@@ -37,7 +37,8 @@ const (
|
||||
WorkspaceLabelKey = "kubesphere.io/workspace"
|
||||
DisplayNameAnnotationKey = "displayName"
|
||||
DescriptionAnnotationKey = "desc"
|
||||
CreatorLabelAnnotationKey = "creator"
|
||||
CreatorAnnotationKey = "creator"
|
||||
System = "system"
|
||||
OpenPitrixRuntimeAnnotationKey = "openpitrix_runtime"
|
||||
WorkspaceAdmin = "workspace-admin"
|
||||
ClusterAdmin = "cluster-admin"
|
||||
|
||||
@@ -204,7 +204,7 @@ func (r *ReconcileNamespace) checkAndCreateRoles(namespace *corev1.Namespace) er
|
||||
func (r *ReconcileNamespace) checkAndCreateRoleBindings(namespace *corev1.Namespace) error {
|
||||
|
||||
workspaceName := namespace.Labels[constants.WorkspaceLabelKey]
|
||||
creatorName := namespace.Annotations[constants.CreatorLabelAnnotationKey]
|
||||
creatorName := namespace.Annotations[constants.CreatorAnnotationKey]
|
||||
|
||||
creator := rbac.Subject{APIGroup: "rbac.authorization.k8s.io", Kind: "User", Name: creatorName}
|
||||
|
||||
|
||||
@@ -517,7 +517,7 @@ func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
|
||||
admin := &rbac.ClusterRole{}
|
||||
admin.Name = getWorkspaceAdminRoleName(workspaceName)
|
||||
admin.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName}
|
||||
admin.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceAdmin, constants.DescriptionAnnotationKey: workspaceAdminDescription}
|
||||
admin.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceAdmin, constants.DescriptionAnnotationKey: workspaceAdminDescription, constants.CreatorAnnotationKey: constants.System}
|
||||
admin.Rules = []rbac.PolicyRule{
|
||||
{
|
||||
Verbs: []string{"*"},
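Review bot: `constants.System` is written into the same `creator` annotation that elsewhere on this page carries a username (CreateNamespace stores the caller's name in it and checkAndCreateRoleBindings turns the value into a `User` subject), so a role marked `system` cannot be told apart from one created by an account named `system` unless that name is reserved somewhere not shown here. I would record the reservation on the constant, for example `// System is the creator value for controller-generated objects; the username "system" must stay reserved.`, or choose a value that account validation already rejects. The same applies to the annotation maps changed in getWorkspaceRegular and getWorkspaceViewer. All three function bodies continue outside their hunks.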
|
||||
@@ -539,7 +539,7 @@ func getWorkspaceRegular(workspaceName string) *rbac.ClusterRole {
|
||||
regular := &rbac.ClusterRole{}
|
||||
regular.Name = getWorkspaceRegularRoleName(workspaceName)
|
||||
regular.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName}
|
||||
regular.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceRegular, constants.DescriptionAnnotationKey: workspaceRegularDescription}
|
||||
regular.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceRegular, constants.DescriptionAnnotationKey: workspaceRegularDescription, constants.CreatorAnnotationKey: constants.System}
|
||||
regular.Rules = []rbac.PolicyRule{
|
||||
{
|
||||
Verbs: []string{"get"},
|
||||
@@ -567,7 +567,7 @@ func getWorkspaceViewer(workspaceName string) *rbac.ClusterRole {
|
||||
viewer := &rbac.ClusterRole{}
|
||||
viewer.Name = getWorkspaceViewerRoleName(workspaceName)
|
||||
viewer.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName}
|
||||
viewer.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceViewer, constants.DescriptionAnnotationKey: workspaceViewerDescription}
|
||||
viewer.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceViewer, constants.DescriptionAnnotationKey: workspaceViewerDescription, constants.CreatorAnnotationKey: constants.System}
|
||||
viewer.Rules = []rbac.PolicyRule{
|
||||
{
|
||||
Verbs: []string{"get", "list"},
|
||||
|
||||
@@ -451,7 +451,7 @@ func NamespaceUsers(namespaceName string) ([]*models.User, error) {
|
||||
if subject.Kind == rbacv1.UserKind && !k8sutil.ContainsUser(users, subject.Name) {
|
||||
|
||||
// show creator
|
||||
if roleBinding.Name == NamespaceAdminRoleBindName && subject.Name != namespace.Annotations[constants.CreatorLabelAnnotationKey] {
|
||||
if roleBinding.Name == NamespaceAdminRoleBindName && subject.Name != namespace.Annotations[constants.CreatorAnnotationKey] {
|
||||
continue
|
||||
}
|
||||
|
||||
|
||||
@@ -145,7 +145,7 @@ func (s *clusterRoleSearcher) search(namespace string, conditions *params.Condit
|
||||
}
|
||||
|
||||
func isUserFacingClusterRole(role *rbac.ClusterRole) bool {
|
||||
if role.Annotations[constants.CreatorLabelAnnotationKey] != "" && role.Labels[constants.WorkspaceLabelKey] == "" {
|
||||
if role.Annotations[constants.CreatorAnnotationKey] != "" && role.Labels[constants.WorkspaceLabelKey] == "" {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
package tenant
|
||||
|
||||
import (
|
||||
"github.com/golang/glog"
|
||||
"k8s.io/api/core/v1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
@@ -90,20 +91,31 @@ func (*namespaceSearcher) GetNamespaces(username string) ([]*v1.Namespace, error
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
namespaces := make([]*v1.Namespace, 0)
|
||||
namespaceLister := informers.SharedInformerFactory().Core().V1().Namespaces().Lister()
|
||||
for _, role := range roles {
|
||||
namespace, err := namespaceLister.Get(role.Namespace)
|
||||
if err != nil {
|
||||
glog.Errorf("get namespace failed: %+v", err)
|
||||
return nil, err
|
||||
}
|
||||
namespaces = append(namespaces, namespace)
|
||||
if !containsNamespace(namespaces, namespace) {
|
||||
namespaces = append(namespaces, namespace)
|
||||
}
|
||||
}
|
||||
|
||||
return namespaces, nil
|
||||
}
|
||||
|
||||
func containsNamespace(namespaces []*v1.Namespace, namespace *v1.Namespace) bool {
|
||||
for _, item := range namespaces {
|
||||
if item.Name == namespace.Name {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (s *namespaceSearcher) search(username string, conditions *params.Conditions, orderBy string, reverse bool) ([]*v1.Namespace, error) {
|
||||
|
||||
rules, err := iam.GetUserClusterRules(username)
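Review bot: The duplicate check in GetNamespaces runs after `namespaceLister.Get`, so a namespace in which the user holds several roles is still looked up once per role, and `containsNamespace` rescans the result slice on every iteration. Keying a set on `role.Namespace` before the lookup avoids both: declare `seen := make(map[string]struct{}, len(roles))` ahead of the loop, and start the loop body with `if _, ok := seen[role.Namespace]; ok { continue }` followed by `seen[role.Namespace] = struct{}{}`. Separately, a single failed lookup still aborts the whole listing through `return nil, err`; if a role can outlive its namespace, skipping not-found entries may be preferable, but that is a behaviour change to confirm with the callers. The start of GetNamespaces lies outside the hunk.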
|
||||
|
||||
@@ -39,7 +39,7 @@ func CreateNamespace(workspaceName string, namespace *v1.Namespace, username str
|
||||
namespace.Labels = make(map[string]string, 0)
|
||||
}
|
||||
if username != "" {
|
||||
namespace.Annotations[constants.CreatorLabelAnnotationKey] = username
|
||||
namespace.Annotations[constants.CreatorAnnotationKey] = username
|
||||
}
|
||||
|
||||
namespace.Labels[constants.WorkspaceLabelKey] = workspaceName
|
||||
@@ -87,20 +87,14 @@ func appendAnnotations(username string, workspace *v1alpha1.Workspace) *v1alpha1
|
||||
ns, err := ListNamespaces(username, ¶ms.Conditions{Match: map[string]string{constants.WorkspaceLabelKey: workspace.Name}}, "", false, 1, 0)
|
||||
if err == nil {
|
||||
workspace.Annotations["kubesphere.io/namespace-count"] = strconv.Itoa(ns.TotalCount)
|
||||
} else {
|
||||
workspace.Annotations["kubesphere.io/namespace-count"] = "-1"
|
||||
}
|
||||
devops, err := ListDevopsProjects(workspace.Name, username, ¶ms.Conditions{}, "", false, 1, 0)
|
||||
if err == nil {
|
||||
workspace.Annotations["kubesphere.io/devops-count"] = strconv.Itoa(devops.TotalCount)
|
||||
} else {
|
||||
workspace.Annotations["kubesphere.io/devops-count"] = "-1"
|
||||
}
|
||||
userCount, err := ws.WorkspaceUserCount(workspace.Name)
|
||||
if err == nil {
|
||||
workspace.Annotations["kubesphere.io/member-count"] = strconv.Itoa(userCount)
|
||||
} else {
|
||||
workspace.Annotations["kubesphere.io/member-count"] = "-1"
|
||||
}
|
||||
return workspace
|
||||
}
|
||||
|
||||