feat: check sa before start a job (minio#2024)

* check sa before start a job check sa before start a job * import * apply suggestion --------- Co-authored-by: guozhi.li <guozhi.li@daocloud.io>
jiuker · Mar 8, 2024 · baccdf6 · baccdf6
1 parent 306afd6
commit baccdf6
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/pkg/controller/job-controller.go b/pkg/controller/job-controller.go
@@ -11,6 +11,7 @@ import (
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/operator/pkg/apis/job.min.io/v1alpha1"
 	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
+	stsv1alpha1 "github.com/minio/operator/pkg/apis/sts.min.io/v1alpha1"
 	clientset "github.com/minio/operator/pkg/client/clientset/versioned"
 	jobinformers "github.com/minio/operator/pkg/client/informers/externalversions/job.min.io/v1alpha1"
 	joblisters "github.com/minio/operator/pkg/client/listers/job.min.io/v1alpha1"
@@ -179,7 +180,24 @@ func (c *JobController) SyncHandler(key string) (Result, error) {
 	if tenant.Status.HealthStatus != miniov2.HealthStatusGreen {
 		return WrapResult(Result{RequeueAfter: time.Second * 5}, nil)
 	}
-	fmt.Println("will do somthing next")
+	// check sa
+	pbs := &stsv1alpha1.PolicyBindingList{}
+	err = c.k8sClient.List(ctx, pbs, client.InNamespace(namespace))
+	if err != nil {
+		return WrapResult(Result{}, err)
+	}
+	if len(pbs.Items) == 0 {
+		return WrapResult(Result{}, fmt.Errorf("no policybinding found"))
+	}
+	saFound := false
+	for _, pb := range pbs.Items {
+		if pb.Spec.Application.Namespace == namespace && pb.Spec.Application.ServiceAccount == jobCR.Spec.ServiceAccountName {
+			saFound = true
+		}
+	}
+	if !saFound {
+		return WrapResult(Result{}, fmt.Errorf("no serviceaccount found"))
+	}
 	// Loop through the different supported operations.
 	for _, val := range jobCR.Spec.Commands {
 		operation := val.Operation