From a1d8edc8d9a0e6ca841af51e34d1fd70f7840807 Mon Sep 17 00:00:00 2001 From: hongming Date: Mon, 25 Jun 2018 22:39:26 +0800 Subject: [PATCH] Fixed role definition. --- pkg/apis/v1alpha/iam/policy.go | 50 ++++++++++++++-------------- pkg/models/controllers/namespaces.go | 8 ++--- pkg/models/roles.go | 8 +++-- 3 files changed, 35 insertions(+), 31 deletions(-) diff --git a/pkg/apis/v1alpha/iam/policy.go b/pkg/apis/v1alpha/iam/policy.go index 19b007cc6..54e603104 100644 --- a/pkg/apis/v1alpha/iam/policy.go +++ b/pkg/apis/v1alpha/iam/policy.go @@ -86,7 +86,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"kubsphere.io"}, Resources: []string{"components"}, }, @@ -101,7 +101,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"namespaces"}, }, @@ -137,7 +137,7 @@ var ( {Name: "members", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list", "create", "delete"}, + Verbs: []string{"get", "watch", "list", "create", "delete"}, APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"rolebindings"}, }, @@ -146,7 +146,7 @@ var ( {Name: "member_roles", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list", "create", "delete", "patch", "update"}, + Verbs: []string{"get", "watch", "list", "create", "delete", "patch", "update"}, APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"roles"}, }, @@ -161,7 +161,7 @@ var ( {Name: "members", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list", "create", "delete"}, + Verbs: []string{"get", "watch", "list", "create", "delete"}, APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"rolebindings"}, }, 
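Review bot: The rule this hunk widens still targets the API group `"kubsphere.io"` (the context line directly after the changed verbs), while the users rule in the `@@ -202` hunk spells the group `"kubesphere.io"`; if that is a typo, the `components` view rule matches no served resource and grants nothing, so adding `watch` to it changes nothing in practice. Given the commit is titled as fixing role definitions, this looks like the line to correct as well: `APIGroups: []string{"kubesphere.io"},`. The group the components API is actually registered under is not visible in this diff, so confirm it against the API registration before changing the string. The other policy.go hunks in this patch only add `watch` beside existing `get`/`list` and need no separate comment.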
@@ -170,7 +170,7 @@ var ( {Name: "member_roles", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list", "create", "delete", "patch", "update"}, + Verbs: []string{"get", "watch", "list", "create", "delete", "patch", "update"}, APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"roles"}, }, @@ -202,12 +202,12 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"kubesphere.io"}, Resources: []string{"users"}, }, { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"clusterrolebindings"}, }, @@ -259,7 +259,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"clusterroles"}, }, @@ -302,7 +302,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"nodes"}, }, @@ -335,7 +335,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"persistentvolumes"}, }, @@ -349,7 +349,7 @@ var ( {Name: "create", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"persistentvolumes"}, }, @@ -367,7 +367,7 @@ var ( {Name: "delete", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"persistentvolumes"}, }, 
@@ -382,7 +382,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"storage.k8s.io"}, Resources: []string{"storageclasses"}, }, @@ -424,7 +424,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{ "secrets", @@ -479,7 +479,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"openpitrix.io"}, Resources: []string{"appcatalog"}, }, @@ -521,7 +521,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"openpitrix.io"}, Resources: []string{"apps"}, }, @@ -536,7 +536,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"apps"}, Resources: []string{"statefulsets"}, }, @@ -546,7 +546,7 @@ var ( Resources: []string{"namespaces"}, }, { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"pods", "pods/log", "pods/status"}, }, @@ -597,7 +597,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"apps", "extensions"}, Resources: []string{"daemonsets"}, }, @@ -607,7 +607,7 @@ var ( Resources: []string{"namespaces"}, }, { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"pods", "pods/log", "pods/status"}, }, @@ -649,7 +649,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"services"}, }, 
@@ -697,7 +697,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"extensions"}, Resources: []string{"ingresses"}, }, @@ -744,7 +744,7 @@ var ( {Name: "view", Rules: []v1.PolicyRule{ { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{"apps", "extensions"}, Resources: []string{"deployments", "deployments/scale"}, }, @@ -754,7 +754,7 @@ var ( Resources: []string{"namespaces"}, }, { - Verbs: []string{"get", "list"}, + Verbs: []string{"get", "watch", "list"}, APIGroups: []string{""}, Resources: []string{"pods", "pods/log", "pods/status"}, }, diff --git a/pkg/models/controllers/namespaces.go b/pkg/models/controllers/namespaces.go index 582f1e69d..562a25f12 100644 --- a/pkg/models/controllers/namespaces.go +++ b/pkg/models/controllers/namespaces.go @@ -48,8 +48,8 @@ const ( ) var adminRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}} -var editorRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}} -var viewerRules = []rbac.PolicyRule{{Verbs: []string{"list", "get"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}} +var editorRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions", "batch"}, Resources: []string{"*"}}} +var viewerRules = []rbac.PolicyRule{{Verbs: []string{"list", "get", "watch"}, APIGroups: []string{"", "apps", "extensions", "batch"}, Resources: []string{"*"}}} type runTime struct { RuntimeId string `json:"runtime_id"` 
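Review bot: `viewerRules` now grants `list`, `get` and `watch` on `Resources: []string{"*"}` in the core group (`""`), so every holder of the default namespace viewer role can read and watch all Secrets in that namespace; the added `batch` group widens both default roles further. policy.go in this same patch enumerates resources per rule, so the least-privilege option that matches the project's own style is to enumerate the viewer resources here too and leave `secrets` out unless that exposure is intended. If `*` is deliberate, a one-line comment above the var recording that decision (e.g. `// viewerRules intentionally covers secrets: see <issue placeholder>`) would keep the next reviewer from raising it again.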
@@ -200,13 +200,13 @@ func (ctl *NamespaceCtl) createRoleAndRuntime(item v1.Namespace) {
 return
 }
 
- err = ctl.createDefaultRoleBinding(ns, user)
+ resp, err := ctl.createOpRuntime(ns)
 if err != nil {
 glog.Error(err)
 return
 }
 
- resp, err := ctl.createOpRuntime(ns)
+ err = ctl.createDefaultRoleBinding(ns, user)
 if err != nil {
 glog.Error(err)
 return
diff --git a/pkg/models/roles.go b/pkg/models/roles.go
index c9cd8aaaf..e695b47f6 100644
--- a/pkg/models/roles.go
+++ b/pkg/models/roles.go
@@ -187,9 +187,13 @@ func GetClusterRoles(username string) ([]v1.ClusterRole, error) {
 for _, subject := range roleBinding.Subjects {
 if subject.Kind == v1.UserKind && subject.Name == username {
 if roleBinding.RoleRef.Kind == ClusterRoleKind {
- rule, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
+ role, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
 if err == nil {
- roles = append(roles, *rule)
+ if role.Annotations == nil {
+ role.Annotations = make(map[string]string, 0)
+ }
+ role.Annotations["rbac.authorization.k8s.io/clusterrolebinding"] = roleBinding.Name
+ roles = append(roles, *role)
 break
 } else if apierrors.IsNotFound(err) {
 glog.Infoln(err.Error())
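Review bot: With the two calls swapped, a failure in `ctl.createOpRuntime(ns)` now returns before `ctl.createDefaultRoleBinding(ns, user)` ever runs, and a failure in the role binding leaves the runtime created with no rollback; both paths log only `glog.Error(err)`, so the log does not say which step failed for which namespace. Prefixing the message with the step and the namespace, e.g. `glog.Errorf("create op runtime for namespace %v: %v", ns, err)` and `glog.Errorf("create default role binding for namespace %v: %v", ns, err)`, makes the resulting partial state diagnosable. Whether the new order is intended so that the binding is only created once the runtime exists is not stated in the commit message; a one-line comment above the first call would record that. createRoleAndRuntime continues past the end of the hunk, where `resp` is presumably consumed.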
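Review bot: The annotation key `rbac.authorization.k8s.io/clusterrolebinding` is written under the upstream Kubernetes RBAC prefix although it is a KubeSphere-specific marker that only decorates the copy returned to the caller; a consumer of the API response can mistake it for data maintained by the API server, and a project prefix such as `kubesphere.io/clusterrolebinding` would avoid that (any caller already reading the key would need the same change). The write goes onto the object returned by `Get`, which as a clientset call appears to be a fresh copy, so it is safe here; it would silently alter shared cache state if `k8s` were ever backed by an informer lister, which is worth a comment on the assignment line. `make(map[string]string, 0)` can simply be `make(map[string]string)`. GetClusterRoles extends past both ends of the hunk.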