	err = r.Get(context.TODO(), types.NamespacedName{Namespace: namespace.Name, Name: viewerBinding.Name}, found)
+
+	if errors.IsNotFound(err) {
+		log.Info("Creating default role binding", "namespace", namespace.Name, "name", viewerBinding.Name)
+		err = r.Create(context.TODO(), viewerBinding)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	if !reflect.DeepEqual(found.RoleRef, viewerBinding.RoleRef) {
+		log.Info("Deleting conflict role binding", "namespace", namespace.Name, "name", viewerBinding.Name)
+		err = r.Delete(context.TODO(), found)
+		if err != nil {
+			return err
+		}
+		return fmt.Errorf("conflict role binding %s.%s, waiting for recreate", namespace.Name, viewerBinding.Name)
+	}
+
+	if !reflect.DeepEqual(found.Subjects, viewerBinding.Subjects) {
+		found.Subjects = viewerBinding.Subjects
+		log.Info("Updating role binding", "namespace", namespace.Name, "name", viewerBinding.Name)
+		err = r.Update(context.TODO(), found)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Create openpitrix runtime
+func (r *ReconcileNamespace) checkAndCreateRuntime(namespace *corev1.Namespace) error {
+
+	if runtimeId := namespace.Annotations[constants.OpenPitrixRuntimeAnnotationKey]; runtimeId != "" {
+		return nil
+	}
+
+	cm := &corev1.ConfigMap{}
+	err := r.Get(context.TODO(), types.NamespacedName{Namespace: constants.KubeSphereControlNamespace, Name: constants.AdminUserName}, cm)
+
+	if err != nil {
+		return err
+	}
+
+	runtime := &openpitrix.RunTime{Name: namespace.Name, Zone: namespace.Name, Provider: "kubernetes", RuntimeCredential: cm.Data["config"]}
+
+	log.Info("Creating openpitrix runtime", "namespace", namespace.Name)
+	if err := openpitrix.Client().CreateRuntime(runtime); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Delete openpitrix runtime
+func (r *ReconcileNamespace) deleteRuntime(namespace *corev1.Namespace) error {
+
+	if runtimeId := namespace.Annotations[constants.OpenPitrixRuntimeAnnotationKey]; runtimeId != "" {
+		log.Info("Deleting openpitrix runtime", "namespace", namespace.Name, "runtime", runtimeId)
+		if err := openpitrix.Client().DeleteRuntime(runtimeId); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Create openpitrix runtime
+func (r *ReconcileNamespace) checkAndBindWorkspace(namespace *corev1.Namespace) error {
+
+	workspaceName := namespace.Labels[constants.WorkspaceLabelKey]
+
+	if workspaceName == "" {
+		return nil
+	}
+
+	workspace := &v1alpha1.Workspace{}
+
+	err := r.Get(context.TODO(), types.NamespacedName{Name: workspaceName}, workspace)
+
+	if err != nil {
+		if errors.IsNotFound(err) {
+			log.Error(err, "namespace", namespace.Name)
+			delete(namespace.Labels, constants.WorkspaceLabelKey)
+			err = r.Update(context.TODO(), namespace)
+			if err != nil {
+				return err
+			}
+		}
+		return err
+	}
+
+	if !metav1.IsControlledBy(namespace, workspace) {
+		if err := controllerutil.SetControllerReference(workspace, namespace, r.scheme); err != nil {
+			return err
+		}
+		log.Info("Bind workspace", "namespace", namespace.Name, "workspace", workspaceName)
+		err = r.Update(context.TODO(), namespace)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+//Create Ceph secret in the new namespace
+func (r *ReconcileNamespace) checkAndCreateCephSecret(namespace *corev1.Namespace) error {
+
+	newNsName := namespace.Name
+	scList := &v1.StorageClassList{}
+	err := r.List(context.TODO(), &client.ListOptions{}, scList)
+	if err != nil {
+		return err
+	}
+	for _, sc := range scList.Items {
+		if sc.Provisioner == "kubernetes.io/rbd" {
+			log.Info("would create Ceph user secret in storage class %s at namespace %s", sc.GetName(), newNsName)
+			if secretName, ok := sc.Parameters["userSecretName"]; ok {
+				secret := &corev1.Secret{}
+				r.Get(context.TODO(), types.NamespacedName{Namespace: core.NamespaceSystem, Name: secretName}, secret)
+				if err != nil {
+					if errors.IsNotFound(err) {
+						log.Error(err, "cannot find secret in namespace %s, error: %s", core.NamespaceSystem, secretName)
