
Commit 5cfb14c

authored
Separate authorization checks for the operator and domain namespaces (#2138)
* Separate authorization checks for the operator and domain namespaces * Add unit test
1 parent d8dd609 commit 5cfb14c


8 files changed

+115
-67
lines changed


docs/charts/index.yaml

Lines changed: 20 additions & 20 deletions
@@ -3,17 +3,17 @@ entries:
33
weblogic-operator:
44
- apiVersion: v1
55
appVersion: 3.2.0
6-
created: "2021-01-04T15:48:07.645132-05:00"
6+
created: "2021-01-13T12:37:48.514056-05:00"
77
description: Helm chart for configuring the WebLogic operator.
8-
digest: faeabc3c35c580909ff3d35b44b0467bd7cb4376bbd54689df92a44295d9b37f
8+
digest: 77bf9ae96371e779d6fd6faae1966d057d54571f651ec11babd8bc1d86e590af
99
name: weblogic-operator
1010
type: application
1111
urls:
1212
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.2.0.tgz
1313
version: 3.2.0
1414
- apiVersion: v1
1515
appVersion: 3.1.1
16-
created: "2021-01-04T15:48:07.64427-05:00"
16+
created: "2021-01-13T12:37:48.513192-05:00"
1717
description: Helm chart for configuring the WebLogic operator.
1818
digest: 202d148fd3db1ce45d22d4eab3e84bea9bf774addd9e0bc65f9312207a6e4968
1919
name: weblogic-operator
@@ -23,7 +23,7 @@ entries:
2323
version: 3.1.1
2424
- apiVersion: v1
2525
appVersion: 3.1.0
26-
created: "2021-01-04T15:48:07.643256-05:00"
26+
created: "2021-01-13T12:37:48.512149-05:00"
2727
description: Helm chart for configuring the WebLogic operator.
2828
digest: acf600d0951dc3d8a0b05b35f3b9b1e62d827ef483fa863b0e37054ebb61f853
2929
name: weblogic-operator
@@ -32,123 +32,123 @@ entries:
3232
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.1.0.tgz
3333
version: 3.1.0
3434
- apiVersion: v1
35-
created: "2021-01-04T15:48:07.642209-05:00"
35+
created: "2021-01-13T12:37:48.510828-05:00"
3636
description: Helm chart for configuring the WebLogic operator.
3737
digest: 5d3a79a55132c33afd5d2d30e398c3cc508d77c9352129f2e8e127db5f1dcf19
3838
name: weblogic-operator
3939
urls:
4040
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.4.tgz
4141
version: 3.0.4
4242
- apiVersion: v1
43-
created: "2021-01-04T15:48:07.641293-05:00"
43+
created: "2021-01-13T12:37:48.510041-05:00"
4444
description: Helm chart for configuring the WebLogic operator.
4545
digest: c6aeefca88eaa0d431dba66ee5705391c92468f26b27c5af92815ec3c3000406
4646
name: weblogic-operator
4747
urls:
4848
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.3.tgz
4949
version: 3.0.3
5050
- apiVersion: v1
51-
created: "2021-01-04T15:48:07.640176-05:00"
51+
created: "2021-01-13T12:37:48.508963-05:00"
5252
description: Helm chart for configuring the WebLogic operator.
5353
digest: 84b5989fe8f2392d2b3b0f721bdab1562566d7d885324beafd9fc9e658b13cd3
5454
name: weblogic-operator
5555
urls:
5656
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.2.tgz
5757
version: 3.0.2
5858
- apiVersion: v1
59-
created: "2021-01-04T15:48:07.639261-05:00"
59+
created: "2021-01-13T12:37:48.508139-05:00"
6060
description: Helm chart for configuring the WebLogic operator.
6161
digest: e7654ad3f2168f54b3a4b133bf8a86ea12bc474e5ee1d3ab14e1cf53012e9772
6262
name: weblogic-operator
6363
urls:
6464
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.1.tgz
6565
version: 3.0.1
6666
- apiVersion: v1
67-
created: "2021-01-04T15:48:07.638382-05:00"
67+
created: "2021-01-13T12:37:48.507336-05:00"
6868
description: Helm chart for configuring the WebLogic operator.
6969
digest: 5c7c0d3ae797e98592b6fd2191b104f515d6649d0060af0a3ffef215d4c69864
7070
name: weblogic-operator
7171
urls:
7272
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.0.tgz
7373
version: 3.0.0
7474
- apiVersion: v1
75-
created: "2021-01-04T15:48:07.637498-05:00"
75+
created: "2021-01-13T12:37:48.506585-05:00"
7676
description: Helm chart for configuring the WebLogic operator.
7777
digest: 5f4cd8f4f3282b52b5e90a1169f26986e8272671845053606ade9c855fb04151
7878
name: weblogic-operator
7979
urls:
8080
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-3.0.0-rc1.tgz
8181
version: 3.0.0-rc1
8282
- apiVersion: v1
83-
created: "2021-01-04T15:48:07.636461-05:00"
83+
created: "2021-01-13T12:37:48.505796-05:00"
8484
description: Helm chart for configuring the WebLogic operator.
8585
digest: d441888a8deae1b1339e7585e3b437dfd2533303e46e842d7378e16db665e234
8686
name: weblogic-operator
8787
urls:
8888
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.6.0.tgz
8989
version: 2.6.0
9090
- apiVersion: v1
91-
created: "2021-01-04T15:48:07.635531-05:00"
91+
created: "2021-01-13T12:37:48.50504-05:00"
9292
description: Helm chart for configuring the WebLogic operator.
9393
digest: fe41421b7dc45dc8a3b2888d3a626a37f5d3c8e1fa292fb6699deedc5e1db33d
9494
name: weblogic-operator
9595
urls:
9696
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.5.0.tgz
9797
version: 2.5.0
9898
- apiVersion: v1
99-
created: "2021-01-04T15:48:07.633853-05:00"
99+
created: "2021-01-13T12:37:48.504032-05:00"
100100
description: Helm chart for configuring the WebLogic operator.
101101
digest: b36bd32083f67453a62d089a2c09ce38e6655d88ac8a7b38691230c55c40e672
102102
name: weblogic-operator
103103
urls:
104104
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.4.0.tgz
105105
version: 2.4.0
106106
- apiVersion: v1
107-
created: "2021-01-04T15:48:07.632814-05:00"
107+
created: "2021-01-13T12:37:48.503154-05:00"
108108
description: Helm chart for configuring the WebLogic operator.
109109
digest: a3eafe4c2c6ff49384e56421201e59a3737d651af8d5b605b87a19eb1f6f1dc3
110110
name: weblogic-operator
111111
urls:
112112
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.3.1.tgz
113113
version: 2.3.1
114114
- apiVersion: v1
115-
created: "2021-01-04T15:48:07.630402-05:00"
115+
created: "2021-01-13T12:37:48.49981-05:00"
116116
description: Helm chart for configuring the WebLogic operator.
117117
digest: cbc6caaa6eb28e3c7e906ede14b2ae511a0b35fc12a8e3ab629155b09993e8b2
118118
name: weblogic-operator
119119
urls:
120120
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.3.0.tgz
121121
version: 2.3.0
122122
- apiVersion: v1
123-
created: "2021-01-04T15:48:07.629526-05:00"
123+
created: "2021-01-13T12:37:48.498485-05:00"
124124
description: Helm chart for configuring the WebLogic operator.
125125
digest: 23d5a1c554fa8211cc1e86b7ade09460917cb2069e68fb4bfdddafc8db44fdcd
126126
name: weblogic-operator
127127
urls:
128128
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.2.1.tgz
129129
version: 2.2.1
130130
- apiVersion: v1
131-
created: "2021-01-04T15:48:07.628426-05:00"
131+
created: "2021-01-13T12:37:48.497434-05:00"
132132
description: Helm chart for configuring the WebLogic operator.
133133
digest: bba303686cb55d84fe8c0d693a2436e7e686b028085b56e012f6381699a3911f
134134
name: weblogic-operator
135135
urls:
136136
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.2.0.tgz
137137
version: 2.2.0
138138
- apiVersion: v1
139-
created: "2021-01-04T15:48:07.626313-05:00"
139+
created: "2021-01-13T12:37:48.494398-05:00"
140140
description: Helm chart for configuring the WebLogic operator.
141141
digest: 391e23c0969ada5f0cd2a088ddc6f11f237f57521801ed3925db2149a8437a0d
142142
name: weblogic-operator
143143
urls:
144144
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.1.tgz
145145
version: "2.1"
146146
- apiVersion: v1
147-
created: "2021-01-04T15:48:07.6254-05:00"
147+
created: "2021-01-13T12:37:48.493567-05:00"
148148
description: Helm chart for configuring the WebLogic operator.
149149
digest: 298acda78ab73db6b7ba6f2752311bfa40c65874e03fb196b70976192211c1a5
150150
name: weblogic-operator
151151
urls:
152152
- https://oracle.github.io/weblogic-kubernetes-operator/charts/weblogic-operator-2.0.1.tgz
153153
version: 2.0.1
154-
generated: "2021-01-04T15:48:07.623889-05:00"
154+
generated: "2021-01-13T12:37:48.491609-05:00"
-3 Bytes
Binary file not shown.

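--- a/kubernetes/charts/weblogic-operator/templates/_domain-namespaces.tpl
+++ b/kubernetes/charts/weblogic-operator/templates/_domain-namespaces.tpl
@@ -17,7 +17,7 @@
 {{- $args := include "utils.cloneDictionary" . | fromYaml -}}
 {{- /*
 Split terms on commas not contained in parentheses. Unfortunately, the regular expression
-support included with Helm tempalates does not include lookarounds.
+support included with Helm templates does not include lookarounds.
 */ -}}
 {{- $working := dict "rejected" (list) "terms" (list $args.domainNamespaceLabelSelector) }}
 {{- if contains "," $args.domainNamespaceLabelSelector }}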

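--- a/kubernetes/charts/weblogic-operator/templates/_operator-role.tpl
+++ b/kubernetes/charts/weblogic-operator/templates/_operator-role.tpl
@@ -12,6 +12,9 @@ metadata:
 weblogic.operatorName: {{ .Release.Namespace | quote }}
 rules:
 - apiGroups: [""]
-resources: ["secrets", "configmaps", "events"]
+resources: ["secrets", "configmaps"]
+verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+resources: ["events"]
 verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
 {{- end }}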
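Review bot: The new events rule keeps `delete` and `deletecollection` on its verbs line, so the operator role still holds destructive rights on events after this split; if no operator code path removes events, trimming that line to `verbs: ["get", "list", "watch", "create", "update", "patch"]` would complete the least-privilege separation this change starts. Whether anything deletes events is not visible from this template. The reduction of secrets and configmaps to read-only verbs is the change itself and is not re-suggested.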

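--- a/operator/src/main/java/oracle/kubernetes/operator/DomainRecheck.java
+++ b/operator/src/main/java/oracle/kubernetes/operator/DomainRecheck.java
@@ -10,13 +10,15 @@
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import javax.annotation.Nonnull;
 
 import io.kubernetes.client.openapi.models.V1Namespace;
 import io.kubernetes.client.openapi.models.V1NamespaceList;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
+import io.kubernetes.client.openapi.models.V1SubjectRulesReviewStatus;
 import oracle.kubernetes.operator.calls.CallResponse;
 import oracle.kubernetes.operator.helpers.CallBuilder;
 import oracle.kubernetes.operator.helpers.EventHelper;
@@ -61,11 +63,11 @@ class DomainRecheck {
 }
 
 NamespaceRulesReviewStep createOperatorNamespaceReview() {
-return new NamespaceRulesReviewStep(getOperatorNamespace());
+return new NamespaceRulesReviewStep(getOperatorNamespace(), false);
 }
 
 NamespaceRulesReviewStep createNamespaceReview(String namespace) {
-return new NamespaceRulesReviewStep(namespace);
+return new NamespaceRulesReviewStep(namespace, true);
 }
 
 Step createReadNamespacesStep() {
@@ -78,9 +80,11 @@ Step createReadNamespacesStep() {
 */
 class NamespaceRulesReviewStep extends Step {
 private final String ns;
+private final boolean isDomainNamespace;
 
-private NamespaceRulesReviewStep(@Nonnull String ns) {
+private NamespaceRulesReviewStep(@Nonnull String ns, boolean isDomainNamespace) {
 this.ns = ns;
+this.isDomainNamespace = isDomainNamespace;
 }
 
 @Override
@@ -93,19 +97,24 @@ public NextAction apply(Packet packet) {
 LoggingContext.LOGGING_CONTEXT_KEY,
 Component.createFor(new LoggingContext().namespace(ns)));
 
-nss.getRulesReviewStatus().updateAndGet(prev -> {
+V1SubjectRulesReviewStatus status = nss.getRulesReviewStatus().updateAndGet(prev -> {
 if (prev != null) {
 return prev;
 }
 
 try {
-return HealthCheckHelper.getAccessAuthorizations(ns);
+return HealthCheckHelper.getSelfSubjectRulesReviewStatus(ns);
 } catch (Throwable e) {
 LOGGER.warning(MessageKeys.EXCEPTION, e);
 }
 return null;
 });
 
+AtomicBoolean guard = isDomainNamespace ? nss.verifiedAsDomainNamespace() : nss.verifiedAsOperatorNamespace();
+if (!guard.getAndSet(true)) {
+HealthCheckHelper.verifyAccess(status, ns, isDomainNamespace);
+}
+
 return doNext(packet);
 }
 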
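--- a/operator/src/main/java/oracle/kubernetes/operator/NamespaceStatus.java
+++ b/operator/src/main/java/oracle/kubernetes/operator/NamespaceStatus.java
@@ -11,11 +11,21 @@
 public class NamespaceStatus {
 private final AtomicBoolean isNamespaceStarting = new AtomicBoolean(false);
 private final AtomicReference<V1SubjectRulesReviewStatus> rulesReviewStatus = new AtomicReference<>();
+private final AtomicBoolean verifiedAsOperatorNamespace = new AtomicBoolean(false);
+private final AtomicBoolean verifiedAsDomainNamespace = new AtomicBoolean(false);
 
 public AtomicBoolean isNamespaceStarting() {
 return isNamespaceStarting;
 }
 
+public AtomicBoolean verifiedAsOperatorNamespace() {
+return verifiedAsOperatorNamespace;
+}
+
+public AtomicBoolean verifiedAsDomainNamespace() {
+return verifiedAsDomainNamespace;
+}
+
 public AtomicReference<V1SubjectRulesReviewStatus> getRulesReviewStatus() {
 return rulesReviewStatus;
 }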
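Review bot: The two new accessors hand out the backing AtomicBoolean itself, so any caller can reset a namespace to "unverified" or race with the guard in DomainRecheck; a one-way transition kept inside this class, `public boolean markVerifiedAsDomainNamespace() { return !verifiedAsDomainNamespace.getAndSet(true); }` (and its operator-namespace twin), would expose only the claim-once semantics the caller needs. This does mirror the existing isNamespaceStarting accessor, so if the pattern is kept for consistency, a Javadoc on each new field along the lines of `/** Set once RBAC for this namespace has been verified in its role as a domain namespace; intended to be set at most once and never cleared. */` would at least document the intent. Which callers read these accessors besides the review step is not visible here.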
