Docker/portainer
Docker/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-07-19 13:29:41 +02:00
Code Issues Releases Activity
portainer/api/kubernetes/cli/service_account.go
zees-dev 665bf2c887
feat(kubernetes/shell): kubectl web shell and kubeconfig functionality EE-448 (#5229) 
* feat(kubernetes/shell): backport kubectl shell backend functionality EE-849 (#5168)

* backported core backend kubectl shell functionality

* - backported kubectl shell unit tests
- backported k8s cli interface update
- backported k8s client library fake patch

* refactored backend to match EE

* fixed test error typo

* GetServiceAccountName -> GetServiceAccount - making the function reusable in multiple contexts

* feat(kubernetes/shell): backport kubeconfig generation backend functionality EE-1004 (#5213)

* backported core backend kubectl shell functionality

* refactored backend to match EE

* - backported kubernetes backend handler implementation
- backported kubernetes config endpoint
- backported kubeconfig file generation
- backported kubeconfig and yaml unit tests
- backported updates to kubeclient interfaces

* feat(app): kubectl shell ui backport EE-927 (#5221)

* Kubectl UI backport to CE

* fix authentication redirect issue

* comment out redirect function

* fix shell full width & change name of shell

* disable button when terminal connected

* fixed whitespace changes for css

* fixed whitespace changes for html

* linting fixes

Co-authored-by: zees-dev <dev.786zshan@gmail.com>

* feat(kubernetes/shell): backport of kubeconfig export functionality EE-926 (#5228)

* EE backport of kubeconfig UI functionality

* using angularjs constant instead of hardcoded URL

* updated portainer kubectl shell image

* fix kubectl button position issue in ce

* fix pod keep running when switching page

* feat(app): Kubectl shell ui EE-833 EE-1099 (#5271)

* fix kubectl shell css

* fix mini css issue

* fix tech issue for ui changes from review

* delete unuse file

* - refactored variable names
- restored content-wrapper scroll
- created object to store wrapper css

Co-authored-by: zees-dev <dev.786zshan@gmail.com>

* addressing PR issues

* fix required changes from tech reviews (#5319)

* fix required changes from tech reviews

* remove unuse css variable

* component refactor accoridng to PR and style guidelines

Co-authored-by: zees-dev <dev.786zshan@gmail.com>

* removed redundant dockerhub api endpoint variable

* - autoHeight -> terminal-window
- removed redundant try-catch
- saving config.yaml file as config

* fix(kube/shell): show error on failure

* fixed default https bug

* resolved merge conflicts

Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: richard <richard@richards-iMac-Pro.local>
Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com>
2021-08-05 15:02:06 +12:00

