def _cluster_role(self):
return client.V1ClusterRole(
api_version='rbac.authorization.k8s.io/v1',
kind='ClusterRole',
metadata=metadata(
name=self.name,
labels=self.labels,
),
rules=[
client.V1PolicyRule(
api_groups=["", "extensions"],
resources=[
"configmaps", "endpoints", "events", "ingresses",
"ingresses/status", "services"
],
verbs=[
"create", "get", "list", "update", "watch", "patch"
],
),
client.V1PolicyRule(api_groups=["", "extensions"],
resources=[
"nodes", "pods", "secrets", "services",
"namespaces"
],
verbs=["get", "list", "watch"]),
])
def _cluster_role(self):
return client.V1ClusterRole(
api_version='rbac.authorization.k8s.io/v1',
kind='ClusterRole',
metadata=metadata(
name=f'{self.name}-role',
),
rules=[
client.V1PolicyRule(
api_groups=[""],
resources=[
"pods",
"nodes",
"endpoints",
],
verbs=["list", "watch"],
),
client.V1PolicyRule(
api_groups=["apps"],
resources=["replicasets"],
verbs=["list", "watch"],
),
client.V1PolicyRule(
api_groups=["batch"],
resources=["jobs"],
verbs=["list", "watch"],
),
client.V1PolicyRule(
api_groups=[""],
resources=["nodes/proxy"],
verbs=["get"],
),
client.V1PolicyRule(
api_groups=[""],
resources=["nodes/stats", "configmaps", "events"],
verbs=["create"],
),
client.V1PolicyRule(
api_groups=[""],
resources=["configmaps"],
resource_names=["cwagent-clusterleader"],
verbs=["get", "update"],
),
]
)
def create_quick_clusterrole_definition(clusterRoleName,
rules,
annotationsDict={}):
crRules = client.V1PolicyRule(api_groups=["*"],
resources=["*"],
verbs=[
"get", "list", "create", "update",
"delete", "deletecollection", "watch"
])
# print("CR Rules: " + str(crRules))
clusterRole = client.V1ClusterRole(
api_version="rbac.authorization.k8s.io/v1",
kind="ClusterRole",
metadata=client.V1ObjectMeta(name=clusterRoleName,
annotations=annotationsDict),
rules=[crRules])
return clusterRole
def create_cluster_role():
"""
Create IBM Spectrum Scale CSI Operator cluster role in Operator namespace
Args:
None
Returns:
None
Raises:
Raises an exception on kubernetes client api failure and asserts
"""
cluster_role_api_instance = client.RbacAuthorizationV1Api()
pretty = True
cluster_role_labels = {
"app.kubernetes.io/instance": "ibm-spectrum-scale-csi-operator",
"app.kubernetes.io/managed-by": "ibm-spectrum-scale-csi-operator",
"app.kubernetes.io/name": "ibm-spectrum-scale-csi-operator",
"product": "ibm-spectrum-scale-csi",
"release": "ibm-spectrum-scale-csi-operator"
}
cluster_role_metadata = client.V1ObjectMeta(
name="ibm-spectrum-scale-csi-operator",
labels=cluster_role_labels,
namespace=namespace_value)
cluster_role_rules = []
cluster_role_rules.append(
client.V1PolicyRule(api_groups=["*"],
resources=[
'pods', 'persistentvolumeclaims', 'services',
'endpoints', 'events', 'configmaps', 'secrets',
'secrets/status', 'services/finalizers',
'serviceaccounts', 'securitycontextconstraints'
],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['rbac.authorization.k8s.io'],
resources=['clusterroles', 'clusterrolebindings'],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['apps'],
resources=[
'deployments', 'daemonsets', 'replicasets',
'statefulsets'
],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['monitoring.coreos.com'],
resources=['servicemonitors'],
verbs=['get', 'create']))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['apps'],
resources=['replicasets'],
verbs=["get"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['csi.ibm.com'],
resources=['*'],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['security.openshift.io'],
resources=['securitycontextconstraints'],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['storage.k8s.io'],
resources=['volumeattachments', 'storageclasses'],
verbs=["*"]))
cluster_role_rules.append(
client.V1PolicyRule(api_groups=['apps'],
resource_names=['ibm-spectrum-scale-csi-operator'],
resources=['deployments/finalizers'],
verbs=['update']))
body = client.V1ClusterRole(kind='ClusterRole',
api_version='rbac.authorization.k8s.io/v1',
metadata=cluster_role_metadata,
rules=cluster_role_rules)
try:
LOGGER.info("Creating ibm-spectrum-scale-csi-operator ClusterRole ")
cluster_role_api_response = cluster_role_api_instance.create_cluster_role(
body, pretty=pretty)
LOGGER.debug(str(cluster_role_api_response))
except ApiException as e:
LOGGER.error(
f"Exception when calling RbacAuthorizationV1Api->create_cluster_role: {e}"
)
assert False
def setup_workflow_service_account(namespace: str) -> None:
"""Setup a workflow controller service-account with required roles.
