feat: check sa before start a job (#2024)

jiuker · guozhi.li · web-flow · commit baccdf626369 · 2024-03-08T12:05:26.000-05:00
* check sa before start a job

check sa before start a job

* import

* apply suggestion

---------

Co-authored-by: guozhi.li &lt;guozhi.li@daocloud.io&gt;
diff --git a/pkg/controller/job-controller.go b/pkg/controller/job-controller.go
@@ -11,6 +11,7 @@ import (
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/operator/pkg/apis/job.min.io/v1alpha1"
 	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
+	stsv1alpha1 "github.com/minio/operator/pkg/apis/sts.min.io/v1alpha1"
 	clientset "github.com/minio/operator/pkg/client/clientset/versioned"
 	jobinformers "github.com/minio/operator/pkg/client/informers/externalversions/job.min.io/v1alpha1"
 	joblisters "github.com/minio/operator/pkg/client/listers/job.min.io/v1alpha1"
@@ -179,7 +180,24 @@ func (c *JobController) SyncHandler(key string) (Result, error) {
 	if tenant.Status.HealthStatus != miniov2.HealthStatusGreen {
 		return WrapResult(Result{RequeueAfter: time.Second * 5}, nil)
 	}
-	fmt.Println("will do somthing next")
+	// check sa
+	pbs := &stsv1alpha1.PolicyBindingList{}
+	err = c.k8sClient.List(ctx, pbs, client.InNamespace(namespace))
+	if err != nil {
+		return WrapResult(Result{}, err)
+	}
+	if len(pbs.Items) == 0 {
+		return WrapResult(Result{}, fmt.Errorf("no policybinding found"))
+	}
+	saFound := false
+	for _, pb := range pbs.Items {
+		if pb.Spec.Application.Namespace == namespace && pb.Spec.Application.ServiceAccount == jobCR.Spec.ServiceAccountName {
+			saFound = true
+		}
+	}
+	if !saFound {
+		return WrapResult(Result{}, fmt.Errorf("no serviceaccount found"))
+	}
 	// Loop through the different supported operations.
 	for _, val := range jobCR.Spec.Commands {
 		operation := val.Operation
