feat: add rbac

pkg/k8s/k8s_role.go

@@ -9,21 +9,15 @@ import (
 )
 
 // CreateRole creates a role
-func CreateRole(name, namespace string, labels map[string]string, apiGroups, resources, verbs []string) error {
+func CreateRole(namespace, name string, labels map[string]string, policyRules []rbacv1.PolicyRule) error {
 
 	role := &rbacv1.Role{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
 			Labels:    labels,
 		},
-		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups: apiGroups,
-				Resources: resources,
-				Verbs:     verbs,
-			},
-		},
+		Rules: policyRules,
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
@@ -40,7 +34,7 @@ func CreateRole(name, namespace string, labels map[string]string, apiGroups, res
 }
 
 // DeleteRole deletes a role
-func DeleteRole(name, namespace string) error {
+func DeleteRole(namespace, name string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()

pkg/k8s/k8s_rolebinding.go

@@ -9,7 +9,7 @@ import (
 )
 
 // CreateRoleBinding creates a roleBinding
-func CreateRoleBinding(name, namespace string, labels map[string]string, role, serviceAccount string) error {
+func CreateRoleBinding(namespace, name string, labels map[string]string, role, serviceAccount string) error {
 
 	roleBinding := &rbacv1.RoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
@@ -44,7 +44,7 @@ func CreateRoleBinding(name, namespace string, labels map[string]string, role, s
 }
 
 // DeleteRoleBinding deletes a roleBinding
-func DeleteRoleBinding(name, namespace string) error {
+func DeleteRoleBinding(namespace, name string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()

pkg/k8s/k8s_serviceaccount.go

@@ -9,7 +9,7 @@ import (
 )
 
 // CreateServiceAccount creates a service account
-func CreateServiceAccount(name, namespace string, labels map[string]string) error {
+func CreateServiceAccount(namespace, name string, labels map[string]string) error {
 
 	serviceAccount := &v1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
@@ -33,7 +33,7 @@ func CreateServiceAccount(name, namespace string, labels map[string]string) erro
 }
 
 // DeleteServiceAccount deletes a service account
-func DeleteServiceAccount(name, namespace string) error {
+func DeleteServiceAccount(namespace, name string) error {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()

pkg/knuu/instance.go

@@ -8,6 +8,7 @@ import (
 	"io"
 	appv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"os"
 	"path/filepath"
 	"strings"
@@ -33,7 +34,7 @@ type Instance struct {
 	memoryRequest         string
 	memoryLimit           string
 	cpuRequest            string
-	serviceAccountName    string
+	policyRules           []rbacv1.PolicyRule
 	livenessProbe         *v1.Probe
 	readinessProbe        *v1.Probe
 	startupProbe          *v1.Probe
@@ -49,24 +50,24 @@ func NewInstance(name string) (*Instance, error) {
 	}
 	// Create the instance
 	return &Instance{
-		name:               name,
-		k8sName:            k8sName,
-		imageName:          "",
-		state:              None,
-		instanceType:       BasicInstance,
-		portsTCP:           make([]int, 0),
-		portsUDP:           make([]int, 0),
-		command:            make([]string, 0),
-		args:               make([]string, 0),
-		env:                make(map[string]string),
-		volumes:            make([]*k8s.Volume, 0),
-		memoryRequest:      "",
-		memoryLimit:        "",
-		cpuRequest:         "",
-		serviceAccountName: "default",
-		livenessProbe:      nil,
-		readinessProbe:     nil,
-		startupProbe:       nil,
+		name:           name,
+		k8sName:        k8sName,
+		imageName:      "",
+		state:          None,
+		instanceType:   BasicInstance,
+		portsTCP:       make([]int, 0),
+		portsUDP:       make([]int, 0),
+		command:        make([]string, 0),
+		args:           make([]string, 0),
+		env:            make(map[string]string),
+		volumes:        make([]*k8s.Volume, 0),
+		memoryRequest:  "",
+		memoryLimit:    "",
+		cpuRequest:     "",
+		policyRules:    make([]rbacv1.PolicyRule, 0),
+		livenessProbe:  nil,
+		readinessProbe: nil,
+		startupProbe:   nil,
 	}, nil
 }
 
@@ -107,7 +108,7 @@ func (i *Instance) SetImage(image string) error {
 			MemoryRequest:      i.memoryRequest,
 			MemoryLimit:        i.memoryLimit,
 			CPURequest:         i.cpuRequest,
-			ServiceAccountName: i.serviceAccountName,
+			ServiceAccountName: i.k8sName,
 			LivenessProbe:      i.livenessProbe,
 			ReadinessProbe:     i.readinessProbe,
 			StartupProbe:       i.startupProbe,
@@ -154,7 +155,7 @@ func (i *Instance) SetImageInstant(image string) error {
 		MemoryRequest:      i.memoryRequest,
 		MemoryLimit:        i.memoryLimit,
 		CPURequest:         i.cpuRequest,
-		ServiceAccountName: i.serviceAccountName,
+		ServiceAccountName: i.k8sName,
 		LivenessProbe:      i.livenessProbe,
 		ReadinessProbe:     i.readinessProbe,
 		StartupProbe:       i.startupProbe,
@@ -541,14 +542,13 @@ func (i *Instance) GetFileBytes(file string) ([]byte, error) {
 	return bytes, nil
 }
 
