def ensure_space_role_bindings(api, organization: k8spin_common.Organization,
tenant: k8spin_common.Tenant, space_name: str):
space = get_space(space_name=space_name,
tenant_name=tenant.name,
organization_name=organization.name)
namespace = space.space_namespace
roles = space.roles
rolebindings_names = list()
# Space level permissions
for role in roles:
# Cluster role to assign
name = role.get('name')
target_kind = "ServiceAccount"
targets = role.get('serviceAccounts', None)
if not targets:
target_kind = "Group"
targets = role.get('groups', None)
if not targets:
target_kind = "User"
targets = role.get('users', list())
for target in targets:
target_namespace = target.split(
":")[0] if target_kind == "ServiceAccount" else None
target = target.split(
":")[1] if target_kind == "ServiceAccount" else target
rolebinding_name = f"{space_name}-{name}-{target_kind.lower()}-{target.lower()}"
labels = {
"k8spin.cloud/type": "role",
"k8spin.cloud/org": organization.name,
"k8spin.cloud/tenant": tenant.name,
"k8spin.cloud/space": space_name
}
role_binding = create_role_binding(rolebinding_name,
namespace.name, labels, name,
target_kind, target,
target_namespace)
ensure(role_binding, space)
rolebindings_names.append(rolebinding_name)
# Create required binding to allow user query namespaces
cluster_rolebinding_name = f"{space_name}-{name}-{target_kind.lower()}-{target.lower()}"
cluster_role_binding = create_cluster_role_binding(
cluster_rolebinding_name, labels, "namespace-viewer",
target_kind, target, target_namespace)
ensure(cluster_role_binding, space)
# Finally, cleanup
_clean_space_roles(organization, tenant, space, rolebindings_names)
def ensure_organization_namespace(api, organization_name: str):
org_namespace_name = organization_namespacename_generator(
organization_name=organization_name)
labels = {
"k8spin.cloud/type": "organization",
"k8spin.cloud/org": organization_name
}
owner = get_organization(organization_name)
org_namespace = create_namespace(org_namespace_name, labels)
org_namespace = ensure(org_namespace, owner)
return org_namespace
def ensure_tenant_namespace(api, organization: k8spin_common.Organization, tenant_name: str):
tenant_namespace_name = tenant_namespacename_generator(
organization_name=organization.name, tenant_name=tenant_name)
labels = {
"k8spin.cloud/type": "tenant",
"k8spin.cloud/org": organization.name,
"k8spin.cloud/tenant": tenant_name
}
owner = get_tenant(tenant_name, organization.name)
tenant_namespace = create_namespace(tenant_namespace_name, labels)
tenant_namespace = ensure(tenant_namespace, owner)
return tenant_namespace
def ensure_space_limit_range(api, organization: k8spin_common.Organization,
tenant: k8spin_common.Tenant, space_name: str):
space = get_space(space_name, tenant.name, organization.name)
space_namespace = space.space_namespace
labels = {
"k8spin.cloud/type": "defaults",
"k8spin.cloud/org": organization.name,
"k8spin.cloud/tenant": tenant.name,
"k8spin.cloud/space": space_name
}
cpu = space.default_container_resources.get("cpu")
memory = space.default_container_resources.get("memory")
space_limit_range = create_limit_range("defaults", space_namespace.name,
labels, cpu, memory)
space_limit_range = ensure(space_limit_range, space)
return space_limit_range
def ensure_space_resource_quota(api, organization: k8spin_common.Organization,
tenant: k8spin_common.Tenant, space_name: str):
space = get_space(space_name, tenant.name, organization.name)
space_namespace = space.space_namespace
labels = {
"k8spin.cloud/type": "quotas",
"k8spin.cloud/org": organization.name,
"k8spin.cloud/tenant": tenant.name,
"k8spin.cloud/space": space_name
}
cpu = space.resources.get("cpu")
memory = space.resources.get("memory")
space_resource_quota = create_resource_quota("quotas",
space_namespace.name, labels,
cpu, memory)
space_resource_quota = ensure(space_resource_quota, space)
return space_resource_quota
def ensure_space_namespace(api, organization: k8spin_common.Organization,
tenant: k8spin_common.Tenant, space_name: str):
space_namespace_name = space_namespacename_generator(
space_name=space_name,
tenant_name=tenant.name,
organization_name=organization.name)
labels = {
"k8spin.cloud/type": "space",
"k8spin.cloud/org": organization.name,
"k8spin.cloud/tenant": tenant.name,
"k8spin.cloud/space": space_name,
"k8spin.cloud/name": space_namespace_name
}
owner = get_space(space_name, tenant.name, organization.name)
space_namespace = create_namespace(space_namespace_name, labels)
space_namespace = ensure(space_namespace, owner)
return space_namespace
def ensure_space_network_policies(api,
organization: k8spin_common.Organization,
tenant: k8spin_common.Tenant,
space_name: str):
space = get_space(space_name, tenant.name, organization.name)
space_namespace = space.space_namespace
labels = {
"k8spin.cloud/type": "defaults",
"k8spin.cloud/org": organization.name,
"k8spin.cloud/tenant": tenant.name,
"k8spin.cloud/space": space_name
}
allow_incoming_network = space.get_allow_incoming_network
space_network_policy = create_network_policy("defaults",
space_namespace.name, labels,
allow_incoming_network)
space_network_policy = ensure(space_network_policy, space)
return space_network_policy