Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
水淹萌龙
kubesphere
提交
a908757c
K
kubesphere
项目概览
水淹萌龙
/
kubesphere
与 Fork 源项目一致
Fork自
KubeSphere / kubesphere
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
K
kubesphere
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
提交
a908757c
编写于
11月 22, 2018
作者:
H
hongming
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
fix bug: rolebinding cannot delete
上级
49d40f48
变更
5
隐藏空白更改
内联
并排
Showing
5 changed file
with
97 addition
and
60 deletion
+97
-60
pkg/apis/v1alpha/workspaces/workspaces.go
pkg/apis/v1alpha/workspaces/workspaces.go
+1
-1
pkg/constants/common.go
pkg/constants/common.go
+5
-0
pkg/models/controllers/clusterrole_bindings.go
pkg/models/controllers/clusterrole_bindings.go
+6
-2
pkg/models/controllers/namespaces.go
pkg/models/controllers/namespaces.go
+55
-27
pkg/models/workspaces/workspaces.go
pkg/models/workspaces/workspaces.go
+30
-30
未找到文件。
pkg/apis/v1alpha/workspaces/workspaces.go
浏览文件 @
a908757c
...
...
@@ -55,7 +55,7 @@ func RoleHandler(req *restful.Request, resp *restful.Response) {
workspaceName
:=
req
.
PathParameter
(
"name"
)
roleName
:=
req
.
PathParameter
(
"role"
)
if
!
slice
.
ContainsString
(
workspace
s
.
WorkSpaceRoles
,
roleName
,
nil
)
{
if
!
slice
.
ContainsString
(
constant
s
.
WorkSpaceRoles
,
roleName
,
nil
)
{
resp
.
WriteHeaderAndEntity
(
http
.
StatusNotFound
,
constants
.
MessageResponse
{
Message
:
fmt
.
Sprintf
(
"role %s not found"
,
roleName
)})
return
}
...
...
pkg/constants/common.go
浏览文件 @
a908757c
...
...
@@ -44,6 +44,10 @@ const (
AccountAPIServerEnv
=
"ACCOUNT_API_SERVER"
DevopsProxyTokenEnv
=
"DEVOPS_PROXY_TOKEN"
OpenPitrixProxyTokenEnv
=
"OPENPITRIX_PROXY_TOKEN"
WorkspaceLabelKey
=
"kubesphere.io/workspace"
WorkspaceAdmin
=
"workspace-admin"
WorkspaceRegular
=
"workspace-regular"
WorkspaceViewer
=
"workspace-viewer"
)
var
(
...
...
@@ -51,6 +55,7 @@ var (
AccountAPIServer
=
"ks-account.kubesphere-system.svc"
DevopsProxyToken
=
""
OpenPitrixProxyToken
=
""
WorkSpaceRoles
=
[]
string
{
WorkspaceAdmin
,
WorkspaceRegular
,
WorkspaceViewer
}
)
func
init
()
{
...
...
pkg/models/controllers/clusterrole_bindings.go
浏览文件 @
a908757c
...
...
@@ -22,6 +22,8 @@ import (
"fmt"
"regexp"
"strings"
"github.com/golang/glog"
"github.com/pkg/errors"
rbac
"k8s.io/api/rbac/v1"
...
...
@@ -29,6 +31,8 @@ import (
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/informers"
"k8s.io/client-go/tools/cache"
"kubesphere.io/kubesphere/pkg/constants"
)
func
(
ctl
*
ClusterRoleBindingCtl
)
Name
()
string
{
...
...
@@ -43,14 +47,14 @@ func (ctl *ClusterRoleBindingCtl) sync(stopChan chan struct{}) {
func
(
ctl
*
ClusterRoleBindingCtl
)
total
()
int
{
list
,
err
:=
ctl
.
lister
.
List
(
labels
.
Everything
())
if
err
!=
nil
{
glog
.
Errorf
(
"count %s fa
lied, reason:%s"
,
err
,
ctl
.
Name
()
)
glog
.
