// Copyright 2023 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package scheduler
import (
coordinationv1beta1 "k8s.io/api/coordination/v1beta1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
schedulerv1alpha1 "github.com/gardener/gardener/pkg/scheduler/apis/config/v1alpha1"
)
const (
	// clusterRoleName is the name of the ClusterRole created by clusterRole()
	// and referenced from the RoleRef of clusterRoleBinding().
	clusterRoleName = "gardener.cloud:system:scheduler"
	// clusterRoleBindingName is the name of the ClusterRoleBinding created by
	// clusterRoleBinding(); it deliberately matches clusterRoleName.
	clusterRoleBindingName = "gardener.cloud:system:scheduler"
)
// clusterRole returns the ClusterRole that grants the scheduler its API
// permissions. Every rule is cluster-scoped (a ClusterRole, no namespace);
// only the lease lock rule is additionally narrowed by ResourceNames.
// The receiver is not read; the object depends only on package constants
// and GetLabels().
func (g *gardenerScheduler) clusterRole() *rbacv1.ClusterRole {
	const coreGroup = ""

	// rule builds a PolicyRule for a single API group; ResourceNames is left
	// empty, so the rule applies to every object of the listed resources.
	rule := func(group string, resources []string, verbs ...string) rbacv1.PolicyRule {
		return rbacv1.PolicyRule{
			APIGroups: []string{group},
			Resources: resources,
			Verbs:     verbs,
		}
	}

	// Leader election: acquiring/renewing the lock is restricted to the
	// default lock object name. Creation is kept in a separate, unscoped
	// rule because Kubernetes RBAC cannot restrict "create" by ResourceNames.
	leaseLock := rule(coordinationv1beta1.GroupName, []string{"leases"}, "get", "watch", "update")
	leaseLock.ResourceNames = []string{schedulerv1alpha1.SchedulerDefaultLockObjectName}

	rules := []rbacv1.PolicyRule{
		// Events reporting scheduling decisions.
		rule(coreGroup, []string{"events"}, "create", "patch", "update"),
		// NOTE(review): full write access to ConfigMaps in every namespace;
		// confirm this cannot be narrowed (namespace or ResourceNames).
		rule(coreGroup, []string{"configmaps"}, "create", "delete", "get", "list", "watch", "patch", "update"),
		// Read-only inputs to the scheduling decision.
		rule(gardencorev1beta1.GroupName, []string{"cloudprofiles", "seeds"}, "get", "list", "watch"),
		// Shoots are read and their status is written back.
		rule(gardencorev1beta1.GroupName, []string{"shoots", "shoots/status"}, "get", "list", "watch", "patch", "update"),
		// The binding subresource is the only write needed to assign a seed.
		rule(gardencorev1beta1.GroupName, []string{"shoots/binding"}, "update"),
		rule(coordinationv1beta1.GroupName, []string{"leases"}, "create"),
		leaseLock,
	}

	return &rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{
			Name:   clusterRoleName,
			Labels: GetLabels(),
		},
		Rules: rules,
	}
}
// clusterRoleBinding returns the ClusterRoleBinding that binds the
// ClusterRole named clusterRoleName to the scheduler's ServiceAccount.
// The single subject is the ServiceAccount serviceAccountName in
// metav1.NamespaceSystem. The receiver is not read.
func (g *gardenerScheduler) clusterRoleBinding(serviceAccountName string) *rbacv1.ClusterRoleBinding {
	subject := rbacv1.Subject{
		Kind:      "ServiceAccount",
		Name:      serviceAccountName,
		Namespace: metav1.NamespaceSystem,
	}

	binding := &rbacv1.ClusterRoleBinding{}
	binding.Name = clusterRoleBindingName
	binding.Labels = GetLabels()
	// RoleRef is immutable once created; it must point at the ClusterRole
	// produced by clusterRole(), hence the shared clusterRoleName constant.
	binding.RoleRef = rbacv1.RoleRef{
		APIGroup: rbacv1.GroupName,
		Kind:     "ClusterRole",
		Name:     clusterRoleName,
	}
	binding.Subjects = append(binding.Subjects, subject)
	return binding
}