+						continue
+					}
+					log.Error(err, fmt.Sprintf("failed to find secret in namespace %s", core.NamespaceSystem))
+					continue
+				}
+				glog.Infof("succeed to find secret %s in namespace %s", secret.GetName(), secret.GetNamespace())
+
+				newSecret := &corev1.Secret{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       secret.Kind,
+						APIVersion: secret.APIVersion,
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name:                       secret.GetName(),
+						Namespace:                  newNsName,
+						Labels:                     secret.GetLabels(),
+						Annotations:                secret.GetAnnotations(),
+						DeletionGracePeriodSeconds: secret.GetDeletionGracePeriodSeconds(),
+						ClusterName:                secret.GetClusterName(),
+					},
+					Data:       secret.Data,
+					StringData: secret.StringData,
+					Type:       secret.Type,
+				}
+				log.Info(fmt.Sprintf("creating secret %s in namespace %s...", newSecret.GetName(), newSecret.GetNamespace()))
+
+				err = r.Create(context.TODO(), newSecret)
+				if err != nil {
+					log.Error(err, fmt.Sprintf("failed to create secret in namespace %s", newSecret.GetNamespace()))
+					continue
+				}
+			} else {
+				log.Error(err, fmt.Sprintf("failed to find user secret name in storage class %s", sc.GetName()))
+			}
+		}
+	}
+
+	return nil
+}

pkg/controller/namespace/namespace_controller_suite_test.go

@@ -0,0 +1,77 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package namespace
+
+import (
+	stdlog "log"
+	"os"
+	"path/filepath"
+	"sync"
+	"testing"
+
+	"github.com/onsi/gomega"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"kubesphere.io/kubesphere/pkg/apis"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+var cfg *rest.Config
+
+func TestMain(m *testing.M) {
+	t := &envtest.Environment{
+		CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crds")},
+	}
+	apis.AddToScheme(scheme.Scheme)
+
+	var err error
+	if cfg, err = t.Start(); err != nil {
+		stdlog.Fatal(err)
+	}
+
+	code := m.Run()
+	t.Stop()
+	os.Exit(code)
+}
+
+// SetupTestReconcile returns a reconcile.Reconcile implementation that delegates to inner and
+// writes the request to requests after Reconcile is finished.
+func SetupTestReconcile(inner reconcile.Reconciler) (reconcile.Reconciler, chan reconcile.Request) {
+	requests := make(chan reconcile.Request)
+	fn := reconcile.Func(func(req reconcile.Request) (reconcile.Result, error) {
+		result, err := inner.Reconcile(req)
+		requests <- req
+		return result, err
+	})
+	return fn, requests
+}
+
+// StartTestManager adds recFn
+func StartTestManager(mgr manager.Manager, g *gomega.GomegaWithT) (chan struct{}, *sync.WaitGroup) {
+	stop := make(chan struct{})
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		g.Expect(mgr.Start(stop)).NotTo(gomega.HaveOccurred())
+	}()
+	return stop, wg
+}

pkg/controller/namespace/namespace_controller_test.go

@@ -0,0 +1,19 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package namespace

pkg/controller/workspace/workspace_controller.go

@@ -0,0 +1,534 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package workspace
+
+import (
+	"context"
+	"fmt"
+	rbac "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	tenantv1alpha1 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
+	"kubesphere.io/kubesphere/pkg/constants"
+	"kubesphere.io/kubesphere/pkg/models"
+	"kubesphere.io/kubesphere/pkg/simple/client/kubesphere"
+	"kubesphere.io/kubesphere/pkg/utils/sliceutil"
+	"reflect"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+var log = logf.Log.WithName("controller")
+
+/**
+* USER ACTION REQUIRED: This is a scaffold file intended for the user to modify with their own Controller
+* business logic.  Delete these comments after modifying this file.*
+ */
+
+// Add creates a new Workspace Controller and adds it to the Manager with default RBAC. The Manager will set fields on the Controller
+// and Start it when the Manager is Started.
