Revert "only copy specific role (#40)" (#41)

Daniel-Fan · web-flow · commit 3fb02373fa71 · 2020-11-12T07:14:42.000+08:00
This reverts commit 576c89d.
diff --git a/api/v1/namespacescope_types.go b/api/v1/namespacescope_types.go
@@ -31,9 +31,6 @@ type NamespaceScopeSpec struct {
 	// Namespaces that are part of this scope
 	NamespaceMembers []string `json:"namespaceMembers,omitempty"`
 
-	// ServiceAccountMembers are extra service accounts will be bond the roles from other namespaces
-	ServiceAccountMembers []string `json:"serviceAccountMembers,omitempty"`
-
 	// ConfigMap name that will contain the list of namespaces to be watched
 	ConfigmapName string `json:"configmapName,omitempty"`
 
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/operator.ibm.com_namespacescopes.yaml b/config/crd/bases/operator.ibm.com_namespacescopes.yaml
@@ -60,12 +60,6 @@ spec:
               description: Restart pods with the following labels when the namspace
                 list changes
               type: object
-            serviceAccountMembers:
-              description: ServiceAccountMembers are extra service accounts will be
-                bond the roles from other namespaces
-              items:
-                type: string
-              type: array
           type: object
         status:
           description: NamespaceScopeStatus defines the observed state of NamespaceScope
diff --git a/controllers/constant/constants.go b/controllers/constant/constants.go
@@ -17,11 +17,10 @@
 package constant
 
 const (
-	NamespaceScopeManagedPrefix  = "nss-managed-role-from-"
-	NamespaceScopeConfigmapName  = "namespace-scope"
-	NamespaceScopeFinalizer      = "finalizer.nss.operator.ibm.com"
-	NamespaceScopeLabel          = "managedby-namespace-scope"
-	DefaultRestartLabelsKey      = "intent"
-	DefaultRestartLabelsValue    = "projected"
-	NamespaceScopeServiceAccount = "ibm-namespace-scope-operator"
+	NamespaceScopeManagedPrefix = "nss-managed-role-from-"
+	NamespaceScopeConfigmapName = "namespace-scope"
+	NamespaceScopeFinalizer     = "finalizer.nss.operator.ibm.com"
+	NamespaceScopeLabel         = "managedby-namespace-scope"
+	DefaultRestartLabelsKey     = "intent"
+	DefaultRestartLabelsValue   = "projected"
 )
diff --git a/controllers/namespacescope_controller.go b/controllers/namespacescope_controller.go
@@ -207,10 +207,13 @@ func (r *NamespaceScopeReconciler) UpdateConfigMap(instance *operatorv1.Namespac
 
 func (r *NamespaceScopeReconciler) PushRbacToNamespace(instance *operatorv1.NamespaceScope) error {
 	fromNs := instance.Namespace
-	saNames, err := r.GetServiceAccountFromNamespace(instance, fromNs)
+	saNames, err := r.GetServiceAccountFromNamespace(instance.Spec.RestartLabels, fromNs)
 	if err != nil {
 		return err
 	}
+	labels := map[string]string{
+		"namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
+	}
 
 	operatorNs, err := util.GetOperatorNamespace()
 	if err != nil {
@@ -222,10 +225,17 @@ func (r *NamespaceScopeReconciler) PushRbacToNamespace(instance *operatorv1.Name
 		if toNs == operatorNs {
 			continue
 		}
-		if err := r.generateRBACForNSS(instance, fromNs, toNs); err != nil {
+
+		if err := r.CreateRole(labels, toNs); err != nil {
+			if errors.IsForbidden(err) {
+				r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource roles in API group rbac.authorization.k8s.io in the namespace %s", toNs)
+			}
 			return err
 		}
-		if err := r.generateRBACToNamespace(instance, saNames, fromNs, toNs); err != nil {
+		if err := r.CreateUpdateRoleBinding(labels, saNames, fromNs, toNs); err != nil {
+			if errors.IsForbidden(err) {
+				r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource rolebindings in API group rbac.authorization.k8s.io in the namespace %s", toNs)
+			}
 			return err
 		}
 	}
@@ -323,26 +333,32 @@ func (r *NamespaceScopeReconciler) DeleteAllRbac(instance *operatorv1.NamespaceS
 	return nil
 }
 
