initial role differentiation of DevOps project and namespace

Signed-off-by: Nhongming <talonwan@yunify.com>

pkg/apis/iam/v1alpha2/types.go

@@ -60,6 +60,7 @@ const (
 	ClusterRoleAnnotation                 = "iam.kubesphere.io/clusterrole"
 	RoleAnnotation                        = "iam.kubesphere.io/role"
 	RoleTemplateLabel                     = "iam.kubesphere.io/role-template"
+	ScopeLabelFormat                      = "scope.kubesphere.io/%s"
 	UserReferenceLabel                    = "iam.kubesphere.io/user-ref"
 	IdentifyProviderLabel                 = "iam.kubesphere.io/identify-provider"
 	PasswordEncryptedAnnotation           = "iam.kubesphere.io/password-encrypted"
@@ -68,6 +69,7 @@ const (
 	ScopeWorkspace                        = "workspace"
 	ScopeCluster                          = "cluster"
 	ScopeNamespace                        = "namespace"
+	ScopeDevOps                           = "devops"
 	PlatformAdmin                         = "platform-admin"
 	NamespaceAdmin                        = "admin"
 	WorkspaceAdminFormat                  = "%s-admin"

pkg/controller/namespace/namespace_controller.go

@@ -25,6 +25,7 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/yaml"
@@ -206,7 +207,6 @@ func (r *ReconcileNamespace) bindWorkspace(namespace *corev1.Namespace) error {
 
 func (r *ReconcileNamespace) deleteRouter(namespace string) error {
 	routerName := constants.IngressControllerPrefix + namespace
-
 	// delete service first
 	found := corev1.Service{}
 	err := r.Get(context.TODO(), types.NamespacedName{Namespace: constants.IngressControllerNamespace, Name: routerName}, &found)
@@ -246,7 +246,16 @@ func (r *ReconcileNamespace) deleteRouter(namespace string) error {
 func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error {
 	var roleBases iamv1alpha2.RoleBaseList
 
-	err := r.List(context.Background(), &roleBases)
+	var labelKey string
+	// filtering initial roles by label
+	if namespace.Labels[constants.DevOpsProjectLabelKey] != "" {
+		// scope.kubesphere.io/devops: ""
+		labelKey = fmt.Sprintf(iamv1alpha2.ScopeLabelFormat, iamv1alpha2.ScopeDevOps)
+	} else {
+		// scope.kubesphere.io/namespace: ""
+		labelKey = fmt.Sprintf(iamv1alpha2.ScopeLabelFormat, iamv1alpha2.ScopeNamespace)
+	}
+	err := r.List(context.Background(), &roleBases, client.MatchingLabelsSelector{Selector: labels.SelectorFromSet(labels.Set{labelKey: ""})})
 	if err != nil {
 		klog.Error(err)
 		return err
@@ -254,7 +263,6 @@ func (r *ReconcileNamespace) initRoles(namespace *corev1.Namespace) error {
 
 	for _, roleBase := range roleBases.Items {
 		var role rbacv1.Role
-
 		if err = yaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(roleBase.Role.Raw), 1024).Decode(&role); err == nil && role.Kind == iamv1alpha2.ResourceKindRole {
 			var old rbacv1.Role
 			err := r.Client.Get(context.Background(), types.NamespacedName{Namespace: namespace.Name, Name: role.Name}, &old)

pkg/models/resources/v1alpha3/role/roles.go

@@ -105,18 +105,16 @@ func (d *rolesGetter) fetchAggregationRoles(namespace, name string) ([]*rbacv1.R
 	if annotation := obj.(*rbacv1.Role).Annotations[iamv1alpha2.AggregationRolesAnnotation]; annotation != "" {
 		var roleNames []string
 		if err = json.Unmarshal([]byte(annotation), &roleNames); err == nil {
-
 			for _, roleName := range roleNames {
 				role, err := d.Get(namespace, roleName)
-
 				if err != nil {
 					if errors.IsNotFound(err) {
-						klog.Warningf("invalid aggregation role found: %s, %s", name, roleName)
+						klog.V(6).Infof("invalid aggregation role found: %s, %s", name, roleName)
 						continue
 					}
+					klog.Error(err)
 					return nil, err
 				}
-
 				roles = append(roles, role.(*rbacv1.Role))
 			}
 		}