diff --git a/Readme.md b/Readme.md
index b8ff72b3..d15e5d5c 100755
--- a/Readme.md
+++ b/Readme.md
@@ -92,6 +92,7 @@ For specific exceptions, add another network policy.
 | **LOCATOR** | *Locator: must be internet or extranet* | `"intranet" ` | `no ` | intranet |
 | **PROVISIONING_NETWORK_POLICIES** | *Enable or disable NetPol Mgmt* | `true `| `no ` | yes |
 | **CUSTOM_LABELS** | *Add custom labels to namespaces* | `quota=managed,monitoring=true` | `no ` | - |
+| **DEFAULT_PERMISSION** | *ClusterRole associated with default service account* | `view` | `no ` | - |
 # Client
diff --git a/internal/services/provisionner.go b/internal/services/provisionner.go
index 6fbca1f0..da9cf4a7 100644
--- a/internal/services/provisionner.go
+++ b/internal/services/provisionner.go
@@ -251,6 +251,54 @@ func GenerateAppRoleBinding(namespace string) {
 }
+func GenerateDefaultRoleBinding(namespace string) {
+ kconfig, err := rest.InClusterConfig()
+ clientSet, err := kubernetes.NewForConfig(kconfig)
+ api := clientSet.RbacV1()
+
+ _, errRB := api.RoleBindings(namespace).Get(utils.KubiRoleBindingDefaultName, metav1.GetOptions{})
+
+ newRoleBinding := v1.RoleBinding{
+ RoleRef: v1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "ClusterRole",
+ Name: utils.Config.DefaultPermission,
+ },
+ Subjects: []v1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: utils.KubiServiceAccountDefaultName,
+ Namespace: namespace,
+ },
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: utils.KubiRoleBindingDefaultName,
+ Namespace: namespace,
+ Labels: map[string]string{
+ "name": utils.KubiRoleBindingDefaultName,
+ "creator": "kubi",
+ "version": "v3",
+ },
+ },
+ }
+
+ if errRB != nil {
+ _, err = api.RoleBindings(namespace).Create(&newRoleBinding)
+ utils.Log.Info().Msgf("Rolebinding %v has been created for namespace %v", utils.KubiServiceAccountAppName, namespace)
+ utils.RoleBindingsCreation.WithLabelValues("created", namespace, utils.KubiServiceAccountAppName).Inc()
+ } else {
+ _, err = api.RoleBindings(namespace).Update(&newRoleBinding)
+ utils.Log.Info().Msgf("Rolebinding %v has been update for namespace %v", utils.KubiServiceAccountAppName, namespace)
+ utils.RoleBindingsCreation.WithLabelValues("updated", namespace, utils.KubiServiceAccountAppName).Inc()
+ }
+
+ if err != nil {
+ utils.Log.Error().Msg(err.Error())
+ utils.RoleBindingsCreation.WithLabelValues("error", namespace, utils.KubiServiceAccountAppName).Inc()
+ }
+
+}
+
 // Generate
 func GenerateAppServiceAccount(namespace string) {
 kconfig, err := rest.InClusterConfig()
@@ -396,6 +444,9 @@ func projectUpdate(old interface{}, new interface{}) {
 GenerateUserRoleBinding(newProject.Name, "admin")
 GenerateAppServiceAccount(newProject.Name)
 GenerateAppRoleBinding(newProject.Name)
+ if !strings.EqualFold(utils.Config.DefaultPermission, "") {
+ GenerateDefaultRoleBinding(newProject.Name)
+ }
 }
@@ -411,6 +462,9 @@ func projectCreated(obj interface{}) {
 GenerateUserRoleBinding(project.Name, "admin")
 GenerateAppServiceAccount(project.Name)
 GenerateAppRoleBinding(project.Name)
+ if !strings.EqualFold(utils.Config.DefaultPermission, "") {
+ GenerateDefaultRoleBinding(project.Name)
+ }
 }
diff --git a/internal/utils/config.go b/internal/utils/config.go
index 7e4a73a7..9a7e988a 100644
--- a/internal/utils/config.go
+++ b/internal/utils/config.go
@@ -121,6 +121,7 @@ func MakeConfig() (*types.Config, error) {
 Locator: getEnv("LOCATOR", KubiLocatorIntranet),
 NetworkPolicy: networkpolicyEnabled,
 CustomLabels: customLabels,
+ DefaultPermission: getEnv("DEFAULT_PERMISSION", ""),
 }
 err := validation.ValidateStruct(config,
diff --git a/internal/utils/constants.go b/internal/utils/constants.go
index c1ffe31b..bfa5b815 100644
--- a/internal/utils/constants.go
+++ b/internal/utils/constants.go
@@ -24,6 +24,9 @@ const (
 KubiRoleBindingAppName = "namespaced-service-binding"
 KubiServiceAccountAppName = "service"
+ KubiRoleBindingDefaultName = "default-sa"
+ KubiServiceAccountDefaultName = "default"
+
 AuthenticatedGroup = "system:authenticated"
 AdminGroup = "system:masters"
 ApplicationMaster = "application:masters"
diff --git a/pkg/types/types.go b/pkg/types/types.go
index 047b1df3..fb4074ef 100644
--- a/pkg/types/types.go
+++ b/pkg/types/types.go
@@ -38,6 +38,7 @@ type Config struct {
 Locator string
 NetworkPolicy bool
 CustomLabels map[string]string
+ DefaultPermission string
 }
 // Note: struct fields must be public in order for unmarshal to
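Review bot: The guard `if !strings.EqualFold(utils.Config.DefaultPermission, "") {` folds case against the empty string, where folding changes nothing; `if utils.Config.DefaultPermission != "" {` states the intent directly, and the identical line appears in the projectCreated hunk below. Because the check runs on every create and update event but has no counterpart for the empty case, unsetting DEFAULT_PERMISSION later stops new bindings yet leaves every `default-sa` RoleBinding already written in place, so the default service account keeps its previously granted ClusterRole until someone removes the binding by hand; if that residue is not intended, an else branch that deletes the binding (ignoring not-found) would make the setting reversible. Both projectUpdate and projectCreated begin outside their hunks.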
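Review bot: The `DefaultPermission: getEnv("DEFAULT_PERMISSION", ""),` line accepts any string and the ValidateStruct call on the context line below gains no rule for it, yet the value names the ClusterRole that the provisionner binds to the `default` service account of every namespace it manages, so a typo would be expected to yield a binding to a nonexistent role that grants nothing, while a broad name such as `admin` hands namespace-wide write access to every pod that runs without an explicit serviceAccountName. A validation rule restricting the value to a short operator-approved list (the README example is `view`) — if `validation` here is ozzo-validation, `validation.Field(&config.DefaultPermission, validation.In("view"))` with the list adjusted to what the deployment allows — or at minimum a `strings.TrimSpace` and a warning log whenever the value is non-empty, would make the grant an explicit decision rather than an unchecked environment string. Without trimming, stray whitespace in the variable is written verbatim into RoleRef.Name by the consumer in provisionner.go. MakeConfig's body extends outside the hunk.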