def _create_namespaced_account_objects(self):
namespace = self.get_user_namespace()
account = self.service_account
if not account:
self.log.info("No service account defined.")
return (None, None, None)
md = client.V1ObjectMeta(name=account)
svcacct = client.V1ServiceAccount(metadata=md)
rules = [
client.V1PolicyRule(
api_groups=[""],
resources=["pods", "services"],
verbs=["get", "list", "watch", "create", "delete"]),
client.V1PolicyRule(api_groups=[""],
resources=["pods/log"],
verbs=["get", "list"]),
]
role = client.V1Role(rules=rules, metadata=md)
rolebinding = client.V1RoleBinding(
metadata=md,
role_ref=client.V1RoleRef(api_group="rbac.authorization.k8s.io",
kind="Role",
name=account),
subjects=[
client.V1Subject(kind="ServiceAccount",
name=account,
namespace=namespace)
])
return svcacct, role, rolebinding
def _cluster_role(self):
return client.V1ClusterRole(
api_version='rbac.authorization.k8s.io/v1',
kind='ClusterRole',
metadata=metadata(
name=self.name,
labels=self.labels,
),
rules=[
client.V1PolicyRule(
api_groups=["", "extensions"],
resources=[
"configmaps", "endpoints", "events", "ingresses",
"ingresses/status", "services"
],
verbs=[
"create", "get", "list", "update", "watch", "patch"
],
),
client.V1PolicyRule(api_groups=["", "extensions"],
resources=[
"nodes", "pods", "secrets", "services",
"namespaces"
],
verbs=["get", "list", "watch"]),
])
def create_k8s_role(self):
"""Create k8s role for temporary user."""
rules = [
client.V1PolicyRule(
[""],
resources=["*"],
verbs=["*"],
),
client.V1PolicyRule(
["extensions"],
resources=["*"],
verbs=["*"],
),
client.V1PolicyRule(
["apps"],
resources=["*"],
verbs=["*"],
),
client.V1PolicyRule(
["monitoring.coreos.com"],
resources=["*"],
verbs=["*"],
),
client.V1PolicyRule(
["batch"],
resources=["*"],
verbs=["*"],
)
]
role = client.V1Role(rules=rules)
role_name = self.generate_rolename()
label_selector = self.label_selector.split('=')
role.metadata = client.V1ObjectMeta(
namespace=self.namespace,
name=role_name,
labels={label_selector[0]: label_selector[1]},
annotations={
self.expire_annotation: str(int(self.now + self.DAY_AND_NIGHT))
})
self.rbac_api = client.RbacAuthorizationV1Api()
try:
self.rbac_api.create_namespaced_role(self.namespace,
role,
pretty='true')
except ApiException as e:
print(
"Exception when calling RbacAuthorizationV1Api->create_namespaced_role: %s\n"
% e)
return role_name
def create_role(name, id_token):
api_version = 'rbac.authorization.k8s.io/v1'
meta = k8s_client.V1ObjectMeta(name=name, namespace=name)
service_rules = k8s_client.V1PolicyRule(
api_groups=[""],
resources=["services"],
verbs=["create", "list", "get", "delete"])
quotas_rules = k8s_client.V1PolicyRule(
api_groups=[""],
resources=["resourcequotas"],
verbs=["create", "list", "get", "delete"])
ingress_rules = k8s_client.V1PolicyRule(
api_groups=[""],
resources=["ingresses"],
verbs=["create", "list", "get", "delete"])
deployment_rules = k8s_client.V1PolicyRule(
api_groups=[""],
resources=["deployments"],
verbs=["create", "list", "get", "delete"])
server_rules = k8s_client.V1PolicyRule(
api_groups=["ai.intel.com"],
resources=["inference-endpoints"],
verbs=["create", "get", "delete", "patch"])
namespace_rules = k8s_client.V1PolicyRule(api_groups=[""],
resources=["namespaces"],
verbs=["get", "list", "watch"])
ns_status_rules = k8s_client.V1PolicyRule(api_groups=[""],
resources=["namespaces/status"],
verbs=["get", "list", "watch"])
list_pods_rule = k8s_client.V1PolicyRule(api_groups=[""],
resources=["pods"],
verbs=["list"])
deployment_apps_rule = k8s_client.V1PolicyRule(
api_groups=["apps"],
resources=["deployments", "deployments/status"],
verbs=["list", "get"])
role = k8s_client.V1Role(api_version=api_version,
metadata=meta,
rules=[
service_rules, ingress_rules,
deployment_rules, server_rules,
namespace_rules, ns_status_rules,
quotas_rules, list_pods_rule,
deployment_apps_rule
])
rbac_api_instance = get_k8s_rbac_api_client(id_token)
try:
response = rbac_api_instance.create_namespaced_role(name, role)
except ApiException as apiException:
raise KubernetesCreateException('role', apiException)
logger.info("Role {} created".format(name))
return response
def create_namespaced_role_with_api(name,
namespace,
labels,
resources,
verbs,
api_groups=['']):
"""Create namespaced role."""
