
Commit 19cb2bb

authored
Use a hash in the role&rolebinding name (#45)
1 parent bc5791b commit 19cb2bb


1 file changed

+8
-4
lines changed


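--- a/controllers/namespacescope_controller.go
+++ b/controllers/namespacescope_controller.go
@@ -18,6 +18,8 @@ package controllers
 
 import (
 "context"
+"crypto/sha256"
+"encoding/hex"
 "strings"
 "time"
 
@@ -415,7 +417,7 @@ func (r *NamespaceScopeReconciler) generateRBACToNamespace(instance *operatorv1.
 return err
 }
 
-if err := r.CreateRole(roleList, labels, fromNs, toNs); err != nil {
+if err := r.CreateRole(roleList, labels, sa, fromNs, toNs); err != nil {
 if errors.IsForbidden(err) {
 r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource roles in API group rbac.authorization.k8s.io in the namespace %s. Please authorize service account ibm-namespace-scope-operator namespace admin permission of %s namespace", toNs, toNs)
 }
@@ -491,7 +493,7 @@ func (r *NamespaceScopeReconciler) GetRolesFromServiceAccount(sa string, namespa
 return util.ToStringSlice(util.MakeSet(roleNameList)), nil
 }
 
-func (r *NamespaceScopeReconciler) CreateRole(roleNames []string, labels map[string]string, fromNs string, toNs string) error {
+func (r *NamespaceScopeReconciler) CreateRole(roleNames []string, labels map[string]string, saName, fromNs, toNs string) error {
 for _, roleName := range roleNames {
 originalRole := &rbacv1.Role{}
 if err := r.Get(ctx, types.NamespacedName{Name: roleName, Namespace: fromNs}, originalRole); err != nil {
@@ -502,7 +504,8 @@ func (r *NamespaceScopeReconciler) CreateRole(roleNames []string, labels map[str
 klog.Errorf("Failed to get role %s in namespace %s: %v", roleName, fromNs, err)
 return err
 }
-name := strings.Split(roleName, ".")[0] + "-" + labels["namespace-scope-configmap"]
+hashedServiceAccount := sha256.Sum256([]byte(saName + fromNs))
+name := strings.Split(roleName, ".")[0] + "-" + hex.EncodeToString(hashedServiceAccount[:7])
 namespace := toNs
 role := &rbacv1.Role{
 ObjectMeta: metav1.ObjectMeta{
@@ -543,7 +546,8 @@ func (r *NamespaceScopeReconciler) DeleteRole(labels map[string]string, toNs str
 
 func (r *NamespaceScopeReconciler) CreateRoleBinding(roleNames []string, labels map[string]string, saName, fromNs, toNs string) error {
 for _, roleName := range roleNames {
-name := strings.Split(roleName, ".")[0] + "-" + labels["namespace-scope-configmap"]
+hashedServiceAccount := sha256.Sum256([]byte(saName + fromNs))
+name := strings.Split(roleName, ".")[0] + "-" + hex.EncodeToString(hashedServiceAccount[:7])
 namespace := toNs
 subjects := []rbacv1.Subject{}
 subject := rbacv1.Subject{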
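Review bot: The hash input `saName + fromNs` in the new `hashedServiceAccount` lines of both CreateRole and CreateRoleBinding has no separator, so two distinct (service account, namespace) pairs such as ("ab", "c") and ("a", "bc") produce the same Role and RoleBinding name in the target namespace, and the second reconcile silently overwrites or conflicts with the first's RBAC objects; a character that neither a namespace nor a service account name may contain removes the ambiguity, e.g. `hashedServiceAccount := sha256.Sum256([]byte(saName + "/" + fromNs))`. The same two lines are duplicated verbatim in both functions and are loop-invariant, so they belong in one helper computed once before the `for _, roleName := range roleNames` loop, which also keeps the two names from drifting apart. Since the old name embedded `labels["namespace-scope-configmap"]` and the new one does not, objects created under the previous scheme will presumably not be matched by name any more; DeleteRole's selector is outside the hunk, so whether it still finds them by label should be confirmed before upgrade. Both CreateRole and CreateRoleBinding continue past the end of their hunks.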
