Support kubernetes admins based on namespace

- For now, kubernetes admins was based on GitLab administrators
numberly · May 29, 2020 · 150c8ad · 150c8ad
1 parent c210ba2
commit 150c8ad
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -207,17 +207,18 @@ Any admin on GitLab is an admin of the Kubernetes cluster.
 ## Advanced configuration
 `gitlab2rbac` supports multiple environment variables for advanced configuration:
 
-| Flag                                | Description                                                        | Default    |
-|:------------------------------------|:-------------------------------------------------------------------|:-----------|
-|`GITLAB_URL`                         |Configure gitlab API target.                                        |            |
-|`GITLAB_PRIVATE_TOKEN`               |Configure gitlab API token.                                         |            |
-|`GITLAB_TIMEOUT`                     |Timeout for GitLab operations, in seconds.                          |10          |
-|`GITLAB_GROUPS_SEARCH`               |Limit to those groups (separated by commas, empty means all groups).|gitlab2rbac |
-|`GITLAB_NAMESPACE_GRANULARITY`       |Whether to get permissions from GitLab projects or groups.          |project     |
-|`KUBERNETES_AUTO_CREATE`             |Replicate GitLab groups/projects as Kubernetes namespaces.          |False       |
-|`KUBERNETES_TIMEOUT`                 |Timeout for Kubernetes operations, in seconds.                      |10          |
-|`KUBERNETES_LOAD_INCLUSTER_CONFIG`   |Load configuration inside Kubernetes when gitlab2rbac runs as a pod.|False       |
-|`GITLAB2RBAC_FREQUENCY`              |Update interval in seconds.                                         |60          |
+| Flag                                | Description                                                                 | Default    |
+|:------------------------------------|:----------------------------------------------------------------------------|:-----------|
+|`GITLAB_URL`                         |Configure gitlab API target.                                                 |            |
+|`GITLAB_PRIVATE_TOKEN`               |Configure gitlab API token.                                                  |            |
+|`GITLAB_TIMEOUT`                     |Timeout for GitLab operations, in seconds.                                   |10          |
+|`GITLAB_GROUPS_SEARCH`               |Limit to those groups (separated by commas, empty means all groups).         |gitlab2rbac |
+|`GITLAB_GROUPS_ADMIN`                |Base your k8s admins on GitLab namespace (None means GitLab administrators). |None        |
+|`GITLAB_NAMESPACE_GRANULARITY`       |Whether to get permissions from GitLab projects or groups.                   |project     |
+|`KUBERNETES_AUTO_CREATE`             |Replicate GitLab groups/projects as Kubernetes namespaces.                   |False       |
+|`KUBERNETES_TIMEOUT`                 |Timeout for Kubernetes operations, in seconds.                               |10          |
+|`KUBERNETES_LOAD_INCLUSTER_CONFIG`   |Load configuration inside Kubernetes when gitlab2rbac runs as a pod.         |False       |
+|`GITLAB2RBAC_FREQUENCY`              |Update interval in seconds.                                                  |60          |
 
 ## License
 MIT
diff --git a/gitlab2rbac.py b/gitlab2rbac.py
@@ -25,14 +25,15 @@ class GitlabHelper(object):
         50: "maintainer",  # NOTE: owner is only usable when your permissions are based on group.
     }
 
-    def __init__(self, url, token, timeout, groups, namespace_granularity):
+    def __init__(self, url, token, timeout, groups, namespace_granularity, admins_group):
         self.client = None
         self.gitlab_users = []
         self.groups = groups
         self.timeout = timeout
         self.token = token
         self.url = url
         self.namespace_granularity = namespace_granularity
+        self.admins_group = admins_group
         self.namespaces = []
 
     def connect(self):
@@ -90,6 +91,10 @@ def get_admins(self):
             list[dict]: list for success, empty otherwise.
         """
         try:
+            if self.admins_group:
+                ns = self.client.groups.list(search=self.admins_group)
+                return self.get_users(from_namespaces=ns) or []
+
             admins = []
             for user in self.client.users.list(all=True):
                 if user.is_admin:
@@ -107,9 +112,12 @@ def get_admins(self):
             exit(1)
         return []
 
-    def get_users(self):
+    def get_users(self, from_namespaces=None):
         """Returns all users from groups/projects.
 
+        Args:
+          from_namespaces (list): Retrieve users from this namespaces.
+
         e.g. user {
                 'access_level': 'reporter',
                 'email': '[email protected]',
@@ -122,7 +130,8 @@ def get_users(self):
         """
         try:
             users = []
-            for namespace in self.namespaces:
+            namespaces = from_namespaces or self.namespaces
+            for namespace in namespaces:
                 for member in namespace.members.list(all=True):
                     user = self.client.users.get(member.id)
                     users.append(
@@ -487,6 +496,7 @@ def main():
         GITLAB_NAMESPACE_GRANULARITY = environ.get(
             "GITLAB_NAMESPACE_GRANULARITY", "project"
         )
+        GITLAB_ADMINS_GROUP = environ.get("GITLAB_ADMINS_GROUP", None)
 
         KUBERNETES_TIMEOUT = environ.get("KUBERNETES_TIMEOUT", 10)
         KUBERNETES_AUTO_CREATE = eval(
@@ -510,6 +520,7 @@ def main():
                 timeout=GITLAB_TIMEOUT,
                 groups=GITLAB_GROUPS_SEARCH,
                 namespace_granularity=GITLAB_NAMESPACE_GRANULARITY,
+                admins_group=GITLAB_ADMINS_GROUP
             )
             gitlab_helper.connect()