feat(applications): 添加 k8s 应用

2025-10-21 15:58:52 +00:00 · 2020-08-07 11:52:34 +08:00
parent 0a242c3e81
commit 91649a3908
30 changed files with 831 additions and 48 deletions
--- a/apps/perms/api/init.py
+++ b/apps/perms/api/init.py
@@ -12,3 +12,6 @@ from .database_app_permission import *
 from .database_app_permission_relation import *
 from .user_database_app_permission import *
 from .system_user_permission import *
+from .k8s_app_permission import *
+from .k8s_app_permission_relation import *
+from .user_k8s_app_permission import *
--- a/apps/perms/api/k8s_app_permission.py
+++ b/apps/perms/api/k8s_app_permission.py
@@ -0,0 +1,21 @@
+# coding: utf-8
+#
+
+from orgs.mixins.api import OrgBulkModelViewSet
+
+from .. import models, serializers
+from common.permissions import IsOrgAdmin
+
+
+__all__ = ['K8sAppPermissionViewSet']
+
+
+class K8sAppPermissionViewSet(OrgBulkModelViewSet):
+    model = models.K8sAppPermission
+    serializer_classes = {
+        'default': serializers.K8sAppPermissionSerializer,
+        'display': serializers.K8sAppPermissionListSerializer
+    }
+    filter_fields = ('name',)
+    search_fields = filter_fields
+    permission_classes = (IsOrgAdmin,)
--- a/apps/perms/api/k8s_app_permission_relation.py
+++ b/apps/perms/api/k8s_app_permission_relation.py
@@ -0,0 +1,111 @@
+# coding: utf-8
+#
+from rest_framework import generics
+from django.db.models import F, Value
+from django.db.models.functions import Concat
+from django.shortcuts import get_object_or_404
+
+from common.permissions import IsOrgAdmin
+from .base import RelationViewSet
+from .. import models, serializers
+
+
+class K8sAppPermissionUserRelationViewSet(RelationViewSet):
+    serializer_class = serializers.K8sAppPermissionUserRelationSerializer
+    m2m_field = models.K8sAppPermission.users.field
+    permission_classes = (IsOrgAdmin,)
+    filter_fields = [
+        'id', 'user', 'k8sapppermission'
+    ]
+    search_fields = ('user__name', 'user__username', 'k8sapppermission__name')
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.annotate(user_display=F('user__name'))
+        return queryset
+
+
+class K8sAppPermissionUserGroupRelationViewSet(RelationViewSet):
+    serializer_class = serializers.K8sAppPermissionUserGroupRelationSerializer
+    m2m_field = models.K8sAppPermission.user_groups.field
+    permission_classes = (IsOrgAdmin,)
+    filter_fields = [
+        'id', "usergroup", "k8sapppermission"
+    ]
+    search_fields = ["usergroup__name", "k8sapppermission__name"]
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset \
+            .annotate(usergroup_display=F('usergroup__name'))
+        return queryset
+
+
+class K8sAppPermissionAllUserListApi(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.K8sAppPermissionAllUserSerializer
+    filter_fields = ("username", "name")
+    search_fields = filter_fields
+
+    def get_queryset(self):
+        pk = self.kwargs.get("pk")
+        perm = get_object_or_404(models.K8sAppPermission, pk=pk)
+        users = perm.get_all_users().only(
+            *self.serializer_class.Meta.only_fields
+        )
+        return users
+
+
+class K8sAppPermissionK8sAppRelationViewSet(RelationViewSet):
+    serializer_class = serializers.K8sAppPermissionK8sAppRelationSerializer
+    m2m_field = models.K8sAppPermission.k8s_apps.field
+    permission_classes = (IsOrgAdmin,)
+    filter_fields = [
+        'id', 'k8sapp', 'k8sapppermission',
+    ]
+    search_fields = [
+        "id", "k8sapp__name", "k8sapppermission__name"
+    ]
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset \
+            .annotate(k8sapp_display=F('k8sapp__name'))
+        return queryset
+
+
+class K8sAppPermissionAllK8sAppListApi(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.K8sAppPermissionAllK8sAppSerializer
+    filter_fields = ("name",)
+    search_fields = filter_fields
+
+    def get_queryset(self):
+        pk = self.kwargs.get("pk")
+        perm = get_object_or_404(models.K8sAppPermission, pk=pk)
