github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity
portainer/api/kubernetes/cli/cluster_role_binding.go

112 lines
3.6 KiB
Go
Raw Blame History

package cli
import (
"context"
"errors"
"strings"
models "github.com/portainer/portainer/api/http/models/kubernetes"
"github.com/portainer/portainer/api/internal/errorlist"
"github.com/rs/zerolog/log"
rbacv1 "k8s.io/api/rbac/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// GetClusterRoleBindings gets all the clusterRoleBindings for at the cluster level in a k8s endpoint.
// It returns a list of K8sClusterRoleBinding objects.
func (kcl *KubeClient) GetClusterRoleBindings() ([]models.K8sClusterRoleBinding, error) {
if kcl.IsKubeAdmin {
return kcl.fetchClusterRoleBindings()
}
return []models.K8sClusterRoleBinding{}, errors.New("non-admin users are not allowed to access cluster role bindings")
}
// fetchClusterRoleBindings returns a list of all cluster roles in the cluster.
func (kcl *KubeClient) fetchClusterRoleBindings() ([]models.K8sClusterRoleBinding, error) {
clusterRoleBindings, err := kcl.cli.RbacV1().ClusterRoleBindings().List(context.TODO(), metav1.ListOptions{})
if err != nil {
return nil, err
}
results := make([]models.K8sClusterRoleBinding, 0)
for _, clusterRoleBinding := range clusterRoleBindings.Items {
results = append(results, parseClusterRoleBinding(clusterRoleBinding))
}
return results, nil
}
// parseClusterRoleBinding converts a rbacv1.ClusterRoleBinding object to a models.K8sClusterRoleBinding object.
func parseClusterRoleBinding(clusterRoleBinding rbacv1.ClusterRoleBinding) models.K8sClusterRoleBinding {
return models.K8sClusterRoleBinding{
Name: clusterRoleBinding.Name,
UID: clusterRoleBinding.UID,
Namespace: clusterRoleBinding.Namespace,
RoleRef: clusterRoleBinding.RoleRef,
Subjects: clusterRoleBinding.Subjects,
CreationDate: clusterRoleBinding.CreationTimestamp.Time,
IsSystem: isSystemClusterRoleBinding(&clusterRoleBinding),
}
}
// DeleteClusterRoleBindings processes a K8sClusterRoleBindingDeleteRequest
// by deleting each cluster role binding in its given namespace. If deleting a specific cluster role binding
// fails, the error is logged and we continue to delete the remaining cluster role bindings.
func (kcl *KubeClient) DeleteClusterRoleBindings(reqs models.K8sClusterRoleBindingDeleteRequests) error {
var errors []error
for _, name := range reqs {
client := kcl.cli.RbacV1().ClusterRoleBindings()
clusterRoleBinding, err := client.Get(context.Background(), name, metav1.GetOptions{})
if err != nil {
if k8serrors.IsNotFound(err) {
continue
}
// This is a more serious error to do with the client so we return right away
return err
}
if isSystemClusterRoleBinding(clusterRoleBinding) {
log.Warn().Str("role_name", name).Msg("ignoring delete of 'system' cluster role binding, not allowed")
}
if err := client.Delete(context.Background(), name, metav1.DeleteOptions{}); err != nil {
log.Err(err).Str("role_name", name).Msg("unable to delete the cluster role binding")
errors = append(errors, err)
}
}
return errorlist.Combine(errors)
}
func isSystemClusterRoleBinding(binding *rbacv1.ClusterRoleBinding) bool {
if strings.HasPrefix(binding.Name, "system:") {
return true
}
if binding.Labels != nil {
if binding.Labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
return true
}
}
for _, sub := range binding.Subjects {
if strings.HasPrefix(sub.Name, "system:") {
return true
}
if sub.Namespace == "kube-system" ||
sub.Namespace == "kube-public" ||
sub.Namespace == "kube-node-lease" ||
sub.Namespace == "portainer" {
return true
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink