io.fabric8.kubernetes.api.model.rbac.SubjectBuilder Java Examples
The following examples show how to use
io.fabric8.kubernetes.api.model.rbac.SubjectBuilder.
Example #1
Source File: KubernetesWorkspaceServiceAccount.java From che with Eclipse Public License 2.0 | 7 votes |
/**
 * Builds the RoleBinding that attaches the namespaced {@code exec} Role to the workspace
 * service account.
 *
 * <p>The binding is named {@code serviceAccountName + "-exec"}, and both the binding and its
 * single ServiceAccount subject use the same {@code namespace} field, so the grant stays inside
 * that one namespace.
 *
 * <p>NOTE(review): the rules of the {@code exec} Role are not visible here; review that Role
 * together with this binding to see what the service account can actually do.
 *
 * @return the RoleBinding object, built in memory only (nothing is sent to the cluster here)
 */
private RoleBinding createExecRoleBinding() {
  final String bindingName = serviceAccountName + "-exec";

  return new RoleBindingBuilder()
      .withNewMetadata()
      .withName(bindingName)
      .withNamespace(namespace)
      .endMetadata()
      // No apiGroup is set on the roleRef.
      // NOTE(review): presumably defaulted to rbac.authorization.k8s.io server-side; confirm.
      .withNewRoleRef()
      .withKind("Role")
      .withName("exec")
      .endRoleRef()
      .withSubjects(
          new SubjectBuilder()
              .withKind("ServiceAccount")
              .withName(serviceAccountName)
              .withNamespace(namespace)
              .build())
      .build();
}
Example #2
Source File: EntityUserOperator.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Generates the RoleBinding that lets the Entity Operator service account use the
 * {@code EntityOperator.EO_CLUSTER_ROLE_NAME} ClusterRole inside the watched namespace.
 *
 * <p>The subject lives in {@code namespace} while the binding itself is created in
 * {@code watchedNamespace}, so the two may differ. Because this is a RoleBinding (not a
 * ClusterRoleBinding), the referenced ClusterRole's rules apply only within the binding's
 * namespace.
 *
 * @param namespace namespace of the Entity Operator service account (the subject)
 * @param watchedNamespace namespace the binding is placed in
 * @return the RoleBinding, carrying this resource's owner reference and labels
 */
public RoleBinding generateRoleBinding(String namespace, String watchedNamespace) {
    // Who receives the permissions: the Entity Operator's ServiceAccount.
    Subject operatorAccount = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(EntityOperator.entityOperatorServiceAccountName(cluster))
            .withNamespace(namespace)
            .build();

    // What is granted: a ClusterRole, referenced by name.
    RoleRef clusterRoleRef = new RoleRefBuilder()
            .withName(EntityOperator.EO_CLUSTER_ROLE_NAME)
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("ClusterRole")
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(roleBindingName(cluster))
                .withNamespace(watchedNamespace)
                .withOwnerReferences(createOwnerReference())
                .withLabels(labels.toMap())
            .endMetadata()
            .withRoleRef(clusterRoleRef)
            .withSubjects(singletonList(operatorAccount))
            .build();
}
Example #3
Source File: EntityTopicOperator.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Generates the RoleBinding that lets the Entity Operator service account use the
 * {@code EntityOperator.EO_CLUSTER_ROLE_NAME} ClusterRole inside the watched namespace.
 *
 * <p>The subject is the service account in {@code namespace}; the binding is created in
 * {@code watchedNamespace}. A RoleBinding that references a ClusterRole grants that role's
 * rules only inside the binding's own namespace, not cluster-wide.
 *
 * @param namespace namespace of the Entity Operator service account (the subject)
 * @param watchedNamespace namespace the binding is placed in
 * @return the RoleBinding, carrying this resource's owner reference and labels
 */
public RoleBinding generateRoleBinding(String namespace, String watchedNamespace) {
    Subject serviceAccountSubject = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(EntityOperator.entityOperatorServiceAccountName(cluster))
            .withNamespace(namespace)
            .build();

