/
handler.go
126 lines (113 loc) · 3.77 KB
/
handler.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
package controller
import (
"context"
"fmt"
"reflect"
v1 "github.com/StatCan/kubeflow-controller/pkg/apis/kubeflowcontroller/v1"
"github.com/prometheus/common/log"
"istio.io/api/security/v1beta1"
typev1beta1 "istio.io/api/type/v1beta1"
istiosecurityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
protectedBBlock = "protected-b-block"
)
func notebookAuthPolicyName(notebook *v1.Notebook) string {
return fmt.Sprintf("%s-%s", notebook.Name, protectedBBlock)
}
func (c *Controller) handleAuthorizationPolicy(notebook *v1.Notebook) error {
ctx := context.Background()
// //Find any authorization policy with the same name
ap, err := c.authorizationPoliciesListers.AuthorizationPolicies(notebook.Namespace).Get(notebookAuthPolicyName(notebook))
if err != nil && !errors.IsNotFound(err) {
return err
}
//Check that we own this authorization policy
if ap != nil {
if !metav1.IsControlledBy(ap, notebook) {
msg := fmt.Sprintf("Authorization Policy \"%s/%s\" already exists and is not managed by the notebook", ap.Namespace, ap.Name)
c.recorder.Event(notebook, corev1.EventTypeWarning, "ErrResourceExists", msg)
return fmt.Errorf("%s", msg)
}
}
//New Authorization Policy
nap, err := c.generateAuthorizationPolicy(notebook)
if err != nil {
return err
}
// If we don't have authorization policy, then let's make one
if ap == nil {
_, err = c.istioClientset.SecurityV1beta1().AuthorizationPolicies(notebook.Namespace).Create(ctx, nap, metav1.CreateOptions{})
if err != nil {
return err
}
} else if !reflect.DeepEqual(ap.Spec, nap.Spec) { //We have an authorization policy, but is it the same
log.Infof("updated authorization Policy \"%s/%s\"", ap.Namespace, ap.Name)
// Copy the new spec
ap.Spec = nap.Spec
_, err = c.istioClientset.SecurityV1beta1().AuthorizationPolicies(notebook.Namespace).Update(ctx, ap, metav1.UpdateOptions{})
if err != nil {
return err
}
}
return nil
}
func (c *Controller) generateAuthorizationPolicy(notebook *v1.Notebook)(*istiosecurityv1beta1.AuthorizationPolicy, error){
ap := &istiosecurityv1beta1.AuthorizationPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: notebookAuthPolicyName(notebook),
Namespace: notebook.Namespace,
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(notebook, v1.SchemeGroupVersion.WithKind("Notebook")),
},
},
Spec: v1beta1.AuthorizationPolicy{
Selector: &typev1beta1.WorkloadSelector{
MatchLabels: map[string]string{
"notebook-name": notebook.Name,
"data.statcan.gc.ca/classification": "protected-b",
},
},
Action: v1beta1.AuthorizationPolicy_DENY,
Rules: []*v1beta1.Rule{
{
To: []*v1beta1.Rule_To{
{
//Rstudio upload
Operation: &v1beta1.Operation{
Methods: []string{"POST"},
Paths: []string{fmt.Sprintf("/notebook/%s/%s/rstudio/upload", notebook.Namespace, notebook.Name)},
},
},
{
//Rstudio download
Operation: &v1beta1.Operation{
Methods: []string{"GET"},
Paths: []string{fmt.Sprintf("/notebook/%s/%s/rstudio/export*", notebook.Namespace, notebook.Name)},
},
},
{
//Jupyter download
Operation: &v1beta1.Operation{
Methods: []string{"GET"},
Paths: []string{fmt.Sprintf("/notebook/%s/%s/files*", notebook.Namespace, notebook.Name)},
},
},
{
//Jupyter download - convert as
Operation: &v1beta1.Operation{
Methods: []string{"GET"},
Paths: []string{fmt.Sprintf("/notebook/%s/%s/nbconvert*", notebook.Namespace, notebook.Name)},
},
},
// VS Code download - handled by the image
},
},
},
},
}
return ap, nil
}