

Revert deployer permissions to in namespace (#501)
eshiroma authored May 18, 2020
1 parent 189fa0f commit 53089b9
Showing 2 changed files with 12 additions and 126 deletions.
42 changes: 6 additions & 36 deletions marketplace/deployer_util/provision.py
Expand Up @@ -381,63 +381,33 @@ def make_deployer_rolebindings(schema, namespace, app_name, labels, sa_name):
'name': sa_name,
'namespace': namespace,
}]
app_edit_role_name = '{}-deployer-app-edit-r'.format(app_name)
default_role_and_rolebindings = [{
default_rolebinding = {
'apiVersion': 'rbac.authorization.k8s.io/v1',
'kind': 'RoleBinding',
'metadata': {
'name': '{}-deployer-admin-rb'.format(app_name),
'name': '{}-deployer-rb'.format(app_name),
'namespace': namespace,
'labels': labels,
},
'roleRef': {
'apiGroup': 'rbac.authorization.k8s.io',
'kind': 'ClusterRole',
'name': 'admin',
},
'subjects': subjects,
}, {
'apiVersion':
'rbac.authorization.k8s.io/v1',
'kind':
'Role',
'metadata': {
'name': app_edit_role_name,
'namespace': namespace,
'labels': labels,
},
'rules': [{
'apiGroups': ['app.k8s.io'],
'resources': ['applications'],
'verbs': ['*'],
}],
}, {
'apiVersion': 'rbac.authorization.k8s.io/v1',
'kind': 'RoleBinding',
'metadata': {
'name': '{}-deployer-app-edit-rb'.format(app_name),
'namespace': namespace,
'labels': labels,
},
'roleRef': {
'apiGroup': 'rbac.authorization.k8s.io',
'kind': 'Role',
'name': app_edit_role_name,
'name': 'cluster-admin',
},
'subjects': subjects,
}]
}

if not schema.is_v2(
) or not schema.x_google_marketplace.deployer_service_account:
return default_role_and_rolebindings
return [default_rolebinding]

roles_and_rolebindings = []
deployer_service_account = schema.x_google_marketplace.deployer_service_account

# Set the default rolebinding if no namespace roles are defined
if not deployer_service_account.custom_role_rules(
) and not deployer_service_account.predefined_roles():
roles_and_rolebindings.extend(default_role_and_rolebindings)
roles_and_rolebindings.append(default_rolebinding)

for i, rules in enumerate(deployer_service_account.custom_role_rules()):
role_name = '{}-deployer-r{}'.format(app_name, i)
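Review bot: The roleRef at `'name': 'cluster-admin',` grants the deployer service account `cluster-admin` with no comment on why the narrower `admin` ClusterRole is insufficient, and the commit message does not say either. A RoleBinding to a ClusterRole is confined to `namespace`, but inside it `cluster-admin` still yields every verb on every namespaced resource, including secrets, `pods/exec` and `rolebindings`, so the deployer can bind further ClusterRoles to itself within that namespace. I would record that next to the roleRef so nobody tightens it back without the context: `# NOTE: scoped to the namespace by the RoleBinding, but '*' on all namespaced resources there (secrets, rolebindings, pods/exec); presumably 'admin' lacks rights on CRDs such as applications.app.k8s.io -- confirm before narrowing.` `make_deployer_rolebindings` starts before this hunk and the custom-role loop continues after it, so the predefined/custom branches are not visible here.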
96 changes: 6 additions & 90 deletions marketplace/deployer_util/provision_test.py
Expand Up @@ -98,14 +98,14 @@ def test_make_deployer_rolebindings_no_roles(self):
""")
self.assertEqual(
[
# The default namespace role/rolebindings should be created
# The default namespace rolebinding should be created
{
'apiVersion':
'rbac.authorization.k8s.io/v1',
'kind':
'RoleBinding',
'metadata': {
'name': 'app-name-1-deployer-admin-rb',
'name': 'app-name-1-deployer-rb',
'namespace': 'namespace-1',
'labels': {
'some-key': 'some-value'
Expand All @@ -115,49 +115,7 @@ def test_make_deployer_rolebindings_no_roles(self):
'apiGroup': 'rbac.authorization.k8s.io',
# Note: predefined ones are actually cluster roles.
'kind': 'ClusterRole',
'name': 'admin',
},
'subjects': [{
'kind': 'ServiceAccount',
'name': 'app-name-deployer-sa',
'namespace': 'namespace-1',
}],
},
{
'apiVersion':
'rbac.authorization.k8s.io/v1',
'kind':
'Role',
'metadata': {
'name': 'app-name-1-deployer-app-edit-r',
'namespace': 'namespace-1',
'labels': {
'some-key': 'some-value'
},
},
'rules': [{
'apiGroups': ['app.k8s.io'],
'resources': ['applications'],
'verbs': ['*'],
}],
},
{
'apiVersion':
'rbac.authorization.k8s.io/v1',
'kind':
'RoleBinding',
'metadata': {
'name': 'app-name-1-deployer-app-edit-rb',
'namespace': 'namespace-1',
'labels': {
'some-key': 'some-value'
},
},
'roleRef': {
'apiGroup': 'rbac.authorization.k8s.io',
# Note: predefined ones are actually cluster roles.
'kind': 'Role',
'name': 'app-name-1-deployer-app-edit-r',
'name': 'cluster-admin',
},
'subjects': [{
'kind': 'ServiceAccount',
Expand Down Expand Up @@ -364,14 +322,14 @@ def test_make_deployer_rolebindings_clusterrole_only(self):
""")
self.assertCountEqual(
[
# The default namespace role/rolebindings should also be created
# The default namespace rolebinding should also be created
{
'apiVersion':
'rbac.authorization.k8s.io/v1',
'kind':
'RoleBinding',
'metadata': {
'name': 'app-name-1-deployer-admin-rb',
'name': 'app-name-1-deployer-rb',
'namespace': 'namespace-1',
'labels': {
'some-key': 'some-value'
Expand All @@ -381,49 +339,7 @@ def test_make_deployer_rolebindings_clusterrole_only(self):
'apiGroup': 'rbac.authorization.k8s.io',
# Note: predefined ones are actually cluster roles.
'kind': 'ClusterRole',
'name': 'admin',
},
'subjects': [{
'kind': 'ServiceAccount',
'name': 'app-name-deployer-sa',
'namespace': 'namespace-1',
}],
},
{
'apiVersion':
'rbac.authorization.k8s.io/v1',
'kind':
'Role',
'metadata': {
'name': 'app-name-1-deployer-app-edit-r',
'namespace': 'namespace-1',
'labels': {
'some-key': 'some-value'
},
},
'rules': [{
'apiGroups': ['app.k8s.io'],
'resources': ['applications'],
'verbs': ['*'],
}],
},
{
'apiVersion':
'rbac.authorization.k8s.io/v1',
'kind':
'RoleBinding',
'metadata': {
'name': 'app-name-1-deployer-app-edit-rb',
'namespace': 'namespace-1',
'labels': {
'some-key': 'some-value'
},
},
'roleRef': {
'apiGroup': 'rbac.authorization.k8s.io',
# Note: predefined ones are actually cluster roles.
'kind': 'Role',
'name': 'app-name-1-deployer-app-edit-r',
'name': 'cluster-admin',
},
'subjects': [{
'kind': 'ServiceAccount',