    RoleRef entityOperatorRole = new RoleRefBuilder()
            .withName(EntityOperator.EO_CLUSTER_ROLE_NAME)
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("ClusterRole")
            .build();

    // The owner reference and labels come from this object's own helpers and fields.
    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(roleBindingName(cluster))
                .withNamespace(watchedNamespace)
                .withOwnerReferences(createOwnerReference())
                .withLabels(labels.toMap())
            .endMetadata()
            .withRoleRef(entityOperatorRole)
            .withSubjects(singletonList(serviceAccountSubject))
            .build();
}
Example #4
Source File: RoleBindingOperatorIT.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Supplies the initial RoleBinding fixture: one ServiceAccount subject bound to the
 * {@code my-cluster-role} ClusterRole, labelled {@code state=new}.
 *
 * @return the fixture, named {@code RESOURCE_NAME} in the {@code namespace} field's namespace
 */
@Override
protected RoleBinding getOriginal() {
    final String rbacGroup = "rbac.authorization.k8s.io";

    Subject subject = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName("my-service-account")
            .withNamespace("my-namespace")
            .build();

    RoleRef boundRole = new RoleRefBuilder()
            .withName("my-cluster-role")
            .withApiGroup(rbacGroup)
            .withKind("ClusterRole")
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withNamespace(namespace)
                .withLabels(singletonMap("state", "new"))
            .endMetadata()
            .withSubjects(subject)
            .withRoleRef(boundRole)
            .build();
}
Example #5
Source File: RoleBindingOperatorIT.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Supplies the modified RoleBinding fixture: the subject and the {@code state} label change,
 * while the roleRef keeps the values used in {@code getOriginal()}.
 *
 * @return the fixture, named {@code RESOURCE_NAME} in the {@code namespace} field's namespace
 */
@Override
protected RoleBinding getModified() {
    final String rbacGroup = "rbac.authorization.k8s.io";

    Subject changedSubject = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName("my-service-account2")
            .withNamespace("my-namespace2")
            .build();

    // The roleRef of an existing binding cannot be changed, so only the subject
    // and the label differ in this fixture.
    RoleRef unchangedRole = new RoleRefBuilder()
            .withName("my-cluster-role")
            .withApiGroup(rbacGroup)
            .withKind("ClusterRole")
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withNamespace(namespace)
                .withLabels(singletonMap("state", "modified"))
            .endMetadata()
            .withSubjects(changedSubject)
            .withRoleRef(unchangedRole)
            .build();
}
Example #6
Source File: RoleBindingOperatorTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Supplies the RoleBinding used by this test: the {@code some-service-account} ServiceAccount
 * in {@code NAMESPACE} bound to the {@code some-role} ClusterRole, labelled {@code foo=bar}.
 *
 * @return the fixture, named {@code RESOURCE_NAME} in {@code NAMESPACE}
 */
@Override
protected RoleBinding resource() {
    final String rbacGroup = "rbac.authorization.k8s.io";

    Subject account = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName("some-service-account")
            .withNamespace(NAMESPACE)
            .build();

    RoleRef role = new RoleRefBuilder()
            .withName("some-role")
            .withApiGroup(rbacGroup)
            .withKind("ClusterRole")
            .build();

    return new RoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withNamespace(NAMESPACE)
                .withLabels(singletonMap("foo", "bar"))
            .endMetadata()
            .withRoleRef(role)
            .withSubjects(singletonList(account))
            .build();
}
Example #7
Source File: ClusterRoleBindingOperatorIT.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Supplies the initial ClusterRoleBinding fixture: one ServiceAccount subject bound to the
 * {@code my-cluster-role} ClusterRole, labelled {@code state=new}.
 *
 * <p>The metadata carries no namespace; only the ServiceAccount subject names one.
 *
 * @return the fixture, named {@code RESOURCE_NAME}
 */
@Override
protected ClusterRoleBinding getOriginal() {
    final String rbacGroup = "rbac.authorization.k8s.io";

