create rolebinding within namespace to guarantee permission

kubeflow · Apr 19, 2018 · 8fea151 · 8fea151
1 parent ffc8919
commit 8fea151
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/bootstrap/cmd/bootstrap/app/server.go b/bootstrap/cmd/bootstrap/app/server.go
@@ -40,6 +40,8 @@ import (
 	k8sVersion "k8s.io/apimachinery/pkg/version"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+	"os/exec"
+	"errors"
 )
 
 // RecommendedConfigPathEnvVar is a environment variable for path configuration
@@ -54,6 +56,8 @@ const DefaultNamespace = "kubeflow"
 // Assume gcloud is on the path.
 const GcloudPath = "gcloud"
 
+const Kubectl = "/usr/local/bin/kubectl"
+
 // TODO(jlewi): If we use the same userid and groupid when running in a container then
 // we shoiuld be able to map in a user's home directory which could be useful e.g for
 // avoiding the oauth flow.
@@ -201,6 +205,19 @@ func Run(opt *options.ServerOption) error {
 		return err
 	}
 
+	log.Infof("create rolebinding kubeflow-admin for role permission")
+	user, err := exec.Command("gcloud", "config", "get-value", "account").Output()
+	if err != nil {
+		return err
+	}
+	username := strings.Trim(string(user), "\t\n ")
+	roleBindingCmd := exec.Command(Kubectl,  "create", "rolebinding", "kubeflow-admin",
+		"--clusterrole=cluster-admin", "--user=" + username, "--namespace=" + namespace)
+	_, err = roleBindingCmd.Output()
+	if err != nil {
+		return errors.New("User is not cluster owner: please upgrade permission.")
+	}
+
 	clusterVersion, err := kubeClient.DiscoveryClient.ServerVersion()
 
 	if err != nil {