+        database_apps = perm.get_all_k8s_apps().only(
+            *self.serializer_class.Meta.only_fields
+        )
+        return database_apps
+
+
+class K8sAppPermissionSystemUserRelationViewSet(RelationViewSet):
+    serializer_class = serializers.K8sAppPermissionSystemUserRelationSerializer
+    m2m_field = models.K8sAppPermission.system_users.field
+    permission_classes = (IsOrgAdmin,)
+    filter_fields = [
+        'id', 'systemuser', 'k8sapppermission'
+    ]
+    search_fields = [
+        'k8sapppermission__name', 'systemuser__name', 'systemuser__username'
+    ]
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.annotate(
+            systemuser_display=Concat(
+                F('systemuser__name'), Value('('), F('systemuser__username'),
+                Value(')')
+            )
+        )
+        return queryset
--- a/apps/perms/api/user_k8s_app_permission.py
+++ b/apps/perms/api/user_k8s_app_permission.py
@@ -0,0 +1,119 @@
+# coding: utf-8
+#
+
+import uuid
+from django.shortcuts import get_object_or_404
+from rest_framework.views import APIView, Response
+from common.permissions import IsOrgAdminOrAppUser, IsValidUser
+from common.tree import TreeNodeSerializer
+from orgs.mixins import generics
+from users.models import User, UserGroup
+from applications.serializers import K8sAppSerializer
+from applications.models import K8sApp
+from assets.models import SystemUser
+from .. import utils, serializers
+from .mixin import UserPermissionMixin
+
+
+class UserGrantedK8sAppsApi(generics.ListAPIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = K8sAppSerializer
+    filter_fields = ['id', 'name', 'type', 'comment']
+    search_fields = ['name', 'comment']
+
+    def get_object(self):
+        user_id = self.kwargs.get('pk', '')
+        if user_id:
+            user = get_object_or_404(User, id=user_id)
+        else:
+            user = self.request.user
+        return user
+
+    def get_queryset(self):
+        util = utils.K8sAppPermissionUtil(self.get_object())
+        queryset = util.get_k8s_apps()
+        return queryset
+
+    def get_permissions(self):
+        if self.kwargs.get('pk') is None:
+            self.permission_classes = (IsValidUser,)
+        return super().get_permissions()
+
+
+class UserGrantedK8sAppsAsTreeApi(UserGrantedK8sAppsApi):
+    serializer_class = TreeNodeSerializer
+    permission_classes = (IsOrgAdminOrAppUser,)
+
+    def get_serializer(self, k8s_apps, *args, **kwargs):
+        if k8s_apps is None:
+            k8s_apps = []
+        only_k8s_app = self.request.query_params.get('only', '0') == '1'
+        tree_root = None
+        data = []
+        if not only_k8s_app:
+            tree_root = utils.construct_k8s_apps_tree_root()
+            data.append(tree_root)
+        for k8s_app in k8s_apps:
+            node = utils.parse_k8s_app_to_tree_node(tree_root, k8s_app)
+            data.append(node)
+        data.sort()
+        return super().get_serializer(data, many=True)
+
+
+class UserGrantedK8sAppSystemUsersApi(UserPermissionMixin, generics.ListAPIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = serializers.K8sAppSystemUserSerializer
+    only_fields = serializers.K8sAppSystemUserSerializer.Meta.only_fields
+
+    def get_queryset(self):
+        util = utils.K8sAppPermissionUtil(self.obj)
+        k8s_app_id = self.kwargs.get('k8s_app_id')
+        k8s_app = get_object_or_404(K8sApp, id=k8s_app_id)
+        system_users = util.get_k8s_app_system_users(k8s_app)
+        return system_users
+
+
+# Validate
+
+class ValidateUserK8sAppPermissionApi(APIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
+
+    def get(self, request, *args, **kwargs):
+        user_id = request.query_params.get('user_id', '')
+        k8s_app_id = request.query_params.get('k8s_app_id', '')
+        system_user_id = request.query_params.get('system_user_id', '')
+
+        try:
+            user_id = uuid.UUID(user_id)
+            k8s_app_id = uuid.UUID(k8s_app_id)