:param namespace: Namespace in which the service-account will be
placed.
"""
service_account_object = k8s.V1ServiceAccount(metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT))
k8s.CoreV1Api().create_namespaced_service_account(
namespace=namespace, body=service_account_object)
role_object = k8s.V1Role(metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT),
rules=[
k8s.V1PolicyRule(api_groups=[''],
resources=['*'],
verbs=['*']),
k8s.V1PolicyRule(api_groups=['apps', 'batch'],
resources=['*'],
verbs=['*'])
])
k8s.RbacAuthorizationV1Api().create_namespaced_role(namespace=namespace,
body=role_object)
role_binding_object = k8s.V1RoleBinding(
metadata=k8s.V1ObjectMeta(namespace=namespace,
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT),
role_ref=k8s.V1RoleRef(kind='Role',
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
api_group='rbac.authorization.k8s.io'),
subjects=[
k8s.V1Subject(kind='ServiceAccount',
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
namespace=namespace)
])
k8s.RbacAuthorizationV1Api().create_namespaced_role_binding(
namespace=namespace, body=role_binding_object)
if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE):
cluster_role_object = k8s.V1ClusterRole(
metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE),
rules=[
k8s.V1PolicyRule(api_groups=[''],
resources=['namespaces'],
verbs=['get', 'list']),
k8s.V1PolicyRule(api_groups=['rbac.authorization.k8s.io'],
resources=['clusterrolebindings'],
verbs=['get', 'list'])
])
k8s.RbacAuthorizationV1Api().create_cluster_role(
body=cluster_role_object)
if not cluster_role_binding_exists(
workflow_cluster_role_binding_name(namespace)):
cluster_role_binding_object = k8s.V1ClusterRoleBinding(
metadata=k8s.V1ObjectMeta(
name=workflow_cluster_role_binding_name(namespace),
namespace=namespace),
role_ref=k8s.V1RoleRef(kind='ClusterRole',
name=BODYWORK_WORKFLOW_CLUSTER_ROLE,
api_group='rbac.authorization.k8s.io'),
subjects=[
k8s.V1Subject(kind='ServiceAccount',
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
namespace=namespace)
])
k8s.RbacAuthorizationV1Api().create_cluster_role_binding(
body=cluster_role_binding_object)
def setup_workflow_service_account(namespace: str) -> None:
"""Setup a workflow controller service-account with required roles.
:param namespace: Namespace in which the service-account will be
placed.
"""
service_account_object = k8s.V1ServiceAccount(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
)
)
k8s.CoreV1Api().create_namespaced_service_account(
namespace=namespace, body=service_account_object
)
role_object = k8s.V1Role(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
),
rules=[
k8s.V1PolicyRule(api_groups=[""], resources=["*"], verbs=["*"]),
k8s.V1PolicyRule(
api_groups=["apps", "batch"], resources=["*"], verbs=["*"]
),
k8s.V1PolicyRule(
api_groups=["extensions"], resources=["ingresses"], verbs=["*"]
),
],
)
k8s.RbacAuthorizationV1Api().create_namespaced_role(
namespace=namespace, body=role_object
)
role_binding_object = k8s.V1RoleBinding(
metadata=k8s.V1ObjectMeta(
namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
),
role_ref=k8s.V1RoleRef(
kind="Role",
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
api_group="rbac.authorization.k8s.io",
),
subjects=[
k8s.V1Subject(
kind="ServiceAccount",
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
namespace=namespace,
)
],
)
k8s.RbacAuthorizationV1Api().create_namespaced_role_binding(
namespace=namespace, body=role_binding_object
)
if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE):
cluster_role_object = k8s.V1ClusterRole(
metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE),
rules=[
k8s.V1PolicyRule(
api_groups=[""], resources=["namespaces"], verbs=["get", "list"]
),
k8s.V1PolicyRule(
api_groups=["rbac.authorization.k8s.io"],
resources=["clusterrolebindings"],
verbs=["get", "list"],
),
],
)
k8s.RbacAuthorizationV1Api().create_cluster_role(body=cluster_role_object)
if not cluster_role_binding_exists(workflow_cluster_role_binding_name(namespace)):
cluster_role_binding_object = k8s.V1ClusterRoleBinding(
metadata=k8s.V1ObjectMeta(
name=workflow_cluster_role_binding_name(namespace), namespace=namespace
),
role_ref=k8s.V1RoleRef(
kind="ClusterRole",
name=BODYWORK_WORKFLOW_CLUSTER_ROLE,
api_group="rbac.authorization.k8s.io",
),
subjects=[
k8s.V1Subject(
kind="ServiceAccount",
name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
namespace=namespace,
)
],
)
k8s.RbacAuthorizationV1Api().create_cluster_role_binding(
body=cluster_role_binding_object
)