예제 #1
def create_role(api: client.RbacAuthorizationV1Api, configmap: Resource,
                cro_spec: ResourceChunk, ns: str, name_suffix: str,
                psp: client.PolicyV1beta1PodSecurityPolicy = None):
    """Create the namespaced Role for a run from the ConfigMap template.

    Nothing is created when ``cro_spec`` already names a role under
    ``role.name``; this function does not check that such a role exists.

    Args:
        api: RBAC API client used to create the Role.
        configmap: Resource whose ``data`` holds the
            ``chaostoolkit-role.yaml`` template and, when ``psp`` is given,
            the ``chaostoolkit-role-psp-rule.yaml`` rule.
        cro_spec: Spec chunk; ``role.name`` is read from it.
        ns: Namespace the Role is created in.
        name_suffix: Appended to the template's role name after a dash.
        psp: Optional pod security policy; when truthy, an extra rule built
            from the PSP rule template is appended to the Role's rules.

    Returns:
        The role body that was sent to the API, or ``None`` when the spec
        names its own role or the API answers 409 (already exists).

    Raises:
        kopf.PermanentError: The API call failed with a status other
            than 409.
    """
    log = logging.getLogger('kopf.objects')

    # A role named in the spec is taken as-is; only the templated path
    # below creates anything.
    if cro_spec.get("role", {}).get("name"):
        return None

    # The Role body, and with it every permission it grants, comes from
    # this ConfigMap entry. Write access to that ConfigMap should be
    # restricted as tightly as write access to RBAC objects themselves.
    role_body = yaml.safe_load(configmap.data['chaostoolkit-role.yaml'])
    metadata = role_body["metadata"]
    role_name = f"{metadata['name']}-{name_suffix}"
    metadata["name"] = role_name
    set_ns(role_body, ns)

    # With a PSP, the Role gets one more rule so that it may use that policy.
    # NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed in
    # Kubernetes v1.25; this branch only applies to clusters that still
    # serve that API.
    if psp:
        psp_name = psp.metadata.name
        log.info(
            f"Adding pod security policy {psp_name} use to role")
        extra_rule = yaml.safe_load(
            configmap.data['chaostoolkit-role-psp-rule.yaml'])
        set_rule_psp_name(extra_rule, psp_name)
        role_body["rules"].append(extra_rule)

    log.debug(f"Creating role with template:\n{role_body}")
    try:
        api.create_namespaced_role(body=role_body, namespace=ns)
    except ApiException as exc:
        if exc.status != 409:
            raise kopf.PermanentError(
                f"Failed to create role: {exc!s}")
        # 409: a Role with this name is already there. It is neither read
        # nor patched here, so its rules may differ from this template.
        log.info(f"Role '{role_name}' already exists.")
        return None
    return role_body
예제 #2
def create_role(api: client.RbacAuthorizationV1Api, configmap: Resource,
                cro_spec: ResourceChunk, ns: str, name_suffix: str,
                logger: logging.Logger):
    """Create the namespaced Role for a run from the ConfigMap template.

    Nothing is created when ``cro_spec`` already names a role under
    ``role.name``; this function does not check that such a role exists.

    Args:
        api: RBAC API client used to create the Role.
        configmap: Resource whose ``data`` holds the
            ``chaostoolkit-role.yaml`` template.
        cro_spec: Spec chunk; ``role.name`` is read from it.
        ns: Namespace the Role is created in.
        name_suffix: Appended to the template's role name after a dash.
        logger: Logger that receives the "already exists" message.

    Returns:
        The role body that was sent to the API, or ``None`` when the spec
        names its own role or the API answers 409 (already exists).

    Raises:
        kopf.PermanentError: The API call failed with a status other
            than 409.
    """
    # A role named in the spec is taken as-is; only the templated path
    # below creates anything.
    if cro_spec.get("role", {}).get("name"):
        return None

    # The Role body, and with it every permission it grants, comes from
    # this ConfigMap entry. Write access to that ConfigMap should be
    # restricted as tightly as write access to RBAC objects themselves.
    role_body = yaml.safe_load(configmap.data['chaostoolkit-role.yaml'])
    metadata = role_body["metadata"]
    role_name = f"{metadata['name']}-{name_suffix}"
    metadata["name"] = role_name
    set_ns(role_body, ns)

    try:
        api.create_namespaced_role(body=role_body, namespace=ns)
    except ApiException as exc:
        if exc.status != 409:
            raise kopf.PermanentError(
                f"Failed to create role: {exc!s}")
        # 409: a Role with this name is already there. It is neither read
        # nor patched here, so its rules may differ from this template.
        logger.info(f"Role '{role_name}' already exists.")
        return None
    return role_body