Exemplo n.º 1
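    def grant_access(self, bind: SecretBinding):
        """Create the Role and RoleBinding described by *bind* in its namespace.

        Args:
            bind: Binding whose ``to_k8s_resources()`` yields the
                ``(role, role_binding)`` pair to create.

        Raises:
            KSCPException: Carrying the API status and reason when either
                create call raises an ``ApiException``.
        """
        role, role_binding = bind.to_k8s_resources()

        try:
            self.__rbac_api.create_namespaced_role(bind.get_namespace(), role)
            # NOTE(review): the two creates are not atomic. If the call below
            # fails, the Role created above stays in the namespace; confirm
            # that callers clean up or that a retry tolerates the leftover.
            self.__rbac_api.create_namespaced_role_binding(
                bind.get_namespace(), role_binding)
        except kubernetes.client.exceptions.ApiException as e:
            # Chain the API error so the original response stays attached to
            # the traceback instead of being replaced by the wrapper.
            raise KSCPException(e.status, e.reason) from e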
Exemplo n.º 2
    def __get_backend_policies_map(self, bind: SecretBinding):
        """Group the policy names needed by *bind* under their backend.

        Every backend in ``self.__backends`` gets an entry, empty when none
        of the binding's secrets resolve to it. Each policy name is built as
        ``<namespace>-<secret name>``.

        Args:
            bind: Binding whose secrets and namespace are read.

        Returns:
            dict mapping each backend to its list of policy names.

        Raises:
            KeyError: If a secret resolves to a backend that is not in
                ``self.__backends``.
        """
        policies_by_backend = {backend: [] for backend in self.__backends}

        for secret in bind.get_secrets():
            spec = self.get_secret_spec(
                secret.get('name'), bind.get_namespace())
            backend_policies = policies_by_backend[spec.get_backend()]
            # NOTE(review): namespace and secret name are joined with "-",
            # a character both may contain, so ("a-b", "c") and ("a", "b-c")
            # yield the same policy name. Confirm the backend's policy names
            # cannot collide across namespaces.
            policy_name = f"{ bind.get_namespace() }-{ secret.get('name') }"
            backend_policies.append(policy_name)

        return policies_by_backend
Exemplo n.º 3
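    def __get_backends_to_revoke_for_bind(self, bind: SecretBinding):
        """Return the distinct backends used by the secrets listed in *bind*.

        Args:
            bind: Binding whose secrets are resolved to their backends.

        Returns:
            list of backends, each appearing once, in first-seen order.
        """
        revoke_backends = {}

        for s in bind.get_secrets():
            # Resolve every secret individually. Looking up the binding as a
            # whole ignores ``s`` and repeats one lookup per secret, so a
            # backend used by only some secrets could be left out and keep
            # its access grant after a revoke.
            # NOTE(review): assumes get_secret_spec(name, namespace), the
            # form used when building the policy map; confirm.
            secret_backend = self.get_secret_spec(
                s.get('name'), bind.get_namespace()).get_backend()
            revoke_backends[secret_backend] = True

        # A dict keeps insertion order, so the result is deterministic.
        return list(revoke_backends)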
Exemplo n.º 4
Arquivo: api.py Projeto: esk8s/esk
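    def revoke_access(self, bind: SecretBinding):
        """Delete the Role and RoleBinding named after *bind*.

        Both deletions are attempted even when the first one fails, so an
        error removing the Role does not leave the RoleBinding untouched.
        A 404 from either call is treated as already revoked.

        Args:
            bind: Binding whose name and namespace identify both objects.

        Raises:
            ESKException: Carrying the status and reason of the first
                non-404 ``ApiException``, raised after both attempts.
        """
        deletions = (
            ("Role", self.__rbac_api.delete_namespaced_role),
            ("Role binding", self.__rbac_api.delete_namespaced_role_binding),
        )
        failures = []

        for kind, delete in deletions:
            try:
                delete(bind.get_name(), bind.get_namespace())
            except kubernetes.client.ApiException as e:
                if e.status == 404:
                    logger.debug(
                        f"{ kind } { bind.get_name() } did not exist, skip.")
                else:
                    # Keep going: revocation should remove as much of the
                    # grant as possible before reporting the failure.
                    failures.append((kind, e))

        if failures:
            # Only one exception can be raised; log the rest so that no
            # failed deletion goes unreported.
            for kind, err in failures[1:]:
                logger.warning(
                    f"{ kind } { bind.get_name() } could not be deleted: "
                    f"{ err.status } { err.reason }")
            first = failures[0][1]
            raise ESKException(first.status, first.reason) from first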
Exemplo n.º 5
 def revoke_access(self, bind: SecretBinding):
     """Delete the Kubernetes-auth role named after *bind* on the client.

     Args:
         bind: Binding whose name identifies the role to delete.
     """
     # NOTE(review): the role is keyed by the binding name alone, with no
     # namespace component. Confirm that bindings sharing a name in
     # different namespaces cannot end up deleting each other's role.
     kubernetes_auth = self.__client.auth.kubernetes
     kubernetes_auth.delete_role(bind.get_name())
Exemplo n.º 6
 def grant_access(self, bind: SecretBinding, policies: list):
     """Create a Kubernetes-auth role for *bind* with the given policies.

     The role is limited to the single service account and the single
     namespace taken from the binding.

     Args:
         bind: Binding supplying the role name, service account and
             namespace.
         policies: Policy names attached to the role, passed through
             unchanged.
     """
     create_role = self.__client.auth.kubernetes.create_role
     # NOTE(review): the role is keyed by the binding name alone. Confirm
     # that a binding with the same name in another namespace cannot
     # replace this role. No token lifetime is passed here, so whatever
     # the auth backend defaults to presumably applies; verify.
     role_name = bind.get_name()
     service_accounts = [bind.get_service_account()]
     namespaces = [bind.get_namespace()]
     create_role(role_name, service_accounts, namespaces,
                 policies=policies)
Exemplo n.º 7
 def get_object(cls, name, namespace, spec):
     """Build a ``SecretBinding`` from a resource name, namespace and spec.

     Args:
         name: Passed through as the binding name.
         namespace: Passed through as the binding namespace.
         spec: Mapping read with ``.get()`` for the ``serviceAccount``,
             ``secrets``, ``target`` and ``template`` keys.

     Returns:
         The constructed ``SecretBinding``.
     """
     # .get() yields None for an absent key and nothing is validated here,
     # so a spec without serviceAccount or secrets still builds a binding.
     # NOTE(review): confirm such a binding is rejected before it is used
     # to grant access.
     service_account = spec.get('serviceAccount')
     secrets = spec.get('secrets')
     target = spec.get('target')
     template = spec.get('template')
     return SecretBinding(name, namespace, service_account,
                          secrets, target, template)