def create_role_binding(self, api_instance, namespace, sa_name): role_name = hashlib.sha1( str.encode(sa_name)).hexdigest()[:8] # $ID-role trigger bug! HaHa binding_name = "{}-binding".format(role_name) body = client.V1Role(api_version='rbac.authorization.k8s.io/v1', kind='Role', metadata=client.V1ObjectMeta(name=role_name, namespace=namespace), rules=[ client.V1PolicyRule(api_groups=['*'], resources=['*'], verbs=['*']) ]) api_instance.create_namespaced_role(namespace=namespace, body=body) role_binding = client.V1RoleBinding( metadata=client.V1ObjectMeta(namespace=namespace, name=binding_name), subjects=[ client.V1Subject(name=sa_name, kind="ServiceAccount", api_group="") ], role_ref=client.V1RoleRef(kind="Role", api_group="rbac.authorization.k8s.io", name=role_name)) api_instance.create_namespaced_role_binding(namespace=namespace, body=role_binding)
def _create_namespaced_account_objects(self): namespace = self.get_user_namespace() account = self.service_account if not account: self.log.info("No service account defined.") return (None, None, None) md = client.V1ObjectMeta(name=account) svcacct = client.V1ServiceAccount(metadata=md) rules = [ client.V1PolicyRule( api_groups=[""], resources=["pods", "services"], verbs=["get", "list", "watch", "create", "delete"]), client.V1PolicyRule(api_groups=[""], resources=["pods/log"], verbs=["get", "list"]), ] role = client.V1Role(rules=rules, metadata=md) rolebinding = client.V1RoleBinding( metadata=md, role_ref=client.V1RoleRef(api_group="rbac.authorization.k8s.io", kind="Role", name=account), subjects=[ client.V1Subject(kind="ServiceAccount", name=account, namespace=namespace) ]) return svcacct, role, rolebinding
def create_namespaced_role_with_api(name, namespace, labels, resources, verbs, api_groups=['']): """Create namespaced role.""" # Using API because of bug https://bugs.launchpad.net/juju/+bug/1896076 logging.info('Creating namespaced role with K8s API') _load_kube_config() body = client.V1Role(metadata=client.V1ObjectMeta(name=name, namespace=namespace, labels=labels), rules=[ client.V1PolicyRule( api_groups=api_groups, resources=resources, verbs=verbs, ) ]) with client.ApiClient() as api_client: api_instance = client.RbacAuthorizationV1Api(api_client) try: api_instance.create_namespaced_role(namespace, body, pretty=True) except ApiException as err: logging.exception("Exception when calling RbacAuthorizationV1Api" "->create_namespaced_role.") if err.status != 409: # Hook error except for 409 (AlreadyExists) errors sys.exit(1)
def create_namespaced_role_with_api(name, namespace, labels, resources, verbs, api_groups=['']): # Using API because of bug https://github.com/canonical/operator/issues/390 logging.info('Creating namespaced role with K8s API') _load_kube_config() with client.ApiClient() as api_client: api_instance = client.RbacAuthorizationV1Api(api_client) body = client.V1Role(metadata=client.V1ObjectMeta(name=name, namespace=namespace, labels=labels), rules=[ client.V1PolicyRule( api_groups=api_groups, resources=resources, verbs=verbs, ) ]) try: api_instance.create_namespaced_role(namespace, body, pretty=True) return True except ApiException as err: logging.exception( "Exception when calling RbacAuthorizationV1Api->create_namespaced_role." ) if err.status != 409: # ignoring 409 (AlreadyExists) errors return False else: return True
def __createRole(self): """Creates namespace role for ssh tunneling service. """ # TODO: create this dynamically according to user who is using the tool # generate metadata rules = [ client.V1PolicyRule(api_groups=['policy'], resources=['podsecuritypolicies'], verbs=['use'], resource_names=['gce.privileged']) ] body = client.V1Role(metadata=client.V1ObjectMeta( name=self.serviceName, namespace=self.namespace), rules=rules) # create roles try: self.rbac_instance.create_namespaced_role(namespace=self.namespace, body=body) except ApiException as e: if e.status == 409: pass else: logging.error(e) raise
