Add support for omitting RBAC rules on organization namespaces (#54)

--------- Signed-off-by: Nicolas Bigler <nicolas.bigler@vshn.ch> Co-authored-by: Simon Gerber <simon.gerber@vshn.ch>
appuio · Feb 23, 2023 · 3677d04 · 3677d04
1 parent b14e457
commit 3677d04
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/controllers/org_rbac_controller.go b/controllers/org_rbac_controller.go
@@ -33,6 +33,10 @@ type OrganizationRBACReconciler struct {
 // In that case the controller will update it to bind to the organization.
 const LabelRoleBindingUninitialized = "appuio.io/uninitialized"
 
+// LabelNamespaceNoRBAC is used to speficy if RBAC rules should be created for a namespace.
+// If not specified it defaults to `admin` privileges on the namespace owned by the organization
+const LabelNamespaceNoRBAC = "appuio.io/no-rbac-creation"
+
 //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 //+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;patch;update
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
@@ -56,6 +60,10 @@ func (r *OrganizationRBACReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, nil
 	}
 
+	if r.skipRBACManagement(ns) {
+		return ctrl.Result{}, nil
+	}
+
 	var errs []error
 	for rb, cr := range r.DefaultClusterRoles {
 		if err := r.putRoleBinding(ctx, ns, rb, cr, org); err != nil {
@@ -64,6 +72,7 @@ func (r *OrganizationRBACReconciler) Reconcile(ctx context.Context, req ctrl.Req
 			errs = append(errs, err)
 		}
 	}
+
 	return ctrl.Result{}, multierr.Combine(errs...)
 }
 
@@ -76,6 +85,16 @@ func (r *OrganizationRBACReconciler) getOrganization(ns corev1.Namespace) string
 	return org
 }
 
+func (r *OrganizationRBACReconciler) skipRBACManagement(ns corev1.Namespace) bool {
+	label := ""
+	nsLabels := ns.Labels
+	if nsLabels != nil {
+		label = nsLabels[LabelNamespaceNoRBAC]
+	}
+	result, err := strconv.ParseBool(label)
+	return err == nil && result
+}
+
 func (r *OrganizationRBACReconciler) putRoleBinding(ctx context.Context, ns corev1.Namespace, name string, clusterRole string, group string) error {
 
 	rb := &rbacv1.RoleBinding{

diff --git a/controllers/org_rbac_controller_test.go b/controllers/org_rbac_controller_test.go
@@ -74,6 +74,30 @@ func TestOrganizationRBACReconciler(t *testing.T) {
 				orgLabel: "",
 			},
 		},
+		"NoAccessOrgNs": {
+			clusterRoles: defaultCRs,
+			namespace:    "buzz",
+			nsLabels: map[string]string{
+				"appuio.io/no-rbac-creation": "true",
+				orgLabel:                     "foo",
+			},
+		},
+		"NoRbacCreationFalseOrgNs_CreateRole": {
+			clusterRoles: defaultCRs,
+			namespace:    "buzz",
+			nsLabels: map[string]string{
+				"appuio.io/no-rbac-creation": "false",
+				orgLabel:                     "foo",
+			},
+
+			expected: []rb{
+				{
+					name:    "admin",
+					roleRef: "admin",
+					groups:  []string{"foo"},
+				},
+			},
+		},
 
 		"OrgNs_CreateRole": {
 			clusterRoles: defaultCRs,