Fixed role definition.

This commit is contained in:
hongming
2018-06-25 22:39:26 +08:00
parent 471c5d7b48
commit a1d8edc8d9
3 changed files with 35 additions and 31 deletions


@@ -86,7 +86,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"kubsphere.io"}, APIGroups: []string{"kubsphere.io"},
Resources: []string{"components"}, Resources: []string{"components"},
}, },
@@ -101,7 +101,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"namespaces"}, Resources: []string{"namespaces"},
}, },
@@ -137,7 +137,7 @@ var (
{Name: "members", {Name: "members",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list", "create", "delete"}, Verbs: []string{"get", "watch", "list", "create", "delete"},
APIGroups: []string{"rbac.authorization.k8s.io"}, APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings"}, Resources: []string{"rolebindings"},
}, },
@@ -146,7 +146,7 @@ var (
{Name: "member_roles", {Name: "member_roles",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list", "create", "delete", "patch", "update"}, Verbs: []string{"get", "watch", "list", "create", "delete", "patch", "update"},
APIGroups: []string{"rbac.authorization.k8s.io"}, APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles"}, Resources: []string{"roles"},
}, },
@@ -161,7 +161,7 @@ var (
{Name: "members", {Name: "members",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list", "create", "delete"}, Verbs: []string{"get", "watch", "list", "create", "delete"},
APIGroups: []string{"rbac.authorization.k8s.io"}, APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings"}, Resources: []string{"rolebindings"},
}, },
@@ -170,7 +170,7 @@ var (
{Name: "member_roles", {Name: "member_roles",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list", "create", "delete", "patch", "update"}, Verbs: []string{"get", "watch", "list", "create", "delete", "patch", "update"},
APIGroups: []string{"rbac.authorization.k8s.io"}, APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles"}, Resources: []string{"roles"},
}, },
@@ -202,12 +202,12 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"kubesphere.io"}, APIGroups: []string{"kubesphere.io"},
Resources: []string{"users"}, Resources: []string{"users"},
}, },
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"rbac.authorization.k8s.io"}, APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterrolebindings"}, Resources: []string{"clusterrolebindings"},
}, },
@@ -259,7 +259,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"rbac.authorization.k8s.io"}, APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterroles"}, Resources: []string{"clusterroles"},
}, },
@@ -302,7 +302,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"nodes"}, Resources: []string{"nodes"},
}, },
@@ -335,7 +335,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"persistentvolumes"}, Resources: []string{"persistentvolumes"},
}, },
@@ -349,7 +349,7 @@ var (
{Name: "create", {Name: "create",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"persistentvolumes"}, Resources: []string{"persistentvolumes"},
}, },
@@ -367,7 +367,7 @@ var (
{Name: "delete", {Name: "delete",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"persistentvolumes"}, Resources: []string{"persistentvolumes"},
}, },
@@ -382,7 +382,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"storage.k8s.io"}, APIGroups: []string{"storage.k8s.io"},
Resources: []string{"storageclasses"}, Resources: []string{"storageclasses"},
}, },
@@ -424,7 +424,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{ Resources: []string{
"secrets", "secrets",
@@ -479,7 +479,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"openpitrix.io"}, APIGroups: []string{"openpitrix.io"},
Resources: []string{"appcatalog"}, Resources: []string{"appcatalog"},
}, },
@@ -521,7 +521,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"openpitrix.io"}, APIGroups: []string{"openpitrix.io"},
Resources: []string{"apps"}, Resources: []string{"apps"},
}, },
@@ -536,7 +536,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps"}, APIGroups: []string{"apps"},
Resources: []string{"statefulsets"}, Resources: []string{"statefulsets"},
}, },
@@ -546,7 +546,7 @@ var (
Resources: []string{"namespaces"}, Resources: []string{"namespaces"},
}, },
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"}, Resources: []string{"pods", "pods/log", "pods/status"},
}, },
@@ -597,7 +597,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps", "extensions"}, APIGroups: []string{"apps", "extensions"},
Resources: []string{"daemonsets"}, Resources: []string{"daemonsets"},
}, },
@@ -607,7 +607,7 @@ var (
Resources: []string{"namespaces"}, Resources: []string{"namespaces"},
}, },
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"}, Resources: []string{"pods", "pods/log", "pods/status"},
}, },
@@ -649,7 +649,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"services"}, Resources: []string{"services"},
}, },
@@ -697,7 +697,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"extensions"}, APIGroups: []string{"extensions"},
Resources: []string{"ingresses"}, Resources: []string{"ingresses"},
}, },
@@ -744,7 +744,7 @@ var (
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps", "extensions"}, APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments", "deployments/scale"}, Resources: []string{"deployments", "deployments/scale"},
}, },
@@ -754,7 +754,7 @@ var (
Resources: []string{"namespaces"}, Resources: []string{"namespaces"},
}, },
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""}, APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"}, Resources: []string{"pods", "pods/log", "pods/status"},
}, },
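Review bot: The `view` rule for `components` in the first hunk still targets the API group `"kubsphere.io"` (the context line after the changed `Verbs`), while the `users` rule later in the same file uses `"kubesphere.io"`; if that is a typo, the rule grants get/watch/list on a group that does not exist and the new `watch` verb buys nothing for `components`. The fix is one line, `APIGroups: []string{"kubesphere.io"},`, assuming the `users` spelling is the intended group. Adding `watch` alongside `get`/`list` matches the usual read-only verb set and is consistent across all hunks, but since every one of these `view` rules is a `v1.PolicyRule` literal, a short comment above the `var (` block stating that read-only roles are defined as exactly `get`, `watch`, `list` would make future additions less likely to drift. The enclosing `var (` block starts and ends outside these hunks.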


@@ -48,8 +48,8 @@ const (
) )
var adminRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}} var adminRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}
var editorRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}} var editorRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions", "batch"}, Resources: []string{"*"}}}
var viewerRules = []rbac.PolicyRule{{Verbs: []string{"list", "get"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}} var viewerRules = []rbac.PolicyRule{{Verbs: []string{"list", "get", "watch"}, APIGroups: []string{"", "apps", "extensions", "batch"}, Resources: []string{"*"}}}
type runTime struct { type runTime struct {
RuntimeId string `json:"runtime_id"` RuntimeId string `json:"runtime_id"`
@@ -200,13 +200,13 @@ func (ctl *NamespaceCtl) createRoleAndRuntime(item v1.Namespace) {
return return
} }
err = ctl.createDefaultRoleBinding(ns, user) resp, err := ctl.createOpRuntime(ns)
if err != nil { if err != nil {
glog.Error(err) glog.Error(err)
return return
} }
resp, err := ctl.createOpRuntime(ns) err = ctl.createDefaultRoleBinding(ns, user)
if err != nil { if err != nil {
glog.Error(err) glog.Error(err)
return return
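Review bot: `viewerRules` in the first hunk grants `list`, `get` and now `watch` on `Resources: []string{"*"}` in the core (`""`) API group, which includes `secrets` and `serviceaccounts`, so a viewer can read and stream every secret value in the namespace; the built-in Kubernetes `view` ClusterRole deliberately omits secrets for this reason. If that is not intended, the resource list for the viewer rule should be enumerated explicitly without `secrets`, and if it is intended, a comment above `var viewerRules` stating that viewers may read secrets would document the decision. In the second hunk, a failure of `ctl.createDefaultRoleBinding(ns, user)` is now only logged while the runtime created by the preceding `ctl.createOpRuntime(ns)` stays in place; the function continues outside the hunk, so whether anything compensates for that partial state is not visible here.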


@@ -187,9 +187,13 @@ func GetClusterRoles(username string) ([]v1.ClusterRole, error) {
for _, subject := range roleBinding.Subjects { for _, subject := range roleBinding.Subjects {
if subject.Kind == v1.UserKind && subject.Name == username { if subject.Kind == v1.UserKind && subject.Name == username {
if roleBinding.RoleRef.Kind == ClusterRoleKind { if roleBinding.RoleRef.Kind == ClusterRoleKind {
rule, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{}) role, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
if err == nil { if err == nil {
roles = append(roles, *rule) if role.Annotations == nil {
role.Annotations = make(map[string]string, 0)
}
role.Annotations["rbac.authorization.k8s.io/clusterrolebinding"] = roleBinding.Name
roles = append(roles, *role)
break break
} else if apierrors.IsNotFound(err) { } else if apierrors.IsNotFound(err) {
glog.Infoln(err.Error()) glog.Infoln(err.Error())
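Review bot: The new annotation key `rbac.authorization.k8s.io/clusterrolebinding` is written under the prefix of the Kubernetes RBAC API group rather than a project-owned one; nothing on the page suggests the API server defines this key, and reusing an upstream group prefix for a private marker invites confusion with future upstream annotations, so a prefix the project already owns, such as the `kubesphere.io` group used in the role definitions in this commit, would be clearer. The annotation is only set on the in-memory copy appended to `roles`, which should be stated in a comment above the assignment, e.g. `// carry the binding name to the caller; not persisted to the API server`, because a caller that later updates the object would write it back. `make(map[string]string, 0)` can simply be `make(map[string]string)`. The enclosing loop over role bindings and the function body continue outside the hunk.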