+            system_user_id = uuid.UUID(system_user_id)
+        except ValueError:
+            return Response({'msg': False}, status=403)
+
+        user = get_object_or_404(User, id=user_id)
+        k8s_app = get_object_or_404(K8sApp, id=k8s_app_id)
+        system_user = get_object_or_404(SystemUser, id=system_user_id)
+
+        util = utils.K8sAppPermissionUtil(user)
+        system_users = util.get_k8s_app_system_users(k8s_app)
+        if system_user in system_users:
+            return Response({'msg': True}, status=200)
+
+        return Response({'msg': False}, status=403)
+
+
+# UserGroup
+
+class UserGroupGrantedK8sAppsApi(generics.ListAPIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = K8sAppSerializer
+
+    def get_queryset(self):
+        queryset = []
+        user_group_id = self.kwargs.get('pk')
+        if not user_group_id:
+            return queryset
+        user_group = get_object_or_404(UserGroup, id=user_group_id)
+        util = utils.K8sAppPermissionUtil(user_group)
+        queryset = util.get_k8s_apps()
+        return queryset
--- a/apps/perms/migrations/0012_k8sapppermission.py
+++ b/apps/perms/migrations/0012_k8sapppermission.py
@@ -0,0 +1,44 @@
+# Generated by Django 2.2.13 on 2020-08-07 07:13
+
+import common.utils.django
+from django.conf import settings
+from django.db import migrations, models
+import django.utils.timezone
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0054_auto_20200807_1032'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('applications', '0005_k8sapp'),
+        ('users', '0028_auto_20200728_1805'),
+        ('perms', '0011_auto_20200721_1739'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='K8sAppPermission',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Active')),
+                ('date_start', models.DateTimeField(db_index=True, default=django.utils.timezone.now, verbose_name='Date start')),
+                ('date_expired', models.DateTimeField(db_index=True, default=common.utils.django.date_expired_default, verbose_name='Date expired')),
+                ('created_by', models.CharField(blank=True, max_length=128, verbose_name='Created by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('k8s_apps', models.ManyToManyField(blank=True, related_name='granted_by_permissions', to='applications.K8sApp', verbose_name='KubernetesApp')),
+                ('system_users', models.ManyToManyField(related_name='granted_by_k8s_app_permissions', to='assets.SystemUser', verbose_name='System user')),
+                ('user_groups', models.ManyToManyField(blank=True, to='users.UserGroup', verbose_name='User group')),
+                ('users', models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='User')),
+            ],
+            options={
+                'verbose_name': 'KubernetesApp permission',
+                'ordering': ('name',),
+                'unique_together': {('org_id', 'name')},
+            },
+        ),
+    ]
--- a/apps/perms/models/init.py
+++ b/apps/perms/models/init.py
@@ -4,3 +4,4 @@
 from .asset_permission import *
 from .remote_app_permission import *
 from .database_app_permission import *
+from .k8s_app_permission import *
--- a/apps/perms/models/k8s_app_permission.py
+++ b/apps/perms/models/k8s_app_permission.py
@@ -0,0 +1,39 @@
+# coding: utf-8
+# 
+
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+
+from common.utils import lazyproperty
+from .base import BasePermission
+
+__all__ = [
+    'K8sAppPermission',
+]
+
+
+class K8sAppPermission(BasePermission):
+    k8s_apps = models.ManyToManyField(
+        'applications.K8sApp', related_name='granted_by_permissions',
+        blank=True, verbose_name=_("KubernetesApp")
+    )
+    system_users = models.ManyToManyField(
+        'assets.SystemUser', related_name='granted_by_k8s_app_permissions',
+        verbose_name=_("System user")
+    )
+
+    class Meta:
+        unique_together = [('org_id', 'name')]
+        verbose_name = _('KubernetesApp permission')
+        ordering = ('name',)
