summarize the runtime permission (#158)

ZhuoxiLi · web-flow · commit b6dc13c765b2 · 2022-04-01T03:05:40.000+08:00
* summarize the runtime permission

* summarize the runtime permission

* format constant.go

* fix lint err

* list role within ns

* format constant.go
diff --git a/controllers/constant/constants.go b/controllers/constant/constants.go
@@ -17,12 +17,14 @@
 package constant
 
 const (
-	NamespaceScopeManagedPrefix  = "nss-managed-role-from-"
-	NamespaceScopeConfigmapName  = "namespace-scope"
-	NamespaceScopeFinalizer      = "finalizer.nss.operator.ibm.com"
-	NamespaceScopeLabel          = "managedby-namespace-scope"
-	DefaultRestartLabelsKey      = "intent"
-	DefaultRestartLabelsValue    = "projected"
-	NamespaceScopeServiceAccount = "ibm-namespace-scope-operator"
-	InjectorMark                 = "nss.operator.ibm.com/managed-operators"
+	NamespaceScopeManagedPrefix     = "nss-managed-role-from-"
+	NamespaceScopeConfigmapName     = "namespace-scope"
+	NamespaceScopeFinalizer         = "finalizer.nss.operator.ibm.com"
+	NamespaceScopeLabel             = "managedby-namespace-scope"
+	DefaultRestartLabelsKey         = "intent"
+	DefaultRestartLabelsValue       = "projected"
+	NamespaceScopeServiceAccount    = "ibm-namespace-scope-operator"
+	InjectorMark                    = "nss.operator.ibm.com/managed-operators"
+	NamespaceScopeConfigmapLabelKey = "namespace-scope-configmap"
+	NamespaceScopeRuntimePrefix     = "nss-runtime-managed-role-from-"
 )
diff --git a/controllers/namespacescope_controller.go b/controllers/namespacescope_controller.go
@@ -128,6 +128,23 @@ func (r *NamespaceScopeReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err
 		return ctrl.Result{}, err
 	}
 
+	for _, namespaceMember := range instance.Spec.NamespaceMembers {
+		if rolesList, _ := r.GetRolesFromNamespace(namespaceMember); len(rolesList) != 0 {
+			var summarizedRules []rbacv1.PolicyRule
+			for _, role := range rolesList {
+				if role.Name != constant.NamespaceScopeManagedPrefix+instance.Namespace &&
+					role.Name != constant.NamespaceScopeRuntimePrefix+instance.Namespace {
+					summarizedRules = append(summarizedRules, role.Rules...)
+				}
+			}
+
+			if err := r.CreateRuntimeRoleToNamespace(instance, namespaceMember, summarizedRules); err != nil {
+				klog.Infof("Failed to create runtime role: %v", err)
+				return ctrl.Result{}, nil
+			}
+		}
+	}
+
 	klog.Infof("Finished reconciling NamespaceScope: %s", req.NamespacedName)
 	return ctrl.Result{RequeueAfter: 60 * time.Second}, nil
 }
@@ -255,6 +272,24 @@ func (r *NamespaceScopeReconciler) PushRbacToNamespace(instance *operatorv1.Name
 	return nil
 }
 
