Add groups in impersonate clusterrole (#23)

Signed-off-by: Rokibul Hasan <mdrokibulhasan@appscode.com>
kluster-manager · Sep 9, 2024 · b972916 · b972916
1 parent c6df803
commit b972916
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/pkg/agent/controller/managedclusterrolebinding_controller.go b/pkg/agent/controller/managedclusterrolebinding_controller.go
@@ -84,13 +84,7 @@ func (r *ManagedClusterRoleBindingReconciler) Reconcile(ctx context.Context, req
 	}
 
 	// now give actual permission to the User
-	sub := []rbac.Subject{
-		{
-			APIGroup: "",
-			Kind:     "User",
-			Name:     managedCRB.Subjects[0].Name,
-		},
-	}
+	sub := getSubject(managedCRB)
 
 	if managedCRB.RoleRef.Namespaces == nil {
 		givenClusterRolebinding := &rbac.ClusterRoleBinding{
@@ -210,6 +204,18 @@ func (r *ManagedClusterRoleBindingReconciler) SetupWithManager(mgr ctrl.Manager)
 		Complete(r)
 }
 
+func getSubject(managedCRB authzv1alpah1.ManagedClusterRoleBinding) []rbac.Subject {
+	subs := make([]rbac.Subject, 0, len(managedCRB.Subjects))
+	for _, sub := range managedCRB.Subjects {
+		subs = append(subs, rbac.Subject{
+			APIGroup: sub.APIGroup,
+			Kind:     sub.Kind,
+			Name:     sub.Name,
+		})
+	}
+	return subs
+}
+
 /*
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/pkg/manager/controller/authentication/account_controller.go b/pkg/manager/controller/authentication/account_controller.go
@@ -201,6 +201,12 @@ func (r *AccountReconciler) createClusterRoleAndClusterRoleBindingToImpersonate(
 				Verbs:         []string{"impersonate"},
 				ResourceNames: []string{acc.Name},
 			},
+			{
+				APIGroups:     []string{""},
+				Resources:     []string{"groups"},
+				Verbs:         []string{"impersonate"},
+				ResourceNames: acc.Spec.Groups,
+			},
 		},
 	}