package roles
import (
"github.com/redhat-developer/kam/pkg/pipelines/meta"
corev1 "k8s.io/api/core/v1"
v1rbac "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/types"
)
var (
	// TypeMeta (kind + apiVersion) stamped on each object built by the
	// constructors in this file, so every returned manifest is self-describing.
	roleTypeMeta               = meta.TypeMeta("Role", "rbac.authorization.k8s.io/v1")
	roleBindingTypeMeta        = meta.TypeMeta("RoleBinding", "rbac.authorization.k8s.io/v1")
	clusterRoleBindingTypeMeta = meta.TypeMeta("ClusterRoleBinding", "rbac.authorization.k8s.io/v1")
	serviceAccountTypeMeta     = meta.TypeMeta("ServiceAccount", "v1")
	clusterRoleTypeMeta        = meta.TypeMeta("ClusterRole", "rbac.authorization.k8s.io/v1")
)
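const (
	// ClusterRoleName is the name of the ClusterRole created to allow the
	// service account to deploy into different environments.
	ClusterRoleName = "pipelines-clusterrole"
)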
// CreateServiceAccount builds a ServiceAccount object for the given
// namespace/name. Its Secrets list starts out empty but non-nil; use
// AddSecretToSA to reference secrets on it.
func CreateServiceAccount(name types.NamespacedName) *corev1.ServiceAccount {
	sa := corev1.ServiceAccount{
		TypeMeta:   serviceAccountTypeMeta,
		ObjectMeta: meta.ObjectMeta(name),
	}
	// Explicitly empty rather than nil so the field serialises as a list.
	sa.Secrets = make([]corev1.ObjectReference, 0)
	return &sa
}
// AddSecretToSA appends a reference to secretName to sa's Secrets list.
// sa is modified in place and returned for chaining. No deduplication is
// done: adding the same name twice lists it twice.
func AddSecretToSA(sa *corev1.ServiceAccount, secretName string) *corev1.ServiceAccount {
	ref := corev1.ObjectReference{Name: secretName}
	sa.Secrets = append(sa.Secrets, ref)
	return sa
}
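// CreateRoleBinding creates and returns a RoleBinding named name that binds
// the ServiceAccount sa to the role identified by roleKind ("Role" or
// "ClusterRole") and roleName. A RoleBinding only grants within its own
// namespace, which is the least-privilege choice when cluster-wide access is
// not needed.
//
// The subject's Kind is taken from sa.Kind; when that is empty (objects read
// back from the API typically carry a blank TypeMeta) it falls back to
// "ServiceAccount" so the generated binding is still valid.
func CreateRoleBinding(name types.NamespacedName, sa *corev1.ServiceAccount, roleKind, roleName string) *v1rbac.RoleBinding {
	kind := sa.Kind
	if kind == "" {
		kind = v1rbac.ServiceAccountKind
	}
	subject := v1rbac.Subject{Kind: kind, Name: sa.Name, Namespace: sa.Namespace}
	return CreateRoleBindingForSubjects(name, roleKind, roleName, []v1rbac.Subject{subject})
}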
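// CreateClusterRoleBinding creates and returns a ClusterRoleBinding named name
// that binds the ServiceAccount sa to the role identified by roleKind and
// roleName. Unlike a RoleBinding, a ClusterRoleBinding grants the role in
// every namespace, so reserve it for permissions that genuinely need
// cluster-wide scope.
//
// The subject's Kind is taken from sa.Kind; when that is empty (objects read
// back from the API typically carry a blank TypeMeta) it falls back to
// "ServiceAccount" so the generated binding is still valid.
func CreateClusterRoleBinding(name types.NamespacedName, sa *corev1.ServiceAccount, roleKind, roleName string) *v1rbac.ClusterRoleBinding {
	kind := sa.Kind
	if kind == "" {
		kind = v1rbac.ServiceAccountKind
	}
	subject := v1rbac.Subject{Kind: kind, Name: sa.Name, Namespace: sa.Namespace}
	return ClusterRoleBindingForSubjects(name, roleKind, roleName, []v1rbac.Subject{subject})
}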
// CreateRoleBindingForSubjects creates and returns a RoleBinding named name
// that binds every entry of subjects to the role identified by roleKind and
// roleName in the rbac.authorization.k8s.io API group. The subjects slice is
// stored as-is (not copied), so later changes by the caller show up in the
// returned object.
func CreateRoleBindingForSubjects(name types.NamespacedName, roleKind, roleName string, subjects []v1rbac.Subject) *v1rbac.RoleBinding {
	roleRef := v1rbac.RoleRef{
		APIGroup: v1rbac.GroupName,
		Kind:     roleKind,
		Name:     roleName,
	}
	binding := v1rbac.RoleBinding{
		TypeMeta:   roleBindingTypeMeta,
		ObjectMeta: meta.ObjectMeta(name),
		RoleRef:    roleRef,
	}
	binding.Subjects = subjects
	return &binding
}
// ClusterRoleBindingForSubjects creates and returns a ClusterRoleBinding named
// name that binds every entry of subjects to the role identified by roleKind
// and roleName in the rbac.authorization.k8s.io API group. The binding is
// cluster-scoped, so the role applies in all namespaces. The subjects slice is
// stored as-is (not copied).
func ClusterRoleBindingForSubjects(name types.NamespacedName, roleKind, roleName string, subjects []v1rbac.Subject) *v1rbac.ClusterRoleBinding {
	roleRef := v1rbac.RoleRef{
		APIGroup: v1rbac.GroupName,
		Kind:     roleKind,
		Name:     roleName,
	}
	binding := v1rbac.ClusterRoleBinding{
		TypeMeta:   clusterRoleBindingTypeMeta,
		ObjectMeta: meta.ObjectMeta(name),
		RoleRef:    roleRef,
	}
	binding.Subjects = subjects
	return &binding
}
// CreateRole creates and returns a namespaced Role named name whose Rules are
// exactly policyRules. The slice is stored as-is (not copied).
func CreateRole(name types.NamespacedName, policyRules []v1rbac.PolicyRule) *v1rbac.Role {
	role := v1rbac.Role{
		TypeMeta:   roleTypeMeta,
		ObjectMeta: meta.ObjectMeta(name),
	}
	role.Rules = policyRules
	return &role
}
// clusterRoleOpts is a functional option that CreateClusterRole applies to the
// ClusterRole after its TypeMeta, ObjectMeta and Rules have been set.
type clusterRoleOpts func(*v1rbac.ClusterRole)
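// CreateClusterRole creates and returns a ClusterRole named name carrying
// policyRules, then applies each of opts to it in order. Options run after
// Rules is set, so an option can widen or narrow the permissions granted;
// review them with the same care as the rules themselves. Nil options are
// skipped instead of being called (calling a nil func would panic).
func CreateClusterRole(name types.NamespacedName, policyRules []v1rbac.PolicyRule, opts ...clusterRoleOpts) *v1rbac.ClusterRole {
	cr := &v1rbac.ClusterRole{
		TypeMeta:   clusterRoleTypeMeta,
		ObjectMeta: meta.ObjectMeta(name),
		Rules:      policyRules,
	}
	for _, opt := range opts {
		if opt == nil {
			continue
		}
		opt(cr)
	}
	return cr
}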