Add validated namespace members in status (#47)

Xin Li · web-flow · commit 76ab73d930e8 · 2020-11-20T22:02:45.000+08:00
diff --git a/api/v1/namespacescope_types.go b/api/v1/namespacescope_types.go
@@ -50,6 +50,7 @@ type NamespaceScopeSpec struct {
 type NamespaceScopeStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
+	ValidatedMembers []string `json:"validatedMembers,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/bundle-restricted/manifests/operator.ibm.com_namespacescopes.yaml b/bundle-restricted/manifests/operator.ibm.com_namespacescopes.yaml
@@ -48,9 +48,20 @@ spec:
                 type: string
               description: Restart pods with the following labels when the namspace list changes
               type: object
+            serviceAccountMembers:
+              description: ServiceAccountMembers are extra service accounts will be bond the roles from other namespaces
+              items:
+                type: string
+              type: array
           type: object
         status:
           description: NamespaceScopeStatus defines the observed state of NamespaceScope
+          properties:
+            validatedMembers:
+              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
+              items:
+                type: string
+              type: array
           type: object
       type: object
   version: v1
diff --git a/bundle/manifests/operator.ibm.com_namespacescopes.yaml b/bundle/manifests/operator.ibm.com_namespacescopes.yaml
@@ -48,9 +48,20 @@ spec:
                 type: string
               description: Restart pods with the following labels when the namspace list changes
               type: object
+            serviceAccountMembers:
+              description: ServiceAccountMembers are extra service accounts will be bond the roles from other namespaces
+              items:
+                type: string
+              type: array
           type: object
         status:
           description: NamespaceScopeStatus defines the observed state of NamespaceScope
+          properties:
+            validatedMembers:
+              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
+              items:
+                type: string
+              type: array
           type: object
       type: object
   version: v1
diff --git a/config/crd/bases/operator.ibm.com_namespacescopes.yaml b/config/crd/bases/operator.ibm.com_namespacescopes.yaml
@@ -69,6 +69,14 @@ spec:
           type: object
         status:
           description: NamespaceScopeStatus defines the observed state of NamespaceScope
+          properties:
+            validatedMembers:
+              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
+                of cluster Important: Run "make" to regenerate code after modifying
+                this file'
+              items:
+                type: string
+              type: array
           type: object
       type: object
   version: v1
diff --git a/controllers/common/util.go b/controllers/common/util.go
@@ -69,6 +69,13 @@ func CheckListDifference(slice1 []string, slice2 []string) bool {
 	return false
 }
 
+//StringSliceContentEqual checks if the contant from two string slice are the same
+func StringSliceContentEqual(slice1, slice2 []string) bool {
+	set1 := MakeSet(slice1)
+	set2 := MakeSet(slice2)
+	return set1.Equal(set2)
+}
+
 func GetOwnerReferenceUIDs(ownerRefs []metav1.OwnerReference) []types.UID {
 	var ownerRefUIDs []types.UID
 	for _, ref := range ownerRefs {
diff --git a/controllers/namespacescope_controller.go b/controllers/namespacescope_controller.go
@@ -93,7 +93,8 @@ func (r *NamespaceScopeReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err
 	instance = r.setDefaults(instance)
 
 	klog.Infof("Reconciling NamespaceScope: %s", req.NamespacedName)
-	if err := r.InitConfigMap(instance); err != nil {
+
+	if err := r.UpdateStatus(instance); err != nil {
 		return ctrl.Result{}, err
 	}
 
@@ -123,23 +124,41 @@ func (r *NamespaceScopeReconciler) addFinalizer(nss *operatorv1.NamespaceScope)
 	return nil
 }
 
