Merge pull request #355 from eclipse-che/CRW-3328

feat: Delegate only needed roles to user in his namespace
2022-10-06 11:54:28 +03:00 · 2022-10-06 11:54:28 +03:00 · d4e29dfe61
parent 5aa763aab3 dfe5b372c2
commit d4e29dfe61
8 changed files with 91 additions and 169 deletions
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespace.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespace.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2022 Red Hat, Inc.
 * This program and the accompanying materials are made
 * available under the terms of the Eclipse Public License 2.0
 * which is available at https://www.eclipse.org/legal/epl-2.0/
@ -153,10 +153,10 @@ public class KubernetesNamespace {
        throw new InfrastructureException(
            format("Creating the namespace '%s' is not allowed, yet it was not found.", name));
      }
-      namespace = create(name, client);
+      create(name, client);
    }
-    label(namespace, labels);
-    annotate(namespace, annotations);
+    label(client.namespaces().withName(name).get(), labels);
+    annotate(client.namespaces().withName(name).get(), annotations);
  }

  /**
--- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceTest.java
+++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2022 Red Hat, Inc.
 * This program and the accompanying materials are made
 * available under the terms of the Eclipse Public License 2.0
 * which is available at https://www.eclipse.org/legal/epl-2.0/
@ -126,9 +126,14 @@ public class KubernetesNamespaceTest {
  @Test
  public void testKubernetesNamespacePreparingCreationWhenNamespaceDoesNotExist() throws Exception {
    // given
+    doThrow(new KubernetesClientException("error", 403, null))
+        .doReturn(namespaceOperation)
+        .doReturn(namespaceOperation)
+        .when(kubernetesClient)
+        .namespaces();
+    Resource namespaceResource = mock(Resource.class);
+    doReturn(namespaceResource).when(namespaceOperation).withName(anyString());

-    Resource resource = prepareNamespaceResource(NAMESPACE);
-    doThrow(new KubernetesClientException("error", 403, null)).when(resource).get();
    KubernetesNamespace namespace =
        new KubernetesNamespace(clientFactory, cheClientFactory, executor, NAMESPACE, WORKSPACE_ID);

@ -232,9 +237,15 @@ public class KubernetesNamespaceTest {

  @Test
  public void testStopsWaitingServiceAccountEventJustAfterEventReceived() throws Exception {
+    // given
+    doThrow(new KubernetesClientException("error", 403, null))
+        .doReturn(namespaceOperation)
+        .doReturn(namespaceOperation)
+        .when(kubernetesClient)
+        .namespaces();
+    Resource namespaceResource = mock(Resource.class);
+    doReturn(namespaceResource).when(namespaceOperation).withName(anyString());

-    final Resource resource = prepareNamespaceResource(NAMESPACE);
-    doThrow(new KubernetesClientException("error", 403, null)).when(resource).get();
    when(serviceAccountResource.get()).thenReturn(null);
    doAnswer(
            invocation -> {
@ -245,8 +256,11 @@ public class KubernetesNamespaceTest {
        .when(serviceAccountResource)
        .watch(any());

-    new KubernetesNamespace(clientFactory, cheClientFactory, executor, NAMESPACE, WORKSPACE_ID)
-        .prepare(true, Map.of(), Map.of());
+    KubernetesNamespace namespace =
+        new KubernetesNamespace(clientFactory, cheClientFactory, executor, NAMESPACE, WORKSPACE_ID);
+
+    // when
+    namespace.prepare(true, Map.of(), Map.of());

    verify(serviceAccountResource).get();
    verify(serviceAccountResource).watch(any());
--- a/infrastructures/openshift/pom.xml
+++ b/infrastructures/openshift/pom.xml
@ -50,6 +50,10 @@
            <groupId>io.fabric8</groupId>
            <artifactId>kubernetes-model-networking</artifactId>
        </dependency>
+        <dependency>
+            <groupId>io.fabric8</groupId>
+            <artifactId>kubernetes-model-rbac</artifactId>
+        </dependency>
        <dependency>
            <groupId>io.fabric8</groupId>
            <artifactId>openshift-client</artifactId>
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java
@ -54,6 +54,7 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurato
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.NamespaceConfigurator;
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.PreferencesConfigMapConfigurator;
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.SshKeysConfigurator;
+import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPermissionConfigurator;
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPreferencesConfigurator;
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserProfileConfigurator;
 import org.eclipse.che.workspace.infrastructure.kubernetes.provision.GatewayTlsProvisioner;
@ -107,6 +108,7 @@ public class OpenShiftInfraModule extends AbstractModule {

