Merge pull request #961 from Vafilor/feat/remove.community.restrictions

fix: remove namespace creation restriction

db/yaml/workspaces/cvat_1_6_0/20211028205201.yaml

@@ -1,5 +1,5 @@
 metadata:
-  name: CVAT
+  name: CVAT_1.6.0
   kind: Workspace
   version: 20211028205201
   action: create

manifest/abs/deployment.json

@@ -0,0 +1,63 @@
+{
+  "apiVersion": "apps/v1",
+  "kind": "Deployment",
+  "metadata": {
+    "name": "minio-gateway",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "spec": {
+    "replicas": 1,
+    "selector": {
+      "matchLabels": {
+        "app": "minio-gateway"
+      }
+    },
+    "template": {
+      "metadata": {
+        "labels": {
+          "app": "minio-gateway"
+        },
+        "annotations": {
+          "sidecar.istio.io/inject": "false"
+        }
+      },
+      "spec": {
+        "containers": [
+          {
+            "name": "minio-gateway",
+            "image": "minio/minio:RELEASE.2021-06-17T00-10-46Z.hotfix.49f6035b1",
+            "args": [
+                "gateway",
+                "azure"
+            ],
+            "env": [
+              {
+                "name": "MINIO_ACCESS_KEY",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "name": "onepanel",
+                    "key": "artifactRepositoryS3AccessKey"
+                  }
+                }
+              },
+              {
+                "name": "MINIO_SECRET_KEY",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "name": "onepanel",
+                    "key": "artifactRepositoryS3SecretKey"
+                  }
+                }
+              }
+            ],
+            "ports": [
+              {
+                "containerPort": 9000
+              }
+            ]
+          }
+        ]
+      }
+    }
+  }
+}

manifest/abs/service.json

@@ -0,0 +1,19 @@
+{
+  "apiVersion": "v1",
+  "kind": "Service",
+  "metadata": {
+    "name": "minio-gateway",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "spec": {
+    "selector": {
+      "app": "minio-gateway"
+    },
+    "ports": [
+      {
+        "port": 9000,
+        "targetPort": 9000
+      }
+    ]
+  }
+}

manifest/clusterrolebinding-models.json

@@ -0,0 +1,19 @@
+{
+  "apiVersion": "rbac.authorization.k8s.io/v1",
+  "kind": "ClusterRoleBinding",
+  "metadata": {
+    "name": "onepanel-kfserving-$(applicationDefaultNamespace)"
+  },
+  "subjects": [
+    {
+      "kind": "ServiceAccount",
+      "name": "$(applicationDefaultNamespace)",
+      "namespace": "$(applicationDefaultNamespace)"
+    }
+  ],
+  "roleRef": {
+    "apiGroup": "rbac.authorization.k8s.io",
+    "kind": "ClusterRole",
+    "name": "onepanel-models"
+  }
+}

manifest/clusterrolebinding-onepanel-namespaces-defaultnamespace.json

@@ -0,0 +1,22 @@
+{
+  "apiVersion": "rbac.authorization.k8s.io/v1beta1",
+  "kind": "ClusterRoleBinding",
+  "metadata": {
+    "labels": {
+      "app": "onepanel"
+    },
+    "name": "onepanel-namespaces"
+  },
+  "roleRef": {
+    "apiGroup": "rbac.authorization.k8s.io",
+    "kind": "ClusterRole",
+    "name": "onepanel-namespaces"
+  },
+  "subjects": [
+    {
+      "kind": "ServiceAccount",
+      "name": "$(applicationDefaultNamespace)",
+      "namespace": "$(applicationDefaultNamespace)"
+    }
+  ]
+}

manifest/configmap-onepanel-defaultnamespace.json

@@ -0,0 +1,11 @@
+{
+  "apiVersion": "v1",
+  "kind": "ConfigMap",
+  "metadata": {
+    "name": "onepanel",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "data": {
+    "artifactRepository": "archiveLogs: true\n$(artifactRepositoryProvider)\n"
+  }
+}

manifest/gcs/deployment.json

@@ -0,0 +1,83 @@
+{
+  "apiVersion": "apps/v1",
+  "kind": "Deployment",
+  "metadata": {
+    "name": "minio-gateway",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "spec": {
+    "replicas": 1,
+    "selector": {
+      "matchLabels": {
+        "app": "minio-gateway"
+      }
+    },
+    "template": {
+      "metadata": {
+        "labels": {
+          "app": "minio-gateway"
+        },
+        "annotations": {
+          "sidecar.istio.io/inject": "false"
+        }
+      },
+      "spec": {
+        "containers": [
+          {
+            "name": "minio-gateway",
+            "image": "minio/minio:RELEASE.2021-06-17T00-10-46Z.hotfix.49f6035b1",
+            "volumeMounts": [
+              {
+                "name": "gcs-credentials",
+                "mountPath": "/etc/gcs",
+                "readOnly": true
+              }
+            ],
+            "args": [
+                "gateway",
+                "gcs"
+            ],
+            "env": [
+              {
+                "name": "MINIO_ACCESS_KEY",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "name": "onepanel",
+                    "key": "artifactRepositoryS3AccessKey"
+                  }
+                }
+              },
+              {
+                "name": "MINIO_SECRET_KEY",
+                "valueFrom": {
+                  "secretKeyRef": {
+                    "name": "onepanel",
+                    "key": "artifactRepositoryS3SecretKey"
+                  }
+                }
+              },
+              {
+                "name": "GOOGLE_APPLICATION_CREDENTIALS",
+                "value": "/etc/gcs/credentials.json"
+              }
+            ]
+          }
+        ],
+        "volumes": [
+          {
+            "name": "gcs-credentials",
+            "projected": {
+              "sources": [
+                {
+                  "secret": {
+                    "name": "artifact-repository-gcs-credentials"
+                  }
+                }
+              ]
+            }
+          }
+        ]
+      }
+    }
+  }
+}

