-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
reducing complexity in pkg/k8s/rbac/gen.go
* upgrade orderedmap to v2.2.0 to support generic * gofmt to address go report card * new functions for each step in role creation & add tests remove internal pkgs, add GoDS implement role gen, add docs, make and print version rearrange main, use make in build workflow [skip ci] fix gh badge, add pkg.go.dev fix missing resources & failing tests, update CI * new make target for running tests * removed kubeval & added kubeconform. See: instrumenta/kubeval#268 (comment) * use newer conftest install instructions * fix version flag make test & e2e separate, fix workflow attempt to fix ci again path issue merge resources across matching API groups * fixes regression. Necessary for the batch/v1 jobs resource to not be erased. Jobs are the only API resource that do not appear in alpha/beta groups where its companion resource, CronJob, does in fact exist in two groups (up until k8s v1.25). see: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-25 passing test, sort resource names empty commit
- Loading branch information
1 parent
04b2261
commit bd74349
Showing
14 changed files
with
347 additions
and
168 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
SHELL := /bin/bash | ||
|
||
# The name of the executable (default is current directory name) | ||
TARGET := $(shell echo "$${PWD##*/}" ) | ||
MAIN := ./cmd/kube-role-gen | ||
.DEFAULT_GOAL: $(TARGET) | ||
|
||
# These will be provided to the target | ||
VERSION := 0.0.6 | ||
BUILD := `git rev-parse HEAD` | ||
|
||
# Use linker flags to provide version/build settings to the target | ||
LDFLAGS=-ldflags "-X=main.Version=$(VERSION) -X=main.Build=$(BUILD)" | ||
|
||
# go source files, ignore vendor directory | ||
SRC = $(shell find . -type f -name '*.go' -not -path "./vendor/*") | ||
|
||
.PHONY: all build test clean install uninstall fmt simplify check run | ||
|
||
all: check install | ||
|
||
$(TARGET): $(SRC) | ||
@go build $(LDFLAGS) -o $(TARGET) $(MAIN)/main.go | ||
|
||
build: $(TARGET) | ||
@true | ||
|
||
test: | ||
go test ./... | ||
|
||
e2e: test | ||
tests/e2e_tests.sh | ||
|
||
clean: | ||
@rm -f $(TARGET) | ||
|
||
install: | ||
@go install $(LDFLAGS) $(MAIN) | ||
|
||
uninstall: clean | ||
@rm -f $$(which ${TARGET}) | ||
|
||
fmt: | ||
@gofmt -l -w $(SRC) | ||
|
||
simplify: | ||
@gofmt -s -l -w $(SRC) | ||
|
||
check: | ||
@test -z $(shell gofmt -l $(MAIN)/main.go | tee /dev/stderr) || echo "[WARN] Fix formatting issues with 'make fmt'" | ||
@go vet ./... | ||
|
||
run: install | ||
@$(TARGET) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,129 @@ | ||
// Package k8s provides functions to create Kubernetes RBAC roles objects based | ||
// on discovered API resources. It also provides utility functions to setup a | ||
// discovery client for a provided kubeconfig and obtain the list of discovered | ||
// resources for use in this package. | ||
package k8s | ||
|
||
import ( | ||
"github.com/elliotchance/orderedmap/v2" | ||
rbacv1 "k8s.io/api/rbac/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/utils/strings/slices" | ||
"log" | ||
"sort" | ||
"strings" | ||
) | ||
|
||
// CreateGranularRole creates a ClusterRole where each rules entry contains only the specific combination of API group | ||
// and supported verbs for each resource. Resources with matching verbs are grouped together in a single PolicyRule. | ||
// This differs from other implementations such as `kubectl create clusterrole` which will group together resources | ||