+func Add(mgr manager.Manager) error {
+	return add(mgr, newReconciler(mgr))
+}
+
+// newReconciler returns a new reconcile.Reconciler
+func newReconciler(mgr manager.Manager) reconcile.Reconciler {
+	return &ReconcileWorkspace{Client: mgr.GetClient(), scheme: mgr.GetScheme(),
+		recorder: mgr.GetRecorder("workspace-controller"), ksclient: kubesphere.Client()}
+}
+
+// add adds a new Controller to mgr with r as the reconcile.Reconciler
+func add(mgr manager.Manager, r reconcile.Reconciler) error {
+	// Create a new controller
+	c, err := controller.New("workspace-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to Workspace
+	err = c.Watch(&source.Kind{Type: &tenantv1alpha1.Workspace{}}, &handler.EnqueueRequestForObject{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+var _ reconcile.Reconciler = &ReconcileWorkspace{}
+
+// ReconcileWorkspace reconciles a Workspace object
+type ReconcileWorkspace struct {
+	client.Client
+	scheme   *runtime.Scheme
+	recorder record.EventRecorder
+	ksclient kubesphere.Interface
+}
+
+// Reconcile reads that state of the cluster for a Workspace object and makes changes based on the state read
+// and what is in the Workspace.Spec
+// +kubebuilder:rbac:groups=tenant.kubesphere.io,resources=workspaces,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=tenant.kubesphere.io,resources=workspaces/status,verbs=get;update;patch
+func (r *ReconcileWorkspace) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	// Fetch the Workspace instance
+	instance := &tenantv1alpha1.Workspace{}
+	err := r.Get(context.TODO(), request.NamespacedName, instance)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// Object not found, return.  Created objects are automatically garbage collected.
+			// For additional cleanup logic use finalizers.
+			return reconcile.Result{}, nil
+		}
+		// Error reading the object - requeue the request.
+		return reconcile.Result{}, err
+	}
+
+	// name of your custom finalizer
+	finalizer := "finalizers.tenant.kubesphere.io"
+
+	if instance.ObjectMeta.DeletionTimestamp.IsZero() {
+		// The object is not being deleted, so if it does not have our finalizer,
+		// then lets add the finalizer and update the object.
+		if !sliceutil.HasString(instance.ObjectMeta.Finalizers, finalizer) {
+			instance.ObjectMeta.Finalizers = append(instance.ObjectMeta.Finalizers, finalizer)
+			if err := r.Update(context.Background(), instance); err != nil {
+				return reconcile.Result{}, err
+			}
+		}
+	} else {
+		// The object is being deleted
+		if sliceutil.HasString(instance.ObjectMeta.Finalizers, finalizer) {
+			// our finalizer is present, so lets handle our external dependency
+			if err := r.deleteGroup(instance); err != nil {
+				// if fail to delete the external dependency here, return with error
+				// so that it can be retried
+				return reconcile.Result{}, err
+			}
+
+			// remove our finalizer from the list and update it.
+			instance.ObjectMeta.Finalizers = sliceutil.RemoveString(instance.ObjectMeta.Finalizers, func(item string) bool {
+				return item == finalizer
+			})
+			if err := r.Update(context.Background(), instance); err != nil {
+				return reconcile.Result{}, err
+			}
+		}
+
+		// Our finalizer has finished, so the reconciler can do nothing.