    Subject subject = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName("my-service-account")
            .withNamespace("my-namespace")
            .build();

    RoleRef boundRole = new RoleRefBuilder()
            .withName("my-cluster-role")
            .withApiGroup(rbacGroup)
            .withKind("ClusterRole")
            .build();

    return new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withLabels(singletonMap("state", "new"))
            .endMetadata()
            .withSubjects(subject)
            .withRoleRef(boundRole)
            .build();
}
Example #8
Source File: ClusterRoleBindingOperatorIT.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Supplies the modified ClusterRoleBinding fixture: the subject and the {@code state} label
 * change, while the roleRef keeps the values used in {@code getOriginal()}.
 *
 * @return the fixture, named {@code RESOURCE_NAME}
 */
@Override
protected ClusterRoleBinding getModified() {
    final String rbacGroup = "rbac.authorization.k8s.io";

    Subject changedSubject = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName("my-service-account2")
            .withNamespace("my-namespace2")
            .build();

    // The roleRef of an existing binding cannot be changed, so only the subject
    // and the label differ in this fixture.
    RoleRef unchangedRole = new RoleRefBuilder()
            .withName("my-cluster-role")
            .withApiGroup(rbacGroup)
            .withKind("ClusterRole")
            .build();

    return new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName(RESOURCE_NAME)
                .withLabels(singletonMap("state", "modified"))
            .endMetadata()
            .withSubjects(changedSubject)
            .withRoleRef(unchangedRole)
            .build();
}
Example #9
Source File: KubernetesWorkspaceServiceAccount.java From che with Eclipse Public License 2.0 | 6 votes |
/**
 * Builds the RoleBinding that attaches the namespaced {@code workspace-view} Role to the
 * workspace service account.
 *
 * <p>The binding is named {@code serviceAccountName + "-view"}; binding and subject both use
 * the {@code namespace} field, so the grant does not reach outside that namespace.
 *
 * @return the RoleBinding object, built in memory only (nothing is sent to the cluster here)
 */
private RoleBinding createViewRoleBinding() {
  final String bindingName = serviceAccountName + "-view";

  return new RoleBindingBuilder()
      .withNewMetadata()
      .withName(bindingName)
      .withNamespace(namespace)
      .endMetadata()
      // No apiGroup is set on the roleRef.
      // NOTE(review): presumably defaulted to rbac.authorization.k8s.io server-side; confirm.
      .withNewRoleRef()
      .withKind("Role")
      .withName("workspace-view")
      .endRoleRef()
      .withSubjects(
          new SubjectBuilder()
              .withKind("ServiceAccount")
              .withName(serviceAccountName)
              .withNamespace(namespace)
              .build())
      .build();
}
Example #10
Source File: KubernetesWorkspaceServiceAccount.java From che with Eclipse Public License 2.0 | 6 votes |
/**
 * Builds a RoleBinding that attaches a caller-chosen ClusterRole to the workspace service
 * account, scoped to the workspace namespace.
 *
 * <p>The binding is named {@code serviceAccountName + "-custom"}. It is a RoleBinding, so the
 * ClusterRole's rules take effect only inside {@code namespace}.
 *
 * <p>NOTE(review): nothing in this method restricts which ClusterRole is bound. Confirm that
 * the caller validates or allow-lists {@code clusterRoleName}, since that value decides what
 * the workspace service account may do in this namespace.
 *
 * @param clusterRoleName name of the ClusterRole to reference in the roleRef
 * @return the RoleBinding object, built in memory only (nothing is sent to the cluster here)
 */
private RoleBinding createCustomRoleBinding(String clusterRoleName) {
  final String bindingName = serviceAccountName + "-custom";

