b95dd6a380
Change-Id: Ifa8cc0e4abb798c63c9d4ac9297e3e32443125e4 Implements: blueprint auth-controller-framework Signed-off-by: mozhuli <21621232@zju.edu.cn>
97 lines
2.3 KiB
Go
97 lines
2.3 KiB
Go
package rbac
|
|
|
|
import (
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/client-go/pkg/apis/rbac/v1beta1"
|
|
)
|
|
|
|
func GenerateRoleByNamespace(namespace string) *v1beta1.Role {
|
|
policyRule := v1beta1.PolicyRule{
|
|
Verbs: []string{v1beta1.VerbAll},
|
|
APIGroups: []string{v1beta1.APIGroupAll},
|
|
Resources: []string{v1beta1.ResourceAll},
|
|
}
|
|
role := &v1beta1.Role{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "Role",
|
|
APIVersion: "rbac.authorization.k8s.io/v1beta1",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "default-role",
|
|
Namespace: namespace,
|
|
},
|
|
Rules: []v1beta1.PolicyRule{policyRule},
|
|
}
|
|
return role
|
|
}
|
|
|
|
func GenerateRoleBinding(namespace, tenant string) *v1beta1.RoleBinding {
|
|
subject := v1beta1.Subject{
|
|
Kind: "Group",
|
|
Name: tenant,
|
|
}
|
|
roleRef := v1beta1.RoleRef{
|
|
APIGroup: "rbac.authorization.k8s.io",
|
|
Kind: "Role",
|
|
Name: "default-role",
|
|
}
|
|
roleBinding := &v1beta1.RoleBinding{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "RoleBinding",
|
|
APIVersion: "rbac.authorization.k8s.io/v1beta1",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: tenant + "-rolebinding",
|
|
Namespace: namespace,
|
|
},
|
|
Subjects: []v1beta1.Subject{subject},
|
|
RoleRef: roleRef,
|
|
}
|
|
return roleBinding
|
|
}
|
|
|
|
func GenerateClusterRole() *v1beta1.ClusterRole {
|
|
policyRule := v1beta1.PolicyRule{
|
|
Verbs: []string{v1beta1.VerbAll},
|
|
APIGroups: []string{v1beta1.APIGroupAll},
|
|
Resources: []string{"namespaces"},
|
|
}
|
|
|
|
clusterRole := &v1beta1.ClusterRole{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "ClusterRole",
|
|
APIVersion: "rbac.authorization.k8s.io/v1beta1",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "namespace-creater",
|
|
},
|
|
Rules: []v1beta1.PolicyRule{policyRule},
|
|
}
|
|
return clusterRole
|
|
}
|
|
|
|
func GenerateClusterRoleBindingByTenant(tenant string) *v1beta1.ClusterRoleBinding {
|
|
subject := v1beta1.Subject{
|
|
Kind: "Group",
|
|
Name: tenant,
|
|
}
|
|
roleRef := v1beta1.RoleRef{
|
|
APIGroup: "rbac.authorization.k8s.io",
|
|
Kind: "ClusterRole",
|
|
Name: "namespace-creater",
|
|
}
|
|
|
|
clusterRoleBinding := &v1beta1.ClusterRoleBinding{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "ClusterRoleBinding",
|
|
APIVersion: "rbac.authorization.k8s.io/v1beta1",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: tenant + "-namespace-creater",
|
|
},
|
|
Subjects: []v1beta1.Subject{subject},
|
|
RoleRef: roleRef,
|
|
}
|
|
return clusterRoleBinding
|
|
}
|