Merge pull request #2911 from yanfeng1992/fixbug_impersonation_subject_deduplicate

generate PolicyRules from given subjects for impersonation deduplicate
karmada-bot 2022-12-08 11:36:18 +08:00 committed by GitHub
commit 8af17ca382
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 3 deletions


@ -7,6 +7,7 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kubeclient "k8s.io/client-go/kubernetes"
stringslices "k8s.io/utils/strings/slices"
)
// IsClusterRoleExist tells if specific ClusterRole already exists.
@ -136,11 +137,17 @@ func GenerateImpersonationRules(allSubjects []rbacv1.Subject) []rbacv1.PolicyRul
for _, subject := range allSubjects {
switch subject.Kind {
case rbacv1.UserKind:
users = append(users, subject.Name)
if !stringslices.Contains(users, subject.Name) {
users = append(users, subject.Name)
}
case rbacv1.ServiceAccountKind:
serviceAccounts = append(serviceAccounts, subject.Name)
if !stringslices.Contains(serviceAccounts, subject.Name) {
serviceAccounts = append(serviceAccounts, subject.Name)
}
case rbacv1.GroupKind:
groups = append(groups, subject.Name)
if !stringslices.Contains(groups, subject.Name) {
groups = append(groups, subject.Name)
}
}
}
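Review bot: The `rbacv1.ServiceAccountKind` branch deduplicates on `subject.Name` alone, so two service accounts with the same name in different namespaces collapse into one entry. That matches what the generated rule can express, since the test expectations list only names under `ResourceNames`, but it presumably also means the resulting `impersonate` rule is not limited to one namespace, which anyone granting impersonation should be told. I would add a comment above that branch: `// ServiceAccount subjects are keyed by Name only; Namespace is not carried into the rule.` The three branches also repeat the same check-then-append pattern, which a small helper would remove. GenerateImpersonationRules starts and ends outside the hunk.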


@ -237,6 +237,24 @@ func TestGenerateImpersonationRules(t *testing.T) {
{Verbs: []string{"impersonate"}, Resources: []string{"groups"}, APIGroups: []string{""}, ResourceNames: []string{"group1", "group2"}},
},
},
{
name: "generate and deduplicate subject success",
args: args{
allSubjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "user1"},
{Kind: rbacv1.UserKind, Name: "user1"},
{Kind: rbacv1.ServiceAccountKind, Name: "sa1"},
{Kind: rbacv1.ServiceAccountKind, Name: "sa1"},
{Kind: rbacv1.GroupKind, Name: "group1"},
{Kind: rbacv1.GroupKind, Name: "group1"},
},
},
want: []rbacv1.PolicyRule{
{Verbs: []string{"impersonate"}, Resources: []string{"users"}, APIGroups: []string{""}, ResourceNames: []string{"user1"}},
{Verbs: []string{"impersonate"}, Resources: []string{"serviceaccounts"}, APIGroups: []string{""}, ResourceNames: []string{"sa1"}},
{Verbs: []string{"impersonate"}, Resources: []string{"groups"}, APIGroups: []string{""}, ResourceNames: []string{"group1"}},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
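Review bot: The new case only covers back-to-back duplicates of a single name per kind, so it does not show that a duplicate separated by other subjects is dropped or that first-seen order is kept. I would put `{Kind: rbacv1.UserKind, Name: "user2"}` between the two `user1` entries and expect `ResourceNames: []string{"user1", "user2"}` for the users rule. A pair of ServiceAccount subjects with the same Name and different Namespace values would also pin how that case is meant to behave. TestGenerateImpersonationRules starts and ends outside the hunk.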