// with verbs that are not applicable or supported. | ||
// | ||
// All PolicyRules in the ClusterRole this function returns represents a "matrix" of all resources available on the API | ||
// and contains only the list of the supported verbs that resource handles. | ||
func CreateGranularRole(apiResourceList []*metav1.APIResourceList, name string, verbose bool) *rbacv1.ClusterRole { | ||
oMap := orderedmap.NewOrderedMap[string, map[string][]string]() | ||
for _, resourceList := range apiResourceList { | ||
if verbose { | ||
log.Printf("Group %s contains %d resources", resourceList.GroupVersion, len(resourceList.APIResources)) | ||
} | ||
groupName := extractGroupFromVersion(resourceList.GroupVersion) | ||
if slices.Contains(oMap.Keys(), groupName) { | ||
left, _ := oMap.Get(groupName) | ||
right := convertToVerbMap(resourceList.APIResources, verbose) | ||
oMap.Set(groupName, mergeVerbMaps(left, right)) | ||
} else { | ||
oMap.Set(groupName, convertToVerbMap(resourceList.APIResources, verbose)) | ||
} | ||
} | ||
policyRules := policyRuleByOrderedMap(*oMap) | ||
return &rbacv1.ClusterRole{ | ||
TypeMeta: metav1.TypeMeta{ | ||
Kind: "ClusterRole", | ||
APIVersion: "rbac.authorization.k8s.io/v1", | ||
}, | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: name, | ||
}, | ||
Rules: policyRules, | ||
} | ||
} | ||
|
||
func extractGroupFromVersion(groupVersion string) string { | ||
if groupVersion == "v1" { | ||
return "" | ||
} | ||
return strings.Split(groupVersion, "/")[0] | ||
} | ||
|
||
func convertToVerbMap(resList []metav1.APIResource, verbose bool) map[string][]string { | ||
verbMap := make(map[string][]string) | ||
for _, res := range resList { | ||
if verbose { | ||
log.Printf("Resource: %s - Verbs: %s", | ||
res.Name, | ||
res.Verbs.String()) | ||
} | ||
verbs := make([]string, len(res.Verbs)) | ||
copy(verbs, res.Verbs) | ||
sort.Strings(verbs) | ||
verbKey := strings.Join(verbs, ",") | ||
if val, ok := verbMap[verbKey]; ok { | ||
verbMap[verbKey] = append(val, res.Name) | ||
} else { | ||
verbMap[verbKey] = []string{res.Name} | ||
} | ||
} | ||
for k := range verbMap { | ||
sort.Strings(verbMap[k]) | ||
} | ||
return verbMap | ||
} | ||
|
||
func mergeVerbMaps(left map[string][]string, right map[string][]string) map[string][]string { | ||
merged := make(map[string][]string) | ||
for k := range left { | ||
merged[k] = left[k] | ||
} | ||
for k := range right { | ||
if val, ok := merged[k]; ok { | ||
set := make(map[string]bool) | ||
for _, v := range right[k] { | ||
set[v] = true | ||
} | ||
for _, v := range val { | ||
set[v] = true | ||
} | ||
merged[k] = mapToSet(set) | ||
} else { | ||
merged[k] = right[k] | ||
} | ||
} | ||
return merged | ||
} | ||
|
||
func policyRuleByOrderedMap(oMap orderedmap.OrderedMap[string, map[string][]string]) []rbacv1.PolicyRule { | ||
policyRules := make([]rbacv1.PolicyRule, 0) | ||
for _, group := range oMap.Keys() { | ||
verbMap, _ := oMap.Get(group) | ||
for verbStr := range verbMap { | ||
verbs := strings.Split(verbStr, ",") | ||
groupName := group | ||
pr := &rbacv1.PolicyRule{ | ||
APIGroups: []string{groupName}, | ||
Verbs: verbs, | ||
Resources: verbMap[verbStr], | ||
} | ||
policyRules = append(policyRules, *pr) | ||
} | ||
} | ||
return policyRules | ||
} | ||
|
||
func mapToSet(m map[string]bool) []string { | ||
s := make([]string, 0) | ||
for k := range m { | ||
s = append(s, k) | ||
} | ||
return s | ||
} |
Oops, something went wrong.