feat(provider/kubernetes): v2 Add support for RBAC resource kinds (#2419

) Adds support for ClusterRole, ClusterRoleBinding, Role, RoleBinding and ServiceAccount resource kinds. Cluster-level resources like Role, ClusterRoleBinding, PersistentVolume, etc. do belong to any namespace, so we also add support for resource kinds without namespaces. Previously the "namespace" resource kind was the only kind which did not belong to a namespace.
spinnaker · Mar 13, 2018 · 377919f · 377919f
1 parent 79c3e7d
commit 377919f
Show file tree

Hide file tree

Showing 15 changed files with 603 additions and 9 deletions.
diff --git a/...tflix/spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesCacheDataConverter.java b/...tflix/spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesCacheDataConverter.java
@@ -357,7 +357,7 @@ static void logMalformedManifest(Supplier<String> contextMessage, KubernetesMani
       log.warn("{}: manifest name may not be null, {}", contextMessage.get(), manifest);
     }
 
-    if (StringUtils.isEmpty(manifest.getNamespace()) && manifest.getKind() != KubernetesKind.NAMESPACE) {
+    if (StringUtils.isEmpty(manifest.getNamespace()) && manifest.getKind().isNamespaced()) {
       log.warn("{}: manifest namespace may not be null, {}", contextMessage.get(), manifest);
     }
   }