+		return reconcile.Result{}, nil
+	}
+
+	if err = r.createWorkspaceAdmin(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	if err = r.createWorkspaceRegular(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	if err = r.createWorkspaceViewer(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	if err = r.createGroup(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	if err = r.createWorkspaceRoleBindings(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
+	return reconcile.Result{}, nil
+}
+
+func (r *ReconcileWorkspace) createWorkspaceAdmin(instance *tenantv1alpha1.Workspace) error {
+	found := &rbac.ClusterRole{}
+
+	admin := getWorkspaceAdmin(instance.Name)
+
+	if err := controllerutil.SetControllerReference(instance, admin, r.scheme); err != nil {
+		return err
+	}
+
+	err := r.Get(context.TODO(), types.NamespacedName{Name: admin.Name}, found)
+
+	if err != nil && errors.IsNotFound(err) {
+		log.Info("Creating workspace role", "workspace", instance.Name, "name", admin.Name)
+		err = r.Create(context.TODO(), admin)
+		if err != nil {
+			return err
+		}
+		found = admin
+	} else if err != nil {
+		// Error reading the object - requeue the request.
+		return err
+	}
+
+	// Update the found object and write the result back if there are any changes
+	if !reflect.DeepEqual(admin.Rules, found.Rules) || !reflect.DeepEqual(admin.Labels, found.Labels) {
+		found.Rules = admin.Rules
+		found.Labels = admin.Labels
+		log.Info("Updating workspace role", "workspace", instance.Name, "name", admin.Name)
+		err = r.Update(context.TODO(), found)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *ReconcileWorkspace) createWorkspaceRegular(instance *tenantv1alpha1.Workspace) error {
+	found := &rbac.ClusterRole{}
+
+	regular := getWorkspaceRegular(instance.Name)
+
+	if err := controllerutil.SetControllerReference(instance, regular, r.scheme); err != nil {
+		return err
+	}
+
+	err := r.Get(context.TODO(), types.NamespacedName{Name: regular.Name}, found)
+
+	if err != nil && errors.IsNotFound(err) {
+
+		log.Info("Creating workspace role", "workspace", instance.Name, "name", regular.Name)
+		err = r.Create(context.TODO(), regular)
+		// Error reading the object - requeue the request.
+		if err != nil {
+			return err
+		}
+		found = regular
+	} else if err != nil {
+		// Error reading the object - requeue the request.
+		return err
+	}
+
+	// Update the found object and write the result back if there are any changes
+	if !reflect.DeepEqual(regular.Rules, found.Rules) || !reflect.DeepEqual(regular.Labels, found.Labels) {
+		found.Rules = regular.Rules
+		found.Labels = regular.Labels
+		log.Info("Updating workspace role", "workspace", instance.Name, "name", regular.Name)
+		err = r.Update(context.TODO(), found)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (r *ReconcileWorkspace) createWorkspaceViewer(instance *tenantv1alpha1.Workspace) error {
+	found := &rbac.ClusterRole{}
+
+	viewer := getWorkspaceViewer(instance.Name)
+
+	if err := controllerutil.SetControllerReference(instance, viewer, r.scheme); err != nil {
+		return err
+	}
+
+	err := r.Get(context.TODO(), types.NamespacedName{Name: viewer.Name}, found)
+
+	if err != nil && errors.IsNotFound(err) {
+		log.Info("Creating workspace role", "workspace", instance.Name, "name", viewer.Name)
+		err = r.Create(context.TODO(), viewer)
+		// Error reading the object - requeue the request.
+		if err != nil {
+			return err
+		}
+		found = viewer
+	} else if err != nil {
+		// Error reading the object - requeue the request.
