package resourcecreator
import (
"fmt"
nais "github.com/nais/naiserator/pkg/apis/nais.io/v1alpha1"
istio_crd "github.com/nais/naiserator/pkg/apis/rbac.istio.io/v1alpha1"
k8s_meta "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// getServiceRoleBindingSubjects converts access-policy rules into Istio RBAC
// subjects, one per rule, identified by the service-account principal
// "cluster.local/ns/<namespace>/sa/<application>".
//
// A rule without an explicit Namespace resolves to appNamespace, the
// application's own namespace. These subjects are what a ServiceRoleBinding
// uses to decide which callers may reach the application, so every rule
// passed in becomes an allowed caller.
//
// Returns nil when rules is empty.
func getServiceRoleBindingSubjects(rules []nais.AccessPolicyRule, appNamespace string) (subjects []*istio_crd.Subject) {
	for i := range rules {
		ns := rules[i].Namespace
		if ns == "" {
			// No namespace on the rule: the caller lives alongside the app.
			ns = appNamespace
		}
		principal := fmt.Sprintf("cluster.local/ns/%s/sa/%s", ns, rules[i].Application)
		subjects = append(subjects, &istio_crd.Subject{User: principal})
	}
	return subjects
}
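// ServiceRoleBinding builds the Istio ServiceRoleBinding that binds the
// application's ServiceRole (RoleRef name app.Name) to the service accounts
// allowed to call it.
//
// Subjects are derived from app.Spec.AccessPolicy.Inbound.Rules; when the
// application exposes at least one ingress, the Istio ingress gateway service
// account (IstioNamespace / IstioIngressGatewayServiceAccount) is added as a
// subject too. The subject list is the only thing restricting who may reach
// the application (the ServiceRole itself is a wildcard), so the rule list is
// copied before the gateway entry is appended: appending straight onto the
// slice taken from app.Spec would write into any spare capacity of the
// application's own backing array and could leak the gateway rule into other
// readers of that slice.
//
// NOTE(review): unlike ServiceRole, this never returns nil; with no inbound
// rules and no ingresses the binding has no subjects and refers to a
// ServiceRole that ServiceRole() does not emit — confirm the caller filters
// that case.
func ServiceRoleBinding(app *nais.Application) *istio_crd.ServiceRoleBinding {
	inbound := app.Spec.AccessPolicy.Inbound.Rules

	// Own the slice we extend; never append into app.Spec's backing array.
	rules := make([]nais.AccessPolicyRule, 0, len(inbound)+1)
	rules = append(rules, inbound...)
	if len(app.Spec.Ingresses) > 0 {
		rules = append(rules, nais.AccessPolicyRule{
			Namespace:   IstioNamespace,
			Application: IstioIngressGatewayServiceAccount,
		})
	}

	return &istio_crd.ServiceRoleBinding{
		TypeMeta: k8s_meta.TypeMeta{
			Kind:       "ServiceRoleBinding",
			APIVersion: IstioRBACAPIVersion,
		},
		ObjectMeta: app.CreateObjectMeta(),
		Spec: istio_crd.ServiceRoleBindingSpec{
			Subjects: getServiceRoleBindingSubjects(rules, app.Namespace),
			RoleRef: &istio_crd.RoleRef{
				Kind: "ServiceRole",
				Name: app.Name,
			},
		},
	}
}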
// ServiceRoleBindingPrometheus builds the ServiceRoleBinding named
// "<app.Name>-prometheus" that grants the Istio Prometheus service account
// (IstioNamespace / IstioPrometheusServiceAccount) the ServiceRole of the
// same name.
//
// NOTE(review): this is emitted unconditionally, whereas ServiceRolePrometheus
// returns nil when app.Spec.Prometheus.Path is empty; the binding may then
// refer to a role that is never generated — confirm the caller handles that.
func ServiceRoleBindingPrometheus(app *nais.Application) (serviceRoleBindingPrometheus *istio_crd.ServiceRoleBinding) {
	name := fmt.Sprintf("%s-prometheus", app.Name)
	prometheusPrincipal := fmt.Sprintf("cluster.local/ns/%s/sa/%s", IstioNamespace, IstioPrometheusServiceAccount)

	serviceRoleBindingPrometheus = &istio_crd.ServiceRoleBinding{
		TypeMeta: k8s_meta.TypeMeta{
			Kind:       "ServiceRoleBinding",
			APIVersion: IstioRBACAPIVersion,
		},
		ObjectMeta: app.CreateObjectMetaWithName(name),
	}
	// Only the Prometheus scraper's service account is bound to this role.
	serviceRoleBindingPrometheus.Spec.Subjects = []*istio_crd.Subject{
		{User: prometheusPrincipal},
	}
	serviceRoleBindingPrometheus.Spec.RoleRef = &istio_crd.RoleRef{
		Kind: "ServiceRole",
		Name: name,
	}
	return serviceRoleBindingPrometheus
}
// ServiceRole builds the Istio ServiceRole for the application's own service
// ("<app.Name>.<app.Namespace>.svc.cluster.local").
//
// The role is deliberately a wildcard — all methods, all paths — on that
// single service; which callers are actually permitted is decided by the
// subjects of the matching ServiceRoleBinding, not by this role. Returns nil
// when the application has neither inbound access-policy rules nor
// ingresses, i.e. when no caller should be granted access at all.
func ServiceRole(app *nais.Application) *istio_crd.ServiceRole {
	hasInbound := len(app.Spec.AccessPolicy.Inbound.Rules) > 0
	hasIngress := len(app.Spec.Ingresses) > 0
	if !hasInbound && !hasIngress {
		return nil
	}

	servicePath := fmt.Sprintf("%s.%s.svc.cluster.local", app.Name, app.Namespace)
	allowAll := &istio_crd.AccessRule{
		Methods:  []string{"*"},
		Services: []string{servicePath},
		Paths:    []string{"*"},
	}

	role := &istio_crd.ServiceRole{
		TypeMeta: k8s_meta.TypeMeta{
			Kind:       "ServiceRole",
			APIVersion: IstioRBACAPIVersion,
		},
		ObjectMeta: app.CreateObjectMeta(),
	}
	role.Spec.Rules = []*istio_crd.AccessRule{allowAll}
	return role
}
// ServiceRolePrometheus builds the ServiceRole named "<app.Name>-prometheus"
// that permits GET requests to the application's metrics path
// (app.Spec.Prometheus.Path) on its own service
// "<app.Name>.<app.Namespace>.svc.cluster.local".
//
// Unlike ServiceRole, this rule is narrow: one method and one path. Returns
// nil when app.Spec.Prometheus.Path is empty, i.e. no metrics endpoint is
// declared.
func ServiceRolePrometheus(app *nais.Application) (serviceRolePrometheus *istio_crd.ServiceRole) {
	metricsPath := app.Spec.Prometheus.Path
	if metricsPath == "" {
		return nil
	}

	name := fmt.Sprintf("%s-prometheus", app.Name)
	servicePath := fmt.Sprintf("%s.%s.svc.cluster.local", app.Name, app.Namespace)
	scrapeRule := &istio_crd.AccessRule{
		Methods:  []string{"GET"},
		Services: []string{servicePath},
		Paths:    []string{metricsPath},
	}

	serviceRolePrometheus = &istio_crd.ServiceRole{
		TypeMeta: k8s_meta.TypeMeta{
			Kind:       "ServiceRole",
			APIVersion: IstioRBACAPIVersion,
		},
		ObjectMeta: app.CreateObjectMetaWithName(name),
	}
	serviceRolePrometheus.Spec.Rules = []*istio_crd.AccessRule{scrapeRule}
	return serviceRolePrometheus
}