def create_role(api: client.RbacAuthorizationV1Api, configmap: Resource, cro_spec: ResourceChunk, ns: str, name_suffix: str, psp: client.PolicyV1beta1PodSecurityPolicy = None):
    """Create the cluster role for a chaos experiment, unless the spec names one.

    When ``cro_spec`` already carries a ``role.name`` the caller is expected to
    manage RBAC themselves: nothing is created and ``None`` is returned.
    Otherwise the role template stored in the configmap under
    ``chaostoolkit-role.yaml`` is loaded, its name suffixed with
    ``name_suffix`` and, when a ``psp`` is given, a ``use`` rule for that
    PodSecurityPolicy (taken from ``chaostoolkit-role-psp-rule.yaml``) is
    appended to its rules before the object is created.

    Note that the object is created with ``create_cluster_role``, i.e. it is
    cluster-scoped; the ``ns`` argument is accepted but not used by this
    function. ``PolicyV1beta1PodSecurityPolicy`` is a beta API that was
    removed from Kubernetes in v1.25, so the ``psp`` path only applies to
    older clusters.

    :param api: RBAC API client used to create the role
    :param configmap: configmap holding the role and PSP-rule templates
    :param cro_spec: spec of the chaos experiment resource
    :param ns: target namespace (currently unused here)
    :param name_suffix: suffix appended to the template's role name
    :param psp: optional PodSecurityPolicy the role should be allowed to use
    :return: the created role manifest, or ``None`` when a role was named in
        the spec or a role with that name already exists (HTTP 409)
    :raises kopf.PermanentError: on any API error other than 409
    """
    logger = logging.getLogger('kopf.objects')

    # A user-provided role means we do not create one at all.
    if cro_spec.get("role", {}).get("name"):
        return None

    role_body = yaml.safe_load(configmap.data['chaostoolkit-role.yaml'])
    role_name = f'{role_body["metadata"]["name"]}-{name_suffix}'
    role_body["metadata"]["name"] = role_name

    # A PSP, when present, is granted through an extra "use" rule.
    if psp:
        psp_name = psp.metadata.name
        logger.info(f"Adding pod security policy {psp_name} use to role")
        psp_use_rule = yaml.safe_load(configmap.data['chaostoolkit-role-psp-rule.yaml'])
        set_rule_psp_name(psp_use_rule, psp_name)
        role_body["rules"].append(psp_use_rule)

    logger.debug(f"Creating cluster role with template:\n{role_body}")
    try:
        api.create_cluster_role(body=role_body)
    except ApiException as err:
        # 409 means the role is already there; anything else is fatal for
        # this resource and is surfaced as a permanent error.
        if err.status != 409:
            raise kopf.PermanentError(f"Failed to create cluster role: {str(err)}")
        logger.info(f"Cluster role '{role_name}' already exists.")
        return None
    return role_body
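def configure_rbac_with_ap(rbac_v1: RbacAuthorizationV1Api) -> RBACAuthorization:
    """
    Create cluster role and binding for the AppProtect module.

    Reads every YAML document in ``{DEPLOYMENTS}/rbac/ap-rbac.yaml`` and
    creates the ``ClusterRole`` and ``ClusterRoleBinding`` found there.
    Documents of any other kind are ignored, as are empty documents (which
    ``yaml.safe_load_all`` yields as ``None``, e.g. for a trailing ``---``).
    Both objects are cluster-scoped, so the permissions in the file apply
    cluster-wide.

    :param rbac_v1: RbacAuthorizationV1Api
    :return: RBACAuthorization with the names of the created role and binding
        (an empty string for whichever kind was not present in the file)
    """
    role_name = ""
    binding_name = ""
    with open(f"{DEPLOYMENTS}/rbac/ap-rbac.yaml") as f:
        # safe_load_all is lazy: iterate while the file is still open.
        for dep in yaml.safe_load_all(f):
            # Skip empty documents instead of failing on dep["kind"].
            if not dep:
                continue
            if dep["kind"] == "ClusterRole":
                print("Create cluster role for AppProtect")
                role_name = dep["metadata"]["name"]
                rbac_v1.create_cluster_role(dep)
                print(f"Created role '{role_name}'")
            elif dep["kind"] == "ClusterRoleBinding":
                print("Create binding for AppProtect")
                binding_name = dep["metadata"]["name"]
                rbac_v1.create_cluster_role_binding(dep)
                print(f"Created binding '{binding_name}'")
    return RBACAuthorization(role_name, binding_name)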
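def configure_rbac(rbac_v1: RbacAuthorizationV1Api) -> RBACAuthorization:
    """
    Create cluster role and binding.

    Reads every YAML document in ``{DEPLOYMENTS}/rbac/rbac.yaml`` and creates
    the ``ClusterRole`` and ``ClusterRoleBinding`` found there. Documents of
    any other kind are ignored, as are empty documents (which
    ``yaml.safe_load_all`` yields as ``None``, e.g. for a trailing ``---``).
    Both objects are cluster-scoped, so the permissions in the file apply
    cluster-wide.

    :param rbac_v1: RbacAuthorizationV1Api
    :return: RBACAuthorization with the names of the created role and binding
        (an empty string for whichever kind was not present in the file)
    """
    role_name = ""
    binding_name = ""
    with open(f'{DEPLOYMENTS}/rbac/rbac.yaml') as f:
        # safe_load_all is lazy: iterate while the file is still open.
        for dep in yaml.safe_load_all(f):
            # Skip empty documents instead of failing on dep["kind"].
            if not dep:
                continue
            if dep["kind"] == "ClusterRole":
                print("Create cluster role")
                role_name = dep['metadata']['name']
                rbac_v1.create_cluster_role(dep)
                print(f"Created role '{role_name}'")
            elif dep["kind"] == "ClusterRoleBinding":
                print("Create binding")
                binding_name = dep['metadata']['name']
                rbac_v1.create_cluster_role_binding(dep)
                print(f"Created binding '{binding_name}'")
    return RBACAuthorization(role_name, binding_name)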