192 lines
5.6 KiB
Go
Raw Blame History

package cli
import (
portainer "github.com/portainer/portainer/api"
v1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// GetServiceAccount returns the portainer ServiceAccountName associated to the specified user.
func (kcl *KubeClient) GetServiceAccount(tokenData *portainer.TokenData) (*v1.ServiceAccount, error) {
var portainerServiceAccountName string
if tokenData.Role == portainer.AdministratorRole {
portainerServiceAccountName = portainerClusterAdminServiceAccountName
} else {
portainerServiceAccountName = userServiceAccountName(int(tokenData.ID), kcl.instanceID)
}
// verify name exists as service account resource within portainer namespace
serviceAccount, err := kcl.cli.CoreV1().ServiceAccounts(portainerNamespace).Get(portainerServiceAccountName, metav1.GetOptions{})
if err != nil {
return nil, err
}
return serviceAccount, nil
}
// GetServiceAccountBearerToken returns the ServiceAccountToken associated to the specified user.
func (kcl *KubeClient) GetServiceAccountBearerToken(userID int) (string, error) {
serviceAccountName := userServiceAccountName(userID, kcl.instanceID)
return kcl.getServiceAccountToken(serviceAccountName)
}
// SetupUserServiceAccount will make sure that all the required resources are created inside the Kubernetes
// cluster before creating a ServiceAccount and a ServiceAccountToken for the specified Portainer user.
//It will also create required default RoleBinding and ClusterRoleBinding rules.
func (kcl *KubeClient) SetupUserServiceAccount(userID int, teamIDs []int, restrictDefaultNamespace bool) error {
serviceAccountName := userServiceAccountName(userID, kcl.instanceID)
err := kcl.ensureRequiredResourcesExist()
if err != nil {
return err
}
err = kcl.createUserServiceAccount(portainerNamespace, serviceAccountName)
if err != nil {
return err
}
err = kcl.createServiceAccountToken(serviceAccountName)
if err != nil {
return err
}
err = kcl.ensureServiceAccountHasPortainerUserClusterRole(serviceAccountName)
if err != nil {
return err
}
return kcl.setupNamespaceAccesses(userID, teamIDs, serviceAccountName, restrictDefaultNamespace)
}
func (kcl *KubeClient) ensureRequiredResourcesExist() error {
return kcl.createPortainerUserClusterRole()
}
func (kcl *KubeClient) createUserServiceAccount(namespace, serviceAccountName string) error {
serviceAccount := &v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: serviceAccountName,
},
}
_, err := kcl.cli.CoreV1().ServiceAccounts(namespace).Create(serviceAccount)
if err != nil && !k8serrors.IsAlreadyExists(err) {
return err
}
return nil
}
func (kcl *KubeClient) ensureServiceAccountHasPortainerUserClusterRole(serviceAccountName string) error {
clusterRoleBinding, err := kcl.cli.RbacV1().ClusterRoleBindings().Get(portainerUserCRBName, metav1.GetOptions{})
if k8serrors.IsNotFound(err) {
clusterRoleBinding = &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: portainerUserCRBName,
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: serviceAccountName,
Namespace: portainerNamespace,
},
},
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
Name: portainerUserCRName,
},
}
_, err := kcl.cli.RbacV1().ClusterRoleBindings().Create(clusterRoleBinding)
return err
} else if err != nil {
return err
}
for _, subject := range clusterRoleBinding.Subjects {
if subject.Name == serviceAccountName {
return nil
}
}
clusterRoleBinding.Subjects = append(clusterRoleBinding.Subjects, rbacv1.Subject{
Kind: "ServiceAccount",
Name: serviceAccountName,
Namespace: portainerNamespace,
})
_, err = kcl.cli.RbacV1().ClusterRoleBindings().Update(clusterRoleBinding)
return err
}
func (kcl *KubeClient) removeNamespaceAccessForServiceAccount(serviceAccountName, namespace string) error {
roleBindingName := namespaceClusterRoleBindingName(namespace, kcl.instanceID)
roleBinding, err := kcl.cli.RbacV1().RoleBindings(namespace).Get(roleBindingName, metav1.GetOptions{})
if k8serrors.IsNotFound(err) {
return nil
} else if err != nil {
return err
}
updatedSubjects := roleBinding.Subjects[:0]
for _, subject := range roleBinding.Subjects {
if subject.Name != serviceAccountName {
updatedSubjects = append(updatedSubjects, subject)
}
}
roleBinding.Subjects = updatedSubjects
_, err = kcl.cli.RbacV1().RoleBindings(namespace).Update(roleBinding)
return err
}
func (kcl *KubeClient) ensureNamespaceAccessForServiceAccount(serviceAccountName, namespace string) error {
roleBindingName := namespaceClusterRoleBindingName(namespace, kcl.instanceID)
roleBinding, err := kcl.cli.RbacV1().RoleBindings(namespace).Get(roleBindingName, metav1.GetOptions{})
if k8serrors.IsNotFound(err) {
roleBinding = &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: roleBindingName,
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: serviceAccountName,
Namespace: portainerNamespace,
},
},
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
Name: "edit",
},
}
_, err = kcl.cli.RbacV1().RoleBindings(namespace).Create(roleBinding)
return err
} else if err != nil {
return err
}
for _, subject := range roleBinding.Subjects {
if subject.Name == serviceAccountName {
return nil
}
}
roleBinding.Subjects = append(roleBinding.Subjects, rbacv1.Subject{
Kind: "ServiceAccount",
Name: serviceAccountName,
Namespace: portainerNamespace,
})
_, err = kcl.cli.RbacV1().RoleBindings(namespace).Update(roleBinding)
return err
}
View git blame Copy permalink