Posted to commits@camel.apache.org by as...@apache.org on 2021/02/12 16:38:23 UTC
[camel-k] 05/08: chore(rbac): Factorize SelfSubjectAccessReview
request
This is an automated email from the ASF dual-hosted git repository.
astefanutti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 16bcb8c42a83793a8db7f546597da514e343be82
Author: Antonin Stefanutti <an...@stefanutti.fr>
AuthorDate: Thu Feb 11 18:19:33 2021 +0100
chore(rbac): Factorize SelfSubjectAccessReview request
---
pkg/install/openshift.go | 22 ++++------------------
pkg/util/kubernetes/permission.go | 9 +++++----
2 files changed, 9 insertions(+), 22 deletions(-)
diff --git a/pkg/install/openshift.go b/pkg/install/openshift.go
index 285dc10..2f5ade5 100644
--- a/pkg/install/openshift.go
+++ b/pkg/install/openshift.go
@@ -24,7 +24,6 @@ import (
"github.com/Masterminds/semver"
- authorization "k8s.io/api/authorization/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
@@ -68,25 +67,12 @@ func OpenShiftConsoleDownloadLink(ctx context.Context, c client.Client) error {
}
// Check for permission to create the ConsoleCLIDownload resource
- sar := &authorization.SelfSubjectAccessReview{
- Spec: authorization.SelfSubjectAccessReviewSpec{
- ResourceAttributes: &authorization.ResourceAttributes{
- Group: "console.openshift.io",
- Resource: "consoleclidownloads",
- Name: KamelCLIDownloadName,
- Verb: "create",
- },
- },
- }
-
- sar, err = c.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, sar, metav1.CreateOptions{})
+ ok, err = kubernetes.CheckPermission(ctx, c, console.GroupName, "consoleclidownloads", "", KamelCLIDownloadName, "create")
if err != nil {
- if errors.IsForbidden(err) {
- // Let's just skip the ConsoleCLIDownload resource creation
- return nil
- }
return err
- } else if !sar.Status.Allowed {
+ }
+ if !ok {
+ // Let's just skip the ConsoleCLIDownload resource creation
return nil
}
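Review bot: The `!ok` branch returns nil without recording why the ConsoleCLIDownload was skipped. After this refactor it appears to cover both a Forbidden response to the review request and `Status.Allowed == false`, judging by the helper's visible lines. Consider widening the comment to `// Not permitted (or the access review itself was forbidden): skip the ConsoleCLIDownload creation`, and emitting a log line there if a logger is in scope, so a missing console link can be traced back to RBAC. A SelfSubjectAccessReview is only an advisory pre-check, so the create call further down, outside this hunk, should still handle a Forbidden error itself. `ok` and `err` are assigned with `=`, so their declarations also lie outside the hunk.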
diff --git a/pkg/util/kubernetes/permission.go b/pkg/util/kubernetes/permission.go
index fe04923..3208ead 100644
--- a/pkg/util/kubernetes/permission.go
+++ b/pkg/util/kubernetes/permission.go
@@ -19,10 +19,12 @@ package kubernetes
import (
"context"
- "github.com/apache/camel-k/pkg/client"
+
authorizationv1 "k8s.io/api/authorization/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ "github.com/apache/camel-k/pkg/client"
)
// CheckPermission can be used to check if the current user/service-account is allowed to execute a given operation
@@ -49,8 +51,7 @@ func CheckPermission(ctx context.Context, client client.Client, group, resource,
return false, nil
}
return false, err
- } else if !sar.Status.Allowed {
- return false, nil
+ } else {
+ return sar.Status.Allowed, nil
}
- return true, nil
}
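Review bot: The new `} else { return sar.Status.Allowed, nil }` puts the success return in an `else` after a branch that always returns. Drop the `else` and end the function with a plain `return sar.Status.Allowed, nil` at function level, which is the shape Go linters expect. Separately, every non-allowed outcome is now reported as `(false, nil)`, including the early `return false, nil` just above (presumably the Forbidden case) and a review the authorizer could not evaluate (`sar.Status.EvaluationError`). Failing closed is the right default for a permission gate, but the doc comment on CheckPermission should state it, e.g. `// A forbidden or not-allowed review is reported as (false, nil); only other API errors are returned.` The start of the function is outside the hunk.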