fix(install): Check permission to create OpenShift ConsoleCLIDownload…

… resource
apache · Feb 4, 2020 · 91fb165 · 91fb165
1 parent 653228c
commit 91fb165
Showing 1 changed file with 30 additions and 2 deletions.
diff --git a/pkg/install/openshift.go b/pkg/install/openshift.go
@@ -22,6 +22,9 @@ import (
 	"fmt"
 	"reflect"
 
+	"github.com/Masterminds/semver"
+
+	authorization "k8s.io/api/authorization/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -30,8 +33,6 @@ import (
 
 	"github.com/apache/camel-k/pkg/client"
 	"github.com/apache/camel-k/pkg/util/defaults"
-
-	"github.com/Masterminds/semver"
 )
 
 const (
@@ -49,6 +50,29 @@ func installOpenShiftConsoleDownloadLink(ctx context.Context, c client.Client) e
 		return nil
 	}
 
+	// Check for permission to create the ConsoleCLIDownload resource
+	sar := &authorization.SelfSubjectAccessReview{
+		Spec: authorization.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authorization.ResourceAttributes{
+				Group:    "console.openshift.io",
+				Resource: "consoleclidownloads",
+				Name:     kamelCliDownloadName,
+				Verb:     "create",
+			},
+		},
+	}
+
+	sar, err = c.AuthorizationV1().SelfSubjectAccessReviews().Create(sar)
+	if err != nil {
+		if errors.IsForbidden(err) {
+			// Let's just skip the ConsoleCLIDownload resource creation
+			return nil
+		}
+		return err
+	} else if !sar.Status.Allowed {
+		return nil
+	}
+
 	// Check for an existing ConsoleCLIDownload resource
 	existing := &console.ConsoleCLIDownload{}
 	err = c.Get(ctx, types.NamespacedName{Name: kamelCliDownloadName}, existing)
@@ -77,6 +101,10 @@ func installOpenShiftConsoleDownloadLink(ctx context.Context, c client.Client) e
 			// Else delete the older version
 			err = c.Delete(ctx, existing)
 			if err != nil {
+				if errors.IsForbidden(err) {
+					// Let's just skip the ConsoleCLIDownload resource creation
+					return nil
+				}
 				return err
 			}
 		}