+		return err
+	}
+
+	// Update the found object and write the result back if there are any changes
+	if !reflect.DeepEqual(viewer.Rules, found.Rules) || !reflect.DeepEqual(viewer.Labels, found.Labels) {
+		found.Rules = viewer.Rules
+		found.Labels = viewer.Labels
+		log.Info("Updating workspace role", "workspace", instance.Name, "name", viewer.Name)
+		err = r.Update(context.TODO(), found)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (r *ReconcileWorkspace) createGroup(instance *tenantv1alpha1.Workspace) error {
+	_, err := r.ksclient.DescribeGroup(instance.Name)
+
+	group := &models.Group{
+		Name: instance.Name,
+	}
+
+	if err != nil && kubesphere.IsNotFound(err) {
+		log.Info("Creating group", "group name", instance.Name)
+		_, err = r.ksclient.CreateGroup(group)
+		if err != nil {
+			if kubesphere.IsExist(err) {
+				return nil
+			}
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r *ReconcileWorkspace) deleteGroup(instance *tenantv1alpha1.Workspace) error {
+	log.Info("Creating group", "group name", instance.Name)
+	if err := r.ksclient.DeleteGroup(instance.Name); err != nil {
+		if kubesphere.IsNotFound(err) {
+			return nil
+		}
+		return err
+	}
+	return nil
+}
+
+func (r *ReconcileWorkspace) createWorkspaceRoleBindings(instance *tenantv1alpha1.Workspace) error {
+
+	adminRoleBinding := &rbac.ClusterRoleBinding{}
+	adminRoleBinding.Name = getWorkspaceAdminRoleBindingName(instance.Name)
+	adminRoleBinding.Labels = map[string]string{constants.WorkspaceLabelKey: instance.Name}
+	adminRoleBinding.RoleRef = rbac.RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: getWorkspaceAdminRoleName(instance.Name)}
+
+	workspaceManager := rbac.Subject{APIGroup: "rbac.authorization.k8s.io", Kind: "User", Name: instance.Spec.Manager}
+
+	if workspaceManager.Name != "" {
+		adminRoleBinding.Subjects = []rbac.Subject{workspaceManager}
+	} else {
+		adminRoleBinding.Subjects = []rbac.Subject{}
+	}
+
+	if err := controllerutil.SetControllerReference(instance, adminRoleBinding, r.scheme); err != nil {
+		return err
+	}
+
+	foundRoleBinding := &rbac.ClusterRoleBinding{}
+
+	err := r.Get(context.TODO(), types.NamespacedName{Name: adminRoleBinding.Name}, foundRoleBinding)
+
+	if err != nil && errors.IsNotFound(err) {
+		log.Info("Creating workspace role binding", "workspace", instance.Name, "name", adminRoleBinding.Name)
+		err = r.Create(context.TODO(), adminRoleBinding)
+		// Error reading the object - requeue the request.
+		if err != nil {
+			return err
+		}
+		foundRoleBinding = adminRoleBinding
+	} else if err != nil {
+		// Error reading the object - requeue the request.
+		return err
+	}
+
+	// Update the found object and write the result back if there are any changes
+	if !reflect.DeepEqual(adminRoleBinding.RoleRef, foundRoleBinding.RoleRef) {
+		log.Info("Deleting conflict workspace role binding", "workspace", instance.Name, "name", adminRoleBinding.Name)
+		err = r.Delete(context.TODO(), foundRoleBinding)
+		if err != nil {
+			return err
+		}
+		return fmt.Errorf("conflict workspace role binding %s, waiting for recreate", foundRoleBinding.Name)
+	}
+
+	if workspaceManager.Name != "" && !hasSubject(foundRoleBinding.Subjects, workspaceManager) {
+		foundRoleBinding.Subjects = append(foundRoleBinding.Subjects, workspaceManager)
+		log.Info("Updating workspace role binding", "workspace", instance.Name, "name", adminRoleBinding.Name)
+		err = r.Update(context.TODO(), foundRoleBinding)
+		if err != nil {
+			return err
+		}
+	}
+
+	regularRoleBinding := &rbac.ClusterRoleBinding{}
+	regularRoleBinding.Name = getWorkspaceRegularRoleBindingName(instance.Name)
+	regularRoleBinding.Labels = map[string]string{constants.WorkspaceLabelKey: instance.Name}
+	regularRoleBinding.RoleRef = rbac.RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: getWorkspaceViewerRoleName(instance.Name)}
+	regularRoleBinding.Subjects = []rbac.Subject{}
+
+	if err = controllerutil.SetControllerReference(instance, regularRoleBinding, r.scheme); err != nil {
+		return err
+	}
+
+	err = r.Get(context.TODO(), types.NamespacedName{Name: regularRoleBinding.Name}, foundRoleBinding)
+
+	if err != nil && errors.IsNotFound(err) {
+		log.Info("Creating workspace role binding", "workspace", instance.Name, "name", regularRoleBinding.Name)
+		err = r.Create(context.TODO(), regularRoleBinding)
+		// Error reading the object - requeue the request.