    Multibinder<NamespaceConfigurator> namespaceConfigurators =
        Multibinder.newSetBinder(binder(), NamespaceConfigurator.class);
+    namespaceConfigurators.addBinding().to(UserPermissionConfigurator.class);
    namespaceConfigurators.addBinding().to(UserProfileConfigurator.class);
    namespaceConfigurators.addBinding().to(UserPreferencesConfigurator.class);
    namespaceConfigurators.addBinding().to(CredentialsSecretConfigurator.class);
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProject.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProject.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2022 Red Hat, Inc.
 * This program and the accompanying materials are made
 * available under the terms of the Eclipse Public License 2.0
 * which is available at https://www.eclipse.org/legal/epl-2.0/
@ -14,11 +14,9 @@ package org.eclipse.che.workspace.infrastructure.openshift.project;
 import static java.lang.String.format;

 import com.google.common.annotations.VisibleForTesting;
-import io.fabric8.kubernetes.client.KubernetesClient;
 import io.fabric8.kubernetes.client.KubernetesClientException;
 import io.fabric8.openshift.api.model.Project;
 import io.fabric8.openshift.api.model.ProjectRequestBuilder;
-import io.fabric8.openshift.api.model.RoleBindingBuilder;
 import io.fabric8.openshift.api.model.Route;
 import io.fabric8.openshift.client.OpenShiftClient;
 import java.util.Map;
@ -116,9 +114,7 @@ public class OpenShiftProject extends KubernetesNamespace {
    String workspaceId = getWorkspaceId();
    String projectName = getName();

-    KubernetesClient kubeClient = clientFactory.create(workspaceId);
-    OpenShiftClient osClient = clientFactory.createOC(workspaceId);
-
+    OpenShiftClient osClient = cheServerOpenshiftClientFactory.createOC();
    Project project = get(projectName, osClient);

    if (project == null) {
@ -130,27 +126,11 @@ public class OpenShiftProject extends KubernetesNamespace {
      }

      if (initWithCheServerSa) {
-        OpenShiftClient openshiftClient = cheServerOpenshiftClientFactory.createOC();
-        create(projectName, openshiftClient);
-        waitDefaultServiceAccount(projectName, openshiftClient);
-        openshiftClient
-            .roleBindings()
-            .inNamespace(projectName)
-            .createOrReplace(
-                new RoleBindingBuilder()
-                    .withNewMetadata()
-                    .withName("admin")
-                    .endMetadata()
-                    .addToUserNames(osClient.currentUser().getMetadata().getName())
-                    .withNewRoleRef()
-                    .withApiVersion("rbac.authorization.k8s.io")
-                    .withKind("RoleBinding")
-                    .withName("admin")
-                    .endRoleRef()
-                    .build());
-      } else {
        create(projectName, osClient);
-        waitDefaultServiceAccount(projectName, kubeClient);
+        waitDefaultServiceAccount(projectName, osClient);
+      } else {
+        create(projectName, clientFactory.createOC(workspaceId));
+        waitDefaultServiceAccount(projectName, clientFactory.create(workspaceId));
      }
    }
    label(osClient.namespaces().withName(projectName).get(), labels);
@ -167,7 +147,7 @@ public class OpenShiftProject extends KubernetesNamespace {
    String workspaceId = getWorkspaceId();
    String projectName = getName();

-    OpenShiftClient osClient = clientFactory.createOC(workspaceId);
+    OpenShiftClient osClient = cheServerOpenshiftClientFactory.createOC(workspaceId);

    try {
      delete(projectName, osClient);
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfigurator.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfigurator.java
@ -13,23 +13,18 @@ package org.eclipse.che.workspace.infrastructure.openshift.project.configurator;

 import static com.google.common.base.Strings.isNullOrEmpty;

-import io.fabric8.kubernetes.api.model.ObjectReferenceBuilder;
+import io.fabric8.kubernetes.api.model.rbac.*;
+import io.fabric8.kubernetes.client.KubernetesClient;
 import io.fabric8.kubernetes.client.KubernetesClientException;
-import io.fabric8.openshift.api.model.PolicyRuleBuilder;
-import io.fabric8.openshift.api.model.Role;
-import io.fabric8.openshift.api.model.RoleBinding;
-import io.fabric8.openshift.api.model.RoleBindingBuilder;
-import io.fabric8.openshift.api.model.RoleBuilder;
-import io.fabric8.openshift.client.OpenShiftClient;
 import javax.inject.Inject;
 import javax.inject.Named;
 import javax.inject.Singleton;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
 import org.eclipse.che.api.workspace.server.spi.NamespaceResolutionContext;
 import org.eclipse.che.commons.annotation.Nullable;
+import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.CheInstallationLocation;
 import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.NamespaceConfigurator;
-import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftClientFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@ -42,7 +37,7 @@ import org.slf4j.LoggerFactory;
@Singleton
 public class OpenShiftStopWorkspaceRoleConfigurator implements NamespaceConfigurator {