def create_namespaced_role_with_api(name, namespace, labels, resources, verbs, api_groups=['']): """Create namespaced role.""" # Using API because of bug https://bugs.launchpad.net/juju/+bug/1896076 logging.info('Creating namespaced role with K8s API') _load_kube_config() body = client.V1Role(metadata=client.V1ObjectMeta(name=name, namespace=namespace, labels=labels), rules=[ client.V1PolicyRule( api_groups=api_groups, resources=resources, verbs=verbs, ) ]) with client.ApiClient() as api_client: api_instance = client.RbacAuthorizationV1Api(api_client) try: api_instance.create_namespaced_role(namespace, body, pretty=True) except ApiException as err: if err.status == 409: # ignore "already exists" errors so that we can recover from # partially failed setups return else: raise
def create_k8s_role(self): """Create k8s role for temporary user.""" rules = [ client.V1PolicyRule( [""], resources=["*"], verbs=["*"], ), client.V1PolicyRule( ["extensions"], resources=["*"], verbs=["*"], ), client.V1PolicyRule( ["apps"], resources=["*"], verbs=["*"], ), client.V1PolicyRule( ["monitoring.coreos.com"], resources=["*"], verbs=["*"], ), client.V1PolicyRule( ["batch"], resources=["*"], verbs=["*"], ) ] role = client.V1Role(rules=rules) role_name = self.generate_rolename() label_selector = self.label_selector.split('=') role.metadata = client.V1ObjectMeta( namespace=self.namespace, name=role_name, labels={label_selector[0]: label_selector[1]}, annotations={ self.expire_annotation: str(int(self.now + self.DAY_AND_NIGHT)) }) self.rbac_api = client.RbacAuthorizationV1Api() try: self.rbac_api.create_namespaced_role(self.namespace, role, pretty='true') except ApiException as e: print( "Exception when calling RbacAuthorizationV1Api->create_namespaced_role: %s\n" % e) return role_name
def create_role(name, id_token): api_version = 'rbac.authorization.k8s.io/v1' meta = k8s_client.V1ObjectMeta(name=name, namespace=name) service_rules = k8s_client.V1PolicyRule( api_groups=[""], resources=["services"], verbs=["create", "list", "get", "delete"]) quotas_rules = k8s_client.V1PolicyRule( api_groups=[""], resources=["resourcequotas"], verbs=["create", "list", "get", "delete"]) ingress_rules = k8s_client.V1PolicyRule( api_groups=[""], resources=["ingresses"], verbs=["create", "list", "get", "delete"]) deployment_rules = k8s_client.V1PolicyRule( api_groups=[""], resources=["deployments"], verbs=["create", "list", "get", "delete"]) server_rules = k8s_client.V1PolicyRule( api_groups=["ai.intel.com"], resources=["inference-endpoints"], verbs=["create", "get", "delete", "patch"]) namespace_rules = k8s_client.V1PolicyRule(api_groups=[""], resources=["namespaces"], verbs=["get", "list", "watch"]) ns_status_rules = k8s_client.V1PolicyRule(api_groups=[""], resources=["namespaces/status"], verbs=["get", "list", "watch"]) list_pods_rule = k8s_client.V1PolicyRule(api_groups=[""], resources=["pods"], verbs=["list"]) deployment_apps_rule = k8s_client.V1PolicyRule( api_groups=["apps"], resources=["deployments", "deployments/status"], verbs=["list", "get"]) role = k8s_client.V1Role(api_version=api_version, metadata=meta, rules=[ service_rules, ingress_rules, deployment_rules, server_rules, namespace_rules, ns_status_rules, quotas_rules, list_pods_rule, deployment_apps_rule ]) rbac_api_instance = get_k8s_rbac_api_client(id_token) try: response = rbac_api_instance.create_namespaced_role(name, role) except ApiException as apiException: raise KubernetesCreateException('role', apiException) logger.info("Role {} created".format(name)) return response