-func (r *NamespaceScopeReconciler) generateRBACForNSS(instance *operatorv1.NamespaceScope, fromNs, toNs string) error {
-	labels := map[string]string{
-		"namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
+func (r *NamespaceScopeReconciler) GetServiceAccountFromNamespace(labels map[string]string, namespace string) ([]string, error) {
+	pods := &corev1.PodList{}
+	opts := []client.ListOption{
+		client.MatchingLabels(labels),
+		client.InNamespace(namespace),
 	}
-	if err := r.createRoleForNSS(labels, toNs); err != nil {
-		if errors.IsForbidden(err) {
-			r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource roles in API group rbac.authorization.k8s.io in the namespace %s", toNs)
-		}
-		return err
+
+	if err := r.List(ctx, pods, opts...); err != nil {
+		klog.Errorf("Cannot list pods with labels %v in namespace %s: %v", labels, namespace, err)
+		return nil, err
 	}
-	if err := r.createRoleBindingForNSS(labels, fromNs, toNs); err != nil {
-		if errors.IsForbidden(err) {
-			r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource rolebindings in API group rbac.authorization.k8s.io in the namespace %s", toNs)
+
+	// By default, set ibm-namespace-scope-operator service account
+	var saNames = []string{"ibm-namespace-scope-operator"}
+
+	for _, pod := range pods.Items {
+		if len(pod.Spec.ServiceAccountName) != 0 {
+			saNames = append(saNames, pod.Spec.ServiceAccountName)
 		}
-		return err
 	}
-	return nil
+	saNames = util.ToStringSlice(util.MakeSet(saNames))
+
+	return saNames, nil
 }
 
-func (r *NamespaceScopeReconciler) createRoleForNSS(labels map[string]string, toNs string) error {
+func (r *NamespaceScopeReconciler) CreateRole(labels map[string]string, toNs string) error {
 	name := constant.NamespaceScopeManagedPrefix + labels["namespace-scope-configmap"]
 	namespace := toNs
 	role := &rbacv1.Role{
@@ -370,16 +386,31 @@ func (r *NamespaceScopeReconciler) createRoleForNSS(labels map[string]string, to
 	return nil
 }
 
-func (r *NamespaceScopeReconciler) createRoleBindingForNSS(labels map[string]string, fromNs, toNs string) error {
+func (r *NamespaceScopeReconciler) DeleteRole(labels map[string]string, toNs string) error {
+	opts := []client.DeleteAllOfOption{
+		client.MatchingLabels(labels),
+		client.InNamespace(toNs),
+	}
+	if err := r.DeleteAllOf(ctx, &rbacv1.Role{}, opts...); err != nil {
+		klog.Errorf("Failed to delete role with labels %v in namespace %s: %v", labels, toNs, err)
+		return err
+	}
+	klog.Infof("Deleted role with labels %v in namespace %s", labels, toNs)
+	return nil
+}
+
+func (r *NamespaceScopeReconciler) CreateUpdateRoleBinding(labels map[string]string, saNames []string, fromNs, toNs string) error {
 	name := constant.NamespaceScopeManagedPrefix + labels["namespace-scope-configmap"]
 	namespace := toNs
 	subjects := []rbacv1.Subject{}
-	subject := rbacv1.Subject{
-		Kind:      "ServiceAccount",
-		Name:      constant.NamespaceScopeServiceAccount,
-		Namespace: fromNs,
+	for _, saName := range saNames {
+		subject := rbacv1.Subject{
+			Kind:      "ServiceAccount",
+			Name:      saName,
+			Namespace: fromNs,
+		}
+		subjects = append(subjects, subject)
 	}
-	subjects = append(subjects, subject)
 	roleBinding := &rbacv1.RoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -396,6 +427,9 @@ func (r *NamespaceScopeReconciler) createRoleBindingForNSS(labels map[string]str
 