-  private final OpenShiftClientFactory clientFactory;
+  private final CheServerKubernetesClientFactory cheClientFactory;
  private final String installationLocation;
  private final boolean stopWorkspaceRoleEnabled;
  private final String oAuthIdentityProvider;
@ -52,12 +47,12 @@ public class OpenShiftStopWorkspaceRoleConfigurator implements NamespaceConfigur

  @Inject
  public OpenShiftStopWorkspaceRoleConfigurator(
-      OpenShiftClientFactory clientFactory,
+      CheServerKubernetesClientFactory cheClientFactory,
      CheInstallationLocation installationLocation,
      @Named("che.workspace.stop.role.enabled") boolean stopWorkspaceRoleEnabled,
      @Nullable @Named("che.infra.openshift.oauth_identity_provider") String oAuthIdentityProvider)
      throws InfrastructureException {
-    this.clientFactory = clientFactory;
+    this.cheClientFactory = cheClientFactory;
    this.installationLocation = installationLocation.getInstallationLocationNamespace();
    this.stopWorkspaceRoleEnabled = stopWorkspaceRoleEnabled;
    this.oAuthIdentityProvider = oAuthIdentityProvider;
@ -72,19 +67,20 @@ public class OpenShiftStopWorkspaceRoleConfigurator implements NamespaceConfigur

    try {
      if (stopWorkspaceRoleEnabled && installationLocation != null) {
-        OpenShiftClient osClient = clientFactory.createOC();
+        KubernetesClient client = cheClientFactory.create();
        String stopWorkspacesRoleName = "workspace-stop";
-        if (osClient.roles().inNamespace(projectName).withName(stopWorkspacesRoleName).get()
-            == null) {
-          osClient
-              .roles()
-              .inNamespace(projectName)
-              .createOrReplace(createStopWorkspacesRole(stopWorkspacesRoleName));
-        }
-        osClient
+
+        client
+            .rbac()
+            .roles()
+            .inNamespace(projectName)
+            .createOrReplace(createStopWorkspacesRole(stopWorkspacesRoleName));
+
+        client
+            .rbac()
            .roleBindings()
            .inNamespace(projectName)
-            .createOrReplace(createStopWorkspacesRoleBinding(projectName));
+            .createOrReplace(createStopWorkspacesRoleBinding(stopWorkspacesRoleName));
      }
    } catch (KubernetesClientException e) {
      LOG.warn(
@ -124,18 +120,17 @@ public class OpenShiftStopWorkspaceRoleConfigurator implements NamespaceConfigur
        .build();
  }

-  protected RoleBinding createStopWorkspacesRoleBinding(String projectName) {
+  protected RoleBinding createStopWorkspacesRoleBinding(String name) {
    return new RoleBindingBuilder()
        .withNewMetadata()
-        .withName("che-workspace-stop")
-        .withNamespace(projectName)
+        .withName(name)
        .endMetadata()
        .withNewRoleRef()
-        .withName("workspace-stop")
-        .withNamespace(projectName)
+        .withKind("Role")
+        .withName(name)
        .endRoleRef()
        .withSubjects(
-            new ObjectReferenceBuilder()
+            new SubjectBuilder()
                .withKind("ServiceAccount")
                .withName("che")
                .withNamespace(installationLocation)
--- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectTest.java
+++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2022 Red Hat, Inc.
 * This program and the accompanying materials are made
 * available under the terms of the Eclipse Public License 2.0
 * which is available at https://www.eclipse.org/legal/epl-2.0/
@ -26,7 +26,6 @@ import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.assertNotNull;
 import static org.testng.Assert.assertTrue;

