Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
KubeSphere
kubesphere
提交
02b0d924
K
kubesphere
项目概览
KubeSphere
/
kubesphere
通知
144
Star
32
Fork
5
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
2
Wiki
分析
仓库
DevOps
项目成员
Pages
K
kubesphere
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
2
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
02b0d924
编写于
1月 12, 2021
作者:
R
Roland.Ma
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
add serviceaccount contorller
Signed-off-by:
N
Roland.Ma
<
rolandma@yunify.com
>
上级
35f7e46c
变更
6
隐藏空白更改
内联
并排
Showing
6 changed file
with
331 addition
and
1 deletion
+331
-1
cmd/controller-manager/app/server.go
cmd/controller-manager/app/server.go
+9
-1
pkg/apis/iam/v1alpha2/types.go
pkg/apis/iam/v1alpha2/types.go
+1
-0
pkg/controller/serviceaccount/serviceaccount_controller.go
pkg/controller/serviceaccount/serviceaccount_controller.go
+134
-0
pkg/controller/serviceaccount/serviceaccount_controller_suite_test.go
...er/serviceaccount/serviceaccount_controller_suite_test.go
+101
-0
pkg/controller/serviceaccount/serviceaccount_controller_test.go
...ntroller/serviceaccount/serviceaccount_controller_test.go
+83
-0
pkg/controller/utils/controller/basecontroller.go
pkg/controller/utils/controller/basecontroller.go
+3
-0
未找到文件。
cmd/controller-manager/app/server.go
浏览文件 @
02b0d924
...
...
@@ -18,6 +18,8 @@ package app
import
(
"fmt"
"os"
"github.com/spf13/cobra"
utilerrors
"k8s.io/apimachinery/pkg/util/errors"
cliflag
"k8s.io/component-base/cli/flag"
...
...
@@ -29,6 +31,7 @@ import (
appcontroller
"kubesphere.io/kubesphere/pkg/controller/application"
"kubesphere.io/kubesphere/pkg/controller/namespace"
"kubesphere.io/kubesphere/pkg/controller/network/webhooks"
"kubesphere.io/kubesphere/pkg/controller/serviceaccount"
"kubesphere.io/kubesphere/pkg/controller/user"
"kubesphere.io/kubesphere/pkg/controller/workspace"
"kubesphere.io/kubesphere/pkg/controller/workspacerole"
...
...
@@ -43,7 +46,6 @@ import (
"kubesphere.io/kubesphere/pkg/simple/client/s3"
"kubesphere.io/kubesphere/pkg/utils/metrics"
"kubesphere.io/kubesphere/pkg/utils/term"
"os"
application
"sigs.k8s.io/application/controllers"
ctrl
"sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/manager"
...
...
@@ -231,6 +233,12 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
klog
.
Fatal
(
"Unable to create application controller"
)
}
saReconciler
:=
&
serviceaccount
.
Reconciler
{}
if
err
=
saReconciler
.
SetupWithManager
(
mgr
);
err
!=
nil
{
klog
.
Fatal
(
"Unable to create ServiceAccount controller"
)
}
// TODO(jeff): refactor config with CRD
servicemeshEnabled
:=
s
.
ServiceMeshOptions
!=
nil
&&
len
(
s
.
ServiceMeshOptions
.
IstioPilotHost
)
!=
0
if
err
=
addControllers
(
mgr
,
...
...
pkg/apis/iam/v1alpha2/types.go
浏览文件 @
02b0d924
...
...
@@ -65,6 +65,7 @@ const (
UserReferenceLabel
=
"iam.kubesphere.io/user-ref"
IdentifyProviderLabel
=
"iam.kubesphere.io/identify-provider"
OriginUIDLabel
=
"iam.kubesphere.io/origin-uid"
ServiceAccountReferenceLabel
=
"iam.kubesphere.io/serviceaccount-ref"
FieldEmail
=
"email"
ExtraEmail
=
FieldEmail
ExtraIdentityProvider
=
"idp"
...
