def create_role_binding(api: client.RbacAuthorizationV1Api,
                        configmap: Resource, cro_spec: ResourceChunk, ns: str,
                        name_suffix: str, logger: logging.Logger):
    """Create the experiment's RoleBinding in *ns* from the ConfigMap template.

    When the spec already names a binding under ``role.bind`` nothing is
    created and ``None`` is returned. Otherwise the
    ``chaostoolkit-role-binding.yaml`` entry of *configmap* is parsed with
    ``yaml.safe_load``, the binding name, the first subject's name and the
    ``roleRef`` name are each suffixed with ``-<name_suffix>``, the namespace
    is applied with ``set_ns`` and the binding is submitted through *api*.

    Args:
        api: RBAC client providing ``create_namespaced_role_binding``.
        configmap: ConfigMap resource whose ``data`` holds the template.
        cro_spec: Spec of the custom resource being reconciled.
        ns: Namespace the binding is created in.
        name_suffix: Suffix appended to every name taken from the template.
        logger: Logger receiving the "already exists" notice.

    Returns:
        The created binding body, or ``None`` when ``role.bind`` is set or the
        API answered HTTP 409 (binding already present).

    Raises:
        kopf.PermanentError: for any other ``ApiException`` from the API.
    """
    if cro_spec.get("role", {}).get("bind"):
        # A user-supplied binding is in use; nothing to create here.
        return None

    tpl = yaml.safe_load(configmap.data['chaostoolkit-role-binding.yaml'])

    # Suffix the names carried by the template so several experiments can
    # coexist: binding, service-account subject and the referenced role.
    # NOTE(review): only subjects[0] is rewritten; a template with an empty
    # subjects list raises IndexError here.
    role_binding_name = f"{tpl['metadata']['name']}-{name_suffix}"
    tpl["metadata"]["name"] = role_binding_name
    subject = tpl["subjects"][0]
    subject["name"] = f"{subject['name']}-{name_suffix}"
    role_ref = tpl["roleRef"]
    role_ref["name"] = f"{role_ref['name']}-{name_suffix}"

    set_ns(tpl, ns)
    try:
        api.create_namespaced_role_binding(body=tpl, namespace=ns)
    except ApiException as e:
        if e.status != 409:
            raise kopf.PermanentError(f"Failed to bind to role: {str(e)}")
        # NOTE(review): a 409 is taken to mean the binding is already the one
        # intended; the existing object's subject/roleRef are not compared
        # with the template, so a same-named binding created elsewhere is
        # accepted as-is.
        logger.info(f"Role binding '{role_binding_name}' already exists.")
        return None
    return tpl
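def create_role_binding(api: client.RbacAuthorizationV1Api,
                        configmap: Resource, cro_spec: ResourceChunk, ns: str,
                        name_suffix: str):
    """Create the experiment's RoleBinding in *ns* and in any extra namespaces.

    When the spec already names a binding under ``role.bind`` nothing is
    created and ``None`` is returned. Otherwise the
    ``chaostoolkit-role-binding.yaml`` entry of *configmap* is parsed with
    ``yaml.safe_load``; the binding name, the first subject's name and the
    ``roleRef`` name are suffixed with ``-<name_suffix>`` and the subject's
    namespace is set to *ns*. The binding is then created once per namespace
    listed in ``spec.clusterRoleBindNamespaces`` and finally in *ns*.

    Args:
        api: RBAC client providing ``create_namespaced_role_binding``.
        configmap: ConfigMap resource whose ``data`` holds the template.
        cro_spec: Spec of the custom resource being reconciled.
        ns: Namespace of the subject and of the primary binding.
        name_suffix: Suffix appended to every name taken from the template.

    Returns:
        The binding body as created in *ns*, or ``None`` when ``role.bind`` is
        set or the primary creation answered HTTP 409.

    Raises:
        kopf.PermanentError: for any ``ApiException`` other than 409.
    """
    logger = logging.getLogger('kopf.objects')
    role_bind_name = cro_spec.get("role", {}).get("bind")
    cluster_role_bind_namespaces = cro_spec.get("clusterRoleBindNamespaces",
                                                [])
    if role_bind_name:
        # A user-supplied binding is in use; nothing to create here.
        return None

    tpl = yaml.safe_load(configmap.data['chaostoolkit-role-binding.yaml'])

    # Suffix the names carried by the template so several experiments can
    # coexist: binding, service-account subject and the referenced role.
    # NOTE(review): only subjects[0] is rewritten; a template with an empty
    # subjects list raises IndexError here.
    role_binding_name = f"{tpl['metadata']['name']}-{name_suffix}"
    tpl["metadata"]["name"] = role_binding_name
    subject = tpl["subjects"][0]
    subject["name"] = f"{subject['name']}-{name_suffix}"
    # The subject always lives in `ns`, even for bindings created in the
    # extra namespaces below.
    subject["namespace"] = ns
    tpl["roleRef"]["name"] = f"{tpl['roleRef']['name']}-{name_suffix}"

    logger.debug(f"Creating role binding with template:\n{tpl}")

    # One binding per extra namespace, reusing the same body; set_ns is
    # presumably what moves metadata.namespace — confirm in its definition.
    # NOTE(review): each entry extends the `ns` service account's reach into
    # that namespace, so the spec list should be kept as short as possible.
    for namespace in cluster_role_bind_namespaces:
        set_ns(tpl, namespace)
        try:
            api.create_namespaced_role_binding(body=tpl, namespace=namespace)
        except ApiException as e:
            if e.status != 409:
                raise kopf.PermanentError(
                    f"Failed to bind to role: {str(e)}")
            # Single-line literal: the original backslash-continued f-string
            # embedded the next line's indentation inside the log message.
            logger.info(f"Role binding '{role_binding_name}' "
                        f"already exists in {namespace}.")

    set_ns(tpl, ns)
    try:
        api.create_namespaced_role_binding(body=tpl, namespace=ns)
    except ApiException as e:
        if e.status != 409:
            raise kopf.PermanentError(f"Failed to bind to role: {str(e)}")
        # NOTE(review): a 409 is taken to mean the binding is already the one
        # intended; the existing object's subject/roleRef are not compared
        # with the template, so a same-named binding created elsewhere is
        # accepted as-is.
        logger.info(f"Role binding '{role_binding_name}' already exists.")
        return None
    return tpl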