Errorf
(
"count %s fa
iled, reason:%s"
,
ctl
.
Name
(),
err
)
return
0
}
return
len
(
list
)
}
func
(
ctl
*
ClusterRoleBindingCtl
)
handleWorkspaceRoleChange
(
clusterRole
*
rbac
.
ClusterRoleBinding
)
{
if
groups
:=
regexp
.
MustCompile
(
`^system:(\S+):(admin|operator|viewer)$`
)
.
FindStringSubmatch
(
clusterRole
.
Name
);
len
(
groups
)
==
3
{
if
groups
:=
regexp
.
MustCompile
(
fmt
.
Sprintf
(
`^system:(\S+):(%s)$`
,
strings
.
Join
(
constants
.
WorkSpaceRoles
,
"|"
))
)
.
FindStringSubmatch
(
clusterRole
.
Name
);
len
(
groups
)
==
3
{
workspace
:=
groups
[
1
]
go
ctl
.
restNamespaceRoleBinding
(
workspace
)
}
...
...
pkg/models/controllers/namespaces.go
浏览文件 @
a908757c
...
...
@@ -46,7 +46,7 @@ import (
const
(
provider
=
"kubernetes"
admin
=
"admin"
editor
=
"operator"
operator
=
"operator"
viewer
=
"viewer"
kubectlNamespace
=
constants
.
KubeSphereControlNamespace
kubectlConfigKey
=
"config"
...
...
@@ -133,13 +133,10 @@ func (ctl *NamespaceCtl) createOpRuntime(namespace string) ([]byte, error) {
return
makeHttpRequest
(
"POST"
,
url
,
string
(
body
))
}
func
(
ctl
*
NamespaceCtl
)
createDefaultRoleBinding
(
namespace
*
v1
.
Namespace
)
error
{
func
(
ctl
*
NamespaceCtl
)
updateSystemRoleBindings
(
namespace
*
v1
.
Namespace
)
error
{
workspace
:=
""
creator
:=
""
if
namespace
.
Annotations
!=
nil
{
creator
=
namespace
.
Annotations
[
creatorAnnotateKey
]
}
if
namespace
.
Labels
!=
nil
{
workspace
=
namespace
.
Labels
[
workspaceLabelKey
]
}
...
...
@@ -159,12 +156,8 @@ func (ctl *NamespaceCtl) createDefaultRoleBinding(namespace *v1.Namespace) error
adminBinding
.
Subjects
=
make
([]
rbac
.
Subject
,
0
)
if
creator
!=
""
{
adminBinding
.
Subjects
=
append
(
adminBinding
.
Subjects
,
rbac
.
Subject
{
Name
:
creator
,
Kind
:
rbac
.
UserKind
})
}
if
workspace
!=
""
{
workspaceAdmin
,
err
:=
ctl
.
K8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Get
(
fmt
.
Sprintf
(
"system:%s:
admin"
,
workspace
),
metaV1
.
GetOptions
{})
workspaceAdmin
,
err
:=
ctl
.
K8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Get
(
fmt
.
Sprintf
(
"system:%s:
%s"
,
workspace
,
constants
.
WorkspaceAdmin
),
metaV1
.
GetOptions
{})
if
err
!=
nil
{
return
err
}
...
...
@@ -197,7 +190,7 @@ func (ctl *NamespaceCtl) createDefaultRoleBinding(namespace *v1.Namespace) error
viewerBinding
.
Subjects
=
make
([]
rbac
.
Subject
,
0
)
if
workspace
!=
""
{
workspaceViewer
,
err
:=
ctl
.
K8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Get
(
fmt
.
Sprintf
(
"system:%s:
viewer"
,
workspace
),
metaV1
.
GetOptions
{})
workspaceViewer
,
err
:=
ctl
.
K8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Get
(
fmt
.
Sprintf
(
"system:%s:
%s"
,
workspace
,
constants
.
WorkspaceViewer
),
metaV1
.
GetOptions
{})
if
err
!=
nil
{
return
err
}
...
...
