package podsecuritypolicy
import (
"fmt"
v12 "github.com/rancher/types/apis/core/v1"
"github.com/rancher/types/apis/extensions/v1beta1"
"github.com/rancher/types/apis/management.cattle.io/v3"
"github.com/rancher/types/apis/rbac.authorization.k8s.io/v1"
"github.com/rancher/types/config"
"github.com/sirupsen/logrus"
v1beta13 "k8s.io/api/extensions/v1beta1"
rbac "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// clusterManager reconciles one cluster's default PodSecurityPolicyTemplate
// into a PodSecurityPolicy plus a ClusterRole that grants "use" on it, and
// records on the cluster which template has been applied.
type clusterManager struct {
	// clusterName is the only cluster whose events this manager acts on.
	clusterName string

	// Cluster resource: received through handler events, written back to
	// record the applied template.
	clusters v3.ClusterInterface

	// Template source and the policy derived from it.
	templateLister v3.PodSecurityPolicyTemplateLister
	policyLister   v1beta1.PodSecurityPolicyLister
	policies       v1beta1.PodSecurityPolicyInterface

	// ClusterRole that grants "use" on the derived policy.
	clusterRoleLister v1.ClusterRoleLister
	clusterRoles      v1.ClusterRoleInterface

	// Service accounts, resynced once the template has been applied.
	serviceAccountLister      v12.ServiceAccountLister
	serviceAccountsController v12.ServiceAccountController
}
// RegisterCluster installs the handler that keeps this cluster's default pod
// security policy template applied. It builds a clusterManager from the
// clients and listers of the user context and registers the manager's sync
// method on the management Clusters controller under "ClusterSyncHandler".
func RegisterCluster(context *config.UserContext) {
	logrus.Infof("registering podsecuritypolicy cluster handler for cluster %v", context.ClusterName)

	clusters := context.Management.Management.Clusters("")
	templates := context.Management.Management.PodSecurityPolicyTemplates("")
	policies := context.Extensions.PodSecurityPolicies("")
	clusterRoles := context.RBAC.ClusterRoles("")
	serviceAccounts := context.Core.ServiceAccounts("")

	manager := &clusterManager{
		clusterName:               context.ClusterName,
		clusters:                  clusters,
		templateLister:            templates.Controller().Lister(),
		policies:                  policies,
		policyLister:              policies.Controller().Lister(),
		clusterRoles:              clusterRoles,
		clusterRoleLister:         clusterRoles.Controller().Lister(),
		serviceAccountLister:      serviceAccounts.Controller().Lister(),
		serviceAccountsController: serviceAccounts.Controller(),
	}
	clusters.AddHandler("ClusterSyncHandler", manager.sync)
}
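// sync reconciles the default pod security policy template of the cluster
// this manager owns. When the cluster's spec names a template that differs
// from the one recorded in its status, it ensures a PodSecurityPolicy and a
// ClusterRole derived from that template exist, records the template as
// applied on the cluster, and resyncs all service accounts. Events for other
// clusters, deletions (nil obj) and clusters whose applied template already
// matches the spec are ignored.
//
// NOTE(review): an empty DefaultPodSecurityPolicyTemplateName is left alone —
// the status is not cleared and nothing is removed, so the handler keeps
// re-entering on every event for such a cluster. Confirm against the rest of
// the controller whether that is intended.
func (m *clusterManager) sync(key string, obj *v3.Cluster) error {
	if obj == nil ||
		m.clusterName != obj.Name ||
		obj.Spec.DefaultPodSecurityPolicyTemplateName == obj.Status.AppliedPodSecurityPolicyTemplateName {
		// Nothing to do
		return nil
	}
	templateName := obj.Spec.DefaultPodSecurityPolicyTemplateName
	if templateName == "" {
		return nil
	}

	podSecurityPolicyName := fmt.Sprintf("%v-psp", templateName)
	if err := m.ensurePolicy(templateName, podSecurityPolicyName); err != nil {
		return err
	}
	if err := m.ensureClusterRole(templateName, podSecurityPolicyName); err != nil {
		return err
	}

	// The object handed to a handler is shared with the informer cache. Mutate
	// and update a copy so that a failed Update cannot leave the cached object
	// claiming a template that was never applied.
	obj = obj.DeepCopy()
	obj.Status.AppliedPodSecurityPolicyTemplateName = templateName
	if _, err := m.clusters.Update(obj); err != nil {
		return fmt.Errorf("error updating cluster: %v", err)
	}
	return resyncServiceAccounts(m.serviceAccountLister, m.serviceAccountsController, "")
}

// ensurePolicy creates the PodSecurityPolicy named policyName from the
// template templateName if it does not exist yet. An existing policy is left
// untouched, even if the template has changed since it was created.
func (m *clusterManager) ensurePolicy(templateName, policyName string) error {
	_, err := m.policyLister.Get("", policyName)
	if err == nil {
		return nil
	}
	if !errors.IsNotFound(err) {
		return fmt.Errorf("error getting policy: %v", err)
	}

	template, err := m.templateLister.Get("", templateName)
	if err != nil {
		return fmt.Errorf("error getting pspt: %v", err)
	}
	psp := &v1beta13.PodSecurityPolicy{
		TypeMeta: metav1.TypeMeta{
			Kind:       podSecurityPolicy,
			APIVersion: apiVersion,
		},
		ObjectMeta: metav1.ObjectMeta{
			Name: policyName,
			// Record the source template and the revision it was copied from.
			Annotations: map[string]string{
				podSecurityPolicyTemplateParentAnnotation:  template.Name,
				podSecurityPolicyTemplateVersionAnnotation: template.ResourceVersion,
			},
		},
		Spec: template.Spec,
	}
	if _, err := m.policies.Create(psp); err != nil {
		return fmt.Errorf("error creating psp: %v", err)
	}
	return nil
}

// ensureClusterRole creates the ClusterRole "<templateName>-clusterrole" if it
// does not exist yet. The role's only rule grants "use" on policyName, so a
// subject bound to it can run pods under that policy and nothing more.
func (m *clusterManager) ensureClusterRole(templateName, policyName string) error {
	clusterRoleName := fmt.Sprintf("%v-clusterrole", templateName)
	_, err := m.clusterRoleLister.Get("", clusterRoleName)
	if err == nil {
		return nil
	}
	if !errors.IsNotFound(err) {
		return fmt.Errorf("error getting cluster role: %v", err)
	}

	newRole := &rbac.ClusterRole{
		TypeMeta: metav1.TypeMeta{
			Kind: "ClusterRole",
		},
		ObjectMeta: metav1.ObjectMeta{
			Name: clusterRoleName,
			Annotations: map[string]string{
				podSecurityPolicyTemplateParentAnnotation: templateName,
			},
		},
		// Least privilege: a single "use" verb scoped to this one policy name.
		Rules: []rbac.PolicyRule{
			{
				APIGroups:     []string{"extensions"},
				Resources:     []string{"podsecuritypolicies"},
				Verbs:         []string{"use"},
				ResourceNames: []string{policyName},
			},
		},
	}
	if _, err := m.clusterRoles.Create(newRole); err != nil {
		return fmt.Errorf("error creating cluster role: %v", err)
	}
	return nil
}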