Adding pod security policy template cluster binding type

Adding a pod security policy template project binding resource type so that separate permissions between projects and editing their pspts can be established. Issue: https://github.com/rancher/rancher/issues/12049
2025-08-31 21:00:16 +00:00 · 2018-03-16 09:19:38 -07:00
parent 1e2d576b83
commit eebf4c9eaa
3 changed files with 47 additions and 18 deletions
--- a/apis/management.cattle.io/v3/authz_types.go
+++ b/apis/management.cattle.io/v3/authz_types.go
@@ -27,6 +27,7 @@ type Project struct {

 type ProjectStatus struct {
 	Conditions []ProjectCondition `json:"conditions"`
+	PodSecurityPolicyTemplateName string `json:"podSecurityPolicyTemplateId"`
 }

 type ProjectCondition struct {
@@ -45,10 +46,9 @@ type ProjectCondition struct {
 }

 type ProjectSpec struct {
-	DisplayName                   string `json:"displayName,omitempty" norman:"required"`
-	Description                   string `json:"description"`
-	ClusterName                   string `json:"clusterName,omitempty" norman:"required,type=reference[cluster]"`
-	PodSecurityPolicyTemplateName string `json:"podSecurityPolicyTemplateName,omitempty" norman:"type=reference[podSecurityPolicyTemplate]"`
+	DisplayName string `json:"displayName,omitempty" norman:"required"`
+	Description string `json:"description"`
+	ClusterName string `json:"clusterName,omitempty" norman:"required,type=reference[cluster]"`
 }

 type GlobalRole struct {
@@ -91,6 +91,15 @@ type PodSecurityPolicyTemplate struct {
 	Spec        extv1.PodSecurityPolicySpec `json:"spec,omitempty"`
 }

+type PodSecurityPolicyTemplateProjectBinding struct {
+	types.Namespaced
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	PodSecurityPolicyTemplateName string `json:"podSecurityPolicyTemplateId" norman:"required,type=reference[podSecurityPolicyTemplate]"`
+	TargetProjectName                   string `json:"projectId" norman:"required,type=reference[project]"`
+}
+
 type ProjectRoleTemplateBinding struct {
 	types.Namespaced
 	metav1.TypeMeta   `json:",inline"`
@@ -116,3 +125,7 @@ type ClusterRoleTemplateBinding struct {
 	ClusterName        string `json:"clusterName,omitempty" norman:"required,type=reference[cluster]"`
 	RoleTemplateName   string `json:"roleTemplateName,omitempty" norman:"required,type=reference[roleTemplate]"`
 }
+
+type SetPodSecurityPolicyTemplateInput struct {
+	PodSecurityPolicyTemplateName string `json:"podSecurityPolicyTemplateId" norman:"required,type=reference[podSecurityPolicyTemplate]"`
+}
--- a/apis/management.cattle.io/v3/cluster_types.go
+++ b/apis/management.cattle.io/v3/cluster_types.go
@@ -72,19 +72,20 @@ type ClusterStatus struct {
 	Conditions []ClusterCondition `json:"conditions,omitempty"`
 	//Component statuses will represent cluster's components (etcd/controller/scheduler) health
 	// https://kubernetes.io/docs/api-reference/v1.8/#componentstatus-v1-core
-	Driver              string                   `json:"driver"`
-	AgentImage          string                   `json:"agentImage"`
-	ComponentStatuses   []ClusterComponentStatus `json:"componentStatuses,omitempty"`
-	APIEndpoint         string                   `json:"apiEndpoint,omitempty"`
-	ServiceAccountToken string                   `json:"serviceAccountToken,omitempty"`
-	CACert              string                   `json:"caCert,omitempty"`
-	Capacity            v1.ResourceList          `json:"capacity,omitempty"`
-	Allocatable         v1.ResourceList          `json:"allocatable,omitempty"`
-	AppliedSpec         ClusterSpec              `json:"appliedSpec,omitempty"`
-	FailedSpec          *ClusterSpec             `json:"failedSpec,omitempty"`
-	Requested           v1.ResourceList          `json:"requested,omitempty"`
-	Limits              v1.ResourceList          `json:"limits,omitempty"`
-	ClusterName         string                   `json:"clusterName,omitempty"`
+	Driver                               string                   `json:"driver"`
+	AgentImage                           string                   `json:"agentImage"`
+	ComponentStatuses                    []ClusterComponentStatus `json:"componentStatuses,omitempty"`
+	APIEndpoint                          string                   `json:"apiEndpoint,omitempty"`
+	ServiceAccountToken                  string                   `json:"serviceAccountToken,omitempty"`
+	CACert                               string                   `json:"caCert,omitempty"`
+	Capacity                             v1.ResourceList          `json:"capacity,omitempty"`
+	Allocatable                          v1.ResourceList          `json:"allocatable,omitempty"`
+	AppliedSpec                          ClusterSpec              `json:"appliedSpec,omitempty"`
+	FailedSpec                           *ClusterSpec             `json:"failedSpec,omitempty"`
+	Requested                            v1.ResourceList          `json:"requested,omitempty"`
+	Limits                               v1.ResourceList          `json:"limits,omitempty"`
+	ClusterName                          string                   `json:"clusterName,omitempty"`
+	AppliedPodSecurityPolicyTemplateName string                   `json:"appliedPodSecurityPolicyTemplateId"`
 }

 type ClusterComponentStatus struct {
--- a/apis/management.cattle.io/v3/schema/schema.go
+++ b/apis/management.cattle.io/v3/schema/schema.go
@@ -154,14 +154,29 @@ func authzTypes(schemas *types.Schemas) *types.Schemas {
 			&m.Embed{Field: "status"}).
 		AddMapperForType(&Version, v3.GlobalRole{}, m.DisplayName{}).
 		AddMapperForType(&Version, v3.RoleTemplate{}, m.DisplayName{}).
+		AddMapperForType(&Version,
+			v3.PodSecurityPolicyTemplateProjectBinding{},
+			&mapper.NamespaceIDMapper{}).
 		AddMapperForType(&Version, v3.ProjectRoleTemplateBinding{},
 			&mapper.NamespaceIDMapper{},
 		).
-		MustImport(&Version, v3.Project{}).
+		MustImport(&Version, v3.SetPodSecurityPolicyTemplateInput{}).
+		MustImportAndCustomize(&Version, v3.Project{}, func(schema *types.Schema) {
+			schema.ResourceActions = map[string]types.Action{
+				"setpodsecuritypolicytemplate": {
+					Input:  "setPodSecurityPolicyTemplateInput",
+					Output: "project",
+				},
+			}
+		}).
 		MustImport(&Version, v3.GlobalRole{}).
 		MustImport(&Version, v3.GlobalRoleBinding{}).
 		MustImport(&Version, v3.RoleTemplate{}).
 		MustImport(&Version, v3.PodSecurityPolicyTemplate{}).
+		MustImportAndCustomize(&Version, v3.PodSecurityPolicyTemplateProjectBinding{}, func(schema *types.Schema) {
+			schema.CollectionMethods = []string{http.MethodGet, http.MethodPost}
+			schema.ResourceMethods = []string{}
+		}).
 		MustImport(&Version, v3.ClusterRoleTemplateBinding{}).
 		MustImport(&Version, v3.ProjectRoleTemplateBinding{}).
 		MustImport(&Version, v3.GlobalRoleBinding{})