

Don't assign permissions to projects managed by acorn identity
Signed-off-by: Darren Shepherd <darren@acorn.io>
ibuildthecloud committed Jul 10, 2023
1 parent be2d30a commit e1c93e4
Showing 5 changed files with 35 additions and 5 deletions.
6 changes: 5 additions & 1 deletion pkg/controller/appdefinition/deploy.go
Expand Up @@ -688,7 +688,11 @@ func ToDeployments(req router.Request, appInstance *v1.AppInstance, tag name.Ref
return nil, err
}
if perms := v1.FindPermission(dep.GetName(), appInstance.Spec.GetPermissions()); perms.HasRules() {
result = append(result, toPermissions(perms, dep.GetLabels(), dep.GetAnnotations(), appInstance)...)
perms, err := toPermissions(req.Ctx, req.Client, perms, dep.GetLabels(), dep.GetAnnotations(), appInstance)
if err != nil {
return nil, err
}
result = append(result, perms...)
}
result = append(result, sa, dep, pdb.ToPodDisruptionBudget(dep))
}
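Review bot: The new `perms, err := toPermissions(...)` on the first added line shadows the `perms` declared by the enclosing `if perms := v1.FindPermission(...)` with a value of a different type (`[]kclient.Object` versus `v1.Permissions`), and the `:=` also shadows whatever `err` is in scope from the preceding `return nil, err`. It compiles, but a reader following `perms` through the block sees two unrelated values under one name; `objs, err := toPermissions(req.Ctx, req.Client, perms, dep.GetLabels(), dep.GetAnnotations(), appInstance)` followed by `result = append(result, objs...)` keeps both visible. The same shadowing appears in the jobs.go hunk of this commit. ToDeployments' body starts and continues outside the hunk.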
6 changes: 5 additions & 1 deletion pkg/controller/appdefinition/jobs.go
Expand Up @@ -55,7 +55,11 @@ func toJobs(req router.Request, appInstance *v1.AppInstance, pullSecrets *PullSe
return nil, err
}
if perms := v1.FindPermission(job.GetName(), appInstance.Spec.GetPermissions()); perms.HasRules() {
result = append(result, toPermissions(perms, job.GetLabels(), stripPruneAndUpdate(job.GetAnnotations()), appInstance)...)
perms, err := toPermissions(req.Ctx, req.Client, perms, job.GetLabels(), stripPruneAndUpdate(job.GetAnnotations()), appInstance)
if err != nil {
return nil, err
}
result = append(result, perms...)
}
result = append(result, sa, job)
}
17 changes: 15 additions & 2 deletions pkg/controller/appdefinition/permissions.go
@@ -1,11 +1,16 @@
package appdefinition

import (
"context"

"github.com/acorn-io/baaah/pkg/router"
"github.com/acorn-io/baaah/pkg/typed"
v1 "github.com/acorn-io/runtime/pkg/apis/internal.acorn.io/v1"
"github.com/acorn-io/runtime/pkg/labels"
"github.com/rancher/wrangler/pkg/name"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kclient "sigs.k8s.io/controller-runtime/pkg/client"
)
Expand Down Expand Up @@ -100,7 +105,15 @@ func toRoleAndRoleBinding(roleName, roleNamespace, serviceAccountName, serviceAc
return
}

func toPermissions(permissions v1.Permissions, labelMap, annotations map[string]string, appInstance *v1.AppInstance) (result []kclient.Object) {
func toPermissions(ctx context.Context, c kclient.Client, permissions v1.Permissions, labelMap, annotations map[string]string, appInstance *v1.AppInstance) (result []kclient.Object, _ error) {
var ns corev1.Namespace
if err := c.Get(ctx, router.Key("", appInstance.Namespace), &ns); err != nil && !apierrors.IsNotFound(err) {
return nil, err
}
if ns.Annotations[labels.AcornIdentityAccountServerURL] != "" {
// Project is managed by acorn identity so don't assume permissions
return nil, nil
}
result = append(result, toClusterPermissions(permissions, labelMap, annotations, appInstance)...)
return result
return result, nil
}
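Review bot: A NotFound error from the namespace `Get` is tolerated and execution falls through to `toClusterPermissions`, so a missing project namespace (nil `ns.Annotations`, lookup yields "") is treated as not identity-managed and the RBAC objects are still emitted; if that fail-open is intended it deserves a comment such as `// A missing namespace cannot be identity-managed; the deploy will surface that elsewhere.`, otherwise returning the error is the safer default because this lookup is now what withholds permissions for identity-managed projects. The comment on the skip branch says "don't assume permissions" where the commit title says "assign"; `// Project is managed by acorn identity, so do not assign permissions here.` matches the intent. The `!= ""` test also means an annotation present with an empty value is treated as unmanaged, which is presumably fine but worth stating in the same comment. The first result is named (`result`) while the error is `_`; naming both or neither reads more consistently.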
3 changes: 3 additions & 0 deletions pkg/labels/labels.go
Expand Up @@ -60,6 +60,9 @@ const (
ProjectEnforcedQuotaAnnotation = Prefix + "enforced-quota"
AcornPermissions = Prefix + "permissions"

IdentityPrefix = "identity." + Prefix
AcornIdentityAccountServerURL = IdentityPrefix + "account-server-url"

PrometheusScrape = "prometheus.io/scrape"
PrometheusPath = "prometheus.io/path"
PrometheusPort = "prometheus.io/port"
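Review bot: `AcornIdentityAccountServerURL` is added without a doc comment, yet in this same commit its presence as a namespace annotation decides whether `toPermissions` emits Role/RoleBinding objects at all; a comment such as `// AcornIdentityAccountServerURL, when set on a project namespace, marks the project as managed by acorn identity; the controller then does not assign app permissions itself.` would make that coupling discoverable from the constant. `IdentityPrefix` likewise has no comment on what the `identity.` sub-prefix denotes. The enclosing const block starts and ends outside the hunk.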
8 changes: 7 additions & 1 deletion pkg/server/registry/apigroups/acorn/containers/exec.go
Expand Up @@ -152,6 +152,8 @@ func (c *ContainerExec) execEphemeral(ctx context.Context, container *apiv1.Cont
var (
execName = name.SafeConcatName(containerName, "exec", unique[:8])
volumeMounts []corev1.VolumeMount
envs []corev1.EnvVar
envFroms []corev1.EnvFromSource
)

for _, container := range append(pod.Spec.Containers, pod.Spec.InitContainers...) {
Expand All @@ -161,6 +163,8 @@ func (c *ContainerExec) execEphemeral(ctx context.Context, container *apiv1.Cont
volumeMounts = append(volumeMounts, volumeMount)
}
}
envs = container.Env
envFroms = container.EnvFrom
break
}
}
Expand All @@ -172,7 +176,9 @@ func (c *ContainerExec) execEphemeral(ctx context.Context, container *apiv1.Cont
Command: []string{"sleep"},
Args: []string{"3600"},
VolumeMounts: volumeMounts,
ImagePullPolicy: corev1.PullIfNotPresent,
Env: envs,
EnvFrom: envFroms,
ImagePullPolicy: corev1.PullAlways,
SecurityContext: nil,
Stdin: true,
TTY: execOpts.TTY,
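Review bot: The ephemeral exec container now inherits `Env` and `EnvFrom` from the matched workload container, which may include Secret- and ConfigMap-backed variables, and `ImagePullPolicy` flips from `PullIfNotPresent` to `PullAlways`; neither change is covered by the commit title or description, so a sentence there, or a comment above `envs = container.Env` such as `// Mirror the target container's environment so the exec session sees the same config and secret-backed variables.`, would record why a debug container needs the workload's environment. The new assignments read the range variable `container`, which shadows the `container *apiv1.Container` parameter visible in the hunk header; renaming the loop variable (e.g. `podContainer`) removes the ambiguity about which one is read. `PullAlways` also changes behaviour for offline or rate-limited registries and may warrant its own justification. execEphemeral starts and ends outside the hunks.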