-func (r *NamespaceScopeReconciler) InitConfigMap(instance *operatorv1.NamespaceScope) error {
+func (r *NamespaceScopeReconciler) UpdateStatus(instance *operatorv1.NamespaceScope) error {
+	// Get validated namespaces
+	validatedNamespaces, err := r.getValidatedNamespaces(instance)
+	if err != nil {
+		klog.Errorf("Failed to get validated namespaces: %v", err)
+		return err
+	}
+	// Update instance status with the validated namespaces
+	if !util.StringSliceContentEqual(instance.Status.ValidatedMembers, validatedNamespaces) {
+		instance.Status.ValidatedMembers = validatedNamespaces
+		if err := r.Status().Update(ctx, instance); err != nil {
+			klog.Errorf("Failed to update instance %s/%s: %v", instance.Namespace, instance.Name, err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (r *NamespaceScopeReconciler) UpdateConfigMap(instance *operatorv1.NamespaceScope) error {
 	cm := &corev1.ConfigMap{}
 	cmName := instance.Spec.ConfigmapName
 	cmNamespace := instance.Namespace
+	cmKey := types.NamespacedName{Name: cmName, Namespace: cmNamespace}
+	validatedMembers, err := r.getAllValidatedNamespaceMembers(instance)
+	if err != nil {
+		klog.Errorf("Failed to get all validated namespace members: %v", err)
+		return err
+	}
 
-	if err := r.Get(ctx, types.NamespacedName{Name: cmName, Namespace: cmNamespace}, cm); err != nil {
-		// If ConfigMap does not exist, create it
+	if err := r.Get(ctx, cmKey, cm); err != nil {
 		if errors.IsNotFound(err) {
-			cm.Name = cmName
-			cm.Namespace = cmNamespace
 			cm.Labels = map[string]string{constant.NamespaceScopeLabel: "true"}
 			cm.Data = make(map[string]string)
-			nsMembers, err := r.getNamespaceList(instance)
-			if err != nil {
-				return err
-			}
-			cm.Data["namespaces"] = strings.Join(nsMembers, ",")
+			cm.Data["namespaces"] = strings.Join(validatedMembers, ",")
 			// Set NamespaceScope instance as the owner of the ConfigMap.
 			if err := controllerutil.SetOwnerReference(instance, cm, r.Scheme); err != nil {
 				klog.Errorf("Failed to set owner reference for ConfigMap %s/%s: %v", cmNamespace, cmName, err)
@@ -158,33 +177,13 @@ func (r *NamespaceScopeReconciler) InitConfigMap(instance *operatorv1.NamespaceS
 		return err
 	}
 
-	return nil
-}
-
-func (r *NamespaceScopeReconciler) UpdateConfigMap(instance *operatorv1.NamespaceScope) error {
-	cm := &corev1.ConfigMap{}
-	cmKey := types.NamespacedName{Name: instance.Spec.ConfigmapName, Namespace: instance.Namespace}
-	if err := r.Get(ctx, cmKey, cm); err != nil {
-		if errors.IsNotFound(err) {
-			klog.Infof("ConfigMap %s not found ", cmKey.String())
-			return nil
-		}
-		return err
-	}
-
-	// If NamespaceMembers changed, update ConfigMap
-	nsMembers, err := r.getNamespaceList(instance)
-	if err != nil {
-		return err
-	}
-
 	// Get owner uids
 	ownerRefUIDs := util.GetOwnerReferenceUIDs(cm.GetOwnerReferences())
 
-	if util.CheckListDifference(nsMembers, strings.Split(cm.Data["namespaces"], ",")) || !util.UIDContains(ownerRefUIDs, instance.UID) {
-		restartpod := util.CheckListDifference(nsMembers, strings.Split(cm.Data["namespaces"], ","))
+	if util.CheckListDifference(validatedMembers, strings.Split(cm.Data["namespaces"], ",")) || !util.UIDContains(ownerRefUIDs, instance.UID) {
+		restartpod := util.CheckListDifference(validatedMembers, strings.Split(cm.Data["namespaces"], ","))
 		if restartpod {
-			cm.Data["namespaces"] = strings.Join(nsMembers, ",")
+			cm.Data["namespaces"] = strings.Join(validatedMembers, ",")
 		}
 
 		if err := controllerutil.SetOwnerReference(instance, cm, r.Scheme); err != nil {
@@ -220,7 +219,7 @@ func (r *NamespaceScopeReconciler) PushRbacToNamespace(instance *operatorv1.Name
 		return err
 	}
 