# Using API because of bug https://bugs.launchpad.net/juju/+bug/1896076
logging.info('Creating namespaced role with K8s API')
_load_kube_config()
body = client.V1Role(metadata=client.V1ObjectMeta(name=name,
namespace=namespace,
labels=labels),
rules=[
client.V1PolicyRule(
api_groups=api_groups,
resources=resources,
verbs=verbs,
)
])
with client.ApiClient() as api_client:
api_instance = client.RbacAuthorizationV1Api(api_client)
try:
api_instance.create_namespaced_role(namespace, body, pretty=True)
except ApiException as err:
if err.status == 409:
# ignore "already exists" errors so that we can recover from
# partially failed setups
return
else:
raise
def create_role_binding(self, api_instance, namespace, sa_name):
role_name = hashlib.sha1(
str.encode(sa_name)).hexdigest()[:8] # $ID-role trigger bug! HaHa
binding_name = "{}-binding".format(role_name)
body = client.V1Role(api_version='rbac.authorization.k8s.io/v1',
kind='Role',
metadata=client.V1ObjectMeta(name=role_name,
namespace=namespace),
rules=[
client.V1PolicyRule(api_groups=['*'],
resources=['*'],
verbs=['*'])
])
api_instance.create_namespaced_role(namespace=namespace, body=body)
role_binding = client.V1RoleBinding(
metadata=client.V1ObjectMeta(namespace=namespace,
name=binding_name),
subjects=[
client.V1Subject(name=sa_name,
kind="ServiceAccount",
api_group="")
],
role_ref=client.V1RoleRef(kind="Role",
api_group="rbac.authorization.k8s.io",
name=role_name))
api_instance.create_namespaced_role_binding(namespace=namespace,
body=role_binding)
def __createRole(self):
"""Creates namespace role for ssh tunneling service.
"""
# TODO: create this dynamically according to user who is using the tool
# generate metadata
rules = [
client.V1PolicyRule(api_groups=['policy'],
resources=['podsecuritypolicies'],
verbs=['use'],
resource_names=['gce.privileged'])
]
body = client.V1Role(metadata=client.V1ObjectMeta(
name=self.serviceName, namespace=self.namespace),
rules=rules)
# create roles
try:
self.rbac_instance.create_namespaced_role(namespace=self.namespace,
body=body)
except ApiException as e:
if e.status == 409:
pass
else:
logging.error(e)
raise
def create_namespaced_role_with_api(name,
namespace,
labels,
resources,
verbs,
api_groups=['']):
# Using API because of bug https://github.com/canonical/operator/issues/390
logging.info('Creating namespaced role with K8s API')
_load_kube_config()
with client.ApiClient() as api_client:
api_instance = client.RbacAuthorizationV1Api(api_client)
body = client.V1Role(metadata=client.V1ObjectMeta(name=name,
namespace=namespace,
labels=labels),
rules=[
client.V1PolicyRule(
api_groups=api_groups,
resources=resources,
verbs=verbs,
)
])
try:
api_instance.create_namespaced_role(namespace, body, pretty=True)
return True
except ApiException as err:
logging.exception(
"Exception when calling RbacAuthorizationV1Api->create_namespaced_role."
)
if err.status != 409:
# ignoring 409 (AlreadyExists) errors
return False
else:
return True
def create_namespaced_role_with_api(name,
namespace,
labels,
resources,
verbs,
api_groups=['']):
"""Create namespaced role."""
# Using API because of bug https://bugs.launchpad.net/juju/+bug/1896076
logging.info('Creating namespaced role with K8s API')
_load_kube_config()
body = client.V1Role(metadata=client.V1ObjectMeta(name=name,
namespace=namespace,
labels=labels),
rules=[
client.V1PolicyRule(
api_groups=api_groups,
resources=resources,
verbs=verbs,
)
])
with client.ApiClient() as api_client:
api_instance = client.RbacAuthorizationV1Api(api_client)
try:
api_instance.create_namespaced_role(namespace, body, pretty=True)
except ApiException as err:
logging.exception("Exception when calling RbacAuthorizationV1Api"
"->create_namespaced_role.")
if err.status != 409:
# Hook error except for 409 (AlreadyExists) errors
sys.exit(1)
def setup_job_and_deployment_service_accounts(namespace: str) -> None:
"""Setup a jobs-and-deployments service-account with required roles.
:param namespace: Namespace in which the service-account will be
placed.
