
Commit e4bb772

committed
fix(auth): fix role binding management namespace handling
1 parent b935287 commit e4bb772


2 files changed

+49
-9
lines changed


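--- a/internal/services/auth/auth.service.go
+++ b/internal/services/auth/auth.service.go
@@ -6,6 +6,7 @@ import (
 
 "github.com/danielgtaylor/huma/v2"
 envsvc "github.com/froz42/kerbernetes/internal/services/env"
+k8ssvc "github.com/froz42/kerbernetes/internal/services/k8s"
 ldapgroupbindingssvc "github.com/froz42/kerbernetes/internal/services/k8s/ldapgroupbindings"
 k8smodels "github.com/froz42/kerbernetes/internal/services/k8s/models"
 serviceaccountssvc "github.com/froz42/kerbernetes/internal/services/k8s/serviceaccounts"
@@ -22,6 +23,7 @@ type AuthService interface {
 
 type authService struct {
 env envsvc.Env
+k8sSvc k8ssvc.K8sService
 serviceAccountsSvc serviceaccountssvc.ServiceAccountsService
 ldapGroupBindingsSvc ldapgroupbindingssvc.LdapGroupBindingService
 ldapSvc ldapsvc.LDAPSvc
@@ -378,6 +380,8 @@ func (s *authService) ensureRoleBinding(
 Name: binding.Name,
 }
 
+saNamespace := s.k8sSvc.GetNamespace()
+
 if !exists {
 newBinding, err := s.serviceAccountsSvc.CreateRoleBinding(
 ctx,
@@ -402,7 +406,19 @@ func (s *authService) ensureRoleBinding(
 "bindingName", newBinding.Name,
 )
 } else {
-if existing.RoleRef.Name != binding.Name ||
+subjectDiffer := false
+if len(existing.Subjects) != 1 {
+subjectDiffer = true
+} else {
+subject := existing.Subjects[0]
+if subject.Kind != "ServiceAccount" ||
+subject.Name != saName ||
+subject.Namespace != saNamespace {
+subjectDiffer = true
+}
+}
+if subjectDiffer ||
+existing.RoleRef.Name != binding.Name ||
 existing.RoleRef.Kind != binding.Kind ||
 existing.RoleRef.APIGroup != binding.ApiGroup {
 _, err := s.serviceAccountsSvc.UpdateRoleBinding(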
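Review bot: The merged condition at the end of this hunk routes both subject drift and roleRef drift through `UpdateRoleBinding`, but a RoleBinding's `roleRef` is immutable server-side, so an Update that changes it is rejected by the API server and the roleRef-mismatch half of this branch will log an error on every reconcile rather than repair the binding; only the `subjectDiffer` case can be fixed in place, a roleRef change needs delete-and-recreate. Separately, the expected subject namespace is taken from `s.k8sSvc.GetNamespace()` here while the writer in the serviceaccounts service stamps its own `svc.namespace` on the subject; if those two values are not guaranteed identical, `subjectDiffer` is true on every call and the binding is rewritten each time, so a comment such as `// must equal the namespace serviceAccountsService stamps on the subject, or drift is detected on every reconcile` (or passing the namespace down explicitly) would make the coupling visible. The literal `"ServiceAccount"` can be `rbacv1.ServiceAccountKind` if rbacv1 is already imported in this file. ensureRoleBinding begins before the hunk and its body continues after it.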

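--- a/internal/services/k8s/serviceaccounts/serviceaccounts.service.go
+++ b/internal/services/k8s/serviceaccounts/serviceaccounts.service.go
@@ -317,11 +317,12 @@ func (svc *serviceAccountsService) GetRoleBindings(
 func (svc *serviceAccountsService) CreateRoleBinding(
 ctx context.Context,
 username string,
-namespace string,
+roleBindingNamespace string,
 ldapGroundBindingName string,
 roleRef rbacv1.RoleRef,
 ) (*rbacv1.RoleBinding, error) {
 name := GenBindingName(username, roleRef.Name, ldapGroundBindingName)
+saNamespace := svc.namespace
 binding := &rbacv1.RoleBinding{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
@@ -333,51 +334,74 @@ func (svc *serviceAccountsService) CreateRoleBinding(
 {
 Kind: "ServiceAccount",
 Name: username,
-Namespace: namespace,
+Namespace: saNamespace,
 },
 },
 RoleRef: roleRef,
 }
 
 binding, err := svc.clientset.RbacV1().
-RoleBindings(namespace).
+RoleBindings(roleBindingNamespace).
 Create(ctx, binding, metav1.CreateOptions{})
 if err != nil {
 svc.logger.Error("Failed to create role binding", "error", err)
 return nil, err
 }
 
-svc.logger.Info("Created role binding", "name", binding.Name, "namespace", namespace)
+svc.logger.Info(
+"Created role binding",
+"name",
+binding.Name,
+"roleBindingNamespace",
+roleBindingNamespace,
+"saNamespace",
+saNamespace,
+)
 return binding, nil
 }
 
 // UpdateRoleBinding updates an existing role binding for the service account.
 func (svc *serviceAccountsService) UpdateRoleBinding(
 ctx context.Context,
 username string,
-namespace string,
+roleBindingNamespace string,
 roleRef rbacv1.RoleRef,
 ldapGroundBindingName string,
 ) (*rbacv1.RoleBinding, error) {
 name := GenBindingName(username, roleRef.Name, ldapGroundBindingName)
 binding, err := svc.clientset.RbacV1().
-RoleBindings(namespace).
+RoleBindings(roleBindingNamespace).
 Get(ctx, name, metav1.GetOptions{})
 if err != nil {
 svc.logger.Error("Failed to get role binding", "error", err)
 return nil, err
 }
 
 binding.RoleRef = roleRef
+binding.Subjects = []rbacv1.Subject{
+{
+Kind: "ServiceAccount",
+Name: username,
+Namespace: svc.namespace,
+},
+}
 binding, err = svc.clientset.RbacV1().
-RoleBindings(namespace).
+RoleBindings(roleBindingNamespace).
 Update(ctx, binding, metav1.UpdateOptions{})
 if err != nil {
 svc.logger.Error("Failed to update role binding", "error", err)
 return nil, err
 }
 
-svc.logger.Info("Updated role binding", "name", binding.Name, "namespace", namespace)
+svc.logger.Info(
+"Updated role binding",
+"name",
+binding.Name,
+"roleBindingNamespace",
+roleBindingNamespace,
+"saNamespace",
+svc.namespace,
+)
 return binding, nil
 }
 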
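Review bot: `UpdateRoleBinding` now does a read-modify-write (`Get`, overwrite `RoleRef` and `Subjects`, `Update`) with no conflict handling, so two concurrent reconciles for the same user — plausible on a login path — race on `resourceVersion` and the loser's Update fails with a 409 Conflict that is returned as a hard error; wrapping the Get/mutate/Update in `retry.RetryOnConflict(retry.DefaultRetry, ...)` from client-go's `util/retry` (a new import if this file does not already have it) makes the write converge under contention. `CreateRoleBinding` also lacks the doc comment its sibling has, and the parameter rename makes the distinction worth stating: `// CreateRoleBinding creates the RoleBinding named by GenBindingName in roleBindingNamespace; its single subject is the ServiceAccount username in svc.namespace, never in roleBindingNamespace.` The `"ServiceAccount"` literal in both functions can be `rbacv1.ServiceAccountKind`. Both functions are fully inside the hunk.
```go
// … unchanged: name := GenBindingName(...) …
var binding *rbacv1.RoleBinding
err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
	current, err := svc.clientset.RbacV1().
		RoleBindings(roleBindingNamespace).
		Get(ctx, name, metav1.GetOptions{})
	if err != nil {
		return err
	}
	// Reconcile the whole spec so a tampered subject is corrected, not merged.
	current.RoleRef = roleRef
	current.Subjects = []rbacv1.Subject{{
		Kind:      rbacv1.ServiceAccountKind,
		Name:      username,
		Namespace: svc.namespace,
	}}
	binding, err = svc.clientset.RbacV1().
		RoleBindings(roleBindingNamespace).
		Update(ctx, current, metav1.UpdateOptions{})
	return err
})
if err != nil {
	svc.logger.Error("Failed to update role binding", "error", err)
	return nil, err
}
// … unchanged: success log and return …
```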