Merge pull request #3953 from Vacant2333/add_rbac_task_when_karmada_o…
…perator_init Feat: Add RBAC task to karmada operator init
Showing
7 changed files
with
249 additions
and
9 deletions.
@@ -0,0 +1,154 @@ | ||
package rbac | ||
|
||
const ( | ||
// KarmadaResourceViewClusterRole clusterrole for view karmada resources | ||
KarmadaResourceViewClusterRole = ` | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
annotations: | ||
# refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation | ||
# and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile | ||
rbac.authorization.kubernetes.io/autoupdate: "true" | ||
labels: | ||
# refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings | ||
kubernetes.io/bootstrapping: rbac-defaults | ||
# used to aggregate rules to view clusterrole | ||
rbac.authorization.k8s.io/aggregate-to-view: "true" | ||
name: karmada-view | ||
rules: | ||
- apiGroups: | ||
- "autoscaling.karmada.io" | ||
resources: | ||
- cronfederatedhpas | ||
- cronfederatedhpas/status | ||
- federatedhpas | ||
- federatedhpas/status | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "multicluster.x-k8s.io" | ||
resources: | ||
- serviceexports | ||
- serviceexports/status | ||
- serviceimports | ||
- serviceimports/status | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "networking.karmada.io" | ||
resources: | ||
- multiclusteringresses | ||
- multiclusteringresses/status | ||
- multiclusterservices | ||
- multiclusterservices/status | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "policy.karmada.io" | ||
resources: | ||
- overridepolicies | ||
- propagationpolicies | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "work.karmada.io" | ||
resources: | ||
- resourcebindings | ||
- resourcebindings/status | ||
- works | ||
- works/status | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
` | ||
// KarmadaResourceEditClusterRole clusterrole for edit karmada resources | ||
KarmadaResourceEditClusterRole = ` | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
annotations: | ||
# refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation | ||
# and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile | ||
rbac.authorization.kubernetes.io/autoupdate: "true" | ||
labels: | ||
# refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings | ||
kubernetes.io/bootstrapping: rbac-defaults | ||
# used to aggregate rules to view clusterrole | ||
rbac.authorization.k8s.io/aggregate-to-edit: "true" | ||
name: karmada-edit | ||
rules: | ||
- apiGroups: | ||
- "autoscaling.karmada.io" | ||
resources: | ||
- cronfederatedhpas | ||
- cronfederatedhpas/status | ||
- federatedhpas | ||
- federatedhpas/status | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update | ||
- apiGroups: | ||
- "multicluster.x-k8s.io" | ||
resources: | ||
- serviceexports | ||
- serviceexports/status | ||
- serviceimports | ||
- serviceimports/status | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update | ||
- apiGroups: | ||
- "networking.karmada.io" | ||
resources: | ||
- multiclusteringresses | ||
- multiclusteringresses/status | ||
- multiclusterservices | ||
- multiclusterservices/status | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update | ||
- apiGroups: | ||
- "policy.karmada.io" | ||
resources: | ||
- overridepolicies | ||
- propagationpolicies | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update | ||
- apiGroups: | ||
- "work.karmada.io" | ||
resources: | ||
- resourcebindings | ||
- resourcebindings/status | ||
- works | ||
- works/status | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update | ||
` | ||
) |
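Review bot: The karmada-view ClusterRole carries only `rbac.authorization.k8s.io/aggregate-to-view: "true"` and karmada-edit only `rbac.authorization.k8s.io/aggregate-to-edit: "true"`, so, going by the labels alone, a subject bound to the built-in edit role would obtain create/delete/deletecollection/patch/update on these Karmada resources without get/list/watch on them, and neither role would reach the built-in admin role. If the intent mirrors upstream's system:aggregate-to-view / system:aggregate-to-edit convention, karmada-view should additionally carry `rbac.authorization.k8s.io/aggregate-to-edit: "true"` and `rbac.authorization.k8s.io/aggregate-to-admin: "true"`, and karmada-edit should add `rbac.authorization.k8s.io/aggregate-to-admin: "true"`; confirm this against the aggregationRule of the edit/admin roles on the API server these are applied to. The label comment in the edit role was copied from the view role and should read `# used to aggregate rules to edit clusterrole`. As far as I know the `kubernetes.io/bootstrapping: rbac-defaults` label and the autoupdate annotation are only acted on by the API server for roles it bootstraps itself, so drift in these operator-managed roles is corrected only by the operator's own create-or-update at init, which the constant's doc comment could say.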
@@ -0,0 +1,36 @@ | ||
package rbac | ||
|
||
import ( | ||
"fmt" | ||
|
||
rbacv1 "k8s.io/api/rbac/v1" | ||
kuberuntime "k8s.io/apimachinery/pkg/runtime" | ||
clientset "k8s.io/client-go/kubernetes" | ||
clientsetscheme "k8s.io/client-go/kubernetes/scheme" | ||
|
||
"github.com/karmada-io/karmada/operator/pkg/util/apiclient" | ||
) | ||
|
||
// EnsureKarmadaRBAC create karmada resource view and edit clusterrole | ||
func EnsureKarmadaRBAC(client clientset.Interface) error { | ||
if err := grantKarmadaResourceViewClusterrole(client); err != nil { | ||
return err | ||
} | ||
return grantKarmadaResourceEditClusterrole(client) | ||
} | ||
|
||
func grantKarmadaResourceViewClusterrole(client clientset.Interface) error { | ||
viewClusterrole := &rbacv1.ClusterRole{} | ||
if err := kuberuntime.DecodeInto(clientsetscheme.Codecs.UniversalDecoder(), []byte(KarmadaResourceViewClusterRole), viewClusterrole); err != nil { | ||
return fmt.Errorf("err when decoding Karmada view Clusterrole: %w", err) | ||
} | ||
return apiclient.CreateOrUpdateClusterRole(client, viewClusterrole) | ||
} | ||
|
||
func grantKarmadaResourceEditClusterrole(client clientset.Interface) error { | ||
editClusterrole := &rbacv1.ClusterRole{} | ||
if err := kuberuntime.DecodeInto(clientsetscheme.Codecs.UniversalDecoder(), []byte(KarmadaResourceEditClusterRole), editClusterrole); err != nil { | ||
return fmt.Errorf("err when decoding Karmada edit Clusterrole: %w", err) | ||
} | ||
return apiclient.CreateOrUpdateClusterRole(client, editClusterrole) | ||
} |
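Review bot: grantKarmadaResourceViewClusterrole and grantKarmadaResourceEditClusterrole are the same function with a different constant and error string; folding them into one helper keeps the decode path and its error wording in a single place, and the error text can drop the redundant "err when" prefix since the caller wraps it with %w. The overwrite semantics of apiclient.CreateOrUpdateClusterRole are not visible here; if it replaces the stored object, any narrowing an administrator applied to karmada-edit is undone on every init, which the EnsureKarmadaRBAC doc comment should state so operators know these roles are owned by the operator. A slice rather than a map is used below so the view role is still applied before the edit role, as the original does.
```go
// EnsureKarmadaRBAC creates or updates the karmada-view and karmada-edit
// ClusterRoles from the embedded manifests; the operator owns these objects
// and re-applies them on every init.
func EnsureKarmadaRBAC(client clientset.Interface) error {
	roles := []struct{ name, manifest string }{
		{"view", KarmadaResourceViewClusterRole},
		{"edit", KarmadaResourceEditClusterRole},
	}
	for _, r := range roles {
		if err := applyClusterRole(client, r.name, r.manifest); err != nil {
			return err
		}
	}
	return nil
}

// applyClusterRole decodes one embedded ClusterRole manifest and creates or
// updates it; name is only used to label the error.
func applyClusterRole(client clientset.Interface, name, manifest string) error {
	role := &rbacv1.ClusterRole{}
	if err := kuberuntime.DecodeInto(clientsetscheme.Codecs.UniversalDecoder(), []byte(manifest), role); err != nil {
		return fmt.Errorf("decoding Karmada %s ClusterRole: %w", name, err)
	}
	return apiclient.CreateOrUpdateClusterRole(client, role)
}
```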
@@ -0,0 +1,29 @@ | ||
package tasks | ||
|
||
import ( | ||
"errors" | ||
|
||
"k8s.io/klog/v2" | ||
|
||
"github.com/karmada-io/karmada/operator/pkg/karmadaresource/rbac" | ||
"github.com/karmada-io/karmada/operator/pkg/workflow" | ||
) | ||
|
||
// NewRBACTask init a RBAC task, it will create clusterrole for view/edit karmada resources | ||
func NewRBACTask() workflow.Task { | ||
return workflow.Task{ | ||
Name: "rbac", | ||
Run: runRBAC, | ||
} | ||
} | ||
|
||
func runRBAC(r workflow.RunData) error { | ||
data, ok := r.(InitData) | ||
if !ok { | ||
return errors.New("RBAC task invoked with an invalid data struct") | ||
} | ||
|
||
klog.V(4).InfoS("[RBAC] Running rbac task", "karmada", klog.KObj(data)) | ||
|
||
return rbac.EnsureKarmadaRBAC(data.KarmadaClient()) | ||
} |
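Review bot: runRBAC has no doc comment and the one on NewRBACTask does not say where the roles end up, which matters for anyone auditing what the operator grants and on which API server. Since the roles are applied through `data.KarmadaClient()`, they appear to be installed into the Karmada control plane rather than the host cluster; propose `// NewRBACTask returns the workflow task that installs the karmada-view and karmada-edit ClusterRoles.` on the constructor and `// runRBAC applies the ClusterRoles through data.KarmadaClient(), i.e. into the Karmada control plane, not the host cluster — confirm against InitData.` on runRBAC. The `klog.KObj(data)` call also relies on InitData satisfying klog's object-metadata interface, which is defined outside this hunk.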