Example #1
0
def clusterrolebindings_from_marker(item, namespace):
    """Create ClusterRoleBindings for the test case if the test case
    is marked with the `pytest.mark.clusterrolebinding` marker.

    Args:
        item (pytest.Item): The pytest test item.
        namespace (str): The namespace of the test case.

    Return:
        list[objects.ClusterRoleBinding]: The ClusterRoleBindings that
            were generated from the test case markers.
    """
    clusterrolebindings = []
    for mark in item.iter_markers(name='clusterrolebinding'):
        name = mark.args[0]
        subj_kind = mark.kwargs.get('subject_kind')
        subj_name = mark.kwargs.get('subject_name')

        subj = get_custom_rbac_subject(namespace, subj_kind, subj_name)
        if not subj:
            subj = get_default_rbac_subjects(namespace)

        clusterrolebindings.append(ClusterRoleBinding(client.V1ClusterRoleBinding(
            metadata=client.V1ObjectMeta(
                name='kubetest:{}'.format(item.name),
            ),
            role_ref=client.V1RoleRef(
                api_group='rbac.authorization.k8s.io',
                kind='ClusterRole',
                name=name,
            ),
            subjects=subj,
        )))

    return clusterrolebindings
Example #2
0
    def create_namespace_rolebinding(self, namespace: str,
                                     metadata: client.V1ObjectMeta,
                                     role_ref: client.V1RoleRef,
                                     subjects: List[client.V1Subject]):
        """
        Create a role binding in a namespace

        Args:
            namespace: namespace name
            metadata: metadata for role binding
            role_ref: Role reference for the binding
            subjects: list of subjects for the binding

        Returns:
            V1ClusterRoleBinding object

        Raises:
            ApiException if something wrong with binding creation

        Examples:
            create_rolebinding(
                metadata = client.V1ObjectMeta(
                    name="role-bind-name",
                    namespace='namespace-name'
                ),
                role_ref = client.V1RoleRef(
                    api_group='rbac.authorization.k8s.io',
                    kind='ClusterRole',
                    name='cluster-admin'
                ),
                subjects = [
                    client.V1Subject(
                        kind='ServiceAccount',
                        name='default',
                        namespace='namespace-name'
                    )
                ]

        """
        body = client.V1ClusterRoleBinding(metadata=metadata,
                                           role_ref=role_ref,
                                           subjects=subjects)
        exception_count = 3
        while True:
            try:
                api_response = self.rbac_v1. \
                    create_namespaced_role_binding(namespace, body)
            except ApiException as e_obj:
                utilprocs.log(
                    ("Exception when calling RbacAuthorizationV1Api->"
                     "create_cluster_role_binding: {}".format(e_obj)))
                exception_count -= 1
                if exception_count <= 0:
                    raise
                continue

            return api_response
def create_cluster_role_binding():
    """
    Create IBM Spectrum Scale CSI Operator ClusterRoleBinding object in Operator namepsace

    Args:
       None

    Returns:
       None

    Raises:
        Raises an exception on kubernetes client api failure and asserts

    """
    cluster_role_binding_api_instance = client.RbacAuthorizationV1Api()
    pretty = True
    cluster_role_binding_labels = {
        "app.kubernetes.io/instance": "ibm-spectrum-scale-csi-operator",
        "app.kubernetes.io/managed-by": "ibm-spectrum-scale-csi-operator",
        "app.kubernetes.io/name": "ibm-spectrum-scale-csi-operator",
        "product": "ibm-spectrum-scale-csi",
        "release": "ibm-spectrum-scale-csi-operator"
    }

    cluster_role_binding_metadata = client.V1ObjectMeta(
        name="ibm-spectrum-scale-csi-operator",
        labels=cluster_role_binding_labels,
        namespace=namespace_value)

    cluster_role_binding_role_ref = client.V1RoleRef(
        api_group="rbac.authorization.k8s.io",
        kind="ClusterRole",
        name="ibm-spectrum-scale-csi-operator")