"""
service_account_object = k8s.V1ServiceAccount(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT
)
)
k8s.CoreV1Api().create_namespaced_service_account(
namespace=namespace, body=service_account_object
)
role_object = k8s.V1Role(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT
),
rules=[
k8s.V1PolicyRule(
api_groups=[""],
resources=["secrets", "configmaps"],
verbs=["get", "list"],
)
],
)
k8s.RbacAuthorizationV1Api().create_namespaced_role(
namespace=namespace, body=role_object
)
role_binding_object = k8s.V1RoleBinding(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT
),
role_ref=k8s.V1RoleRef(
kind="Role",
name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT,
api_group="rbac.authorization.k8s.io",
),
subjects=[
k8s.V1Subject(
kind="ServiceAccount",
name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT,
namespace=namespace,
)
],
)
k8s.RbacAuthorizationV1Api().create_namespaced_role_binding(
namespace=namespace, body=role_binding_object
)
def _cluster_role(self):
return client.V1beta1ClusterRole(
api_version='rbac.authorization.k8s.io/v1beta1',
kind='ClusterRole',
metadata=metadata(name=self.name),
rules=[
client.V1PolicyRule(
api_groups=[""],
resources=["services", "endpoints", "pods"],
verbs=["get", "watch", "list"]
),
client.V1PolicyRule(
api_groups=["extensions"],
resources=["ingresses"],
verbs=["get", "watch", "list"]
),
client.V1PolicyRule(
api_groups=[""],
resources=["nodes"],
verbs=["list", "watch"]
),
]
)
def create_quick_clusterrole_definition(clusterRoleName,
rules,
annotationsDict={}):
crRules = client.V1PolicyRule(api_groups=["*"],
resources=["*"],
verbs=[
"get", "list", "create", "update",
"delete", "deletecollection", "watch"
])
# print("CR Rules: " + str(crRules))
clusterRole = client.V1ClusterRole(
api_version="rbac.authorization.k8s.io/v1",
kind="ClusterRole",
metadata=client.V1ObjectMeta(name=clusterRoleName,
annotations=annotationsDict),
rules=[crRules])
return clusterRole
def _cluster_role(self):
return client.V1ClusterRole(
api_version='rbac.authorization.k8s.io/v1',
kind='ClusterRole',
metadata=metadata(
name=f'{self.name}-role',
),
rules=[
client.V1PolicyRule(
api_groups=[""],
resources=[
"pods",
"nodes",
"endpoints",
],
verbs=["list", "watch"],
),
client.V1PolicyRule(
api_groups=["apps"],
resources=["replicasets"],
verbs=["list", "watch"],
),
client.V1PolicyRule(
api_groups=["batch"],
resources=["jobs"],
verbs=["list", "watch"],
),
client.V1PolicyRule(
api_groups=[""],
resources=["nodes/proxy"],
verbs=["get"],
),
client.V1PolicyRule(
api_groups=[""],
resources=["nodes/stats", "configmaps", "events"],
verbs=["create"],
),
client.V1PolicyRule(
api_groups=[""],
resources=["configmaps"],
resource_names=["cwagent-clusterleader"],
verbs=["get", "update"],
),
]
)
def run(namespace,
tmpVolumeSize,
outputVolumeSize,
volumeName,
storage_class_name=None,
imagepullsecrets=None,
ades_namespace=None,
state=None):
print(
f"Preparing {namespace} tmpVolumeSize: {tmpVolumeSize} outputVolumeSize: {outputVolumeSize} volumeName: {volumeName}"
)
apiclient = helpers.get_api_client()
api_instance = client.RbacAuthorizationV1Api(apiclient)
v1 = client.CoreV1Api(api_client=apiclient)
print("####################################")
print("######### Checking if namespace already exists")
try:
v1.read_namespace(namespace, pretty=True)
print("Namespace already exists")
return {"status": "success"}
except ApiException as e:
if e.status == 404:
print("Namespace does not exists and will be created")
else:
print("Exception when creating namespace: %s\n" % e,
file=sys.stderr)
raise e
### Creating namespace
print("####################################")
print("######### Creating namespace")
try:
body = client.V1Namespace(metadata=client.V1ObjectMeta(name=namespace))
namespace_json = v1.create_namespace(body=body, async_req=False)
print(str(namespace_json))
except ApiException as e:
print("Exception when creating namespace: %s\n" % e, file=sys.stderr)
raise e
#### Creating pod manager role
print("####################################")
print("######### Creating pod_manager_role")
metadata = client.V1ObjectMeta(name='pod-manager-role',
namespace=namespace)
rule = client.V1PolicyRule(
api_groups=['*'],
resources=['pods', 'pods/log'],
verbs=['create', 'patch', 'delete', 'list', 'watch'])
rules = []
rules.append(rule)
body = client.V1Role(metadata=metadata, rules=rules)
pretty = True
try:
api_response = api_instance.create_namespaced_role(namespace,
body,
pretty=pretty)
pprint(api_response)
except ApiException as e:
print("Exception when creating pod-manager-role: %s\n" % e,
file=sys.stderr)
raise e
#### Creating log-reader-role
print("####################################")