 	if err := r.Create(ctx, roleBinding); err != nil {
 		if errors.IsAlreadyExists(err) {
+			if err := r.UpdateRoleBinding(roleBinding); err != nil {
+				return err
+			}
 			return nil
 		}
 		klog.Errorf("Failed to create rolebinding %s/%s: %v", namespace, name, err)
@@ -405,172 +439,19 @@ func (r *NamespaceScopeReconciler) createRoleBindingForNSS(labels map[string]str
 	return nil
 }
 
-func (r *NamespaceScopeReconciler) generateRBACToNamespace(instance *operatorv1.NamespaceScope, saNames []string, fromNs, toNs string) error {
-	labels := map[string]string{
-		"namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
-	}
-	for _, sa := range saNames {
-		roleList, err := r.GetRolesFromServiceAccount(sa, fromNs)
-		if err != nil {
-			return err
-		}
-
-		if err := r.CreateRole(roleList, labels, fromNs, toNs); err != nil {
-			if errors.IsForbidden(err) {
-				r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource roles in API group rbac.authorization.k8s.io in the namespace %s", toNs)
-			}
-			return err
-		}
-		if err := r.CreateRoleBinding(roleList, labels, sa, fromNs, toNs); err != nil {
-			if errors.IsForbidden(err) {
-				r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource rolebindings in API group rbac.authorization.k8s.io in the namespace %s", toNs)
-			}
-			return err
-		}
-	}
-	return nil
-}
-
-func (r *NamespaceScopeReconciler) GetServiceAccountFromNamespace(instance *operatorv1.NamespaceScope, namespace string) ([]string, error) {
-	labels := instance.Spec.RestartLabels
-	pods := &corev1.PodList{}
-	opts := []client.ListOption{
-		client.MatchingLabels(labels),
-		client.InNamespace(namespace),
-	}
-
-	if err := r.List(ctx, pods, opts...); err != nil {
-		klog.Errorf("Cannot list pods with labels %v in namespace %s: %v", labels, namespace, err)
-		return nil, err
-	}
-
-	// By default, set ibm-namespace-scope-operator service account
-	var saNames = []string{"ibm-namespace-scope-operator"}
-
-	for _, pod := range pods.Items {
-		if len(pod.Spec.ServiceAccountName) != 0 {
-			saNames = append(saNames, pod.Spec.ServiceAccountName)
-		}
-	}
-
-	if len(instance.Spec.ServiceAccountMembers) != 0 {
-		for _, sa := range instance.Spec.ServiceAccountMembers {
-			serviceaccount := &corev1.ServiceAccount{}
-			if err := r.Get(ctx, types.NamespacedName{Namespace: namespace, Name: sa}, serviceaccount); err != nil {
-				klog.Errorf("Failed to get service account %s in namespace %s", sa, namespace)
-				continue
-			}
-			saNames = append(saNames, sa)
-		}
-	}
-
-	saNames = util.ToStringSlice(util.MakeSet(saNames))
-
-	return saNames, nil
-}
-
-func (r *NamespaceScopeReconciler) GetRolesFromServiceAccount(sa string, namespace string) ([]string, error) {
-	roleBindings := &rbacv1.RoleBindingList{}
-	opts := []client.ListOption{
-		client.InNamespace(namespace),
-	}
-
-	if err := r.List(ctx, roleBindings, opts...); err != nil {
-		klog.Errorf("Cannot list rolebindings with in namespace %s: %v", namespace, err)
-		return nil, err
-	}
-
-	var roleNameList []string
-	for _, roleBinding := range roleBindings.Items {
-		for _, subject := range roleBinding.Subjects {
-			if subject.Name == sa && subject.Kind == "ServiceAccount" {
-				roleNameList = append(roleNameList, roleBinding.RoleRef.Name)
-			}
-		}
-	}
-
-	return util.ToStringSlice(util.MakeSet(roleNameList)), nil
-}
-