diff --git a/...ker/clouddriver/kubernetes/v2/caching/agent/KubernetesClusterRoleBindingCachingAgent.java b/...ker/clouddriver/kubernetes/v2/caching/agent/KubernetesClusterRoleBindingCachingAgent.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2018 Joel Wilsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.agent;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.netflix.spectator.api.Registry;
+import com.netflix.spinnaker.cats.agent.AgentDataType;
+import com.netflix.spinnaker.clouddriver.kubernetes.security.KubernetesNamedAccountCredentials;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.Keys;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.description.manifest.KubernetesKind;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials;
+import lombok.Getter;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.AUTHORITATIVE;
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.INFORMATIVE;
+
+public class KubernetesClusterRoleBindingCachingAgent extends KubernetesV2OnDemandCachingAgent {
+  KubernetesClusterRoleBindingCachingAgent(KubernetesNamedAccountCredentials<KubernetesV2Credentials> namedAccountCredentials,
+                                           ObjectMapper objectMapper,
+                                           Registry registry,
+                                           int agentIndex,
+                                           int agentCount) {
+    super(namedAccountCredentials, objectMapper, registry, agentIndex, agentCount);
+  }
+
+  @Getter
+  final private Collection<AgentDataType> providedDataTypes = Collections.unmodifiableSet(
+      new HashSet<>(Arrays.asList(
+          AUTHORITATIVE.forType(KubernetesKind.CLUSTER_ROLE_BINDING.toString())
+      ))
+  );
+
+  @Override
+  protected boolean hasClusterRelationship() {
+    return false;
+  }
+
+  @Override
+  protected KubernetesKind primaryKind() {
+    return KubernetesKind.CLUSTER_ROLE_BINDING;
+  }
+}
diff --git a/.../spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesClusterRoleCachingAgent.java b/.../spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesClusterRoleCachingAgent.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2018 Joel Wilsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.agent;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.netflix.spectator.api.Registry;
+import com.netflix.spinnaker.cats.agent.AgentDataType;
+import com.netflix.spinnaker.clouddriver.kubernetes.security.KubernetesNamedAccountCredentials;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.Keys;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.description.manifest.KubernetesKind;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials;
+import lombok.Getter;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.AUTHORITATIVE;
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.INFORMATIVE;
+
+public class KubernetesClusterRoleCachingAgent extends KubernetesV2OnDemandCachingAgent {
+  KubernetesClusterRoleCachingAgent(KubernetesNamedAccountCredentials<KubernetesV2Credentials> namedAccountCredentials,
+                                    ObjectMapper objectMapper,
+                                    Registry registry,
+                                    int agentIndex,
+                                    int agentCount) {
+    super(namedAccountCredentials, objectMapper, registry, agentIndex, agentCount);
+  }
+
+  @Getter
+  final private Collection<AgentDataType> providedDataTypes = Collections.unmodifiableSet(
+      new HashSet<>(Arrays.asList(
+          AUTHORITATIVE.forType(KubernetesKind.CLUSTER_ROLE.toString())
+      ))
+  );
+
+  @Override
+  protected boolean hasClusterRelationship() {
+    return false;
+  }
+
+  @Override
+  protected KubernetesKind primaryKind() {
+    return KubernetesKind.CLUSTER_ROLE;
+  }
+}
diff --git a/.../spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesRoleBindingCachingAgent.java b/.../spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesRoleBindingCachingAgent.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2018 Joel Wilsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.agent;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.netflix.spectator.api.Registry;
+import com.netflix.spinnaker.cats.agent.AgentDataType;
+import com.netflix.spinnaker.clouddriver.kubernetes.security.KubernetesNamedAccountCredentials;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.Keys;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.description.manifest.KubernetesKind;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials;
+import lombok.Getter;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.AUTHORITATIVE;
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.INFORMATIVE;
+
+public class KubernetesRoleBindingCachingAgent extends KubernetesV2OnDemandCachingAgent {
+  KubernetesRoleBindingCachingAgent(KubernetesNamedAccountCredentials<KubernetesV2Credentials> namedAccountCredentials,
+                                    ObjectMapper objectMapper,
+                                    Registry registry,
+                                    int agentIndex,
+                                    int agentCount) {
+    super(namedAccountCredentials, objectMapper, registry, agentIndex, agentCount);
+  }
+
+  @Getter
+  final private Collection<AgentDataType> providedDataTypes = Collections.unmodifiableSet(
+      new HashSet<>(Arrays.asList(
+          AUTHORITATIVE.forType(KubernetesKind.ROLE_BINDING.toString())
+      ))
+  );
+
+  @Override
+  protected boolean hasClusterRelationship() {
+    return false;
+  }
+
+  @Override
+  protected KubernetesKind primaryKind() {
+    return KubernetesKind.ROLE_BINDING;
+  }
+}
diff --git a/...netflix/spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesRoleCachingAgent.java b/...netflix/spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesRoleCachingAgent.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2018 Joel Wilsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.agent;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.netflix.spectator.api.Registry;
+import com.netflix.spinnaker.cats.agent.AgentDataType;
+import com.netflix.spinnaker.clouddriver.kubernetes.security.KubernetesNamedAccountCredentials;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.Keys;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.description.manifest.KubernetesKind;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials;
+import lombok.Getter;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.AUTHORITATIVE;
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.INFORMATIVE;
+
+public class KubernetesRoleCachingAgent extends KubernetesV2OnDemandCachingAgent {
+  KubernetesRoleCachingAgent(KubernetesNamedAccountCredentials<KubernetesV2Credentials> namedAccountCredentials,
+                             ObjectMapper objectMapper,
+                             Registry registry,
+                             int agentIndex,
+                             int agentCount) {
+    super(namedAccountCredentials, objectMapper, registry, agentIndex, agentCount);
+  }
+
+  @Getter
+  final private Collection<AgentDataType> providedDataTypes = Collections.unmodifiableSet(
+      new HashSet<>(Arrays.asList(
+          AUTHORITATIVE.forType(KubernetesKind.ROLE.toString())
+      ))
+  );
+
+  @Override
+  protected boolean hasClusterRelationship() {
+    return false;
+  }
+
+  @Override
+  protected KubernetesKind primaryKind() {
+    return KubernetesKind.ROLE;
+  }
+}
diff --git a/...innaker/clouddriver/kubernetes/v2/caching/agent/KubernetesServiceAccountCachingAgent.java b/...innaker/clouddriver/kubernetes/v2/caching/agent/KubernetesServiceAccountCachingAgent.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2018 Joel Wilsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.agent;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.netflix.spectator.api.Registry;
+import com.netflix.spinnaker.cats.agent.AgentDataType;
+import com.netflix.spinnaker.clouddriver.kubernetes.security.KubernetesNamedAccountCredentials;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.caching.Keys;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.description.manifest.KubernetesKind;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials;
+import lombok.Getter;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.AUTHORITATIVE;
+import static com.netflix.spinnaker.cats.agent.AgentDataType.Authority.INFORMATIVE;
+
+public class KubernetesServiceAccountCachingAgent extends KubernetesV2OnDemandCachingAgent {
+  KubernetesServiceAccountCachingAgent(KubernetesNamedAccountCredentials<KubernetesV2Credentials> namedAccountCredentials,
+                                       ObjectMapper objectMapper,
+                                       Registry registry,
+                                       int agentIndex,
+                                       int agentCount) {
+    super(namedAccountCredentials, objectMapper, registry, agentIndex, agentCount);
+  }
+
+  @Getter
+  final private Collection<AgentDataType> providedDataTypes = Collections.unmodifiableSet(
+      new HashSet<>(Arrays.asList(
+          AUTHORITATIVE.forType(KubernetesKind.SERVICE_ACCOUNT.toString())
+      ))
+  );
+
+  @Override
+  protected boolean hasClusterRelationship() {
+    return false;
+  }
+
+  @Override
+  protected KubernetesKind primaryKind() {
+    return KubernetesKind.SERVICE_ACCOUNT;
+  }
+}
diff --git a/...x/spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesV2OnDemandCachingAgent.java b/...x/spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesV2OnDemandCachingAgent.java
@@ -250,8 +250,7 @@ public OnDemandAgent.OnDemandResult handle(ProviderCache providerCache, Map<Stri
     reloadNamespaces();
     if (StringUtils.isEmpty(account)
         || StringUtils.isEmpty(name)
-        || StringUtils.isEmpty(namespace)
-        || !namespaces.contains(namespace)) {
+        || (!StringUtils.isEmpty(namespace) && !namespaces.contains(namespace))) {
       return null;
     }
 
@@ -292,7 +291,7 @@ public Collection<Map> pendingOnDemandRequests(ProviderCache providerCache) {
 
     List<String> matchingKeys = infraKeys.stream()
         .filter(i -> i.getAccount().equals(getAccountName())
-            && namespaces.contains(i.getNamespace())
+            && (StringUtils.isEmpty(i.getNamespace())) || namespaces.contains(i.getNamespace())
             && i.getKubernetesKind().equals(primaryKind()))
         .map(Keys.InfrastructureCacheKey::toString)
         .collect(Collectors.toList());