/*
Copyright 2020 The Kubermatic Kubernetes Platform contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package metricsserver
import (
"k8c.io/kubermatic/v2/pkg/resources"
"k8c.io/reconciler/pkg/reconciling"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// ClusterRoleBindingResourceReaderReconciler returns the ClusterRoleBinding required for the metrics server to read all required resources.
//
// The binding always references the metrics-server ClusterRole
// (resources.MetricsServerClusterRoleName); only the subject depends on the
// deployment mode:
//   - isKonnectivityEnabled: the metrics server runs inside the user cluster,
//     so the subject is its ServiceAccount in kube-system.
//   - otherwise: the metrics server runs in the seed cluster and authenticates
//     with a client certificate, so the subject is that certificate's user name.
func ClusterRoleBindingResourceReaderReconciler(isKonnectivityEnabled bool) reconciling.NamedClusterRoleBindingReconcilerFactory {
	return func() (string, reconciling.ClusterRoleBindingReconciler) {
		reconcile := func(crb *rbacv1.ClusterRoleBinding) (*rbacv1.ClusterRoleBinding, error) {
			crb.Labels = resources.BaseAppLabels(Name, nil)
			crb.RoleRef = rbacv1.RoleRef{
				Name:     resources.MetricsServerClusterRoleName,
				Kind:     "ClusterRole",
				APIGroup: rbacv1.GroupName,
			}

			var subject rbacv1.Subject
			switch {
			case isKonnectivityEnabled:
				// metrics server running in the user cluster - ServiceAccount
				subject = rbacv1.Subject{
					Kind:      rbacv1.ServiceAccountKind,
					Name:      resources.MetricsServerServiceAccountName,
					Namespace: metav1.NamespaceSystem,
				}
			default:
				// metrics server running in the seed cluster - User
				subject = rbacv1.Subject{
					Kind:     rbacv1.UserKind,
					Name:     resources.MetricsServerCertUsername,
					APIGroup: rbacv1.GroupName,
				}
			}
			// Assign a fresh single-element slice: this replaces whatever
			// subjects are already on the object instead of appending to them,
			// so the binding never grants access to more than this one subject.
			crb.Subjects = []rbacv1.Subject{subject}

			return crb, nil
		}
		return resources.MetricsServerResourceReaderClusterRoleBindingName, reconcile
	}
}
// ClusterRoleBindingAuthDelegatorReconciler returns the ClusterRoleBinding required for the metrics server to create token review requests.
//
// When Konnectivity is enabled the metrics server runs inside the user
// cluster and is bound, as a ServiceAccount in kube-system, to Kubernetes'
// built-in "system:auth-delegator" ClusterRole. Otherwise the binding is
// produced by resources.ClusterRoleBindingAuthDelegatorReconciler for the
// seed-side certificate user.
//
// NOTE(review): unlike the resource-reader binding in this file, the
// user-cluster variant sets no app labels on the object — confirm that is
// intended.
func ClusterRoleBindingAuthDelegatorReconciler(isKonnectivityEnabled bool) reconciling.NamedClusterRoleBindingReconcilerFactory {
	if isKonnectivityEnabled {
		// metrics server running in the user cluster
		const (
			bindingName = "metrics-server:system:auth-delegator"
			roleName    = "system:auth-delegator"
		)
		return func() (string, reconciling.ClusterRoleBindingReconciler) {
			return bindingName, func(crb *rbacv1.ClusterRoleBinding) (*rbacv1.ClusterRoleBinding, error) {
				crb.RoleRef = rbacv1.RoleRef{
					Name:     roleName,
					Kind:     "ClusterRole",
					APIGroup: rbacv1.GroupName,
				}
				// Replace, not append: the binding is kept to exactly this
				// one ServiceAccount on every reconcile.
				crb.Subjects = []rbacv1.Subject{{
					Kind:      rbacv1.ServiceAccountKind,
					Name:      resources.MetricsServerServiceAccountName,
					Namespace: metav1.NamespaceSystem,
				}}
				return crb, nil
			}
		}
	}

	// metrics server running in the seed cluster
	return resources.ClusterRoleBindingAuthDelegatorReconciler(resources.MetricsServerCertUsername)
}