def _cluster_role(self): return client.V1ClusterRole( api_version='rbac.authorization.k8s.io/v1', kind='ClusterRole', metadata=metadata( name=self.name, labels=self.labels, ), rules=[ client.V1PolicyRule( api_groups=["", "extensions"], resources=[ "configmaps", "endpoints", "events", "ingresses", "ingresses/status", "services" ], verbs=[ "create", "get", "list", "update", "watch", "patch" ], ), client.V1PolicyRule(api_groups=["", "extensions"], resources=[ "nodes", "pods", "secrets", "services", "namespaces" ], verbs=["get", "list", "watch"]), ])
def _cluster_role(self): return client.V1ClusterRole( api_version='rbac.authorization.k8s.io/v1', kind='ClusterRole', metadata=metadata( name=f'{self.name}-role', ), rules=[ client.V1PolicyRule( api_groups=[""], resources=[ "pods", "nodes", "endpoints", ], verbs=["list", "watch"], ), client.V1PolicyRule( api_groups=["apps"], resources=["replicasets"], verbs=["list", "watch"], ), client.V1PolicyRule( api_groups=["batch"], resources=["jobs"], verbs=["list", "watch"], ), client.V1PolicyRule( api_groups=[""], resources=["nodes/proxy"], verbs=["get"], ), client.V1PolicyRule( api_groups=[""], resources=["nodes/stats", "configmaps", "events"], verbs=["create"], ), client.V1PolicyRule( api_groups=[""], resources=["configmaps"], resource_names=["cwagent-clusterleader"], verbs=["get", "update"], ), ] )
def create_quick_clusterrole_definition(clusterRoleName, rules, annotationsDict={}): crRules = client.V1PolicyRule(api_groups=["*"], resources=["*"], verbs=[ "get", "list", "create", "update", "delete", "deletecollection", "watch" ]) # print("CR Rules: " + str(crRules)) clusterRole = client.V1ClusterRole( api_version="rbac.authorization.k8s.io/v1", kind="ClusterRole", metadata=client.V1ObjectMeta(name=clusterRoleName, annotations=annotationsDict), rules=[crRules]) return clusterRole
def create_cluster_role(): """ Create IBM Spectrum Scale CSI Operator cluster role in Operator namespace Args: None Returns: None Raises: Raises an exception on kubernetes client api failure and asserts """ cluster_role_api_instance = client.RbacAuthorizationV1Api() pretty = True cluster_role_labels = { "app.kubernetes.io/instance": "ibm-spectrum-scale-csi-operator", "app.kubernetes.io/managed-by": "ibm-spectrum-scale-csi-operator", "app.kubernetes.io/name": "ibm-spectrum-scale-csi-operator", "product": "ibm-spectrum-scale-csi", "release": "ibm-spectrum-scale-csi-operator" } cluster_role_metadata = client.V1ObjectMeta( name="ibm-spectrum-scale-csi-operator", labels=cluster_role_labels, namespace=namespace_value) cluster_role_rules = [] cluster_role_rules.append( client.V1PolicyRule(api_groups=["*"], resources=[ 'pods', 'persistentvolumeclaims', 'services', 'endpoints', 'events', 'configmaps', 'secrets', 'secrets/status', 'services/finalizers', 'serviceaccounts', 'securitycontextconstraints' ], verbs=["*"])) cluster_role_rules.append( client.V1PolicyRule(api_groups=['rbac.authorization.k8s.io'], resources=['clusterroles', 'clusterrolebindings'], verbs=["*"])) cluster_role_rules.append( client.V1PolicyRule(api_groups=['apps'], resources=[ 'deployments', 'daemonsets', 'replicasets', 'statefulsets' ], verbs=["*"])) cluster_role_rules.append( client.V1PolicyRule(api_groups=['monitoring.coreos.com'], resources=['servicemonitors'], verbs=['get', 'create'])) cluster_role_rules.append( client.V1PolicyRule(api_groups=['apps'], resources=['replicasets'], verbs=["get"])) cluster_role_rules.append( client.V1PolicyRule(api_groups=['csi.ibm.com'], resources=['*'], verbs=["*"])) cluster_role_rules.append( client.V1PolicyRule(api_groups=['security.openshift.io'], resources=['securitycontextconstraints'], verbs=["*"])) cluster_role_rules.append( client.V1PolicyRule(api_groups=['storage.k8s.io'], resources=['volumeattachments', 'storageclasses'], verbs=["*"])) cluster_role_rules.append( client.V1PolicyRule(api_groups=['apps'], resource_names=['ibm-spectrum-scale-csi-operator'], resources=['deployments/finalizers'], verbs=['update'])) body = client.V1ClusterRole(kind='ClusterRole', api_version='rbac.authorization.k8s.io/v1', metadata=cluster_role_metadata, rules=cluster_role_rules) try: LOGGER.info("Creating ibm-spectrum-scale-csi-operator ClusterRole ") cluster_role_api_response = cluster_role_api_instance.create_cluster_role( body, pretty=pretty) LOGGER.debug(str(cluster_role_api_response)) except ApiException as e: LOGGER.error( f"Exception when calling RbacAuthorizationV1Api->create_cluster_role: {e}" ) assert False