@@ -217,24 +210,64 @@ func (ctl *NamespaceCtl) createDefaultRoleBinding(namespace *v1.Namespace) error
return
nil
}
func
(
ctl
*
NamespaceCtl
)
createDefaultRole
(
ns
string
)
error
{
adminRole
:=
&
rbac
.
Role
{
ObjectMeta
:
metaV1
.
ObjectMeta
{
Name
:
admin
,
Namespace
:
ns
,
Annotations
:
map
[
string
]
string
{
"creator"
:
"system"
}},
Rules
:
adminRules
}
editorRole
:=
&
rbac
.
Role
{
ObjectMeta
:
metaV1
.
ObjectMeta
{
Name
:
editor
,
Namespace
:
ns
,
Annotations
:
map
[
string
]
string
{
"creator"
:
"system"
}},
Rules
:
editorRules
}
viewerRole
:=
&
rbac
.
Role
{
ObjectMeta
:
metaV1
.
ObjectMeta
{
Name
:
viewer
,
Namespace
:
ns
,
Annotations
:
map
[
string
]
string
{
"creator"
:
"system"
}},
Rules
:
viewerRules
}
func
(
ctl
*
NamespaceCtl
)
createDefaultRoleBinding
(
namespace
*
v1
.
Namespace
)
error
{
creator
:=
""
if
namespace
.
Annotations
!=
nil
{
creator
=
namespace
.
Annotations
[
creatorAnnotateKey
]
}
// create once
if
creator
!=
""
{
creatorBindingName
:=
fmt
.
Sprintf
(
"%s-admin"
,
creator
)
creatorBinding
,
err
:=
ctl
.
K8sClient
.
RbacV1
()
.
RoleBindings
(
namespace
.
Name
)
.
Get
(
creatorBindingName
,
metaV1
.
GetOptions
{})
if
err
!=
nil
{
if
errors
.
IsNotFound
(
err
)
{
creatorBinding
=
new
(
rbac
.
RoleBinding
)
creatorBinding
.
Name
=
creatorBindingName
creatorBinding
.
Namespace
=
namespace
.
Name
creatorBinding
.
RoleRef
=
rbac
.
RoleRef
{
Kind
:
"Role"
,
Name
:
admin
}
}
else
{
return
err
}
}
creatorBinding
.
Subjects
=
[]
rbac
.
Subject
{{
Kind
:
rbac
.
UserKind
,
Name
:
creator
}}
if
creatorBinding
.
ResourceVersion
==
""
{
_
,
err
=
ctl
.
K8sClient
.
RbacV1
()
.
RoleBindings
(
namespace
.
Name
)
.
Create
(
creatorBinding
)
}
else
{
_
,
err
=
ctl
.
K8sClient
.
RbacV1
()
.
RoleBindings
(
namespace
.
Name
)
.
Update
(
creatorBinding
)
}
_
,
err
:=
ctl
.
K8sClient
.
RbacV1
()
.
Roles
(
ns
)
.
Create
(
adminRole
)
if
err
!=
nil
{
return
err
}
}
return
nil
}
func
(
ctl
*
NamespaceCtl
)
CreateDefaultRoleAndRoleBinding
(
namespace
*
v1
.
Namespace
)
error
{
adminRole
:=
&
rbac
.
Role
{
ObjectMeta
:
metaV1
.
ObjectMeta
{
Name
:
admin
,
Namespace
:
namespace
.
Name
,
Annotations
:
map
[
string
]
string
{
creatorAnnotateKey
:
"system"
}},
Rules
:
adminRules
}
operatorRole
:=
&
rbac
.
Role
{
ObjectMeta
:
metaV1
.
ObjectMeta
{
Name
:
operator
,
Namespace
:
namespace
.
Name
,
Annotations
:
map
[
string
]
string
{
creatorAnnotateKey
:
"system"
}},
Rules
:
editorRules
}
viewerRole
:=
&
rbac
.
Role
{
ObjectMeta
:
metaV1
.