    cluster_role_binding_subjects = client.V1Subject(
        kind="ServiceAccount",
        name="ibm-spectrum-scale-csi-operator",
        namespace=namespace_value)

    cluster_role_binding_body = client.V1ClusterRoleBinding(
        kind='ClusterRoleBinding',
        api_version='rbac.authorization.k8s.io/v1',
        metadata=cluster_role_binding_metadata,
        role_ref=cluster_role_binding_role_ref,
        subjects=[cluster_role_binding_subjects])

    try:
        LOGGER.info("creating cluster role binding")
        cluster_role_binding_api_response = cluster_role_binding_api_instance.create_cluster_role_binding(
            cluster_role_binding_body, pretty=pretty)
        LOGGER.debug(cluster_role_binding_api_response)
    except ApiException as e:
        LOGGER.error(
            f"Exception when calling RbacAuthorizationV1Api->create_cluster_role_binding: {e}"
        )
        assert False
 def _cluster_role_binding(self):
     return client.V1ClusterRoleBinding(
         api_version='rbac.authorization.k8s.io/v1',
         kind='ClusterRoleBinding',
         metadata=metadata(
             name=self.name,
             labels=self.labels,
         ),
         role_ref=client.V1RoleRef(api_group='rbac.authorization.k8s.io',
                                   kind='ClusterRole',
                                   name=self.name),
         subjects=[
             client.V1Subject(kind='ServiceAccount',
                              name=self.name,
                              namespace=self.namespace)
         ])
def create_quick_clusterrolebinding_definition(clusterRoleBindingName,
                                               clusterRoleName,
                                               serviceAccountName,
                                               saNamespace,
                                               annotationsDict={}):

    clusterrole = client.V1RoleRef(api_group="rbac.authorization.k8s.io",
                                   kind="ClusterRole",
                                   name=clusterRoleName)
    subjectsList = client.V1Subject(kind="ServiceAccount",
                                    name=serviceAccountName,
                                    namespace=saNamespace)
    clusterRoleBinding = client.V1ClusterRoleBinding(
        api_version="rbac.authorization.k8s.io/v1",
        kind="ClusterRoleBinding",
        metadata=client.V1ObjectMeta(name=clusterRoleBindingName,
                                     annotations=annotationsDict),
        role_ref=clusterrole,
        subjects=[subjectsList])
    return clusterRoleBinding
Example #6
0
def get_token():
    config.load_kube_config()
    v1 = client.CoreV1Api()
    rbac_v1 = client.RbacAuthorizationV1Api()
    try:
        v1.read_namespace(name="auto-istio", pretty=True)
    except client.rest.ApiException:
        metadata = {"name": "auto-istio"}
        namespace = client.V1Namespace(api_version="v1",
                                       kind="Namespace",
                                       metadata=metadata)
        v1.create_namespace(namespace)

    try:
        rbac_v1.read_cluster_role_binding(name="auto_istio_binding",
                                          pretty=True)
    except client.rest.ApiException:
        metadata = {"name": "auto_istio_binding"}
        subjects = [{
            "kind": "ServiceAccount",
            "name": "default",
            "namespace": "auto-istio"
        }]
        role_ref = {
            "kind": "ClusterRole",
            "name": "cluster-admin",
            "apiGroup": "rbac.authorization.k8s.io"
        }
        cluster_role_binding = client.V1ClusterRoleBinding(
            api_version="rbac.authorization.k8s.io/v1",
            kind="ClusterRoleBinding",
            metadata=metadata,
            subjects=subjects,
            role_ref=role_ref)
        rbac_v1.create_cluster_role_binding(cluster_role_binding)