print("######### Creating log-reader-role")
metadata = client.V1ObjectMeta(name='log-reader-role', namespace=namespace)
rule = client.V1PolicyRule(
api_groups=['*'],
resources=['pods', 'pods/log'],
verbs=['create', 'patch', 'delete', 'list', 'watch'])
# verbs=['get', 'list'])
rules = []
rules.append(rule)
body = client.V1Role(metadata=metadata, rules=rules)
pretty = True
try:
api_response = api_instance.create_namespaced_role(namespace,
body,
pretty=pretty)
pprint(api_response)
except ApiException as e:
print("Exception when creating pod-manager-role: %s\n" % e,
file=sys.stderr)
raise e
print("####################################")
print("######### Creating pod-manager-default-binding")
metadata = client.V1ObjectMeta(name='pod-manager-default-binding',
namespace=namespace)
role_ref = client.V1RoleRef(api_group='',
kind='Role',
name='pod-manager-role')
subject = client.models.V1Subject(api_group='',
kind='ServiceAccount',
name='default',
namespace=namespace)
subjects = []
subjects.append(subject)
body = client.V1RoleBinding(metadata=metadata,
role_ref=role_ref,
subjects=subjects)
pretty = True
try:
api_response = api_instance.create_namespaced_role_binding(
namespace, body, pretty=pretty)
pprint(api_response)
except ApiException as e:
print("Exception when creating pod-manager-default-binding: %s\n" % e,
file=sys.stderr)
raise e
print("####################################")
print("######### Creating log-reader-default-binding")
metadata = client.V1ObjectMeta(name='log-reader-default-binding',
namespace=namespace)
role_ref = client.V1RoleRef(api_group='',
kind='Role',
name='log-reader-role')
subject = client.models.V1Subject(api_group='',
kind='ServiceAccount',
name='default',
namespace=namespace)
subjects = []
subjects.append(subject)
body = client.V1RoleBinding(metadata=metadata,
role_ref=role_ref,
subjects=subjects)
pretty = True
try:
api_response = api_instance.create_namespaced_role_binding(
namespace, body, pretty=pretty)
pprint(api_response)
except ApiException as e:
print("Exception when creating log-reader-default-binding: %s\n" % e,
file=sys.stderr)
raise e
print("####################################")
print("######### Creating cluster-role-binding")
metadata = client.V1ObjectMeta(name=f"{namespace}-rbac",
namespace=namespace)
role_ref = client.V1RoleRef(api_group='rbac.authorization.k8s.io',
kind='ClusterRole',
name='cluster-admin')
subject = client.models.V1Subject(api_group='',
kind='ServiceAccount',
name='default',
namespace=namespace)
subjects = []
subjects.append(subject)
body = client.V1ClusterRoleBinding(metadata=metadata,
role_ref=role_ref,
subjects=subjects)
pretty = True
try:
api_response = api_instance.create_cluster_role_binding(body=body,
pretty=pretty)
pprint(api_response)
except ApiException as e:
if e.status == 409:
print(
f"cluster-role-binding {namespace}-rbac has already been installed"
)
else:
print("Exception when creating cluster-role-binding: %s\n" % e,
file=sys.stderr)
raise e
print("####################################")
print("######### Creating Persistent Volume Claims")
# metadata1 = client.V1ObjectMeta(name=f"{volumeName}-input-data", namespace=namespace)
# spec1 = client.V1PersistentVolumeClaimSpec(
# # must be ReadWriteOnce for EBS
# # access_modes=["ReadWriteOnce", "ReadOnlyMany"],
# access_modes=["ReadWriteMany"],
# resources=client.V1ResourceRequirements(
# requests={"storage": inputVolumeSize}
# )
# )
#
# if storage_class_name:
# spec1.storage_class_name = storage_class_name
#
# body1 = client.V1PersistentVolumeClaim(metadata=metadata1, spec=spec1)
metadata2 = client.V1ObjectMeta(name=f"{volumeName}-tmpout",
namespace=namespace)
spec2 = client.V1PersistentVolumeClaimSpec(
access_modes=["ReadWriteMany"],
resources=client.V1ResourceRequirements(
requests={"storage": tmpVolumeSize}))
if storage_class_name:
spec2.storage_class_name = storage_class_name
body2 = client.V1PersistentVolumeClaim(metadata=metadata2, spec=spec2)
metadata3 = client.V1ObjectMeta(name=f"{volumeName}-output-data",
namespace=namespace)
spec3 = client.V1PersistentVolumeClaimSpec(
access_modes=["ReadWriteMany"],
resources=client.V1ResourceRequirements(
requests={"storage": outputVolumeSize}))
if storage_class_name:
spec3.storage_class_name = storage_class_name
body3 = client.V1PersistentVolumeClaim(metadata=metadata3, spec=spec3)
pretty = True
try:
# api_response1 = v1.create_namespaced_persistent_volume_claim(namespace, body1, pretty=pretty)
api_response2 = v1.create_namespaced_persistent_volume_claim(
namespace, body2, pretty=pretty)
api_response3 = v1.create_namespaced_persistent_volume_claim(