ObjectMeta
{
Name
:
viewer
,
Namespace
:
namespace
.
Name
,
Annotations
:
map
[
string
]
string
{
creatorAnnotateKey
:
"system"
}},
Rules
:
viewerRules
}
_
,
err
:=
ctl
.
K8sClient
.
RbacV1
()
.
Roles
(
namespace
.
Name
)
.
Create
(
adminRole
)
if
err
!=
nil
&&
!
errors
.
IsAlreadyExists
(
err
)
{
return
err
}
else
if
err
==
nil
{
if
err
:=
ctl
.
createDefaultRoleBinding
(
namespace
);
err
!=
nil
{
glog
.
Warning
(
"default role binding create failed"
,
namespace
.
Name
)
}
}
_
,
err
=
ctl
.
K8sClient
.
RbacV1
()
.
Roles
(
n
s
)
.
Create
(
edi
torRole
)
_
,
err
=
ctl
.
K8sClient
.
RbacV1
()
.
Roles
(
n
amespace
.
Name
)
.
Create
(
opera
torRole
)
if
err
!=
nil
&&
!
errors
.
IsAlreadyExists
(
err
)
{
return
err
}
_
,
err
=
ctl
.
K8sClient
.
RbacV1
()
.
Roles
(
n
s
)
.
Create
(
viewerRole
)
_
,
err
=
ctl
.
K8sClient
.
RbacV1
()
.
Roles
(
n
amespace
.
Name
)
.
Create
(
viewerRole
)
if
err
!=
nil
&&
!
errors
.
IsAlreadyExists
(
err
)
{
return
err
...
...
@@ -254,27 +287,22 @@ func (ctl *NamespaceCtl) createRoleAndRuntime(namespace *v1.Namespace) {
componentsNamespaces
:=
[]
string
{
constants
.
KubeSystemNamespace
,
constants
.
OpenPitrixNamespace
,
constants
.
IstioNamespace
,
constants
.
KubeSphereNamespace
}
if
runtime
==
""
&&
!
slice
.
ContainsString
(
componentsNamespaces
,
namespace
.
Name
,
nil
)
{
glog
.
Infoln
(
"create runtime:"
,
namespace
.
Name
)
_
,
runtimeCreateError
:=
ctl
.
createOpRuntime
(
namespace
.
Name
)
if
runtimeCreateError
!=
nil
{
glog
.
Error
(
"runtime create error:"
,
runtimeCreateError
)
}
}
if
initTime
==
""
{
err
:=
ctl
.
createDefaultRole
(
namespace
.
Name
)
glog
.
Infoln
(
"create default role:"
,
namespace
.
Name
)
err
:=
ctl
.
CreateDefaultRoleAndRoleBinding
(
namespace
)
if
err
==
nil
{
err
=
ctl
.
createDefaultRoleBinding
(
namespace
)
glog
.
Infoln
(
"create default role binding:"
,
namespace
.
Name
)
err
=
ctl
.
updateSystemRoleBindings
(
namespace
)
if
err
!=
nil
{
glog
.
Error
(
"
default role binding cre
ate error:"
,
err
)
glog
.
Error
(
"
role binding upd
ate error:"
,
err
)
}
}
else
{
glog
.
Error
(
"default role create error:"
,
err
)
}
if
err
==
nil
{
pathJson
:=
fmt
.
Sprintf
(
`{"metadata":{"annotations":{"%s":"%s"}}}`
,
initTimeAnnotateKey
,
time
.
Now
()
.
UTC
()
.
Format
(
"2006-01-02T15:04:05Z"
))
_
,
err
=
ctl
.
K8sClient
.
CoreV1
()
.
Namespaces
()
.
Patch
(
namespace
.
Name
,
"application/strategic-merge-patch+json"
,
[]
byte
(
pathJson
))
...
...
pkg/models/workspaces/workspaces.go
浏览文件 @
a908757c
...
...