  return new RoleBindingBuilder()
      .withNewMetadata()
      .withName(bindingName)
      .withNamespace(namespace)
      .endMetadata()
      .withNewRoleRef()
      .withKind("ClusterRole")
      .withName(clusterRoleName)
      .endRoleRef()
      .withSubjects(
          new SubjectBuilder()
              .withKind("ServiceAccount")
              .withName(serviceAccountName)
              .withNamespace(namespace)
              .build())
      .build();
}
Example #11
Source File: KafkaCluster.java From strimzi-kafka-operator with Apache License 2.0 | 5 votes |
/**
 * Creates the ClusterRoleBinding that binds the Kafka init container's service account to the
 * {@code strimzi-kafka-broker} ClusterRole, which permits the init container to access K8S
 * nodes (necessary for rack-awareness).
 *
 * <p>A binding is produced only when a rack is configured or the cluster is exposed with node
 * ports; otherwise no cluster-wide grant is generated.
 *
 * @param assemblyNamespace The namespace of the service account used as the subject.
 * @return The cluster role binding, or {@code null} when neither condition holds.
 */
public ClusterRoleBinding generateClusterRoleBinding(String assemblyNamespace) {
    // Guard clause: without rack awareness or node-port exposure no binding is generated.
    if (rack == null && !isExposedWithNodePort()) {
        return null;
    }

    Subject initContainerAccount = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(initContainerServiceAccountName(cluster))
            .withNamespace(assemblyNamespace)
            .build();

    RoleRef brokerRole = new RoleRefBuilder()
            .withName("strimzi-kafka-broker")
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("ClusterRole")
            .build();

    // NOTE(review): the binding name is derived from the `namespace` field while the subject
    // uses the `assemblyNamespace` parameter; confirm the two are meant to be the same value.
    return new ClusterRoleBindingBuilder()
            .withNewMetadata()
                .withName(initContainerClusterRoleBindingName(namespace, cluster))
                .withOwnerReferences(createOwnerReference())
                .withLabels(labels.toMap())
            .endMetadata()
            .withSubjects(initContainerAccount)
            .withRoleRef(brokerRole)
            .build();
}
Example #12
Source File: RoleBindingIT.java From kubernetes-client with Apache License 2.0 | 5 votes |
/**
 * Test setup: builds the {@code read-jobs} RoleBinding (User {@code jane} bound to Role
 * {@code job-reader}) and creates or replaces it in the session's namespace.
 *
 * <p>NOTE(review): the subject is of kind {@code User} yet sets a namespace. The Kubernetes
 * API reference describes {@code subject.namespace} as applying to namespaced kinds such as
 * ServiceAccount; confirm it is only set here to exercise the builder.
 */
@Before
public void init() {
  final String rbacGroup = "rbac.authorization.k8s.io";

  currentNamespace = session.getNamespace();

  // No metadata namespace is set on the object; the target namespace is chosen by
  // inNamespace(currentNamespace) on the create call below.
  roleBinding = new RoleBindingBuilder()
    .withNewMetadata()
    .withName("read-jobs")
    .withLabels(Collections.singletonMap("type", "io.fabric8.roleBindingIT"))
    .endMetadata()
    .addToSubjects(0, new SubjectBuilder()
      .withApiGroup(rbacGroup)
      .withKind("User")
      .withName("jane")
      .withNamespace("default")
      .build()
    )
    .withRoleRef(new RoleRefBuilder()
      .withApiGroup(rbacGroup)
      .withKind("Role")
      .withName("job-reader")
      .build()
    )
    .build();

  client.rbac().roleBindings().inNamespace(currentNamespace).createOrReplace(roleBinding);
}
Example #13
Source File: ClusterRoleBindingIT.java From kubernetes-client with Apache License 2.0 | 5 votes |
/**
 * Test setup: skips the test on servers reporting version 1.6, then builds the
 * {@code read-nodes} ClusterRoleBinding (User {@code jane} bound to ClusterRole
 * {@code node-reader}) and creates or replaces it on the cluster.
 *
 * <p>NOTE(review): the subject is of kind {@code User} yet sets a namespace. The Kubernetes
 * API reference describes {@code subject.namespace} as applying to namespaced kinds such as
 * ServiceAccount; confirm it is only set here to exercise the builder.
 */
@Before
public void init() {
  final String rbacGroup = "rbac.authorization.k8s.io";