...
pkg/controller/serviceaccount/serviceaccount_controller.go
0 → 100644
浏览文件 @
02b0d924
/*
Copyright 2020 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
serviceaccount
import
(
"context"
"fmt"
"github.com/go-logr/logr"
corev1
"k8s.io/api/core/v1"
rbacv1
"k8s.io/api/rbac/v1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/record"
iamv1alpha2
"kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
controllerutils
"kubesphere.io/kubesphere/pkg/controller/utils/controller"
ctrl
"sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
)
const
(
controllerName
=
"serviceaccount-controller"
)
// Reconciler reconciles a ServiceAccount object
type
Reconciler
struct
{
client
.
Client
logger
logr
.
Logger
recorder
record
.
EventRecorder
scheme
*
runtime
.
Scheme
}
func
(
r
*
Reconciler
)
SetupWithManager
(
mgr
ctrl
.
Manager
)
error
{
if
r
.
Client
==
nil
{
r
.
Client
=
mgr
.
GetClient
()
}
if
r
.
logger
==
nil
{
r
.
logger
=
ctrl
.
Log
.
WithName
(
"controllers"
)
.
WithName
(
controllerName
)
}
if
r
.
scheme
==
nil
{
r
.
scheme
=
mgr
.
GetScheme
()
}
if
r
.
recorder
==
nil
{
r
.
recorder
=
mgr
.
GetEventRecorderFor
(
controllerName
)
}
return
ctrl
.
NewControllerManagedBy
(
mgr
)
.
Named
(
controllerName
)
.
For
(
&
corev1
.
ServiceAccount
{})
.
Complete
(
r
)
}
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
func
(
r
*
Reconciler
)
Reconcile
(
req
ctrl
.
Request
)
(
ctrl
.
Result
,
error
)
{
logger
:=
r
.
logger
.
WithValues
(
"serivceaccount"
,
req
.
NamespacedName
)
ctx
:=
context
.
Background
()
sa
:=
&
corev1
.
ServiceAccount
{}
if
err
:=
r
.
Get
(
ctx
,
req
.
NamespacedName
,
sa
);
err
!=
nil
{
return
ctrl
.
Result
{},
client
.
IgnoreNotFound
(
err
)
}
if
_
,
ok
:=
sa
.
Annotations
[
iamv1alpha2
.
RoleAnnotation
];
ok
&&
sa
.
ObjectMeta
.
DeletionTimestamp
.
IsZero
()
{
if
err
:=
r
.
CreateOrUpdateRoleBinding
(
ctx
,
logger
,
sa
);
err
!=
nil
{
r
.
recorder
.
Event
(
sa
,
corev1
.
EventTypeWarning
,
controllerutils
.
FailedSynced
,
err
.
Error
())
return
ctrl
.
Result
{},
err
}
r
.
recorder
.
Event
(
sa
,
corev1
.
EventTypeNormal
,
controllerutils
.
SuccessSynced
,
controllerutils
.
MessageResourceSynced
)
}
return
ctrl
.
Result
{},
nil
}
func
(
r
*
Reconciler
)
CreateOrUpdateRoleBinding
(
ctx
context
.
Context
,
logger
logr
.
Logger
,
sa
*
corev1
.
ServiceAccount
)
error
{
roleName
:=
sa
.
Annotations
[
iamv1alpha2
.
RoleAnnotation
]
if
roleName
==
""
{
return
nil
}
var
role
rbacv1
.
Role
if
err
:=
r
.
Get
(
ctx
,
types
.
NamespacedName
{
Name
:
roleName
,
Namespace
:
sa
.
Namespace
},
&
role
);
err
!=
nil
{
return
err
}
// Delete existing rolebindings.
saRoleBinding
:=
&
rbacv1
.
RoleBinding
{}
_
=
r
.
Client
.
DeleteAllOf
(
ctx
,
saRoleBinding
,
client
.
InNamespace
(
sa
.
Namespace
),
client
.
MatchingLabels
{
iamv1alpha2
.
ServiceAccountReferenceLabel
:
sa
.
Name
})
saRoleBinding
=
&
rbacv1
.
