37 Star 411 Fork 76

GVPrancher/rancher

加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
克隆/下载
globalrolebinding_handler.go 4.17 KB
一键复制 编辑 原始数据 按行查看 历史
package auth
import (
"reflect"
"github.com/pkg/errors"
"github.com/rancher/types/apis/management.cattle.io/v3"
rbacv1 "github.com/rancher/types/apis/rbac.authorization.k8s.io/v1"
"github.com/rancher/types/config"
"github.com/sirupsen/logrus"
"k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
var (
globalRoleBindingLabel = map[string]string{"authz.management.cattle.io/globalrolebinding": "true"}
crbNameAnnotation = "authz.management.cattle.io/crb-name"
crbNamePrefix = "cattle-globalrolebinding-"
grbController = "mgmt-auth-grb-controller"
)
func newGlobalRoleBindingLifecycle(management *config.ManagementContext) *globalRoleBindingLifecycle {
return &globalRoleBindingLifecycle{
crbLister: management.RBAC.ClusterRoleBindings("").Controller().Lister(),
crbClient: management.RBAC.ClusterRoleBindings(""),
grLister: management.Management.GlobalRoles("").Controller().Lister(),
}
}
type globalRoleBindingLifecycle struct {
crbLister rbacv1.ClusterRoleBindingLister
grLister v3.GlobalRoleLister
crbClient rbacv1.ClusterRoleBindingInterface
}
func (grb *globalRoleBindingLifecycle) Create(obj *v3.GlobalRoleBinding) (*v3.GlobalRoleBinding, error) {
err := grb.reconcileGlobalRoleBinding(obj)
return obj, err
}
func (grb *globalRoleBindingLifecycle) Updated(obj *v3.GlobalRoleBinding) (*v3.GlobalRoleBinding, error) {
err := grb.reconcileGlobalRoleBinding(obj)
return nil, err
}
func (grb *globalRoleBindingLifecycle) Remove(obj *v3.GlobalRoleBinding) (*v3.GlobalRoleBinding, error) {
// Don't need to delete the created ClusterRole because owner reference will take care of that
return nil, nil
}
func (grb *globalRoleBindingLifecycle) reconcileGlobalRoleBinding(globalRoleBinding *v3.GlobalRoleBinding) error {
crbName, ok := globalRoleBinding.Annotations[crbNameAnnotation]
if !ok {
crbName = crbNamePrefix + globalRoleBinding.Name
}
subject := v1.Subject{
Kind: "User",
Name: globalRoleBinding.UserName,
APIGroup: rbacv1.GroupName,
}
crb, _ := grb.crbLister.Get("", crbName)
if crb != nil {
subjects := []v1.Subject{subject}
updateSubject := !reflect.DeepEqual(subjects, crb.Subjects)
updateRoleRef := false
var roleRef v1.RoleRef
gr, _ := grb.grLister.Get("", globalRoleBinding.GlobalRoleName)
if gr != nil {
crNameFromGR := getCRName(gr)
if crNameFromGR != crb.RoleRef.Name {
updateRoleRef = true
roleRef = v1.RoleRef{
Name: crNameFromGR,
Kind: clusterRoleKind,
}
}
}
if updateSubject || updateRoleRef {
crb = crb.DeepCopy()
if updateRoleRef {
crb.RoleRef = roleRef
}
crb.Subjects = subjects
logrus.Infof("[%v] Updating clusterRoleBinding %v for globalRoleBinding %v user %v", grbController, crb.Name, globalRoleBinding.Name, globalRoleBinding.UserName)
if _, err := grb.crbClient.Update(crb); err != nil {
return errors.Wrapf(err, "couldn't update ClusterRoleBinding %v", crb.Name)
}
}
return nil
}
logrus.Infof("Creating new GlobalRoleBinding for GlobalRoleBinding %v", globalRoleBinding.Name)
gr, _ := grb.grLister.Get("", globalRoleBinding.GlobalRoleName)
var crName string
if gr != nil {
crName = getCRName(gr)
} else {
crName = generateCRName(globalRoleBinding.GlobalRoleName)
}
logrus.Infof("[%v] Creating clusterRoleBinding for globalRoleBinding %v for user %v with role %v", grbController, globalRoleBinding.Name, globalRoleBinding.UserName, crName)
_, err := grb.crbClient.Create(&v1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: crbName,
OwnerReferences: []metav1.OwnerReference{
{
APIVersion: globalRoleBinding.TypeMeta.APIVersion,
Kind: globalRoleBinding.TypeMeta.Kind,
Name: globalRoleBinding.Name,
UID: globalRoleBinding.UID,
},
},
Labels: globalRoleBindingLabel,
},
Subjects: []v1.Subject{subject},
RoleRef: v1.RoleRef{
Name: crName,
Kind: clusterRoleKind,
},
})
if err != nil {
return err
}
// Add an annotation to the globalrole indicating the name we used for future updates
if globalRoleBinding.Annotations == nil {
globalRoleBinding.Annotations = map[string]string{}
}
globalRoleBinding.Annotations[crbNameAnnotation] = crbName
return nil
}
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/rancher/rancher.git
git@gitee.com:rancher/rancher.git
rancher
rancher
rancher
v2.0.9

搜索帮助

0d507c66 1850385 C8b1a773 1850385