Create roles for scheduling (#339)

mhmxs · web-flow · commit eb1b5d5199fc · 2021-06-08T06:45:49.000+02:00
* Create roles for scheduling

* Rename scheduler roles and bindings

* Rename scheduler roles and bindings
diff --git a/pkg/storageos/deploy.go b/pkg/storageos/deploy.go
@@ -109,6 +109,14 @@ func (s *Deployment) Deploy() error {
 		return err
 	}
 
+	if err := s.createClusterRoleForSchedulerExtenderVolumeChecker(); err != nil {
+		return err
+	}
+
+	if err := s.createClusterRoleBindingForSchedulerExtenderVolumeChecker(); err != nil {
+		return err
+	}
+
 	if err := s.createClusterRoleForKeyMgmt(); err != nil {
 		return err
 	}
diff --git a/pkg/storageos/rbac.go b/pkg/storageos/rbac.go
@@ -38,8 +38,11 @@ const (
 	NFSClusterRoleName    = "storageos:nfs-provisioner"
 	NFSClusterBindingName = "storageos:nfs-provisioner"
 
-	SchedulerClusterRoleName    = "storageos:scheduler-extender"
-	SchedulerClusterBindingName = "storageos:scheduler-extender"
+	SchedulerExtenderClusterRoleName    = "storageos:scheduler-extender"
+	SchedulerExtenderClusterBindingName = "storageos:scheduler-extender"
+
+	SchedulerExtenderVolumeCheckerClusterRoleName    = "storageos:scheduler-extender-vol-checker"
+	SchedulerExtenderVolumeCheckerClusterBindingName = "storageos:scheduler-extender-vol-checker"
 
 	InitClusterRoleName    = "storageos:init"
 	InitClusterBindingName = "storageos:init"
@@ -339,9 +342,9 @@ func (s *Deployment) createClusterRoleForResizer() error {
 	return s.k8sResourceManager.ClusterRole(CSIResizerClusterRoleName, nil, rules).Create()
 }
 
-// createClusterRoleForScheduler creates a ClusterRole resource for scheduler
+// createClusterRoleForSchedulerExtender creates a ClusterRole resource for scheduler
 // extender with all the permissions required by kube-scheduler.
-func (s *Deployment) createClusterRoleForScheduler() error {
+func (s *Deployment) createClusterRoleForSchedulerExtender() error {
 	rules := []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{""},
@@ -386,7 +389,28 @@ func (s *Deployment) createClusterRoleForScheduler() error {
 			Verbs:     []string{"get", "create", "update"},
 		},
 	}
-	return s.k8sResourceManager.ClusterRole(SchedulerClusterRoleName, nil, rules).Create()
+	return s.k8sResourceManager.ClusterRole(SchedulerExtenderClusterRoleName, nil, rules).Create()
+}
+
+// createClusterRoleForSchedulerExtenderVolumeChecker creates a ClusterRole resource for scheduler
+// extender with all the permissions required by custom scheduler extender.
+func (s *Deployment) createClusterRoleForSchedulerExtenderVolumeChecker() error {
+	rules := []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{""},
+			Resources: []string{
+				"persistentvolumes",
+				"persistentvolumeclaims",
+			},
+			Verbs: []string{"get"},
+		},
+		{
+			APIGroups: []string{"storage.k8s.io"},
+			Resources: []string{"storageclasses"},
+			Verbs:     []string{"get"},
+		},
+	}
+	return s.k8sResourceManager.ClusterRole(SchedulerExtenderVolumeCheckerClusterRoleName, nil, rules).Create()
 }
 
 func (s *Deployment) createClusterRoleBindingForKeyMgmt() error {
@@ -582,9 +606,9 @@ func (s *Deployment) createClusterRoleBindingForSCC() error {
 	return s.k8sResourceManager.ClusterRoleBinding(OpenShiftSCCClusterBindingName, nil, subjects, roleRef).Create()
 }
 
-// createClusterRoleBindingForScheduler creates a cluster role binding for the
-// scheduler extender.
-func (s *Deployment) createClusterRoleBindingForScheduler() error {
+// createClusterRoleBindingForSchedulerExtender creates a cluster role binding for the
+// kube-scheduler.
+func (s *Deployment) createClusterRoleBindingForSchedulerExtender() error {
 	subjects := []rbacv1.Subject{
 		{
 			Kind:      "ServiceAccount",
@@ -594,10 +618,28 @@ func (s *Deployment) createClusterRoleBindingForScheduler() error {
 	}
 	roleRef := &rbacv1.RoleRef{
 		Kind:     "ClusterRole",
-		Name:     SchedulerClusterRoleName,
+		Name:     SchedulerExtenderClusterRoleName,
+		APIGroup: "rbac.authorization.k8s.io",
+	}
+	return s.k8sResourceManager.ClusterRoleBinding(SchedulerExtenderClusterBindingName, nil, subjects, roleRef).Create()
+}
+
+// createClusterRoleBindingForScheduler creates a cluster role binding for the
+// custom scheduler extender.
+func (s *Deployment) createClusterRoleBindingForSchedulerExtenderVolumeChecker() error {
+	subjects := []rbacv1.Subject{
+		{
+			Kind:      "ServiceAccount",
+			Name:      DaemonsetSA,
+			Namespace: s.stos.Spec.GetResourceNS(),
+		},
+	}
+	roleRef := &rbacv1.RoleRef{
+		Kind:     "ClusterRole",
+		Name:     SchedulerExtenderVolumeCheckerClusterRoleName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}
-	return s.k8sResourceManager.ClusterRoleBinding(SchedulerClusterBindingName, nil, subjects, roleRef).Create()
+	return s.k8sResourceManager.ClusterRoleBinding(SchedulerExtenderVolumeCheckerClusterBindingName, nil, subjects, roleRef).Create()
 }
 