-func (r *NamespaceScopeReconciler) CreateRole(roleNames []string, labels map[string]string, fromNs string, toNs string) error {
-	for _, roleName := range roleNames {
-		originalRole := &rbacv1.Role{}
-		if err := r.Get(ctx, types.NamespacedName{Name: roleName, Namespace: fromNs}, originalRole); err != nil {
-			klog.Errorf("Failed to get role %s in namespace %s: %v", roleName, fromNs, err)
-			return err
-		}
-		name := strings.Split(roleName, ".")[0] + "-" + labels["namespace-scope-configmap"]
-		namespace := toNs
-		role := &rbacv1.Role{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: namespace,
-				Labels:    labels,
-			},
-			Rules: originalRole.Rules,
-		}
-		if err := r.Create(ctx, role); err != nil {
-			if errors.IsAlreadyExists(err) {
-				if err := r.Update(ctx, role); err != nil {
-					klog.Errorf("Failed to update role %s/%s: %v", namespace, name, err)
-					return err
-				}
-				return nil
-			}
-			klog.Errorf("Failed to create role %s/%s: %v", namespace, name, err)
-			return err
-		}
-		klog.Infof("Created role %s/%s", namespace, name)
-	}
-	return nil
-}
-
-func (r *NamespaceScopeReconciler) DeleteRole(labels map[string]string, toNs string) error {
-	opts := []client.DeleteAllOfOption{
-		client.MatchingLabels(labels),
-		client.InNamespace(toNs),
+func (r *NamespaceScopeReconciler) UpdateRoleBinding(newRoleBinding *rbacv1.RoleBinding) error {
+	currentRoleBinding := &rbacv1.RoleBinding{}
+	currentRoleBindingKey := types.NamespacedName{Name: newRoleBinding.Name, Namespace: newRoleBinding.Namespace}
+	if err := r.Get(ctx, currentRoleBindingKey, currentRoleBinding); err != nil {
+		klog.Errorf("Cannot get rolebinding %s: %v", currentRoleBindingKey.String(), err)
 	}
-	if err := r.DeleteAllOf(ctx, &rbacv1.Role{}, opts...); err != nil {
-		klog.Errorf("Failed to delete role with labels %v in namespace %s: %v", labels, toNs, err)
-		return err
-	}
-	klog.Infof("Deleted role with labels %v in namespace %s", labels, toNs)
-	return nil
-}
-
-func (r *NamespaceScopeReconciler) CreateRoleBinding(roleNames []string, labels map[string]string, saName, fromNs, toNs string) error {
-	for _, roleName := range roleNames {
-		name := strings.Split(roleName, ".")[0] + "-" + labels["namespace-scope-configmap"]
-		namespace := toNs
-		subjects := []rbacv1.Subject{}
-		subject := rbacv1.Subject{
-			Kind:      "ServiceAccount",
-			Name:      saName,
-			Namespace: fromNs,
-		}
-		subjects = append(subjects, subject)
-		roleBinding := &rbacv1.RoleBinding{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: namespace,
-				Labels:    labels,
-			},
-			Subjects: subjects,
-			RoleRef: rbacv1.RoleRef{
-				Kind:     "Role",
-				Name:     name,
-				APIGroup: "rbac.authorization.k8s.io",
-			},
-		}
-
-		if err := r.Create(ctx, roleBinding); err != nil {
-			if errors.IsAlreadyExists(err) {
-				return nil
-			}
-			klog.Errorf("Failed to create rolebinding %s/%s: %v", namespace, name, err)
+	if len(newRoleBinding.Subjects) != len(currentRoleBinding.Subjects) {
+		if err := r.Update(ctx, newRoleBinding); err != nil {
+			klog.Errorf("Failed to update rolebinding %s: %v", currentRoleBindingKey.String(), err)
 			return err
 		}
-		klog.Infof("Created rolebinding %s/%s", namespace, name)
+		klog.Infof("Updated rolebinding %s", currentRoleBindingKey.String())
+		return nil
 	}
 	return nil
 }
