chore: rename RBACRequirements to ResourceRequirements, add Version f…

…ield
coder · johnstcn · Aug 27, 2021 · Aug 25, 2021 · Aug 26, 2021 · Aug 26, 2021
commit 7e37c5fd99f37328f5fa3d20b85b1719e78e064b
diff --git a/internal/checks/kube/kubernetes.go b/internal/checks/kube/kubernetes.go
@@ -22,7 +22,7 @@ type KubernetesChecker struct {
 	writer           api.ResultWriter
 	coderVersion     *semver.Version
 	log              slog.Logger
-	rbacRequirements []*RBACRequirement
+	rbacRequirements []*ResourceRequirement
 }
 
 type Option func(k *KubernetesChecker)

diff --git a/internal/checks/kube/rbac.go b/internal/checks/kube/rbac.go
@@ -16,45 +16,6 @@ import (
 	authorizationclientv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
 )
 
-type RBACRequirement struct {
-	APIGroup string
-	Resource string
-	Verbs    []string
-}
-
-type VersionedRBACRequirements struct {
-	VersionConstraints *semver.Constraints
-	RBACRequirements   []*RBACRequirement
-}
-
-var verbsCreateDeleteList = []string{"create", "delete", "list"}
-
-func NewRBACRequirement(apiGroup, resource string, verbs ...string) *RBACRequirement {
-	return &RBACRequirement{
-		APIGroup: apiGroup,
-		Resource: resource,
-		Verbs:    verbs,
-	}
-}
-
-var allVersionedRBACRequirements = []VersionedRBACRequirements{
-	{
-		VersionConstraints: api.MustConstraint(">= 1.20"),
-		RBACRequirements: []*RBACRequirement{
-			NewRBACRequirement("", "pods", verbsCreateDeleteList...),
-			NewRBACRequirement("", "roles", verbsCreateDeleteList...),
-			NewRBACRequirement("", "rolebindings", verbsCreateDeleteList...),
-			NewRBACRequirement("", "secrets", verbsCreateDeleteList...),
-			NewRBACRequirement("", "serviceaccounts", verbsCreateDeleteList...),
-			NewRBACRequirement("", "services", verbsCreateDeleteList...),
-			NewRBACRequirement("apps", "deployments", verbsCreateDeleteList...),
-			NewRBACRequirement("apps", "replicasets", verbsCreateDeleteList...),
-			NewRBACRequirement("apps", "statefulsets", verbsCreateDeleteList...),
-			NewRBACRequirement("extensions", "ingresses", verbsCreateDeleteList...),
-		},
-	},
-}
-
 func (k *KubernetesChecker) CheckRBAC(ctx context.Context) []*api.CheckResult {
 	const checkName = "kubernetes-rbac"
 	authClient := k.client.AuthorizationV1()
@@ -75,7 +36,7 @@ func (k *KubernetesChecker) CheckRBAC(ctx context.Context) []*api.CheckResult {
 	return results
 }
 
-func (k *KubernetesChecker) checkOneRBAC(ctx context.Context, authClient authorizationclientv1.AuthorizationV1Interface, req *RBACRequirement) error {
+func (k *KubernetesChecker) checkOneRBAC(ctx context.Context, authClient authorizationclientv1.AuthorizationV1Interface, req *ResourceRequirement) error {
 	have := make([]string, 0, len(req.Verbs))
 	for _, verb := range req.Verbs {
 		sar := &authorizationv1.SelfSubjectAccessReview{
@@ -109,7 +70,7 @@ func (k *KubernetesChecker) checkOneRBAC(ctx context.Context, authClient authori
 	return nil
 }
 
-func findClosestVersionRequirements(v *semver.Version) []*RBACRequirement {
+func findClosestVersionRequirements(v *semver.Version) []*ResourceRequirement {
 	for _, vreqs := range allVersionedRBACRequirements {
 		if vreqs.VersionConstraints.Check(v) {
 			return vreqs.RBACRequirements

diff --git a/internal/checks/kube/resources_list.go b/internal/checks/kube/resources_list.go
@@ -0,0 +1,53 @@
+package kube
+
+import (
+	"github.com/Masterminds/semver/v3"
+
+	"github.com/cdr/coder-doctor/internal/api"
+)
+
+var allVersionedRBACRequirements = []VersionedResourceRequirements{
+	{
+		VersionConstraints: api.MustConstraint(">= 1.20"),
+		RBACRequirements: []*ResourceRequirement{
+			NewResourceRequirement("", "v1", "pods", verbsCreateDeleteList...),
+			NewResourceRequirement("", "v1", "secrets", verbsCreateDeleteList...),
+			NewResourceRequirement("", "v1", "serviceaccounts", verbsCreateDeleteList...),
+			NewResourceRequirement("", "v1", "services", verbsCreateDeleteList...),
+			NewResourceRequirement("", "rbac.authorization.k8s.io/v1", "roles", verbsCreateDeleteList...),
+			NewResourceRequirement("", "rbac.authorization.k8s.io/v1", "rolebindings", verbsCreateDeleteList...),
+			NewResourceRequirement("apps", "apps/v1", "deployments", verbsCreateDeleteList...),
+			NewResourceRequirement("apps", "apps/v1", "replicasets", verbsCreateDeleteList...),
+			NewResourceRequirement("apps", "apps/v1", "statefulsets", verbsCreateDeleteList...),
+			NewResourceRequirement("extensions", "ingresses", "networking.k8s.io/v1", verbsCreateDeleteList...),
+		},
+	},
+}
+
+// ResourceRequirement describes a set of requirements on a specific version of a resource:
+// whether it exists with that specific version, and what verbs the current user is permitted to perform
+// on the resource.
+type ResourceRequirement struct {
+	APIGroup string
+	Resource string
+	Verbs    []string
+	Version  string
+}
+
+// VersionedResourceRequirements is a set of ResourceRequirements for a specific version of Coder.
+type VersionedResourceRequirements struct {
+	VersionConstraints *semver.Constraints
+	RBACRequirements   []*ResourceRequirement
+}
+
+var verbsCreateDeleteList = []string{"create", "delete", "list"}
+
+// NewResourceRequirement is just a convenience function for creating ResourceRequirements.uname
+func NewResourceRequirement(apiGroup, version, resource string, verbs ...string) *ResourceRequirement {
+	return &ResourceRequirement{
+		APIGroup: apiGroup,
+		Resource: resource,
+		Verbs:    verbs,
+		Version:  version,
+	}
+}