  // Do not run tests on OpenShift 3.6.0 and 3.6.1. The check itself matches a reported
  // major version "1" with a minor version starting with "6"; the minor version is only
  // read when the major version matches.
  boolean unsupportedServer = client.getVersion().getMajor().equalsIgnoreCase("1")
    && client.getVersion().getMinor().startsWith("6");
  assumeFalse(unsupportedServer);

  clusterRoleBinding = new ClusterRoleBindingBuilder()
    .withNewMetadata()
    .withName("read-nodes")
    .endMetadata()
    .addToSubjects(0, new SubjectBuilder()
      .withApiGroup(rbacGroup)
      .withKind("User")
      .withName("jane")
      .withNamespace("default")
      .build()
    )
    .withRoleRef(new RoleRefBuilder()
      .withApiGroup(rbacGroup)
      .withKind("ClusterRole")
      .withName("node-reader")
      .build()
    )
    .build();

  // Cluster-scoped resource: no inNamespace(...) on this call.
  client.rbac().clusterRoleBindings().createOrReplace(clusterRoleBinding);
}
Example #14
Source File: RoleBindingTest.java From kubernetes-client with Apache License 2.0 | 5 votes |
/**
 * Checks that a RoleBinding assembled with the builders serializes to the JSON stored in
 * {@code /valid-roleBinding.json}.
 *
 * <p>The comparison ignores array order, treats nulls as absent and ignores extra fields, so
 * it verifies that the expected fields are present rather than an exact byte-for-byte match.
 *
 * @throws Exception if loading the reference JSON or serializing the object fails
 */
@Test
public void kubernetesRoleBuilderTest() throws Exception {
  final String rbacGroup = "rbac.authorization.k8s.io";

  // given: the reference document
  final String expectedJson = Helper.loadJson("/valid-roleBinding.json");

  // when: the same binding is built programmatically and serialized
  RoleBinding builtBinding = new RoleBindingBuilder()
    .withNewMetadata()
    .withName("read-jobs")
    .withNamespace("default")
    .endMetadata()
    .addToSubjects(0, new SubjectBuilder()
      .withApiGroup(rbacGroup)
      .withKind("User")
      .withName("jane")
      .withNamespace("default")
      .build()
    )
    .withRoleRef(new RoleRefBuilder()
      .withApiGroup(rbacGroup)
      .withKind("Role")
      .withName("job-reader")
      .build()
    )
    .build();
  final String actualJson = mapper.writeValueAsString(builtBinding);

  // then: both documents agree under the relaxed comparison options
  assertThatJson(actualJson)
    .when(IGNORING_ARRAY_ORDER, TREATING_NULL_AS_ABSENT, IGNORING_EXTRA_FIELDS)
    .isEqualTo(expectedJson);
}
Example #15
Source File: ClusterRoleBindingCrudTest.java From kubernetes-client with Apache License 2.0 | 4 votes |
/**
 * Exercises create, list, edit and delete of a ClusterRoleBinding through the client obtained
 * from {@code kubernetesServer}, checking every field of the binding after each step.
 *
 * <p>The final {@code delete()} is called on the unfiltered {@code clusterRoleBindings()}
 * operation, and the test then expects the list to be empty. NOTE(review): this presumably
 * runs against a mock server only; an unfiltered delete is not something to aim at a shared
 * cluster.
 */
@Test
public void crudTest() {
  final String rbacGroup = "rbac.authorization.k8s.io";
  KubernetesClient client = kubernetesServer.getClient();

  ClusterRoleBinding binding = new ClusterRoleBindingBuilder()
    .withNewMetadata()
    .withName("read-nodes")
    .endMetadata()
    .addToSubjects(0, new SubjectBuilder()
      .withApiGroup(rbacGroup)
      .withKind("User")
      .withName("jane")
      .withNamespace("default")
      .build()
    )
    .withRoleRef(new RoleRefBuilder()
      .withApiGroup(rbacGroup)
      .withKind("ClusterRole")
      .withName("node-reader")
      .build()
    )
    .build();

