add security menu and BE teaser

2023-03-03 14:18:43 +13:00 · 2023-03-03 14:18:43 +13:00 · c002d460c8
parent ac47649631
commit c002d460c8
7 changed files with 87 additions and 38 deletions
--- a/app/kubernetes/__module.js
+++ b/app/kubernetes/__module.js
@ -374,8 +374,8 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
    };

    const endpointKubernetesSecurityConstraint = {
-      name: 'kubernetes.cluster.securityConstraint',
-      url: '/securityConstraint',
+      name: 'kubernetes.security',
+      url: '/security',
      views: {
        'content@': {
          templateUrl: '../kubernetes/views/security-constraint/constraint.html',
--- a/app/kubernetes/views/security-constraint/constraint.html
+++ b/app/kubernetes/views/security-constraint/constraint.html
@ -1,10 +1,10 @@
 <page-header
  ng-if="state.viewReady"
-  title="'Kubernetes security constraints'"
+  title="'Security'"
  breadcrumbs="[
 { label:'Environments', link:'portainer.endpoints' }, 
 { label:endpoint.Name, link:'portainer.endpoints.endpoint', linkParams:{id: endpoint.Id} }, 
-'Security constraints'
+'Security'
 ]"
  reload="true"
 ></page-header>
@ -12,29 +12,73 @@
 <kubernetes-view-loading view-ready="state.viewReady"></kubernetes-view-loading>

 <div ng-if="state.viewReady">
-  <div class="row">
-    <div class="col-sm-12">
-      <rd-widget>
-        <rd-widget-header icon="shield" title-text="Pod security constraints"></rd-widget-header>
-        <rd-widget-body>
-          <form class="form-horizontal" name="kubernetesSecurityConstraintForm">
-            <!--  main toggle  -->
-            <div class="form-group">
-              <div class="col-sm-12">
-                <por-switch-field
-                  checked="formValues.enabled"
-                  name="'disableSysctlSettingForRegularUsers'"
-                  label="'Enable pod security constraints'"
-                  feature-id="limitedFeaturePodSecurityPolicy"
-                  label-class="'col-sm-3 col-lg-2 px-0'"
-                  switch-class="'col-sm-8'"
+  <div class="be-indicator-container limited-be">
+    <div class="overlay">
+      <div class="limited-be-link vertical-center"
+        ><be-feature-indicator feature="limitedFeatureAccessControl"></be-feature-indicator
+        ><portainer-tooltip message="'This feature is currently limited to Business Edition users only. '"></portainer-tooltip
+      ></div>
+      <div class="limited-be-content">
+        <rd-widget>
+          <rd-widget-header icon="user" title-text="Access Control"></rd-widget-header>
+          <rd-widget-body>
+            <div class="inline-flex">
+              <div class="mr-2 inline"><pr-icon icon="'info'" mode="'primary'"></pr-icon></div>
+              <div class="inline">
+                <div>
+                  <a class="hyperlink" href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/" target="_blank">Kubernetes authorization</a> generally uses
+                  <a class="hyperlink" href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/" target="_blank">role based access control</a> (RBAC) to determine if a
+                  user or process has the permissions to access or perform certain actions within the cluster.
+                </div>
+                <br />
+                <div
+                  >The <b>Cluster Roles</b> and <b>Roles</b> screens (under this Security sub-menu) list the resources where permissions are defined in your cluster, and the
+                  Bindings that grant those permissions to subjects (Users, Groups and Service Accounts). The <b>Service Accounts</b> screens lists existing identities (typically
+                  for a Pod or set of Pods).</div
                >
-                </por-switch-field>
              </div>
            </div>
-          </form>
-        </rd-widget-body>
-      </rd-widget>
+          </rd-widget-body>
+        </rd-widget>
+      </div>
+    </div>
+  </div>
+
+  <div class="be-indicator-container limited-be">
+    <div class="overlay">
+      <div class="limited-be-link vertical-center"
+        ><be-feature-indicator feature="limitedFeaturePodSecurityPolicy"></be-feature-indicator
+        ><portainer-tooltip message="'This feature is currently limited to Business Edition users only. '"></portainer-tooltip
+      ></div>
+      <div class="limited-be-content">
+        <rd-widget>
+          <rd-widget-header icon="shield" title-text="Pod security constraints"></rd-widget-header>
+          <rd-widget-body>
+            <form class="form-horizontal" name="kubernetesSecurityConstraintForm">
+              <!--  main toggle  -->
+              <div class="form-group">
+                <div class="col-sm-12">
+                  <p class="text-muted small vertical-center">
+                    <pr-icon icon="'info'" class-name="'icon icon-sm icon-primary'"></pr-icon>
+                    You may configure privilege and access control settings for Pods in your cluster.
+                  </p>
+                </div>
+                <div class="col-sm-12">
+                  <por-switch-field
+                    checked="formValues.enabled"
+                    name="'disableSysctlSettingForRegularUsers'"
+                    label="'Enable pod security constraints'"
+                    feature-id="limitedFeaturePodSecurityPolicy"
+                    label-class="'col-sm-3 col-lg-2 px-0'"
+                    switch-class="'col-sm-8'"
+                  >
+                  </por-switch-field>
+                </div>
+              </div>
+            </form>
+          </rd-widget-body>
+        </rd-widget>
+      </div>
    </div>
  </div>
 </div>
--- a/app/kubernetes/views/security-constraint/constraintController.js
+++ b/app/kubernetes/views/security-constraint/constraintController.js
@ -7,6 +7,7 @@ angular.module('portainer.kubernetes').controller('KubernetesSecurityConstraintC
  'EndpointService',
  function ($scope, EndpointProvider, EndpointService) {
    $scope.limitedFeaturePodSecurityPolicy = FeatureId.POD_SECURITY_POLICY_CONSTRAINT;
+    $scope.limitedFeatureAccessControl = FeatureId.K8S_ACCESS_CONTROL;
    $scope.state = {
      viewReady: false,
      actionInProgress: false,
--- a/app/react/portainer/feature-flags/enums.ts
+++ b/app/react/portainer/feature-flags/enums.ts
@ -39,4 +39,5 @@ export enum FeatureId {
  K8S_ADM_ONLY_USR_INGRESS_DEPLY = 'k8s-admin-only-ingress-deploy',
  K8S_ROLLING_RESTART = 'k8s-rolling-restart',
  K8S_ANNOTATIONS = 'k8s-annotations',
+  K8S_ACCESS_CONTROL = 'k8s-security',
 }
--- a/app/react/portainer/feature-flags/feature-flags.service.ts
+++ b/app/react/portainer/feature-flags/feature-flags.service.ts
@ -44,6 +44,7 @@ export async function init(edition: Edition) {
    [FeatureId.K8S_ADM_ONLY_USR_INGRESS_DEPLY]: Edition.BE,
    [FeatureId.K8S_ROLLING_RESTART]: Edition.BE,
    [FeatureId.K8S_ANNOTATIONS]: Edition.BE,
+    [FeatureId.K8S_ACCESS_CONTROL]: Edition.BE,
  };

