Skip to content

Commit

Permalink
Permit turtles controller to access the cluster (#804)
Browse files Browse the repository at this point in the history
Signed-off-by: Danil-Grigorev <[email protected]>
  • Loading branch information
Danil-Grigorev authored Oct 25, 2024
1 parent 81c0082 commit 048e7fb
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 0 deletions.
9 changes: 9 additions & 0 deletions exp/etcdrestore/webhooks/rbac.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,10 @@ limitations under the License.
package webhooks

import (
"cmp"
"context"
"fmt"
"os"

authv1 "k8s.io/api/authorization/v1"
clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
Expand All @@ -32,6 +34,13 @@ func validateRBAC(ctx context.Context, cl client.Client, clusterName, clusterNam
return fmt.Errorf("failed to get admission request from context: %w", err)
}

namespace := cmp.Or(os.Getenv("POD_NAMESPACE"), "rancher-turtles-system")

turtlesController := fmt.Sprintf("system:serviceaccount:%s:rancher-turtles-etcdsnapshotrestore-manager", namespace)
if admissionRequest.UserInfo.Username == turtlesController {
return nil
}

sar := authv1.SubjectAccessReview{
Spec: authv1.SubjectAccessReviewSpec{
ResourceAttributes: &authv1.ResourceAttributes{
Expand Down
10 changes: 10 additions & 0 deletions exp/etcdrestore/webhooks/rbac_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -103,4 +103,14 @@ var _ = Describe("RBAC tests", func() {
},
}), cl, "test-cluster", namespace)).ToNot(Succeed())
})

It("should allow turtles controller to access cluster", func() {
Expect(validateRBAC(admission.NewContextWithRequest(ctx, admission.Request{
AdmissionRequest: admissionv1.AdmissionRequest{
UserInfo: authenticationv1.UserInfo{
Username: "system:serviceaccount:rancher-turtles-system:rancher-turtles-etcdsnapshotrestore-manager",
},
},
}), cl, "test-cluster", namespace)).To(Succeed())
})
})

0 comments on commit 048e7fb

Please sign in to comment.