package framework
import (
	"fmt"

	"halkyon.io/api/v1beta1"
	authorizv1 "k8s.io/api/rbac/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
)
// RoleBindingGVK identifies rbac.authorization.k8s.io/v1 RoleBinding objects to the framework.
var RoleBindingGVK = authorizv1.SchemeGroupVersion.WithKind("RoleBinding")
// NeedsRoleBinding is implemented by owners that need a namespaced RoleBinding
// granting a Role to their ServiceAccount. The binding is created in the
// owner's namespace and the ServiceAccount is looked up in that same namespace.
type NeedsRoleBinding interface {
	// GetRoleBindingName returns the name of the RoleBinding to create or update.
	GetRoleBindingName() string
	// GetAssociatedRoleName returns the name of the namespaced Role the binding grants.
	GetAssociatedRoleName() string
	// GetServiceAccountName returns the ServiceAccount added as subject of the binding.
	GetServiceAccountName() string
	// Owner returns the owning resource; its namespace is the binding's namespace.
	Owner() SerializableResource
}
// RoleBinding is the dependent resource that manages the RoleBinding of an owner.
// Everything owner-specific (names, ServiceAccount, namespace) is obtained from
// Delegate; the embedded BaseDependentResource supplies the shared plumbing.
type RoleBinding struct {
	*BaseDependentResource
	// Delegate is the owner that needs the binding; it decides names and subject.
	Delegate NeedsRoleBinding
}
// Fetch retrieves the live RoleBinding through the framework's DefaultFetcher.
func (res RoleBinding) Fetch() (runtime.Object, error) {
	obj, err := DefaultFetcher(res)
	return obj, err
}
// GetCondition derives the dependent's condition from err alone; the fetched
// object is ignored, so only existence/failure is reported, never the binding's content.
func (res RoleBinding) GetCondition(_ runtime.Object, err error) *v1beta1.DependentCondition {
	condition := DefaultGetConditionFor(res, err)
	return condition
}
// Compile-time check that *RoleBinding satisfies DependentResource.
var _ DependentResource = &RoleBinding{}
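// Update makes sure the owner's ServiceAccount (in the owner's namespace) is a
// subject of the existing RoleBinding toUpdate. It returns true when a subject
// was appended, false when it was already present; the object is always handed
// back so the caller can persist it. A toUpdate that is not a *rbac/v1
// RoleBinding yields an error instead of a panic.
//
// The reconciliation is deliberately additive: subjects that no longer
// correspond to an owner are never pruned, and the RoleRef is not touched
// (Kubernetes rejects changes to it anyway). A stale ServiceAccount therefore
// keeps the grant until the binding itself is deleted — keep that in mind when
// a binding is shared by several owners.
func (res RoleBinding) Update(toUpdate runtime.Object) (bool, runtime.Object, error) {
	rb, ok := toUpdate.(*authorizv1.RoleBinding)
	if !ok {
		return false, toUpdate, fmt.Errorf("updating role binding: expected *rbac/v1.RoleBinding, got %T", toUpdate)
	}
	wanted := authorizv1.Subject{
		Kind:      authorizv1.ServiceAccountKind,
		Namespace: res.Owner().GetNamespace(),
		Name:      res.Delegate.GetServiceAccountName(),
	}
	// Match on Kind as well as name/namespace: a User or Group subject that
	// happens to share the name must not be mistaken for the ServiceAccount.
	for _, subject := range rb.Subjects {
		if subject.Kind == wanted.Kind && subject.Name == wanted.Name && subject.Namespace == wanted.Namespace {
			return false, toUpdate, nil
		}
	}
	rb.Subjects = append(rb.Subjects, wanted)
	return true, toUpdate, nil
}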
// NewOwnedRoleBinding builds the RoleBinding dependent for owner. The binding is
// attached to owner.Owner() through the shared base resource and is marked as
// not watched, so changes to the live RoleBinding do not trigger reconciliation.
func NewOwnedRoleBinding(owner NeedsRoleBinding) RoleBinding {
	base := NewBaseDependentResource(owner.Owner(), RoleBindingGVK)
	rb := RoleBinding{BaseDependentResource: base, Delegate: owner}
	rb.config.Watched = false
	return rb
}
// Name returns the RoleBinding's object name, as chosen by the delegate.
func (res RoleBinding) Name() string {
	delegate := res.Delegate
	return delegate.GetRoleBindingName()
}
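// Build returns the RoleBinding this resource manages. With empty set, only a
// typed zero-valued object is returned (a fetch target); otherwise the binding
// is fully populated: it lives in the owner's namespace, references the
// namespaced Role named by the delegate, and lists the delegate's
// ServiceAccount (in that same namespace) as its single subject.
//
// The RoleRef APIGroup is set explicitly instead of relying on API-server
// defaulting, so the object is valid as built and compares equal to what the
// server stores. Note that a RoleRef is immutable once the binding exists;
// pointing an existing binding at another Role requires delete-and-recreate.
func (res RoleBinding) Build(empty bool) (runtime.Object, error) {
	binding := &authorizv1.RoleBinding{}
	if empty {
		return binding, nil
	}
	namespace := res.Owner().GetNamespace()
	binding.ObjectMeta = metav1.ObjectMeta{
		Name:      res.Name(),
		Namespace: namespace,
	}
	binding.RoleRef = authorizv1.RoleRef{
		APIGroup: authorizv1.GroupName,
		Kind:     "Role",
		Name:     res.Delegate.GetAssociatedRoleName(),
	}
	// ServiceAccount subjects carry no APIGroup; only User/Group do.
	binding.Subjects = []authorizv1.Subject{{
		Kind:      authorizv1.ServiceAccountKind,
		Name:      res.Delegate.GetServiceAccountName(),
		Namespace: namespace,
	}}
	return binding, nil
}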