namespace, body3, pretty=pretty)
# pprint(api_response1)
pprint(api_response2)
pprint(api_response3)
except ApiException as e:
print("Exception when creating persistent_volume_claim: %s\n" % e,
file=sys.stderr)
raise e
# we copy the secret from ades namespace to the new job namespace
if imagepullsecrets is not None and ades_namespace is not None:
for imagepullsecret in imagepullsecrets:
# Create an instance of the API class
secretname = imagepullsecret["name"]
pretty = True # str | If 'true', then the output is pretty printed. (optional)
exact = False # bool | Should the export be exact. Exact export maintains cluster-specific fields like 'Namespace'. Deprecated. Planned for removal in 1.18. (optional)
export = True # bool | Should this value be exported. Export strips fields that a user can not specify. Deprecated. Planned for removal in 1.18. (optional)
secret_export = None
try:
secret_export = v1.read_namespaced_secret(secretname,
ades_namespace,
pretty=pretty,
exact=exact,
export=export)
except ApiException as e:
print(
"Exception when retrieving image pull secret from eoepca: %s\n"
% e)
time.sleep(5)
try:
api_response = v1.create_namespaced_secret(namespace,
secret_export,
pretty=pretty)
except ApiException as e:
print("Exception when creating image pull secret: %s\n" % e)
time.sleep(5)
name = 'default'
try:
service_account_body = v1.read_namespaced_service_account(
name, namespace, pretty=True)
pprint(service_account_body)
time.sleep(5)
if service_account_body.secrets is None:
service_account_body.secrets = []
if service_account_body.image_pull_secrets is None:
service_account_body.image_pull_secrets = []
service_account_body.secrets.append({"name": secretname})
service_account_body.image_pull_secrets.append(
{"name": secretname})
api_response = v1.patch_namespaced_service_account(
name, namespace, service_account_body, pretty=True)
pprint(api_response)
except ApiException as e:
print(
"Exception when calling CoreV1Api->patch_namespaced_service_account: %s\n"
% e)
return {"status": "success"}
def create_cluster_role():
"""
Create IBM Spectrum Scale CSI Operator cluster role in Operator namespace
Args:
None
Returns:
None
Raises:
Raises an exception on kubernetes client api failure and asserts
"""
cluster_role_api_instance = client.RbacAuthorizationV1Api()
pretty = True
cluster_role_labels = {
"app.kubernetes.io/instance": "ibm-spectrum-scale-csi-operator",
"app.kubernetes.io/managed-by": "ibm-spectrum-scale-csi-operator",
"app.kubernetes.io/name": "ibm-spectrum-scale-csi-operator",
"product": "ibm-spectrum-scale-csi",
"release": "ibm-spectrum-scale-csi-operator"
}
cluster_role_metadata = client.V1ObjectMeta(
name="ibm-spectrum-scale-csi-operator",
labels=cluster_role_labels,
namespace=namespace_value)
cluster_role_rules = []
cluster_role_rules.append(
client.V1PolicyRule(api_groups=["*"],
resources=[
'pods', 'persistentvolumeclaims', 'services',
'endpoints', 'events', 'configmaps', 'secrets',
'secrets/status', 'services/finalizers',
'serviceaccounts', 'securitycontextconstraints'
],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['rbac.authorization.k8s.io'],
resources=['clusterroles', 'clusterrolebindings'],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['apps'],
resources=[
'deployments', 'daemonsets', 'replicasets',
'statefulsets'
],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['monitoring.coreos.com'],
resources=['servicemonitors'],
verbs=['get', 'create']))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['apps'],
resources=['replicasets'],
verbs=["get"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['csi.ibm.com'],
resources=['*'],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['security.openshift.io'],
resources=['securitycontextconstraints'],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['storage.k8s.io'],
resources=['volumeattachments', 'storageclasses'],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['apps'],
resource_names=['ibm-spectrum-scale-csi-operator'],
resources=['deployments/finalizers'],
verbs=['update']))
body = client.V1ClusterRole(kind='ClusterRole',
api_version='rbac.authorization.k8s.io/v1',
metadata=cluster_role_metadata,
rules=cluster_role_rules)
try:
LOGGER.info("Creating ibm-spectrum-scale-csi-operator ClusterRole ")
cluster_role_api_response = cluster_role_api_instance.create_cluster_role(
body, pretty=pretty)
LOGGER.debug(str(cluster_role_api_response))
except ApiException as e:
LOGGER.error(
f"Exception when calling RbacAuthorizationV1Api->create_cluster_role: {e}"
)
assert False
def def_namespaced_account_objects(self):
"""Define K8s objects for things we need in the namespace."""