def setup_job_and_deployment_service_accounts(namespace: str) -> None: """Setup a jobs-and-deployments service-account with required roles. :param namespace: Namespace in which the service-account will be placed. """ service_account_object = k8s.V1ServiceAccount( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT ) ) k8s.CoreV1Api().create_namespaced_service_account( namespace=namespace, body=service_account_object ) role_object = k8s.V1Role( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT ), rules=[ k8s.V1PolicyRule( api_groups=[""], resources=["secrets", "configmaps"], verbs=["get", "list"], ) ], ) k8s.RbacAuthorizationV1Api().create_namespaced_role( namespace=namespace, body=role_object ) role_binding_object = k8s.V1RoleBinding( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT ), role_ref=k8s.V1RoleRef( kind="Role", name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT, api_group="rbac.authorization.k8s.io", ), subjects=[ k8s.V1Subject( kind="ServiceAccount", name=BODYWORK_JOBS_DEPLOYMENTS_SERVICE_ACCOUNT, namespace=namespace, ) ], ) k8s.RbacAuthorizationV1Api().create_namespaced_role_binding( namespace=namespace, body=role_binding_object )
def setup_workflow_service_account(namespace: str) -> None: """Setup a workflow controller service-account with required roles. :param namespace: Namespace in which the service-account will be placed. """ service_account_object = k8s.V1ServiceAccount( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT ) ) k8s.CoreV1Api().create_namespaced_service_account( namespace=namespace, body=service_account_object ) role_object = k8s.V1Role( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT ), rules=[ k8s.V1PolicyRule(api_groups=[""], resources=["*"], verbs=["*"]), k8s.V1PolicyRule( api_groups=["apps", "batch"], resources=["*"], verbs=["*"] ), k8s.V1PolicyRule( api_groups=["extensions"], resources=["ingresses"], verbs=["*"] ), ], ) k8s.RbacAuthorizationV1Api().create_namespaced_role( namespace=namespace, body=role_object ) role_binding_object = k8s.V1RoleBinding( metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT ), role_ref=k8s.V1RoleRef( kind="Role", name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, api_group="rbac.authorization.k8s.io", ), subjects=[ k8s.V1Subject( kind="ServiceAccount", name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, namespace=namespace, ) ], ) k8s.RbacAuthorizationV1Api().create_namespaced_role_binding( namespace=namespace, body=role_binding_object ) if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE): cluster_role_object = k8s.V1ClusterRole( metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE), rules=[ k8s.V1PolicyRule( api_groups=[""], resources=["namespaces"], verbs=["get", "list"] ), k8s.V1PolicyRule( api_groups=["rbac.authorization.k8s.io"], resources=["clusterrolebindings"], verbs=["get", "list"], ), ], ) k8s.RbacAuthorizationV1Api().create_cluster_role(body=cluster_role_object) if not cluster_role_binding_exists(workflow_cluster_role_binding_name(namespace)): cluster_role_binding_object = k8s.V1ClusterRoleBinding( metadata=k8s.V1ObjectMeta( name=workflow_cluster_role_binding_name(namespace), namespace=namespace ), role_ref=k8s.V1RoleRef( kind="ClusterRole", name=BODYWORK_WORKFLOW_CLUSTER_ROLE, api_group="rbac.authorization.k8s.io", ), subjects=[ k8s.V1Subject( kind="ServiceAccount", name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, namespace=namespace, ) ], ) k8s.RbacAuthorizationV1Api().create_cluster_role_binding( body=cluster_role_binding_object )
