feat(install): Adaptations for namespaced/descoped separation rbacs
gansheer committed Dec 11, 2023
1 parent e42677f commit 4e1ec52
Showing 3 changed files with 36 additions and 35 deletions.
4 changes: 2 additions & 2 deletions e2e/support/test_support.go
Expand Up @@ -2399,7 +2399,7 @@ func CreateOperatorRole(ns string) (err error) {
// This should ideally be removed from the common RBAC manifest.
customizer = install.RemoveIngressRoleCustomizer
}
err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/operator-role.yaml")
err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/namespaced/operator-role.yaml")
if err != nil {
return err
}
Expand All @@ -2414,7 +2414,7 @@ func CreateOperatorRoleBinding(ns string) error {
if err != nil {
failTest(err)
}
err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/operator-role-binding.yaml")
err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/namespaced/operator-role-binding.yaml")
if err != nil {
return err
}
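--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,3 +19,15 @@ kind: Kustomization
 
 resources:
 - ../config/rbac
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: PatchTransformer
+  metadata:
+    name: fix-local-registry-rbac-namespace
+  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: camel-k-operator-local-registry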
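Review bot: The PatchTransformer rewrites the namespace of the `camel-k-operator-local-registry` RoleBinding to a hard-coded `kube-public`, but nothing on the page says why this one binding must leave the namespace the rest of `../config/rbac` is installed into; a comment above `transformers:` such as `# The local-registry RoleBinding is pinned to kube-public (see config/rbac); update both places together` would record the intent. The target matches on group, kind and name only, so a rename of that RoleBinding in config/rbac would silently detach the patch; whether this kustomize version fails on an unmatched target I cannot tell from here, so an e2e check that the binding lands in kube-public seems worthwhile.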
55 changes: 22 additions & 33 deletions pkg/install/operator.go
Expand Up @@ -200,41 +200,30 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
envvar.SetVal(&d.Spec.Template.Spec.Containers[0].Env, "WATCH_NAMESPACE", "")
}
}

// Turn Role & RoleBinding into their equivalent cluster types
if r, ok := o.(*rbacv1.Role); ok {
if strings.HasPrefix(r.Name, "camel-k-operator") {
o = &rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{
Namespace: cfg.Namespace,
Name: r.Name,
Labels: map[string]string{
"app": "camel-k",
},
},
Rules: r.Rules,
// Configure subject on ClusterRoleBindings
if crb, ok := o.(*rbacv1.ClusterRoleBinding); ok {
if strings.HasPrefix(crb.Name, "camel-k-operator") {
crb.ObjectMeta.Name = fmt.Sprintf("%s-%s", crb.ObjectMeta.Name, cfg.Namespace)
bound := false
for i, subject := range crb.Subjects {
if subject.Name == "camel-k-operator" {
if subject.Namespace == cfg.Namespace {
bound = true
break
} else if subject.Namespace == "" || subject.Namespace == "placeholder" {
crb.Subjects[i].Namespace = cfg.Namespace
bound = true
break
}
}
}
}
}

if rb, ok := o.(*rbacv1.RoleBinding); ok {
if strings.HasPrefix(rb.Name, "camel-k-operator") {
rb.Subjects[0].Namespace = cfg.Namespace

o = &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
if !bound {
crb.Subjects = append(crb.Subjects, rbacv1.Subject{
Kind: "ServiceAccount",
Namespace: cfg.Namespace,
Name: fmt.Sprintf("%s-%s", rb.Name, cfg.Namespace),
Labels: map[string]string{
"app": "camel-k",
},
},
Subjects: rb.Subjects,
RoleRef: rbacv1.RoleRef{
APIGroup: rb.RoleRef.APIGroup,
Kind: "ClusterRole",
Name: rb.RoleRef.Name,
},
Name: "camel-k-operator",
})
}
}
}
Expand Down Expand Up @@ -444,7 +433,7 @@ func installClusterRoleBinding(ctx context.Context, c client.Client, collection
bound = true

break
} else if subject.Namespace == "" {
} else if subject.Namespace == "" || subject.Namespace == "placeholder" {
target.Subjects[i].Namespace = namespace
bound = true
