From 9d0a7a78c1f22830e3d440f550d45af78d515f4c Mon Sep 17 00:00:00 2001
From: Dario Tranchitella
Date: Sat, 12 Sep 2020 12:14:52 +0200
Subject: [PATCH] Making CR/CRB names conforming to Kubernetes naming requirements (#91)
---
 README.md | 5 +----
 contributing.md | 4 ++--
 controllers/rbac/const.go | 4 ++--
 controllers/tenant_controller.go | 2 +-
 e2e/suite_test.go | 2 +-
 e2e/utils_test.go | 3 ++-
 use_cases.md | 12 ++++++------
 7 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index f260009c..d2713a04 100644
--- a/README.md
+++ b/README.md
@@ -61,7 +61,7 @@ make deploy
 Log verbosity of the Capsule controller can be increased by passing the `--zap-log-level` option with a value from `1` to `10` or the [basic keywords](https://godoc.org/go.uber.org/zap/zapcore#Level) although it is suggested to use the `--zap-devel` flag to get also stack traces.
-During startup Capsule controller will create additional ClusterRoles `capsule-namespace:deleter`, `capsule-namespace:provisioner` and ClusterRoleBinding `capsule-namespace:provisioner`. These resources are used in order to allow Capsule users to manage their namespaces in tenants.
+During startup Capsule controller will create additional ClusterRoles `capsule-namespace-deleter`, `capsule-namespace-provisioner` and ClusterRoleBinding `capsule-namespace-provisioner`. These resources are used in order to allow Capsule users to manage their namespaces in tenants.
 You can disallow users to create namespaces matching a particular regexp by passing `--protected-namespace-regex` option with a value of regular expression. 
@@ -125,12 +125,9 @@ make remove
 # /usr/local/bin/kustomize build config/default | kubectl delete -f -
 # namespace "capsule-system" deleted
 # customresourcedefinition.apiextensions.k8s.io "tenants.capsule.clastix.io" deleted
-# clusterrole.rbac.authorization.k8s.io "capsule-namespace:deleter" deleted
-# clusterrole.rbac.authorization.k8s.io "capsule-namespace:provisioner" deleted
 # clusterrole.rbac.authorization.k8s.io "capsule-proxy-role" deleted
 # clusterrole.rbac.authorization.k8s.io "capsule-metrics-reader" deleted
 # clusterrolebinding.rbac.authorization.k8s.io "capsule-manager-rolebinding" deleted
-# clusterrolebinding.rbac.authorization.k8s.io "capsule-namespace:provisioner" deleted
 # clusterrolebinding.rbac.authorization.k8s.io "capsule-proxy-rolebinding" deleted
 # secret "capsule-ca" deleted
 # secret "capsule-tls" deleted
diff --git a/contributing.md b/contributing.md
index c9fc5358..57a4b99c 100644
--- a/contributing.md
+++ b/contributing.md
@@ -155,9 +155,9 @@ You can check if Capsule is running tailing the logs:
 ```
 # kubectl -n capsule-system logs --all-containers -f -l control-plane=controller-manager
 ...
-2020-08-03T15:37:44.031Z INFO controllers.Tenant Role Binding sync result: unchanged {"Request.Name": "oil", "name": "namespace:deleter", "namespace": "oil-dev"}
+2020-08-03T15:37:44.031Z INFO controllers.Tenant Role Binding sync result: unchanged {"Request.Name": "oil", "name": "namespace-deleter", "namespace": "oil-dev"}
 2020-08-03T15:37:44.032Z INFO controllers.Tenant Role Binding sync result: unchanged {"Request.Name": "oil", "name": "namespace:admin", "namespace": "oil-production"}
-2020-08-03T15:37:44.032Z INFO controllers.Tenant Role Binding sync result: unchanged {"Request.Name": "oil", "name": "namespace:deleter", "namespace": "oil-production"}
+2020-08-03T15:37:44.032Z INFO controllers.Tenant Role Binding sync result: unchanged {"Request.Name": "oil", "name": "namespace-deleter", "namespace": "oil-production"}
 2020-08-03T15:37:44.032Z INFO controllers.Tenant Tenant reconciling completed {"Request.Name": "oil"}
 2020-08-03T15:37:44.032Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "tenant", "request": "/oil"}
 2020-08-03T15:37:46.945Z INFO controllers.Namespace Reconciling Namespace {"Request.Name": "oil-staging"}
diff --git a/controllers/rbac/const.go b/controllers/rbac/const.go
index 6c02fc29..ccda5d3c 100644
--- a/controllers/rbac/const.go
+++ b/controllers/rbac/const.go
@@ -22,8 +22,8 @@ import (
 )
 const (
- ProvisionerRoleName = "capsule-namespace:provisioner"
- DeleterRoleName = "capsule-namespace:deleter"
+ ProvisionerRoleName = "capsule-namespace-provisioner"
+ DeleterRoleName = "capsule-namespace-deleter"
 )
 var (
diff --git a/controllers/tenant_controller.go b/controllers/tenant_controller.go
index 9a764f47..664979c4 100644
--- a/controllers/tenant_controller.go
+++ b/controllers/tenant_controller.go
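Review bot: Changing the values of `ProvisionerRoleName` and `DeleterRoleName` does not remove the ClusterRoles and ClusterRoleBinding that earlier controller versions created under `capsule-namespace:provisioner` and `capsule-namespace:deleter`; the README hunk says the controller creates these objects at startup, so an upgraded cluster ends up with both the new names and the old colon-named ClusterRoleBinding, which presumably still grants namespace provisioning to the Capsule group until someone deletes it by hand. Neither this hunk nor the README hunk that drops the old names from the `make remove` output mentions that cleanup, so an upgrade note or a startup step that deletes the colon-named objects is worth adding. The exported constants also carry no doc comments; `// ProvisionerRoleName names the ClusterRole and ClusterRoleBinding Capsule creates at startup for namespace provisioning.` and a matching line for `DeleterRoleName` would make clear that renaming them changes cluster RBAC objects rather than a display string. The `const` block is fully visible, but the `var` block that follows it continues outside the hunk.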
@@ -531,7 +531,7 @@ func (r *TenantReconciler) ownerRoleBinding(tenant *capsulev1alpha1.Tenant) erro
 Kind: "ClusterRole",
 Name: "admin",
 }
- rbl[types.NamespacedName{Namespace: i, Name: "namespace:deleter"}] = rbacv1.RoleRef{
+ rbl[types.NamespacedName{Namespace: i, Name: "namespace-deleter"}] = rbacv1.RoleRef{
 APIGroup: "rbac.authorization.k8s.io",
 Kind: "ClusterRole",
 Name: rbac.DeleterRoleName,
diff --git a/e2e/suite_test.go b/e2e/suite_test.go
index 46dc4017..8841475c 100644
--- a/e2e/suite_test.go
+++ b/e2e/suite_test.go
@@ -48,7 +48,7 @@ var (
 k8sClient client.Client
 testEnv *envtest.Environment
 defaulManagerPodArgs []string
- tenantRoleBindingNames = []string{"namespace:admin", "namespace:deleter"}
+ tenantRoleBindingNames = []string{"namespace:admin", "namespace-deleter"}
 )
 const (
diff --git a/e2e/utils_test.go b/e2e/utils_test.go
index 37313c3a..6670e65c 100644
--- a/e2e/utils_test.go
+++ b/e2e/utils_test.go
@@ -31,6 +31,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "github.com/clastix/capsule/api/v1alpha1"
+ "github.com/clastix/capsule/controllers/rbac"
 )
 const (
@@ -74,7 +75,7 @@ func CapsuleClusterGroupParamShouldBeUpdated(capsuleClusterGroup string, timeout
 capsuleCRB := &rbacv1.ClusterRoleBinding{}
 Eventually(func() string {
- Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "capsule-namespace:provisioner"}, capsuleCRB)).Should(Succeed())
+ Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: rbac.ProvisionerRoleName}, capsuleCRB)).Should(Succeed())
 return capsuleCRB.Subjects[0].Name
 }, timeout, defaultPollInterval).Should(BeIdenticalTo(capsuleClusterGroup))
diff --git a/use_cases.md b/use_cases.md
index 485d6f1d..b8cc045a 100644
--- a/use_cases.md
+++ b/use_cases.md
@@ -156,7 +156,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 labels:
- name: namespace:provisioner
+ name: namespace-provisioner
 rules:
 - apiGroups: [""]
 resources: ["namespaces"] 
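Review bot: The RoleBinding name `namespace-deleter` is a bare string literal in the `rbl[...]` key here and again in `tenantRoleBindingNames` in the e2e/suite_test.go hunk, while the ClusterRole it references already comes from `rbac.DeleterRoleName`; the next rename would have to find both copies, so a constant next to `DeleterRoleName` in the rbac package (for example `DeleterRoleBindingName = "namespace-deleter"`) used in both places would keep the controller and the e2e expectation from drifting apart, the way the e2e/utils_test.go hunk already does for `rbac.ProvisionerRoleName`. On the same e2e line `namespace:admin` keeps the colon that this commit removes from `namespace:deleter`; if the colon is what the naming requirement rejects, that binding has the same problem, and if it is accepted, a short comment on why only the deleter binding was renamed would help the next reader. `ownerRoleBinding` starts and ends outside the hunk.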
@@ -165,13 +165,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: namespace:provisioner
+ name: namespace-provisioner
 subjects:
 - kind: Group
 name: capsule.clastix.io
 roleRef:
 kind: ClusterRole
- name: namespace:provisioner
+ name: namespace-provisioner
 apiGroup: rbac.authorization.k8s.io
 ```
@@ -250,14 +250,14 @@ roleRef:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: namespace:deleter
+ name: namespace-deleter
 namespace: oil-production
 subjects:
 - kind: User
 name: alice
 roleRef:
 kind: ClusterRole
- name: namespace:deleter
+ name: namespace-deleter
 apiGroup: rbac.authorization.k8s.io
 ```
@@ -293,7 +293,7 @@ Alice is the admin of the namespace:
 alice@caas# kubectl get rolebindings -n oil-production
 NAME ROLE AGE
 namespace:admin ClusterRole/admin 9m5s
-namespace:deleter ClusterRole/admin 9m5s
+namespace-deleter ClusterRole/admin 9m5s
 ```
 The said Role Binding resources are automatically created by Capsule when Alice creates a namespace in the tenant.