@@ -35,12 +35,6 @@ import (
ksErr
"kubesphere.io/kubesphere/pkg/util/errors"
)
const
(
WorkspaceKey
=
"kubesphere.io/workspace"
)
var
WorkSpaceRoles
=
[]
string
{
"admin"
,
"operator"
,
"viewer"
}
func
UnBindDevopsProject
(
workspace
string
,
devops
string
)
error
{
db
:=
client
.
NewSharedDBClient
()
defer
db
.
Close
()
...
...
@@ -283,7 +277,7 @@ func DeleteNamespace(workspace string, namespaceName string) error {
return
err
}
if
namespace
.
Labels
!=
nil
&&
namespace
.
Labels
[
"kubesphere.io/workspace"
]
==
workspace
{
deletePolicy
:=
meta_v1
.
DeletePropagation
Back
ground
deletePolicy
:=
meta_v1
.
DeletePropagation
Fore
ground
return
client
.
NewK8sClient
()
.
CoreV1
()
.
Namespaces
()
.
Delete
(
namespaceName
,
&
meta_v1
.
DeleteOptions
{
PropagationPolicy
:
&
deletePolicy
})
}
else
{
return
errors
.
New
(
"resource not found"
)
...
...
@@ -347,7 +341,7 @@ func workspaceRoleRelease(workspace string) error {
k8sClient
:=
client
.
NewK8sClient
()
deletePolicy
:=
meta_v1
.
DeletePropagationForeground
for
_
,
role
:=
range
WorkSpaceRoles
{
for
_
,
role
:=
range
constants
.
WorkSpaceRoles
{
err
:=
k8sClient
.
RbacV1
()
.
ClusterRoles
()
.
Delete
(
fmt
.
Sprintf
(
"system:%s:%s"
,
workspace
,
role
),
&
meta_v1
.
DeleteOptions
{
PropagationPolicy
:
&
deletePolicy
})
if
err
!=
nil
&&
!
apierrors
.
IsNotFound
(
err
)
{
...
...
@@ -355,7 +349,7 @@ func workspaceRoleRelease(workspace string) error {
}
}
for
_
,
role
:=
range
WorkSpaceRoles
{
for
_
,
role
:=
range
constants
.
WorkSpaceRoles
{
err
:=
k8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Delete
(
fmt
.
Sprintf
(
"system:%s:%s"
,
workspace
,
role
),
&
meta_v1
.
DeleteOptions
{
PropagationPolicy
:
&
deletePolicy
})
if
err
!=
nil
&&
!
apierrors
.
IsNotFound
(
err
)
{
...
...
@@ -516,7 +510,7 @@ func ListWorkspaceByUser(username string, keyword string) ([]*Workspace, error)
}
else
{
workspaceNames
:=
make
([]
string
,
0
)
for
_
,
clusterRole
:=
range
clusterRoles
{
if
groups
:=
regexp
.
MustCompile
(
`^system:(\S+):(admin|operator|viewer)$`
)
.
FindStringSubmatch
(
clusterRole
.
Name
);
len
(
groups
)
==
3
{
if
groups
:=
regexp
.
MustCompile
(
fmt
.
Sprintf
(
`^system:(\S+):(%s)$`
,
strings
.
Join
(
constants
.
WorkSpaceRoles
,
"|"
))
)
.
FindStringSubmatch
(
clusterRole
.
Name
);
len
(
groups
)
==
3
{
if
!
slice
.
ContainsString
(
workspaceNames
,
groups
[
1
],
nil
)
{
workspaceNames
=
append
(
workspaceNames
,
groups
[
1
])
}
...
...
@@ -721,12 +715,18 @@ func CreateNamespace(namespace *core.Namespace) (*core.Namespace, error) {
return
nil
,
err
}
if
ctl
,
ok
:=
controllers
.
ResourceControllers
.
Controllers
[
controllers
.
Namespaces
];
ok
{
if
nsCtl
,
ok
:=
ctl
.
(
*
controllers
.
NamespaceCtl
);
ok
{
nsCtl
.