RoleBinding
{
ObjectMeta
:
metav1
.
ObjectMeta
{
GenerateName
:
fmt
.
Sprintf
(
"%s-%s-"
,
sa
.
Name
,
roleName
),
Labels
:
map
[
string
]
string
{
iamv1alpha2
.
ServiceAccountReferenceLabel
:
sa
.
Name
},
Namespace
:
sa
.
Namespace
,
},
RoleRef
:
rbacv1
.
RoleRef
{
APIGroup
:
rbacv1
.
GroupName
,
Kind
:
iamv1alpha2
.
ResourceKindRole
,
Name
:
roleName
,
},
Subjects
:
[]
rbacv1
.
Subject
{
{
Name
:
sa
.
Name
,
Kind
:
rbacv1
.
ServiceAccountKind
,
Namespace
:
sa
.
Namespace
,
},
},
}
if
err
:=
controllerutil
.
SetControllerReference
(
sa
,
saRoleBinding
,
r
.
scheme
);
err
!=
nil
{
logger
.
Error
(
err
,
"set controller reference failed"
)
return
err
}
logger
.
V
(
4
)
.
Info
(
"create ServiceAccount rolebinding"
,
"ServiceAccount"
,
sa
.
Name
)
if
err
:=
r
.
Client
.
Create
(
ctx
,
saRoleBinding
);
err
!=
nil
{
logger
.
Error
(
err
,
"create rolebinding failed"
)
return
err
}
return
nil
}
pkg/controller/serviceaccount/serviceaccount_controller_suite_test.go
0 → 100644
浏览文件 @
02b0d924
/*
Copyright 2019 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
serviceaccount
import
(
"os"
"path/filepath"
"testing"
"time"
"github.com/onsi/gomega/gexec"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/klog/klogr"
"kubesphere.io/kubesphere/pkg/apis"
ctrl
"sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
logf
"sigs.k8s.io/controller-runtime/pkg/log"
.
"github.com/onsi/ginkgo"
.
"github.com/onsi/gomega"
"sigs.k8s.io/controller-runtime/pkg/envtest"
"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
)
// These tests use Ginkgo (BDD-style Go testing framework). Refer to
// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
var
k8sClient
client
.
Client
var
k8sManager
ctrl
.
Manager
var
testEnv
*
envtest
.
Environment
func
TestMain
(
t
*
testing
.
T
)
{
RegisterFailHandler
(
Fail
)
RunSpecsWithDefaultAndCustomReporters
(
t
,
"ServiceAccount Controller Test Suite"
,
[]
Reporter
{
printer
.
NewlineReporter
{}})
}
var
_
=
BeforeSuite
(
func
(
done
Done
)
{
logf
.
SetLogger
(
klogr
.
New
())
By
(
"bootstrapping test environment"
)
t
:=
true
if
os
.
Getenv
(
"TEST_USE_EXISTING_CLUSTER"
)
==
"true"
{
testEnv
=
&
envtest
.
Environment
{
UseExistingCluster
:
&
t
,
}
}
else
{
testEnv
=
&
envtest
.
Environment
{
CRDDirectoryPaths
:
[]
string
{
filepath
.
Join
(
".."
,
".."
,
".."
,
"config"
,
"crds"
)},
AttachControlPlaneOutput
:
false
,
}
}
cfg
,
err
:=
testEnv
.
Start
()
Expect
(
err
)
.
ToNot
(
HaveOccurred
())
Expect
(
cfg
)
.
ToNot
(
BeNil
())
err
=
apis
.
AddToScheme
(
scheme
.
Scheme
)
Expect
(
err
)
.
NotTo
(
HaveOccurred
())
k8sManager
,
err
=
ctrl
.
NewManager
(
cfg
,
ctrl
.
Options
{
Scheme
:
scheme
.
Scheme
,
MetricsBindAddress
:
"0"
,
})
Expect
(
err
)
.
ToNot
(
HaveOccurred
())
err
=
(
&
Reconciler
{})
.
SetupWithManager
(
k8sManager
)
Expect
(
err
)
.
