// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License-AGPL.txt in the project root for license information.
package wsmanagermk2
import (
"github.com/gitpod-io/gitpod/installer/pkg/common"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
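// controllerRules lists the namespaced permissions of the ws-manager-mk2
// controller. role() attaches this one list to two Roles: one in the
// installation namespace (ctx.Namespace) and one in
// common.WorkspaceSecretsNamespace.
//
// NOTE(review): because the list is shared, every rule below, including
// create/delete on pods and read access to all secrets, is granted in both
// namespaces. Confirm the workspace-secrets namespace needs more than the
// secrets rule; if it does not, give that Role its own narrower list.
var controllerRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{""},
		Resources: []string{"pods"},
		Verbs: []string{
			"create",
			"delete",
			"get",
			"list",
			"patch",
			"update",
			"watch",
		},
	},
	{
		// The subresource is spelled with the plural resource name. The
		// previous value "pod/status" matches no Kubernetes resource, so the
		// rule granted nothing. If the controller never reads the status
		// subresource directly, drop this rule instead of keeping it.
		APIGroups: []string{""},
		Resources: []string{"pods/status"},
		Verbs:     []string{"get"},
	},
	{
		APIGroups: []string{"workspace.gitpod.io"},
		Resources: []string{"workspaces"},
		Verbs: []string{
			"create",
			"delete",
			"get",
			"list",
			"patch",
			"update",
			"watch",
		},
	},
	{
		APIGroups: []string{"workspace.gitpod.io"},
		Resources: []string{"workspaces/finalizers"},
		Verbs:     []string{"update"},
	},
	{
		APIGroups: []string{"workspace.gitpod.io"},
		Resources: []string{"workspaces/status"},
		Verbs: []string{
			"get",
			"patch",
			"update",
		},
	},
	{
		APIGroups: []string{"workspace.gitpod.io"},
		Resources: []string{"snapshots"},
		Verbs: []string{
			"create",
			"delete",
			"get",
			"list",
			"watch",
		},
	},
	{
		APIGroups: []string{"workspace.gitpod.io"},
		Resources: []string{"snapshots/status"},
		Verbs: []string{
			"get",
		},
	},
	{
		// No resourceNames restriction: the holder of this rule can read,
		// create and delete any Secret in a namespace where it is bound.
		APIGroups: []string{""},
		Resources: []string{"secrets"},
		Verbs: []string{
			"create",
			"delete",
			"get",
			"list",
			"watch",
		},
	},
	{
		APIGroups: []string{""},
		Resources: []string{"configmaps"},
		Verbs: []string{
			"create",
			"delete",
			"get",
			"list",
			"patch",
			"update",
			"watch",
		},
	},
}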
// controllerClusterRules holds the cluster-scoped permissions that role()
// places on the ClusterRole: read-only access (get, list, watch) to nodes.
var controllerClusterRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{""},
		Resources: []string{"nodes"},
		Verbs:     []string{"get", "list", "watch"},
	},
}
// leaderElectionRules grants the access used for leader election: full
// management of coordination.k8s.io Leases, plus create/patch on Events.
// Leader election is also described as needing ConfigMap access; that rule is
// not in this list but in controllerRules. role() adds these rules only to the
// Role in the installation namespace.
var leaderElectionRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{"coordination.k8s.io"},
		Resources: []string{"leases"},
		Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
	},
	{
		APIGroups: []string{""},
		Resources: []string{"events"},
		Verbs:     []string{"create", "patch"},
	},
}
141
142
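// role renders the RBAC permission objects for the ws-manager-mk2 controller.
// All three objects are named Component and carry the component's default
// labels:
//
//   - a Role in ctx.Namespace with controllerRules plus leaderElectionRules,
//   - a Role in common.WorkspaceSecretsNamespace with controllerRules only,
//   - a ClusterRole with controllerClusterRules.
//
// The returned error is always nil.
//
// NOTE(review): the Role in common.WorkspaceSecretsNamespace receives the full
// controllerRules list (pods, workspaces, snapshots, secrets, configmaps).
// Confirm that namespace needs all of it; a dedicated, narrower rule list
// would keep the grant closer to least privilege.
func role(ctx *common.RenderContext) ([]runtime.Object, error) {
	labels := common.DefaultLabels(Component)

	// Copy instead of appending to the package-level slice: append reuses the
	// backing array whenever it has spare capacity, which would let this
	// Role's extra rules be overwritten by any other append on
	// controllerRules.
	installRules := make([]rbacv1.PolicyRule, 0, len(controllerRules)+len(leaderElectionRules))
	installRules = append(installRules, controllerRules...)
	installRules = append(installRules, leaderElectionRules...)

	return []runtime.Object{
		&rbacv1.Role{
			TypeMeta: common.TypeMetaRole,
			ObjectMeta: metav1.ObjectMeta{
				Name:      Component,
				Namespace: ctx.Namespace,
				Labels:    labels,
			},
			Rules: installRules,
		},

		&rbacv1.Role{
			TypeMeta: common.TypeMetaRole,
			ObjectMeta: metav1.ObjectMeta{
				Name:      Component,
				Namespace: common.WorkspaceSecretsNamespace,
				Labels:    labels,
			},
			Rules: controllerRules,
		},

		&rbacv1.ClusterRole{
			TypeMeta: common.TypeMetaClusterRole,
			ObjectMeta: metav1.ObjectMeta{
				Name:   Component,
				Labels: labels,
			},
			Rules: controllerClusterRules,
		},
	}, nil
}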