-	for _, toNs := range instance.Spec.NamespaceMembers {
+	for _, toNs := range instance.Status.ValidatedMembers {
 		if toNs == operatorNs {
 			continue
 		}
@@ -246,7 +245,7 @@ func (r *NamespaceScopeReconciler) DeleteRbacFromUnmanagedNamespace(instance *op
 	if cm.Data["namespaces"] != "" {
 		nsInCm = strings.Split(cm.Data["namespaces"], ",")
 	}
-	nsInCr, err := r.getNamespaceList(instance)
+	nsInCr, err := r.getAllValidatedNamespaceMembers(instance)
 	if err != nil {
 		return err
 	}
@@ -286,7 +285,6 @@ func (r *NamespaceScopeReconciler) DeleteRbacFromUnmanagedNamespace(instance *op
 
 // When delete NamespaceScope instance, cleanup all RBAC resources
 func (r *NamespaceScopeReconciler) DeleteAllRbac(instance *operatorv1.NamespaceScope) error {
-	instance = r.setDefaults(instance)
 	labels := map[string]string{
 		"namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
 	}
@@ -297,7 +295,7 @@ func (r *NamespaceScopeReconciler) DeleteAllRbac(instance *operatorv1.NamespaceS
 		return err
 	}
 
-	usingMembers, err := r.getNamespaceList(instance)
+	usingMembers, err := r.getAllValidatedNamespaceMembers(instance)
 	if err != nil {
 		return err
 	}
@@ -618,21 +616,13 @@ func (r *NamespaceScopeReconciler) setDefaults(instance *operatorv1.NamespaceSco
 			constant.DefaultRestartLabelsKey: constant.DefaultRestartLabelsValue,
 		}
 	}
-	if r.checkGetNSAuth() {
-		if validatedNs, err := r.getValidatedNamespaces(instance); err != nil {
-			klog.Errorf("Failed to validate namespace: %v", err)
-		} else {
-			instance.Spec.NamespaceMembers = validatedNs
-		}
-	}
-
 	return instance
 }
 
-func (r *NamespaceScopeReconciler) getNamespaceList(instance *operatorv1.NamespaceScope) ([]string, error) {
+func (r *NamespaceScopeReconciler) getAllValidatedNamespaceMembers(instance *operatorv1.NamespaceScope) ([]string, error) {
 	// List the instance using the same configmap
 	crList := &operatorv1.NamespaceScopeList{}
-	namespaceMembersList := util.MakeSet([]string{})
+	namespaceMembers := []string{}
 	if err := r.List(ctx, crList, &client.ListOptions{Namespace: instance.Namespace}); err != nil {
 		klog.Errorf("Cannot list namespacescope with in namespace %s: %v", instance.Namespace, err)
 		return nil, err
@@ -643,16 +633,13 @@ func (r *NamespaceScopeReconciler) getNamespaceList(instance *operatorv1.Namespa
 			continue
 		}
 		if instance.Spec.ConfigmapName == cr.Spec.ConfigmapName {
-			for _, ns := range cr.Spec.NamespaceMembers {
-				namespaceMembersList.Add(ns)
-			}
+			namespaceMembers = append(namespaceMembers, cr.Status.ValidatedMembers...)
 		}
 	}
-	return util.ToStringSlice(namespaceMembersList), nil
+	return util.ToStringSlice(util.MakeSet(namespaceMembers)), nil
 }
 
 func (r *NamespaceScopeReconciler) checkGetNSAuth() bool {
-	// List the instance using the same configmap
 	sar := &authorizationv1.SelfSubjectAccessReview{
 		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
 			ResourceAttributes: &authorizationv1.ResourceAttributes{
@@ -667,27 +654,59 @@ func (r *NamespaceScopeReconciler) checkGetNSAuth() bool {
 		klog.Errorf("Failed to check if operator has permission to get namespace: %v", err)
 		return false
 	}
+	klog.V(2).Infof("Get Namespace permission, Allowed: %t, Denied: %t, Reason: %s", sar.Status.Allowed, sar.Status.Denied, sar.Status.Reason)
+	return sar.Status.Allowed
+}
+
+// Check if operator has namespace admin permission
+func (r *NamespaceScopeReconciler) checkNamespaceAdminAuth(namespace string) bool {
+	sar := &authorizationv1.SelfSubjectAccessReview{
+		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authorizationv1.ResourceAttributes{
+				Namespace: namespace,
+				Verb:      "*",
+				Group:     "*",
+				Resource:  "*",
+			},
+		},
+	}
+
+	if err := r.Create(ctx, sar); err != nil {
+		klog.Errorf("Failed to check operator namespace admin permission: %v", err)
+		return false
+	}
+
+	klog.V(2).Infof("Namespace admin permission in namesapce %s, Allowed: %t, Denied: %t, Reason: %s", namespace, sar.Status.Allowed, sar.Status.Denied, sar.Status.Reason)
 	return sar.Status.Allowed
 }
 
