From 11168fa54ad6f9451f1ea911885f09b9497a7585 Mon Sep 17 00:00:00 2001
From: Rokibul Hasan
Date: Mon, 12 Aug 2024 18:47:49 +0600
Subject: [PATCH] Extract serviceaccount name and namespace from account.spec.username
Signed-off-by: Rokibul Hasan
---
 .../authentication/account_controller.go | 25 +++++++++++++++----
 pkg/utils/util.go | 17 +++++++++++++
 2 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/pkg/manager/controller/authentication/account_controller.go b/pkg/manager/controller/authentication/account_controller.go
index 574133b7..99b7c9d3 100644
--- a/pkg/manager/controller/authentication/account_controller.go
+++ b/pkg/manager/controller/authentication/account_controller.go
@@ -23,6 +23,7 @@ import (
 authenticationv1alpha1 "github.com/kluster-manager/cluster-auth/apis/authentication/v1alpha1"
 "github.com/kluster-manager/cluster-auth/pkg/common"
+ "github.com/kluster-manager/cluster-auth/pkg/utils"
 core "k8s.io/api/core/v1"
 rbac "k8s.io/api/rbac/v1"
@@ -138,12 +139,21 @@ func (r *AccountReconciler) createGatewayClusterRoleBindingForUser(ctx context.C
 }
 if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
+ name, err := utils.ExtractServiceAccountName(acc.Spec.Username)
+ if err != nil {
+ return err
+ }
+ namespace, err := utils.ExtractServiceAccountNamespace(acc.Spec.Username)
+ if err != nil {
+ return err
+ }
+
 sub = []rbac.Subject{
 {
 APIGroup: "",
 Kind: "ServiceAccount",
- Name: acc.Name,
- Namespace: common.AddonAgentInstallNamespace,
+ Name: name,
+ Namespace: namespace,
 },
 }
 }
@@ -164,7 +174,7 @@ func (r *AccountReconciler) createGatewayClusterRoleBindingForUser(ctx context.C
 }
 if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
- crb.Name = fmt.Sprintf("ace.%s.proxy", acc.Spec.Username)
+ crb.Name = fmt.Sprintf("ace.%s.proxy", acc.Name)
 }
 _, err := cu.CreateOrPatch(ctx, r.Client, &crb, func(obj client.Object, createOp bool) client.Object {
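Review bot: The subject's Namespace is now taken from acc.Spec.Username, but the gate on the line above the new code is `strings.Contains`, so a username that merely contains common.ServiceAccountPrefix somewhere in the middle still enters the branch, and the 4-field split in utils.ExtractServiceAccountNamespace then returns whatever sits in the third field. Before this change the subject was pinned to common.AddonAgentInstallNamespace; now any namespace written into the spec becomes the binding target, so the guard should at least be `if strings.HasPrefix(acc.Spec.Username, common.ServiceAccountPrefix) {` here and in the impersonate hunk of createClusterRoleAndClusterRoleBindingToImpersonate, assuming ServiceAccountPrefix is the leading `system:serviceaccount:` marker. Whether an Account author may name an arbitrary namespace is not answered by the commit message; if not, the extracted namespace needs to be checked against what the controller is allowed to bind before the ClusterRoleBinding is created. The enclosing function starts before the hunk.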
@@ -199,9 +209,14 @@ func (r *AccountReconciler) createClusterRoleAndClusterRoleBindingToImpersonate(
 }
 if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
+ name, err := utils.ExtractServiceAccountName(acc.Spec.Username)
+ if err != nil {
+ return err
+ }
+
 cr = rbac.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{
- Name: fmt.Sprintf("ace.%s.impersonate", acc.Spec.Username),
+ Name: fmt.Sprintf("ace.%s.impersonate", acc.Name),
 OwnerReferences: []metav1.OwnerReference{
 *metav1.NewControllerRef(acc, authenticationv1alpha1.GroupVersion.WithKind("Account")),
 },
@@ -211,7 +226,7 @@ func (r *AccountReconciler) createClusterRoleAndClusterRoleBindingToImpersonate(
 APIGroups: []string{""},
 Resources: []string{"serviceaccounts"},
 Verbs: []string{"impersonate"},
- ResourceNames: []string{acc.Name},
+ ResourceNames: []string{name},
 },
 },
 }
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index 2d347204..ae7a3232 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -17,6 +17,7 @@ limitations under the License.
 package utils
 import (
+ "errors"
 "strings"
 authorizationv1alpha1 "github.com/kluster-manager/cluster-auth/apis/authorization/v1alpha1"
@@ -40,3 +41,19 @@ func ReplaceColonWithHyphen(input string) string {
 parts := strings.Split(input, ":")
 return strings.Join(parts, "-")
 }
+
+func ExtractServiceAccountName(name string) (string, error) {
+ parts := strings.Split(name, ":")
+ if len(parts) == 4 {
+ return parts[3], nil
+ }
+ return "", errors.New("account username is invalid")
+}
+
+func ExtractServiceAccountNamespace(name string) (string, error) {
+ parts := strings.Split(name, ":")
+ if len(parts) == 4 {
+ return parts[2], nil
+ }
+ return "", errors.New("account username is invalid")
+}
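Review bot: `ResourceNames: []string{name}` keeps only the service-account name parsed from acc.Spec.Username and drops the namespace, and because resourceNames in a ClusterRole is not namespace-scoped the impersonate rule matches a ServiceAccount of that name in every namespace, not only the one encoded in the username (the Namespace helper is never called in this function). If the intent is to allow impersonating exactly that one account, the rule has to live in a namespaced Role in the extracted namespace, or the caller must knowingly accept the cluster-wide grant; either way a comment stating which one applies would help the next reader, e.g. `// NOTE: resourceNames on a ClusterRole matches this SA name in every namespace.` The enclosing function starts before the hunk and continues past it.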