From baccdf626369a96ece83b043826a04e12b912388 Mon Sep 17 00:00:00 2001
From: jiuker <2818723467@qq.com>
Date: Sat, 9 Mar 2024 01:05:26 +0800
Subject: [PATCH] feat: check sa before start a job (#2024)

* check sa before start a job

check sa before start a job

* import

* apply suggestion

---------

Co-authored-by: guozhi.li <guozhi.li@daocloud.io>
---
 pkg/controller/job-controller.go | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/pkg/controller/job-controller.go b/pkg/controller/job-controller.go
index e8bedefff06..004d56cc933 100644
--- a/pkg/controller/job-controller.go
+++ b/pkg/controller/job-controller.go
@@ -11,6 +11,7 @@ import (
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/operator/pkg/apis/job.min.io/v1alpha1"
 	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
+	stsv1alpha1 "github.com/minio/operator/pkg/apis/sts.min.io/v1alpha1"
 	clientset "github.com/minio/operator/pkg/client/clientset/versioned"
 	jobinformers "github.com/minio/operator/pkg/client/informers/externalversions/job.min.io/v1alpha1"
 	joblisters "github.com/minio/operator/pkg/client/listers/job.min.io/v1alpha1"
@@ -179,7 +180,24 @@ func (c *JobController) SyncHandler(key string) (Result, error) {
 	if tenant.Status.HealthStatus != miniov2.HealthStatusGreen {
 		return WrapResult(Result{RequeueAfter: time.Second * 5}, nil)
 	}
-	fmt.Println("will do somthing next")
+	// check sa
+	pbs := &stsv1alpha1.PolicyBindingList{}
+	err = c.k8sClient.List(ctx, pbs, client.InNamespace(namespace))
+	if err != nil {
+		return WrapResult(Result{}, err)
+	}
+	if len(pbs.Items) == 0 {
+		return WrapResult(Result{}, fmt.Errorf("no policybinding found"))
+	}
+	saFound := false
+	for _, pb := range pbs.Items {
+		if pb.Spec.Application.Namespace == namespace && pb.Spec.Application.ServiceAccount == jobCR.Spec.ServiceAccountName {
+			saFound = true
+		}
+	}
+	if !saFound {
+		return WrapResult(Result{}, fmt.Errorf("no serviceaccount found"))
+	}
 	// Loop through the different supported operations.
 	for _, val := range jobCR.Spec.Commands {
 		operation := val.Operation