in lambdas/kf_profile_manager/index.py [0:0]
def apply_servicerolebinding(user_name: str, user_email: str, group: str):
    """Ensure the user's Istio ServiceRoleBinding exists in the ``group`` namespace.

    Lists the ``rbac.istio.io/v1alpha1`` ServiceRoleBindings in the namespace
    and, when none is named ``user-<user_name>-kubeflow-org-clusterrole-edit``,
    creates one that binds the ``ns-access-istio`` ServiceRole to requests
    whose ``kubeflow-userid`` header equals ``user_email``.

    Args:
        user_name: Inserted verbatim into the binding's object name.
        user_email: Value the ``kubeflow-userid`` header must carry; also
            stored in the ``user`` annotation and written to the log.
        group: Namespace that is listed and in which the binding is created.

    Returns:
        None. Errors raised by the Kubernetes client are not caught here.
    """
    # NOTE(review): user_name and group reach the object name and namespace
    # without validation in this function. Confirm the caller normalises them
    # and that a user cannot pick ``group`` to target another namespace.
    istio_rbac = client.CustomObjectsApi(api_client)
    binding_name = f"user-{user_name}-kubeflow-org-clusterrole-edit"
    target_namespace = f"{group}"

    # NOTE(review): ServiceRole/ServiceRoleBinding (rbac.istio.io/v1alpha1) were
    # deprecated in Istio 1.4 and removed in 1.6 in favour of
    # AuthorizationPolicy. Confirm the cluster's Istio version still serves it.
    listing = istio_rbac.list_namespaced_custom_object(
        group="rbac.istio.io",
        version="v1alpha1",
        namespace=target_namespace,
        plural="servicerolebindings",
        pretty="true",
    )

    # The list-then-create sequence is not atomic. A concurrent invocation
    # could create the binding in between; the duplicate create is then
    # presumably rejected by the API server, and that error is not handled.
    present = {item['metadata']['name'] for item in listing['items']}
    if binding_name in present:
        logger.info(f"servicerolebinding user-{user_name}-kubeflow-org-clusterrole-edit already exists")
        return

    # NOTE(review): the subject is matched only on the kubeflow-userid request
    # header, so this binding is only as strong as whatever sets that header.
    # Confirm the ingress/auth proxy overwrites it after authenticating and
    # that workloads cannot be reached by a path that bypasses the proxy.
    header_subject = {
        "properties": {
            "request.headers[kubeflow-userid]": user_email
        }
    }
    # "generation" and "status" are normally server-managed fields; they are
    # sent here unchanged from the original manifest.
    manifest_servicerolebinding = {
        "apiVersion": "rbac.istio.io/v1alpha1",
        "kind": "ServiceRoleBinding",
        "metadata": {
            "annotations": {
                "role": "edit",
                "user": user_email
            },
            "generation": 1,
            "name": binding_name,
            "namespace": target_namespace
        },
        "spec": {
            "roleRef": {
                "kind": "ServiceRole",
                "name": "ns-access-istio"
            },
            "subjects": [header_subject]
        },
        "status": {}
    }

    # The e-mail address is written to the log at INFO level on both sides of
    # the create call; treat these log streams as containing personal data.
    logger.info(f"create_namespaced_custom_object:manifest_servicerolebinding for user: {user_email}")
    istio_rbac.create_namespaced_custom_object(
        group="rbac.istio.io",
        version="v1alpha1",
        plural="servicerolebindings",
        namespace=target_namespace,
        body=manifest_servicerolebinding,
        pretty="true",
    )
    logger.info(f"created servicerolebindings for user: {user_email}")