-import com.google.common.collect.ImmutableList;
 import io.fabric8.kubernetes.api.model.Namespace;
 import io.fabric8.kubernetes.api.model.NamespaceBuilder;
 import io.fabric8.kubernetes.api.model.ServiceAccount;
@ -42,7 +41,6 @@ import io.fabric8.openshift.api.model.ProjectRequest;
 import io.fabric8.openshift.api.model.ProjectRequestFluent.MetadataNested;
 import io.fabric8.openshift.api.model.RoleBinding;
 import io.fabric8.openshift.api.model.RoleBindingList;
-import io.fabric8.openshift.api.model.UserBuilder;
 import io.fabric8.openshift.client.OpenShiftClient;
 import io.fabric8.openshift.client.dsl.ProjectOperation;
 import io.fabric8.openshift.client.dsl.ProjectRequestOperation;
@ -112,6 +110,9 @@ public class OpenShiftProjectTest {
    lenient().when(clientFactory.createOC(anyString())).thenReturn(openShiftClient);

    lenient().when(cheServerOpenshiftClientFactory.createOC()).thenReturn(openShiftCheServerClient);
+    lenient()
+        .when(cheServerOpenshiftClientFactory.createOC(anyString()))
+        .thenReturn(openShiftCheServerClient);

    lenient().when(openShiftClient.adapt(OpenShiftClient.class)).thenReturn(openShiftClient);

@ -202,13 +203,6 @@ public class OpenShiftProjectTest {
    when(namespaceOperation.withName(anyString())).thenReturn(serviceAccountResource);
    when(serviceAccountResource.get()).thenReturn(mock(ServiceAccount.class));
    doReturn(projectRequestOperation).when(openShiftCheServerClient).projectrequests();
-    // doReturn(metadataNested).when(metadataNested).withName(anyString());
-    when(openShiftCheServerClient.roleBindings()).thenReturn(mixedRoleBindingOperation);
-    lenient()
-        .when(mixedRoleBindingOperation.inNamespace(anyString()))
-        .thenReturn(nonNamespaceRoleBindingOperation);
-    when(openShiftClient.currentUser())
-        .thenReturn(new UserBuilder().withNewMetadata().withName("user").endMetadata().build());
    // when
    openShiftProject.prepare(true, true, Map.of(), Map.of());

@ -218,46 +212,6 @@ public class OpenShiftProjectTest {
    Assert.assertEquals(captor.getValue().getMetadata().getName(), PROJECT_NAME);
    verifyNoMoreInteractions(openShiftCheServerClient);
    verifyNoMoreInteractions(kubernetesClient);
-    ArgumentCaptor<RoleBinding> roleBindingArgumentCaptor =
-        ArgumentCaptor.forClass(RoleBinding.class);
-    verify(nonNamespaceRoleBindingOperation).createOrReplace(roleBindingArgumentCaptor.capture());
-    assertNotNull(roleBindingArgumentCaptor.getValue());
-  }
-
-  @Test(dependsOnMethods = "testOpenShiftProjectPreparingWhenProjectDoesNotExistWithCheServerSA")
-  public void testOpenShiftProjectPreparingRoleBindingWhenProjectDoesNotExistWithCheServerSA()
-      throws Exception {
-    // given
-    prepareNamespaceGet(PROJECT_NAME);
-
-    Resource resource = prepareProjectResource(PROJECT_NAME);
-    doThrow(new KubernetesClientException("error", 403, null)).when(resource).get();
-    final MixedOperation mixedOperation = mock(MixedOperation.class);
-    final NonNamespaceOperation namespaceOperation = mock(NonNamespaceOperation.class);
-    doReturn(mixedOperation).when(openShiftCheServerClient).serviceAccounts();
-    when(mixedOperation.inNamespace(anyString())).thenReturn(namespaceOperation);
-    when(namespaceOperation.withName(anyString())).thenReturn(serviceAccountResource);
-    when(serviceAccountResource.get()).thenReturn(mock(ServiceAccount.class));
-    doReturn(projectRequestOperation).when(openShiftCheServerClient).projectrequests();
-    // doReturn(metadataNested).when(metadataNested).withName(anyString());
-    when(openShiftCheServerClient.roleBindings()).thenReturn(mixedRoleBindingOperation);
-    lenient()
-        .when(mixedRoleBindingOperation.inNamespace(anyString()))
-        .thenReturn(nonNamespaceRoleBindingOperation);
-    when(openShiftClient.currentUser())
-        .thenReturn(new UserBuilder().withNewMetadata().withName("jdoe").endMetadata().build());
-    // when
-    openShiftProject.prepare(true, true, Map.of(), Map.of());
-
-    // then
-    ArgumentCaptor<RoleBinding> roleBindingArgumentCaptor =
-        ArgumentCaptor.forClass(RoleBinding.class);
-    verify(nonNamespaceRoleBindingOperation).createOrReplace(roleBindingArgumentCaptor.capture());
-    RoleBinding roleBinding = roleBindingArgumentCaptor.getValue();
-    assertNotNull(roleBinding);
-    assertEquals(roleBinding.getMetadata().getName(), "admin");
-    assertEquals(roleBinding.getRoleRef().getName(), "admin");
-    assertEquals(roleBinding.getUserNames(), ImmutableList.of("jdoe"));
  }

