本文整理汇总了Golang中github.com/openshift/origin/pkg/cmd/admin/policy.NewLocalRoleBindingAccessor函数的典型用法代码示例。如果您正苦于以下问题:Golang NewLocalRoleBindingAccessor函数的具体用法?Golang NewLocalRoleBindingAccessor怎么用?Golang NewLocalRoleBindingAccessor使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
示例1: Run
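// Run creates the project named by o.ProjectName and applies its initial role
// bindings: o.AdminUser (when set) is bound to o.AdminRole inside the new
// project, and the bootstrap service-account bindings for the namespace are
// added.
//
// The project must not already exist. That is detected both by the lookup
// before creation and by an AlreadyExists error from the Create itself (a
// concurrent caller can win the race between the two calls); both cases yield
// the same "already exists" error. Role-binding failures do not abort the run:
// each one is printed, collected and returned together as an aggregate, so the
// caller learns that the project exists but is only partially initialized.
func (o *NewProjectOptions) Run(useNodeSelector bool) error {
	// Pre-flight lookup. Only NotFound means the name is free; any other
	// lookup error (e.g. Forbidden) is returned unchanged.
	if _, err := o.Client.Projects().Get(o.ProjectName); err != nil {
		if !kerrors.IsNotFound(err) {
			return err
		}
	} else {
		return fmt.Errorf("project %v already exists", o.ProjectName)
	}

	project := &projectapi.Project{}
	project.Name = o.ProjectName
	project.Annotations = map[string]string{
		projectapi.ProjectDescription: o.Description,
		projectapi.ProjectDisplayName: o.DisplayName,
	}
	if useNodeSelector {
		project.Annotations[projectapi.ProjectNodeSelector] = o.NodeSelector
	}

	project, err := o.Client.Projects().Create(project)
	if err != nil {
		// The lookup above is not atomic with the Create; a concurrent
		// creator surfaces here as AlreadyExists and is reported identically.
		if kerrors.IsAlreadyExists(err) {
			return fmt.Errorf("project %v already exists", o.ProjectName)
		}
		return err
	}
	fmt.Printf("Created project %v\n", o.ProjectName)

	errs := []error{}

	// Optional initial admin: a binding local to the new project, using the
	// role name the caller configured in o.AdminRole.
	if len(o.AdminUser) != 0 {
		adduser := &policy.RoleModificationOptions{
			RoleName:            o.AdminRole,
			RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(project.Name, o.Client),
			Users:               []string{o.AdminUser},
		}
		if err := adduser.AddRole(); err != nil {
			fmt.Printf("%v could not be added to the %v role: %v\n", o.AdminUser, o.AdminRole, err)
			errs = append(errs, err)
		}
	}

	// Bootstrap service-account bindings defined by bootstrappolicy for the
	// new namespace. Each failure is recorded but the remaining bindings are
	// still attempted.
	for _, binding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(o.ProjectName) {
		addRole := &policy.RoleModificationOptions{
			RoleName:            binding.RoleRef.Name,
			RoleNamespace:       binding.RoleRef.Namespace,
			RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(o.ProjectName, o.Client),
			Users:               binding.Users.List(),
			Groups:              binding.Groups.List(),
		}
		if err := addRole.AddRole(); err != nil {
			fmt.Printf("Could not add service accounts to the %v role: %v\n", binding.RoleRef.Name, err)
			errs = append(errs, err)
		}
	}

	return errorsutil.NewAggregate(errs)
}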
示例2: ensureNamespaceServiceAccountRoleBindings
// ensureNamespaceServiceAccountRoleBindings adds the bootstrap service-account
// role bindings (bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings)
// to the given namespace through the master's service-account role-binding
// client, and records completion in the "openshift.io/sa.initialized-roles"
// annotation.
//
// The annotation is the idempotency marker: a namespace already annotated
// "true" is skipped. If any binding fails the marker is not written, so the
// next invocation retries the whole set. A failure to persist the marker after
// all bindings succeeded is only logged; the bindings themselves are in place.
func (c *MasterConfig) ensureNamespaceServiceAccountRoleBindings(namespace *kapi.Namespace) {
	const ServiceAccountRolesInitializedAnnotation = "openshift.io/sa.initialized-roles"

	if namespace.Annotations[ServiceAccountRolesInitializedAnnotation] == "true" {
		return
	}

	failed := false
	for _, binding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(namespace.Name) {
		opts := &policy.RoleModificationOptions{
			RoleName:            binding.RoleRef.Name,
			RoleNamespace:       binding.RoleRef.Namespace,
			RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace.Name, c.ServiceAccountRoleBindingClient()),
			Subjects:            binding.Subjects,
		}
		if err := opts.AddRole(); err != nil {
			glog.Errorf("Could not add service accounts to the %v role in the %q namespace: %v\n", binding.RoleRef.Name, namespace.Name, err)
			failed = true
		}
	}
	if failed {
		// Leave the marker unset so initialization is attempted again later.
		return
	}

	if namespace.Annotations == nil {
		namespace.Annotations = map[string]string{}
	}
	namespace.Annotations[ServiceAccountRolesInitializedAnnotation] = "true"
	if _, err := c.KubeClient().Namespaces().Update(namespace); err != nil {
		glog.Errorf("Error recording adding service account roles to %q namespace: %v", namespace.Name, err)
	}
}
示例3: setupBuildStrategyTest
// setupBuildStrategyTest starts a test master and prepares the fixture used by
// the build-strategy authorization tests: a project owned by "harold" (the
// returned projectAdminClient), a client for "joe" (projectEditorClient) who
// is then granted the edit role in that project by harold, and a
// "builderimage" image stream with a "latest" tag created by the cluster
// admin. It blocks until joe's edit grant is visible to the authorizer for
// creating docker builds. Any failure aborts the calling test.
func setupBuildStrategyTest(t *testing.T) (clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
	fatalOn := func(err error) {
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
	}
	namespace := testutil.Namespace()

	_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
	fatalOn(err)
	clusterAdminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	fatalOn(err)
	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	fatalOn(err)
	projectAdminClient, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
	fatalOn(err)
	projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
	fatalOn(err)

	// harold, as project admin, grants joe the edit role in the project.
	grantJoeEdit := &policy.RoleModificationOptions{
		RoleNamespace:       "",
		RoleName:            bootstrappolicy.EditRoleName,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, projectAdminClient),
		Users:               []string{"joe"},
	}
	fatalOn(grantJoeEdit.AddRole())
	if err := testutil.WaitForPolicyUpdate(projectEditorClient, namespace, "create", authorizationapi.DockerBuildResource, true); err != nil {
		t.Fatalf(err.Error())
	}

	// Builder image stream plus the "latest" tag pointing at a fake image.
	stream := &imageapi.ImageStream{}
	stream.Name = "builderimage"
	if _, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(stream); err != nil {
		t.Fatalf("Couldn't create ImageStream: %v", err)
	}
	mapping := &imageapi.ImageStreamMapping{}
	mapping.Name = "builderimage"
	mapping.Tag = "latest"
	mapping.Image.Name = "image-id"
	mapping.Image.DockerImageReference = "test/builderimage:latest"
	if err := clusterAdminClient.ImageStreamMappings(testutil.Namespace()).Create(mapping); err != nil {
		t.Fatalf("Couldn't create ImageStreamMapping: %v", err)
	}

	return clusterAdminClient, projectAdminClient, projectEditorClient
}
示例4: ensureDefaultNamespaceServiceAccountRoles
// ensureDefaultNamespaceServiceAccountRoles applies the bootstrap
// service-account role bindings to the "default" namespace at master start-up
// and marks completion with the "openshift.io/sa.initialized-roles"
// annotation.
//
// The namespace may not exist yet when this runs, so the lookup is retried
// once per second for up to 30 attempts while it reports NotFound; any other
// lookup error abandons the initialization. The marker is only written once
// every binding has been added, so a failed binding leaves the namespace
// eligible for another attempt. A failure to persist the marker is logged only.
func (c *MasterConfig) ensureDefaultNamespaceServiceAccountRoles() {
	const ServiceAccountRolesInitializedAnnotation = "openshift.io/sa.initialized-roles"

	// Wait (bounded) for the default namespace to appear.
	var defaultNamespace *kapi.Namespace
	for attempt := 0; attempt < 30 && defaultNamespace == nil; attempt++ {
		ns, err := c.KubeClient().Namespaces().Get(kapi.NamespaceDefault)
		switch {
		case err == nil:
			defaultNamespace = ns
		case kapierror.IsNotFound(err):
			time.Sleep(time.Second)
		default:
			glog.Errorf("Error adding service account roles to default namespace: %v", err)
			return
		}
	}
	if defaultNamespace == nil {
		glog.Errorf("Default namespace not found, could not initialize default service account roles")
		return
	}

	if defaultNamespace.Annotations[ServiceAccountRolesInitializedAnnotation] == "true" {
		return
	}

	failed := false
	for _, binding := range bootstrappolicy.GetBootstrapServiceAccountProjectRoleBindings(kapi.NamespaceDefault) {
		opts := &policy.RoleModificationOptions{
			RoleName:            binding.RoleRef.Name,
			RoleNamespace:       binding.RoleRef.Namespace,
			RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(kapi.NamespaceDefault, c.ServiceAccountRoleBindingClient()),
			Users:               binding.Users.List(),
			Groups:              binding.Groups.List(),
		}
		if err := opts.AddRole(); err != nil {
			glog.Errorf("Could not add service accounts to the %v role in the %v namespace: %v\n", binding.RoleRef.Name, kapi.NamespaceDefault, err)
			failed = true
		}
	}
	if failed {
		// Marker stays unset so the next run retries the bindings.
		return
	}

	if defaultNamespace.Annotations == nil {
		defaultNamespace.Annotations = map[string]string{}
	}
	defaultNamespace.Annotations[ServiceAccountRolesInitializedAnnotation] = "true"
	if _, err := c.KubeClient().Namespaces().Update(defaultNamespace); err != nil {
		glog.Errorf("Error recording adding service account roles to default namespace: %v", err)
	}
}
示例5: addClusterRoleToUser
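// addClusterRoleToUser binds roleName to userName. Despite its name and the
// "oadm policy add-cluster-role-to-user" command it is modelled on, the
// binding is created through policy.NewLocalRoleBindingAccessor for the
// factory's default namespace, so the grant is scoped to that namespace rather
// than cluster-wide (policy.NewClusterRoleBindingAccessor is the cluster-scoped
// form). Callers that expect cluster-wide effect should be aware of this.
//
// Returns the error from resolving the default namespace (after logging a
// short notice) or the error from AddRole.
func addClusterRoleToUser(c *oclient.Client, f *cmdutil.Factory, roleName string, userName string) error {
	namespace, _, err := f.DefaultNamespace()
	if err != nil {
		// Previously printed a stray quote ("No namespace!'").
		util.Info("No namespace!\n")
		return err
	}
	options := policy.RoleModificationOptions{
		RoleName:            roleName,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, c),
		Users:               []string{userName},
	}
	return options.AddRole()
}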
示例6: AddRoleToServiceAccount
// AddRoleToServiceAccount adds the service account sa in namespace to the role
// named role via the local role-binding accessor for that namespace. The
// subject is expressed as a ServiceAccount object reference rather than a
// "system:serviceaccount:..." user string. Returns the error from AddRole.
func AddRoleToServiceAccount(osClient client.Interface, role, sa, namespace string) error {
	subject := kapi.ObjectReference{
		Kind:      "ServiceAccount",
		Namespace: namespace,
		Name:      sa,
	}
	opts := policy.RoleModificationOptions{
		RoleName:            role,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, osClient),
		Subjects:            []kapi.ObjectReference{subject},
	}
	return opts.AddRole()
}
示例7: addRoleToE2EServiceAccounts
// addRoleToE2EServiceAccounts grants roleName to the "default" service account
// of every namespace whose name starts with "e2e-" and that is not
// terminating. A failure for one namespace is logged as a warning and the loop
// continues with the next one.
//
// NOTE(review): the callback handed to RetryOnConflict returns nil
// unconditionally (AddRole errors are logged, not returned), so the retry
// wrapper never actually retries; it is kept as-is to preserve behaviour. Any
// error it does surface is therefore unexpected and goes to FatalErr.
func addRoleToE2EServiceAccounts(c *client.Client, namespaces []kapi.Namespace, roleName string) {
	grantAll := func() error {
		for _, ns := range namespaces {
			if !strings.HasPrefix(ns.Name, "e2e-") || ns.Status.Phase == kapi.NamespaceTerminating {
				continue
			}
			subject := fmt.Sprintf("system:serviceaccount:%s:default", ns.Name)
			opts := &policy.RoleModificationOptions{
				RoleNamespace:       "",
				RoleName:            roleName,
				RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(ns.Name, c),
				Users:               []string{subject},
			}
			if err := opts.AddRole(); err != nil {
				e2e.Logf("Warning: Failed to add role to e2e service account: %v", err)
			}
		}
		return nil
	}
	if err := kclient.RetryOnConflict(kclient.DefaultRetry, grantAll); err != nil {
		FatalErr(err)
	}
}
示例8: TestProjectWatch
// TestProjectWatch checks that a project watch opened by an ordinary user
// ("bob") reports the events the test expects as bob's access changes: an ADD
// when a project is created with bob as admin, an ADD/DELETE pair when
// another project's admin ("joe") grants and then revokes bob's edit role, a
// DELETE when bob deletes one of his projects, an ADD replay of the surviving
// project when watching from ResourceVersion "0", and no event at all on a
// fresh watch during a 3 second quiet period.
func TestProjectWatch(t *testing.T) {
	testutil.RequireEtcd(t)
	defer testutil.DumpEtcdOnFailure(t)

	fatalOn := func(err error) {
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
	}

	_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
	fatalOn(err)
	clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	fatalOn(err)
	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	fatalOn(err)
	bobClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "bob")
	fatalOn(err)

	// Open bob's watch before any project exists.
	watcher, err := bobClient.Projects().Watch(kapi.ListOptions{})
	fatalOn(err)

	// A project created with bob as admin arrives as an ADD.
	_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "ns-01", "bob")
	fatalOn(err)
	waitForAdd("ns-01", watcher, t)

	// Access granted and then revoked by a different project's admin.
	joeClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "ns-02", "joe")
	fatalOn(err)
	grantBobEdit := &policy.RoleModificationOptions{
		RoleNamespace:       "",
		RoleName:            bootstrappolicy.EditRoleName,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("ns-02", joeClient),
		Users:               []string{"bob"},
	}
	fatalOn(grantBobEdit.AddRole())
	waitForAdd("ns-02", watcher, t)
	fatalOn(grantBobEdit.RemoveRole())
	waitForDelete("ns-02", watcher, t)

	// Deleting a project bob owns.
	_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "ns-03", "bob")
	fatalOn(err)
	waitForAdd("ns-03", watcher, t)
	fatalOn(bobClient.Projects().Delete("ns-03"))
	waitForDelete("ns-03", watcher, t)

	// Watching from the beginning replays the project bob still has.
	replay, err := bobClient.Projects().Watch(kapi.ListOptions{ResourceVersion: "0"})
	fatalOn(err)
	waitForAdd("ns-01", replay, t)

	// A watch started now must stay silent.
	fresh, err := bobClient.Projects().Watch(kapi.ListOptions{})
	fatalOn(err)
	select {
	case event := <-fresh.ResultChan():
		t.Fatalf("unexpected event %v", event)
	case <-time.After(3 * time.Second):
	}
}
示例9: TestAuthorizationSubjectAccessReview
func TestAuthorizationSubjectAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
dannyClient, _, dannyConfig, err := testutil.GetClientForUser(*clusterAdminClientConfig, "danny")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
addDanny := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("default", clusterAdminClient),
Users: []string{"danny"},
}
if err := addDanny.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
askCanDannyGetProject := &authorizationapi.SubjectAccessReview{
User: "danny",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
}
subjectAccessReviewTest{
description: "cluster admin told danny can get project default",
localInterface: clusterAdminClient.LocalSubjectAccessReviews("default"),
localReview: &authorizationapi.LocalSubjectAccessReview{
User: "danny",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in default",
Namespace: "default",
},
}.run(t)
subjectAccessReviewTest{
description: "cluster admin told danny cannot get projects cluster-wide",
clusterInterface: clusterAdminClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot get projects at the cluster scope`,
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "as danny, can I make cluster subject access reviews",
clusterInterface: dannyClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
err: `User "danny" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
askCanValerieGetProject := &authorizationapi.LocalSubjectAccessReview{
User: "valerie",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
}
subjectAccessReviewTest{
description: "harold told valerie can get project hammer-project",
//.........这里部分代码省略.........
示例10: setupBuildStrategyTest
// setupBuildStrategyTest starts a test master (with controllers when
// includeControllers is true, API only otherwise) and builds the fixture shared
// by the build-strategy tests: a project owned by "harold" (projectAdminClient),
// a client for "joe" (projectEditorClient) who is granted the edit role in that
// project by harold, a "builderimage" image stream tagged "latest", and the
// jenkins-ephemeral example template installed into the "openshift" namespace
// under the name "jenkins". It waits for joe's grant to be visible for creating
// docker builds before returning. Any failure aborts the calling test.
func setupBuildStrategyTest(t *testing.T, includeControllers bool) (clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
	testutil.RequireEtcd(t)
	fatalOn := func(err error) {
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
	}
	namespace := testutil.Namespace()

	var clusterAdminKubeConfig string
	var err error
	if includeControllers {
		_, clusterAdminKubeConfig, err = testserver.StartTestMaster()
	} else {
		_, clusterAdminKubeConfig, err = testserver.StartTestMasterAPI()
	}
	fatalOn(err)

	clusterAdminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	fatalOn(err)
	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	fatalOn(err)
	projectAdminClient, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
	fatalOn(err)
	projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
	fatalOn(err)

	// harold, as project admin, grants joe the edit role in the project.
	grantJoeEdit := &policy.RoleModificationOptions{
		RoleNamespace:       "",
		RoleName:            bootstrappolicy.EditRoleName,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, projectAdminClient),
		Users:               []string{"joe"},
	}
	fatalOn(grantJoeEdit.AddRole())
	if err := testutil.WaitForPolicyUpdate(projectEditorClient, namespace, "create", buildapi.Resource(authorizationapi.DockerBuildResource), true); err != nil {
		t.Fatalf(err.Error())
	}

	// Builder image stream plus the "latest" tag pointing at a fake image.
	stream := &imageapi.ImageStream{}
	stream.Name = "builderimage"
	if _, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(stream); err != nil {
		t.Fatalf("Couldn't create ImageStream: %v", err)
	}
	mapping := &imageapi.ImageStreamMapping{}
	mapping.Name = "builderimage"
	mapping.Tag = "latest"
	mapping.Image.Name = "image-id"
	mapping.Image.DockerImageReference = "test/builderimage:latest"
	if err := clusterAdminClient.ImageStreamMappings(testutil.Namespace()).Create(mapping); err != nil {
		t.Fatalf("Couldn't create ImageStreamMapping: %v", err)
	}

	// The jenkins example template, published as "jenkins" in "openshift".
	template, err := testutil.GetTemplateFixture("../../examples/jenkins/jenkins-ephemeral-template.json")
	fatalOn(err)
	template.Name = "jenkins"
	template.Namespace = "openshift"
	if _, err := clusterAdminClient.Templates("openshift").Create(template); err != nil {
		t.Fatalf("Couldn't create jenkins template: %v", err)
	}

	return clusterAdminClient, projectAdminClient, projectEditorClient
}
示例11: TestAuthorizationResourceAccessReview
func TestAuthorizationResourceAccessReview(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
requestWhoCanViewDeploymentConfigs := &authorizationapi.ResourceAccessReview{
Action: authorizationapi.Action{Verb: "get", Resource: "deploymentconfigs"},
}
localRequestWhoCanViewDeploymentConfigs := &authorizationapi.LocalResourceAccessReview{
Action: authorizationapi.Action{Verb: "get", Resource: "deploymentconfigs"},
}
{
test := localResourceAccessReviewTest{
description: "who can view deploymentconfigs in hammer by harold",
clientInterface: haroldClient.LocalResourceAccessReviews("hammer-project"),
review: localRequestWhoCanViewDeploymentConfigs,
response: authorizationapi.ResourceAccessReviewResponse{
Users: sets.NewString("harold", "valerie"),
Groups: sets.NewString(),
Namespace: "hammer-project",
},
}
test.response.Users.Insert(globalClusterReaderUsers.List()...)
test.response.Groups.Insert(globalClusterReaderGroups.List()...)
test.run(t)
}
{
test := localResourceAccessReviewTest{
description: "who can view deploymentconfigs in mallet by mark",
clientInterface: markClient.LocalResourceAccessReviews("mallet-project"),
review: localRequestWhoCanViewDeploymentConfigs,
response: authorizationapi.ResourceAccessReviewResponse{
Users: sets.NewString("mark", "edgar"),
Groups: sets.NewString(),
Namespace: "mallet-project",
},
}
test.response.Users.Insert(globalClusterReaderUsers.List()...)
test.response.Groups.Insert(globalClusterReaderGroups.List()...)
test.run(t)
}
// mark should not be able to make global access review requests
{
test := resourceAccessReviewTest{
description: "who can view deploymentconfigs in all by mark",
clientInterface: markClient.ResourceAccessReviews(),
review: requestWhoCanViewDeploymentConfigs,
err: "cannot ",
}
test.run(t)
}
// a cluster-admin should be able to make global access review requests
//.........这里部分代码省略.........
示例12: setupBuildStrategyTest
// setupBuildStrategyTest starts a test master (with controllers when
// includeControllers is true, API only otherwise) and builds the fixture shared
// by the build-strategy tests: a project owned by "harold" (projectAdminClient)
// and a client for "joe" (projectEditorClient) who is granted the edit role in
// that project by harold. It waits for joe's grant to be visible for creating
// docker builds, then installs a jenkins template into the "openshift"
// namespace under the name "jenkins-ephemeral". Any failure aborts the calling
// test.
func setupBuildStrategyTest(t *testing.T, includeControllers bool) (clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
	testutil.RequireEtcd(t)
	fatalOn := func(err error) {
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
	}
	namespace := testutil.Namespace()

	var clusterAdminKubeConfig string
	var err error
	if includeControllers {
		_, clusterAdminKubeConfig, err = testserver.StartTestMaster()
	} else {
		_, clusterAdminKubeConfig, err = testserver.StartTestMasterAPI()
	}
	fatalOn(err)

	clusterAdminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	fatalOn(err)
	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	fatalOn(err)
	projectAdminClient, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
	fatalOn(err)
	projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
	fatalOn(err)

	// harold, as project admin, grants joe the edit role in the project.
	grantJoeEdit := &policy.RoleModificationOptions{
		RoleNamespace:       "",
		RoleName:            bootstrappolicy.EditRoleName,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, projectAdminClient),
		Users:               []string{"joe"},
	}
	fatalOn(grantJoeEdit.AddRole())
	if err := testutil.WaitForPolicyUpdate(projectEditorClient, namespace, "create", buildapi.Resource(authorizationapi.DockerBuildResource), true); err != nil {
		t.Fatalf(err.Error())
	}

	// The standard jenkins template creates service accounts and role
	// bindings, which an editor is not allowed to do, so pipeline buildconfigs
	// created by joe would fail with it. The master-slave jenkins-master
	// template only needs to create a service named jenkins, which is enough.
	// Pipeline defaults look for a template named "jenkins-ephemeral" in the
	// "openshift" namespace, so it is published under that name.
	template, err := testutil.GetTemplateFixture("../../examples/jenkins/master-slave/jenkins-master-template.json")
	fatalOn(err)
	template.Name = "jenkins-ephemeral"
	template.Namespace = "openshift"
	if _, err := clusterAdminClient.Templates("openshift").Create(template); err != nil {
		t.Fatalf("Couldn't create jenkins template: %v", err)
	}

	return clusterAdminClient, projectAdminClient, projectEditorClient
}
示例13: TestPolicyBasedRestrictionOfBuildStrategies
// TestPolicyBasedRestrictionOfBuildStrategies verifies that the ability to
// create docker, source and custom builds follows the build-strategy resources
// of the admin and edit cluster roles. With the bootstrap roles intact both the
// project admin ("harold") and an editor ("joe") can create every strategy;
// after removeBuildStrategyPrivileges strips those resources from the edit and
// admin roles, every attempt by either user must be rejected with Forbidden.
func TestPolicyBasedRestrictionOfBuildStrategies(t *testing.T) {
	const namespace = "hammer"

	fatalOn := func(err error) {
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
	}

	_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
	fatalOn(err)
	clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	fatalOn(err)
	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	fatalOn(err)
	haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
	fatalOn(err)
	joeClient, err := testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
	fatalOn(err)

	// harold grants joe the edit role in the project; a failure here is
	// reported but the test still proceeds, as the original did.
	grantJoeEdit := &policy.RoleModificationOptions{
		RoleNamespace:       "",
		RoleName:            bootstrappolicy.EditRoleName,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, haroldClient),
		Users:               []string{"joe"},
	}
	if err := grantJoeEdit.AddRole(); err != nil {
		t.Errorf("unexpected error: %v", err)
	}
	if err := testutil.WaitForPolicyUpdate(joeClient, namespace, "create", authorizationapi.DockerBuildResource, true); err != nil {
		t.Error(err)
	}

	// Every strategy for both the admin and the editor, in the order the
	// assertions are made.
	attempts := []func() error{
		func() error {
			_, err := createDockerBuild(t, haroldClient.Builds(namespace))
			return err
		},
		func() error {
			_, err := createDockerBuild(t, joeClient.Builds(namespace))
			return err
		},
		func() error {
			_, err := createSourceBuild(t, haroldClient.Builds(namespace))
			return err
		},
		func() error {
			_, err := createSourceBuild(t, joeClient.Builds(namespace))
			return err
		},
		func() error {
			_, err := createCustomBuild(t, haroldClient.Builds(namespace))
			return err
		},
		func() error {
			_, err := createCustomBuild(t, joeClient.Builds(namespace))
			return err
		},
	}

	// By default admins and editors can create all types of builds.
	for _, attempt := range attempts {
		if err := attempt(); err != nil {
			t.Errorf("unexpected error: %v", err)
		}
	}

	// Strip the build-strategy resources from both roles and wait until the
	// authorizer reflects the change for each user.
	removeBuildStrategyPrivileges(t, clusterAdminClient.ClusterRoles(), bootstrappolicy.EditRoleName)
	if err := testutil.WaitForPolicyUpdate(joeClient, namespace, "create", authorizationapi.DockerBuildResource, false); err != nil {
		t.Error(err)
	}
	removeBuildStrategyPrivileges(t, clusterAdminClient.ClusterRoles(), bootstrappolicy.AdminRoleName)
	if err := testutil.WaitForPolicyUpdate(haroldClient, namespace, "create", authorizationapi.DockerBuildResource, false); err != nil {
		t.Error(err)
	}

	// Now every attempt must be rejected with Forbidden.
	for _, attempt := range attempts {
		if err := attempt(); !kapierror.IsForbidden(err) {
			t.Errorf("expected forbidden, got %v", err)
		}
	}
}
示例14: InstallMetrics
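// InstallMetrics installs the cluster metrics stack into infraNamespace. The
// metrics service (svcMetrics) is the "already installed" marker: when it
// exists the call returns nil without doing anything else.
//
// A fresh install creates the metrics deployer service account
// (metricsDeployerSA), grants it the "edit" role locally in infraNamespace,
// grants the heapster service account the cluster-wide "cluster-reader" role,
// creates the deployer secret (metricsDeployerSecret) and finally starts the
// deployer pod produced by metricsDeployerPod(hostName, imagePrefix,
// imageVersion).
//
// Because only the service marks completion, an earlier run that failed
// part-way can leave the service account or the secret behind; their creation
// therefore tolerates AlreadyExists so the install can be resumed instead of
// failing on the leftover object. Every other failure is wrapped with the
// origin log for diagnosis.
func (h *Helper) InstallMetrics(f *clientcmd.Factory, hostName, imagePrefix, imageVersion string) error {
	osClient, kubeClient, err := f.Clients()
	if err != nil {
		return errors.NewError("cannot obtain API clients").WithCause(err).WithDetails(h.OriginLog())
	}

	_, err = kubeClient.Services(infraNamespace).Get(svcMetrics)
	if err == nil {
		// Service present: metrics already installed.
		return nil
	}
	if !apierrors.IsNotFound(err) {
		return errors.NewError("error retrieving metrics service").WithCause(err).WithDetails(h.OriginLog())
	}

	// Deployer service account; a leftover from an interrupted install is reused.
	deployerSA := &kapi.ServiceAccount{}
	deployerSA.Name = metricsDeployerSA
	if _, err = kubeClient.ServiceAccounts(infraNamespace).Create(deployerSA); err != nil && !apierrors.IsAlreadyExists(err) {
		return errors.NewError("cannot create metrics deployer service account").WithCause(err).WithDetails(h.OriginLog())
	}

	// Local "edit" binding in infraNamespace for the deployer service account.
	addEditRole := policy.RoleModificationOptions{
		RoleName:            "edit",
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(infraNamespace, osClient),
		Subjects: []kapi.ObjectReference{
			{
				Namespace: infraNamespace,
				Name:      metricsDeployerSA,
				Kind:      "ServiceAccount",
			},
		},
	}
	if err = addEditRole.AddRole(); err != nil {
		return errors.NewError("cannot add edit role to metrics deployer service account").WithCause(err).WithDetails(h.OriginLog())
	}

	// Cluster-wide "cluster-reader" binding for the heapster service account.
	// The subject is a literal user name that hardcodes the "openshift-infra"
	// namespace; it must agree with infraNamespace — TODO confirm the two
	// cannot diverge.
	addClusterReaderRole := policy.RoleModificationOptions{
		RoleName:            "cluster-reader",
		RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(osClient),
		Users:               []string{"system:serviceaccount:openshift-infra:heapster"},
	}
	if err = addClusterReaderRole.AddRole(); err != nil {
		return errors.NewError("cannot add cluster reader role to heapster service account").WithCause(err).WithDetails(h.OriginLog())
	}

	// Placeholder deployer secret; like the service account it may already
	// exist from an earlier attempt.
	deployerSecret := &kapi.Secret{}
	deployerSecret.Name = metricsDeployerSecret
	deployerSecret.Data = map[string][]byte{"nothing": []byte("/dev/null")}
	if _, err = kubeClient.Secrets(infraNamespace).Create(deployerSecret); err != nil && !apierrors.IsAlreadyExists(err) {
		return errors.NewError("cannot create metrics deployer secret").WithCause(err).WithDetails(h.OriginLog())
	}

	// Launch the deployer pod.
	deployerPod := metricsDeployerPod(hostName, imagePrefix, imageVersion)
	if _, err = kubeClient.Pods(infraNamespace).Create(deployerPod); err != nil {
		return errors.NewError("cannot create metrics deployer pod").WithCause(err).WithDetails(h.OriginLog())
	}
	return nil
}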
示例15: TestAuthorizationResourceAccessReview
func TestAuthorizationResourceAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
requestWhoCanViewDeployments := &authorizationapi.ResourceAccessReview{Verb: "get", Resource: "deployments"}
{
test := resourceAccessReviewTest{
clientInterface: haroldClient.ResourceAccessReviews("hammer-project"),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: util.NewStringSet("harold", "valerie"),
Groups: globalClusterAdminGroups,
Namespace: "hammer-project",
},
}
test.response.Users.Insert(globalClusterAdminUsers.List()...)
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
{
test := resourceAccessReviewTest{
clientInterface: markClient.ResourceAccessReviews("mallet-project"),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: util.NewStringSet("mark", "edgar"),
Groups: globalClusterAdminGroups,
Namespace: "mallet-project",
},
}
test.response.Users.Insert(globalClusterAdminUsers.List()...)
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
// mark should not be able to make global access review requests
{
test := resourceAccessReviewTest{
clientInterface: markClient.ClusterResourceAccessReviews(),
review: requestWhoCanViewDeployments,
err: "cannot ",
}
test.run(t)
}
// a cluster-admin should be able to make global access review requests
{
test := resourceAccessReviewTest{
clientInterface: clusterAdminClient.ClusterResourceAccessReviews(),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: globalClusterAdminUsers,
Groups: globalClusterAdminGroups,
},
}
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
//.........这里部分代码省略.........