    service_account = v1.read_namespaced_service_account(
        namespace="auto-istio", name="default")
    secret = v1.read_namespaced_secret(namespace='auto-istio',
                                       name=service_account.secrets[0].name)
    return base64.b64decode(secret.data['token']).decode("utf-8")
Example #7
0
    def create_cluster_role_binding(self, cluster_role_binding_name, user_name,
                                    cluster_role_name):
        """Create role binding using name=role_binding_name in namespace
        connecting role_name using service_account_name"""
        metadata = client.V1ObjectMeta(name=cluster_role_binding_name)
        role = client.V1RoleRef(kind="ClusterRole",
                                name=cluster_role_name,
                                api_group="rbac.authorization.k8s.io")
        subject = client.V1Subject(kind="User", name=user_name)
        body = client.V1ClusterRoleBinding(subjects=[subject],
                                           metadata=metadata,
                                           role_ref=role)

        try:
            self.rbac_cli.create_cluster_role_binding(body=body)
            logger.info('Created cluster role binding {}'.format(
                cluster_role_binding_name))
            return True
        except client.rest.ApiException as e:
            self.check_create_error_and_response(e, "ClusterRoleBinding",
                                                 cluster_role_binding_name)
            return False
Example #8
0
def clusterrolebindings_from_marker(
        item: pytest.Item, namespace: str) -> List[ClusterRoleBinding]:
    """Create ClusterRoleBindings for the test case if the test case is marked
    with the `pytest.mark.clusterrolebinding` marker.

    Args:
        item: The pytest test item.
        namespace: The namespace of the test case.

    Return:
        The ClusterRoleBindings which were generated from the test case markers.
    """
    clusterrolebindings = []
    for mark in item.iter_markers(name="clusterrolebinding"):
        name = mark.args[0]
        subj_kind = mark.kwargs.get("subject_kind")
        subj_name = mark.kwargs.get("subject_name")

        subj = get_custom_rbac_subject(namespace, subj_kind, subj_name)
        if not subj:
            subj = get_default_rbac_subjects(namespace)

        clusterrolebindings.append(
            ClusterRoleBinding(
                client.V1ClusterRoleBinding(
                    metadata=client.V1ObjectMeta(
                        name=f"kubetest:{item.name}", ),
                    role_ref=client.V1RoleRef(
                        api_group="rbac.authorization.k8s.io",
                        kind="ClusterRole",
                        name=name,
                    ),
                    subjects=subj,
                )))

    return clusterrolebindings
Example #9
0
def setup_workflow_service_account(namespace: str) -> None:
    """Setup a workflow controller service-account with required roles.

    :param namespace: Namespace in which the service-account will be
        placed.
    """
    service_account_object = k8s.V1ServiceAccount(metadata=k8s.V1ObjectMeta(
        namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT))
    k8s.CoreV1Api().create_namespaced_service_account(
        namespace=namespace, body=service_account_object)

    role_object = k8s.V1Role(metadata=k8s.V1ObjectMeta(
        namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT),
                             rules=[
                                 k8s.V1PolicyRule(api_groups=[''],
                                                  resources=['*'],
                                                  verbs=['*']),
                                 k8s.V1PolicyRule(api_groups=['apps', 'batch'],
                                                  resources=['*'],
                                                  verbs=['*'])
                             ])
    k8s.RbacAuthorizationV1Api().create_namespaced_role(namespace=namespace,
                                                        body=role_object)

    role_binding_object = k8s.V1RoleBinding(
        metadata=k8s.V1ObjectMeta(namespace=namespace,
                                  name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT),
        role_ref=k8s.V1RoleRef(kind='Role',
                               name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
                               api_group='rbac.authorization.k8s.io'),
        subjects=[
            k8s.V1Subject(kind='ServiceAccount',
                          name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
                          namespace=namespace)
        ])
    k8s.RbacAuthorizationV1Api().create_namespaced_role_binding(
        namespace=namespace, body=role_binding_object)

    if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE):
        cluster_role_object = k8s.V1ClusterRole(
            metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE),
            rules=[
                k8s.V1PolicyRule(api_groups=[''],
                                 resources=['namespaces'],
                                 verbs=['get', 'list']),
                k8s.V1PolicyRule(api_groups=['rbac.authorization.k8s.io'],
                                 resources=['clusterrolebindings'],
                                 verbs=['get', 'list'])
            ])
        k8s.RbacAuthorizationV1Api().create_cluster_role(
            body=cluster_role_object)

