package util
import (
"time"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/wait"
authorizationtypedclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
"k8s.io/kubernetes/pkg/apis/authorization"
)
// Polling parameters shared by WaitForPolicyUpdate and WaitForClusterPolicyUpdate.
const (
	// PolicyCachePollInterval is the pause between two consecutive access reviews.
	PolicyCachePollInterval time.Duration = 100 * time.Millisecond
	// PolicyCachePollTimeout bounds the total time spent waiting for the
	// authorizer's answer to reach the expected value.
	PolicyCachePollTimeout time.Duration = 5 * time.Second
)
// WaitForPolicyUpdate polls the authorizer until the client's permission to perform
// verb on resource within namespace matches allowed, or PolicyCachePollTimeout
// elapses. It is meant to be called after a policy change so that callers do not
// race the authorizer's cache; the timeout surfaces as the error wait.Poll returns.
//
// Every attempt issues a fresh SelfSubjectAccessReview. An error from the API
// server aborts the wait immediately and is returned unchanged rather than
// retried. Note that Status.Allowed reports false both for an explicit denial
// and for an authorizer that has no opinion, so allowed=false only proves the
// action is not permitted, not that it is actively denied.
func WaitForPolicyUpdate(c authorizationtypedclient.SelfSubjectAccessReviewsGetter, namespace, verb string, resource schema.GroupResource, allowed bool) error {
	attrs := &authorization.ResourceAttributes{
		Namespace: namespace,
		Verb:      verb,
		Group:     resource.Group,
		Resource:  resource.Resource,
	}
	review := &authorization.SelfSubjectAccessReview{
		Spec: authorization.SelfSubjectAccessReviewSpec{ResourceAttributes: attrs},
	}

	// matches reports whether the authorizer's current answer equals the expected one.
	matches := func() (bool, error) {
		resp, createErr := c.SelfSubjectAccessReviews().Create(review)
		if createErr != nil {
			return false, createErr
		}
		return resp.Status.Allowed == allowed, nil
	}
	return wait.Poll(PolicyCachePollInterval, PolicyCachePollTimeout, matches)
}
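// WaitForClusterPolicyUpdate polls the authorizer until the client's permission to
// perform verb on the cluster-scoped resource matches allowed, or
// PolicyCachePollTimeout elapses, in which case the error from wait.Poll is returned.
//
// It is the cluster-scoped counterpart of WaitForPolicyUpdate and shares its
// polling loop: an empty namespace in the access review's ResourceAttributes is
// exactly what the previous hand-rolled review sent, so behaviour is unchanged.
// As with WaitForPolicyUpdate, an API error aborts the wait immediately, and
// Status.Allowed == false covers both a denial and an authorizer with no opinion.
func WaitForClusterPolicyUpdate(c authorizationtypedclient.SelfSubjectAccessReviewsGetter, verb string, resource schema.GroupResource, allowed bool) error {
	// Delegate instead of duplicating the review construction and poll closure,
	// which had drifted into two different spellings of the same condition.
	return WaitForPolicyUpdate(c, "", verb, resource, allowed)
}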