From 208a728ba68a0f4ce5d9cf263007197fbdbf1fc8 Mon Sep 17 00:00:00 2001
From: Le Zhang
Date: Mon, 8 Apr 2024 14:37:19 -0400
Subject: [PATCH] Issue open-horizon#4013 - For cluster-scoped agent, Kubeworker should add namespace for serviceaccount in clusterrolebinding, if namespace ommits
Signed-off-by: Le Zhang
---
 kube_operator/api_objects.go | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/kube_operator/api_objects.go b/kube_operator/api_objects.go
index 842de9ad9..567b8294c 100644
--- a/kube_operator/api_objects.go
+++ b/kube_operator/api_objects.go
@@ -385,20 +385,18 @@ type ClusterRolebindingRbacV1 struct {
 func (crb ClusterRolebindingRbacV1) Install(c KubeClient, namespace string) error {
 glog.V(3).Infof(kwlog(fmt.Sprintf("creating cluster role binding %v", crb)))
- // checking the serviceaccount for clusterrolebinding if it is namespace-scoped agent:
- // - If the namespace of serviceaccount is defined in yaml, but is different from namespace for operator, replace the sa namespace with namespace to deploy operator.
- if cutil.IsNamespaceScoped() {
- // normalize the namespace of service account for namespace scoped agent
- subs := []rbacv1.Subject{}
- for _, sub := range crb.ClusterRolebindingObject.Subjects {
- rb_sub := &sub
- if sub.Namespace != "" && sub.Namespace != namespace {
- rb_sub.Namespace = namespace
- }
- subs = append(subs, *rb_sub)
+ // checking the serviceaccount for clusterrolebinding:
+ // - namespace-scoped agent: Normalize the namespace of service account for namespace scoped agent. If the namespace of serviceaccount is defined in yaml, but is different from namespace for operator, replace the sa namespace with namespace to deploy operator.
+ // - cluster-scoped agent: If the namespace of the serviceaccount is absent, add namespace
+ subs := []rbacv1.Subject{}
+ for _, sub := range crb.ClusterRolebindingObject.Subjects {
+ rb_sub := &sub
+ if (cutil.IsNamespaceScoped() && sub.Namespace != "" && sub.Namespace != namespace) || (!cutil.IsNamespaceScoped() && sub.Namespace == "") {
+ rb_sub.Namespace = namespace
 }
- crb.ClusterRolebindingObject.Subjects = subs
+ subs = append(subs, *rb_sub)
 }
+ crb.ClusterRolebindingObject.Subjects = subs
 // get clusterrolebinding
 existingCRB, err := c.Client.RbacV1().ClusterRoleBindings().Get(context.Background(), crb.Name(), metav1.GetOptions{})
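Review bot: The combined condition in the loop rewrites `Namespace` on every subject without looking at `sub.Kind`, so in the cluster-scoped branch a `User` or `Group` subject, which normally carries no namespace, would also get the operator namespace stamped on it. Guarding the assignment with `sub.Kind == rbacv1.ServiceAccountKind` keeps the normalisation to the service-account subjects the comment describes. A namespace-scoped agent still leaves an omitted namespace empty; if that case is not handled elsewhere, `sub.Namespace == "" || (cutil.IsNamespaceScoped() && sub.Namespace != namespace)` would cover both modes and call `IsNamespaceScoped()` once per subject. In cluster-scoped mode an explicit namespace from the YAML is kept as written, so the binding can grant the cluster role to a service account outside the operator namespace; a comment stating that this is intended would help the next reader. Install's body continues past the end of the hunk.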