package resourcemerge
import (
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/equality"
)
// EnsureClusterRoleBinding reconciles existing toward required in place and
// sets *modified to true whenever a field of existing had to be overwritten.
//
// ObjectMeta is handled by EnsureObjectMeta. Subjects and RoleRef are each
// compared with equality.Semantic.DeepEqual and replaced wholesale on
// mismatch, so a subject present only in existing is dropped. *modified is
// only ever set to true here, never reset to false.
//
// NOTE(review): the Kubernetes API treats roleRef as immutable on an existing
// binding. When this function reports a RoleRef change, a plain Update of
// existing is expected to be rejected; confirm that callers delete and
// recreate the binding in that case.
//
// NOTE(review): only RoleRef.APIGroup is defaulted before comparing. A
// required Subject that omits a field the API server fills in may compare
// unequal on every pass; verify against callers.
func EnsureClusterRoleBinding(modified *bool, existing *rbacv1.ClusterRoleBinding, required rbacv1.ClusterRoleBinding) {
	EnsureObjectMeta(modified, &existing.ObjectMeta, required.ObjectMeta)

	// required is passed by value, so defaulting its RoleRef here does not
	// alter the caller's struct.
	ensureRoleRefDefaultsv1(&required.RoleRef)

	if sameSubjects := equality.Semantic.DeepEqual(existing.Subjects, required.Subjects); !sameSubjects {
		*modified = true
		// Assigned by reference: existing.Subjects is not a deep copy of required.Subjects.
		existing.Subjects = required.Subjects
	}

	if sameRoleRef := equality.Semantic.DeepEqual(existing.RoleRef, required.RoleRef); !sameRoleRef {
		*modified = true
		existing.RoleRef = required.RoleRef
	}
}
// EnsureClusterRole reconciles existing toward required in place and sets
// *modified to true whenever a field of existing had to be overwritten.
//
// ObjectMeta is handled by EnsureObjectMeta. AggregationRule is compared with
// equality.Semantic.DeepEqual and replaced on mismatch. Rules are reconciled
// the same way, but only when required carries no AggregationRule; on mismatch
// required.Rules replaces existing.Rules wholesale, so a rule present only in
// existing is dropped.
func EnsureClusterRole(modified *bool, existing *rbacv1.ClusterRole, required rbacv1.ClusterRole) {
	EnsureObjectMeta(modified, &existing.ObjectMeta, required.ObjectMeta)

	if sameAggregation := equality.Semantic.DeepEqual(existing.AggregationRule, required.AggregationRule); !sameAggregation {
		*modified = true
		// Assigned by reference: existing ends up sharing required's AggregationRule value.
		existing.AggregationRule = required.AggregationRule
	}

	// The control plane overwrites any values that are manually specified in
	// the rules field of an aggregate ClusterRole, so Rules are not reconciled
	// for an aggregated role. existing.Rules is left exactly as it was found.
	aggregated := required.AggregationRule != nil
	if aggregated || equality.Semantic.DeepEqual(existing.Rules, required.Rules) {
		return
	}

	*modified = true
	existing.Rules = required.Rules
}
// EnsureRoleBinding reconciles existing toward required in place and sets
// *modified to true whenever a field of existing had to be overwritten.
//
// ObjectMeta is handled by EnsureObjectMeta. Subjects and RoleRef are each
// compared with equality.Semantic.DeepEqual and replaced wholesale on
// mismatch, so a subject present only in existing is dropped. *modified is
// only ever set to true here, never reset to false.
//
// NOTE(review): the Kubernetes API treats roleRef as immutable on an existing
// binding. When this function reports a RoleRef change, a plain Update of
// existing is expected to be rejected; confirm that callers delete and
// recreate the binding in that case.
//
// NOTE(review): only RoleRef.APIGroup is defaulted before comparing. A
// required Subject that omits a field the API server fills in may compare
// unequal on every pass; verify against callers.
func EnsureRoleBinding(modified *bool, existing *rbacv1.RoleBinding, required rbacv1.RoleBinding) {
	EnsureObjectMeta(modified, &existing.ObjectMeta, required.ObjectMeta)

	// required is passed by value, so defaulting its RoleRef here does not
	// alter the caller's struct.
	ensureRoleRefDefaultsv1(&required.RoleRef)

	if sameSubjects := equality.Semantic.DeepEqual(existing.Subjects, required.Subjects); !sameSubjects {
		*modified = true
		// Assigned by reference: existing.Subjects is not a deep copy of required.Subjects.
		existing.Subjects = required.Subjects
	}

	if sameRoleRef := equality.Semantic.DeepEqual(existing.RoleRef, required.RoleRef); !sameRoleRef {
		*modified = true
		existing.RoleRef = required.RoleRef
	}
}
// ensureRoleRefDefaultsv1 fills in roleRef.APIGroup with rbacv1.GroupName when
// it is empty, so that a required RoleRef written without an API group does not
// compare unequal to one that carries it. No other RoleRef field is touched.
func ensureRoleRefDefaultsv1(roleRef *rbacv1.RoleRef) {
	if len(roleRef.APIGroup) != 0 {
		return
	}
	roleRef.APIGroup = rbacv1.GroupName
}
// EnsureRole reconciles existing toward required in place and sets *modified
// to true whenever a field of existing had to be overwritten.
//
// ObjectMeta is handled by EnsureObjectMeta. Rules are compared with
// equality.Semantic.DeepEqual; on mismatch required.Rules replaces
// existing.Rules wholesale, so a rule present only in existing is dropped.
// *modified is only ever set to true here, never reset to false.
func EnsureRole(modified *bool, existing *rbacv1.Role, required rbacv1.Role) {
	EnsureObjectMeta(modified, &existing.ObjectMeta, required.ObjectMeta)

	if equality.Semantic.DeepEqual(existing.Rules, required.Rules) {
		return
	}

	*modified = true
	// Assigned by reference: existing.Rules is not a deep copy of required.Rules.
	existing.Rules = required.Rules
}