| 251 | } |
| 252 | |
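// initRoleBinding parses the RoleBinding definition used for the pod service
// account and stores the result in c.PodServiceAccountRoleBinding.
//
// When the operator configuration carries no definition, a default one is
// generated in which the binding, the referenced ClusterRole and the
// ServiceAccount subject all share the pod service account's name. A
// definition supplied through the configuration is used as written: only its
// kind and decoded type are checked here, so its roleRef and subjects decide
// which privileges are granted and to whom. Write access to that configuration
// value is therefore equivalent to choosing the pods' RBAC privileges.
//
// The function panics if the definition cannot be decoded or does not decode
// to an rbac.authorization.k8s.io/v1 RoleBinding.
func (c *Controller) initRoleBinding() {

	// service account on its own lacks any rights starting with k8s v1.8
	// operator binds it to the cluster role with sufficient privileges
	// we assume the role is created by the k8s administrator
	if c.opConfig.PodServiceAccountRoleBindingDefinition == "" {
		// NOTE(review): the name is interpolated into JSON without escaping;
		// this assumes it is a valid Kubernetes object name (no quotes or
		// backslashes) — confirm where PodServiceAccount.Name is validated.
		stringValue := fmt.Sprintf(`
		{
			"apiVersion": "rbac.authorization.k8s.io/v1",
			"kind": "RoleBinding",
			"metadata": {
				"name": "%s"
			},
			"roleRef": {
				"apiGroup": "rbac.authorization.k8s.io",
				"kind": "ClusterRole",
				"name": "%s"
			},
			"subjects": [
				{
					"kind": "ServiceAccount",
					"name": "%s"
				}
			]
		}`, c.PodServiceAccount.Name, c.PodServiceAccount.Name, c.PodServiceAccount.Name)
		c.opConfig.PodServiceAccountRoleBindingDefinition = compactValue(stringValue)
	}
	c.logger.Info("Parse role bindings")
	// re-uses k8s internal parsing. See k8s client-go issue #193 for explanation
	decode := scheme.Codecs.UniversalDeserializer().Decode
	obj, groupVersionKind, err := decode([]byte(c.opConfig.PodServiceAccountRoleBindingDefinition), nil, nil)

	switch {
	case err != nil:
		panic(fmt.Errorf("unable to parse the role binding definition from the operator configuration: %v", err))
	case groupVersionKind.Kind != "RoleBinding":
		panic(fmt.Errorf("role binding definition in the operator configuration defines another type of resource: %v", groupVersionKind.Kind))
	default:
		// The kind alone does not fix the Go type: a RoleBinding declared with
		// another apiVersion would pass the check above and then fail a bare
		// type assertion with an opaque runtime panic. Check the type
		// explicitly so the failure names the offending definition.
		roleBinding, ok := obj.(*rbacv1.RoleBinding)
		if !ok {
			panic(fmt.Errorf("role binding definition in the operator configuration decodes to %T (%v), expected an rbac.authorization.k8s.io/v1 RoleBinding", obj, groupVersionKind))
		}
		c.PodServiceAccountRoleBinding = roleBinding
		// Drop any namespace given in the definition; presumably the target
		// namespace is filled in when the binding is deployed — confirm.
		c.PodServiceAccountRoleBinding.Namespace = ""
		c.logger.Info("successfully parsed")

	}

	// actual role bindings are deployed at the time of Postgres/Spilo cluster creation
}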
| 299 | |
| 300 | func logMultiLineConfig(log *logrus.Entry, config string) { |
| 301 | lines := strings.Split(config, "\n") |