    if not cluster_role_binding_exists(
            workflow_cluster_role_binding_name(namespace)):
        cluster_role_binding_object = k8s.V1ClusterRoleBinding(
            metadata=k8s.V1ObjectMeta(
                name=workflow_cluster_role_binding_name(namespace),
                namespace=namespace),
            role_ref=k8s.V1RoleRef(kind='ClusterRole',
                                   name=BODYWORK_WORKFLOW_CLUSTER_ROLE,
                                   api_group='rbac.authorization.k8s.io'),
            subjects=[
                k8s.V1Subject(kind='ServiceAccount',
                              name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
                              namespace=namespace)
            ])
        k8s.RbacAuthorizationV1Api().create_cluster_role_binding(
            body=cluster_role_binding_object)
Example #10
0
def setup_workflow_service_account(namespace: str) -> None:
    """Setup a workflow controller service-account with required roles.

    :param namespace: Namespace in which the service-account will be
        placed.
    """
    service_account_object = k8s.V1ServiceAccount(
        metadata=k8s.V1ObjectMeta(
            namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
        )
    )
    k8s.CoreV1Api().create_namespaced_service_account(
        namespace=namespace, body=service_account_object
    )

    role_object = k8s.V1Role(
        metadata=k8s.V1ObjectMeta(
            namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
        ),
        rules=[
            k8s.V1PolicyRule(api_groups=[""], resources=["*"], verbs=["*"]),
            k8s.V1PolicyRule(
                api_groups=["apps", "batch"], resources=["*"], verbs=["*"]
            ),
            k8s.V1PolicyRule(
                api_groups=["extensions"], resources=["ingresses"], verbs=["*"]
            ),
        ],
    )
    k8s.RbacAuthorizationV1Api().create_namespaced_role(
        namespace=namespace, body=role_object
    )

    role_binding_object = k8s.V1RoleBinding(
        metadata=k8s.V1ObjectMeta(
            namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT
        ),
        role_ref=k8s.V1RoleRef(
            kind="Role",
            name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
            api_group="rbac.authorization.k8s.io",
        ),
        subjects=[
            k8s.V1Subject(
                kind="ServiceAccount",
                name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
                namespace=namespace,
            )
        ],
    )
    k8s.RbacAuthorizationV1Api().create_namespaced_role_binding(
        namespace=namespace, body=role_binding_object
    )

    if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE):
        cluster_role_object = k8s.V1ClusterRole(
            metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE),
            rules=[
                k8s.V1PolicyRule(
                    api_groups=[""], resources=["namespaces"], verbs=["get", "list"]
                ),
                k8s.V1PolicyRule(
                    api_groups=["rbac.authorization.k8s.io"],
                    resources=["clusterrolebindings"],
                    verbs=["get", "list"],
                ),
            ],
        )
        k8s.RbacAuthorizationV1Api().create_cluster_role(body=cluster_role_object)

    if not cluster_role_binding_exists(workflow_cluster_role_binding_name(namespace)):
        cluster_role_binding_object = k8s.V1ClusterRoleBinding(
            metadata=k8s.V1ObjectMeta(
                name=workflow_cluster_role_binding_name(namespace), namespace=namespace
            ),
            role_ref=k8s.V1RoleRef(
                kind="ClusterRole",
                name=BODYWORK_WORKFLOW_CLUSTER_ROLE,
                api_group="rbac.authorization.k8s.io",
            ),
            subjects=[
                k8s.V1Subject(
                    kind="ServiceAccount",
                    name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT,
                    namespace=namespace,
                )
            ],
        )
        k8s.RbacAuthorizationV1Api().create_cluster_role_binding(
            body=cluster_role_binding_object
        )
    def process_admin_rbac(self, username: str) -> None:
        # Let admins read anything
        try:
            _ = self.rbac.create_cluster_role_binding(
                body=client.V1ClusterRoleBinding(
                    api_version="rbac.authorization.k8s.io/v1",
                    kind="ClusterRoleBinding",
                    metadata=client.V1ObjectMeta(
                        name=f"{username}-view-binding"),
                    role_ref=client.V1RoleRef(
                        kind="ClusterRole",
                        name="view",
                        api_group="rbac.authorization.k8s.io",
                    ),
                    subjects=[
                        client.V1Subject(
                            kind="User",
                            name=username,
                            api_group="rbac.authorization.k8s.io",
                        )
                    ],
                ))
        except ApiException as api_ex:
            if api_ex.status == 409 and "AlreadyExists" in api_ex.body:
                logging.info(
                    "ClusterRoleBinding %s-view-binding already exists",
                    username,
                )
                return

