package bootstrappolicy
import (
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
oapi "github.com/openshift/origin/pkg/api"
)
// GetBootstrapServiceAccountProjectRoleBindings builds the three role bindings
// that are bootstrapped for service accounts in the given namespace, in this
// order: image puller, image builder, deployer.
//
// Subject scope differs between the bindings, which matters when auditing a
// namespace's RBAC:
//   - the image-puller binding targets the group produced by
//     serviceaccount.MakeNamespaceGroupName(namespace), i.e. every service
//     account in the namespace ("system:serviceaccounts:<namespace>");
//   - the image-builder and deployer bindings each target one named service
//     account (BuilderServiceAccountName / DeployerServiceAccountName) in the
//     namespace.
//
// Each binding carries an oapi.OpenShiftDescription annotation stating what it
// allows and that removing its subjects disables it.
//
// NOTE(review): BindingOrDie presumably panics when a binding cannot be
// constructed; confirm against the builder's definition.
func GetBootstrapServiceAccountProjectRoleBindings(namespace string) []rbacv1.RoleBinding {
	// describe records the human-readable purpose on a binding, creating the
	// annotation map first because writing to a nil map would panic.
	describe := func(rb *rbacv1.RoleBinding, text string) {
		if rb.Annotations == nil {
			rb.Annotations = map[string]string{}
		}
		rb.Annotations[oapi.OpenShiftDescription] = text
	}

	// Broadest grant of the three: the subject is a group, not a single account.
	pullBinding := newOriginRoleBindingForClusterRole(ImagePullerRoleBindingName, ImagePullerRoleName, namespace).
		Groups(serviceaccount.MakeNamespaceGroupName(namespace)).
		BindingOrDie()
	describe(&pullBinding, "Allows all pods in this namespace to pull images from this namespace. It is auto-managed by a controller; remove subjects to disable.")

	// Bound only to the builder service account of this namespace.
	buildBinding := newOriginRoleBindingForClusterRole(ImageBuilderRoleBindingName, ImageBuilderRoleName, namespace).
		SAs(namespace, BuilderServiceAccountName).
		BindingOrDie()
	describe(&buildBinding, "Allows builds in this namespace to push images to this namespace. It is auto-managed by a controller; remove subjects to disable.")

	// Bound only to the deployer service account of this namespace.
	deployBinding := newOriginRoleBindingForClusterRole(DeployerRoleBindingName, DeployerRoleName, namespace).
		SAs(namespace, DeployerServiceAccountName).
		BindingOrDie()
	describe(&deployBinding, "Allows deploymentconfigs in this namespace to rollout pods in this namespace. It is auto-managed by a controller; remove subjects to disable.")

	return []rbacv1.RoleBinding{pullBinding, buildBinding, deployBinding}
}
// GetBootstrapServiceAccountProjectRoleBindingNames returns the set of names
// of the bootstrap service-account role bindings.
//
// The bindings are generated for the namespace "default" only to read their
// Name fields.
// NOTE(review): this presumably relies on binding names not varying with the
// namespace; confirm against newOriginRoleBindingForClusterRole.
func GetBootstrapServiceAccountProjectRoleBindingNames() sets.String {
	bindings := GetBootstrapServiceAccountProjectRoleBindings("default")

	result := sets.NewString()
	for i := range bindings {
		result.Insert(bindings[i].Name)
	}
	return result
}