package kubernetes
import (
"fmt"
"strings"
"k8s.io/kubectl/pkg/util/slice"
)
var (
	// clusterScopedKinds is the lower-cased set of Kubernetes kinds that a
	// namespace-scoped account must not reach. ValidateKindStatus looks the
	// caller's kind up here after lowering its case, so entries must stay
	// lower-case. The set is a map[string]struct{} used purely for membership.
	clusterScopedKinds = map[string]struct{}{
		"apiservice":                     {},
		"clusterrole":                    {},
		"clusterrolebinding":             {},
		"customresourcedefinition":       {},
		"mutatingwebhookconfiguration":   {},
		"namespace":                      {},
		"persistentvolume":               {},
		"podsecuritypolicy":              {},
		"storageclass":                   {},
		"validatingwebhookconfiguration": {},
	}
)
// Provider is a Kubernetes account record: the endpoint and credential used to
// reach a cluster, plus the namespace restrictions that ValidateKindStatus and
// ValidateNamespaceAccess enforce. Fields tagged gorm:"-" are runtime-only.
type Provider struct {
	// Name identifies the account and is the primary key of the providers table.
	Name string `json:"name" gorm:"primary_key"`
	// Host is the cluster endpoint (per its name; no code on this page reads it).
	Host string `json:"host"`
	// CAData is stored as a text column; presumably the CA bundle for Host — verify against the client builder.
	CAData string `json:"caData" gorm:"type:text"`
	// BearerToken is a static credential. Its json tag only omits it when empty,
	// so anything that marshals a Provider emits the token — confirm callers
	// redact it before it reaches logs or API responses.
	BearerToken string `json:"bearerToken,omitempty" gorm:"size:2048"`
	// TokenProvider selects how a token is obtained; the column is NOT NULL and
	// defaults to 'google'.
	TokenProvider string `json:"tokenProvider,omitempty" gorm:"size:128;not null;default:'google'"`
	// Namespace, when non-nil, makes ValidateKindStatus treat the account as
	// namespace-scoped. ValidateNamespaceAccess does not consult it.
	Namespace *string `json:"namespace,omitempty" gorm:"size:253"`
	// Namespaces is the allow-list checked by ValidateNamespaceAccess. It is not
	// persisted with this row; presumably it is assembled from ProviderNamespaces
	// rows — verify against the loader.
	Namespaces []string `json:"namespaces,omitempty" gorm:"-"`
	// Permissions is serialized but never persisted with the provider row.
	Permissions ProviderPermissions `json:"permissions" gorm:"-"`
	// Providers can hold instances of clients. Neither is serialized nor persisted;
	// they are set through WithClient and WithClientset.
	Client Client `json:"-" gorm:"-"`
	Clientset Clientset `json:"-" gorm:"-"`
}
// ProviderPermissions lists the principals (presumably role or group names —
// not established on this page) granted read and write access to a provider.
// Both lists are serialized but never persisted by GORM.
type ProviderPermissions struct {
	// Read is the set with read access.
	Read []string `json:"read" gorm:"-"`
	// Write is the set with write access.
	Write []string `json:"write" gorm:"-"`
}
// TableName names the GORM table that backs Provider rows.
func (Provider) TableName() string {
	const table = "kubernetes_providers"
	return table
}
// ProviderNamespaces is one persisted (account, namespace) pair. Presumably the
// rows for an account are collected into Provider.Namespaces — verify against
// the loader; nothing on this page performs that join.
type ProviderNamespaces struct {
	//ID string `json:"-" gorm:"primary_key"`
	// AccountName is the Provider.Name the row belongs to.
	AccountName string `json:"accountName"`
	// Namespace is a single namespace the account may use.
	Namespace string `json:"namespace,omitempty"`
}

// TableName names the GORM table that backs ProviderNamespaces rows.
func (ProviderNamespaces) TableName() string {
	const table = "kubernetes_providers_namespaces"
	return table
}
// ValidateKindStatus reports whether this provider may touch the given kind.
// It is a partial implementation of `omitKinds`: only namespace-scoped
// providers are restricted, and only for the cluster-scoped kinds below.
//
// A provider is namespace-scoped when Namespace is non-nil or Namespaces is
// non-empty. Such a provider is refused these kinds (matched case-insensitively):
// - apiService
// - clusterRole
// - clusterRoleBinding
// - customResourceDefinition
// - mutatingWebhookConfiguration
// - namespace
// - persistentVolume
// - podSecurityPolicy
// - storageClass
// - validatingWebhookConfiguration
//
// Any other kind, including an empty or unrecognised one, is allowed; the check
// is a deny-list, not an allow-list.
//
// See https://github.com/spinnaker/clouddriver/blob/58ab154b0ec0d62772201b5b319af349498a4e3f/clouddriver-kubernetes/src/main/java/com/netflix/spinnaker/clouddriver/kubernetes/description/manifest/KubernetesKindProperties.java#L31
// for clouddriver OSS namespace-scoped kinds.
func (p *Provider) ValidateKindStatus(kind string) error {
	// Neither restriction set: the account is cluster-scoped and every kind passes.
	namespaceScoped := p.Namespace != nil || len(p.Namespaces) > 0
	if !namespaceScoped {
		return nil
	}
	// clusterScopedKinds holds lower-case keys, so normalise before the lookup.
	_, clusterScoped := clusterScopedKinds[strings.ToLower(kind)]
	if !clusterScoped {
		return nil
	}
	return fmt.Errorf("namespace-scoped account not allowed to access cluster-scoped kind: '%s'", kind)
}
// ValidateNamespaceAccess reports whether this provider may use the given
// namespace. Surrounding whitespace is ignored and an empty name means
// "default". When Namespaces is empty the check is skipped entirely; the
// Namespace field is not consulted here even though ValidateKindStatus treats
// it as a scoping signal — NOTE(review): confirm that callers populate
// Namespaces for every namespace-scoped account, otherwise a provider with only
// Namespace set passes this check for any namespace.
func (p *Provider) ValidateNamespaceAccess(namespace string) error {
	ns := strings.TrimSpace(namespace)
	if ns == "" {
		ns = "default"
	}
	// An empty allow-list means this check imposes no restriction.
	if len(p.Namespaces) == 0 {
		return nil
	}
	// Exact, case-sensitive match against the allow-list (nil modifier).
	if slice.ContainsString(p.Namespaces, ns, nil) {
		return nil
	}
	return fmt.Errorf("namespace-scoped account not allowed to access forbidden namespace: '%s'", ns)
}
// WithClient sets the kubernetes client for this provider. It overwrites any
// previously set client unconditionally and, despite the With prefix, returns
// nothing, so it cannot be chained.
func (p *Provider) WithClient(client Client) {
	p.Client = client
}
// WithClientset sets the kubernetes clientset for this provider. It overwrites
// any previously set clientset unconditionally and, despite the With prefix,
// returns nothing, so it cannot be chained.
func (p *Provider) WithClientset(clientset Clientset) {
	p.Clientset = clientset
}