feat(k8s): use instance ID to create unique k8s resources (#4196)

2025-07-25 00:09:40 +02:00 · 2020-08-12 17:10:28 +12:00 · 2020-08-12 17:10:28 +12:00 · 2c15dcd1f2
commit 2c15dcd1f2
parent 1bf97426bf
7 changed files with 82 additions and 20 deletions
--- a/api/kubernetes/cli/client.go
+++ b/api/kubernetes/cli/client.go
@ -19,20 +19,23 @@ type (
 	ClientFactory struct {
 		reverseTunnelService portainer.ReverseTunnelService
 		signatureService     portainer.DigitalSignatureService
+		instanceID           string
 		endpointClients      cmap.ConcurrentMap
 	}

 	// KubeClient represent a service used to execute Kubernetes operations
 	KubeClient struct {
-		cli *kubernetes.Clientset
+		cli        *kubernetes.Clientset
+		instanceID string
 	}
 )

 // NewClientFactory returns a new instance of a ClientFactory
-func NewClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *ClientFactory {
+func NewClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, instanceID string) *ClientFactory {
 	return &ClientFactory{
 		signatureService:     signatureService,
 		reverseTunnelService: reverseTunnelService,
+		instanceID:           instanceID,
 		endpointClients:      cmap.New(),
 	}
 }
@ -62,7 +65,8 @@ func (factory *ClientFactory) createKubeClient(endpoint *portainer.Endpoint) (po
 	}

 	kubecli := &KubeClient{
-		cli: cli,
+		cli:        cli,
+		instanceID: factory.instanceID,
 	}

 	return kubecli, nil
--- a/api/kubernetes/cli/naming.go
+++ b/api/kubernetes/cli/naming.go
@ -13,14 +13,14 @@ const (
 	portainerConfigMapAccessPoliciesKey = "NamespaceAccessPolicies"
 )

-func userServiceAccountName(userID int) string {
-	return fmt.Sprintf("%s-%d", portainerUserServiceAccountPrefix, userID)
+func userServiceAccountName(userID int, instanceID string) string {
+	return fmt.Sprintf("%s-%s-%d", portainerUserServiceAccountPrefix, instanceID, userID)
 }

-func userServiceAccountTokenSecretName(serviceAccountName string) string {
-	return fmt.Sprintf("%s-secret", serviceAccountName)
+func userServiceAccountTokenSecretName(serviceAccountName string, instanceID string) string {
+	return fmt.Sprintf("%s-%s-secret", instanceID, serviceAccountName)
 }

-func namespaceClusterRoleBindingName(namespace string) string {
-	return fmt.Sprintf("%s-%s", portainerRBPrefix, namespace)
+func namespaceClusterRoleBindingName(namespace string, instanceID string) string {
+	return fmt.Sprintf("%s-%s-%s", portainerRBPrefix, instanceID, namespace)
 }
--- a/api/kubernetes/cli/secret.go
+++ b/api/kubernetes/cli/secret.go
@ -11,7 +11,7 @@ import (
 )

 func (kcl *KubeClient) createServiceAccountToken(serviceAccountName string) error {
-	serviceAccountSecretName := userServiceAccountTokenSecretName(serviceAccountName)
+	serviceAccountSecretName := userServiceAccountTokenSecretName(serviceAccountName, kcl.instanceID)

 	serviceAccountSecret := &v1.Secret{
 		TypeMeta: metav1.TypeMeta{},
@ -33,7 +33,7 @@ func (kcl *KubeClient) createServiceAccountToken(serviceAccountName string) erro
 }

 func (kcl *KubeClient) getServiceAccountToken(serviceAccountName string) (string, error) {
-	serviceAccountSecretName := userServiceAccountTokenSecretName(serviceAccountName)
+	serviceAccountSecretName := userServiceAccountTokenSecretName(serviceAccountName, kcl.instanceID)

 	secret, err := kcl.cli.CoreV1().Secrets(portainerNamespace).Get(serviceAccountSecretName, metav1.GetOptions{})
 	if err != nil {
--- a/api/kubernetes/cli/service_account.go
+++ b/api/kubernetes/cli/service_account.go
@ -9,7 +9,7 @@ import (

 // GetServiceAccountBearerToken returns the ServiceAccountToken associated to the specified user.
 func (kcl *KubeClient) GetServiceAccountBearerToken(userID int) (string, error) {
-	serviceAccountName := userServiceAccountName(userID)
+	serviceAccountName := userServiceAccountName(userID, kcl.instanceID)

 	return kcl.getServiceAccountToken(serviceAccountName)
 }
@ -18,7 +18,7 @@ func (kcl *KubeClient) GetServiceAccountBearerToken(userID int) (string, error)
 // cluster before creating a ServiceAccount and a ServiceAccountToken for the specified Portainer user.
 //It will also create required default RoleBinding and ClusterRoleBinding rules.
 func (kcl *KubeClient) SetupUserServiceAccount(userID int, teamIDs []int) error {
-	serviceAccountName := userServiceAccountName(userID)
+	serviceAccountName := userServiceAccountName(userID, kcl.instanceID)

 	err := kcl.ensureRequiredResourcesExist()
 	if err != nil {
@ -114,7 +114,7 @@ func (kcl *KubeClient) ensureServiceAccountHasPortainerUserClusterRole(serviceAc
 }

 func (kcl *KubeClient) removeNamespaceAccessForServiceAccount(serviceAccountName, namespace string) error {
-	roleBindingName := namespaceClusterRoleBindingName(namespace)
+	roleBindingName := namespaceClusterRoleBindingName(namespace, kcl.instanceID)

 	roleBinding, err := kcl.cli.RbacV1().RoleBindings(namespace).Get(roleBindingName, metav1.GetOptions{})
 	if k8serrors.IsNotFound(err) {
@ -138,7 +138,7 @@ func (kcl *KubeClient) removeNamespaceAccessForServiceAccount(serviceAccountName
 }

 func (kcl *KubeClient) ensureNamespaceAccessForServiceAccount(serviceAccountName, namespace string) error {
-	roleBindingName := namespaceClusterRoleBindingName(namespace)
+	roleBindingName := namespaceClusterRoleBindingName(namespace, kcl.instanceID)

 	roleBinding, err := kcl.cli.RbacV1().RoleBindings(namespace).Get(roleBindingName, metav1.GetOptions{})
 	if k8serrors.IsNotFound(err) {