CreateDefaultRoleAndRoleBinding
(
ns
)
}
}
return
ns
,
nil
}
func
Invite
(
workspaceName
string
,
users
[]
UserInvite
)
error
{
for
_
,
user
:=
range
users
{
if
!
slice
.
ContainsString
(
WorkSpaceRoles
,
user
.
Role
,
nil
)
{
if
!
slice
.
ContainsString
(
constants
.
WorkSpaceRoles
,
user
.
Role
,
nil
)
{
return
fmt
.
Errorf
(
"role %s not exist"
,
user
.
Role
)
}
}
...
...
@@ -807,7 +807,7 @@ func Roles(workspace *Workspace) ([]*v1.ClusterRole, error) {
k8sClient
:=
client
.
NewK8sClient
()
for
_
,
name
:=
range
WorkSpaceRoles
{
for
_
,
name
:=
range
constants
.
WorkSpaceRoles
{
role
,
err
:=
k8sClient
.
RbacV1
()
.
ClusterRoles
()
.
Get
(
fmt
.
Sprintf
(
"system:%s:%s"
,
workspace
.
Name
,
name
),
meta_v1
.
GetOptions
{})
if
err
!=
nil
{
...
...
@@ -859,7 +859,7 @@ func WorkspaceRoleInit(workspace *Workspace) error {
k8sClient
:=
client
.
NewK8sClient
()
admin
:=
new
(
v1
.
ClusterRole
)
admin
.
Name
=
fmt
.
Sprintf
(
"system:%s:
admin"
,
workspace
.
Name
)
admin
.
Name
=
fmt
.
Sprintf
(
"system:%s:
%s"
,
workspace
.
Name
,
constants
.
WorkspaceAdmin
)
admin
.
Kind
=
iam
.
ClusterRoleKind
admin
.
Rules
=
[]
v1
.
PolicyRule
{
{
...
...
@@ -899,10 +899,10 @@ func WorkspaceRoleInit(workspace *Workspace) error {
admin
.
Labels
=
map
[
string
]
string
{
"creator"
:
"system"
}
operato
r
:=
new
(
v1
.
ClusterRole
)
operator
.
Name
=
fmt
.
Sprintf
(
"system:%s:operator"
,
workspace
.
Name
)
operato
r
.
Kind
=
iam
.
ClusterRoleKind
operato
r
.
Rules
=
[]
v1
.
PolicyRule
{
regula
r
:=
new
(
v1
.
ClusterRole
)
regular
.
Name
=
fmt
.
Sprintf
(
"system:%s:%s"
,
workspace
.
Name
,
constants
.
WorkspaceRegular
)
regula
r
.
Kind
=
iam
.
ClusterRoleKind
regula
r
.
Rules
=
[]
v1
.
PolicyRule
{
{
Verbs
:
[]
string
{
"get"
},
APIGroups
:
[]
string
{
"kubesphere.io"
},
...
...
@@ -948,10 +948,10 @@ func WorkspaceRoleInit(workspace *Workspace) error {
},
}
operato
r
.
Labels
=
map
[
string
]
string
{
"creator"
:
"system"
}
regula
r
.
Labels
=
map
[
string
]
string
{
"creator"
:
"system"
}
viewer
:=
new
(
v1
.
ClusterRole
)
viewer
.
Name
=
fmt
.
Sprintf
(
"system:%s:
viewer"
,
workspace
.
Name
)
viewer
.
Name
=
fmt
.
Sprintf
(
"system:%s:
%s"
,
workspace
.
Name
,
constants
.
WorkspaceViewer
)
viewer
.
Kind
=
iam
.
ClusterRoleKind
viewer
.
Rules
=
[]
v1
.
PolicyRule
{
{
...
...
@@ -1011,7 +1011,7 @@ func WorkspaceRoleInit(workspace *Workspace) error {
}
}
_
,
err
=
k8sClient
.
RbacV1
()
.
ClusterRoles
()
.
Create
(
operato
r
)
_
,
err
=
k8sClient
.
RbacV1
()
.
ClusterRoles
()
.
Create
(
regula
r
)
if
err
!=
nil
{
if
!
apierrors
.