+		if err != nil {
+			return err
+		}
+		foundRoleBinding = regularRoleBinding
+	} else if err != nil {
+		// Error reading the object - requeue the request.
+		return err
+	}
+
+	// Update the found object and write the result back if there are any changes
+	if !reflect.DeepEqual(regularRoleBinding.RoleRef, foundRoleBinding.RoleRef) {
+		log.Info("Deleting conflict workspace role binding", "workspace", instance.Name, "name", regularRoleBinding.Name)
+		err = r.Delete(context.TODO(), foundRoleBinding)
+		if err != nil {
+			return err
+		}
+		return fmt.Errorf("conflict workspace role binding %s, waiting for recreate", foundRoleBinding.Name)
+	}
+
+	viewerRoleBinding := &rbac.ClusterRoleBinding{}
+	viewerRoleBinding.Name = getWorkspaceViewerRoleBindingName(instance.Name)
+	viewerRoleBinding.Labels = map[string]string{constants.WorkspaceLabelKey: instance.Name}
+	viewerRoleBinding.RoleRef = rbac.RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: getWorkspaceViewerRoleName(instance.Name)}
+	viewerRoleBinding.Subjects = []rbac.Subject{}
+
+	if err = controllerutil.SetControllerReference(instance, viewerRoleBinding, r.scheme); err != nil {
+		return err
+	}
+
+	err = r.Get(context.TODO(), types.NamespacedName{Name: viewerRoleBinding.Name}, foundRoleBinding)
+
+	if err != nil && errors.IsNotFound(err) {
+		log.Info("Creating workspace role binding", "workspace", instance.Name, "name", viewerRoleBinding.Name)
+		err = r.Create(context.TODO(), viewerRoleBinding)
+		// Error reading the object - requeue the request.
+		if err != nil {
+			return err
+		}
+		foundRoleBinding = viewerRoleBinding
+	} else if err != nil {
+		// Error reading the object - requeue the request.
+		return err
+	}
+
+	// Update the found object and write the result back if there are any changes
+	if !reflect.DeepEqual(viewerRoleBinding.RoleRef, foundRoleBinding.RoleRef) {
+		log.Info("Deleting conflict workspace role binding", "workspace", instance.Name, "name", viewerRoleBinding.Name)
+		err = r.Delete(context.TODO(), foundRoleBinding)
+		if err != nil {
+			return err
+		}
+		return fmt.Errorf("conflict workspace role binding %s, waiting for recreate", foundRoleBinding.Name)
+	}
+
+	return nil
+}
+
+func hasSubject(subjects []rbac.Subject, user rbac.Subject) bool {
+	for _, subject := range subjects {
+		if reflect.DeepEqual(subject, user) {
+			return true
+		}
+	}
+	return false
+}
+
+func getWorkspaceAdminRoleName(workspaceName string) string {
+	return fmt.Sprintf("workspace:%s:admin", workspaceName)
+}
+func getWorkspaceRegularRoleName(workspaceName string) string {
+	return fmt.Sprintf("workspace:%s:regular", workspaceName)
+}
+func getWorkspaceViewerRoleName(workspaceName string) string {
+	return fmt.Sprintf("workspace:%s:viewer", workspaceName)
+}
+
+func getWorkspaceAdminRoleBindingName(workspaceName string) string {
+	return fmt.Sprintf("workspace:%s:admin", workspaceName)
+}
+
+func getWorkspaceRegularRoleBindingName(workspaceName string) string {
+	return fmt.Sprintf("workspace:%s:regular", workspaceName)
+}
+
+func getWorkspaceViewerRoleBindingName(workspaceName string) string {
+	return fmt.Sprintf("workspace:%s:viewer", workspaceName)
+}
+
+func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
+	admin := &rbac.ClusterRole{}
+	admin.Name = getWorkspaceAdminRoleName(workspaceName)
+	admin.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName, constants.DisplayNameLabelKey: constants.WorkspaceAdmin}
+	admin.Rules = []rbac.PolicyRule{
