...

Source file src/github.com/GoogleCloudPlatform/k8s-config-connector/scripts/generate-cnrm-cluster-roles/main.go

Documentation: github.com/GoogleCloudPlatform/k8s-config-connector/scripts/generate-cnrm-cluster-roles 

     1  // Copyright 2022 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // This program generates the admin and the viewer cluster roles for cnrm api groups.
    16  
    17  package main
    18  
    19  import (
    20  	"io/ioutil"
    21  	"log"
    22  	"os"
    23  	"path"
    24  
    25  	dclmetadata "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/dcl/metadata"
    26  	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/gvks/supportedgvks"
    27  	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/servicemapping/servicemappingloader"
    28  	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/util/repo"
    29  	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/util/slice"
    30  
    31  	"github.com/ghodss/yaml"
    32  	rbacv1 "k8s.io/api/rbac/v1"
    33  	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    34  )
    35  
    36  const outputFileMode = 0600
    37  
    38  func main() {
    39  	clusterRolesPath := repo.GetClusterRolesPath()
    40  	if _, err := os.Stat(clusterRolesPath); err != nil {
    41  		if os.IsNotExist(err) {
    42  			log.Fatalf("path %v does not exist probably because the path to cluster roles has changed", clusterRolesPath)
    43  		}
    44  		log.Fatal(err)
    45  	}
    46  	smLoader, err := servicemappingloader.New()
    47  	if err != nil {
    48  		log.Fatalf("error getting new service mapping loader: %v", err)
    49  	}
    50  	serviceMetadataLoader := dclmetadata.New()
    51  	gvks := supportedgvks.All(smLoader, serviceMetadataLoader)
    52  
    53  	apis := make(map[string]bool)
    54  	for _, gvk := range gvks {
    55  		apis[gvk.Group] = true
    56  	}
    57  	apiGroupList := make([]string, 0)
    58  	for api := range apis {
    59  		apiGroupList = slice.IncludeString(apiGroupList, api)
    60  	}
    61  
    62  	viewerRoleFileName := "cnrm_viewer.yaml"
    63  	if err := outputClusterRoleToFile(clusterRolesPath, viewerRoleFileName, viewerRole(apiGroupList)); err != nil {
    64  		log.Fatalf("error generating %v in %v: %v", viewerRoleFileName, clusterRolesPath, err)
    65  	}
    66  
    67  	adminRoleFileName := "cnrm_admin.yaml"
    68  	if err := outputClusterRoleToFile(clusterRolesPath, adminRoleFileName, adminRole(apiGroupList)); err != nil {
    69  		log.Fatalf("error generating %v in %v: %v", adminRoleFileName, clusterRolesPath, err)
    70  	}
    71  }
    72  
    73  func outputClusterRoleToFile(outputDirPath, outputFileName string, r *rbacv1.ClusterRole) error {
    74  	outputPath := path.Join(outputDirPath, outputFileName)
    75  	b, err := yaml.Marshal(r)
    76  	if err != nil {
    77  		return err
    78  	}
    79  	err = ioutil.WriteFile(outputPath, b, outputFileMode)
    80  	if err != nil {
    81  		return err
    82  	}
    83  	return nil
    84  }
    85  
    86  func viewerRole(apiGroupList []string) *rbacv1.ClusterRole {
    87  	viewerRole := &rbacv1.ClusterRole{
    88  		TypeMeta: v1.TypeMeta{
    89  			APIVersion: "rbac.authorization.k8s.io/v1",
    90  			Kind:       "ClusterRole",
    91  		},
    92  		ObjectMeta: v1.ObjectMeta{
    93  			Name: "viewer",
    94  			Labels: map[string]string{
    95  				"rbac.authorization.k8s.io/aggregate-to-view": "true",
    96  			},
    97  		},
    98  	}
    99  	for _, api := range apiGroupList {
   100  		viewerRole.Rules = append(viewerRole.Rules, rbacv1.PolicyRule{
   101  			APIGroups: []string{api},
   102  			Verbs:     []string{"get", "list", "watch"},
   103  			Resources: []string{"*"},
   104  		})
   105  	}
   106  	return viewerRole
   107  }
   108  
   109  func adminRole(apiGroupList []string) *rbacv1.ClusterRole {
   110  	adminRole := &rbacv1.ClusterRole{
   111  		TypeMeta: v1.TypeMeta{
   112  			APIVersion: "rbac.authorization.k8s.io/v1",
   113  			Kind:       "ClusterRole",
   114  		},
   115  		ObjectMeta: v1.ObjectMeta{
   116  			Name: "admin",
   117  			Labels: map[string]string{
   118  				"rbac.authorization.k8s.io/aggregate-to-admin": "true",
   119  				"rbac.authorization.k8s.io/aggregate-to-edit":  "true",
   120  			},
   121  		},
   122  	}
   123  	for _, api := range apiGroupList {
   124  		adminRole.Rules = append(adminRole.Rules, rbacv1.PolicyRule{
   125  			APIGroups: []string{api},
   126  			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
   127  			Resources: []string{"*"},
   128  		})
   129  	}
   130  	return adminRole
   131  }
   132  

View as plain text