with start_action(action_type="define_namespaced_account_objects"):
namespace = self.namespace
username = self.parent.user.escaped_name
cfg = self.parent.config
psnm = cfg.pull_secret_name
pull_secret = get_pull_secret(pull_secret_name=psnm,
api=self.parent.api,
log=self.log)
pull_secret_ref = get_pull_secret_reflist(pull_secret_name=psnm)
account = "{}-svcacct".format(username)
self.service_account = account
acd = "argocd.argoproj.io/"
md = client.V1ObjectMeta(
name=account,
labels={acd + "instance": "nublado-users"},
annotations={
acd + "compare-options": "IgnoreExtraneous",
acd + "sync-options": "Prune=false",
},
)
svcacct = client.V1ServiceAccount(
metadata=md, image_pull_secrets=pull_secret_ref)
# These rules let us manipulate Dask pods, Argo Workflows, and
# Multus CNI interfaces
rules = [
client.V1PolicyRule(
api_groups=["argoproj.io"],
resources=["workflows", "workflows/finalizers"],
verbs=[
"get",
"list",
"watch",
"update",
"patch",
"create",
"delete",
],
),
client.V1PolicyRule(
api_groups=["argoproj.io"],
resources=[
"workflowtemplates",
"workflowtemplates/finalizers",
],
verbs=["get", "list", "watch"],
),
client.V1PolicyRule(api_groups=[""],
resources=["secrets"],
verbs=["get"]),
client.V1PolicyRule(
api_groups=[""],
resources=["pods", "pods/exec", "services", "configmaps"],
verbs=[
"get",
"list",
"watch",
"create",
"delete",
"update",
"patch",
],
),
client.V1PolicyRule(
api_groups=[""],
resources=["pods/log", "serviceaccounts"],
verbs=["get", "list", "watch"],
),
]
role = client.V1Role(rules=rules, metadata=md)
rbstr = "rbac.authorization.k8s.io"
rolebinding = client.V1RoleBinding(
metadata=md,
role_ref=client.V1RoleRef(api_group=rbstr,
kind="Role",
name=account),
subjects=[
client.V1Subject(
kind="ServiceAccount",
name=account,
namespace=namespace,
)
],
)
return pull_secret, svcacct, role, rolebinding
# get Quota
resource_quota = v1.read_namespaced_resource_quota("user-quota", namespace)
# Update Quota
resource_quota.spec.hard['cpu'] = 20
# replace_namespaced_resource_quota(name, namespace, body)
ret = v1.replace_namespaced_resource_quota("user-quota", namespace,
resource_quota)
get_quota = v1.read_namespaced_resource_quota("user-quota", namespace)
print("%s\t%s\t%s" %
(get_quota.metadata.namespace, get_quota.metadata.name, get_quota.spec))
# create ns Role
rules = [client.V1PolicyRule(
["*"],
resources=["*"],
verbs=["*"],
)]
role = client.V1Role(rules=rules)
role.metadata = client.V1ObjectMeta(namespace=namespace, name="user-role")
rbac = client.RbacAuthorizationV1Api()
rbac.create_namespaced_role(namespace, role)
print("Create Role : " + namespace + "/user-role")
# delete NS Role
rbac.delete_namespaced_role("user-role", namespace)
print("Delete Role : " + namespace + "/user-role")
# create ns RoleBinding
role_binding = client.V1RoleBinding(metadata=client.V1ObjectMeta(
namespace=namespace, name="dev-role-binding"),
from kubernetes import client, config
from kubernetes.client.rest import ApiException
from pprint import pprint
config.load_kube_config()
metadata = client.V1ObjectMeta(name='developer', namespace='spark')
rule = client.V1PolicyRule(api_groups=['*'], resources=['*'], verbs=['get'])
rules = []
rules.append(rule)
body = client.V1Role(metadata=metadata, rules=rules)
api_instance = client.RbacAuthorizationV1Api()
try:
api_response = api_instance.create_namespaced_role('spark', body)
pprint(api_response)
except ApiException as e:
print("Exception when calling RbacAuthorizationV1Api->create_namespaced_role: %s\n" % e)
def process_rbac(self, user_name):
try:
_ = self.rbac.create_namespaced_role(
namespace="tool-{}".format(user_name),
body=client.V1Role(
api_version="rbac.authorization.k8s.io/v1",
kind="Role",
metadata=client.V1ObjectMeta(
name="tool-{}-psp".format(user_name),
namespace="tool-{}".format(user_name),
),
rules=[
client.V1PolicyRule(
api_groups=["policy"],
resource_names=["tool-{}-psp".format(user_name)],
resources=["podsecuritypolicies"],
verbs=["use"],
)
],
),
)
except ApiException as api_ex:
if api_ex.status == 409 and "AlreadyExists" in api_ex.body:
logging.info("Role tool-%s-psp already exists", user_name)
return
logging.error("Could not create psp role for %s", user_name)
raise
try:
_ = self.rbac.create_namespaced_role_binding(
namespace="tool-{}".format(user_name),
body=client.V1RoleBinding(
api_version="rbac.authorization.k8s.io/v1",
kind="RoleBinding",
metadata=client.V1ObjectMeta(
name="tool-{}-psp-binding".format(user_name),
namespace="tool-{}".format(user_name),
),
role_ref=client.V1RoleRef(
kind="Role",
name="tool-{}-psp".format(user_name),
api_group="rbac.authorization.k8s.io",
),
subjects=[
client.V1Subject(
kind="User",
name=user_name,
api_group="rbac.authorization.k8s.io",
)
],
),
)
except ApiException as api_ex:
if api_ex.status == 409 and "AlreadyExists" in api_ex.body:
logging.info("RoleBinding tool-%s-psp-binding already exists",
user_name)
return
logging.error("Could not create psp rolebinding for %s", user_name)
raise
try:
_ = self.rbac.create_namespaced_role_binding(
namespace="tool-{}".format(user_name),
body=client.V1RoleBinding(
api_version="rbac.authorization.k8s.io/v1",
kind="RoleBinding",
metadata=client.V1ObjectMeta(
name="default-{}-psp-binding".format(user_name),
namespace="tool-{}".format(user_name),
),
role_ref=client.V1RoleRef(
kind="Role",
name="tool-{}-psp".format(user_name),
api_group="rbac.authorization.k8s.io",
),
subjects=[
client.V1Subject(
kind="ServiceAccount",
name="default",
namespace="tool-{}".format(user_name),
)
],
),
)
except ApiException as api_ex:
if api_ex.status == 409 and "AlreadyExists" in api_ex.body:
logging.info(
"RoleBinding default-%s-psp-binding already exists",
user_name,
)
return
logging.error(
("Could not create psp rolebinding for tool-%s:default "
"serviceaccount"),
user_name,
)
raise
try:
_ = self.rbac.create_namespaced_role_binding(
namespace="tool-{}".format(user_name),
body=client.V1RoleBinding(
api_version="rbac.authorization.k8s.io/v1",
kind="RoleBinding",
metadata=client.V1ObjectMeta(
name="{}-tool-binding".format(user_name),
namespace="tool-{}".format(user_name),
),
role_ref=client.V1RoleRef(
kind="ClusterRole",
name="tools-user",
api_group="rbac.authorization.k8s.io",
),
subjects=[
client.V1Subject(
kind="User",
name=user_name,
api_group="rbac.authorization.k8s.io",
)
],
),
)
except ApiException as api_ex:
if api_ex.status == 409 and "AlreadyExists" in api_ex.body:
logging.info("RoleBinding %s-tool-binding already exists",
user_name)
return
logging.error("Could not create rolebinding for %s", user_name)
raise
def def_namespaced_account_objects(self):
'''Define K8s objects for things we need in the namespace.
'''
with start_action(action_type="define_namespaced_account_objects"):
namespace = self.namespace
username = self.parent.user.escaped_name
account = "{}-svcacct".format(username)
self.service_account = account
acd = 'argocd.argoproj.io/'
md = client.V1ObjectMeta(
name=account,
labels={acd + 'instance': 'nublado-users'},
annotations={
acd + 'compare-options': 'IgnoreExtraneous',
acd + 'sync-options': 'Prune=false',
})
svcacct = client.V1ServiceAccount(metadata=md)
# These rules let us manipulate Dask pods, Argo Workflows, and
# Multus CNI interfaces
rules = [
client.V1PolicyRule(
api_groups=["argoproj.io"],
resources=["workflows", "workflows/finalizers"],
verbs=[
"get", "list", "watch", "update", "patch", "create",
"delete"
]),
client.V1PolicyRule(
api_groups=["argoproj.io"],
resources=[
"workflowtemplates", "workflowtemplates/finalizers"
],
verbs=["get", "list", "watch"],
),
client.V1PolicyRule(api_groups=[""],
resources=["secrets"],
verbs=["get"]),
client.V1PolicyRule(
api_groups=[""],
resources=["pods", "pods/exec", "services", "configmaps"],
verbs=[
"get", "list", "watch", "create", "delete", "update",
"patch"
]),
client.V1PolicyRule(api_groups=[""],
resources=["pods/log", "serviceaccounts"],
verbs=["get", "list", "watch"]),
]
role = client.V1Role(rules=rules, metadata=md)
rbstr = 'rbac.authorization.k8s.io'
rolebinding = client.V1RoleBinding(
metadata=md,
role_ref=client.V1RoleRef(api_group=rbstr,
kind="Role",
name=account),
subjects=[
client.V1Subject(kind="ServiceAccount",
name=account,
namespace=namespace)
])
return svcacct, role, rolebinding
def setup_workflow_service_account(namespace: str) -> None:
"""Setup a workflow controller service-account with required roles.
:param namespace: Namespace in which the service-account will be
placed.