+		{
+			Verbs:         []string{"*"},
+			APIGroups:     []string{"*"},
+			ResourceNames: []string{workspaceName},
+			Resources:     []string{"workspaces", "workspaces/*"},
+		},
+		{
+			Verbs:     []string{"list"},
+			APIGroups: []string{"iam.kubesphere.io"},
+			Resources: []string{"users"},
+		},
+	}
+
+	return admin
+}
+
+func getWorkspaceRegular(workspaceName string) *rbac.ClusterRole {
+	regular := &rbac.ClusterRole{}
+	regular.Name = getWorkspaceRegularRoleName(workspaceName)
+	regular.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName, constants.DisplayNameLabelKey: constants.WorkspaceRegular}
+	regular.Rules = []rbac.PolicyRule{
+		{
+			Verbs:         []string{"get"},
+			APIGroups:     []string{"*"},
+			Resources:     []string{"workspaces"},
+			ResourceNames: []string{workspaceName},
+		}, {
+			Verbs:         []string{"create"},
+			APIGroups:     []string{"tenant.kubesphere.io"},
+			Resources:     []string{"workspaces/namespaces", "workspaces/devops"},
+			ResourceNames: []string{workspaceName},
+		},
+		{
+			Verbs:         []string{"get"},
+			APIGroups:     []string{"iam.kubesphere.io"},
+			ResourceNames: []string{workspaceName},
+			Resources:     []string{"workspaces/members"},
+		},
+	}
+
+	return regular
+}
+
+func getWorkspaceViewer(workspaceName string) *rbac.ClusterRole {
+	viewer := &rbac.ClusterRole{}
+	viewer.Name = getWorkspaceViewerRoleName(workspaceName)
+	viewer.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName, constants.DisplayNameLabelKey: constants.WorkspaceViewer}
+	viewer.Rules = []rbac.PolicyRule{
+		{
+			Verbs:         []string{"get", "list"},
+			APIGroups:     []string{"*"},
+			ResourceNames: []string{workspaceName},
+			Resources:     []string{"workspaces", "workspaces/*"},
+		},
+	}
+	return viewer
+}

pkg/controller/workspace/workspace_controller_suite_test.go

@@ -0,0 +1,77 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package workspace
+
+import (
+	stdlog "log"
+	"os"
+	"path/filepath"
+	"sync"
+	"testing"
+
+	"github.com/onsi/gomega"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"kubesphere.io/kubesphere/pkg/apis"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+var cfg *rest.Config
+
+func TestMain(m *testing.M) {
+	t := &envtest.Environment{
+		CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crds")},
+	}
+	apis.AddToScheme(scheme.Scheme)
+
+	var err error
+	if cfg, err = t.Start(); err != nil {
+		stdlog.Fatal(err)
+	}
+
+	code := m.Run()
+	t.Stop()
+	os.Exit(code)
+}
+
+// SetupTestReconcile returns a reconcile.Reconcile implementation that delegates to inner and
+// writes the request to requests after Reconcile is finished.
+func SetupTestReconcile(inner reconcile.Reconciler) (reconcile.Reconciler, chan reconcile.Request) {
+	requests := make(chan reconcile.Request)
+	fn := reconcile.Func(func(req reconcile.Request) (reconcile.Result, error) {
+		result, err := inner.Reconcile(req)
+		requests <- req
+		return result, err
+	})
+	return fn, requests
+}
+
+// StartTestManager adds recFn
+func StartTestManager(mgr manager.Manager, g *gomega.GomegaWithT) (chan struct{}, *sync.WaitGroup) {
+	stop := make(chan struct{})
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		g.Expect(mgr.Start(stop)).NotTo(gomega.HaveOccurred())
+	}()
+	return stop, wg
+}

pkg/controller/workspace/workspace_controller_test.go

@@ -0,0 +1,19 @@
+/*
+
+ Copyright 2019 The KubeSphere Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+*/
+
+package workspace