refactor(k8s): namespace core logic (#12142)

Co-authored-by: testA113 <aliharriss1995@gmail.com> Co-authored-by: Anthony Lapenna <anthony.lapenna@portainer.io> Co-authored-by: James Carppe <85850129+jamescarppe@users.noreply.github.com> Co-authored-by: Ali <83188384+testA113@users.noreply.github.com>
2025-07-23 15:29:42 +02:00 · 2024-10-01 14:15:51 +13:00 · 2024-10-01 14:15:51 +13:00 · ea228c3d6d
commit ea228c3d6d
parent da010f3d08
276 changed files with 9241 additions and 3361 deletions
--- a/api/kubernetes/cli/role.go
+++ b/api/kubernetes/cli/role.go
@ -3,11 +3,66 @@ package cli
 import (
 	"context"

+	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

+// GetRoles gets all the roles for either at the cluster level or a given namespace in a k8s endpoint.
+// It returns a list of K8sRole objects.
+func (kcl *KubeClient) GetRoles(namespace string) ([]models.K8sRole, error) {
+	if kcl.IsKubeAdmin {
+		return kcl.fetchRoles(namespace)
+	}
+
+	return kcl.fetchRolesForNonAdmin(namespace)
+}
+
+// fetchRolesForNonAdmin gets all the roles for either at the cluster level or a given namespace in a k8s endpoint.
+// the namespace will be coming from NonAdminNamespaces as non-admin users are restricted to certain namespaces.
+// it returns a list of K8sRole objects.
+func (kcl *KubeClient) fetchRolesForNonAdmin(namespace string) ([]models.K8sRole, error) {
+	roles, err := kcl.fetchRoles(namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	nonAdminNamespaceSet := kcl.buildNonAdminNamespacesMap()
+	results := make([]models.K8sRole, 0)
+	for _, role := range roles {
+		if _, ok := nonAdminNamespaceSet[role.Namespace]; ok {
+			results = append(results, role)
+		}
+	}
+
+	return results, nil
+}
+
+// fetchRoles returns a list of all Roles in the specified namespace.
+func (kcl *KubeClient) fetchRoles(namespace string) ([]models.K8sRole, error) {
+	roles, err := kcl.cli.RbacV1().Roles(namespace).List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	results := make([]models.K8sRole, 0)
+	for _, role := range roles.Items {
+		results = append(results, parseRole(role))
+	}
+
+	return results, nil
+}
+
+// parseRole converts a rbacv1.Role object to a models.K8sRole object.
+func parseRole(role rbacv1.Role) models.K8sRole {
+	return models.K8sRole{
+		Name:         role.Name,
+		Namespace:    role.Namespace,
+		CreationDate: role.CreationTimestamp.Time,
+	}
+}
+
 func getPortainerUserDefaultPolicies() []rbacv1.PolicyRule {
 	return []rbacv1.PolicyRule{
 		{