lburgazzoli closed pull request #7: Fix operator role to have lower privileges than the standard user and standardize command options URL: https://github.com/apache/camel-k/pull/7
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/Gopkg.lock b/Gopkg.lock
index cf518d5..a5a82a6 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -585,6 +585,6 @@ [solve-meta] analyzer-name = "dep" analyzer-version = 1 - inputs-digest = "d79b669e9448950b8210a635a4857097167f8cdbec4ece89a268a3c881fbd61a" + inputs-digest = "405777dfb5657ae94b83be9b95d4b4121f15b8ef87415d8f1b525cdffbb388cb" solver-name = "gps-cdcl" solver-version = 1
diff --git a/deploy/operator-role.yaml b/deploy/operator-role.yaml
index 7dea8d3..ac0ab7a 100644
--- a/deploy/operator-role.yaml
+++ b/deploy/operator-role.yaml
@@ -16,17 +16,46 @@ rules:
 - services
 - endpoints
 - persistentvolumeclaims
- - events
 - configmaps
 - secrets
 verbs:
- - "*"
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - apps
 resources:
 - deployments
- - daemonsets
 - replicasets
 - statefulsets
 verbs:
- - "*"
\ No newline at end of file
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ attributeRestrictions: null
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/deploy/resources.go b/deploy/resources.go
index 1048333..4dd9f89 100644
--- a/deploy/resources.go
+++ b/deploy/resources.go
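Review bot: In deploy/operator-role.yaml the first rule still groups `secrets` and `configmaps` with services and endpoints, so replacing `"*"` with the explicit list leaves the operator with create, delete, deletecollection, patch and update on every secret in the namespace. Whether the operator needs write access to secrets is not visible from this hunk; if it does not, a separate rule for `secrets` with only the verbs it actually uses would limit what a compromised operator pod can reach. The new daemonsets rule also carries `attributeRestrictions: null`, which no other rule has and which looks like residue from an exported object; dropping that line keeps the rules uniform. The same rule text is embedded in the deploy/resources.go hunk, so any change here applies there as well.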
@@ -101,20 +101,49 @@ rules:
 - services
 - endpoints
 - persistentvolumeclaims
- - events
 - configmaps
 - secrets
 verbs:
- - "*"
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - apps
 resources:
 - deployments
- - daemonsets
 - replicasets
 - statefulsets
 verbs:
- - "*"
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ attributeRestrictions: null
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 `
 Resources["operator-service-account.yaml"] = `
diff --git a/pkg/client/cmd/get.go b/pkg/client/cmd/get.go
index 39a45d9..05be2e3 100644
--- a/pkg/client/cmd/get.go
+++ b/pkg/client/cmd/get.go
@@ -27,18 +27,25 @@ import (
 "github.com/operator-framework/operator-sdk/pkg/sdk"
 )
-func NewCmdGet() *cobra.Command {
+type GetCmdOptions struct {
+ *RootCmdOptions
+}
+
+func NewCmdGet(rootCmdOptions *RootCmdOptions) *cobra.Command {
+ options := GetCmdOptions{
+ RootCmdOptions: rootCmdOptions,
+ }
 cmd := cobra.Command{
 Use: "get",
 Short: "Get all integrations deployed on Kubernetes",
 Long: `Get the status of all integrations deployed on on Kubernetes.`,
- RunE: run,
+ RunE: options.run,
 }
 return &cmd
 }
-func run(cmd *cobra.Command, args []string) error {
+func (o *GetCmdOptions) run(cmd *cobra.Command, args []string) error {
 integrationList := v1alpha1.IntegrationList{
 TypeMeta: metav1.TypeMeta{
 APIVersion: v1alpha1.SchemeGroupVersion.String(),
@@ -46,7 +53,7 @@ func run(cmd *cobra.Command, args []string) error {
 },
 }
- namespace := cmd.Flag("namespace").Value.String()
+ namespace := o.Namespace
 err := sdk.List(namespace, &integrationList)
 if err != nil {
diff --git a/pkg/client/cmd/install.go b/pkg/client/cmd/install.go
index edeece4..e57257c 100644
--- a/pkg/client/cmd/install.go
+++ b/pkg/client/cmd/install.go
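Review bot: In pkg/client/cmd/get.go, `GetCmdOptions` embeds `*RootCmdOptions` as a pointer and `NewCmdGet` stores whatever it is given, so a nil argument compiles and only fails with a nil dereference once `run` reads `o.Namespace`. The exported type and constructor have no doc comment stating that contract; `// NewCmdGet builds the "get" subcommand; rootCmdOptions must be non-nil and is shared with the root command.` would do, with a matching line on `GetCmdOptions`. The same applies to `NewCmdInstall` and `NewCmdRun` in the install.go and run.go hunks.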
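Review bot: In the second get.go hunk, `namespace := o.Namespace` is handed to `sdk.List` without checking that it is non-empty. How `RootCmdOptions.Namespace` is populated is in root.go outside the lines shown, so an unset value may reach the API call as `""`, which Kubernetes clients usually interpret as all namespaces. A guard such as `if namespace == "" { return errors.New("namespace is not set") }` before the call makes the failure explicit and keeps the command scoped to one namespace. The install.go and run.go hunks make the same substitution before `installutils.InstallOperator` and `kubernetes.SanitizeName`, and all three function bodies continue outside their hunks.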
@@ -25,10 +25,14 @@ import (
 )
 type InstallCmdOptions struct {
+ *RootCmdOptions
+ ClusterSetupOnly bool
 }
-func NewCmdInstall() *cobra.Command {
- options := InstallCmdOptions{}
+func NewCmdInstall(rootCmdOptions *RootCmdOptions) *cobra.Command {
+ options := InstallCmdOptions{
+ RootCmdOptions: rootCmdOptions,
+ }
 cmd := cobra.Command{
 Use: "install",
 Short: "Install Camel K on a Kubernetes cluster",
@@ -47,7 +51,7 @@ func (o *InstallCmdOptions) install(cmd *cobra.Command, args []string) error {
 return nil // TODO better error handling: if here we return err the help page is shown
 }
- namespace := cmd.Flag("namespace").Value.String()
+ namespace := o.Namespace
 err = installutils.InstallOperator(namespace)
 if err != nil {
diff --git a/pkg/client/cmd/root.go b/pkg/client/cmd/root.go
index f310f10..4849a8c 100644
--- a/pkg/client/cmd/root.go
+++ b/pkg/client/cmd/root.go
@@ -25,13 +25,13 @@ import (
 "github.com/pkg/errors"
 )
-type rootCmdOptions struct {
+type RootCmdOptions struct {
 KubeConfig string
 Namespace string
 }
 func NewKamelCommand() (*cobra.Command, error) {
- options := rootCmdOptions{}
+ options := RootCmdOptions{}
 var cmd = cobra.Command{
 Use: "kamel",
 Short: "Kamel is a awesome client tool for running Apache Camel integrations natively on Kubernetes",
@@ -60,9 +60,9 @@ func NewKamelCommand() (*cobra.Command, error) {
 cmd.AddCommand(NewCmdCompletion())
 cmd.AddCommand(NewCmdVersion())
- cmd.AddCommand(NewCmdRun())
- cmd.AddCommand(NewCmdGet())
- cmd.AddCommand(NewCmdInstall())
+ cmd.AddCommand(NewCmdRun(&options))
+ cmd.AddCommand(NewCmdGet(&options))
+ cmd.AddCommand(NewCmdInstall(&options))
 return &cmd, nil
 }
diff --git a/pkg/client/cmd/run.go b/pkg/client/cmd/run.go
index 1fb90d4..889b326 100644
--- a/pkg/client/cmd/run.go
+++ b/pkg/client/cmd/run.go
@@ -33,11 +33,14 @@ import (
 )
 type RunCmdOptions struct {
+ *RootCmdOptions
 Language string
 }
-func NewCmdRun() *cobra.Command {
- options := RunCmdOptions{}
+func NewCmdRun(rootCmdOptions *RootCmdOptions) *cobra.Command {
+ options := RunCmdOptions{
+ RootCmdOptions: rootCmdOptions,
+ }
 cmd := cobra.Command{
 Use: "run [file to run]",
 Short: "Run a integration on Kubernetes",
@@ -71,7 +74,7 @@ func (o *RunCmdOptions) run(cmd *cobra.Command, args []string) error {
 return err
 }
- namespace := cmd.Flag("namespace").Value.String()
+ namespace := o.Namespace
 name := kubernetes.SanitizeName(args[0])
 if name == "" {
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services