Posted to commits@camel.apache.org by as...@apache.org on 2021/02/12 16:38:23 UTC

[camel-k] 05/08: chore(rbac): Factorize SelfSubjectAccessReview request

This is an automated email from the ASF dual-hosted git repository.

astefanutti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit 16bcb8c42a83793a8db7f546597da514e343be82
Author: Antonin Stefanutti <an...@stefanutti.fr>
AuthorDate: Thu Feb 11 18:19:33 2021 +0100

    chore(rbac): Factorize SelfSubjectAccessReview request
---
 pkg/install/openshift.go          | 22 ++++------------------
 pkg/util/kubernetes/permission.go |  9 +++++----
 2 files changed, 9 insertions(+), 22 deletions(-)

diff --git a/pkg/install/openshift.go b/pkg/install/openshift.go
index 285dc10..2f5ade5 100644
--- a/pkg/install/openshift.go
+++ b/pkg/install/openshift.go
@@ -24,7 +24,6 @@ import (
 
 	"github.com/Masterminds/semver"
 
-	authorization "k8s.io/api/authorization/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -68,25 +67,12 @@ func OpenShiftConsoleDownloadLink(ctx context.Context, c client.Client) error {
 	}
 
 	// Check for permission to create the ConsoleCLIDownload resource
-	sar := &authorization.SelfSubjectAccessReview{
-		Spec: authorization.SelfSubjectAccessReviewSpec{
-			ResourceAttributes: &authorization.ResourceAttributes{
-				Group:    "console.openshift.io",
-				Resource: "consoleclidownloads",
-				Name:     KamelCLIDownloadName,
-				Verb:     "create",
-			},
-		},
-	}
-
-	sar, err = c.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, sar, metav1.CreateOptions{})
+	ok, err = kubernetes.CheckPermission(ctx, c, console.GroupName, "consoleclidownloads", "", KamelCLIDownloadName, "create")
 	if err != nil {
-		if errors.IsForbidden(err) {
-			// Let's just skip the ConsoleCLIDownload resource creation
-			return nil
-		}
 		return err
-	} else if !sar.Status.Allowed {
+	}
+	if !ok {
+		// Let's just skip the ConsoleCLIDownload resource creation
 		return nil
 	}
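Review bot: The permission pre-check added here is advisory only, so the ConsoleCLIDownload creation later in OpenShiftConsoleDownloadLink (outside this hunk) should still tolerate a Forbidden response rather than rely on `ok`. Kubernetes RBAC cannot restrict `create` by resource name, so a review that passes `KamelCLIDownloadName` with the verb `create` may not match what the API server decides for the real request. Consider passing an empty name for this verb. The `!ok` branch also returns nil silently, so a log line there would let an operator see why the download link was not installed.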
 
diff --git a/pkg/util/kubernetes/permission.go b/pkg/util/kubernetes/permission.go
index fe04923..3208ead 100644
--- a/pkg/util/kubernetes/permission.go
+++ b/pkg/util/kubernetes/permission.go
@@ -19,10 +19,12 @@ package kubernetes
 
 import (
 	"context"
-	"github.com/apache/camel-k/pkg/client"
+
 	authorizationv1 "k8s.io/api/authorization/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/apache/camel-k/pkg/client"
 )
 
 // CheckPermission can be used to check if the current user/service-account is allowed to execute a given operation
@@ -49,8 +51,7 @@ func CheckPermission(ctx context.Context, client client.Client, group, resource,
 			return false, nil
 		}
 		return false, err
-	} else if !sar.Status.Allowed {
-		return false, nil
+	} else {
+		return sar.Status.Allowed, nil
 	}
-	return true, nil
 }
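Review bot: The new `} else { return sar.Status.Allowed, nil }` is an `else` after a branch that always returns, which Go linters flag. Drop the `else` and put `return sar.Status.Allowed, nil` at function level after the error block. The start of CheckPermission is outside this hunk, so this assumes the visible `if` is the error check on the SelfSubjectAccessReview create call. The doc comment should also say that the inner `return false, nil` path (apparently the Forbidden case) reports "not allowed" with no error, since OpenShiftConsoleDownloadLink now depends on that to skip quietly.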