"""
service_account_object = k8s.V1ServiceAccount(metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT))
k8s.CoreV1Api().create_namespaced_service_account(
namespace=namespace, body=service_account_object)
role_object = k8s.V1Role(metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT),
rules=[
k8s.V1PolicyRule(api_groups=[''],
resources=['*'],
verbs=['*']),
k8s.V1PolicyRule(api_groups=['apps', 'batch'],
resources=['*'],
verbs=['*'])
])
k8s.RbacAuthorizationV1Api().create_namespaced_role(namespace=namespace,
body=role_object)
role_binding_object = k8s.V1RoleBinding(
metadata=k8s.V1ObjectMeta(namespace=namespace,
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT),
role_ref=k8s.V1RoleRef(kind='Role',
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
api_group='rbac.authorization.k8s.io'),
subjects=[
k8s.V1Subject(kind='ServiceAccount',
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
namespace=namespace)
])
k8s.RbacAuthorizationV1Api().create_namespaced_role_binding(
namespace=namespace, body=role_binding_object)
if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE):
cluster_role_object = k8s.V1ClusterRole(
metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE),
rules=[
k8s.V1PolicyRule(api_groups=[''],
resources=['namespaces'],
verbs=['get', 'list']),
k8s.V1PolicyRule(api_groups=['rbac.authorization.k8s.io'],
resources=['clusterrolebindings'],
verbs=['get', 'list'])
])
k8s.RbacAuthorizationV1Api().create_cluster_role(
body=cluster_role_object)
if not cluster_role_binding_exists(
workflow_cluster_role_binding_name(namespace)):
cluster_role_binding_object = k8s.V1ClusterRoleBinding(
metadata=k8s.V1ObjectMeta(
name=workflow_cluster_role_binding_name(namespace),
namespace=namespace),
role_ref=k8s.V1RoleRef(kind='ClusterRole',
name=BODYWORK_WORKFLOW_CLUSTER_ROLE,
api_group='rbac.authorization.k8s.io'),
subjects=[
k8s.V1Subject(kind='ServiceAccount',
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
namespace=namespace)
])
k8s.RbacAuthorizationV1Api().create_cluster_role_binding(
body=cluster_role_binding_object)
import kubernetes.client as k8c
def get_sa_name(username):
return "u-{}".format(username)
def get_rb_name(role_name, sa_name):
return "{}~{}".format(role_name, sa_name)
# role = namedtuple("role", ["name", "rule"])
# NS_BASE_ROLE_NAME = "r-base"
# NS_BASE_ROLE = role(name="r-base", rule="")
# meta = k8c.V1ObjectMeta(name="r-base")
# rule = [
# k8c.V1PolicyRule(api_groups=["*"], resources=["*"], verbs=["*"]),
# ]
NS_BASE_ROLE = k8c.V1Role(
api_version="rbac.authorization.k8s.io/v1",
kind="Role",
metadata=k8c.V1ObjectMeta(name="r-base"),
rules=[
k8c.V1PolicyRule(api_groups=["*"], resources=["*"], verbs=["*"]),
],
)
def setup_workflow_service_account(namespace: str) -> None:
"""Setup a workflow controller service-account with required roles.
:param namespace: Namespace in which the service-account will be
placed.
"""
service_account_object = k8s.V1ServiceAccount(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
)
)
k8s.CoreV1Api().create_namespaced_service_account(
namespace=namespace, body=service_account_object
)
role_object = k8s.V1Role(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
),
rules=[
k8s.V1PolicyRule(api_groups=[""], resources=["*"], verbs=["*"]),
k8s.V1PolicyRule(
api_groups=["apps", "batch"], resources=["*"], verbs=["*"]
),
k8s.V1PolicyRule(
api_groups=["extensions"], resources=["ingresses"], verbs=["*"]
),
],
)
k8s.RbacAuthorizationV1Api().create_namespaced_role(
namespace=namespace, body=role_object
)
role_binding_object = k8s.V1RoleBinding(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
),
role_ref=k8s.V1RoleRef(
kind="Role",
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
api_group="rbac.authorization.k8s.io",
),
subjects=[
k8s.V1Subject(
kind="ServiceAccount",
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
namespace=namespace,
)
],
)
k8s.RbacAuthorizationV1Api().create_namespaced_role_binding(
namespace=namespace, body=role_binding_object
)
if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE):
cluster_role_object = k8s.V1ClusterRole(
metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE),
rules=[
k8s.V1PolicyRule(
api_groups=[""], resources=["namespaces"], verbs=["get", "list"]
),
k8s.V1PolicyRule(
api_groups=["rbac.authorization.k8s.io"],
resources=["clusterrolebindings"],
verbs=["get", "list"],
),
],
)
k8s.RbacAuthorizationV1Api().create_cluster_role(body=cluster_role_object)
if not cluster_role_binding_exists(workflow_cluster_role_binding_name(namespace)):
cluster_role_binding_object = k8s.V1ClusterRoleBinding(
metadata=k8s.V1ObjectMeta(
name=workflow_cluster_role_binding_name(namespace), namespace=namespace
),
role_ref=k8s.V1RoleRef(
kind="ClusterRole",
name=BODYWORK_WORKFLOW_CLUSTER_ROLE,
api_group="rbac.authorization.k8s.io",
),
subjects=[
k8s.V1Subject(
kind="ServiceAccount",
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
namespace=namespace,
)
],
)
k8s.RbacAuthorizationV1Api().create_cluster_role_binding(
body=cluster_role_binding_object
)
