WIP

Author: Weeblin

pkg/permissions/generate.go

@@ -73,3 +73,39 @@ func GenerateRoles(dataGatherer []agent.DataGatherer) []rbac.ClusterRole {
 	}
 	return out
 }
+
+// func SelectNamespace(all, include, exclude) selected {
+
+// }
+
+func GenerateBindings(clusterRoles []rbac.ClusterRole) []rbac.ClusterRoleBinding {
+	out := []rbac.ClusterRoleBinding{}
+	for _, cr := range clusterRoles {
+		out = append(out, rbac.ClusterRoleBinding{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "ClusterRoleBinding",
+				APIVersion: "rbac.authorization.k8s.io/v1",
+			},
+
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("jetstack-secure-agent-%s-reader", cr.TypeMeta.Kind),
+			},
+
+			Subjects: []rbac.Subject{
+				{
+					Kind:      "ServiceAccount",
+					Name:      "agent",
+					Namespace: "jetstack-secure",
+				},
+			},
+
+			RoleRef: rbac.RoleRef{
+				Kind:     "ClusterRole",
+				Name:     cr.ObjectMeta.Name,
+				APIGroup: "rbac.authorization.k8s.io",
+			},
+		})
+
+	}
+	return out
+}

pkg/permissions/generate_test.go

@@ -15,23 +15,14 @@ func TestGenerateRBAC(t *testing.T) {
 	// Use these test cases to check if Generate function is correct
 	testCases := []struct {
 		// expectedClusterRoles is the collection of ClusterRole
-		expectedClusterRoles []rbac.ClusterRole
-		dataGatherers        []agent.DataGatherer
-		description          string
+		expectedClusterRoleBindings []rbac.ClusterRoleBinding
+		dataGatherers               []agent.DataGatherer
+		description                 string
 	}{
 		{
 			description: "Generate RBAC struct for pods datagatherer",
 			dataGatherers: []agent.DataGatherer{
-				{
-					Name: "k8s/pods",
-					Kind: "k8s-dynamic",
-					Config: &k8s.ConfigDynamic{
-						GroupVersionResource: schema.GroupVersionResource{
-							Version:  "v1",
-							Resource: "pods",
-						},
-					},
-				},
+
 				{
 					Name: "k8s/secrets",
 					Kind: "k8s-dynamic",
@@ -42,65 +33,31 @@ func TestGenerateRBAC(t *testing.T) {
 						},
 					},
 				},
-				{
-					Name: "k8s/awspcaissuer",
-					Kind: "k8s-dynamic",
-					Config: &k8s.ConfigDynamic{
-						GroupVersionResource: schema.GroupVersionResource{
-							Group:    "awspca.cert-manager.io",
-							Version:  "v1",
-							Resource: "awspcaissuers",
-						},
-					},
-				},
 			},
-			expectedClusterRoles: []rbac.ClusterRole{
-				{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRole",
-						APIVersion: "rbac.authorization.k8s.io/v1",
-					},
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-pods-reader",
-					},
-					Rules: []rbac.PolicyRule{
-						{
-							Verbs:     []string{"get", "list", "watch"},
-							APIGroups: []string{""},
-							Resources: []string{"pods"},
-						},
-					},
-				},
+			expectedClusterRoleBindings: []rbac.ClusterRoleBinding{
+
 				{
 					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRole",
+						Kind:       "ClusterRoleBinding",
 						APIVersion: "rbac.authorization.k8s.io/v1",
 					},
+
 					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-secrets-reader",
+						Name: "jetstack-secure-agent-ClusterRole-reader",
 					},
-					Rules: []rbac.PolicyRule{
+
+					Subjects: []rbac.Subject{
 						{
-							Verbs:     []string{"get", "list", "watch"},
-							APIGroups: []string{""},
-							Resources: []string{"secrets"},
+							Kind:      "ServiceAccount",
+							Name:      "agent",
+							Namespace: "jetstack-secure",
 						},
 					},
-				},
-				{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRole",
-						APIVersion: "rbac.authorization.k8s.io/v1",
-					},
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-awspcaissuers-reader",
-					},
-					Rules: []rbac.PolicyRule{
-						{
-							Verbs:     []string{"get", "list", "watch"},
-							APIGroups: []string{"awspca.cert-manager.io"},
-							Resources: []string{"awspcaissuers"},
-						},
+
+					RoleRef: rbac.RoleRef{
+						Kind:     "ClusterRole",
+						Name:     "jetstack-secure-agent-secret-reader",
+						APIGroup: "rbac.authorization.k8s.io",
 					},
 				},
 			},
@@ -110,9 +67,10 @@ func TestGenerateRBAC(t *testing.T) {
 
 	for _, input := range testCases {
 		got := GenerateRoles(input.dataGatherers)
-		if diff, equal := messagediff.PrettyDiff(input.expectedClusterRoles, got); !equal {
+		toBeTest := GenerateBindings(got)
+		if diff, equal := messagediff.PrettyDiff(input.expectedClusterRoleBindings, toBeTest); !equal {
 			t.Errorf("%s:\n%s", input.description, diff)
-			t.Fatalf("unexpected difference in RBAC cluster role: \ngot \n%v\nwant\n%v", got, input.expectedClusterRoles)
+			t.Fatalf("unexpected difference in RBAC cluster role: \ngot \n%v\nwant\n%v", got, input.expectedClusterRoleBindings)
 		}
 	}
 }