
feat(install): Adaptations for namespaced/descoped separation rbacs
gansheer committed Dec 11, 2023

1 parent e42677f commit 4e1ec52
Showing 3 changed files with 36 additions and 35 deletions.
4 changes: 2 additions & 2 deletions e2e/support/test_support.go
@@ -2399,7 +2399,7 @@ func CreateOperatorRole(ns string) (err error) {
// This should ideally be removed from the common RBAC manifest.
customizer = install.RemoveIngressRoleCustomizer
}
err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/operator-role.yaml")
err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/namespaced/operator-role.yaml")
if err != nil {
return err
}
@@ -2414,7 +2414,7 @@ func CreateOperatorRoleBinding(ns string) error {
if err != nil {
failTest(err)
}
err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/operator-role-binding.yaml")
err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/namespaced/operator-role-binding.yaml")
if err != nil {
return err
}
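--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,3 +19,15 @@ kind: Kustomization
 
 resources:
 - ../config/rbac
+
+transformers:
+- |-
+apiVersion: builtin
+kind: PatchTransformer
+metadata:
+name: fix-local-registry-rbac-namespace
+patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+target:
+group: rbac.authorization.k8s.io
+kind: RoleBinding
+name: camel-k-operator-local-registry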
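Review bot: The PatchTransformer pins the camel-k-operator-local-registry RoleBinding to `kube-public` with no comment saying why that namespace rather than the operator's own, and the `target` selects by group, kind and name only, so any RoleBinding of that name produced by ../config/rbac is relocated no matter where it was declared. A short comment above `transformers:` such as `# The local-registry RoleBinding is created in kube-public, where <resource it grants access to> lives; all other RBAC objects stay in the operator namespace.` would make the intent checkable, and naming the Role it binds would let a reviewer confirm what the operator is granted in kube-public. If the name collides with a RoleBinding intended for another namespace later, this transformer will silently move that one too, so a comment recording the assumption that the name is unique is worth adding as well.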
55 changes: 22 additions & 33 deletions pkg/install/operator.go
@@ -200,41 +200,30 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
envvar.SetVal(&d.Spec.Template.Spec.Containers[0].Env, "WATCH_NAMESPACE", "")
}
}

// Turn Role & RoleBinding into their equivalent cluster types
if r, ok := o.(*rbacv1.Role); ok {
if strings.HasPrefix(r.Name, "camel-k-operator") {
o = &rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{
Namespace: cfg.Namespace,
Name: r.Name,
Labels: map[string]string{
"app": "camel-k",
},
},
Rules: r.Rules,
// Configure subject on ClusterRoleBindings
if crb, ok := o.(*rbacv1.ClusterRoleBinding); ok {
if strings.HasPrefix(crb.Name, "camel-k-operator") {
crb.ObjectMeta.Name = fmt.Sprintf("%s-%s", crb.ObjectMeta.Name, cfg.Namespace)
bound := false
for i, subject := range crb.Subjects {
if subject.Name == "camel-k-operator" {
if subject.Namespace == cfg.Namespace {
bound = true
break
} else if subject.Namespace == "" || subject.Namespace == "placeholder" {
crb.Subjects[i].Namespace = cfg.Namespace
bound = true
break
}
}
}
}
}

if rb, ok := o.(*rbacv1.RoleBinding); ok {
if strings.HasPrefix(rb.Name, "camel-k-operator") {
rb.Subjects[0].Namespace = cfg.Namespace

o = &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
if !bound {
crb.Subjects = append(crb.Subjects, rbacv1.Subject{
Kind: "ServiceAccount",
Namespace: cfg.Namespace,
Name: fmt.Sprintf("%s-%s", rb.Name, cfg.Namespace),
Labels: map[string]string{
"app": "camel-k",
},
},
Subjects: rb.Subjects,
RoleRef: rbacv1.RoleRef{
APIGroup: rb.RoleRef.APIGroup,
Kind: "ClusterRole",
Name: rb.RoleRef.Name,
},
Name: "camel-k-operator",
})
}
}
}
@@ -444,7 +433,7 @@ func installClusterRoleBinding(ctx context.Context, c client.Client, collection
bound = true

break
} else if subject.Namespace == "" {
} else if subject.Namespace == "" || subject.Namespace == "placeholder" {
target.Subjects[i].Namespace = namespace
bound = true