            logging.error("Could not create view clusterrolebinding for %s",
                          username)
            raise

        # Also let admins impersonate anything, allowing full sudo access
        try:
            _ = self.rbac.create_cluster_role_binding(
                body=client.V1ClusterRoleBinding(
                    api_version="rbac.authorization.k8s.io/v1",
                    kind="ClusterRoleBinding",
                    metadata=client.V1ObjectMeta(name=f"{username}-binding"),
                    role_ref=client.V1RoleRef(
                        kind="ClusterRole",
                        name="k8s-admin",
                        api_group="rbac.authorization.k8s.io",
                    ),
                    subjects=[
                        client.V1Subject(
                            kind="User",
                            name=username,
                            api_group="rbac.authorization.k8s.io",
                        )
                    ],
                ))
        except ApiException as api_ex:
            if api_ex.status == 409 and "AlreadyExists" in api_ex.body:
                logging.info("ClusterRoleBinding %s-binding already exists",
                             username)
                return

            logging.error("Could not create admin clusterrolebinding for %s",
                          username)
            raise
Example #12
0
def run(namespace,
        tmpVolumeSize,
        outputVolumeSize,
        volumeName,
        storage_class_name=None,
        imagepullsecrets=None,
        ades_namespace=None,
        state=None):
    print(
        f"Preparing {namespace} tmpVolumeSize: {tmpVolumeSize} outputVolumeSize: {outputVolumeSize}  volumeName: {volumeName}"
    )

    apiclient = helpers.get_api_client()
    api_instance = client.RbacAuthorizationV1Api(apiclient)
    v1 = client.CoreV1Api(api_client=apiclient)

    print("####################################")
    print("######### Checking if namespace already exists")
    try:
        v1.read_namespace(namespace, pretty=True)
        print("Namespace already exists")
        return {"status": "success"}
    except ApiException as e:
        if e.status == 404:
            print("Namespace does not exists and will be created")
        else:
            print("Exception when creating namespace: %s\n" % e,
                  file=sys.stderr)
            raise e

    ### Creating namespace
    print("####################################")
    print("######### Creating namespace")
    try:
        body = client.V1Namespace(metadata=client.V1ObjectMeta(name=namespace))
        namespace_json = v1.create_namespace(body=body, async_req=False)
        print(str(namespace_json))
    except ApiException as e:
        print("Exception when creating namespace: %s\n" % e, file=sys.stderr)
        raise e

    #### Creating pod manager role
    print("####################################")
    print("######### Creating pod_manager_role")
    metadata = client.V1ObjectMeta(name='pod-manager-role',
                                   namespace=namespace)
    rule = client.V1PolicyRule(
        api_groups=['*'],
        resources=['pods', 'pods/log'],
        verbs=['create', 'patch', 'delete', 'list', 'watch'])
    rules = []
    rules.append(rule)
    body = client.V1Role(metadata=metadata, rules=rules)
    pretty = True

    try:
        api_response = api_instance.create_namespaced_role(namespace,
                                                           body,
                                                           pretty=pretty)
        pprint(api_response)
    except ApiException as e:
        print("Exception when creating pod-manager-role: %s\n" % e,
              file=sys.stderr)
        raise e

