From bb074a974730c00ea8bb0c8360045de27701ebf6 Mon Sep 17 00:00:00 2001 From: Bigli <9610820+TheBigLee@users.noreply.github.com> Date: Thu, 23 Feb 2023 10:58:30 -0800 Subject: [PATCH] Add support for omitting RBAC rules on organization namespaces (#54) * Add support for omitting RBAC rules on organization namespaces --------- Signed-off-by: Nicolas Bigler Co-authored-by: Simon Gerber --- controllers/org_rbac_controller.go | 19 +++++++++++++++++++ controllers/org_rbac_controller_test.go | 24 ++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/controllers/org_rbac_controller.go b/controllers/org_rbac_controller.go index fd7defd..ff61587 100644 --- a/controllers/org_rbac_controller.go +++ b/controllers/org_rbac_controller.go @@ -33,6 +33,10 @@ type OrganizationRBACReconciler struct { // In that case the controller will update it to bind to the organization. const LabelRoleBindingUninitialized = "appuio.io/uninitialized" +// LabelNamespaceNoRBAC is used to speficy if RBAC rules should be created for a namespace. +// If not specified it defaults to `admin` privileges on the namespace owned by the organization +const LabelNamespaceNoRBAC = "appuio.io/no-rbac-creation" + //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch //+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;patch;update //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch @@ -56,6 +60,10 @@ func (r *OrganizationRBACReconciler) Reconcile(ctx context.Context, req ctrl.Req return ctrl.Result{}, nil } + if r.skipRBACManagement(ns) { + return ctrl.Result{}, nil + } + var errs []error for rb, cr := range r.DefaultClusterRoles { if err := r.putRoleBinding(ctx, ns, rb, cr, org); err != nil { @@ -64,6 +72,7 @@ func (r *OrganizationRBACReconciler) Reconcile(ctx context.Context, req ctrl.Req errs = append(errs, err) } } + return ctrl.Result{}, multierr.Combine(errs...) } @@ -76,6 +85,16 @@ func (r *OrganizationRBACReconciler) getOrganization(ns corev1.Namespace) string return org } +func (r *OrganizationRBACReconciler) skipRBACManagement(ns corev1.Namespace) bool { + label := "" + nsLabels := ns.Labels + if nsLabels != nil { + label = nsLabels[LabelNamespaceNoRBAC] + } + result, err := strconv.ParseBool(label) + return err == nil && result +} + func (r *OrganizationRBACReconciler) putRoleBinding(ctx context.Context, ns corev1.Namespace, name string, clusterRole string, group string) error { rb := &rbacv1.RoleBinding{ diff --git a/controllers/org_rbac_controller_test.go b/controllers/org_rbac_controller_test.go index 408297f..7094a8e 100644 --- a/controllers/org_rbac_controller_test.go +++ b/controllers/org_rbac_controller_test.go @@ -74,6 +74,30 @@ func TestOrganizationRBACReconciler(t *testing.T) { orgLabel: "", }, }, + "NoAccessOrgNs": { + clusterRoles: defaultCRs, + namespace: "buzz", + nsLabels: map[string]string{ + "appuio.io/no-rbac-creation": "true", + orgLabel: "foo", + }, + }, + "NoRbacCreationFalseOrgNs_CreateRole": { + clusterRoles: defaultCRs, + namespace: "buzz", + nsLabels: map[string]string{ + "appuio.io/no-rbac-creation": "false", + orgLabel: "foo", + }, + + expected: []rb{ + { + name: "admin", + roleRef: "admin", + groups: []string{"foo"}, + }, + }, + }, "OrgNs_CreateRole": { clusterRoles: defaultCRs,