/**
 * Builds the RoleBinding that lets the Entity Operator's ServiceAccount act in a watched namespace.
 *
 * <p>The subject is the Entity Operator ServiceAccount in {@code namespace} (the operator's own
 * namespace). The binding itself is created in {@code watchedNamespace}; because it is a
 * RoleBinding rather than a ClusterRoleBinding, the permissions of the referenced ClusterRole
 * {@code EntityOperator.EO_CLUSTER_ROLE_NAME} apply only inside that namespace.
 * The owner reference ties the binding's lifetime to its owning resource.
 *
 * @param namespace        namespace in which the Entity Operator ServiceAccount lives
 * @param watchedNamespace namespace the binding is created in and scoped to
 * @return the RoleBinding, not yet applied to the cluster
 */
public RoleBinding generateRoleBinding(String namespace, String watchedNamespace) {
    Subject entityOperatorSa = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(EntityOperator.entityOperatorServiceAccountName(cluster))
            .withNamespace(namespace)
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(roleBindingName(cluster))
                .withNamespace(watchedNamespace)
                .withOwnerReferences(createOwnerReference())
                .withLabels(labels.toMap())
            .endMetadata()
            .withNewRoleRef()
                .withName(EntityOperator.EO_CLUSTER_ROLE_NAME)
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
            .endRoleRef()
            .withSubjects(entityOperatorSa)
            .build();
}
/**
 * Builds the RoleBinding granting the Entity Operator ServiceAccount (in {@code namespace})
 * the ClusterRole {@code EntityOperator.EO_CLUSTER_ROLE_NAME}, scoped to {@code watchedNamespace}.
 *
 * <p>A RoleBinding that references a ClusterRole only grants that role within the binding's own
 * namespace, which is why the binding is placed in the watched namespace while the subject
 * stays in the operator's namespace. Owner reference and labels come from the enclosing model.
 *
 * @param namespace        namespace of the Entity Operator ServiceAccount (the subject)
 * @param watchedNamespace namespace the binding lives in, i.e. where the role is effective
 * @return the generated RoleBinding
 */
public RoleBinding generateRoleBinding(String namespace, String watchedNamespace) {
    RoleRef clusterRole = new RoleRefBuilder()
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("ClusterRole")
            .withName(EntityOperator.EO_CLUSTER_ROLE_NAME)
            .build();

    Subject subject = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(EntityOperator.entityOperatorServiceAccountName(cluster))
            .withNamespace(namespace)
            .build();

    RoleBindingBuilder builder = new RoleBindingBuilder();
    builder.withNewMetadata()
            .withName(roleBindingName(cluster))
            .withNamespace(watchedNamespace)
            .withOwnerReferences(createOwnerReference())
            .withLabels(labels.toMap())
            .endMetadata();
    builder.withSubjects(singletonList(subject));
    builder.withRoleRef(clusterRole);
    return builder.build();
}
/**
 * Baseline fixture: ServiceAccount {@code my-service-account} (namespace {@code my-namespace})
 * bound to ClusterRole {@code my-cluster-role} through a namespaced RoleBinding labelled
 * {@code state=new}.
 *
 * @return the "original" RoleBinding the base test starts from
 */
@Override
protected RoleBinding getOriginal() {
    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withNamespace(namespace)
                .withLabels(singletonMap("state", "new"))
            .endMetadata()
            .withNewRoleRef()
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
                .withName("my-cluster-role")
            .endRoleRef()
            .withSubjects(new SubjectBuilder()
                    .withKind("ServiceAccount")
                    .withName("my-service-account")
                    .withNamespace("my-namespace")
                    .build())
            .build();
}
/**
 * Modified fixture: same binding name and namespace as {@link #getOriginal()}, but with a
 * different subject ({@code my-service-account2} in {@code my-namespace2}) and label
 * {@code state=modified}.
 *
 * <p>The roleRef is deliberately identical to the original: Kubernetes treats a binding's
 * roleRef as immutable, so an update may only change subjects and metadata.
 *
 * @return the "modified" RoleBinding the base test updates to
 */
@Override
protected RoleBinding getModified() {
    Subject newSubject = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName("my-service-account2")
            .withNamespace("my-namespace2")
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withNamespace(namespace)
                .withLabels(singletonMap("state", "modified"))
            .endMetadata()
            // unchanged roleRef (immutable on the server side)
            .withNewRoleRef()
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
                .withName("my-cluster-role")
            .endRoleRef()
            .withSubjects(newSubject)
            .build();
}
/**
 * Test resource: ServiceAccount {@code some-service-account} in {@code NAMESPACE} bound to
 * ClusterRole {@code some-role} via a RoleBinding in {@code NAMESPACE} labelled {@code foo=bar}.
 *
 * @return the RoleBinding under test
 */
@Override
protected RoleBinding resource() {
    RoleRef someRole = new RoleRefBuilder()
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("ClusterRole")
            .withName("some-role")
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withNamespace(NAMESPACE)
                .withLabels(singletonMap("foo", "bar"))
            .endMetadata()
            .withSubjects(new SubjectBuilder()
                    .withKind("ServiceAccount")
                    .withName("some-service-account")
                    .withNamespace(NAMESPACE)
                    .build())
            .withRoleRef(someRole)
            .build();
}
/**
 * Baseline fixture: ServiceAccount {@code my-service-account} (namespace {@code my-namespace})
 * bound to ClusterRole {@code my-cluster-role} through a ClusterRoleBinding labelled
 * {@code state=new}. Being cluster-scoped, the binding carries no namespace in its metadata
 * and the role applies in every namespace.
 *
 * @return the "original" ClusterRoleBinding the base test starts from
 */
@Override
protected ClusterRoleBinding getOriginal() {
    return new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withLabels(singletonMap("state", "new"))
            .endMetadata()
            .withNewRoleRef()
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
                .withName("my-cluster-role")
            .endRoleRef()
            .withSubjects(new SubjectBuilder()
                    .withKind("ServiceAccount")
                    .withName("my-service-account")
                    .withNamespace("my-namespace")
                    .build())
            .build();
}
/**
 * Modified fixture: same ClusterRoleBinding name as {@link #getOriginal()} with the subject
 * switched to {@code my-service-account2} in {@code my-namespace2} and label
 * {@code state=modified}.
 *
 * <p>The roleRef is kept identical on purpose — Kubernetes rejects changes to a binding's
 * roleRef, so the update path may only touch subjects and metadata.
 *
 * @return the "modified" ClusterRoleBinding the base test updates to
 */
@Override
protected ClusterRoleBinding getModified() {
    Subject newSubject = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName("my-service-account2")
            .withNamespace("my-namespace2")
            .build();

    return new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withLabels(singletonMap("state", "modified"))
            .endMetadata()
            // unchanged roleRef (immutable on the server side)
            .withNewRoleRef()
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
                .withName("my-cluster-role")
            .endRoleRef()
            .withSubjects(newSubject)
            .build();
}
/**
 * Binds the workspace ServiceAccount to the namespaced Role {@code workspace-view}.
 *
 * <p>Subject and binding share {@code namespace}, so the grant is confined to that namespace.
 * {@code roleRef.apiGroup} is not set here; for v1 bindings the API server defaults it to
 * {@code rbac.authorization.k8s.io} — NOTE(review): confirm if this object is ever consumed
 * by something other than the API server.
 *
 * @return the {@code <serviceAccountName>-view} RoleBinding
 */
private RoleBinding createViewRoleBinding() {
    Subject workspaceSa = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(serviceAccountName)
            .withNamespace(namespace)
            .build();

    RoleRef viewRole = new RoleRefBuilder()
            .withKind("Role")
            .withName("workspace-view")
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(serviceAccountName + "-view")
                .withNamespace(namespace)
            .endMetadata()
            .withRoleRef(viewRole)
            .withSubjects(workspaceSa)
            .build();
}
/**
 * Binds the workspace ServiceAccount to the namespaced Role {@code exec}.
 *
 * <p>Both subject and binding live in {@code namespace}, so whatever {@code exec} allows is
 * limited to that namespace. {@code roleRef.apiGroup} is left unset and relies on API-server
 * defaulting to {@code rbac.authorization.k8s.io} — NOTE(review): confirm for non-API consumers.
 *
 * @return the {@code <serviceAccountName>-exec} RoleBinding
 */
private RoleBinding createExecRoleBinding() {
    Subject workspaceSa = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(serviceAccountName)
            .withNamespace(namespace)
            .build();

    RoleRef execRole = new RoleRefBuilder()
            .withKind("Role")
            .withName("exec")
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(serviceAccountName + "-exec")
                .withNamespace(namespace)
            .endMetadata()
            .withRoleRef(execRole)
            .withSubjects(workspaceSa)
            .build();
}
/**
 * Binds the workspace ServiceAccount to a caller-chosen ClusterRole.
 *
 * <p>Because this is a RoleBinding in {@code namespace}, the ClusterRole's rules take effect only
 * inside that namespace, not cluster-wide. The ClusterRole name is taken as given: whoever
 * supplies {@code clusterRoleName} decides how much the workspace ServiceAccount may do.
 * {@code roleRef.apiGroup} is left to API-server defaulting — NOTE(review): confirm.
 *
 * @param clusterRoleName name of an existing ClusterRole to reference
 * @return the {@code <serviceAccountName>-custom} RoleBinding
 */
private RoleBinding createCustomRoleBinding(String clusterRoleName) {
    Subject workspaceSa = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(serviceAccountName)
            .withNamespace(namespace)
            .build();

    RoleRef customRole = new RoleRefBuilder()
            .withKind("ClusterRole")
            .withName(clusterRoleName)
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(serviceAccountName + "-custom")
                .withNamespace(namespace)
            .endMetadata()
            .withRoleRef(customRole)
            .withSubjects(workspaceSa)
            .build();
}
/**
 * Creates the ClusterRoleBinding which binds the Kafka init-container ServiceAccount to the
 * ClusterRole {@code strimzi-kafka-broker}, which grants the init container access to K8S nodes
 * (necessary for rack-awareness and for discovering node addresses when exposed via NodePort).
 *
 * <p>Node access is cluster-scoped, so the binding is only produced when it is actually needed:
 * a rack is configured or the listener is exposed with NodePort. Otherwise {@code null} is
 * returned and no cluster-wide grant is created.
 *
 * @param assemblyNamespace The namespace the init-container ServiceAccount lives in.
 * @return The cluster role binding, or {@code null} when node access is not required.
 */
public ClusterRoleBinding generateClusterRoleBinding(String assemblyNamespace) {
    boolean needsNodeAccess = rack != null || isExposedWithNodePort();
    if (!needsNodeAccess) {
        return null;
    }

    Subject initContainerSa = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(initContainerServiceAccountName(cluster))
            .withNamespace(assemblyNamespace)
            .build();

    return new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName(initContainerClusterRoleBindingName(namespace, cluster))
                .withOwnerReferences(createOwnerReference())
                .withLabels(labels.toMap())
            .endMetadata()
            .withNewRoleRef()
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
                .withName("strimzi-kafka-broker")
            .endRoleRef()
            .withSubjects(initContainerSa)
            .build();
}
/**
 * Round-trip check: a RoleBinding assembled with the builders must serialise to the same JSON as
 * the checked-in fixture {@code /valid-roleBinding.json} (array order, nulls and extra fields
 * ignored).
 */
@Test
public void kubernetesRoleBuilderTest() throws Exception {
    // given
    final String originalJson = Helper.loadJson("/valid-roleBinding.json");

    // when: user "jane" bound to the namespaced Role "job-reader" in "default"
    Subject jane = new SubjectBuilder()
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("User")
            .withName("jane")
            .withNamespace("default")
            .build();
    RoleRef jobReader = new RoleRefBuilder()
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("Role")
            .withName("job-reader")
            .build();
    RoleBinding kubernetesRoleBinding = new RoleBindingBuilder()
            .withNewMetadata()
                .withName("read-jobs")
                .withNamespace("default")
            .endMetadata()
            .withSubjects(jane)
            .withRoleRef(jobReader)
            .build();
    final String serializedJson = mapper.writeValueAsString(kubernetesRoleBinding);

    // then
    assertThatJson(serializedJson)
            .when(IGNORING_ARRAY_ORDER, TREATING_NULL_AS_ABSENT, IGNORING_EXTRA_FIELDS)
            .isEqualTo(originalJson);
}
/**
 * Creates (or replaces) the cluster-wide {@code read-nodes} binding used by this IT: user
 * {@code jane} bound to ClusterRole {@code node-reader}.
 *
 * <p>The tests are skipped on OpenShift 3.6.0 / 3.6.1. The check is expressed against the
 * Kubernetes version the cluster reports (OpenShift 3.6 ships Kubernetes 1.6). Note that
 * {@code startsWith("6")} would also match a minor version such as "60" — harmless today but
 * worth knowing.
 */
@Before
public void init() {
    boolean isKubernetes16 = client.getVersion().getMajor().equalsIgnoreCase("1")
            && client.getVersion().getMinor().startsWith("6");
    assumeFalse(isKubernetes16);

    Subject jane = new SubjectBuilder()
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("User")
            .withName("jane")
            .withNamespace("default")
            .build();

    clusterRoleBinding = new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName("read-nodes")
            .endMetadata()
            .withSubjects(jane)
            .withNewRoleRef()
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
                .withName("node-reader")
            .endRoleRef()
            .build();

    // cluster-scoped resource: no namespace selector on the operation
    client.rbac().clusterRoleBindings().createOrReplace(clusterRoleBinding);
}
/**
 * Creates (or replaces) the {@code read-jobs} RoleBinding in the session namespace: user
 * {@code jane} bound to the namespaced Role {@code job-reader}. The binding is labelled
 * {@code type=io.fabric8.roleBindingIT} so the IT can find and clean up what it created.
 */
@Before
public void init() {
    currentNamespace = session.getNamespace();

    RoleRef jobReader = new RoleRefBuilder()
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("Role")
            .withName("job-reader")
            .build();

    roleBinding = new RoleBindingBuilder()
            .withNewMetadata()
                .withName("read-jobs")
                .withLabels(Collections.singletonMap("type", "io.fabric8.roleBindingIT"))
            .endMetadata()
            .withSubjects(new SubjectBuilder()
                    .withApiGroup("rbac.authorization.k8s.io")
                    .withKind("User")
                    .withName("jane")
                    .withNamespace("default")
                    .build())
            .withRoleRef(jobReader)
            .build();

    // the binding carries no namespace in its metadata; the namespace comes from the operation
    client.rbac().roleBindings().inNamespace(currentNamespace).createOrReplace(roleBinding);
}
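/**
 * Builds the ClusterRoleBindings that give the {@code strimzi-cluster-operator} ServiceAccount in
 * {@code namespace} cluster-wide access, i.e. the operator is authorised in every namespace /
 * OpenShift project rather than only its own.
 *
 * <p>Each binding pairs a ClusterRole with a ClusterRoleBinding of the same name:
 * {@code strimzi-cluster-operator-namespaced}, {@code strimzi-entity-operator} and
 * {@code strimzi-topic-operator}. All three are cluster-scoped, so the subject receives the
 * union of those roles everywhere.
 *
 * @param namespace the namespace in which the {@code strimzi-cluster-operator} ServiceAccount lives
 * @return a mutable list holding the three bindings, in the order listed above
 */
public static List<ClusterRoleBinding> clusterRoleBindingsForAllNamespaces(String namespace) {
    LOGGER.info("Creating ClusterRoleBinding that grant cluster-wide access to all OpenShift projects");
    String[] roleNames = {
        "strimzi-cluster-operator-namespaced",
        "strimzi-entity-operator",
        "strimzi-topic-operator"
    };
    List<ClusterRoleBinding> kCRBList = new ArrayList<>(roleNames.length);
    for (String roleName : roleNames) {
        kCRBList.add(clusterWideBindingFor(roleName, namespace));
    }
    return kCRBList;
}

/**
 * Binds the {@code strimzi-cluster-operator} ServiceAccount of {@code namespace} to the
 * ClusterRole {@code roleName}; the binding reuses the role name as its own name.
 *
 * @param roleName  name of the ClusterRole being referenced (and of the binding)
 * @param namespace namespace of the operator ServiceAccount
 * @return the cluster-scoped binding
 */
private static ClusterRoleBinding clusterWideBindingFor(String roleName, String namespace) {
    return new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName(roleName)
            .endMetadata()
            .withNewRoleRef()
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
                .withName(roleName)
            .endRoleRef()
            .withSubjects(new SubjectBuilder()
                    .withKind("ServiceAccount")
                    .withName("strimzi-cluster-operator")
                    .withNamespace(namespace)
                    .build())
            .build();
}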
/**
 * Deploys a test AMQ broker into its own namespace and wires up the access the
 * address-space-controller needs to reach it.
 *
 * <p>RBAC is kept minimal: a Role allowing only {@code get} on the single Secret named
 * {@code name}, bound to the {@code address-space-controller} ServiceAccount from the infra
 * namespace. The broker is then exposed on AMQP (5672), AMQPS (5671) and mutual-TLS AMQPS
 * (55671); only the TLS port gets an external endpoint.
 *
 * @param namespace  namespace to create for the broker
 * @param name       broker name, reused for Role, RoleBinding, Secret, Deployment and Service
 * @param user       broker user placed in the Secret / Deployment
 * @param password   broker password placed in the Secret / Deployment
 * @param certBundle certificates placed in the broker Secret
 * @throws Exception if any Kubernetes call fails, the deployment does not become ready, or the
 *                   final settle sleep is interrupted
 */
public static void deployAMQBroker(String namespace, String name, String user, String password, BrokerCertBundle certBundle) throws Exception {
    kube.createNamespace(namespace);

    // Least-privilege Role: "get" on exactly one Secret (resourceNames = name) in this namespace.
    kube.getClient().rbac().roles().inNamespace(namespace).createOrReplace(new RoleBuilder()
            .withNewMetadata()
                .withName(name)
                .withNamespace(namespace)
            .endMetadata()
            .withRules(new PolicyRuleBuilder()
                    .addToApiGroups("")
                    .addToResources("secrets")
                    .addToResourceNames(name)
                    .addToVerbs("get")
                    .build())
            .build());

    // Bind that Role to the controller's ServiceAccount, which lives in the infra namespace.
    Subject controllerSa = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName("address-space-controller")
            .withNamespace(kube.getInfraNamespace())
            .build();
    kube.getClient().rbac().roleBindings().inNamespace(namespace).createOrReplace(new RoleBindingBuilder()
            .withNewMetadata()
                .withName(name)
                .withNamespace(namespace)
            .endMetadata()
            .withNewRoleRef("rbac.authorization.k8s.io", "Role", name)
            .withSubjects(controllerSa)
            .build());

    kube.createSecret(namespace, getBrokerSecret(name, certBundle, user, password));
    kube.createDeploymentFromResource(namespace, getBrokerDeployment(name, user, password), 3, TimeUnit.MINUTES);

    ServicePort amqpPort = new ServicePortBuilder()
            .withName("amqp")
            .withPort(5672)
            .withTargetPort(new IntOrString(5672))
            .build();
    ServicePort tlsPort = new ServicePortBuilder()
            .withName("amqps")
            .withPort(5671)
            .withTargetPort(new IntOrString(5671))
            .build();
    ServicePort mutualTlsPort = new ServicePortBuilder()
            .withName("amqpsmutual")
            .withPort(55671)
            .withTargetPort(new IntOrString(55671))
            .build();

    Service service = getSystemtestsServiceResource(name, name, amqpPort, tlsPort, mutualTlsPort);
    kube.createServiceFromResource(namespace, service);
    // Only the TLS port is reachable from outside the cluster.
    kube.createExternalEndpoint(name, namespace, service, tlsPort);

    kube.getClient()
            .apps().deployments()
            .inNamespace(namespace)
            .withName(name)
            .waitUntilReady(5, TimeUnit.MINUTES);
    // Fixed settle delay after readiness; the source gives no reason for it —
    // NOTE(review): presumably lets the broker finish opening its listeners, confirm.
    Thread.sleep(5000);
}
/**
 * Exercises create / list / update / delete of a ClusterRoleBinding against the test server.
 * The same shape assertions are applied after each step via {@link #assertReadNodesBinding},
 * with the subject name being the only thing the update changes.
 */
@Test
public void crudTest() {
    KubernetesClient client = kubernetesServer.getClient();

    // Fixture: user "jane" bound cluster-wide to ClusterRole "node-reader".
    ClusterRoleBinding kubernetesClusterRoleBinding = new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName("read-nodes")
            .endMetadata()
            .withSubjects(new SubjectBuilder()
                    .withApiGroup("rbac.authorization.k8s.io")
                    .withKind("User")
                    .withName("jane")
                    .withNamespace("default")
                    .build())
            .withNewRoleRef()
                .withApiGroup("rbac.authorization.k8s.io")
                .withKind("ClusterRole")
                .withName("node-reader")
            .endRoleRef()
            .build();

    // create
    kubernetesClusterRoleBinding = client.rbac().clusterRoleBindings().create(kubernetesClusterRoleBinding);
    assertReadNodesBinding(kubernetesClusterRoleBinding, "jane");

    // list
    ClusterRoleBindingList kubernetesClusterRoleBindingList = client.rbac().clusterRoleBindings().list();
    assertNotNull(kubernetesClusterRoleBindingList);
    assertNotNull(kubernetesClusterRoleBindingList.getItems());
    assertEquals(1, kubernetesClusterRoleBindingList.getItems().size());
    assertReadNodesBinding(kubernetesClusterRoleBindingList.getItems().get(0), "jane");

    // update: only the subject name changes; the roleRef must stay as created
    kubernetesClusterRoleBinding = client.rbac().clusterRoleBindings().withName("read-nodes").edit()
            .editSubject(0).withName("jane-new").endSubject().done();
    assertReadNodesBinding(kubernetesClusterRoleBinding, "jane-new");

    // delete: this is a collection-level delete, i.e. every ClusterRoleBinding the client can
    // see, not just "read-nodes". Fine against kubernetesServer (presumably a mock/test server),
    // but it must not be pointed at a shared cluster — NOTE(review): confirm.
    boolean deleted = client.rbac().clusterRoleBindings().delete();
    assertTrue(deleted);
    kubernetesClusterRoleBindingList = client.rbac().clusterRoleBindings().list();
    assertEquals(0, kubernetesClusterRoleBindingList.getItems().size());
}

/**
 * Asserts the full expected shape of the {@code read-nodes} binding: kind/apiVersion, metadata
 * name, a single User subject in {@code default} with the given name, and the
 * {@code node-reader} ClusterRole reference.
 *
 * @param binding             binding returned by the server
 * @param expectedSubjectName expected name of the single subject
 */
private static void assertReadNodesBinding(ClusterRoleBinding binding, String expectedSubjectName) {
    assertNotNull(binding);
    assertEquals("ClusterRoleBinding", binding.getKind());
    assertEquals("rbac.authorization.k8s.io/v1", binding.getApiVersion());
    assertNotNull(binding.getMetadata());
    assertEquals("read-nodes", binding.getMetadata().getName());
    assertNotNull(binding.getSubjects());
    assertEquals(1, binding.getSubjects().size());
    assertEquals("rbac.authorization.k8s.io", binding.getSubjects().get(0).getApiGroup());
    assertEquals("User", binding.getSubjects().get(0).getKind());
    assertEquals(expectedSubjectName, binding.getSubjects().get(0).getName());
    assertEquals("default", binding.getSubjects().get(0).getNamespace());
    assertNotNull(binding.getRoleRef());
    assertEquals("ClusterRole", binding.getRoleRef().getKind());
    assertEquals("node-reader", binding.getRoleRef().getName());
    assertEquals("rbac.authorization.k8s.io", binding.getRoleRef().getApiGroup());
}