 func (r *NamespaceScopeReconciler) getValidatedNamespaces(instance *operatorv1.NamespaceScope) ([]string, error) {
 	var validatedNs []string
 	for _, nsMem := range instance.Spec.NamespaceMembers {
-		ns := &corev1.Namespace{}
-		key := types.NamespacedName{Name: nsMem}
-		if err := r.Get(ctx, key, ns); err != nil {
-			if errors.IsNotFound(err) {
-				klog.Infof("Namespace %s does not exist and will be ignored", nsMem)
-				continue
-			} else {
-				return nil, err
+		// Check if operator has target namespace admin permission
+		if r.checkNamespaceAdminAuth(nsMem) {
+			// Check if operator has permission to get namespace resource
+			if r.checkGetNSAuth() {
+				ns := &corev1.Namespace{}
+				key := types.NamespacedName{Name: nsMem}
+				if err := r.Get(ctx, key, ns); err != nil {
+					if errors.IsNotFound(err) {
+						klog.Infof("Namespace %s does not exist and will be ignored", nsMem)
+						continue
+					} else {
+						return nil, err
+					}
+				}
+				if ns.Status.Phase == corev1.NamespaceTerminating {
+					klog.Infof("Namespace %s is terminating. Ignore this namespace ", nsMem)
+					continue
+				}
 			}
+			validatedNs = append(validatedNs, nsMem)
+		} else {
+			klog.Infof("ibm-namespace-scope-operator has not admin permission in namespace %s", nsMem)
+			r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "ibm-namespace-scope-operator has not admin permission in namespace %s", nsMem)
 		}
-		if ns.Status.Phase == corev1.NamespaceTerminating {
-			klog.Infof("Namespace %s is terminating. Ignore this namespace ", nsMem)
-			continue
-		}
-		validatedNs = append(validatedNs, nsMem)
 	}
 	return validatedNs, nil
 }
diff --git a/scripts/authorize-namespace.sh b/scripts/authorize-namespace.sh
@@ -130,11 +130,11 @@ fi
 #
 # Define a role for service accounts
 #
-cat <<EOF | oc apply -n $TARGETNS -f -
+cat <<EOF | oc apply -n $TONS -f -
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: nss-managed-role-from-$TONS
+  name: nss-managed-role-from-$TARGETNS
 rules:
 - apiGroups:
   - "*"
@@ -147,17 +147,17 @@ EOF
 #
 # Bind the service account in the TO namespace to the Role in the target namespace
 #
-cat <<EOF | oc apply -n $TARGETNS -f -
+cat <<EOF | oc apply -n $TONS -f -
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: nss-managed-role-from-$TONS
+  name: nss-managed-rolebinding-from-$TARGETNS
 subjects:
 - kind: ServiceAccount
   name: ibm-namespace-scope-operator
-  namespace: $TONS
+  namespace: $TARGETNS
 roleRef:
   kind: Role
-  name: nss-managed-role-from-$TONS
+  name: nss-managed-role-from-$TARGETNS
   apiGroup: rbac.authorization.k8s.io
-EOF
+EOF

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ type NamespaceScopeSpec struct {`
`50`	`50`	`type NamespaceScopeStatus struct {`
`51`	`51`	`// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster`
`52`	`52`	`// Important: Run "make" to regenerate code after modifying this file`
	`53`	+ ValidatedMembers []string `json:"validatedMembers,omitempty"`
`53`	`54`	`}`
`54`	`55`
`55`	`56`	`// +kubebuilder:object:root=true`