IsAlreadyExists
(
err
)
{
log
.
Println
(
"cluster role create failed"
,
viewer
.
Name
,
err
)
...
...
@@ -1019,14 +1019,14 @@ func WorkspaceRoleInit(workspace *Workspace) error {
}
}
operato
rRoleBinding
:=
new
(
v1
.
ClusterRoleBinding
)
operatorRoleBinding
.
Name
=
operato
r
.
Name
operatorRoleBinding
.
RoleRef
=
v1
.
RoleRef
{
Kind
:
"ClusterRole"
,
Name
:
operato
r
.
Name
}
operato
rRoleBinding
.
Subjects
=
make
([]
v1
.
Subject
,
0
)
_
,
err
=
k8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Create
(
operato
rRoleBinding
)
regula
rRoleBinding
:=
new
(
v1
.
ClusterRoleBinding
)
regularRoleBinding
.
Name
=
regula
r
.
Name
regularRoleBinding
.
RoleRef
=
v1
.
RoleRef
{
Kind
:
"ClusterRole"
,
Name
:
regula
r
.
Name
}
regula
rRoleBinding
.
Subjects
=
make
([]
v1
.
Subject
,
0
)
_
,
err
=
k8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Create
(
regula
rRoleBinding
)
if
err
!=
nil
{
if
!
apierrors
.
IsAlreadyExists
(
err
)
{
log
.
Println
(
"cluster rolebinding create failed"
,
operato
rRoleBinding
.
Name
,
err
)
log
.
Println
(
"cluster rolebinding create failed"
,
regula
rRoleBinding
.
Name
,
err
)
return
err
}
}
...
...
@@ -1057,7 +1057,7 @@ func WorkspaceRoleInit(workspace *Workspace) error {
func
unbindWorkspaceRole
(
workspace
string
,
users
[]
string
)
error
{
k8sClient
:=
client
.
NewK8sClient
()
for
_
,
name
:=
range
WorkSpaceRoles
{
for
_
,
name
:=
range
constants
.
WorkSpaceRoles
{
roleBinding
,
err
:=
k8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Get
(
fmt
.
Sprintf
(
"system:%s:%s"
,
workspace
,
name
),
meta_v1
.
GetOptions
{})
if
err
!=
nil
{
...
...
@@ -1137,7 +1137,7 @@ func CreateWorkspaceRoleBinding(workspace *Workspace, username string, role stri
k8sClient
:=
client
.
NewK8sClient
()
for
_
,
roleName
:=
range
WorkSpaceRoles
{
for
_
,
roleName
:=
range
constants
.
WorkSpaceRoles
{
roleBinding
,
err
:=
k8sClient
.
RbacV1
()
.
ClusterRoleBindings
()
.
Get
(
fmt
.
Sprintf
(
"system:%s:%s"
,
workspace
.
Name
,
roleName
),
meta_v1
.
GetOptions
{})
if
err
!=
nil
{
...
...
@@ -1215,7 +1215,7 @@ func GetOrgMembers(workspace string) ([]string, error) {
}
func
GetOrgRoles
(
name
string
)
([]
string
,
error
)
{
return
[]
string
{
"admin"
,
"operator"
,
"user"
}
,
nil
return
constants
.
WorkSpaceRoles
,
nil
}
func
WorkspaceNamespaces
(
workspaceName
string
)
([]
string
,
error
)
{
...
...
@@ -1348,7 +1348,7 @@ func GetAllOrgAndProjList() (map[string][]string, map[string]string, error) {
var
namespaceWorkspaceMap
=
make
(
map
[
string
]
string
)
for
_
,
item
:=
range
nsList
.
Items
{
ws
,
exist
:=
item
.
Labels
[
Workspace
Key
]
ws
,
exist
:=
item
.
Labels
[
constants
.
WorkspaceLabel
Key
]
ns
:=
item
.
Name
if
exist
{
if
nsArray
,
exist
:=
workspaceNamespaceMap
[
ws
];
exist
{
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录