[WIP] Create rbac resources to allow the Job to copy to the server Pod

Currently fails with: ``` Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:hello-kairos" cannot list resource "pods" in API group "" at the cluster scope ``` because we try to list pods with `-A`. This means we are going to get a similar error if we try to copy files to a Pod on another namespace unless we grant permission at the cluster scope or just that namespace. (Is that possible? Maybe if we create the Role in the same namespace as the server.) Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
2025-09-01 07:21:44 +00:00 · 2022-12-08 16:35:45 +02:00
parent 44a48d7890
commit 224291994f
10 changed files with 255 additions and 20 deletions
--- a/controllers/osartifact_controller.go
+++ b/controllers/osartifact_controller.go
@@ -35,12 +35,28 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )

+type ArtifactPodInfo struct {
+	Label     string
+	Namespace string
+	Path      string
+	Role      string
+}
+
 // OSArtifactReconciler reconciles a OSArtifact object
 type OSArtifactReconciler struct {
 	client.Client
 	Scheme                  *runtime.Scheme
 	clientSet               *kubernetes.Clientset
 	ServingImage, ToolImage string
+	ArtifactPodInfo         ArtifactPodInfo
+}
+
+func genObjectMeta(artifact buildv1alpha1.OSArtifact) metav1.ObjectMeta {
+	return metav1.ObjectMeta{
+		Name:            artifact.Name,
+		Namespace:       artifact.Namespace,
+		OwnerReferences: genOwner(artifact),
+	}
 }

 func genOwner(artifact buildv1alpha1.OSArtifact) []metav1.OwnerReference {
@@ -100,6 +116,21 @@ func (r *OSArtifactReconciler) Reconcile(ctx context.Context, req ctrl.Request)

 	logger.Info(fmt.Sprintf("Checking deployment %v", osbuild))

+	// TODO: We need to create the Role in the namespace where the nginx Pod is,
+	// so that the copier container has permissions to copy to that Pod.
+	// The nginx Pod should be defined in the OSArtifact CRD as in "when done
+	// write the results in this Namespace:Pod, under this path".
+	// The controller will try to create RBAC with the proper permissions but
+	// Kubernetes requires us to have the permissions before we grant them to others.
+	// This means the controller should have these permissions already.
+	// Since we control the nginx, we can make it so but if the user specifies
+	// some other Pod it may fail. Also, every OSArtifact will have to specify
+	// the nginx Pod which makes it cumbersome.
+	err = r.createRBAC(ctx, osbuild)
+	if err != nil {
+		return ctrl.Result{Requeue: true}, err
+	}
+
 	desiredJob := r.genJob(osbuild)
 	job, err := r.clientSet.BatchV1().Jobs(req.Namespace).Get(ctx, desiredJob.Name, v1.GetOptions{})
 	if job == nil || apierrors.IsNotFound(err) {