  @Test(expectedExceptions = InfrastructureException.class)
@ -596,13 +550,13 @@ public class OpenShiftProjectTest {

    ProjectOperation projectOperation = mock(ProjectOperation.class);
    doReturn(projectResource).when(projectOperation).withName(projectName);
-    doReturn(projectOperation).when(openShiftClient).projects();
+    doReturn(projectOperation).when(openShiftCheServerClient).projects();

    when(projectResource.get())
        .thenReturn(
            new ProjectBuilder().withNewMetadata().withName(projectName).endMetadata().build());

-    openShiftClient.projects().withName(projectName).get();
+    openShiftCheServerClient.projects().withName(projectName).get();
    return projectResource;
  }

@ -611,7 +565,7 @@ public class OpenShiftProjectTest {
        new NamespaceBuilder().withNewMetadata().withName(namespaceName).endMetadata().build();

    NonNamespaceOperation nsOperation = mock(NonNamespaceOperation.class);
-    doReturn(nsOperation).when(openShiftClient).namespaces();
+    doReturn(nsOperation).when(openShiftCheServerClient).namespaces();

    Resource nsResource = mock(Resource.class);
    doReturn(nsResource).when(nsOperation).withName(namespaceName);
--- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfiguratorTest.java
+++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfiguratorTest.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2021 Red Hat, Inc.
+ * Copyright (c) 2012-2022 Red Hat, Inc.
 * This program and the accompanying materials are made
 * available under the terms of the Eclipse Public License 2.0
 * which is available at https://www.eclipse.org/legal/epl-2.0/
@ -20,22 +20,15 @@ import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.testng.Assert.assertEquals;

-import io.fabric8.kubernetes.api.model.ObjectReferenceBuilder;
+import io.fabric8.kubernetes.api.model.rbac.*;
 import io.fabric8.kubernetes.client.KubernetesClient;
 import io.fabric8.kubernetes.client.dsl.MixedOperation;
 import io.fabric8.kubernetes.client.dsl.NonNamespaceOperation;
+import io.fabric8.kubernetes.client.dsl.RbacAPIGroupDSL;
 import io.fabric8.kubernetes.client.dsl.Resource;
-import io.fabric8.openshift.api.model.PolicyRuleBuilder;
-import io.fabric8.openshift.api.model.Role;
-import io.fabric8.openshift.api.model.RoleBinding;
-import io.fabric8.openshift.api.model.RoleBindingBuilder;
-import io.fabric8.openshift.api.model.RoleBindingList;
-import io.fabric8.openshift.api.model.RoleBuilder;
-import io.fabric8.openshift.api.model.RoleList;
-import io.fabric8.openshift.client.OpenShiftClient;
 import org.eclipse.che.api.workspace.server.spi.InfrastructureException;
+import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.CheInstallationLocation;
-import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftClientFactory;
 import org.mockito.Mock;
 import org.mockito.testng.MockitoTestNGListener;
 import org.testng.annotations.BeforeMethod;
@ -54,9 +47,8 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
  @Mock private CheInstallationLocation cheInstallationLocation;
  private OpenShiftStopWorkspaceRoleConfigurator stopWorkspaceRoleProvisioner;

-  @Mock private OpenShiftClientFactory clientFactory;
-  @Mock private OpenShiftClient osClient;
-  @Mock private KubernetesClient kubernetesClient;
+  @Mock private CheServerKubernetesClientFactory cheClientFactory;
+  @Mock private KubernetesClient client;

  @Mock private MixedOperation<Role, RoleList, Resource<Role>> mixedRoleOperation;