+
+    def get_all_k8s_apps(self):
+        return self.k8s_apps.all()
+
+    @lazyproperty
+    def k8s_apps_amount(self):
+        return self.k8s_apps.count()
+
+    @lazyproperty
+    def system_users_amount(self):
+        return self.system_users.count()
--- a/apps/perms/serializers/init.py
+++ b/apps/perms/serializers/init.py
@@ -9,3 +9,5 @@ from .asset_permission_relation import *
 from .database_app_permission import *
 from .database_app_permission_relation import *
 from .base import *
+from .k8s_app_permission import *
+from .k8s_app_permission_relation import *
--- a/apps/perms/serializers/k8s_app_permission.py
+++ b/apps/perms/serializers/k8s_app_permission.py
@@ -0,0 +1,50 @@
+# coding: utf-8
+#
+from django.db.models import Count
+from rest_framework import serializers
+
+from orgs.mixins.serializers import BulkOrgResourceModelSerializer
+from .. import models
+
+__all__ = [
+    'K8sAppPermissionSerializer', 'K8sAppPermissionListSerializer'
+]
+
+
+class AmountMixin:
+    @classmethod
+    def setup_eager_loading(cls, queryset):
+        """ Perform necessary eager loading of data. """
+        queryset = queryset.annotate(
+            users_amount=Count('users', distinct=True), user_groups_amount=Count('user_groups', distinct=True),
+            k8s_apps_amount=Count('k8s_apps', distinct=True),
+            system_users_amount=Count('system_users', distinct=True)
+        )
+        return queryset
+
+
+class K8sAppPermissionSerializer(AmountMixin, BulkOrgResourceModelSerializer):
+    class Meta:
+        model = models.K8sAppPermission
+        fields = [
+            'id', 'name', 'users', 'user_groups', 'k8s_apps', 'system_users',
+            'comment', 'is_active', 'date_start', 'date_expired', 'is_valid',
+            'created_by', 'date_created', 'users_amount', 'user_groups_amount',
+            'k8s_apps_amount', 'system_users_amount',
+        ]
+        read_only_fields = [
+            'created_by', 'date_created', 'users_amount', 'user_groups_amount',
+            'k8s_apps_amount', 'system_users_amount', 'id'
+        ]
+
+
+class K8sAppPermissionListSerializer(AmountMixin, BulkOrgResourceModelSerializer):
+    is_expired = serializers.BooleanField()
+
+    class Meta:
+        model = models.K8sAppPermission
+        fields = [
+            'id', 'name', 'comment', 'is_active', 'users_amount', 'user_groups_amount',
+            'date_start', 'date_expired', 'is_valid', 'k8s_apps_amount', 'system_users_amount',
+            'created_by', 'date_created', 'is_expired'
+        ]
--- a/apps/perms/serializers/k8s_app_permission_relation.py
+++ b/apps/perms/serializers/k8s_app_permission_relation.py
@@ -0,0 +1,73 @@
+# coding: utf-8
+#
+from perms.serializers.base import PermissionAllUserSerializer
+from rest_framework import serializers
+
+from common.drf.serializers import BulkModelSerializer
+
+from .. import models
+
+
+class K8sAppPermissionUserRelationSerializer(BulkModelSerializer):
+    user_display = serializers.ReadOnlyField()
+    k8sapppermission_display = serializers.ReadOnlyField()
+
+    class Meta:
+        model = models.K8sAppPermission.users.through
+        fields = [
+            'id', 'user', 'user_display', 'k8sapppermission',
+            'k8sapppermission_display'
+        ]
+
+
+class K8sAppPermissionUserGroupRelationSerializer(BulkModelSerializer):
+    usergroup_display = serializers.ReadOnlyField()
+    k8sapppermission_display = serializers.ReadOnlyField()
+
+    class Meta:
+        model = models.K8sAppPermission.user_groups.through
+        fields = [
+            'id', 'usergroup', 'usergroup_display', 'k8sapppermission',
+            'k8sapppermission_display'
+        ]
+
+
+class K8sAppPermissionAllUserSerializer(PermissionAllUserSerializer):
+    class Meta(PermissionAllUserSerializer.Meta):
+        pass
+
+
+class K8sAppPermissionK8sAppRelationSerializer(BulkModelSerializer):
+    k8sapp_display = serializers.ReadOnlyField()
+    k8sapppermission_display = serializers.ReadOnlyField()
