github.com/verrazzano/verrazzano@v1.7.0/platform-operator/internal/vzconfig/validate.go (about)

     1  // Copyright (c) 2021, 2022, Oracle and/or its affiliates.
     2  // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
     3  
     4  package vzconfig
     5  
     6  import (
     7  	"fmt"
     8  	"k8s.io/api/rbac/v1"
     9  )
    10  
// ValidateRoleBindingSubject checks that an RBAC subject supplied through the
// Verrazzano CR security customizations is well formed. It was refactored out
// of the install_config code.
//
// subject is the RBAC subject to check. name identifies the setting being
// validated and is used only to build the error text.
//
// The checks run in this order and the first failure is returned:
//   - subject.Name must not be empty;
//   - subject.Kind must be "User", "Group" or "ServiceAccount";
//   - for "User" and "Group", subject.APIGroup must be empty or
//     "rbac.authorization.k8s.io";
//   - for "ServiceAccount", subject.APIGroup must be empty and
//     subject.Namespace must be set.
//
// These are shape checks only. Nothing here confirms that the subject exists
// or limits which user, group or service account may be named.
// NOTE(review): a caller that must keep broad built-in principals (for
// example the system:masters or system:unauthenticated groups) out of a
// binding has to enforce that separately - confirm where that policy lives.
func ValidateRoleBindingSubject(subject v1.Subject, name string) error {
	if subject.Name == "" {
		return fmt.Errorf("no name for %s", name)
	}

	switch subject.Kind {
	case "User", "Group":
		// An empty apiGroup is accepted; any explicit value must be the RBAC group.
		if subject.APIGroup != "" && subject.APIGroup != "rbac.authorization.k8s.io" {
			return fmt.Errorf("invalid apiGroup '%s' for %s", subject.APIGroup, name)
		}
	case "ServiceAccount":
		// A service account subject carries no apiGroup at all.
		if subject.APIGroup != "" {
			return fmt.Errorf("invalid apiGroup '%s' for %s", subject.APIGroup, name)
		}
		// A service account is identified by namespace and name together.
		if subject.Namespace == "" {
			return fmt.Errorf("no namespace for ServiceAccount in %s", name)
		}
	default:
		return fmt.Errorf("invalid kind '%s' for %s", subject.Kind, name)
	}

	return nil
}