def create_role(api: client.RbacAuthorizationV1Api,
configmap: Resource,
cro_spec: ResourceChunk,
ns: str,
name_suffix: str,
psp: client.PolicyV1beta1PodSecurityPolicy = None):
logger = logging.getLogger('kopf.objects')
role_name = cro_spec.get("role", {}).get("name")
if not role_name:
tpl = yaml.safe_load(configmap.data['chaostoolkit-role.yaml'])
role_name = tpl["metadata"]["name"]
role_name = f"{role_name}-{name_suffix}"
tpl["metadata"]["name"] = role_name
# when a PSP is defined, we add a rule to use that PSP
if psp:
logger.info(
f"Adding pod security policy {psp.metadata.name} use to role")
psp_rule = yaml.safe_load(
configmap.data['chaostoolkit-role-psp-rule.yaml'])
set_rule_psp_name(psp_rule, psp.metadata.name)
tpl["rules"].append(psp_rule)
logger.debug(f"Creating cluster role with template:\n{tpl}")
try:
api.create_cluster_role(body=tpl)
return tpl
except ApiException as e:
if e.status == 409:
logger.info(f"Cluster role '{role_name}' already exists.")
else:
raise kopf.PermanentError(
f"Failed to create cluster role: {str(e)}")
def configure_rbac_with_ap(rbac_v1: RbacAuthorizationV1Api) -> RBACAuthorization:
"""
Create cluster and binding for AppProtect module.
:param rbac_v1: RbacAuthorizationV1Api
:return: RBACAuthorization
"""
with open(f"{DEPLOYMENTS}/rbac/ap-rbac.yaml") as f:
docs = yaml.safe_load_all(f)
role_name = ""
binding_name = ""
for dep in docs:
if dep["kind"] == "ClusterRole":
print("Create cluster role for AppProtect")
role_name = dep["metadata"]["name"]
rbac_v1.create_cluster_role(dep)
print(f"Created role '{role_name}'")
elif dep["kind"] == "ClusterRoleBinding":
print("Create binding for AppProtect")
binding_name = dep["metadata"]["name"]
rbac_v1.create_cluster_role_binding(dep)
print(f"Created binding '{binding_name}'")
return RBACAuthorization(role_name, binding_name)
def configure_rbac(rbac_v1: RbacAuthorizationV1Api) -> RBACAuthorization:
"""
Create cluster and binding.
:param rbac_v1: RbacAuthorizationV1Api
:return: RBACAuthorization
"""
with open(f'{DEPLOYMENTS}/rbac/rbac.yaml') as f:
docs = yaml.safe_load_all(f)
role_name = ""
binding_name = ""
for dep in docs:
if dep["kind"] == "ClusterRole":
print("Create cluster role")
role_name = dep['metadata']['name']
rbac_v1.create_cluster_role(dep)
print(f"Created role '{role_name}'")
elif dep["kind"] == "ClusterRoleBinding":
print("Create binding")
binding_name = dep['metadata']['name']
rbac_v1.create_cluster_role_binding(dep)
print(f"Created binding '{binding_name}'")
return RBACAuthorization(role_name, binding_name)