hide internal user

Signed-off-by: hongming <talonwan@yunify.com>
2019-04-28 12:22:07 +08:00
parent 9a530c2cec
commit ebd681770e
9 changed files with 186 additions and 74 deletions
--- a/pkg/controller/clusterrolebinding/clusterrolebinding_controller.go
+++ b/pkg/controller/clusterrolebinding/clusterrolebinding_controller.go
@@ -40,7 +40,7 @@ import (
 )

 var (
-	log = logf.Log.WithName("controller")
+	log = logf.Log.WithName("clusterrolebinding-controller")
 )

 /**
--- a/pkg/controller/job/job_controller.go
+++ b/pkg/controller/job/job_controller.go
@@ -272,9 +272,7 @@ func (v *JobController) getCurrentRevision(item *batchv1.Job) JobRevision {
 			revision.Status = Failed
 			revision.Reasons = append(revision.Reasons, condition.Reason)
 			revision.Messages = append(revision.Messages, condition.Message)
-		}
-
-		if condition.Type == batchv1.JobComplete && condition.Status == v1.ConditionTrue {
+		} else if condition.Type == batchv1.JobComplete && condition.Status == v1.ConditionTrue {
 			revision.Status = Completed
 		}
 	}
--- a/pkg/controller/namespace/namespace_controller.go
+++ b/pkg/controller/namespace/namespace_controller.go
@@ -45,13 +45,19 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 )

+const (
+	adminDescription    = "Allows admin access to perform any action on any resource, it gives full control over every resource in the namespace."
+	operatorDescription = "The maintainer of the namespace who can manage resources other than users and roles in the namespace."
+	viewerDescription   = "Allows viewer access to view all resources in the namespace."
+)
+
 var (
-	log          = logf.Log.WithName("controller")
+	log          = logf.Log.WithName("namespace-controller")
 	defaultRoles = []rbac.Role{
-		{ObjectMeta: metav1.ObjectMeta{Name: "admin"}, Rules: []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}},
-		{ObjectMeta: metav1.ObjectMeta{Name: "operator"}, Rules: []rbac.PolicyRule{{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
-			{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions", "batch", "logging.kubesphere.io", "monitoring.kubesphere.io", "iam.kubesphere.io", "resources.kubesphere.io", "autoscaling"}, Resources: []string{"*"}}}},
-		{ObjectMeta: metav1.ObjectMeta{Name: "viewer"}, Rules: []rbac.PolicyRule{{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}},
+		{ObjectMeta: metav1.ObjectMeta{Name: "admin", Annotations: map[string]string{constants.DescriptionAnnotationKey: adminDescription}}, Rules: []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}},
+		{ObjectMeta: metav1.ObjectMeta{Name: "operator", Annotations: map[string]string{constants.DescriptionAnnotationKey: operatorDescription}}, Rules: []rbac.PolicyRule{{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions", "batch", "logging.kubesphere.io", "monitoring.kubesphere.io", "iam.kubesphere.io", "resources.kubesphere.io", "autoscaling", "alerting.kubesphere.io"}, Resources: []string{"*"}}}},
+		{ObjectMeta: metav1.ObjectMeta{Name: "viewer", Annotations: map[string]string{constants.DescriptionAnnotationKey: viewerDescription}}, Rules: []rbac.PolicyRule{{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}},
 	}
 )

--- a/pkg/controller/workspace/workspace_controller.go
+++ b/pkg/controller/workspace/workspace_controller.go
@@ -21,8 +21,11 @@ package workspace
 import (
 	"context"
 	"fmt"
+	corev1 "k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
@@ -42,7 +45,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 )

-var log = logf.Log.WithName("controller")
+const (
+	workspaceAdminDescription   = "Allows admin access to perform any action on any resource, it gives full control over every resource in the workspace."
+	workspaceRegularDescription = "Normal user in the workspace, can create namespace and DevOps project."
+	workspaceViewerDescription  = "Allows viewer access to view all resources in the workspace."
+)
+
+var log = logf.Log.WithName("workspace-controller")

 /**
 * USER ACTION REQUIRED: This is a scaffold file intended for the user to modify with their own Controller
@@ -161,6 +170,10 @@ func (r *ReconcileWorkspace) Reconcile(request reconcile.Request) (reconcile.Res
 		return reconcile.Result{}, err
 	}

+	if err = r.bindNamespaces(instance); err != nil {
+		return reconcile.Result{}, err
+	}
+
 	return reconcile.Result{}, nil
 }

@@ -442,6 +455,33 @@ func (r *ReconcileWorkspace) createWorkspaceRoleBindings(instance *tenantv1alpha
 	return nil
 }

+func (r *ReconcileWorkspace) bindNamespaces(instance *tenantv1alpha1.Workspace) error {
+
+	nsList := &corev1.NamespaceList{}
+	options := client.ListOptions{LabelSelector: labels.SelectorFromSet(labels.Set{constants.WorkspaceLabelKey: instance.Name})}
+	err := r.List(context.TODO(), &options, nsList)
+
+	if err != nil {
+		log.Error(err, fmt.Sprintf("list workspace %s namespace failed", instance.Name))
+		return err
+	}
+
+	for _, namespace := range nsList.Items {
+		if !metav1.IsControlledBy(&namespace, instance) {
+			if err := controllerutil.SetControllerReference(instance, &namespace, r.scheme); err != nil {
+				return err
+			}
+			log.Info("Bind workspace", "namespace", namespace.Name, "workspace", instance.Name)
+			err = r.Update(context.TODO(), &namespace)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
 func hasSubject(subjects []rbac.Subject, user rbac.Subject) bool {
 	for _, subject := range subjects {
 		if reflect.DeepEqual(subject, user) {
@@ -477,7 +517,7 @@ func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
 	admin := &rbac.ClusterRole{}
 	admin.Name = getWorkspaceAdminRoleName(workspaceName)
 	admin.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName}
-	admin.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceAdmin}
+	admin.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceAdmin, constants.DescriptionAnnotationKey: workspaceAdminDescription}
 	admin.Rules = []rbac.PolicyRule{
 		{
 			Verbs:         []string{"*"},
@@ -499,7 +539,7 @@ func getWorkspaceRegular(workspaceName string) *rbac.ClusterRole {
 	regular := &rbac.ClusterRole{}
 	regular.Name = getWorkspaceRegularRoleName(workspaceName)
 	regular.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName}
-	regular.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceRegular}
+	regular.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceRegular, constants.DescriptionAnnotationKey: workspaceRegularDescription}
 	regular.Rules = []rbac.PolicyRule{
 		{
 			Verbs:         []string{"get"},
@@ -527,7 +567,7 @@ func getWorkspaceViewer(workspaceName string) *rbac.ClusterRole {
 	viewer := &rbac.ClusterRole{}
 	viewer.Name = getWorkspaceViewerRoleName(workspaceName)
 	viewer.Labels = map[string]string{constants.WorkspaceLabelKey: workspaceName}
-	viewer.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceViewer}
+	viewer.Annotations = map[string]string{constants.DisplayNameAnnotationKey: constants.WorkspaceViewer, constants.DescriptionAnnotationKey: workspaceViewerDescription}
 	viewer.Rules = []rbac.PolicyRule{
 		{
 			Verbs:         []string{"get", "list"},