don't create rbac in master namespace (#34)

chenzhiwei · web-flow · commit 5cef425daf9e · 2020-11-09T21:02:41.000+08:00
diff --git a/controllers/common/util.go b/controllers/common/util.go
@@ -17,11 +17,16 @@
 package common
 
 import (
+	"fmt"
+	"io/ioutil"
+	"os"
 	"sort"
+	"strings"
 
 	gset "github.com/deckarep/golang-set"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog"
 )
 
 func MakeSet(strs []string) gset.Set {
@@ -97,3 +102,23 @@ func Reverse(original []string) []string {
 	}
 	return reversed
 }
+
+// GetOperatorNamespace returns the namespace the operator should be running in.
+func GetOperatorNamespace() (string, error) {
+	ns, found := os.LookupEnv("OPERATOR_NAMESPACE")
+	if !found {
+		nsBytes, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+		if err != nil {
+			if os.IsNotExist(err) {
+				return "", fmt.Errorf("namespace not found for current environment")
+			}
+			return "", err
+		}
+		ns = strings.TrimSpace(string(nsBytes))
+	}
+	if len(ns) == 0 {
+		return "", fmt.Errorf("operator namespace is empty")
+	}
+	klog.V(1).Info("Found namespace", "Namespace", ns)
+	return ns, nil
+}
diff --git a/controllers/namespacescope_controller.go b/controllers/namespacescope_controller.go
@@ -211,7 +211,17 @@ func (r *NamespaceScopeReconciler) PushRbacToNamespace(instance *operatorv1.Name
 		"namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
 	}
 
+	operatorNs, err := util.GetOperatorNamespace()
+	if err != nil {
+		klog.Error("get operator namespace failed: ", err)
+		return err
+	}
+
 	for _, toNs := range instance.Spec.NamespaceMembers {
+		if toNs == operatorNs {
+			continue
+		}
+
 		if err := r.CreateRole(labels, toNs); err != nil {
 			if errors.IsForbidden(err) {
 				r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource roles in API group rbac.authorization.k8s.io in the namespace %s", toNs)
@@ -248,7 +258,18 @@ func (r *NamespaceScopeReconciler) DeleteRbacFromUnmanagedNamespace(instance *op
 	labels := map[string]string{
 		"namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
 	}
+
+	operatorNs, err := util.GetOperatorNamespace()
+	if err != nil {
+		klog.Error("get operator namespace failed: ", err)
+		return err
+	}
+
 	for _, toNs := range unmanagedNss {
+		if toNs == operatorNs {
+			continue
+		}
+
 		if err := r.DeleteRoleBinding(labels, toNs); err != nil {
 			if errors.IsForbidden(err) {
 				r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot delete resource rolebindings in API group rbac.authorization.k8s.io in the namespace %s", toNs)
@@ -273,7 +294,17 @@ func (r *NamespaceScopeReconciler) DeleteAllRbac(instance *operatorv1.NamespaceS
 	labels := map[string]string{
 		"namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
 	}
+
+	operatorNs, err := util.GetOperatorNamespace()
+	if err != nil {
+		klog.Error("get operator namespace failed: ", err)
+		return err
+	}
+
 	for _, toNs := range instance.Spec.NamespaceMembers {
+		if toNs == operatorNs {
+			continue
+		}
 		if err := r.DeleteRoleBinding(labels, toNs); err != nil {
 			if errors.IsForbidden(err) {
 				r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot delete resource rolebindings in API group rbac.authorization.k8s.io in the namespace %s", toNs)
@@ -463,8 +494,8 @@ func (r *NamespaceScopeReconciler) getNamespaceList(instance *operatorv1.Namespa
 		klog.Errorf("Cannot list namespacescope with in namespace %s: %v", instance.Namespace, err)
 		return nil, err
 	}
-	for _, cr := range crList.Items {
-		cr := setDefaults(&cr)
+	for i := range crList.Items {
+		cr := setDefaults(&crList.Items[i])
 		if !cr.GetDeletionTimestamp().IsZero() {
 			continue
 		}
diff --git a/main.go b/main.go
@@ -34,6 +34,7 @@ import (
 
 	operatorv1 "github.com/IBM/ibm-namespace-scope-operator/api/v1"
 	"github.com/IBM/ibm-namespace-scope-operator/controllers"
+	util "github.com/IBM/ibm-namespace-scope-operator/controllers/common"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -65,10 +66,16 @@ func main() {
 		rbacv1.SchemeGroupVersion.WithKind("RoleBinding"): {LabelSelector: "namespace-scope-configmap"},
 	}
 
+	operatorNs, err := util.GetOperatorNamespace()
+	if err != nil {
+		klog.Error("Failed to get operator namespace: ", err)
+		os.Exit(1)
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:             scheme,
 		MetricsBindAddress: metricsAddr,
-		Namespace:          os.Getenv("OPERATOR_NAMESPACE"),
+		Namespace:          operatorNs,
 		Port:               9443,
 		LeaderElection:     enableLeaderElection,
 		LeaderElectionID:   "6a4a72f9.ibm.com",