def setup_workflow_service_account(namespace: str) -> None: """Setup a workflow controller service-account with required roles. :param namespace: Namespace in which the service-account will be placed. """ service_account_object = k8s.V1ServiceAccount(metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT)) k8s.CoreV1Api().create_namespaced_service_account( namespace=namespace, body=service_account_object) role_object = k8s.V1Role(metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT), rules=[ k8s.V1PolicyRule(api_groups=[''], resources=['*'], verbs=['*']), k8s.V1PolicyRule(api_groups=['apps', 'batch'], resources=['*'], verbs=['*']) ]) k8s.RbacAuthorizationV1Api().create_namespaced_role(namespace=namespace, body=role_object) role_binding_object = k8s.V1RoleBinding( metadata=k8s.V1ObjectMeta(namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT), role_ref=k8s.V1RoleRef(kind='Role', name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, api_group='rbac.authorization.k8s.io'), subjects=[ k8s.V1Subject(kind='ServiceAccount', name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, namespace=namespace) ]) k8s.RbacAuthorizationV1Api().create_namespaced_role_binding( namespace=namespace, body=role_binding_object) if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE): cluster_role_object = k8s.V1ClusterRole( metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE), rules=[ k8s.V1PolicyRule(api_groups=[''], resources=['namespaces'], verbs=['get', 'list']), k8s.V1PolicyRule(api_groups=['rbac.authorization.k8s.io'], resources=['clusterrolebindings'], verbs=['get', 'list']) ]) k8s.RbacAuthorizationV1Api().create_cluster_role( body=cluster_role_object) if not cluster_role_binding_exists( workflow_cluster_role_binding_name(namespace)): cluster_role_binding_object = k8s.V1ClusterRoleBinding( metadata=k8s.V1ObjectMeta( name=workflow_cluster_role_binding_name(namespace), namespace=namespace), role_ref=k8s.V1RoleRef(kind='ClusterRole', name=BODYWORK_WORKFLOW_CLUSTER_ROLE, api_group='rbac.authorization.k8s.io'), subjects=[ k8s.V1Subject(kind='ServiceAccount', name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, namespace=namespace) ]) k8s.RbacAuthorizationV1Api().create_cluster_role_binding( body=cluster_role_binding_object)
def setup_workflow_service_account(namespace: str) -> None: """Setup a workflow controller service-account with required roles. :param namespace: Namespace in which the service-account will be placed. """ service_account_object = k8s.V1ServiceAccount( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT ) ) k8s.CoreV1Api().create_namespaced_service_account( namespace=namespace, body=service_account_object ) role_object = k8s.V1Role( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT ), rules=[ k8s.V1PolicyRule(api_groups=[""], resources=["*"], verbs=["*"]), k8s.V1PolicyRule( api_groups=["apps", "batch"], resources=["*"], verbs=["*"] ), k8s.V1PolicyRule( api_groups=["extensions"], resources=["ingresses"], verbs=["*"] ), ], ) k8s.RbacAuthorizationV1Api().create_namespaced_role( namespace=namespace, body=role_object ) role_binding_object = k8s.V1RoleBinding( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT ), role_ref=k8s.V1RoleRef( kind="Role", name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, api_group="rbac.authorization.k8s.io", ), subjects=[ k8s.V1Subject( kind="ServiceAccount", name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, namespace=namespace, ) ], ) k8s.RbacAuthorizationV1Api().create_namespaced_role_binding( namespace=namespace, body=role_binding_object ) if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE): cluster_role_object = k8s.V1ClusterRole( metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE), rules=[ k8s.V1PolicyRule( api_groups=[""], resources=["namespaces"], verbs=["get", "list"] ), k8s.V1PolicyRule( api_groups=["rbac.authorization.k8s.io"], resources=["clusterrolebindings"], verbs=["get", "list"], ), ], ) k8s.RbacAuthorizationV1Api().create_cluster_role(body=cluster_role_object) if not cluster_role_binding_exists(workflow_cluster_role_binding_name(namespace)): cluster_role_binding_object = k8s.V1ClusterRoleBinding( metadata=k8s.V1ObjectMeta( name=workflow_cluster_role_binding_name(namespace), namespace=namespace ), role_ref=k8s.V1RoleRef( kind="ClusterRole", name=BODYWORK_WORKFLOW_CLUSTER_ROLE, api_group="rbac.authorization.k8s.io", ), subjects=[ k8s.V1Subject( kind="ServiceAccount", name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, namespace=namespace, ) ], ) k8s.RbacAuthorizationV1Api().create_cluster_role_binding( body=cluster_role_binding_object )