re introduce cluster role binding isSystem

pull/12297/head
testA113 2024-10-05 08:30:11 +13:00
parent ae24050224
commit 2214bb38b4
3 changed files with 47 additions and 6 deletions


@ -1,16 +1,32 @@
package kubernetes package kubernetes
import ( import (
"errors"
"net/http"
"time" "time"
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/types"
) )
type ( type (
K8sClusterRoleBinding struct { K8sClusterRoleBinding struct {
Name string `json:"name"` Name string `json:"name"`
UID types.UID `json:"uid"`
RoleRef rbacv1.RoleRef `json:"roleRef"` RoleRef rbacv1.RoleRef `json:"roleRef"`
Subjects []rbacv1.Subject `json:"subjects"` Subjects []rbacv1.Subject `json:"subjects"`
CreationDate time.Time `json:"creationDate"` CreationDate time.Time `json:"creationDate"`
IsSystem bool `json:"isSystem"`
} }
// K8sRoleBindingDeleteRequests slice of cluster role cluster bindings.
K8sClusterRoleBindingDeleteRequests []string
) )
func (r K8sClusterRoleBindingDeleteRequests) Validate(request *http.Request) error {
if len(r) == 0 {
return errors.New("missing deletion request list in payload")
}
return nil
}
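Review bot: The doc comment on the new type names a different identifier and duplicates a word — `// K8sRoleBindingDeleteRequests slice of cluster role cluster bindings.` should read `// K8sClusterRoleBindingDeleteRequests is a list of cluster role binding names to delete.` so it documents the declaration directly below it. Validate only rejects an empty list; since each entry is presumably forwarded as a resource name to delete, blank entries are worth rejecting too with `for _, name := range r { if name == "" { return errors.New("empty cluster role binding name in deletion request list") } }`. The `request` parameter is unused, which looks like it is dictated by a shared payload-validation interface; naming it `_` would make that explicit.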


@ -3,6 +3,7 @@ package cli
import ( import (
"context" "context"
"fmt" "fmt"
"strings"
models "github.com/portainer/portainer/api/http/models/kubernetes" models "github.com/portainer/portainer/api/http/models/kubernetes"
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
@ -38,8 +39,37 @@ func (kcl *KubeClient) fetchClusterRoleBindings() ([]models.K8sClusterRoleBindin
func parseClusterRoleBinding(clusterRoleBinding rbacv1.ClusterRoleBinding) models.K8sClusterRoleBinding { func parseClusterRoleBinding(clusterRoleBinding rbacv1.ClusterRoleBinding) models.K8sClusterRoleBinding {
return models.K8sClusterRoleBinding{ return models.K8sClusterRoleBinding{
Name: clusterRoleBinding.Name, Name: clusterRoleBinding.Name,
UID: clusterRoleBinding.UID,
RoleRef: clusterRoleBinding.RoleRef, RoleRef: clusterRoleBinding.RoleRef,
Subjects: clusterRoleBinding.Subjects, Subjects: clusterRoleBinding.Subjects,
CreationDate: clusterRoleBinding.CreationTimestamp.Time, CreationDate: clusterRoleBinding.CreationTimestamp.Time,
IsSystem: isSystemClusterRoleBinding(&clusterRoleBinding),
} }
} }
func isSystemClusterRoleBinding(binding *rbacv1.ClusterRoleBinding) bool {
if strings.HasPrefix(binding.Name, "system:") {
return true
}
if binding.Labels != nil {
if binding.Labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
return true
}
}
for _, sub := range binding.Subjects {
if strings.HasPrefix(sub.Name, "system:") {
return true
}
if sub.Namespace == "kube-system" ||
sub.Namespace == "kube-public" ||
sub.Namespace == "kube-node-lease" ||
sub.Namespace == "portainer" {
return true
}
}
return false
}
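Review bot: isSystemClusterRoleBinding classifies a binding from values its creator controls — the name prefix, the `kubernetes.io/bootstrapping` label and the subjects' names and namespaces — so if the frontend uses `isSystem` to hide or protect entries, a binding can be made to look like a platform default; the function needs a doc comment stating that the flag is a display heuristic rather than an authorization boundary, and any server-side protection of system bindings should not be derived from it. The `if binding.Labels != nil` guard is redundant because indexing a nil map yields the zero value, so `if binding.Labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {` on its own is enough. The hardcoded `"portainer"` namespace listed next to the kube-* namespaces also deserves a one-line comment explaining why subjects in it mark a binding as system-managed.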


@ -14,13 +14,8 @@ export type ClusterRoleSubject = {
export type ClusterRoleBinding = { export type ClusterRoleBinding = {
name: string; name: string;
uid: string; uid: string;
namespace: string;
resourceVersion: string;
creationDate: string;
annotations: Record<string, string> | null;
roleRef: ClusterRoleRef; roleRef: ClusterRoleRef;
subjects: ClusterRoleSubject[] | null; subjects: ClusterRoleSubject[] | null;
creationDate: string;
isSystem: boolean; isSystem: boolean;
}; };