+
+    class Meta:
+        model = models.K8sAppPermission.k8s_apps.through
+        fields = [
+            'id', "k8sapp", "k8sapp_display", 'k8sapppermission',
+            'k8sapppermission_display'
+        ]
+
+
+class K8sAppPermissionAllK8sAppSerializer(serializers.Serializer):
+    k8sapp = serializers.UUIDField(read_only=True, source='id')
+    k8sapp_display = serializers.SerializerMethodField()
+
+    class Meta:
+        only_fields = ['id', 'name']
+
+    @staticmethod
+    def get_k8sapp_display(obj):
+        return str(obj)
+
+
+class K8sAppPermissionSystemUserRelationSerializer(BulkModelSerializer):
+    systemuser_display = serializers.ReadOnlyField()
+    k8sapppermission_display = serializers.ReadOnlyField()
+
+    class Meta:
+        model = models.K8sAppPermission.system_users.through
+        fields = [
+            'id', 'systemuser', 'systemuser_display', 'k8sapppermission',
+            'k8sapppermission_display'
+        ]
--- a/apps/perms/serializers/user_permission.py
+++ b/apps/perms/serializers/user_permission.py
@@ -14,6 +14,7 @@ __all__ = [
    'ActionsSerializer', 'AssetSystemUserSerializer',
    'RemoteAppSystemUserSerializer',
    'DatabaseAppSystemUserSerializer',
+    'K8sAppSystemUserSerializer',
 ]


@@ -53,6 +54,16 @@ class DatabaseAppSystemUserSerializer(serializers.ModelSerializer):
        read_only_fields = fields


+class K8sAppSystemUserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = SystemUser
+        only_fields = (
+            'id', 'name', 'username', 'priority', 'protocol', 'login_mode',
+        )
+        fields = list(only_fields)
+        read_only_fields = fields
+
+
 class AssetGrantedSerializer(serializers.ModelSerializer):
    """
    被授权资产的数据结构
--- a/apps/perms/urls/api_urls.py
+++ b/apps/perms/urls/api_urls.py
@@ -6,6 +6,7 @@ from .asset_permission import asset_permission_urlpatterns
 from .remote_app_permission import remote_app_permission_urlpatterns
 from .database_app_permission import database_app_permission_urlpatterns
 from .system_user_permission import system_users_permission_urlpatterns
+from .k8s_app_permission import k8s_app_permission_urlpatterns

 app_name = 'perms'

@@ -16,5 +17,6 @@ old_version_urlpatterns = [
 urlpatterns = asset_permission_urlpatterns + \
              remote_app_permission_urlpatterns + \
              database_app_permission_urlpatterns + \
+              k8s_app_permission_urlpatterns + \
              old_version_urlpatterns + \
              system_users_permission_urlpatterns
--- a/apps/perms/urls/k8s_app_permission.py
+++ b/apps/perms/urls/k8s_app_permission.py
@@ -0,0 +1,45 @@
+# coding: utf-8
+#
+
+from django.urls import path, include
+from rest_framework_bulk.routes import BulkRouter
+from .. import api
+
+
+router = BulkRouter()
+router.register('k8s-app-permissions', api.K8sAppPermissionViewSet, 'k8s-app-permission')
+router.register('k8s-app-permissions-users-relations', api.K8sAppPermissionUserRelationViewSet, 'k8s-app-permissions-users-relation')
+router.register('k8s-app-permissions-user-groups-relations', api.K8sAppPermissionUserGroupRelationViewSet, 'k8s-app-permissions-user-groups-relation')
+router.register('k8s-app-permissions-k8s-apps-relations', api.K8sAppPermissionK8sAppRelationViewSet, 'k8s-app-permissions-k8s-apps-relation')
+router.register('k8s-app-permissions-system-users-relations', api.K8sAppPermissionSystemUserRelationViewSet, 'k8s-app-permissions-system-users-relation')
+
+user_permission_urlpatterns = [
+    path('<uuid:pk>/k8s-apps/', api.UserGrantedK8sAppsApi.as_view(), name='user-k8s-apps'),
+    path('k8s-apps/', api.UserGrantedK8sAppsApi.as_view(), name='my-k8s-apps'),
+
+    # k8sApps as tree
+    path('<uuid:pk>/k8s-apps/tree/', api.UserGrantedK8sAppsAsTreeApi.as_view(), name='user-k8ss-apps-tree'),
+    path('k8s-apps/tree/', api.UserGrantedK8sAppsAsTreeApi.as_view(), name='my-k8ss-apps-tree'),
+
+    path('<uuid:pk>/k8s-apps/<uuid:k8s_app_id>/system-users/', api.UserGrantedK8sAppSystemUsersApi.as_view(), name='user-k8s-app-system-users'),