ToNot
(
HaveOccurred
())
go
func
()
{
err
=
k8sManager
.
Start
(
ctrl
.
SetupSignalHandler
())
Expect
(
err
)
.
ToNot
(
HaveOccurred
())
}()
k8sClient
=
k8sManager
.
GetClient
()
Expect
(
k8sClient
)
.
ToNot
(
BeNil
())
close
(
done
)
},
160
)
var
_
=
AfterSuite
(
func
()
{
By
(
"tearing down the test environment"
)
gexec
.
KillAndWait
(
5
*
time
.
Second
)
err
:=
testEnv
.
Stop
()
Expect
(
err
)
.
ToNot
(
HaveOccurred
())
})
pkg/controller/serviceaccount/serviceaccount_controller_test.go
0 → 100644
浏览文件 @
02b0d924
/*
Copyright 2019 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
serviceaccount
import
(
"context"
"time"
.
"github.com/onsi/ginkgo"
.
"github.com/onsi/gomega"
corev1
"k8s.io/api/core/v1"
rbacv1
"k8s.io/api/rbac/v1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
iamv1alpha2
"kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
"sigs.k8s.io/controller-runtime/pkg/client"
)
var
_
=
Describe
(
"ServiceAccount"
,
func
()
{
const
(
saName
=
"test-serviceaccount"
saNamespace
=
"default"
saRole
=
"test-role"
timeout
=
time
.
Second
*
30
interval
=
time
.
Second
*
1
)
role
:=
&
rbacv1
.
Role
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
saRole
,
Namespace
:
saNamespace
,
},
}
BeforeEach
(
func
()
{
// Create workspace
Expect
(
k8sClient
.
Create
(
context
.
Background
(),
role
))
.
Should
(
Succeed
())
})
// Add Tests for OpenAPI validation (or additonal CRD features) specified in
// your API definition.
// Avoid adding tests for vanilla CRUD operations because they would
// test Kubernetes API server, which isn't the goal here.
Context
(
"ServiceAccount Controller"
,
func
()
{
It
(
"Should create successfully"
,
func
()
{
ctx
:=
context
.
Background
()
sa
:=
&
corev1
.
ServiceAccount
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
saName
,
Namespace
:
saNamespace
,
Annotations
:
map
[
string
]
string
{
iamv1alpha2
.
RoleAnnotation
:
saRole
},
},
}
By
(
"Expecting to create serviceaccount successfully"
)
Expect
(
k8sClient
.
Create
(
ctx
,
sa
))
.
Should
(
Succeed
())
expectedSa
:=
&
corev1
.
ServiceAccount
{}
Eventually
(
func
()
bool
{
k8sClient
.
Get
(
ctx
,
types
.
NamespacedName
{
Name
:
sa
.
Name
,
Namespace
:
sa
.
Namespace
},
expectedSa
)
return
!
expectedSa
.
CreationTimestamp
.
IsZero
()
},
timeout
,
interval
)
.
Should
(
BeTrue
())
By
(
"Expecting to bind role successfully"
)
rolebindings
:=
&
rbacv1
.
RoleBindingList
{}
Eventually
(
func
()
bool
{
k8sClient
.
List
(
ctx
,
rolebindings
,
client
.
InNamespace
(
sa
.
Namespace
),
client
.
MatchingLabels
{
iamv1alpha2
.
ServiceAccountReferenceLabel
:
sa
.
Name
})
return
len
(
rolebindings
.
Items
)
==
1
},
timeout
,
interval
)
.
Should
(
BeTrue
())
})
})
})
pkg/controller/utils/controller/basecontroller.go
浏览文件 @
02b0d924
...
...
@@ -30,6 +30,9 @@ import (
const
(
// SuccessSynced is used as part of the Event 'reason' when a Foo is synced
SuccessSynced
=
"Synced"
// FailedSynced is used as part of the Event 'reason' when a Foo is not synced
FailedSynced
=
"FailedSync"
// is synced successfully
MessageResourceSynced
=
"Synced successfully"
)
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录