-// SetServiceAccount sets the service account of the instance
+// AddPolicyRule adds a policy rule to the instance
 // This function can only be called in the states 'Preparing' and 'Committed'
-func (i *Instance) SetServiceAccount(serviceAccount string) error {
+func (i *Instance) AddPolicyRule(rule rbacv1.PolicyRule) error {
 	if !i.IsInState(Preparing, Committed) {
-		return fmt.Errorf("setting service account is only allowed in state 'Preparing' or 'Committed'. Current state is '%s'", i.state.String())
+		return fmt.Errorf("adding policy rule is only allowed in state 'Preparing' or 'Committed'. Current state is '%s'", i.state.String())
 	}
-	i.serviceAccountName = serviceAccount
-	logrus.Debugf("Set service account to '%s' in instance '%s'", serviceAccount, i.name)
+	i.policyRules = append(i.policyRules, rule)
 	return nil
 }
 

pkg/knuu/instance_helper.go

@@ -124,6 +124,21 @@ func (i *Instance) deployPod() error {
 		return fmt.Errorf("failed to get image name: %v", err)
 	}
 
+	// create a service account for the pod
+	if err := k8s.CreateServiceAccount(k8s.Namespace(), i.k8sName, labels); err != nil {
+		return fmt.Errorf("failed to create service account: %v", err)
+	}
+
+	// create a role and role binding for the pod if there are policy rules
+	if len(i.policyRules) > 0 {
+		if err := k8s.CreateRole(k8s.Namespace(), i.k8sName, labels, i.policyRules); err != nil {
+			return fmt.Errorf("failed to create role: %v", err)
+		}
+		if err := k8s.CreateRoleBinding(k8s.Namespace(), i.k8sName, labels, i.k8sName, i.k8sName); err != nil {
+			return fmt.Errorf("failed to create role binding: %v", err)
+		}
+	}
+
 	// Generate the pod configuration
 	podConfig := k8s.PodConfig{
 		Namespace:          k8s.Namespace(),
@@ -137,7 +152,7 @@ func (i *Instance) deployPod() error {
 		MemoryRequest:      i.memoryRequest,
 		MemoryLimit:        i.memoryLimit,
 		CPURequest:         i.cpuRequest,
-		ServiceAccountName: i.serviceAccountName,
+		ServiceAccountName: i.k8sName,
 		LivenessProbe:      i.livenessProbe,
 		ReadinessProbe:     i.readinessProbe,
 		StartupProbe:       i.startupProbe,
@@ -176,6 +191,20 @@ func (i *Instance) destroyPod() error {
 		return fmt.Errorf("failed to delete pod: %v", err)
 	}
 
+	// Delete the service account for the pod
+	if err := k8s.DeleteServiceAccount(k8s.Namespace(), i.k8sName); err != nil {
+		return fmt.Errorf("failed to delete service account: %v", err)
+	}
+	// Delete the role and role binding for the pod if there are policy rules
+	if len(i.policyRules) > 0 {
+		if err := k8s.DeleteRole(k8s.Namespace(), i.k8sName); err != nil {
+			return fmt.Errorf("failed to delete role: %v", err)
+		}
+		if err := k8s.DeleteRoleBinding(k8s.Namespace(), i.k8sName); err != nil {
+			return fmt.Errorf("failed to delete role binding: %v", err)
+		}
+	}
+
 	return nil
 }
 
@@ -219,7 +248,7 @@ func (i *Instance) cloneWithSuffix(suffix string) *Instance {
 		memoryRequest:         i.memoryRequest,
 		memoryLimit:           i.memoryLimit,
 		cpuRequest:            i.cpuRequest,
-		serviceAccountName:    i.serviceAccountName,
+		policyRules:           i.policyRules,
 		livenessProbe:         i.livenessProbe,
 		readinessProbe:        i.readinessProbe,
 		startupProbe:          i.startupProbe,

pkg/knuu/knuu.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"github.com/celestiaorg/knuu/pkg/k8s"
 	"github.com/sirupsen/logrus"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"os"
 	"time"
 )
@@ -111,19 +112,15 @@ func handleTimeout() error {
 		return fmt.Errorf("cannot set command: %s", err)
 	}
 
-	if err := k8s.CreateRole(instance.k8sName, k8s.Namespace(), instance.getLabels(), []string{"*"}, []string{"*"}, []string{"*"}); err != nil {
-		return fmt.Errorf("cannot create role: %s", err)
-	}
-	if err := k8s.CreateServiceAccount(instance.k8sName, k8s.Namespace(), instance.getLabels()); err != nil {
-		return fmt.Errorf("cannot create service account: %s", err)
-	}
-	if err := k8s.CreateRoleBinding(instance.k8sName, k8s.Namespace(), instance.getLabels(), instance.k8sName, instance.k8sName); err != nil {
-		return fmt.Errorf("cannot create role binding: %s", err)
-	}
-	if err := instance.SetServiceAccount(instance.k8sName); err != nil {
-		return fmt.Errorf("cannot set service account: %s", err)
+	rule := rbacv1.PolicyRule{
+		Verbs:     []string{"*"},
+		APIGroups: []string{"*"},
+		Resources: []string{"*"},
 	}
 
+	if err := instance.AddPolicyRule(rule); err != nil {
+		return fmt.Errorf("cannot add policy rule: %s", err)
+	}
 	if err := instance.Start(); err != nil {
 		return fmt.Errorf("cannot start instance: %s", err)
 	}