Best Ginkgo code snippet using watch.Add
role_data.go
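package app

import (
	"github.com/pkg/errors"
	v3 "github.com/rancher/types/apis/management.cattle.io/v3"
	"github.com/rancher/types/config"
	"github.com/sirupsen/logrus"
	"golang.org/x/crypto/bcrypt"
	corev1 "k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
)

const (
	// bootstrappedRole is the annotation key that marks a role whose default
	// flag has already been set by bootstrapDefaultRoles.
	bootstrappedRole = "authz.management.cattle.io/bootstrapped-role"
	// bootstrapAdminConfig is the name of the ConfigMap whose presence means
	// the default admin bootstrap has already run.
	bootstrapAdminConfig = "admincreated"
	cattleNamespace      = "cattle-system"
	// defaultAdminLabelKey/Value label the default admin user and its binding.
	defaultAdminLabelKey   = "authz.management.cattle.io/bootstrapping"
	defaultAdminLabelValue = "admin-user"
)

var defaultAdminLabel = map[string]string{defaultAdminLabelKey: defaultAdminLabelValue}

// addRoles declares the built-in global roles and role templates, reconciles
// both sets through the role builder, then bootstraps the default admin user
// and the default-role flags. It returns the admin user name reported by
// bootstrapAdmin.
//
// Everything below is a static RBAC policy table: each addRule() chain becomes
// one rule (API groups, resources, verbs) of the role declared before it.
// Widening any entry widens what every holder of that role can do, so changes
// here deserve the same review as a change to an authorization check.
func addRoles(management *config.ManagementContext) (string, error) {
	rb := newRoleBuilder()

	// NOTE(review): the secrets rule here (and in "User" below) is create-only
	// but spans every API group ("*").
	rb.addRole("Create Clusters", "clusters-create").addRule().apiGroups("management.cattle.io").resources("clusters").verbs("create").
		addRule().apiGroups("management.cattle.io").resources("templates", "templateversions").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("nodedrivers").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("kontainerdrivers").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("podsecuritypolicytemplates").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("nodetemplates").verbs("*").
		addRule().apiGroups("*").resources("secrets").verbs("create")
	rb.addRole("Manage Node Drivers", "nodedrivers-manage").addRule().apiGroups("management.cattle.io").resources("nodedrivers").verbs("*")
	rb.addRole("Manage Cluster Drivers", "kontainerdrivers-manage").addRule().apiGroups("management.cattle.io").resources("kontainerdrivers").verbs("*")
	rb.addRole("Manage Catalogs", "catalogs-manage").addRule().apiGroups("management.cattle.io").resources("catalogs", "templates", "templateversions").verbs("*")
	rb.addRole("Use Catalog Templates", "catalogs-use").addRule().apiGroups("management.cattle.io").resources("templates", "templateversions").verbs("get", "list", "watch")
	// NOTE(review): "*" on globalrolebindings lets a holder create a binding to
	// any global role, "admin" included, unless an escalation check outside
	// this file rejects it - confirm that check exists before granting this
	// role to non-admins.
	rb.addRole("Manage Users", "users-manage").addRule().apiGroups("management.cattle.io").resources("users", "globalrolebindings").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("globalroles").verbs("get", "list", "watch")
	rb.addRole("Manage Roles", "roles-manage").addRule().apiGroups("management.cattle.io").resources("roletemplates").verbs("*")
	rb.addRole("Manage Authentication", "authn-manage").addRule().apiGroups("management.cattle.io").resources("authconfigs").verbs("get", "list", "watch", "update")
	rb.addRole("Manage Settings", "settings-manage").addRule().apiGroups("management.cattle.io").resources("settings").verbs("*")
	rb.addRole("Manage Features", "features-manage").addRule().apiGroups("management.cattle.io").resources("features").verbs("get", "list", "watch", "update")
	rb.addRole("Manage PodSecurityPolicy Templates", "podsecuritypolicytemplates-manage").addRule().apiGroups("management.cattle.io").resources("podsecuritypolicytemplates").verbs("*")
	rb.addRole("Create RKE Templates", "clustertemplates-create").addRule().apiGroups("management.cattle.io").resources("clustertemplates").verbs("create")

	// Unrestricted: every verb on every resource and every non-resource URL.
	rb.addRole("Admin", "admin").addRule().apiGroups("*").resources("*").verbs("*").
		addRule().apiGroups().nonResourceURLs("*").verbs("*")

	rb.addRole("User", "user").addRule().apiGroups("management.cattle.io").resources("principals", "roletemplates").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("preferences").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("settings").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("features").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("templates", "templateversions", "catalogs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clusters").verbs("create").
		addRule().apiGroups("management.cattle.io").resources("nodedrivers").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("kontainerdrivers").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("podsecuritypolicytemplates").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("nodetemplates").verbs("create").
		addRule().apiGroups("*").resources("secrets").verbs("create").
		addRule().apiGroups("management.cattle.io").resources("multiclusterapps", "globaldnses", "globaldnsproviders", "clustertemplaterevisions").verbs("create").
		addRule().apiGroups("project.cattle.io").resources("sourcecodecredentials").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("sourcecoderepositories").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("rkek8ssystemimages").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("rkek8sserviceoptions").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("rkeaddons").verbs("get", "list", "watch")

	rb.addRole("User Base", "user-base").addRule().apiGroups("management.cattle.io").resources("preferences").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("settings").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("features").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("sourcecodecredentials").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("sourcecoderepositories").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("clustertemplaterevisions").verbs("create")

	// TODO user should be dynamically authorized to only see herself
	// TODO enable when groups are "in". they need to be self-service

	if err := rb.reconcileGlobalRoles(management); err != nil {
		return "", errors.Wrap(err, "problem reconciling global roles")
	}

	// RoleTemplates to be used inside of clusters
	rb = newRoleBuilder()

	// K8s default roles
	// NOTE(review): the meaning of the four boolean arguments is defined by
	// addRoleTemplate, which is not in this file - check its signature before
	// flipping any of them.
	rb.addRoleTemplate("Kubernetes cluster-admin", "cluster-admin", "cluster", true, true, true, true)
	rb.addRoleTemplate("Kubernetes admin", "admin", "project", true, true, true, false)
	rb.addRoleTemplate("Kubernetes edit", "edit", "project", true, true, true, false)
	rb.addRoleTemplate("Kubernetes view", "view", "project", true, true, true, false)

	// Cluster roles
	// Unrestricted within its scope: every verb on every resource and URL.
	rb.addRoleTemplate("Cluster Owner", "cluster-owner", "cluster", true, false, false, true).
		addRule().apiGroups("*").resources("*").verbs("*").
		addRule().apiGroups().nonResourceURLs("*").verbs("*")

	rb.addRoleTemplate("Cluster Member", "cluster-member", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("clusterroletemplatebindings").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projects").verbs("create").
		addRule().apiGroups("management.cattle.io").resources("nodes", "nodepools").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("nodes").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumes").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("storageclasses").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("apiservices").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clusterevents").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clusterloggings").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clusteralertrules").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clusteralertgroups").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("notifiers").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clustercatalogs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clustermonitorgraphs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("catalogtemplates").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("catalogtemplateversions").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlansubnets").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlanips").verbs("get", "list", "watch")

	rb.addRoleTemplate("Create Projects", "projects-create", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projects").verbs("create")

	rb.addRoleTemplate("View All Projects", "projects-view", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projects").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectroletemplatebindings").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("apps").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("apprevisions").verbs("get", "list", "watch").
		addRule().apiGroups("").resources("namespaces").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumes").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("storageclasses").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumeclaims").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clusterevents").verbs("get", "list", "watch").
		setRoleTemplateNames("view")

	rb.addRoleTemplate("Manage Nodes", "nodes-manage", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("nodes", "nodepools").verbs("*").
		addRule().apiGroups("*").resources("nodes").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("clustermonitorgraphs").verbs("get", "list", "watch")

	rb.addRoleTemplate("View Nodes", "nodes-view", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("nodes", "nodepools").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("nodes").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clustermonitorgraphs").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Storage", "storage-manage", "cluster", true, false, false, false).
		addRule().apiGroups("*").resources("persistentvolumes").verbs("*").
		addRule().apiGroups("*").resources("storageclasses").verbs("*").
		addRule().apiGroups("*").resources("persistentvolumeclaims").verbs("*")

	rb.addRoleTemplate("Manage Cluster Members", "clusterroletemplatebindings-manage", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("clusterroletemplatebindings").verbs("*")

	rb.addRoleTemplate("View Cluster Members", "clusterroletemplatebindings-view", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("clusterroletemplatebindings").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlansubnets").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlanips").verbs("get", "list", "watch")

	rb.addRoleTemplate("View MacvlanSubnets", "macvlansubnets-view", "cluster", true, false, false, false).
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlansubnets").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlanips").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Cluster Catalogs", "clustercatalogs-manage", "cluster", true, false, false, true).
		addRule().apiGroups("management.cattle.io").resources("clustercatalogs").verbs("*")

	rb.addRoleTemplate("View Cluster Catalogs", "clustercatalogs-view", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("clustercatalogs").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Cluster Backups", "backups-manage", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("etcdbackups").verbs("*")

	rb.addRoleTemplate("Manage Cluster Scans", "clusterscans-manage", "cluster", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("clusterscans").verbs("*")

	// Project roles
	rb.addRoleTemplate("Project Owner", "project-owner", "project", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projectroletemplatebindings").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("apps").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("apprevisions").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("pipelines").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("pipelineexecutions").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("pipelinesettings").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("sourcecodeproviderconfigs").verbs("*").
		addRule().apiGroups("").resources("namespaces").verbs("create").
		addRule().apiGroups("*").resources("persistentvolumes").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("storageclasses").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("apiservices").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumeclaims").verbs("*").
		addRule().apiGroups("metrics.k8s.io").resources("pods").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("clusterevents").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("notifiers").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectalertrules").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("projectalertgroups").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("projectloggings").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("clustercatalogs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectcatalogs").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("projectmonitorgraphs").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("catalogtemplates").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("catalogtemplateversions").verbs("*").
		addRule().apiGroups("monitoring.cattle.io").resources("prometheus").verbs("view").
		addRule().apiGroups("monitoring.coreos.com").resources("prometheuses", "prometheusRules", "serviceMonitors").verbs("*").
		addRule().apiGroups("networking.istio.io").resources("destinationrules", "envoyfilters", "gateways", "serviceentries", "sidecars", "virtualservices").verbs("*").
		addRule().apiGroups("config.istio.io").resources("apikeys", "authorizations", "checknothings", "circonuses", "deniers", "fluentds", "handlers", "kubernetesenvs", "kuberneteses", "listcheckers", "listentries", "logentries", "memquotas", "metrics", "opas", "prometheuses", "quotas", "quotaspecbindings", "quotaspecs", "rbacs", "reportnothings", "rules", "solarwindses", "stackdrivers", "statsds", "stdios").verbs("*").
		addRule().apiGroups("authentication.istio.io").resources("policies").verbs("*").
		addRule().apiGroups("rbac.istio.io").resources("rbacconfigs", "serviceroles", "servicerolebindings").verbs("*").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlansubnets").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlanips").verbs("get", "list", "watch").
		setRoleTemplateNames("admin")

	rb.addRoleTemplate("Project Member", "project-member", "project", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projectroletemplatebindings").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("apps").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("apprevisions").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("pipelines").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("pipelineexecutions").verbs("*").
		addRule().apiGroups("").resources("namespaces").verbs("create").
		addRule().apiGroups("*").resources("persistentvolumes").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("storageclasses").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("apiservices").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumeclaims").verbs("*").
		addRule().apiGroups("metrics.k8s.io").resources("pods").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("clusterevents").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("notifiers").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectalertrules").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("projectalertgroups").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("projectloggings").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clustercatalogs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectcatalogs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectmonitorgraphs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("catalogtemplates").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("catalogtemplateversions").verbs("get", "list", "watch").
		addRule().apiGroups("monitoring.cattle.io").resources("prometheus").verbs("view").
		addRule().apiGroups("monitoring.coreos.com").resources("prometheuses", "prometheusRules", "serviceMonitors").verbs("*").
		addRule().apiGroups("networking.istio.io").resources("destinationrules", "envoyfilters", "gateways", "serviceentries", "sidecars", "virtualservices").verbs("*").
		addRule().apiGroups("config.istio.io").resources("apikeys", "authorizations", "checknothings", "circonuses", "deniers", "fluentds", "handlers", "kubernetesenvs", "kuberneteses", "listcheckers", "listentries", "logentries", "memquotas", "metrics", "opas", "prometheuses", "quotas", "quotaspecbindings", "quotaspecs", "rbacs", "reportnothings", "rules", "solarwindses", "stackdrivers", "statsds", "stdios").verbs("*").
		addRule().apiGroups("authentication.istio.io").resources("policies").verbs("*").
		addRule().apiGroups("rbac.istio.io").resources("rbacconfigs", "serviceroles", "servicerolebindings").verbs("*").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlansubnets").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlanips").verbs("get", "list", "watch").
		setRoleTemplateNames("edit")

	rb.addRoleTemplate("Read-only", "read-only", "project", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projectroletemplatebindings").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("apps").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("apprevisions").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("pipelines").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("pipelineexecutions").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumes").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("storageclasses").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("apiservices").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumeclaims").verbs("get", "list", "watch").
		addRule().apiGroups("metrics.k8s.io").resources("pods").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clusterevents").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("notifiers").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectalertrules").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectalertgroups").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectloggings").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("clustercatalogs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectcatalogs").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectmonitorgraphs").verbs("get", "list", "watch").
		addRule().apiGroups("monitoring.coreos.com").resources("prometheuses", "prometheusRules", "serviceMonitors").verbs("get", "list", "watch").
		addRule().apiGroups("networking.istio.io").resources("destinationrules", "envoyfilters", "gateways", "serviceentries", "sidecars", "virtualservices").verbs("get", "list", "watch").
		addRule().apiGroups("config.istio.io").resources("apikeys", "authorizations", "checknothings", "circonuses", "deniers", "fluentds", "handlers", "kubernetesenvs", "kuberneteses", "listcheckers", "listentries", "logentries", "memquotas", "metrics", "opas", "prometheuses", "quotas", "quotaspecbindings", "quotaspecs", "rbacs", "reportnothings", "rules", "solarwindses", "stackdrivers", "statsds", "stdios").verbs("get", "list", "watch").
		addRule().apiGroups("authentication.istio.io").resources("policies").verbs("get", "list", "watch").
		addRule().apiGroups("rbac.istio.io").resources("rbacconfigs", "serviceroles", "servicerolebindings").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlansubnets").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlanips").verbs("get", "list", "watch").
		setRoleTemplateNames("view")

	rb.addRoleTemplate("Create Namespaces", "create-ns", "project", true, false, false, false).
		addRule().apiGroups("").resources("namespaces").verbs("create")

	// NOTE(review): "*" on pods/exec, pods/attach, pods/portforward and
	// pods/proxy gives interactive access to the project's running containers,
	// and with it to whatever those containers have mounted. Treat this role
	// as more than "deploy things". The first resource list also repeats
	// several entries (daemonsets, deployments, ...); the repeats are kept
	// exactly as written.
	rb.addRoleTemplate("Manage Workloads", "workloads-manage", "project", true, false, false, false).
		addRule().apiGroups("*").resources("pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy", "replicationcontrollers",
		"replicationcontrollers/scale", "daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets",
		"replicasets/scale", "statefulsets", "cronjobs", "jobs", "daemonsets", "deployments", "deployments/rollback", "deployments/scale",
		"replicasets", "replicasets/scale", "replicationcontrollers/scale", "horizontalpodautoscalers").verbs("*").
		addRule().apiGroups("*").resources("limitranges", "pods/log", "pods/status", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "bindings").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("apps").verbs("*").
		addRule().apiGroups("project.cattle.io").resources("apprevisions").verbs("*").
		addRule().apiGroups("management.cattle.io").resources("projectmonitorgraphs").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlansubnets").verbs("get", "list", "watch").
		addRule().apiGroups("macvlan.cluster.cattle.io").resources("macvlanips").verbs("get", "list", "watch")

	rb.addRoleTemplate("View Workloads", "workloads-view", "project", true, false, false, false).
		addRule().apiGroups("*").resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "daemonsets", "deployments",
		"deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets", "cronjobs", "jobs", "daemonsets",
		"deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "replicationcontrollers/scale",
		"horizontalpodautoscalers").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("limitranges", "pods/log", "pods/status", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "bindings").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("apps").verbs("get", "list", "watch").
		addRule().apiGroups("project.cattle.io").resources("apprevisions").verbs("get", "list", "watch").
		addRule().apiGroups("management.cattle.io").resources("projectmonitorgraphs").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Ingress", "ingress-manage", "project", true, false, false, false).
		addRule().apiGroups("*").resources("ingresses").verbs("*")

	rb.addRoleTemplate("View Ingress", "ingress-view", "project", true, false, false, false).
		addRule().apiGroups("*").resources("ingresses").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Services", "services-manage", "project", true, false, false, false).
		addRule().apiGroups("*").resources("services", "services/proxy", "endpoints").verbs("*")

	rb.addRoleTemplate("View Services", "services-view", "project", true, false, false, false).
		addRule().apiGroups("*").resources("services", "endpoints").verbs("get", "list", "watch")

	// NOTE(review): both secrets roles expose secret contents - "view" here
	// means get/list/watch on the secret objects themselves, not metadata only.
	rb.addRoleTemplate("Manage Secrets", "secrets-manage", "project", true, false, false, false).
		addRule().apiGroups("*").resources("secrets").verbs("*")

	rb.addRoleTemplate("View Secrets", "secrets-view", "project", true, false, false, false).
		addRule().apiGroups("*").resources("secrets").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Config Maps", "configmaps-manage", "project", true, false, false, false).
		addRule().apiGroups("*").resources("configmaps").verbs("*")

	rb.addRoleTemplate("View Config Maps", "configmaps-view", "project", true, false, false, false).
		addRule().apiGroups("*").resources("configmaps").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Volumes", "persistentvolumeclaims-manage", "project", true, false, false, false).
		addRule().apiGroups("*").resources("persistentvolumes").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("storageclasses").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumeclaims").verbs("*")

	rb.addRoleTemplate("View Volumes", "persistentvolumeclaims-view", "project", true, false, false, false).
		addRule().apiGroups("*").resources("persistentvolumes").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("storageclasses").verbs("get", "list", "watch").
		addRule().apiGroups("*").resources("persistentvolumeclaims").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Service Accounts", "serviceaccounts-manage", "project", true, false, false, false).
		addRule().apiGroups("*").resources("serviceaccounts").verbs("*")

	rb.addRoleTemplate("View Service Accounts", "serviceaccounts-view", "project", true, false, false, false).
		addRule().apiGroups("*").resources("serviceaccounts").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Project Members", "projectroletemplatebindings-manage", "project", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projectroletemplatebindings").verbs("*")

	rb.addRoleTemplate("View Project Members", "projectroletemplatebindings-view", "project", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projectroletemplatebindings").verbs("get", "list", "watch")

	rb.addRoleTemplate("Manage Project Catalogs", "projectcatalogs-manage", "project", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projectcatalogs").verbs("*")

	rb.addRoleTemplate("View Project Catalogs", "projectcatalogs-view", "project", true, false, false, false).
		addRule().apiGroups("management.cattle.io").resources("projectcatalogs").verbs("get", "list", "watch")

	rb.addRoleTemplate("Project Monitoring View Role", "project-monitoring-readonly", "project", true, false, true, false).
		addRule().apiGroups("monitoring.cattle.io").resources("prometheus").verbs("view").
		setRoleTemplateNames("view")

	// Not specific to project or cluster
	// TODO When clusterevents has value, consider adding this back in
	//rb.addRoleTemplate("View Events", "events-view", "", true, false, false).
	//	addRule().apiGroups("*").resources("events").verbs("get", "list", "watch").
	//	addRule().apiGroups("management.cattle.io").resources("clusterevents").verbs("get", "list", "watch")

	if err := rb.reconcileRoleTemplates(management); err != nil {
		return "", errors.Wrap(err, "problem reconciling role templates")
	}

	adminName, err := bootstrapAdmin(management)
	if err != nil {
		return "", err
	}

	err = bootstrapDefaultRoles(management)
	if err != nil {
		return "", err
	}

	return adminName, nil
}

// bootstrapAdmin checks if the bootstrapAdminConfig exists, if it does this indicates rancher has
// already created the admin user and should not attempt it again. Otherwise attempt to create the admin.
//
// It returns the name of the first user labelled with defaultAdminLabel, or of
// the user it has just created. An empty name with a nil error is returned
// when the ConfigMap lookup fails for a reason other than "not found".
func bootstrapAdmin(management *config.ManagementContext) (string, error) {
	var adminName string

	set := labels.Set(defaultAdminLabel)
	admins, err := management.Management.Users("").List(v1.ListOptions{LabelSelector: set.String()})
	if err != nil {
		return "", err
	}
	if len(admins.Items) > 0 {
		adminName = admins.Items[0].Name
	}

	_, err = management.K8sClient.CoreV1().ConfigMaps(cattleNamespace).Get(bootstrapAdminConfig, v1.GetOptions{})
	if err == nil {
		// config map already exists, nothing to do
		return adminName, nil
	}
	if !apierrors.IsNotFound(err) {
		// Best effort: when the marker cannot be read, do not risk creating
		// a second default admin; skip the bootstrap for this start.
		logrus.Warnf("Unable to determine if admin user already created: %v", err)
		return "", nil
	}

	users, err := management.Management.Users("").List(v1.ListOptions{})
	if err != nil {
		return "", err
	}

	if len(users.Items) == 0 {
		// Config map does not exist and no users, attempt to create the default admin user.
		//
		// The initial password is the well-known string "admin". The only
		// control applied here is MustChangePassword; whether login enforces
		// that flag is decided outside this file. Until the password has
		// been changed the account is protected by nothing else, so keep
		// the server off untrusted networks during first start.
		hash, err := bcrypt.GenerateFromPassword([]byte("admin"), bcrypt.DefaultCost)
		if err != nil {
			// Never store a user whose Password field is an empty hash.
			return "", errors.Wrap(err, "can not hash default admin password")
		}
		admin, err := management.Management.Users("").Create(&v3.User{
			ObjectMeta: v1.ObjectMeta{
				GenerateName: "user-",
				Labels:       defaultAdminLabel,
			},
			DisplayName:        "Default Admin",
			Username:           "admin",
			Password:           string(hash),
			MustChangePassword: true,
		})
		if err != nil && !apierrors.IsAlreadyExists(err) {
			return "", errors.Wrap(err, "can not ensure admin user exists")
		}

		// On the tolerated AlreadyExists path the returned object may be nil
		// or carry no name; in that case there is no user to bind, and an
		// admin binding must not be created for an empty user name.
		if admin == nil || admin.Name == "" {
			logrus.Warn("Default admin user name is unknown, skipping default admin global role binding")
		} else {
			adminName = admin.Name

			bindings, err := management.Management.GlobalRoleBindings("").List(v1.ListOptions{LabelSelector: set.String()})
			if err != nil {
				return "", err
			}
			if len(bindings.Items) == 0 {
				_, err = management.Management.GlobalRoleBindings("").Create(
					&v3.GlobalRoleBinding{
						ObjectMeta: v1.ObjectMeta{
							GenerateName: "globalrolebinding-",
							Labels:       defaultAdminLabel,
						},
						UserName:       adminName,
						GlobalRoleName: "admin",
					})
				if err != nil {
					// NOTE(review): the marker ConfigMap is still written
					// below, so this binding is not retried on a later
					// start; the admin user would then exist without the
					// admin role until it is bound by hand.
					logrus.Warnf("Failed to create default admin global role binding: %v", err)
				} else {
					logrus.Info("Created default admin user and binding")
				}
			}
		}
	}

	// Record that the bootstrap ran so later starts skip it.
	adminConfigMap := corev1.ConfigMap{
		ObjectMeta: v1.ObjectMeta{
			Name:      bootstrapAdminConfig,
			Namespace: cattleNamespace,
		},
	}

	_, err = management.K8sClient.CoreV1().ConfigMaps(cattleNamespace).Create(&adminConfigMap)
	if err != nil && !apierrors.IsAlreadyExists(err) {
		logrus.Warnf("Error creating admin config map: %v", err)
	}

	return adminName, nil
}

// bootstrapDefaultRoles will set the default roles for user login, cluster create
// and project create. If the default roles already have the bootstrappedRole
// annotation this will be a no-op as this was done on a previous startup and will
// now respect the currently selected defaults.
//
// A failure to fetch the "user" global role or to update any role is returned.
// A failure to fetch "cluster-owner" or "project-owner" is logged and ends the
// function with a nil error, as before; only the log line is new.
func bootstrapDefaultRoles(management *config.ManagementContext) error {
	user, err := management.Management.GlobalRoles("").Get("user", v1.GetOptions{})
	if err != nil {
		return err
	}
	if _, ok := user.Annotations[bootstrappedRole]; !ok {
		// Work on a copy so the object returned by the client is not mutated.
		updated := user.DeepCopy()
		updated.NewUserDefault = true
		if updated.Annotations == nil {
			updated.Annotations = make(map[string]string)
		}
		updated.Annotations[bootstrappedRole] = "true"

		if _, err := management.Management.GlobalRoles("").Update(updated); err != nil {
			return err
		}
	}

	clusterRole, err := management.Management.RoleTemplates("").Get("cluster-owner", v1.GetOptions{})
	if err != nil {
		// The project-owner default below is skipped as well on this path.
		logrus.Warnf("Unable to get cluster-owner role template, default creator roles not bootstrapped: %v", err)
		return nil
	}
	if _, ok := clusterRole.Annotations[bootstrappedRole]; !ok {
		updated := clusterRole.DeepCopy()
		updated.ClusterCreatorDefault = true
		if updated.Annotations == nil {
			updated.Annotations = make(map[string]string)
		}
		updated.Annotations[bootstrappedRole] = "true"

		if _, err := management.Management.RoleTemplates("").Update(updated); err != nil {
			return err
		}
	}

	projectRole, err := management.Management.RoleTemplates("").Get("project-owner", v1.GetOptions{})
	if err != nil {
		logrus.Warnf("Unable to get project-owner role template, default project creator role not bootstrapped: %v", err)
		return nil
	}
	if _, ok := projectRole.Annotations[bootstrappedRole]; !ok {
		updated := projectRole.DeepCopy()
		updated.ProjectCreatorDefault = true
		if updated.Annotations == nil {
			updated.Annotations = make(map[string]string)
		}
		updated.Annotations[bootstrappedRole] = "true"

		if _, err := management.Management.RoleTemplates("").Update(updated); err != nil {
			return err
		}
	}

	return nil
}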
tree_recursive.go
Source:tree_recursive.go
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.

package notify

import "sync"

// watchAdd registers event set e for channel c on nd's own watchpoint and
// returns the resulting eventDiff.
//
// When nd also holds a non-empty watchpoint under the empty child key
// (nd.Child[""], referred to in this file as the "inactive" watchpoint), that
// watchpoint's total event set is OR-ed into both halves of the diff. If the
// two halves are then equal, none is returned.
//
// NOTE(review): diff[0] and diff[1] are presumably the previous and the new
// event set - they are passed in that order to Rewatch elsewhere in this file.
func watchAdd(nd node, c chan<- EventInfo, e Event) eventDiff {
	diff := nd.Watch.Add(c, e)
	if wp := nd.Child[""].Watch; len(wp) != 0 {
		e = wp.Total()
		diff[0] |= e
		diff[1] |= e
		if diff[0] == diff[1] {
			return none
		}
	}
	return diff
}

// watchAddInactive registers event set e for channel c on the watchpoint
// stored under nd.Child[""], creating that watchpoint first when it is nil.
//
// The total event set of nd's own watchpoint is then OR-ed into both halves of
// the diff. If the halves end up equal, none is returned.
func watchAddInactive(nd node, c chan<- EventInfo, e Event) eventDiff {
	wp := nd.Child[""].Watch
	if wp == nil {
		wp = make(watchpoint)
		nd.Child[""] = node{Watch: wp}
	}
	diff := wp.Add(c, e)
	e = nd.Watch.Total()
	diff[0] |= e
	diff[1] |= e
	if diff[0] == diff[1] {
		return none
	}
	return diff
}

// watchCopy copies the watchpoints of src into the inactive watchpoint of dst.
//
// Every entry of src.Watch with a non-nil channel is added through
// watchAddInactive. Entries of src's own inactive watchpoint (non-nil channels
// only) are then added directly to dst.Child[""].Watch.
func watchCopy(src, dst node) {
	for c, e := range src.Watch {
		if c == nil {
			continue
		}
		watchAddInactive(dst, c, e)
	}
	if wpsrc := src.Child[""].Watch; len(wpsrc) != 0 {
		// NOTE(review): unlike watchAddInactive there is no nil check here. If
		// the loop above registered nothing, dst.Child[""].Watch may still be
		// nil - confirm that watchpoint.Add tolerates a nil receiver.
		wpdst := dst.Child[""].Watch
		for c, e := range wpsrc {
			if c == nil {
				continue
			}
			wpdst.Add(c, e)
		}
	}
}

// watchDel removes event set e for channel c from nd's own watchpoint and
// returns the resulting eventDiff.
//
// When nd holds a non-empty inactive watchpoint, (c, e) is removed from it as
// well. That removal's diff and the inactive watchpoint's remaining total are
// OR-ed into the result. If both halves are then equal, none is returned.
func watchDel(nd node, c chan<- EventInfo, e Event) eventDiff {
	diff := nd.Watch.Del(c, e)
	if wp := nd.Child[""].Watch; len(wp) != 0 {
		diffInactive := wp.Del(c, e)
		e = wp.Total()
		// TODO(rjeczalik): add e if e != all?
		diff[0] |= diffInactive[0] | e
		diff[1] |= diffInactive[1] | e
		if diff[0] == diff[1] {
			return none
		}
	}
	return diff
}

// watchTotal returns the union of the total event set of nd's own watchpoint
// and, when it is non-empty, of nd's inactive watchpoint.
func watchTotal(nd node) Event {
	e := nd.Watch.Total()
	if wp := nd.Child[""].Watch; len(wp) != 0 {
		e |= wp.Total()
	}
	return e
}

// watchIsRecursive reports whether nd should be treated as recursively
// watched: either its own watchpoint says so, or it holds a non-empty inactive
// watchpoint.
func watchIsRecursive(nd node) bool {
	ok := nd.Watch.IsRecursive()
	// TODO(rjeczalik): add a test for len(wp) != 0 change the condition.
	if wp := nd.Child[""].Watch; len(wp) != 0 {
		// If a watchpoint holds inactive watchpoints, it means it's a parent
		// one, which is recursive by nature even though it may be not recursive
		// itself.
		ok = true
	}
	return ok
}

// recursiveTree is the watchpoint tree used with a watcher that supports
// recursive watches. Events are read from c and dispatched to the watchpoints
// registered under root.
type recursiveTree struct {
	rw   sync.RWMutex // protects root
	root root
	// TODO(rjeczalik): merge watcher + recursiveWatcher after #5 and #6
	w interface {
		watcher
		recursiveWatcher
	}
	c chan EventInfo
}

// newRecursiveTree builds a recursiveTree whose root is an empty-named node,
// stores w so it can be used as both a watcher and a recursiveWatcher, and
// starts the dispatch goroutine reading from c.
//
// w.(watcher) is an unchecked type assertion: the call panics if w does not
// also implement watcher.
func newRecursiveTree(w recursiveWatcher, c chan EventInfo) *recursiveTree {
	t := &recursiveTree{
		root: root{nd: newnode("")},
		w: struct {
			watcher
			recursiveWatcher
		}{w.(watcher), w},
		c: c,
	}
	go t.dispatch()
	return t
}

// dispatch reads events from t.c until the channel is closed and delivers each
// one, in its own goroutine, to the watchpoints on the event's path.
//
// Under the read lock, every node above the event's directory is notified with
// the recursive flag. The directory node itself is notified with flag 0, as is
// the node for the base name if one exists.
//
// NOTE(review): one goroutine is started per event and no bound is visible
// here. Delivery order across events is therefore not enforced by this
// function, and a burst of events translates directly into goroutine growth.
// Worth bounding when watched paths are writable by parties you do not
// control.
func (t *recursiveTree) dispatch() {
	for ei := range t.c {
		dbgprintf("dispatching %v on %q", ei.Event(), ei.Path())
		go func(ei EventInfo) {
			nd, ok := node{}, false
			dir, base := split(ei.Path())
			fn := func(it node, isbase bool) error {
				if isbase {
					nd = it
				} else {
					it.Watch.Dispatch(ei, recursive)
				}
				return nil
			}
			t.rw.RLock()
			defer t.rw.RUnlock()
			// Notify recursive watchpoints found on the path.
			if err := t.root.WalkPath(dir, fn); err != nil {
				dbgprint("dispatch did not reach leaf:", err)
				return
			}
			// Notify parent watchpoint.
			nd.Watch.Dispatch(ei, 0)
			// If leaf watchpoint exists, notify it.
			if nd, ok = nd.Child[base]; ok {
				nd.Watch.Dispatch(ei, 0)
			}
		}(ei)
	}
}

// Watch TODO(rjeczalik)
func (t *recursiveTree) Watch(path string, c chan<- EventInfo, events ...Event) error {
	if c == nil {
		panic("notify: Watch using nil channel")
	}
	// Expanding with empty event set is a nop.
	if len(events) == 0 {
		return nil
	}
	path, isrec, err := cleanpath(path)
	if err != nil {
		return err
	}
	eventset := joinevents(events)
	if isrec {
		eventset |= recursive
	}
	t.rw.Lock()
	defer t.rw.Unlock()
	// case 1: cur is a child
	//
	// Look for parent watch which already covers the given path.
	parent := node{}
	self := false
	err = t.root.WalkPath(path, func(nd node, isbase bool) error {
		if watchTotal(nd) != 0 {
			parent = nd
			self = isbase
			return errSkip
		}
		return nil
	})
	cur := t.root.Add(path) // add after the walk, so it's less to traverse
	if err == nil && parent.Watch != nil {
		// Parent watch found. Register inactive watchpoint, so we have enough
		// information to shrink the eventset on eventual Stop.
		// return t.resetwatchpoint(parent, parent, c, eventset|inactive)
		var diff eventDiff
		if self {
			diff = watchAdd(cur, c, eventset)
		} else {
			diff = watchAddInactive(parent, c, eventset)
		}
		switch {
		case diff == none:
			// the parent watchpoint already covers requested subtree with its
			// eventset
		case diff[0] == 0:
			// TODO(rjeczalik): cleanup this panic after implementation is stable
			panic("dangling watchpoint: " + parent.Name)
		default:
			if isrec || watchIsRecursive(parent) {
				err = t.w.RecursiveRewatch(parent.Name, parent.Name, diff[0], diff[1])
			} else {
				err = t.w.Rewatch(parent.Name, diff[0], diff[1])
			}
			if err != nil {
				watchDel(parent, c, diff.Event())
				return err
			}
			watchAdd(cur, c, eventset)
			// TODO(rjeczalik): account top-most path for c
			return nil
		}
		if !self {
			watchAdd(cur, c, eventset)
		}
		return nil
	}
	// case 2: cur is new parent
	//
	// Look for children nodes, unwatch n-1 of them and rewatch the last one.
	var children []node
	fn := func(nd node) error {
		if len(nd.Watch) == 0 {
			return nil
		}
		children = append(children, nd)
		return errSkip
	}
	switch must(cur.Walk(fn)); len(children) {
	case 0:
		// no child watches, cur holds a new watch
	case 1:
		watchAdd(cur, c, eventset) // TODO(rjeczalik): update cache c subtree root?
		watchCopy(children[0], cur)
		err = t.w.RecursiveRewatch(children[0].Name, cur.Name, watchTotal(children[0]),
			watchTotal(cur))
		if err != nil {
			// Clean inactive watchpoint. The c chan did not exist before.
			cur.Child[""] = node{}
			delete(cur.Watch, c)
			return err
		}
		return nil
	default:
		watchAdd(cur, c, eventset)
		// Copy children inactive watchpoints to the new parent.
		for _, nd := range children {
			watchCopy(nd, cur)
		}
		// Watch parent subtree.
		if err = t.w.RecursiveWatch(cur.Name, watchTotal(cur)); err != nil {
			// Clean inactive watchpoint. The c chan did not exist before.
			cur.Child[""] = node{}
			delete(cur.Watch, c)
			return err
		}
		// Unwatch children subtrees.
		var e error
		for _, nd := range children {
			if watchIsRecursive(nd) {
				e = t.w.RecursiveUnwatch(nd.Name)
			} else {
				e = t.w.Unwatch(nd.Name)
			}
			if e != nil {
				err = nonil(err, e)
				// TODO(rjeczalik): child is still watched, warn all its watchpoints
				// about possible duplicate events via Error event
			}
		}
		return err
	}
	// case 3: cur is new, alone node
	switch diff := watchAdd(cur, c, eventset); {
	case diff == none:
		// TODO(rjeczalik): cleanup this panic after implementation is stable
		panic("watch requested but no parent watchpoint found: " + cur.Name)
	case diff[0] == 0:
		if isrec {
			err = t.w.RecursiveWatch(cur.Name, diff[1])
		} else {
			err = t.w.Watch(cur.Name, diff[1])
		}
		if err != nil {
			watchDel(cur, c, diff.Event())
			return err
		}
	default:
		// ... (listing truncated on the page)
tree_nonrecursive.go
Source:tree_nonrecursive.go
// ... (listing on the page resumes mid-function)
		if eset == internal {
			t.rw.Unlock()
			continue
		}
		err := nd.Add(ei.Path()).AddDir(t.recFunc(eset))
		t.rw.Unlock()
		if err != nil {
			dbgprintf("internal(%p) error: %v", rec, err)
		}
	}
}

// watchAdd registers event set e for channel c on nd's watchpoint.
//
// When e carries the recursive bit, e|Create|omit is first registered for the
// tree's internal channel t.rec and then e for c. The diff returned is the one
// from the t.rec registration. Otherwise the diff of the single Add for c is
// returned.
func (t *nonrecursiveTree) watchAdd(nd node, c chan<- EventInfo, e Event) eventDiff {
	if e&recursive != 0 {
		diff := nd.Watch.Add(t.rec, e|Create|omit)
		nd.Watch.Add(c, e)
		return diff
	}
	return nd.Watch.Add(c, e)
}

// watchDelMin removes event set e for channel c from nd's watchpoint while
// keeping the entry of the internal channel t.rec consistent.
//
// If t.rec has an entry, it is temporarily overwritten with min before (c, e)
// is removed. The bits that the removal dropped (set in diff[0] but not in
// diff[1]) are then cleared from the saved value. If nothing beyond internal
// remains, the t.rec entry is deleted, together with a lone zero-valued
// nil-channel entry. Otherwise t.rec is re-registered with the remaining bits
// plus Create, and the returned diff is adjusted so that Create is not
// reported as removed.
func (t *nonrecursiveTree) watchDelMin(min Event, nd node, c chan<- EventInfo, e Event) eventDiff {
	old, ok := nd.Watch[t.rec]
	if ok {
		nd.Watch[t.rec] = min
	}
	diff := nd.Watch.Del(c, e)
	if ok {
		switch old &^= diff[0] &^ diff[1]; {
		case old|internal == internal:
			delete(nd.Watch, t.rec)
			if set, ok := nd.Watch[nil]; ok && len(nd.Watch) == 1 && set == 0 {
				delete(nd.Watch, nil)
			}
		default:
			nd.Watch.Add(t.rec, old|Create)
			switch {
			case diff == none:
			case diff[1]|Create == diff[0]:
				diff = none
			default:
				diff[1] |= Create
			}
		}
	}
	return diff
}

// watchDel is watchDelMin with a minimum event set of 0.
func (t *nonrecursiveTree) watchDel(nd node, c chan<- EventInfo, e Event) eventDiff {
	return t.watchDelMin(0, nd, c, e)
}

// Watch registers channel c for the given events on path.
//
// It panics when c is nil and returns nil without doing anything when no
// events are given. The path is normalised by cleanpath, whose error is
// returned as is. With the tree's write lock held, the node for the path is
// added and the call is handed to watchrec (when cleanpath reported a
// recursive path) or to watch.
//
// NOTE(review): cleanpath is the only processing applied to the
// caller-supplied path before it reaches the watcher. Its rules are not
// visible here - confirm what it accepts if paths can come from untrusted
// input.
func (t *nonrecursiveTree) Watch(path string, c chan<- EventInfo, events ...Event) error {
	if c == nil {
		panic("notify: Watch using nil channel")
	}
	// Expanding with empty event set is a nop.
	if len(events) == 0 {
		return nil
	}
	path, isrec, err := cleanpath(path)
	if err != nil {
		return err
	}
	eset := joinevents(events)
	t.rw.Lock()
	defer t.rw.Unlock()
	nd := t.root.Add(path)
	if isrec {
		return t.watchrec(nd, c, eset|recursive)
	}
	return t.watch(nd, c, eset)
}

// watch registers e for c on nd and brings the underlying watcher in line.
//
// No watcher call is made when the registration changes nothing. A new watch
// is set when diff[0] is 0, and an existing one is re-watched otherwise. If
// the watcher call fails, the registration is rolled back with Del and the
// error is returned.
func (t *nonrecursiveTree) watch(nd node, c chan<- EventInfo, e Event) (err error) {
	diff := nd.Watch.Add(c, e)
	switch {
	case diff == none:
		return nil
	case diff[1] == 0:
		// TODO(rjeczalik): cleanup this panic after implementation is stable
		panic("eset is empty: " + nd.Name)
	case diff[0] == 0:
		err = t.w.Watch(nd.Name, diff[1])
	default:
		err = t.w.Rewatch(nd.Name, diff[0], diff[1])
	}
	if err != nil {
		nd.Watch.Del(c, diff.Event())
		return err
	}
	return nil
}

// recFunc returns a walkFunc that registers e|omit|Create for the internal
// channel t.rec on each visited node and then sets or updates the node's
// watch through t.w.
//
// NOTE(review): the values returned by t.w.Watch and t.w.Rewatch are discarded
// here and the walkFunc always returns nil. Compare watch, which rolls the
// registration back on error. A directory whose watch could not be set
// therefore keeps a registered watchpoint with no backing watch, and events
// below it are missed without any signal to the caller. This matters when the
// tree backs monitoring that is expected to be complete. See the TODO in
// watchrec.
func (t *nonrecursiveTree) recFunc(e Event) walkFunc {
	return func(nd node) error {
		switch diff := nd.Watch.Add(t.rec, e|omit|Create); {
		case diff == none:
		case diff[1] == 0:
			// TODO(rjeczalik): cleanup this panic after implementation is stable
			panic("eset is empty: " + nd.Name)
		case diff[0] == 0:
			t.w.Watch(nd.Name, diff[1])
		default:
			t.w.Rewatch(nd.Name, diff[0], diff[1])
		}
		return nil
	}
}

// watchrec registers a recursive watch for c on nd.
//
// A dry-run Add for t.rec decides how to proceed. If nothing would change,
// only the registrations are made. Otherwise the subtree is traversed with
// recFunc, using nd.AddDir when the node had no previous event set and nd.Walk
// when it did, and c is registered once the traversal succeeds.
func (t *nonrecursiveTree) watchrec(nd node, c chan<- EventInfo, e Event) error {
	var traverse func(walkFunc) error
	// Non-recursive tree listens on Create event for every recursive
	// watchpoint in order to automagically set a watch for every
	// created directory.
	switch diff := nd.Watch.dryAdd(t.rec, e|Create); {
	case diff == none:
		t.watchAdd(nd, c, e)
		nd.Watch.Add(t.rec, e|omit|Create)
		return nil
	case diff[1] == 0:
		// TODO(rjeczalik): cleanup this panic after implementation is stable
		panic("eset is empty: " + nd.Name)
	case diff[0] == 0:
		// TODO(rjeczalik): BFS into directories and skip subtree as soon as first
		// recursive watchpoint is encountered.
		traverse = nd.AddDir
	default:
		traverse = nd.Walk
	}
	// TODO(rjeczalik): account every path that failed to be (re)watched
	// and retry.
	if err := traverse(t.recFunc(e)); err != nil {
		return err
	}
	t.watchAdd(nd, c, e)
	return nil
}

// walkWatchpointFunc is the callback type taken by walkWatchpoint. It receives
// an Event and a node.
type walkWatchpointFunc func(Event, node) error

func (t *nonrecursiveTree) walkWatchpoint(nd node, fn walkWatchpointFunc) error {
	type minode struct {
		min Event
		nd  node
	}
	mnd := minode{nd: nd}
	stack := []minode{mnd}
Traverse:
	for n := len(stack); n != 0; n = len(stack) {
		mnd, stack = stack[n-1], stack[:n-1]
		// There must be no recursive watchpoints if the node has no watchpoints...