  // creation
  binding = client.rbac().clusterRoleBindings().create(binding);
  assertReadNodesBinding(binding, "jane");

  // list
  ClusterRoleBindingList listed = client.rbac().clusterRoleBindings().list();
  assertNotNull(listed);
  assertNotNull(listed.getItems());
  assertEquals(1, listed.getItems().size());
  assertReadNodesBinding(listed.getItems().get(0), "jane");

  // update: only the subject name changes
  binding = client.rbac().clusterRoleBindings().withName("read-nodes").edit()
    .editSubject(0).withName("jane-new").endSubject().done();
  assertReadNodesBinding(binding, "jane-new");

  // deletion: unfiltered, so every ClusterRoleBinding known to the server is removed
  assertTrue(client.rbac().clusterRoleBindings().delete());

  listed = client.rbac().clusterRoleBindings().list();
  assertEquals(0, listed.getItems().size());
}

/**
 * Asserts that {@code binding} is the {@code read-nodes} ClusterRoleBinding with exactly one
 * User subject of the given name and a roleRef to the {@code node-reader} ClusterRole.
 */
private static void assertReadNodesBinding(ClusterRoleBinding binding, String expectedSubjectName) {
  assertNotNull(binding);
  assertEquals("ClusterRoleBinding", binding.getKind());
  assertEquals("rbac.authorization.k8s.io/v1", binding.getApiVersion());
  assertNotNull(binding.getMetadata());
  assertEquals("read-nodes", binding.getMetadata().getName());
  assertNotNull(binding.getSubjects());
  assertEquals(1, binding.getSubjects().size());
  assertEquals("rbac.authorization.k8s.io", binding.getSubjects().get(0).getApiGroup());
  assertEquals("User", binding.getSubjects().get(0).getKind());
  assertEquals(expectedSubjectName, binding.getSubjects().get(0).getName());
  assertEquals("default", binding.getSubjects().get(0).getNamespace());
  assertNotNull(binding.getRoleRef());
  assertEquals("ClusterRole", binding.getRoleRef().getKind());
  assertEquals("node-reader", binding.getRoleRef().getName());
  assertEquals("rbac.authorization.k8s.io", binding.getRoleRef().getApiGroup());
}
Example #16
Source File: SystemtestsKubernetesApps.java From enmasse with Apache License 2.0 | 4 votes |
/**
 * Deploys an AMQ broker for system tests: creates the namespace, the RBAC objects, the broker
 * secret, the deployment and a service with an external endpoint, then waits for readiness.
 *
 * <p>RBAC created here: a Role named {@code name} whose only rule is {@code get} on the single
 * secret called {@code name}, and a RoleBinding giving that Role to the
 * {@code address-space-controller} ServiceAccount in the infra namespace. The grant is thus
 * limited to reading one named secret in {@code namespace}.
 *
 * <p>NOTE(review): {@code password} is handed to both {@code getBrokerSecret} and
 * {@code getBrokerDeployment} as a plain String; confirm the deployment references the secret
 * rather than carrying the value in its pod spec.
 *
 * @param namespace namespace to create and deploy into
 * @param name name used for the Role, RoleBinding, secret, deployment and service
 * @param user broker user name
 * @param password broker password
 * @param certBundle certificate bundle passed to the broker secret
 * @throws Exception if any of the create or wait steps fails, or the final sleep is interrupted
 */
public static void deployAMQBroker(String namespace, String name, String user, String password, BrokerCertBundle certBundle) throws Exception {
    kube.createNamespace(namespace);

    // Role: read access ("get") to exactly one secret, selected by resource name.
    kube.getClient().rbac().roles().inNamespace(namespace).createOrReplace(new RoleBuilder()
            .withNewMetadata()
            .withName(name)
            .withNamespace(namespace)
            .endMetadata()
            .withRules(new PolicyRuleBuilder()
                    .addToApiGroups("")
                    .addToResources("secrets")
                    .addToResourceNames(name)
                    .addToVerbs("get")
                    .build())
            .build());

