Merge pull request #60 from appuio/feat/ns-editor-clusterrole
Change namespace-owner config to use a ClusterRole
simu authored Jan 26, 2022
2 parents aff279f + faf0a9d commit e7972dc
Showing 5 changed files with 66 additions and 64 deletions.
2 changes: 1 addition & 1 deletion class/defaults.yml
Expand Up @@ -61,7 +61,7 @@ parameters:
bindingName: admin
clusterRoleName: admin

generatedNamespaceOwnerRole:
generatedNamespaceOwnerClusterRole:
name: namespace-owner

maxNamespaceQuota: 25
74 changes: 41 additions & 33 deletions component/generated-rolebindings.jsonnet
@@ -1,10 +1,44 @@
local common = import 'common.libsonnet';
local kap = import 'lib/kapitan.libjsonnet';
local kube = import 'lib/kube.libjsonnet';
local kyverno = import 'lib/kyverno.libsonnet';
local inv = kap.inventory();
// The hiera parameters for the component
local params = inv.parameters.appuio_cloud;

local roleName =
if std.objectHas(params, 'generatedNamespaceOwnerRole') then
std.trace(
(
'\nParameter `generatedNamespaceOwnerRole` is deprecated.\n' +
'Please update your config to use `generatedNamespaceOwnerClusterRole` instead.'
),
params.generatedNamespaceOwnerRole.name
)
else
params.generatedNamespaceOwnerClusterRole.name;

local namespaceEditorClusterRole =
kube.ClusterRole(roleName) {
rules: [
{
apiGroups: [
'',
],
resources: [
'namespaces',
],
verbs: [
'get',
'watch',
'edit',
'patch',
'delete',
],
},
],
};

/**
* This policy will:
* - Generate a RoleBinding to ClusterRole 'admin' for the organization defined in a label of a namespace.
Expand Down Expand Up @@ -92,48 +126,19 @@ local generateDefaultRolebindingInNsPolicy = kyverno.ClusterPolicy('default-role
},

},
{
name: 'namespace-edit-role',
match: common.MatchOrgNamespaces,
generate: {
kind: 'Role',
synchronize: false,
name: params.generatedNamespaceOwnerRole.name,
namespace: '{{request.object.metadata.name}}',
data: {
rules: [
{
apiGroups: [
'',
],
resources: [
'namespaces',
],
verbs: [
'get',
'watch',
'edit',
'patch',
'delete',
],
},
],
},
},
},
{
name: 'namespace-edit-rolebinding',
match: common.MatchOrgNamespaces,
generate: {
kind: 'RoleBinding',
synchronize: false,
name: params.generatedNamespaceOwnerRole.name,
name: namespaceEditorClusterRole.metadata.name,
namespace: '{{request.object.metadata.name}}',
data: {
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'Role',
name: params.generatedNamespaceOwnerRole.name,
kind: 'ClusterRole',
name: namespaceEditorClusterRole.metadata.name,
},
subjects: [
{
Expand All @@ -150,5 +155,8 @@ local generateDefaultRolebindingInNsPolicy = kyverno.ClusterPolicy('default-role

// Define outputs below
{
'10_generate_default_rolebinding_in_ns': generateDefaultRolebindingInNsPolicy + common.DefaultLabels,
'10_namespace_editor_clusterrole':
namespaceEditorClusterRole + common.DefaultLabels,
'10_generate_default_rolebinding_in_ns':
generateDefaultRolebindingInNsPolicy + common.DefaultLabels,
}
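Review bot: The `verbs` list of the new `namespaceEditorClusterRole` in the first hunk contains `'edit'`, which is not a Kubernetes RBAC API verb (the resource verbs are get/list/watch/create/update/patch/delete/deletecollection), so that entry grants nothing; if the intent is to let owners run `kubectl edit` on their namespace, `'update'` is the verb that covers it, otherwise the entry can be dropped. The list is carried over from the removed per-namespace Role, so this is pre-existing rather than introduced here, but moving it into a cluster-wide object is the right moment to tidy it. Separately, the generated RoleBinding in the third hunk keeps `synchronize: false` and now references the ClusterRole by name, so changing `generatedNamespaceOwnerClusterRole.name` later removes the old ClusterRole while bindings in already-created namespaces still point at it and silently stop granting access; a comment on the `roleName` local such as `// NOTE: generated RoleBindings are not re-synchronized; renaming this ClusterRole orphans the bindings in existing namespaces` would make that operational constraint visible. The `generateDefaultRolebindingInNsPolicy` definition that the second and third hunks patch starts outside this section.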
4 changes: 2 additions & 2 deletions docs/modules/ROOT/pages/references/parameters.adoc
Expand Up @@ -128,13 +128,13 @@ default:: `organization-admin`
The `metadata.name` of the `RoleBinding` that gets generated in the new `Namespace` created by the user.
The role binding is only created upon Namespace creation, it doesn't get synchronized.

== `generatedNamespaceOwnerRole.name`
== `generatedNamespaceOwnerClusterRole.name`

[horizontal]
type:: string
default:: `namespace-owner`

The `Role` and `RoleBinding` name for the role that allows users to edit the new `Namespace`
The `ClusterRole` and `RoleBinding` name for the cluster role that allows users to edit the new `Namespace`

== `generatedResourceQuota`

Original file line number Diff line number Diff line change
Expand Up @@ -55,38 +55,11 @@ spec:
\n \"kind\": \"Group\"\n \"name\": \"{{organization}}\"\n- \"op\"\
: \"remove\"\n \"path\": \"/metadata/labels/appuio.io~1uninitialized\""
name: patch-uninitialized-default-rolebinding
- generate:
data:
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- watch
- edit
- patch
- delete
kind: Role
name: namespace-owner
namespace: '{{request.object.metadata.name}}'
synchronize: false
match:
all:
- resources:
kinds:
- Namespace
selector:
matchExpressions:
- key: appuio.io/organization
operator: Exists
name: namespace-edit-role
- generate:
data:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
kind: ClusterRole
name: namespace-owner
subjects:
- kind: Group
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations: {}
labels:
app.kubernetes.io/component: appuio-cloud
app.kubernetes.io/managed-by: commodore
app.kubernetes.io/name: appuio-cloud
name: namespace-owner
name: namespace-owner
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- watch
- edit
- patch
- delete
