
Support ServiceAccount Tenant owner with SA name

Open maxgio92 opened this issue 3 years ago • 0 comments

Describe the feature

The proposal is to support, in the ownerSpec, ServiceAccount-kind owners whose name is the Service Account name, besides the related user's name (i.e. system:serviceaccount:<namespace>:<service account name>).

What would the new user story look like?

As a cluster/platform admin I would like to specify ServiceAccount tenant owners with the ServiceAccount name instead of the related user's name.

Proposed behavior

The tenant controller would keep the subject of the role binding either from the user name (name and namespace split by ':'):

```go
func (r *Manager) ownerClusterRoleBindings(owner capsulev1beta1.OwnerSpec, clusterRole string) capsulev1beta1.AdditionalRoleBindingsSpec {
	...
	if owner.Kind == "ServiceAccount" {
		// Last two segments of system:serviceaccount:<namespace>:<name>
		splitName := strings.Split(owner.Name, ":")

		subject = rbacv1.Subject{
			Kind:      owner.Kind.String(),
			Name:      splitName[len(splitName)-1],
			Namespace: splitName[len(splitName)-2],
		}
		...
```

or the subject.Name directly from the owner.Name and subject.Namespace from the Tenant's Namespace, e.g.:

```go
func (r *Manager) ownerClusterRoleBindings(tenant *capsulev1beta1.Tenant, owner capsulev1beta1.OwnerSpec, clusterRole string) capsulev1beta1.AdditionalRoleBindingsSpec {
	...
	if owner.Kind == "ServiceAccount" {
		...
		// Bare ServiceAccount name; namespace taken from the Tenant
		subject = rbacv1.Subject{
			Kind:      owner.Kind.String(),
			Name:      owner.Name,
			Namespace: tenant.Namespace,
		}
		...
```

maxgio92, Aug 13 '22 15:08
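As an added example (not Capsule's code and not from the issue author), the following Go function resolves a ServiceAccount owner into an RBAC subject under both forms the issue discusses: the Kubernetes user name `system:serviceaccount:<namespace>:<name>` and the bare ServiceAccount name resolved against a caller-supplied namespace. It adds the validation a reviewer would want before such a subject lands in a RoleBinding: the prefix must be the real `system:serviceaccount:` one, exactly two segments must follow it, a bare name must not contain ':' (a plain split on ':' cannot tell that case apart from a truncated user name), and an empty namespace or name is rejected rather than bound. `Subject` and `OwnerSpec` are local stand-ins for `rbacv1.Subject` and `capsulev1beta1.OwnerSpec`, with the same field names, so the example runs without the Kubernetes modules; `ResolveServiceAccountSubject` and the sample owner names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject is a stand-in for rbacv1.Subject (k8s.io/api/rbac/v1), kept local so the
// example runs without the Kubernetes module. Field names match the real type.
type Subject struct {
	Kind      string
	Name      string
	Namespace string
}

// OwnerSpec is a minimal stand-in for capsulev1beta1.OwnerSpec, carrying only the
// two fields the resolution logic needs.
type OwnerSpec struct {
	Kind string // "User", "Group" or "ServiceAccount"
	Name string
}

// saUserPrefix is the fixed prefix Kubernetes gives ServiceAccount user names.
const saUserPrefix = "system:serviceaccount:"

// ResolveServiceAccountSubject builds the RBAC subject for a ServiceAccount owner.
// Accepted forms:
//   - the user name "system:serviceaccount:<namespace>:<name>" (namespace taken from it)
//   - the bare ServiceAccount name, bound in defaultNamespace
// Anything else is rejected: a subject with a mis-parsed or empty namespace would
// either bind nobody or bind an account in the wrong namespace.
func ResolveServiceAccountSubject(owner OwnerSpec, defaultNamespace string) (Subject, error) {
	if owner.Kind != "ServiceAccount" {
		return Subject{}, fmt.Errorf("owner kind %q is not ServiceAccount", owner.Kind)
	}

	var ns, name string
	switch {
	case strings.HasPrefix(owner.Name, saUserPrefix):
		// Full user name: exactly <namespace>:<name> must follow the prefix.
		parts := strings.Split(strings.TrimPrefix(owner.Name, saUserPrefix), ":")
		if len(parts) != 2 {
			return Subject{}, fmt.Errorf("malformed service account user name %q", owner.Name)
		}
		ns, name = parts[0], parts[1]
	case strings.Contains(owner.Name, ":"):
		// A colon without the system:serviceaccount: prefix matches neither form.
		return Subject{}, fmt.Errorf("unexpected ':' in service account name %q", owner.Name)
	default:
		// Bare name: the namespace has to come from the caller (e.g. the Tenant).
		ns, name = defaultNamespace, owner.Name
	}

	if ns == "" || name == "" {
		return Subject{}, fmt.Errorf("service account owner %q resolves to an empty namespace or name", owner.Name)
	}
	return Subject{Kind: "ServiceAccount", Name: name, Namespace: ns}, nil
}

func main() {
	// Constructed sample owners; "team-a" and "builder" are made-up names.
	owners := []OwnerSpec{
		{Kind: "ServiceAccount", Name: "system:serviceaccount:team-a:builder"},
		{Kind: "ServiceAccount", Name: "builder"},
		{Kind: "ServiceAccount", Name: "system:serviceaccount:builder"}, // missing namespace
		{Kind: "ServiceAccount", Name: "team-a:builder"},                // neither form
	}
	for _, o := range owners {
		s, err := ResolveServiceAccountSubject(o, "team-a")
		if err != nil {
			fmt.Printf("%-45s rejected: %v\n", o.Name, err)
			continue
		}
		fmt.Printf("%-45s -> %s/%s (%s)\n", o.Name, s.Namespace, s.Name, s.Kind)
	}
}
```

The switch deliberately treats a name with a colon but without the `system:serviceaccount:` prefix as an error instead of guessing, so an owner written as `<namespace>:<name>` is surfaced at reconcile time rather than turned into a binding for an unintended account.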