manifest/gcs/service.json

@@ -0,0 +1,19 @@
+{
+  "apiVersion": "v1",
+  "kind": "Service",
+  "metadata": {
+    "name": "minio-gateway",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "spec": {
+    "selector": {
+      "app": "minio-gateway"
+    },
+    "ports": [
+      {
+        "port": 9000,
+        "targetPort": 9000
+      }
+    ]
+  }
+}

manifest/kfserving/secret.json

@@ -0,0 +1,19 @@
+{
+  "apiVersion": "v1",
+  "kind": "Secret",
+  "metadata": {
+    "name": "kfserving-storage",
+    "namespace": "$(applicationDefaultNamespace)",
+    "annotations": {
+      "serving.kubeflow.org/s3-endpoint": "$(artifactRepositoryS3Endpoint)",
+      "serving.kubeflow.org/s3-usehttps": "0",
+      "serving.kubeflow.org/s3-region": "$(artifactRepositoryS3Region)",
+      "serving.kubeflow.org/s3-useanoncredential": "false"
+    }
+  },
+  "type": "Opaque",
+  "data": {
+    "AWS_ACCESS_KEY_ID": "$(artifactRepositoryS3AccessKey)",
+    "AWS_SECRET_ACCESS_KEY": "$(artifactRepositoryS3SecretKey)"
+  }
+}

manifest/networkpolicy-onepanel-defaultnamespace.json

@@ -0,0 +1,41 @@
+{
+  "apiVersion": "networking.k8s.io/v1",
+  "kind": "NetworkPolicy",
+  "metadata": {
+    "labels": {
+      "app": "onepanel"
+    },
+    "name": "onepanel",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "spec": {
+    "egress": [
+      {
+        "to": [
+          {
+            "ipBlock": {
+              "cidr": "0.0.0.0/0",
+              "except": [
+                  "169.254.169.254/32"
+              ]
+            }
+          }
+        ]
+      }
+    ],
+    "ingress": [
+      {
+        "from": [
+          {
+            "namespaceSelector": {
+              "matchLabels": {
+                "app.kubernetes.io/part-of": "onepanel"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "podSelector": {}
+  }
+}

manifest/role-onepanel-defaultnamespace.json

@@ -0,0 +1,167 @@
+{
+  "apiVersion": "rbac.authorization.k8s.io/v1beta1",
+  "kind": "Role",
+  "metadata": {
+    "labels": {
+      "app": "onepanel"
+    },
+    "name": "onepanel",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "rules": [
+    {
+      "apiGroups": [
+        ""
+      ],
+      "resources": [
+        "configmaps"
+      ],
+      "verbs": [
+        "get"
+      ]
+    },
+    {
+      "apiGroups": [
+        ""
+      ],
+      "resources": [
+        "pods",
+        "pods/log"
+      ],
+      "verbs": [
+        "get",
+        "watch",
+        "patch"
+      ]
+    },
+    {
+      "apiGroups": [
+        ""
+      ],
+      "resources": [
+        "persistentvolumeclaims",
+        "services",
+        "secrets"
+      ],
+      "verbs": [
+        "get",
+        "watch",
+        "list",
+        "create",
+        "update",
+        "patch",
+        "delete"
+      ]
+    },
+    {
+      "apiGroups": [
+        "apps"
+      ],
+      "resources": [
+        "statefulsets",
+        "deployments"
+      ],
+      "verbs": [
+        "get",
+        "watch",
+        "list",
+        "create",
+        "update",
+        "patch",
+        "delete"
+      ]
+    },
+    {
+      "apiGroups": [
+        "networking.istio.io"
+      ],
+      "resources": [
+        "virtualservices"
+      ],
+      "verbs": [
+        "get",
+        "watch",
+        "list",
+        "create",
+        "update",
+        "patch",
+        "delete"
+      ]
+    },
+    {
+      "apiGroups": [
+        "argoproj.io"
+      ],
+      "resources": [
+        "workflows",
+        "workflowtemplates",
+        "cronworkflows"
+      ],
+      "verbs": [
+        "get",
+        "watch",
+        "list",
+        "create",
+        "update",
+        "patch",
+        "delete"
+      ]
+    },
+    {
+      "apiGroups": [
+        "onepanel.io"
+      ],
+      "resources": [
+        "workspaces"
+      ],
+      "verbs": [
+        "get",
+        "watch",
+        "list",
+        "create",
+        "update",
+        "patch",
+        "delete"
+      ]
+    },
+    {
+      "apiGroups": [
+        "onepanel.io"
+      ],
+      "resources": [
+        "services"
+      ],
+      "verbs": [
+        "get",
+        "watch",
+        "list",
+        "create",
+        "update",
+        "patch",
+        "delete"
+      ]
+    },
+    {
+      "apiGroups": [
+        "serving.kubeflow.org"
+      ],
+      "resources": [
+        "inferenceservices"
+      ],
+      "verbs": [
+        "get",
+        "watch",
+        "list",
+        "create",
+        "update",
+        "patch",
+        "delete"
+      ]
+    },
+    {
+      "apiGroups": [""],
+      "resources": ["onepanel-service"],
+      "verbs": ["get", "watch", "list"]
+    }
+  ]
+}

