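def grant_access(self, bind: SecretBinding):
    """Create the Role and RoleBinding that give *bind*'s subject access to its secrets.

    Both objects come from ``bind.to_k8s_resources()`` and are created in
    ``bind.get_namespace()``.  The two creates are not atomic: when the
    Role is created but the RoleBinding is not, the Role is deleted again
    (best effort) so that a retry does not fail with 409 on a Role that
    is already there.

    Raises:
        KSCPException: wrapping the API status and reason of the failed
            create.
    """
    # NOTE(review): revoke_access() raises ESKException for the same kind
    # of failure; confirm which of the two exception types callers catch.
    namespace = bind.get_namespace()
    role, role_binding = bind.to_k8s_resources()
    try:
        self.__rbac_api.create_namespaced_role(namespace, role)
    except kubernetes.client.exceptions.ApiException as e:
        raise KSCPException(e.status, e.reason) from e
    try:
        self.__rbac_api.create_namespaced_role_binding(namespace, role_binding)
    except kubernetes.client.exceptions.ApiException as e:
        # Roll the Role back so the namespace is left as it was found; the
        # name mirrors what revoke_access() deletes.  A failure of the
        # rollback is only logged: the original error is what the caller
        # needs to see.
        try:
            self.__rbac_api.delete_namespaced_role(bind.get_name(), namespace)
        except kubernetes.client.exceptions.ApiException as cleanup_err:
            logger.debug(
                f"Could not roll back role { bind.get_name() }: {cleanup_err.reason}")
        raise KSCPException(e.status, e.reason) from e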
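def revoke_access(self, bind: SecretBinding):
    """Delete the Role and RoleBinding that were created for *bind*.

    Both objects are addressed by ``bind.get_name()`` in
    ``bind.get_namespace()``.  A missing object (HTTP 404) is not an
    error: it is logged at debug level and skipped, which makes the
    method safe to call more than once.  The RoleBinding delete is
    attempted even when the Role was already gone.

    Raises:
        ESKException: wrapping status and reason of any other API failure.
    """
    name = bind.get_name()
    namespace = bind.get_namespace()

    def delete_or_skip(delete, kind):
        # delete: the namespaced delete call to run; kind: label used in
        # the skip message.  Only 404 is tolerated.
        try:
            delete(name, namespace)
        except kubernetes.client.ApiException as e:
            if e.status != 404:
                raise ESKException(e.status, e.reason)
            logger.debug(f"{kind} { name } did not exist, skip.")

    delete_or_skip(self.__rbac_api.delete_namespaced_role, "Role")
    delete_or_skip(self.__rbac_api.delete_namespaced_role_binding, "Role binding")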
def __get_backend_policies_map(self, bind: SecretBinding):
    """Group the policy names *bind* needs by the backend that serves each secret.

    Every backend in ``self.__backends`` gets an entry (possibly an empty
    list).  For each secret listed by ``bind.get_secrets()`` the secret's
    spec is looked up in the binding's namespace and a policy named
    ``"<namespace>-<secret name>"`` is appended under that spec's backend.

    Returns:
        dict mapping backend -> list of policy names.

    Raises:
        KeyError: when a secret's backend is not one of ``self.__backends``.
    """
    namespace = bind.get_namespace()
    policies = {backend: [] for backend in self.__backends}
    for secret in bind.get_secrets():
        secret_name = secret.get('name')
        spec = self.get_secret_spec(secret_name, namespace)
        # NOTE(review): '-' is legal in both namespace and secret names, so
        # "<namespace>-<name>" is not guaranteed unique across namespaces;
        # confirm the backend's policy naming rules out such collisions.
        policies[spec.get_backend()].append(f"{ namespace }-{ secret_name }")
    return policies
def grant_access(self, bind: SecretBinding, policies: list):
    """Create the auth-backend role that lets *bind*'s service account obtain *policies*.

    The role is named ``bind.get_name()`` and is bound to exactly one
    service account (``bind.get_service_account()``) in exactly one
    namespace (``bind.get_namespace()``).  The call goes through
    ``self.__client.auth.kubernetes.create_role``; this looks like the
    Kubernetes auth method of a Vault client -- confirm against the
    client in use.
    """
    create_role = self.__client.auth.kubernetes.create_role
    role_name = bind.get_name()
    # One-element lists on purpose: the role must not be assumable by any
    # other service account or from any other namespace.
    bound_service_accounts = [bind.get_service_account()]
    bound_namespaces = [bind.get_namespace()]
    create_role(role_name, bound_service_accounts, bound_namespaces,
                policies=policies)