def def_namespaced_account_objects(self): """Define K8s objects for things we need in the namespace.""" with start_action(action_type="define_namespaced_account_objects"): namespace = self.namespace username = self.parent.user.escaped_name cfg = self.parent.config psnm = cfg.pull_secret_name pull_secret = get_pull_secret(pull_secret_name=psnm, api=self.parent.api, log=self.log) pull_secret_ref = get_pull_secret_reflist(pull_secret_name=psnm) account = "{}-svcacct".format(username) self.service_account = account acd = "argocd.argoproj.io/" md = client.V1ObjectMeta( name=account, labels={acd + "instance": "nublado-users"}, annotations={ acd + "compare-options": "IgnoreExtraneous", acd + "sync-options": "Prune=false", }, ) svcacct = client.V1ServiceAccount( metadata=md, image_pull_secrets=pull_secret_ref) # These rules let us manipulate Dask pods, Argo Workflows, and # Multus CNI interfaces rules = [ client.V1PolicyRule( api_groups=["argoproj.io"], resources=["workflows", "workflows/finalizers"], verbs=[ "get", "list", "watch", "update", "patch", "create", "delete", ], ), client.V1PolicyRule( api_groups=["argoproj.io"], resources=[ "workflowtemplates", "workflowtemplates/finalizers", ], verbs=["get", "list", "watch"], ), client.V1PolicyRule(api_groups=[""], resources=["secrets"], verbs=["get"]), client.V1PolicyRule( api_groups=[""], resources=["pods", "pods/exec", "services", "configmaps"], verbs=[ "get", "list", "watch", "create", "delete", "update", "patch", ], ), client.V1PolicyRule( api_groups=[""], resources=["pods/log", "serviceaccounts"], verbs=["get", "list", "watch"], ), ] role = client.V1Role(rules=rules, metadata=md) rbstr = "rbac.authorization.k8s.io" rolebinding = client.V1RoleBinding( metadata=md, role_ref=client.V1RoleRef(api_group=rbstr, kind="Role", name=account), subjects=[ client.V1Subject( kind="ServiceAccount", name=account, namespace=namespace, ) ], ) return pull_secret, svcacct, role, rolebinding
def def_namespaced_account_objects(self): '''Define K8s objects for things we need in the namespace. ''' with start_action(action_type="define_namespaced_account_objects"): namespace = self.namespace username = self.parent.user.escaped_name account = "{}-svcacct".format(username) self.service_account = account acd = 'argocd.argoproj.io/' md = client.V1ObjectMeta( name=account, labels={acd + 'instance': 'nublado-users'}, annotations={ acd + 'compare-options': 'IgnoreExtraneous', acd + 'sync-options': 'Prune=false', }) svcacct = client.V1ServiceAccount(metadata=md) # These rules let us manipulate Dask pods, Argo Workflows, and # Multus CNI interfaces rules = [ client.V1PolicyRule( api_groups=["argoproj.io"], resources=["workflows", "workflows/finalizers"], verbs=[ "get", "list", "watch", "update", "patch", "create", "delete" ]), client.V1PolicyRule( api_groups=["argoproj.io"], resources=[ "workflowtemplates", "workflowtemplates/finalizers" ], verbs=["get", "list", "watch"], ), client.V1PolicyRule(api_groups=[""], resources=["secrets"], verbs=["get"]), client.V1PolicyRule( api_groups=[""], resources=["pods", "pods/exec", "services", "configmaps"], verbs=[ "get", "list", "watch", "create", "delete", "update", "patch" ]), client.V1PolicyRule(api_groups=[""], resources=["pods/log", "serviceaccounts"], verbs=["get", "list", "watch"]), ] role = client.V1Role(rules=rules, metadata=md) rbstr = 'rbac.authorization.k8s.io' rolebinding = client.V1RoleBinding( metadata=md, role_ref=client.V1RoleRef(api_group=rbstr, kind="Role", name=account), subjects=[ client.V1Subject(kind="ServiceAccount", name=account, namespace=namespace) ]) return svcacct, role, rolebinding
import kubernetes.client as k8c def get_sa_name(username): return "u-{}".format(username) def get_rb_name(role_name, sa_name): return "{}~{}".format(role_name, sa_name) # role = namedtuple("role", ["name", "rule"]) # NS_BASE_ROLE_NAME = "r-base" # NS_BASE_ROLE = role(name="r-base", rule="") # meta = k8c.V1ObjectMeta(name="r-base") # rule = [ # k8c.V1PolicyRule(api_groups=["*"], resources=["*"], verbs=["*"]), # ] NS_BASE_ROLE = k8c.V1Role( api_version="rbac.authorization.k8s.io/v1", kind="Role", metadata=k8c.V1ObjectMeta(name="r-base"), rules=[ k8c.V1PolicyRule(api_groups=["*"], resources=["*"], verbs=["*"]), ], )
