-
Notifications
You must be signed in to change notification settings - Fork 0
/
cache.go
116 lines (104 loc) · 2.67 KB
/
cache.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
package main
import (
"context"
"fmt"
"log/slog"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
)
type Cache struct {
client.Reader
authorizer *rbac.RBACAuthorizer
l *slog.Logger
}
func NewCache(ctx context.Context, l *slog.Logger) (*Cache, error) {
cfg := ctrl.GetConfigOrDie()
s := runtime.NewScheme()
if err := corev1.AddToScheme(s); err != nil {
return nil, err
}
if err := rbacv1.AddToScheme(s); err != nil {
return nil, err
}
oo := []client.Object{
&corev1.Namespace{},
&rbacv1.RoleBinding{},
&rbacv1.ClusterRole{},
&rbacv1.ClusterRoleBinding{},
&rbacv1.Role{},
}
c, err := cache.New(cfg, cache.Options{
Scheme: s,
ByObject: map[client.Object]cache.ByObject{
&corev1.Namespace{}: {},
&rbacv1.RoleBinding{}: {},
&rbacv1.ClusterRole{}: {},
&rbacv1.ClusterRoleBinding{}: {},
&rbacv1.Role{}: {},
},
})
if err != nil {
return nil, err
}
for _, o := range oo {
_, err := c.GetInformer(ctx, o)
if err != nil {
return nil, fmt.Errorf("error starting cache: getting informer for %s: %w", o.GetObjectKind().GroupVersionKind().String(), err)
}
}
go func() {
if err := c.Start(ctx); err != nil {
panic(err)
}
}()
if !c.WaitForCacheSync(ctx) {
return nil, fmt.Errorf("error starting the cache")
}
return &Cache{
Reader: c,
authorizer: NewAuthorizer(ctx, c, l),
l: l,
}, nil
}
func (c *Cache) ListNamespaces(ctx context.Context, username string) (*corev1.NamespaceList, error) {
// list role bindings
nn := corev1.NamespaceList{
TypeMeta: metav1.TypeMeta{
Kind: "NamespaceList",
APIVersion: "",
},
}
if err := c.List(ctx, &nn); err != nil {
return nil, err
}
rnn := []corev1.Namespace{}
for _, ns := range nn.Items {
d, _, err := c.authorizer.Authorize(ctx, authorizer.AttributesRecord{
User: &user.DefaultInfo{Name: username},
Verb: "get",
Resource: "namespaces",
APIGroup: "",
APIVersion: "v1",
Name: ns.Name,
Namespace: ns.Name,
ResourceRequest: true,
})
if err != nil {
return nil, err
}
c.l.Info("evaluated user access to namespace", "namespace", ns.Name, "user", username, "decision", d)
if d == authorizer.DecisionAllow {
rnn = append(rnn, ns)
}
}
nn.Items = rnn
return &nn, nil
}