re introduce cluster role binding isSystem
parent
ae24050224
commit
2214bb38b4
|
@ -1,16 +1,32 @@
|
|||
package kubernetes
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
||||
type (
|
||||
K8sClusterRoleBinding struct {
|
||||
Name string `json:"name"`
|
||||
UID types.UID `json:"uid"`
|
||||
RoleRef rbacv1.RoleRef `json:"roleRef"`
|
||||
Subjects []rbacv1.Subject `json:"subjects"`
|
||||
CreationDate time.Time `json:"creationDate"`
|
||||
IsSystem bool `json:"isSystem"`
|
||||
}
|
||||
|
||||
// K8sRoleBindingDeleteRequests slice of cluster role cluster bindings.
|
||||
K8sClusterRoleBindingDeleteRequests []string
|
||||
)
|
||||
|
||||
func (r K8sClusterRoleBindingDeleteRequests) Validate(request *http.Request) error {
|
||||
if len(r) == 0 {
|
||||
return errors.New("missing deletion request list in payload")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
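Review bot: The doc comment `// K8sRoleBindingDeleteRequests slice of cluster role cluster bindings.` names a different type than the one declared beneath it and reads oddly; `// K8sClusterRoleBindingDeleteRequests is the list of cluster role binding names a delete request asks to remove.` matches the declaration. Validate only rejects an empty list, so a payload such as `[""]` passes and an empty name reaches whatever deletes by name downstream (not visible here); adding `for _, name := range r { if name == "" { return errors.New("empty cluster role binding name in deletion request") } }` keeps malformed input at the boundary. The reintroduced `IsSystem` field also deserves a line, e.g. `// IsSystem is set server-side for bindings that look Kubernetes- or Portainer-managed; presumably used by the UI to protect them — confirm.`, since a reader of this model cannot otherwise tell where the value comes from.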
@ -3,6 +3,7 @@ package cli
|
|||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
models "github.com/portainer/portainer/api/http/models/kubernetes"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
|
@ -38,8 +39,37 @@ func (kcl *KubeClient) fetchClusterRoleBindings() ([]models.K8sClusterRoleBindin
|
|||
func parseClusterRoleBinding(clusterRoleBinding rbacv1.ClusterRoleBinding) models.K8sClusterRoleBinding {
|
||||
return models.K8sClusterRoleBinding{
|
||||
Name: clusterRoleBinding.Name,
|
||||
UID: clusterRoleBinding.UID,
|
||||
RoleRef: clusterRoleBinding.RoleRef,
|
||||
Subjects: clusterRoleBinding.Subjects,
|
||||
CreationDate: clusterRoleBinding.CreationTimestamp.Time,
|
||||
IsSystem: isSystemClusterRoleBinding(&clusterRoleBinding),
|
||||
}
|
||||
}
|
||||
|
||||
func isSystemClusterRoleBinding(binding *rbacv1.ClusterRoleBinding) bool {
|
||||
if strings.HasPrefix(binding.Name, "system:") {
|
||||
return true
|
||||
}
|
||||
|
||||
if binding.Labels != nil {
|
||||
if binding.Labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
for _, sub := range binding.Subjects {
|
||||
if strings.HasPrefix(sub.Name, "system:") {
|
||||
return true
|
||||
}
|
||||
|
||||
if sub.Namespace == "kube-system" ||
|
||||
sub.Namespace == "kube-public" ||
|
||||
sub.Namespace == "kube-node-lease" ||
|
||||
sub.Namespace == "portainer" {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
|
|
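Review bot: isSystemClusterRoleBinding flags a binding as system whenever any subject's name starts with `system:` or lives in kube-system, kube-public, kube-node-lease or portainer, which classifies user-created bindings by who they grant to rather than by what they are: a binding someone adds that gives cluster-admin to the `system:authenticated` or `system:unauthenticated` group, or to a service account in kube-system, will come back with `IsSystem` true, and if the UI hides or protects system bindings (I cannot see that from here) it is exactly the grant that should be surfaced. The genuine defaults are already caught by the `system:` name prefix and the `kubernetes.io/bootstrapping=rbac-defaults` label, so I would drop the subject loop (or at most keep the `portainer` namespace case for Portainer's own service accounts) and record why: `// Only the binding's own name and bootstrapping label identify a default; subjects are user-controlled and must not make a binding look system-owned.` The `if binding.Labels != nil` guard is redundant because indexing a nil map in Go yields the zero value, so `if binding.Labels["kubernetes.io/bootstrapping"] == "rbac-defaults" { return true }` alone suffices.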
@ -14,13 +14,8 @@ export type ClusterRoleSubject = {
|
|||
export type ClusterRoleBinding = {
|
||||
name: string;
|
||||
uid: string;
|
||||
namespace: string;
|
||||
resourceVersion: string;
|
||||
creationDate: string;
|
||||
annotations: Record<string, string> | null;
|
||||
|
||||
roleRef: ClusterRoleRef;
|
||||
subjects: ClusterRoleSubject[] | null;
|
||||
|
||||
creationDate: string;
|
||||
isSystem: boolean;
|
||||
};
|
||||
|
|
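Review bot: The new `isSystem: boolean` field carries no comment saying where it comes from or what the UI may rely on it for; per the Go side of this commit it is computed server-side from the binding's name, labels and subjects, so it is a display hint rather than an authorization result, and any delete protection must be enforced by the API, not only by hiding a button. I would add `/** True for bindings the backend classifies as Kubernetes- or Portainer-managed; informational only. */` above it. Whether the delete handler checks it is outside this hunk.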