  state.currentEdition = currentEdition;
--- a/app/react/portainer/feature-flags/feature-ids.js
+++ b/app/react/portainer/feature-flags/feature-ids.js
@ -16,3 +16,4 @@ export const STACK_PULL_IMAGE = 'stack-pull-image';
 export const STACK_WEBHOOK = 'stack-webhook';
 export const CONTAINER_WEBHOOK = 'container-webhook';
 export const K8S_ANNOTATIONS = 'k8s-annotations';
+export const K8S_ACCESS_CONTROL = 'k8s-security';
--- a/app/react/sidebar/KubernetesSidebar/KubernetesSidebar.tsx
+++ b/app/react/sidebar/KubernetesSidebar/KubernetesSidebar.tsx
@ -1,4 +1,4 @@
-import { Box, Edit, Layers, Lock, Server, Shuffle } from 'lucide-react';
+import { Box, Edit, Layers, Lock, Server, Shuffle, Shield } from 'lucide-react';

 import { EnvironmentId } from '@/react/portainer/environments/types';
 import { Authorized } from '@/react/hooks/useUser';
@ -100,6 +100,20 @@ export function KubernetesSidebar({ environmentId }: Props) {
        data-cy="k8sSidebar-volumes"
      />

+      <Authorized
+        authorizations="K8sClusterSetupRW"
+        adminOnlyCE
+        environmentId={environmentId}
+      >
+        <SidebarItem
+          to="kubernetes.security"
+          params={{ endpointId: environmentId }}
+          label="Security"
+          data-cy="k8sSidebar-security"
+          icon={Shield}
+        />
+      </Authorized>
+
      <SidebarItem
        label="Cluster"
        to="kubernetes.cluster"
@ -120,19 +134,6 @@ export function KubernetesSidebar({ environmentId }: Props) {
          />
        </Authorized>

-        <Authorized
-          authorizations="K8sClusterSetupRW"
-          adminOnlyCE
-          environmentId={environmentId}
-        >
-          <SidebarItem
-            to="kubernetes.cluster.securityConstraint"
-            params={{ endpointId: environmentId }}
-            label="Security constraints"
-            data-cy="k8sSidebar-securityConstraints"
-          />
-        </Authorized>
-
        <SidebarItem
          to="kubernetes.registries"
          params={{ endpointId: environmentId }}