def run(namespace, tmpVolumeSize, outputVolumeSize, volumeName, storage_class_name=None, imagepullsecrets=None, ades_namespace=None, state=None): print( f"Preparing {namespace} tmpVolumeSize: {tmpVolumeSize} outputVolumeSize: {outputVolumeSize} volumeName: {volumeName}" ) apiclient = helpers.get_api_client() api_instance = client.RbacAuthorizationV1Api(apiclient) v1 = client.CoreV1Api(api_client=apiclient) print("####################################") print("######### Checking if namespace already exists") try: v1.read_namespace(namespace, pretty=True) print("Namespace already exists") return {"status": "success"} except ApiException as e: if e.status == 404: print("Namespace does not exists and will be created") else: print("Exception when creating namespace: %s\n" % e, file=sys.stderr) raise e ### Creating namespace print("####################################") print("######### Creating namespace") try: body = client.V1Namespace(metadata=client.V1ObjectMeta(name=namespace)) namespace_json = v1.create_namespace(body=body, async_req=False) print(str(namespace_json)) except ApiException as e: print("Exception when creating namespace: %s\n" % e, file=sys.stderr) raise e #### Creating pod manager role print("####################################") print("######### Creating pod_manager_role") metadata = client.V1ObjectMeta(name='pod-manager-role', namespace=namespace) rule = client.V1PolicyRule( api_groups=['*'], resources=['pods', 'pods/log'], verbs=['create', 'patch', 'delete', 'list', 'watch']) rules = [] rules.append(rule) body = client.V1Role(metadata=metadata, rules=rules) pretty = True try: api_response = api_instance.create_namespaced_role(namespace, body, pretty=pretty) pprint(api_response) except ApiException as e: print("Exception when creating pod-manager-role: %s\n" % e, file=sys.stderr) raise e #### Creating log-reader-role print("####################################") print("######### Creating log-reader-role") metadata = client.V1ObjectMeta(name='log-reader-role', namespace=namespace) rule = client.V1PolicyRule( api_groups=['*'], resources=['pods', 'pods/log'], verbs=['create', 'patch', 'delete', 'list', 'watch']) # verbs=['get', 'list']) rules = [] rules.append(rule) body = client.V1Role(metadata=metadata, rules=rules) pretty = True try: api_response = api_instance.create_namespaced_role(namespace, body, pretty=pretty) pprint(api_response) except ApiException as e: print("Exception when creating pod-manager-role: %s\n" % e, file=sys.stderr) raise e print("####################################") print("######### Creating pod-manager-default-binding") metadata = client.V1ObjectMeta(name='pod-manager-default-binding', namespace=namespace) role_ref = client.V1RoleRef(api_group='', kind='Role', name='pod-manager-role') subject = client.models.V1Subject(api_group='', kind='ServiceAccount', name='default', namespace=namespace) subjects = [] subjects.append(subject) body = client.V1RoleBinding(metadata=metadata, role_ref=role_ref, subjects=subjects) pretty = True try: api_response = api_instance.create_namespaced_role_binding( namespace, body, pretty=pretty) pprint(api_response) except ApiException as e: print("Exception when creating pod-manager-default-binding: %s\n" % e, file=sys.stderr) raise e print("####################################") print("######### Creating log-reader-default-binding") metadata = client.V1ObjectMeta(name='log-reader-default-binding', namespace=namespace) role_ref = client.V1RoleRef(api_group='', kind='Role', name='log-reader-role') subject = client.models.V1Subject(api_group='', kind='ServiceAccount', name='default', namespace=namespace) subjects = [] subjects.append(subject) body = client.V1RoleBinding(metadata=metadata, role_ref=role_ref, subjects=subjects) pretty = True try: api_response = api_instance.create_namespaced_role_binding( namespace, body, pretty=pretty) pprint(api_response) except ApiException as e: print("Exception when creating