manifest/rolebinding-onepanel-defaultnamespace.json

@@ -0,0 +1,28 @@
+{
+  "apiVersion": "rbac.authorization.k8s.io/v1beta1",
+  "kind": "RoleBinding",
+  "metadata": {
+    "labels": {
+      "app": "onepanel"
+    },
+    "name": "onepanel",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "roleRef": {
+    "apiGroup": "rbac.authorization.k8s.io",
+    "kind": "Role",
+    "name": "onepanel"
+  },
+  "subjects": [
+    {
+      "kind": "ServiceAccount",
+      "name": "default",
+      "namespace": "$(applicationDefaultNamespace)"
+    },
+    {
+      "kind": "ServiceAccount",
+      "name": "$(applicationDefaultNamespace)",
+      "namespace": "$(applicationDefaultNamespace)"
+    }
+  ]
+}

manifest/secret-onepanel-default-env-defaultnamespace.json

@@ -0,0 +1,9 @@
+{
+  "apiVersion": "v1",
+  "kind": "Secret",
+  "metadata": {
+    "name": "onepanel-default-env",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "type": "Opaque"
+}

manifest/secret-onepanel-defaultnamespace.json

@@ -0,0 +1,21 @@
+{
+  "apiVersion": "v1",
+  "kind": "Secret",
+  "metadata": {
+    "name": "onepanel",
+    "namespace": "$(applicationDefaultNamespace)",
+    "labels": {
+      "app.kubernetes.io/component": "onepanel",
+      "app.kubernetes.io/instance": "onepanel-v0.5.0",
+      "app.kubernetes.io/managed-by": "onepanel-cli",
+      "app.kubernetes.io/name": "onepanel",
+      "app.kubernetes.io/part-of": "onepanel",
+      "app.kubernetes.io/version": "v0.5.0"
+    }
+  },
+  "data": {
+    "artifactRepositoryS3AccessKey": "$(artifactRepositoryS3AccessKey)",
+    "artifactRepositoryS3SecretKey": "$(artifactRepositoryS3SecretKey)"
+  },
+  "type": "Opaque"
+}

manifest/service-account.json

@@ -0,0 +1,8 @@
+{
+  "kind": "ServiceAccount",
+  "apiVersion": "v1",
+  "metadata": {
+    "name": "$(applicationDefaultNamespace)",
+    "namespace": "$(applicationDefaultNamespace)"
+  }
+}

manifest/service-minio-onepanel.json

@@ -0,0 +1,37 @@
+{
+  "apiVersion": "networking.istio.io/v1alpha3",
+  "kind": "VirtualService",
+  "metadata": {
+    "name": "minio",
+    "namespace": "$(applicationDefaultNamespace)"
+  },
+  "spec": {
+    "hosts": [
+      "sys-storage-$(applicationDefaultNamespace).$(applicationDomain)"
+    ],
+    "gateways": [
+      "istio-system/ingressgateway"
+    ],
+    "http": [
+      {
+        "match": [
+          {
+            "uri": {
+              "prefix": "/"
+            }
+          }
+        ],
+        "route": [
+          {
+            "destination": {
+              "port": {
+                "number": 9000
+              },
+              "host": "minio-gateway.$(applicationDefaultNamespace).svc.cluster.local"
+            }
+          }
+        ]
+      }
+    ]
+  }
+}

server/auth/auth.go

@@ -105,10 +105,6 @@ func getClient(ctx context.Context, kubeConfig *v1.Config, db *v1.DB, sysConfig
 }
 
 func IsAuthorized(c *v1.Client, namespace, verb, group, resource, name string) (allowed bool, err error) {
-	if resource == "namespaces" && verb == "create" {
-		return false, status.Error(codes.PermissionDenied, "creating namespaces is not supported in the community edition")
-	}
-
 	review, err := c.AuthorizationV1().SelfSubjectAccessReviews().Create(&authorizationv1.SelfSubjectAccessReview{
 		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
 			ResourceAttributes: &authorizationv1.ResourceAttributes{