x/stackube
Code Issues Proposed changes
4dd67bf6ab
stackube/pkg/auth-controller/rbacmanager/rbac/rbac.go
Pengfei Ni 50322401cd Add kube-dns 
Adds kube-dns deployments for each tenant. And also adds loadbalancer
for cluster DNS in each namespace.

Implements: blueprint dns
Change-Id: I2ee00806431cc4a3dfdf4c3c49b54892d4c2c98b
Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
2017-08-04 08:56:27 +08:00

139 lines
3.5 KiB
Go
Raw Blame History

/*
Copyright (c) 2017 OpenStack Foundation.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package rbac
import (
"k8s.io/api/rbac/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func GenerateRoleByNamespace(namespace string) *v1beta1.Role {
policyRule := v1beta1.PolicyRule{
Verbs: []string{v1beta1.VerbAll},
APIGroups: []string{v1beta1.APIGroupAll},
Resources: []string{v1beta1.ResourceAll},
}
role := &v1beta1.Role{
TypeMeta: metav1.TypeMeta{
Kind: "Role",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "default-role",
Namespace: namespace,
},
Rules: []v1beta1.PolicyRule{policyRule},
}
return role
}
func GenerateRoleBinding(namespace, tenant string) *v1beta1.RoleBinding {
subject := v1beta1.Subject{
Kind: "Group",
Name: tenant,
}
roleRef := v1beta1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "Role",
Name: "default-role",
}
roleBinding := &v1beta1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: tenant + "-rolebinding",
Namespace: namespace,
},
Subjects: []v1beta1.Subject{subject},
RoleRef: roleRef,
}
return roleBinding
}
func GenerateServiceAccountRoleBinding(namespace, tenant string) *v1beta1.RoleBinding {
subject := v1beta1.Subject{
Kind: "ServiceAccount",
Name: "default",
Namespace: namespace,
}
roleRef := v1beta1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "Role",
Name: "default-role",
}
roleBinding := &v1beta1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: tenant + "-rolebinding-sa",
Namespace: namespace,
},
Subjects: []v1beta1.Subject{subject},
RoleRef: roleRef,
}
return roleBinding
}
func GenerateClusterRole() *v1beta1.ClusterRole {
policyRule := v1beta1.PolicyRule{
Verbs: []string{v1beta1.VerbAll},
APIGroups: []string{v1beta1.APIGroupAll},
Resources: []string{"namespaces"},
}
clusterRole := &v1beta1.ClusterRole{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterRole",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "namespace-creater",
},
Rules: []v1beta1.PolicyRule{policyRule},
}
return clusterRole
}
func GenerateClusterRoleBindingByTenant(tenant string) *v1beta1.ClusterRoleBinding {
subject := v1beta1.Subject{
Kind: "Group",
Name: tenant,
}
roleRef := v1beta1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "namespace-creater",
}
clusterRoleBinding := &v1beta1.ClusterRoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterRoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: tenant + "-namespace-creater",
},
Subjects: []v1beta1.Subject{subject},
RoleRef: roleRef,
}
return clusterRoleBinding
}
View Git Blame Copy Permalink