log-reader-default-binding: %s\n" % e, file=sys.stderr) raise e print("####################################") print("######### Creating cluster-role-binding") metadata = client.V1ObjectMeta(name=f"{namespace}-rbac", namespace=namespace) role_ref = client.V1RoleRef(api_group='rbac.authorization.k8s.io', kind='ClusterRole', name='cluster-admin') subject = client.models.V1Subject(api_group='', kind='ServiceAccount', name='default', namespace=namespace) subjects = [] subjects.append(subject) body = client.V1ClusterRoleBinding(metadata=metadata, role_ref=role_ref, subjects=subjects) pretty = True try: api_response = api_instance.create_cluster_role_binding(body=body, pretty=pretty) pprint(api_response) except ApiException as e: if e.status == 409: print( f"cluster-role-binding {namespace}-rbac has already been installed" ) else: print("Exception when creating cluster-role-binding: %s\n" % e, file=sys.stderr) raise e print("####################################") print("######### Creating Persistent Volume Claims") # metadata1 = client.V1ObjectMeta(name=f"{volumeName}-input-data", namespace=namespace) # spec1 = client.V1PersistentVolumeClaimSpec( # # must be ReadWriteOnce for EBS # # access_modes=["ReadWriteOnce", "ReadOnlyMany"], # access_modes=["ReadWriteMany"], # resources=client.V1ResourceRequirements( # requests={"storage": inputVolumeSize} # ) # ) # # if storage_class_name: # spec1.storage_class_name = storage_class_name # # body1 = client.V1PersistentVolumeClaim(metadata=metadata1, spec=spec1) metadata2 = client.V1ObjectMeta(name=f"{volumeName}-tmpout", namespace=namespace) spec2 = client.V1PersistentVolumeClaimSpec( access_modes=["ReadWriteMany"], resources=client.V1ResourceRequirements( requests={"storage": tmpVolumeSize})) if storage_class_name: spec2.storage_class_name = storage_class_name body2 = client.V1PersistentVolumeClaim(metadata=metadata2, spec=spec2) metadata3 = client.V1ObjectMeta(name=f"{volumeName}-output-data", namespace=namespace) spec3 = client.V1PersistentVolumeClaimSpec( access_modes=["ReadWriteMany"], resources=client.V1ResourceRequirements( requests={"storage": outputVolumeSize})) if storage_class_name: spec3.storage_class_name = storage_class_name body3 = client.V1PersistentVolumeClaim(metadata=metadata3, spec=spec3) pretty = True try: # api_response1 = v1.create_namespaced_persistent_volume_claim(namespace, body1, pretty=pretty) api_response2 = v1.create_namespaced_persistent_volume_claim( namespace, body2, pretty=pretty) api_response3 = v1.create_namespaced_persistent_volume_claim( namespace, body3, pretty=pretty) # pprint(api_response1) pprint(api_response2) pprint(api_response3) except ApiException as e: print("Exception when creating persistent_volume_claim: %s\n" % e, file=sys.stderr) raise e # we copy the secret from ades namespace to the new job namespace if imagepullsecrets is not None and ades_namespace is not None: for imagepullsecret in imagepullsecrets: # Create an instance of the API class secretname = imagepullsecret["name"] pretty = True # str | If 'true', then the output is pretty printed. (optional) exact = False # bool | Should the export be exact. Exact export maintains cluster-specific fields like 'Namespace'. Deprecated. Planned for removal in 1.18. (optional) export = True # bool | Should this value be exported. Export strips fields that a user can not specify. Deprecated. Planned for removal in 1.18. (optional) secret_export = None try: secret_export = v1.read_namespaced_secret(secretname, ades_namespace, pretty=pretty, exact=exact, export=export) except ApiException as e: print( "Exception when retrieving image pull secret from eoepca: %s\n" % e) time.sleep(5) try: api_response = v1.create_namespaced_secret(namespace, secret_export, pretty=pretty) except ApiException as e: print("Exception when creating image pull secret: %s\n" % e) time.sleep(5) name = 'default' try: service_account_body = v1.read_namespaced_service_account( name, namespace, pretty=True) pprint(service_account_body) time.sleep(5) if service_account_body.secrets is None: service_account_body.secrets = [] if service_account_body.image_pull_secrets is None: service_account_body.image_pull_secrets = [] service_account_body.secrets.append({"name": secretname}) service_account_body.image_pull_secrets.append( {"name": secretname}) api_response = v1.patch_namespaced_service_account( name, namespace, service_account_body, pretty=True) pprint(api_response) except ApiException as e: print( "Exception when calling CoreV1Api->patch_namespaced_service_account: %s\n" % e) return {"status": "success"}
def setup_workflow_service_account(namespace: str) -> None: """Setup a workflow controller service-account with required roles. :param namespace: Namespace in which the service-account will be placed. """ service_account_object = k8s.V1ServiceAccount(metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT)) k8s.CoreV1Api().create_namespaced_service_account( namespace=namespace, body=service_account_object) role_object = k8s.V1Role(metadata=k8s.V1ObjectMeta( namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT), rules=[ k8s.V1PolicyRule(api_groups=[''], resources=['*'], verbs=['*']), k8s.V1PolicyRule(api_groups=['apps', 'batch'], resources=['*'], verbs=['*']) ]) k8s.RbacAuthorizationV1Api().create_namespaced_role(namespace=namespace, body=role_object) role_binding_object = k8s.V1RoleBinding( metadata=k8s.V1ObjectMeta(namespace=namespace, name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT), role_ref=k8s.V1RoleRef(kind='Role', name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, api_group='rbac.authorization.k8s.io'), subjects=[ k8s.V1Subject(kind='ServiceAccount', name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, namespace=namespace) ]) k8s.RbacAuthorizationV1Api().create_namespaced_role_binding( namespace=namespace, body=role_binding_object) if not cluster_role_exists(BODYWORK_WORKFLOW_CLUSTER_ROLE): cluster_role_object = k8s.V1ClusterRole( metadata=k8s.V1ObjectMeta(name=BODYWORK_WORKFLOW_CLUSTER_ROLE), rules=[ k8s.V1PolicyRule(api_groups=[''], resources=['namespaces'], verbs=['get', 'list']), k8s.V1PolicyRule(api_groups=['rbac.authorization.k8s.io'], resources=['clusterrolebindings'], verbs=['get', 'list']) ]) k8s.RbacAuthorizationV1Api().create_cluster_role( body=cluster_role_object) if not cluster_role_binding_exists( workflow_cluster_role_binding_name(namespace)): cluster_role_binding_object = k8s.V1ClusterRoleBinding( metadata=k8s.V1ObjectMeta( name=workflow_cluster_role_binding_name(namespace), namespace=namespace), role_ref=k8s.V1RoleRef(kind='ClusterRole', name=BODYWORK_WORKFLOW_CLUSTER_ROLE, api_group='rbac.authorization.k8s.io'), subjects=[ k8s.V1Subject(kind='ServiceAccount', name=BODYWORK_WORKFLOW_SERVICE_ACCOUNT, namespace=namespace) ]) k8s.RbacAuthorizationV1Api().create_cluster_role_binding( body=cluster_role_binding_object)
from kubernetes import client, config from kubernetes.client.rest import ApiException from pprint import pprint config.load_kube_config() metadata = client.V1ObjectMeta(name='developer', namespace='spark') rule = client.V1PolicyRule(api_groups=['*'], resources=['*'], verbs=['get']) rules = [] rules.append(rule) body = client.V1Role(metadata=metadata, rules=rules) api_instance = client.RbacAuthorizationV1Api() try: api_response = api_instance.create_namespaced_role('spark', body) pprint(api_response) except ApiException as e: print("Exception when calling RbacAuthorizationV1Api->create_namespaced_role: %s\n" % e)