    // RoleBinding: the subject lives in the infra namespace, the grant applies in `namespace`.
    kube.getClient().rbac().roleBindings().inNamespace(namespace).createOrReplace(new RoleBindingBuilder()
            .withNewMetadata()
            .withName(name)
            .withNamespace(namespace)
            .endMetadata()
            .withNewRoleRef("rbac.authorization.k8s.io", "Role", name)
            .withSubjects(new SubjectBuilder()
                    .withKind("ServiceAccount")
                    .withName("address-space-controller")
                    .withNamespace(kube.getInfraNamespace())
                    .build())
            .build());

    kube.createSecret(namespace, getBrokerSecret(name, certBundle, user, password));
    kube.createDeploymentFromResource(namespace, getBrokerDeployment(name, user, password), 3, TimeUnit.MINUTES);

    ServicePort tlsPort = new ServicePortBuilder()
            .withName("amqps")
            .withPort(5671)
            .withTargetPort(new IntOrString(5671))
            .build();
    ServicePort mutualTlsPort = new ServicePortBuilder()
            .withName("amqpsmutual")
            .withPort(55671)
            .withTargetPort(new IntOrString(55671))
            .build();
    ServicePort amqpPort = new ServicePortBuilder()
            .withName("amqp")
            .withPort(5672)
            .withTargetPort(new IntOrString(5672))
            .build();

    Service service = getSystemtestsServiceResource(name, name, amqpPort, tlsPort, mutualTlsPort);
    kube.createServiceFromResource(namespace, service);

    // Only the TLS port is passed to the external endpoint.
    kube.createExternalEndpoint(name, namespace, service, tlsPort);

    kube.getClient()
            .apps().deployments()
            .inNamespace(namespace)
            .withName(name)
            .waitUntilReady(5, TimeUnit.MINUTES);

    // Fixed extra pause after the readiness wait.
    Thread.sleep(5000);
}
Example #17
Source File: KubernetesResource.java From strimzi-kafka-operator with Apache License 2.0 | 4 votes |
/**
 * Builds the three ClusterRoleBindings that give the {@code strimzi-cluster-operator}
 * ServiceAccount its ClusterRoles across the whole cluster.
 *
 * <p>Each binding has the same name as the ClusterRole it references and a single subject: the
 * {@code strimzi-cluster-operator} ServiceAccount in {@code namespace}. These are
 * ClusterRoleBindings, so the referenced rules apply in every namespace, which is a broader
 * grant than a per-namespace RoleBinding.
 *
 * @param namespace namespace of the {@code strimzi-cluster-operator} ServiceAccount
 * @return the bindings, in the order namespaced, entity-operator, topic-operator
 */
public static List<ClusterRoleBinding> clusterRoleBindingsForAllNamespaces(String namespace) {
    LOGGER.info("Creating ClusterRoleBinding that grant cluster-wide access to all OpenShift projects");

    // Binding name and referenced ClusterRole name are identical for all three entries.
    final String[] clusterRoleNames = {
        "strimzi-cluster-operator-namespaced",
        "strimzi-entity-operator",
        "strimzi-topic-operator"
    };

    List<ClusterRoleBinding> bindings = new ArrayList<>();
    for (String roleName : clusterRoleNames) {
        bindings.add(
            new ClusterRoleBindingBuilder()
                .withNewMetadata()
                    .withName(roleName)
                .endMetadata()
                .withNewRoleRef()
                    .withApiGroup("rbac.authorization.k8s.io")
                    .withKind("ClusterRole")
                    .withName(roleName)
                .endRoleRef()
                .withSubjects(new SubjectBuilder()
                    .withKind("ServiceAccount")
                    .withName("strimzi-cluster-operator")
                    .withNamespace(namespace)
                    .build()
                )
                .build()
        );
    }
    return bindings;
}