+func (r *NamespaceScopeReconciler) CreateRuntimeRoleToNamespace(instance *operatorv1.NamespaceScope, toNs string, summarizedRules []rbacv1.PolicyRule) error {
+	fromNs := instance.Namespace
+
+	operatorNs, err := util.GetOperatorNamespace()
+	if err != nil {
+		klog.Error("get operator namespace failed: ", err)
+		return err
+	}
+	if toNs == operatorNs {
+		return nil
+	}
+	if err := r.generateRuntimeRoleForNSS(instance, summarizedRules, fromNs, toNs); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (r *NamespaceScopeReconciler) DeleteRbacFromUnmanagedNamespace(instance *operatorv1.NamespaceScope) error {
 	cm := &corev1.ConfigMap{}
 	cmKey := types.NamespacedName{Name: instance.Spec.ConfigmapName, Namespace: instance.Namespace}
@@ -365,6 +400,74 @@ func (r *NamespaceScopeReconciler) generateRBACForNSS(instance *operatorv1.Names
 		}
 		return err
 	}
+
+	return nil
+}
+
+func (r *NamespaceScopeReconciler) generateRuntimeRoleForNSS(instance *operatorv1.NamespaceScope, summarizedRules []rbacv1.PolicyRule, fromNs, toNs string) error {
+	labels := map[string]string{
+		"namespace-scope-configmap": instance.Namespace + "-" + instance.Spec.ConfigmapName,
+	}
+
+	if err := r.createRuntimeRoleForNSS(labels, summarizedRules, fromNs, toNs); err != nil {
+		if errors.IsAlreadyExists(err) {
+			if err := r.updateRuntimeRoleForNSS(labels, summarizedRules, fromNs, toNs); err != nil {
+				return err
+			}
+			return nil
+		}
+		if errors.IsForbidden(err) {
+			r.Recorder.Eventf(instance, corev1.EventTypeWarning, "Forbidden", "cannot create resource roles in API group rbac.authorization.k8s.io in the namespace %s. Please authorize service account ibm-namespace-scope-operator namespace admin permission of %s namespace", toNs, toNs)
+		}
+		return err
+	}
+
+	return nil
+}
+
+func (r *NamespaceScopeReconciler) createRuntimeRoleForNSS(labels map[string]string, summarizedRules []rbacv1.PolicyRule, fromNs, toNs string) error {
+	name := constant.NamespaceScopeRuntimePrefix + fromNs
+	namespace := toNs
+	role := &rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    labels,
+		},
+		Rules: summarizedRules,
+	}
+	if err := r.Create(ctx, role); err != nil {
+		if errors.IsAlreadyExists(err) {
+			return err
+		}
+		klog.Errorf("Failed to create role %s/%s: %v", namespace, name, err)
+		return err
+	}
+
+	klog.Infof("Created role %s/%s", namespace, name)
+	return nil
+}
+
+func (r *NamespaceScopeReconciler) updateRuntimeRoleForNSS(labels map[string]string, summarizedRules []rbacv1.PolicyRule, fromNs, toNs string) error {
+	name := constant.NamespaceScopeRuntimePrefix + fromNs
+	namespace := toNs
+
+	role := &rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    labels,
+		},
+		Rules: summarizedRules,
+	}
+
+	if err := r.Update(ctx, role); err != nil {
+		klog.Errorf("Failed to create role %s/%s: %v", namespace, name, err)
+		return err
+	}
+
+	klog.Infof("Updated role %s/%s", namespace, name)
+
 	return nil
 }
 
@@ -465,6 +568,31 @@ func (r *NamespaceScopeReconciler) generateRBACToNamespace(instance *operatorv1.
 	return nil
 }
 
+func (r *NamespaceScopeReconciler) GetRolesFromNamespace(namespace string) ([]rbacv1.Role, error) {
+	rolesList := &rbacv1.RoleList{}
+
+	opts := []client.ListOption{
+		client.InNamespace(namespace),
+	}
+	if err := r.Reader.List(ctx, rolesList, opts...); err != nil {
+		if errors.IsNotFound(err) {
+			klog.Infof("Roles not found in namespace %s: %v", namespace, err)
+			return nil, nil
+		}
+		klog.Errorf("Cannot list roles in namespace %s: %v", namespace, err)
+		return nil, err
+	}
+
+	roles := []rbacv1.Role{}
+	for _, role := range rolesList.Items {
+		if _, ok := role.Labels[constant.NamespaceScopeConfigmapLabelKey]; ok {
+			roles = append(roles, role)
+		}
+	}
+
+	return roles, nil
+}
+
 func (r *NamespaceScopeReconciler) GetServiceAccountFromNamespace(instance *operatorv1.NamespaceScope, namespace string) ([]string, error) {
 	labels := instance.Spec.RestartLabels
 	pods := &corev1.PodList{}
