@@ -21,6 +21,7 @@ import (
21
21
"strings"
22
22
"time"
23
23
24
+ authorizationv1 "k8s.io/api/authorization/v1"
24
25
corev1 "k8s.io/api/core/v1"
25
26
rbacv1 "k8s.io/api/rbac/v1"
26
27
"k8s.io/apimachinery/pkg/api/errors"
@@ -87,7 +88,7 @@ func (r *NamespaceScopeReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err
87
88
}
88
89
}
89
90
90
- instance = setDefaults (instance )
91
+ instance = r . setDefaults (instance )
91
92
92
93
klog .Infof ("Reconciling NamespaceScope: %s" , req .NamespacedName )
93
94
if err := r .InitConfigMap (instance ); err != nil {
@@ -147,6 +148,9 @@ func (r *NamespaceScopeReconciler) InitConfigMap(instance *operatorv1.NamespaceS
147
148
return err
148
149
}
149
150
klog .Infof ("Created ConfigMap %s in namespace %s" , cmName , cmNamespace )
151
+ if err := r .RestartPods (instance .Spec .RestartLabels , instance .Namespace ); err != nil {
152
+ return err
153
+ }
150
154
return nil
151
155
}
152
156
return err
@@ -290,7 +294,7 @@ func (r *NamespaceScopeReconciler) DeleteRbacFromUnmanagedNamespace(instance *op
290
294
291
295
// When delete NamespaceScope instance, cleanup all RBAC resources
292
296
func (r * NamespaceScopeReconciler ) DeleteAllRbac (instance * operatorv1.NamespaceScope ) error {
293
- instance = setDefaults (instance )
297
+ instance = r . setDefaults (instance )
294
298
labels := map [string ]string {
295
299
"namespace-scope-configmap" : instance .Namespace + "-" + instance .Spec .ConfigmapName ,
296
300
}
@@ -349,7 +353,7 @@ func (r *NamespaceScopeReconciler) GetServiceAccountFromNamespace(labels map[str
349
353
}
350
354
351
355
func (r * NamespaceScopeReconciler ) CreateRole (labels map [string ]string , toNs string ) error {
352
- name := constant .NamespaceScopeManagedRoleName + labels ["namespace-scope-configmap" ]
356
+ name := constant .NamespaceScopeManagedPrefix + labels ["namespace-scope-configmap" ]
353
357
namespace := toNs
354
358
role := & rbacv1.Role {
355
359
ObjectMeta : metav1.ObjectMeta {
@@ -390,7 +394,7 @@ func (r *NamespaceScopeReconciler) DeleteRole(labels map[string]string, toNs str
390
394
}
391
395
392
396
func (r * NamespaceScopeReconciler ) CreateUpdateRoleBinding (labels map [string ]string , saNames []string , fromNs , toNs string ) error {
393
- name := constant .NamespaceScopeManagedRoleBindingName + labels ["namespace-scope-configmap" ]
397
+ name := constant .NamespaceScopeManagedPrefix + labels ["namespace-scope-configmap" ]
394
398
namespace := toNs
395
399
subjects := []rbacv1.Subject {}
396
400
for _ , saName := range saNames {
@@ -410,7 +414,7 @@ func (r *NamespaceScopeReconciler) CreateUpdateRoleBinding(labels map[string]str
410
414
Subjects : subjects ,
411
415
RoleRef : rbacv1.RoleRef {
412
416
Kind : "Role" ,
413
- Name : constant .NamespaceScopeManagedRoleName + labels ["namespace-scope-configmap" ],
417
+ Name : constant .NamespaceScopeManagedPrefix + labels ["namespace-scope-configmap" ],
414
418
APIGroup : "rbac.authorization.k8s.io" ,
415
419
},
416
420
}
@@ -473,7 +477,7 @@ func (r *NamespaceScopeReconciler) RestartPods(labels map[string]string, namespa
473
477
return nil
474
478
}
475
479
476
- func setDefaults (instance * operatorv1.NamespaceScope ) * operatorv1.NamespaceScope {
480
+ func ( r * NamespaceScopeReconciler ) setDefaults (instance * operatorv1.NamespaceScope ) * operatorv1.NamespaceScope {
477
481
if instance .Spec .ConfigmapName == "" {
478
482
instance .Spec .ConfigmapName = constant .NamespaceScopeConfigmapName
479
483
}
@@ -482,6 +486,13 @@ func setDefaults(instance *operatorv1.NamespaceScope) *operatorv1.NamespaceScope
482
486
constant .DefaultRestartLabelsKey : constant .DefaultRestartLabelsValue ,
483
487
}
484
488
}
489
+ if r .checkGetNSAuth () {
490
+ if validatedNs , err := r .getValidatedNamespaces (instance ); err != nil {
491
+ klog .Errorf ("Failed to validate namespace: %v" , err )
492
+ } else {
493
+ instance .Spec .NamespaceMembers = validatedNs
494
+ }
495
+ }
485
496
486
497
return instance
487
498
}
@@ -495,7 +506,7 @@ func (r *NamespaceScopeReconciler) getNamespaceList(instance *operatorv1.Namespa
495
506
return nil , err
496
507
}
497
508
for i := range crList .Items {
498
- cr := setDefaults (& crList .Items [i ])
509
+ cr := r . setDefaults (& crList .Items [i ])
499
510
if ! cr .GetDeletionTimestamp ().IsZero () {
500
511
continue
501
512
}
@@ -508,6 +519,43 @@ func (r *NamespaceScopeReconciler) getNamespaceList(instance *operatorv1.Namespa
508
519
return util .ToStringSlice (namespaceMembersList ), nil
509
520
}
510
521
522
+ func (r * NamespaceScopeReconciler ) checkGetNSAuth () bool {
523
+ // List the instance using the same configmap
524
+ sar := & authorizationv1.SelfSubjectAccessReview {
525
+ Spec : authorizationv1.SelfSubjectAccessReviewSpec {
526
+ ResourceAttributes : & authorizationv1.ResourceAttributes {
527
+ Verb : "get" ,
528
+ Group : "" ,
529
+ Resource : "namespaces" ,
530
+ },
531
+ },
532
+ }
533
+
534
+ if err := r .Create (ctx , sar ); err != nil {
535
+ klog .Errorf ("Failed to check if operator has permission to get namespace: %v" , err )
536
+ return false
537
+ }
538
+ return sar .Status .Allowed
539
+ }
540
+
541
+ func (r * NamespaceScopeReconciler ) getValidatedNamespaces (instance * operatorv1.NamespaceScope ) ([]string , error ) {
542
+ var validatedNs []string
543
+ for _ , nsMem := range instance .Spec .NamespaceMembers {
544
+ ns := & corev1.Namespace {}
545
+ key := types.NamespacedName {Name : nsMem }
546
+ if err := r .Get (ctx , key , ns ); err != nil {
547
+ if errors .IsNotFound (err ) {
548
+ klog .Infof ("Namespace %s does not exist and will be ignored" , nsMem )
549
+ continue
550
+ } else {
551
+ return nil , err
552
+ }
553
+ }
554
+ validatedNs = append (validatedNs , nsMem )
555
+ }
556
+ return validatedNs , nil
557
+ }
558
+
511
559
func (r * NamespaceScopeReconciler ) SetupWithManager (mgr ctrl.Manager ) error {
512
560
return ctrl .NewControllerManagedBy (mgr ).
513
561
Owns (& corev1.ConfigMap {}).
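Review bot: In `setDefaults` (new lines 489–495) an error from `getValidatedNamespaces` is only logged and the unfiltered `Spec.NamespaceMembers` is kept, and `checkGetNSAuth` (new lines 534–537) also answers false on any API error, so every failure mode degrades silently to "no validation" and `Reconcile`, `DeleteAllRbac` and the per-item loop in `getNamespaceList` cannot tell whether the members they go on to create Roles and RoleBindings for were actually checked. I would keep `setDefaults` free of API calls and run the validation once in `Reconcile`, where the error can fail the reconcile (sketch below); if the silent fallback is intentional, at least log it as such, e.g. `klog.Warningf("namespace validation skipped for %s, using Spec.NamespaceMembers as given: %v", instance.Name, err)`. Note also that `setDefaults` now issues a SelfSubjectAccessReview plus one Get per member on every call, including once per CR in `getNamespaceList`, and that it mutates the object it is handed, so if `instance` is later written back with an Update (not visible here) the filtered list would overwrite the user's spec — worth confirming. The comment on the new line 523, `// List the instance using the same configmap`, does not describe `checkGetNSAuth`; I would replace it with `// checkGetNSAuth reports whether the operator's own identity may "get" namespaces cluster-wide (via a SelfSubjectAccessReview); it also returns false when the review request itself fails.` `setDefaults` spans two hunks here (its signature in the `@@ -473` hunk, its tail in `@@ -482`) and `SetupWithManager` continues past the end of the section.

```go
// … unchanged: fetch of instance, not-found handling …
instance = r.setDefaults(instance)
// Validate here rather than inside setDefaults so an API error aborts the
// reconcile instead of silently falling back to the unvalidated list.
if r.checkGetNSAuth() {
	validatedNs, err := r.getValidatedNamespaces(instance)
	if err != nil {
		return ctrl.Result{}, err
	}
	instance.Spec.NamespaceMembers = validatedNs
}
klog.Infof("Reconciling NamespaceScope: %s", req.NamespacedName)
// … unchanged: InitConfigMap and the rest of Reconcile …
```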