    #### Creating log-reader-role
    print("####################################")
    print("######### Creating log-reader-role")
    metadata = client.V1ObjectMeta(name='log-reader-role', namespace=namespace)
    rule = client.V1PolicyRule(
        api_groups=['*'],
        resources=['pods', 'pods/log'],
        verbs=['create', 'patch', 'delete', 'list', 'watch'])
    # verbs=['get', 'list'])
    rules = []
    rules.append(rule)
    body = client.V1Role(metadata=metadata, rules=rules)
    pretty = True

    try:
        api_response = api_instance.create_namespaced_role(namespace,
                                                           body,
                                                           pretty=pretty)
        pprint(api_response)
    except ApiException as e:
        print("Exception when creating pod-manager-role: %s\n" % e,
              file=sys.stderr)
        raise e

    print("####################################")
    print("######### Creating pod-manager-default-binding")
    metadata = client.V1ObjectMeta(name='pod-manager-default-binding',
                                   namespace=namespace)

    role_ref = client.V1RoleRef(api_group='',
                                kind='Role',
                                name='pod-manager-role')

    subject = client.models.V1Subject(api_group='',
                                      kind='ServiceAccount',
                                      name='default',
                                      namespace=namespace)
    subjects = []
    subjects.append(subject)

    body = client.V1RoleBinding(metadata=metadata,
                                role_ref=role_ref,
                                subjects=subjects)
    pretty = True
    try:
        api_response = api_instance.create_namespaced_role_binding(
            namespace, body, pretty=pretty)
        pprint(api_response)
    except ApiException as e:
        print("Exception when creating pod-manager-default-binding: %s\n" % e,
              file=sys.stderr)
        raise e

    print("####################################")
    print("######### Creating log-reader-default-binding")
    metadata = client.V1ObjectMeta(name='log-reader-default-binding',
                                   namespace=namespace)

    role_ref = client.V1RoleRef(api_group='',
                                kind='Role',
                                name='log-reader-role')

    subject = client.models.V1Subject(api_group='',
                                      kind='ServiceAccount',
                                      name='default',
                                      namespace=namespace)
    subjects = []
    subjects.append(subject)

    body = client.V1RoleBinding(metadata=metadata,
                                role_ref=role_ref,
                                subjects=subjects)
    pretty = True
    try:
        api_response = api_instance.create_namespaced_role_binding(
            namespace, body, pretty=pretty)
        pprint(api_response)
    except ApiException as e:
        print("Exception when creating log-reader-default-binding: %s\n" % e,
              file=sys.stderr)
        raise e

    print("####################################")
    print("######### Creating cluster-role-binding")
    metadata = client.V1ObjectMeta(name=f"{namespace}-rbac",
                                   namespace=namespace)

    role_ref = client.V1RoleRef(api_group='rbac.authorization.k8s.io',
                                kind='ClusterRole',
                                name='cluster-admin')

    subject = client.models.V1Subject(api_group='',
                                      kind='ServiceAccount',
                                      name='default',
                                      namespace=namespace)
    subjects = []
    subjects.append(subject)

    body = client.V1ClusterRoleBinding(metadata=metadata,
                                       role_ref=role_ref,
                                       subjects=subjects)
    pretty = True
    try:
        api_response = api_instance.create_cluster_role_binding(body=body,
                                                                pretty=pretty)
        pprint(api_response)
    except ApiException as e:
        if e.status == 409:
            print(
                f"cluster-role-binding {namespace}-rbac has already been installed"
            )
        else:
            print("Exception when creating cluster-role-binding: %s\n" % e,
                  file=sys.stderr)
            raise e

    print("####################################")
    print("######### Creating Persistent Volume Claims")

