workload/plugin/sync: New clusterRoleBinding for the upsynced policy

kcp-dev · Dec 1, 2022 · 6429938 · 6429938
1 parent ce01332
commit 6429938
Showing 1 changed file with 34 additions and 1 deletion.
diff --git a/pkg/cliplugins/workload/plugin/sync.go b/pkg/cliplugins/workload/plugin/sync.go
@@ -52,6 +52,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kube-openapi/pkg/util/sets"
 
+	kube124 "github.com/kcp-dev/kcp/config/rootcompute/kube-1.24"
 	apiresourcev1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apiresource/v1alpha1"
 	apisv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apis/v1alpha1"
 	workloadv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/workload/v1alpha1"
@@ -67,8 +68,9 @@ var embeddedResources embed.FS
 const (
 	SyncerSecretConfigKey   = "kubeconfig"
 	SyncerIDPrefix          = "kcp-syncer-"
+	UpsyncedSuffix          = "-up"
 	DNSIDPrefix             = "kcp-dns-"
-	MaxSyncTargetNameLength = validation.DNS1123SubdomainMaxLength - (9 + len(SyncerIDPrefix))
+	MaxSyncTargetNameLength = validation.DNS1123SubdomainMaxLength - (9 + len(SyncerIDPrefix) + len(UpsyncedSuffix))
 )
 
 // SyncOptions contains options for configuring a SyncTarget and its corresponding syncer.
@@ -606,6 +608,37 @@ func (o *SyncOptions) enableSyncerForWorkspace(ctx context.Context, config *rest
 		return "", "", "", err
 	}
 
+	// Grant the service account the Upsynced permissions
+	upsyncedSyncerID := syncerID + UpsyncedSuffix
+	upsyncedRoleRef := rbacv1.RoleRef{
+		Kind:     "ClusterRole",
+		Name:     kube124.UpsyncedClusterRoleName,
+		APIGroup: "rbac.authorization.k8s.io",
+	}
+	_, err = kubeClient.RbacV1().ClusterRoleBindings().Get(ctx,
+		upsyncedSyncerID,
+		metav1.GetOptions{})
+	if err != nil && !apierrors.IsNotFound(err) {
+		return "", "", "", err
+	}
+	if err == nil {
+		if err := kubeClient.RbacV1().ClusterRoleBindings().Delete(ctx, upsyncedSyncerID, metav1.DeleteOptions{}); err != nil {
+			return "", "", "", err
+		}
+	}
+
+	fmt.Fprintf(o.ErrOut, "Creating or updating cluster role binding %q to bind service account %q to cluster role %q.\n", upsyncedSyncerID, syncerID, kube124.UpsyncedClusterRoleName)
+	if _, err = kubeClient.RbacV1().ClusterRoleBindings().Create(ctx, &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            upsyncedSyncerID,
+			OwnerReferences: syncTargetOwnerReferences,
+		},
+		Subjects: subjects,
+		RoleRef:  upsyncedRoleRef,
+	}, metav1.CreateOptions{}); err != nil && !apierrors.IsAlreadyExists(err) {
+		return "", "", "", err
+	}
+
 	// Wait for the service account to be updated with the name of the token secret
 	tokenSecretName := ""
 	err = wait.PollImmediateWithContext(ctx, 100*time.Millisecond, 20*time.Second, func(ctx context.Context) (bool, error) {