Takes in manifest and generates role #68
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Hi @somtochiama. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
the
size/XL
|
/assign @justinsb |
tools/rbac-gen/main.go
Outdated
|
|
||
| bytes, err := ioutil.ReadFile(*yamlFile) | ||
| if err != nil { | ||
| log.Fatalf("Error reading files: %v", err) |
There was a problem hiding this comment.
Tip: I like to do this:
func main() {
err := run()
if err != nil {
fmt.Fprintf(os.Stderr, "%v\n", err)
os.Exit(1)
}
}
func run() error {
... real work....
}
because then we can just return an error. Two advantages:
- A little more compact
- It makes it easier to refactor the code into functions; the top-level function is a special-case in terms of error handling, so I try to make that special-case as small as possible.
There was a problem hiding this comment.
This is nice. Reduce code for error handling
| // generate Group and Kind | ||
| ctx := context.Background() | ||
| objs, err := manifest.ParseObjects(ctx, string(bytes)) | ||
|
|
There was a problem hiding this comment.
Nit: it's clearer (IMO) without the line break between the thing which generates the error and which checks the error
a, err := foo()
if err != nil {
tools/rbac-gen/main.go
Outdated
| Verbs: []string{"create", "update", "delete", "get"}, | ||
| } | ||
| roleInterface.Rules = append(roleInterface.Rules, &newRule) | ||
| m[obj.Kind] = "" |
There was a problem hiding this comment.
Technically the key should include the api group, in case two kinds are named the same in two apigroups.
Two ways to do that:
- Invent some delimiter that is "safe":
m[obj.APIGroup + "::" + obj.Kind] = true - Use a struct:
struct key {
APIGroup string
Kind string
}
For cases like this where I'm not really reading the values back, I tend to just use the string trick. If I'm reading them back or parsing the keys I tend to use a struct.
tools/rbac-gen/main.go
Outdated
| } | ||
|
|
||
| // to deal with duplicates, we keep a map of all the kinds that has been addeed so far | ||
| m := make(map[string]string) |
There was a problem hiding this comment.
Alternatives:
map[string]boollets you doif m[obj.Kind] {and I tend to use thismap[string]struct{}is the go way of writing that there are no values, so it is a little more memory efficient. You have to use the longer way of checking though (as you've done here), so if it's not verified as performance critical I tend to use the simpler boolean form.
tools/rbac-gen/main.go
Outdated
| if _, ok := m[obj.Kind]; !ok { | ||
| newRule := rule { | ||
| ApiGroups: []string{obj.Group}, | ||
| // needs plural of kind |
There was a problem hiding this comment.
There's a pluralize helper in kubebuilder I think, which I guess we should probably use. I agree this is annoying though :-)
It's technically the resource name, which might be completely different to the kind. In practice, it's the plural (and lower cased).
|
This looks great! You pointed out the need to also embed ClusterRoles and Roles. We can do that in a follow on if that's easier. Just a few nits here :-) |
k8s-ci-robot
added
size/XXL
somtochiama
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
| saName = flag.String("sa-name", "", "name of service account the role should be binded to") | ||
| ns = flag.String("ns", "kube-system", "namespace of the role to be generated") | ||
| out = flag.String("out", "", "name of output file") | ||
| supervisory = flag.Bool("supervisory", false, "outputs role for operator in supervisory mode") |
There was a problem hiding this comment.
Nit: we might want a string enum (as otherwise we tend to end up with lots of flags :-) )
|
/ok-to-test I'm excited to start using this! We're already finding lots more uses for it (e.g. supervisor mode) so I think it's important to get a version merged and then we can iterate for those. /approve |
k8s-ci-robot
added
ok-to-test
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb, SomtochiAma The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
3 participants
No description provided.