    # metadata1 = client.V1ObjectMeta(name=f"{volumeName}-input-data", namespace=namespace)
    # spec1 = client.V1PersistentVolumeClaimSpec(
    #     # must be ReadWriteOnce for EBS
    #     # access_modes=["ReadWriteOnce", "ReadOnlyMany"],
    #     access_modes=["ReadWriteMany"],
    #     resources=client.V1ResourceRequirements(
    #         requests={"storage": inputVolumeSize}
    #     )
    # )
    #
    # if storage_class_name:
    #     spec1.storage_class_name = storage_class_name
    #
    # body1 = client.V1PersistentVolumeClaim(metadata=metadata1, spec=spec1)

    metadata2 = client.V1ObjectMeta(name=f"{volumeName}-tmpout",
                                    namespace=namespace)
    spec2 = client.V1PersistentVolumeClaimSpec(
        access_modes=["ReadWriteMany"],
        resources=client.V1ResourceRequirements(
            requests={"storage": tmpVolumeSize}))
    if storage_class_name:
        spec2.storage_class_name = storage_class_name

    body2 = client.V1PersistentVolumeClaim(metadata=metadata2, spec=spec2)

    metadata3 = client.V1ObjectMeta(name=f"{volumeName}-output-data",
                                    namespace=namespace)
    spec3 = client.V1PersistentVolumeClaimSpec(
        access_modes=["ReadWriteMany"],
        resources=client.V1ResourceRequirements(
            requests={"storage": outputVolumeSize}))
    if storage_class_name:
        spec3.storage_class_name = storage_class_name

    body3 = client.V1PersistentVolumeClaim(metadata=metadata3, spec=spec3)

    pretty = True
    try:
        #    api_response1 = v1.create_namespaced_persistent_volume_claim(namespace, body1, pretty=pretty)
        api_response2 = v1.create_namespaced_persistent_volume_claim(
            namespace, body2, pretty=pretty)
        api_response3 = v1.create_namespaced_persistent_volume_claim(
            namespace, body3, pretty=pretty)
        #    pprint(api_response1)
        pprint(api_response2)
        pprint(api_response3)
    except ApiException as e:
        print("Exception when creating persistent_volume_claim: %s\n" % e,
              file=sys.stderr)
        raise e

    # we copy the secret from ades namespace to the new job namespace
    if imagepullsecrets is not None and ades_namespace is not None:
        for imagepullsecret in imagepullsecrets:
            # Create an instance of the API class
            secretname = imagepullsecret["name"]
            pretty = True  # str | If 'true', then the output is pretty printed. (optional)
            exact = False  # bool | Should the export be exact.  Exact export maintains cluster-specific fields like 'Namespace'. Deprecated. Planned for removal in 1.18. (optional)
            export = True  # bool | Should this value be exported.  Export strips fields that a user can not specify. Deprecated. Planned for removal in 1.18. (optional)

            secret_export = None
            try:
                secret_export = v1.read_namespaced_secret(secretname,
                                                          ades_namespace,
                                                          pretty=pretty,
                                                          exact=exact,
                                                          export=export)
            except ApiException as e:
                print(
                    "Exception when retrieving image pull secret from eoepca: %s\n"
                    % e)

            time.sleep(5)
            try:
                api_response = v1.create_namespaced_secret(namespace,
                                                           secret_export,
                                                           pretty=pretty)
            except ApiException as e:
                print("Exception when creating image pull secret: %s\n" % e)

            time.sleep(5)

            name = 'default'
            try:
                service_account_body = v1.read_namespaced_service_account(
                    name, namespace, pretty=True)
                pprint(service_account_body)
                time.sleep(5)

                if service_account_body.secrets is None:
                    service_account_body.secrets = []

                if service_account_body.image_pull_secrets is None:
                    service_account_body.image_pull_secrets = []

                service_account_body.secrets.append({"name": secretname})
                service_account_body.image_pull_secrets.append(
                    {"name": secretname})

                api_response = v1.patch_namespaced_service_account(
                    name, namespace, service_account_body, pretty=True)
                pprint(api_response)
            except ApiException as e:
                print(
                    "Exception when calling CoreV1Api->patch_namespaced_service_account: %s\n"
                    % e)

    return {"status": "success"}