# Update Quota resource_quota.spec.hard['cpu'] = 20 # replace_namespaced_resource_quota(name, namespace, body) ret = v1.replace_namespaced_resource_quota("user-quota", namespace, resource_quota) get_quota = v1.read_namespaced_resource_quota("user-quota", namespace) print("%s\t%s\t%s" % (get_quota.metadata.namespace, get_quota.metadata.name, get_quota.spec)) # create ns Role rules = [client.V1PolicyRule( ["*"], resources=["*"], verbs=["*"], )] role = client.V1Role(rules=rules) role.metadata = client.V1ObjectMeta(namespace=namespace, name="user-role") rbac = client.RbacAuthorizationV1Api() rbac.create_namespaced_role(namespace, role) print("Create Role : " + namespace + "/user-role") # delete NS Role rbac.delete_namespaced_role("user-role", namespace) print("Delete Role : " + namespace + "/user-role") # create ns RoleBinding role_binding = client.V1RoleBinding(metadata=client.V1ObjectMeta( namespace=namespace, name="dev-role-binding"), subjects=[ client.V1Subject(namespace="account", name="dev",
def process_rbac(self, user_name): try: _ = self.rbac.create_namespaced_role( namespace="tool-{}".format(user_name), body=client.V1Role( api_version="rbac.authorization.k8s.io/v1", kind="Role", metadata=client.V1ObjectMeta( name="tool-{}-psp".format(user_name), namespace="tool-{}".format(user_name), ), rules=[ client.V1PolicyRule( api_groups=["policy"], resource_names=["tool-{}-psp".format(user_name)], resources=["podsecuritypolicies"], verbs=["use"], ) ], ), ) except ApiException as api_ex: if api_ex.status == 409 and "AlreadyExists" in api_ex.body: logging.info("Role tool-%s-psp already exists", user_name) return logging.error("Could not create psp role for %s", user_name) raise try: _ = self.rbac.create_namespaced_role_binding( namespace="tool-{}".format(user_name), body=client.V1RoleBinding( api_version="rbac.authorization.k8s.io/v1", kind="RoleBinding", metadata=client.V1ObjectMeta( name="tool-{}-psp-binding".format(user_name), namespace="tool-{}".format(user_name), ), role_ref=client.V1RoleRef( kind="Role", name="tool-{}-psp".format(user_name), api_group="rbac.authorization.k8s.io", ), subjects=[ client.V1Subject( kind="User", name=user_name, api_group="rbac.authorization.k8s.io", ) ], ), ) except ApiException as api_ex: if api_ex.status == 409 and "AlreadyExists" in api_ex.body: logging.info("RoleBinding tool-%s-psp-binding already exists", user_name) return logging.error("Could not create psp rolebinding for %s", user_name) raise try: _ = self.rbac.create_namespaced_role_binding( namespace="tool-{}".format(user_name), body=client.V1RoleBinding( api_version="rbac.authorization.k8s.io/v1", kind="RoleBinding", metadata=client.V1ObjectMeta( name="default-{}-psp-binding".format(user_name), namespace="tool-{}".format(user_name), ), role_ref=client.V1RoleRef( kind="Role", name="tool-{}-psp".format(user_name), api_group="rbac.authorization.k8s.io", ), subjects=[ client.V1Subject( kind="ServiceAccount", name="default", namespace="tool-{}".format(user_name), ) ], ), ) except ApiException as api_ex: if api_ex.status == 409 and "AlreadyExists" in api_ex.body: logging.info( "RoleBinding default-%s-psp-binding already exists", user_name, ) return logging.error( ("Could not create psp rolebinding for tool-%s:default " "serviceaccount"), user_name, ) raise try: _ = self.rbac.create_namespaced_role_binding( namespace="tool-{}".format(user_name), body=client.V1RoleBinding( api_version="rbac.authorization.k8s.io/v1", kind="RoleBinding", metadata=client.V1ObjectMeta( name="{}-tool-binding".format(user_name), namespace="tool-{}".format(user_name), ), role_ref=client.V1RoleRef( kind="ClusterRole", name="tools-user", api_group="rbac.authorization.k8s.io", ), subjects=[ client.V1Subject( kind="User", name=user_name, api_group="rbac.authorization.k8s.io", ) ], ), ) except ApiException as api_ex: if api_ex.status == 409 and "AlreadyExists" in api_ex.body: logging.info("RoleBinding %s-tool-binding already exists", user_name) return logging.error("Could not create rolebinding for %s", user_name) raise