Commit 3891aa0

Update name of role and rolebinding (#36)
check that namespace members exist, if the operator has permission to get namespaces
1 parent 02d9da5 commit 3891aa0

2 files changed

+61
-14
lines changed


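--- a/controllers/constant/constants.go
+++ b/controllers/constant/constants.go
@@ -17,11 +17,10 @@
 package constant
 
 const (
-NamespaceScopeManagedRoleName = "namespacescope-managed-role-from-"
-NamespaceScopeManagedRoleBindingName = "namespacescope-managed-rolebinding-from-"
-NamespaceScopeConfigmapName = "namespace-scope"
-NamespaceScopeFinalizer = "finalizer.nss.operator.ibm.com"
-NamespaceScopeLabel = "managedby-namespace-scope"
-DefaultRestartLabelsKey = "intent"
-DefaultRestartLabelsValue = "projected"
+NamespaceScopeManagedPrefix = "nss-managed-role-from-"
+NamespaceScopeConfigmapName = "namespace-scope"
+NamespaceScopeFinalizer = "finalizer.nss.operator.ibm.com"
+NamespaceScopeLabel = "managedby-namespace-scope"
+DefaultRestartLabelsKey = "intent"
+DefaultRestartLabelsValue = "projected"
 )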

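--- a/controllers/namespacescope_controller.go
+++ b/controllers/namespacescope_controller.go
@@ -21,6 +21,7 @@ import (
 "strings"
 "time"
 
+authorizationv1 "k8s.io/api/authorization/v1"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/errors"
@@ -87,7 +88,7 @@ func (r *NamespaceScopeReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err
 }
 }
 
-instance = setDefaults(instance)
+instance = r.setDefaults(instance)
 
 klog.Infof("Reconciling NamespaceScope: %s", req.NamespacedName)
 if err := r.InitConfigMap(instance); err != nil {
@@ -147,6 +148,9 @@ func (r *NamespaceScopeReconciler) InitConfigMap(instance *operatorv1.NamespaceS
 return err
 }
 klog.Infof("Created ConfigMap %s in namespace %s", cmName, cmNamespace)
+if err := r.RestartPods(instance.Spec.RestartLabels, instance.Namespace); err != nil {
+return err
+}
 return nil
 }
 return err
@@ -290,7 +294,7 @@ func (r *NamespaceScopeReconciler) DeleteRbacFromUnmanagedNamespace(instance *op
 
 // When delete NamespaceScope instance, cleanup all RBAC resources
 func (r *NamespaceScopeReconciler) DeleteAllRbac(instance *operatorv1.NamespaceScope) error {
-instance = setDefaults(instance)
+instance = r.setDefaults(instance)
 labels := map[string]string{
 "namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
 }
@@ -349,7 +353,7 @@ func (r *NamespaceScopeReconciler) GetServiceAccountFromNamespace(labels map[str
 }
 
 func (r *NamespaceScopeReconciler) CreateRole(labels map[string]string, toNs string) error {
-name := constant.NamespaceScopeManagedRoleName + labels["namespace-scope-configmap"]
+name := constant.NamespaceScopeManagedPrefix + labels["namespace-scope-configmap"]
 namespace := toNs
 role := &rbacv1.Role{
 ObjectMeta: metav1.ObjectMeta{
@@ -390,7 +394,7 @@ func (r *NamespaceScopeReconciler) DeleteRole(labels map[string]string, toNs str
 }
 
 func (r *NamespaceScopeReconciler) CreateUpdateRoleBinding(labels map[string]string, saNames []string, fromNs, toNs string) error {
-name := constant.NamespaceScopeManagedRoleBindingName + labels["namespace-scope-configmap"]
+name := constant.NamespaceScopeManagedPrefix + labels["namespace-scope-configmap"]
 namespace := toNs
 subjects := []rbacv1.Subject{}
 for _, saName := range saNames {
@@ -410,7 +414,7 @@ func (r *NamespaceScopeReconciler) CreateUpdateRoleBinding(labels map[string]str
 Subjects: subjects,
 RoleRef: rbacv1.RoleRef{
 Kind: "Role",
-Name: constant.NamespaceScopeManagedRoleName + labels["namespace-scope-configmap"],
+Name: constant.NamespaceScopeManagedPrefix + labels["namespace-scope-configmap"],
 APIGroup: "rbac.authorization.k8s.io",
 },
 }
@@ -473,7 +477,7 @@ func (r *NamespaceScopeReconciler) RestartPods(labels map[string]string, namespa
 return nil
 }
 
-func setDefaults(instance *operatorv1.NamespaceScope) *operatorv1.NamespaceScope {
+func (r *NamespaceScopeReconciler) setDefaults(instance *operatorv1.NamespaceScope) *operatorv1.NamespaceScope {
 if instance.Spec.ConfigmapName == "" {
 instance.Spec.ConfigmapName = constant.NamespaceScopeConfigmapName
 }
@@ -482,6 +486,13 @@ func setDefaults(instance *operatorv1.NamespaceScope) *operatorv1.NamespaceScope
 constant.DefaultRestartLabelsKey: constant.DefaultRestartLabelsValue,
 }
 }
+if r.checkGetNSAuth() {
+if validatedNs, err := r.getValidatedNamespaces(instance); err != nil {
+klog.Errorf("Failed to validate namespace: %v", err)
+} else {
+instance.Spec.NamespaceMembers = validatedNs
+}
+}
 
 return instance
 }
@@ -495,7 +506,7 @@ func (r *NamespaceScopeReconciler) getNamespaceList(instance *operatorv1.Namespa
 return nil, err
 }
 for i := range crList.Items {
-cr := setDefaults(&crList.Items[i])
+cr := r.setDefaults(&crList.Items[i])
 if !cr.GetDeletionTimestamp().IsZero() {
 continue
 }
@@ -508,6 +519,43 @@ func (r *NamespaceScopeReconciler) getNamespaceList(instance *operatorv1.Namespa
 return util.ToStringSlice(namespaceMembersList), nil
 }
 
+func (r *NamespaceScopeReconciler) checkGetNSAuth() bool {
+// List the instance using the same configmap
+sar := &authorizationv1.SelfSubjectAccessReview{
+Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+ResourceAttributes: &authorizationv1.ResourceAttributes{
+Verb: "get",
+Group: "",
+Resource: "namespaces",
+},
+},
+}
+
+if err := r.Create(ctx, sar); err != nil {
+klog.Errorf("Failed to check if operator has permission to get namespace: %v", err)
+return false
+}
+return sar.Status.Allowed
+}
+
+func (r *NamespaceScopeReconciler) getValidatedNamespaces(instance *operatorv1.NamespaceScope) ([]string, error) {
+var validatedNs []string
+for _, nsMem := range instance.Spec.NamespaceMembers {
+ns := &corev1.Namespace{}
+key := types.NamespacedName{Name: nsMem}
+if err := r.Get(ctx, key, ns); err != nil {
+if errors.IsNotFound(err) {
+klog.Infof("Namespace %s does not exist and will be ignored", nsMem)
+continue
+} else {
+return nil, err
+}
+}
+validatedNs = append(validatedNs, nsMem)
+}
+return validatedNs, nil
+}
+
 func (r *NamespaceScopeReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
 Owns(&corev1.ConfigMap{}).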
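Review bot: `checkGetNSAuth` and `getValidatedNamespaces` now run inside `setDefaults` (new lines 489–495; `setDefaults` begins outside that hunk), so every caller — `Reconcile`, `DeleteAllRbac`, and once per CR in the `getNamespaceList` loop — issues a `SelfSubjectAccessReview` create plus one namespace GET per member on each reconcile; evaluate the SSAR once (at reconciler setup or the top of `Reconcile`) and reuse the result instead of re-asking the API server from a defaulting helper. The comment at new line 523, `// List the instance using the same configmap`, describes something else and appears copied from `getNamespaceList`; replace it with `// Ask the API server whether this service account may get namespaces cluster-wide; the SSAR carries no Name, so a role restricted with resourceNames answers false and validation is skipped.` Note that validation only drops members whose GET is NotFound — any other error is logged at line 491 and the unfiltered list is used — and that the filtered `instance.Spec.NamespaceMembers` is an in-memory mutation, so if the instance is later written back to the API server (not visible in this hunk) the user's spec would be silently rewritten. Style: `Group: ""` at line 528 is the zero value and can be dropped, and the `else` after `continue` at lines 550–552 can go so `return nil, err` sits at the loop's top level.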