 // createClusterRoleForInit creates cluster role for the init container. This is
diff --git a/pkg/storageos/scheduler_extender.go b/pkg/storageos/scheduler_extender.go
@@ -29,13 +29,13 @@ func (s *Deployment) createSchedulerExtender() error {
 	}
 
 	// Create RBAC related resources.
-	if err := s.createClusterRoleForScheduler(); err != nil {
+	if err := s.createClusterRoleForSchedulerExtender(); err != nil {
 		return err
 	}
 	if err := s.createServiceAccountForScheduler(); err != nil {
 		return err
 	}
-	if err := s.createClusterRoleBindingForScheduler(); err != nil {
+	if err := s.createClusterRoleBindingForSchedulerExtender(); err != nil {
 		return err
 	}
 
@@ -103,13 +103,13 @@ func (s Deployment) deleteSchedulerExtender() error {
 	if err := s.k8sResourceManager.ConfigMap(policyConfigMapName, namespace, nil, nil).Delete(); err != nil {
 		return err
 	}
-	if err := s.k8sResourceManager.ClusterRoleBinding(SchedulerClusterBindingName, nil, nil, nil).Delete(); err != nil {
+	if err := s.k8sResourceManager.ClusterRoleBinding(SchedulerExtenderClusterBindingName, nil, nil, nil).Delete(); err != nil {
 		return err
 	}
 	if err := s.k8sResourceManager.ServiceAccount(SchedulerSA, namespace, nil).Delete(); err != nil {
 		return err
 	}
-	if err := s.k8sResourceManager.ClusterRole(SchedulerClusterRoleName, nil, nil).Delete(); err != nil {
+	if err := s.k8sResourceManager.ClusterRole(SchedulerExtenderClusterRoleName, nil, nil).Delete(); err != nil {
 		return err
 	}
 	return nil
diff --git a/test/e2e.sh b/test/e2e.sh
@@ -211,14 +211,14 @@ operator-sdk-e2e-cleanup() {
     kubectl delete clusterrole storageos:csi-attacher \
         storageos:csi-provisioner storageos:driver-registrar \
         storageos:openshift-scc storageos:pod-fencer \
-        storageos:scheduler-extender storageos:init \
+        storageos:scheduler-extender storageos:scheduler-extender-vol-checker storageos:init \
         storageos:nfs-provisioner --ignore-not-found=true
 
     # Delete all the cluster role bindings.
     kubectl delete clusterrolebinding storageos:csi-attacher \
         storageos:csi-provisioner storageos:driver-registrar \
         storageos:k8s-driver-registrar storageos:openshift-scc \
-        storageos:pod-fencer storageos:scheduler-extender \
+        storageos:pod-fencer storageos:scheduler-extender storageos:scheduler-extender-vol-checker \
         storageos:init storageos:nfs-provisioner --ignore-not-found=true
 
     # Delete NFSServer statefulset.

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,14 @@ func (s *Deployment) Deploy() error {`
`109`	`109`	`return err`
`110`	`110`	`}`
`111`	`111`
	`112`	`+ if err := s.createClusterRoleForSchedulerExtenderVolumeChecker(); err != nil {`
	`113`	`+ return err`
	`114`	`+ }`
	`115`	`+`
	`116`	`+ if err := s.createClusterRoleBindingForSchedulerExtenderVolumeChecker(); err != nil {`
	`117`	`+ return err`
	`118`	`+ }`
	`119`	`+`
`112`	`120`	`if err := s.createClusterRoleForKeyMgmt(); err != nil {`
`113`	`121`	`return err`
`114`	`122`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,13 +29,13 @@ func (s *Deployment) createSchedulerExtender() error {`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`// Create RBAC related resources.`
`32`		`- if err := s.createClusterRoleForScheduler(); err != nil {`
	`32`	`+ if err := s.createClusterRoleForSchedulerExtender(); err != nil {`
`33`	`33`	`return err`
`34`	`34`	`}`
`35`	`35`	`if err := s.createServiceAccountForScheduler(); err != nil {`
`36`	`36`	`return err`
`37`	`37`	`}`
`38`		`- if err := s.createClusterRoleBindingForScheduler(); err != nil {`
	`38`	`+ if err := s.createClusterRoleBindingForSchedulerExtender(); err != nil {`
`39`	`39`	`return err`
`40`	`40`	`}`
`41`	`41`
`@@ -103,13 +103,13 @@ func (s Deployment) deleteSchedulerExtender() error {`
`103`	`103`	`if err := s.k8sResourceManager.ConfigMap(policyConfigMapName, namespace, nil, nil).Delete(); err != nil {`
`104`	`104`	`return err`
`105`	`105`	`}`
`106`		`- if err := s.k8sResourceManager.ClusterRoleBinding(SchedulerClusterBindingName, nil, nil, nil).Delete(); err != nil {`
	`106`	`+ if err := s.k8sResourceManager.ClusterRoleBinding(SchedulerExtenderClusterBindingName, nil, nil, nil).Delete(); err != nil {`
`107`	`107`	`return err`
`108`	`108`	`}`
`109`	`109`	`if err := s.k8sResourceManager.ServiceAccount(SchedulerSA, namespace, nil).Delete(); err != nil {`
`110`	`110`	`return err`
`111`	`111`	`}`
`112`		`- if err := s.k8sResourceManager.ClusterRole(SchedulerClusterRoleName, nil, nil).Delete(); err != nil {`
	`112`	`+ if err := s.k8sResourceManager.ClusterRole(SchedulerExtenderClusterRoleName, nil, nil).Delete(); err != nil {`
`113`	`113`	`return err`
`114`	`114`	`}`
`115`	`115`	`return nil`