+    path('k8s-apps/<uuid:k8s_app_id>/system-users/', api.UserGrantedK8sAppSystemUsersApi.as_view(), name='user-k8s-app-system-users'),
+]
+
+user_group_permission_urlpatterns = [
+    path('<uuid:pk>/k8s-apps/', api.UserGroupGrantedK8sAppsApi.as_view(), name='user-group-k8s-apps'),
+]
+
+permission_urlpatterns = [
+    path('<uuid:pk>/users/all/', api.K8sAppPermissionAllUserListApi.as_view(), name='k8s-app-permission-all-users'),
+    path('<uuid:pk>/k8s-apps/all/', api.K8sAppPermissionAllK8sAppListApi.as_view(), name='k8s-app-permission-all-k8s-apps'),
+
+    path('user/validate/', api.ValidateUserK8sAppPermissionApi.as_view(), name='validate-user-k8s-app-permission'),
+]
+
+k8s_app_permission_urlpatterns = [
+    path('users/', include(user_permission_urlpatterns)),
+    path('user-groups/', include(user_group_permission_urlpatterns)),
+    path('k8s-app-permissions/', include(permission_urlpatterns))
+]
+
+k8s_app_permission_urlpatterns += router.urls
--- a/apps/perms/utils/init.py
+++ b/apps/perms/utils/init.py
@@ -4,3 +4,4 @@
 from .asset_permission import *
 from .remote_app_permission import *
 from .database_app_permission import *
+from .k8s_app_permission import *
--- a/apps/perms/utils/k8s_app_permission.py
+++ b/apps/perms/utils/k8s_app_permission.py
@@ -0,0 +1,93 @@
+# coding: utf-8
+#
+
+from django.utils.translation import ugettext as _
+from django.db.models import Q
+
+from orgs.utils import set_to_root_org
+from ..models import K8sAppPermission
+from common.tree import TreeNode
+from applications.models import K8sApp
+from assets.models import SystemUser
+
+
+def get_user_k8s_app_permissions(user, include_group=True):
+    if include_group:
+        groups = user.groups.all()
+        arg = Q(users=user) | Q(user_groups__in=groups)
+    else:
+        arg = Q(users=user)
+    return K8sAppPermission.objects.all().valid().filter(arg)
+
+
+def get_user_group_k8s_app_permission(user_group):
+    return K8sAppPermission.objects.all().valid().filter(
+        user_groups=user_group
+    )
+
+
+class K8sAppPermissionUtil:
+    get_permissions_map = {
+        'User': get_user_k8s_app_permissions,
+        'UserGroup': get_user_group_k8s_app_permission
+    }
+
+    def __init__(self, obj):
+        self.object = obj
+        self.change_org_if_need()
+
+    @staticmethod
+    def change_org_if_need():
+        set_to_root_org()
+
+    @property
+    def permissions(self):
+        obj_class = self.object.__class__.__name__
+        func = self.get_permissions_map[obj_class]
+        _permissions = func(self.object)
+        return _permissions
+
+    def get_k8s_apps(self):
+        k8s_apps = K8sApp.objects.filter(
+            granted_by_permissions__in=self.permissions
+        ).distinct()
+        return k8s_apps
+
+    def get_k8s_app_system_users(self, k8s_app):
+        queryset = self.permissions
+        kwargs = {'k8s_apps': k8s_app}
+        queryset = queryset.filter(**kwargs)
+        system_users_ids = queryset.values_list('system_users', flat=True)
+        system_users_ids = system_users_ids.distinct()
+        system_users = SystemUser.objects.filter(id__in=system_users_ids)
+        system_users = system_users.order_by('-priority')
+        return system_users
+
+
+def construct_k8s_apps_tree_root():
+    tree_root = {
+        'id': 'ID_K8S_APP_ROOT',
+        'name': _('KubernetesApp'),
+        'title': 'K8sApp',
+        'pId': '',
+        'open': False,
+        'isParent': True,
+        'iconSkin': '',
+        'meta': {'type': 'k8s_app'}
+    }
+    return TreeNode(**tree_root)
+
+
+def parse_k8s_app_to_tree_node(parent, k8s_app):
+    pid = parent.id if parent else ''
+    tree_node = {
+        'id': k8s_app.id,
+        'name': k8s_app.name,
+        'title': k8s_app.name,
+        'pId': pid,
+        'open': False,
+        'isParent': False,
+        'iconSkin': 'file',
+        'meta': {'type': 'k8s_app'}
+    }
+    return TreeNode(**tree_node)