@ -74,6 +66,7 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
  @Mock private Resource<RoleBinding> roleBindingResource;
  @Mock private Role mockRole;
  @Mock private RoleBinding mockRoleBinding;
+  @Mock private RbacAPIGroupDSL rbacAPIGroupDSL;

  private final Role expectedRole =
      new RoleBuilder()
@ -106,15 +99,14 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
  private final RoleBinding expectedRoleBinding =
      new RoleBindingBuilder()
          .withNewMetadata()
-          .withName("che-workspace-stop")
-          .withNamespace("developer-che")
+          .withName("workspace-stop")
          .endMetadata()
          .withNewRoleRef()
+          .withKind("Role")
          .withName("workspace-stop")
-          .withNamespace("developer-che")
          .endRoleRef()
          .withSubjects(
-              new ObjectReferenceBuilder()
+              new SubjectBuilder()
                  .withKind("ServiceAccount")
                  .withName("che")
                  .withNamespace("che")
@ -126,10 +118,11 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
    lenient().when(cheInstallationLocation.getInstallationLocationNamespace()).thenReturn("che");
    stopWorkspaceRoleProvisioner =
        new OpenShiftStopWorkspaceRoleConfigurator(
-            clientFactory, cheInstallationLocation, true, "yes");
-    lenient().when(clientFactory.createOC()).thenReturn(osClient);
-    lenient().when(osClient.roles()).thenReturn(mixedRoleOperation);
-    lenient().when(osClient.roleBindings()).thenReturn(mixedRoleBindingOperation);
+            cheClientFactory, cheInstallationLocation, true, "yes");
+    lenient().when(cheClientFactory.create()).thenReturn(client);
+    lenient().when(client.rbac()).thenReturn(rbacAPIGroupDSL);
+    lenient().when(rbacAPIGroupDSL.roles()).thenReturn(mixedRoleOperation);
+    lenient().when(rbacAPIGroupDSL.roleBindings()).thenReturn(mixedRoleBindingOperation);
    lenient()
        .when(mixedRoleOperation.inNamespace(anyString()))
        .thenReturn(nonNamespaceRoleOperation);
@ -156,7 +149,7 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
  @Test
  public void shouldCreateRoleBinding() throws InfrastructureException {
    assertEquals(
-        stopWorkspaceRoleProvisioner.createStopWorkspacesRoleBinding("developer-che"),
+        stopWorkspaceRoleProvisioner.createStopWorkspacesRoleBinding("workspace-stop"),
        expectedRoleBinding);
  }

@ -164,24 +157,8 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
  public void shouldCreateRoleAndRoleBindingWhenRoleDoesNotYetExist()
      throws InfrastructureException {
    stopWorkspaceRoleProvisioner.configure(null, "developer-che");
-    verify(osClient, times(2)).roles();
-    verify(osClient.roles(), times(2)).inNamespace("developer-che");
-    verify(osClient.roles().inNamespace("developer-che")).withName("workspace-stop");
-    verify(osClient.roles().inNamespace("developer-che")).createOrReplace(expectedRole);
-    verify(osClient).roleBindings();
-    verify(osClient.roleBindings()).inNamespace("developer-che");
-    verify(osClient.roleBindings().inNamespace("developer-che"))
-        .createOrReplace(expectedRoleBinding);
-  }
-
-  @Test
-  public void shouldCreateRoleBindingWhenRoleAlreadyExists() throws InfrastructureException {
-    lenient().when(roleResource.get()).thenReturn(expectedRole);
-    stopWorkspaceRoleProvisioner.configure(null, "developer-che");
-    verify(osClient, times(1)).roles();
-    verify(osClient).roleBindings();
-    verify(osClient.roleBindings()).inNamespace("developer-che");
-    verify(osClient.roleBindings().inNamespace("developer-che"))
+    verify(client.rbac().roles().inNamespace("developer-che")).createOrReplace(expectedRole);
+    verify(client.rbac().roleBindings().inNamespace("developer-che"))
        .createOrReplace(expectedRoleBinding);
  }

@ -190,11 +167,9 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
      throws InfrastructureException {
    OpenShiftStopWorkspaceRoleConfigurator disabledStopWorkspaceRoleProvisioner =
        new OpenShiftStopWorkspaceRoleConfigurator(
-            clientFactory, cheInstallationLocation, false, "yes");
+            cheClientFactory, cheInstallationLocation, false, "yes");
    disabledStopWorkspaceRoleProvisioner.configure(null, "developer-che");
-    verify(osClient, never()).roles();
-    verify(osClient, never()).roleBindings();
-    verify(osClient.roleBindings(), never()).inNamespace("developer-che");
+    verify(client, never()).rbac();
  }

  @Test
@ -204,11 +179,9 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
    OpenShiftStopWorkspaceRoleConfigurator
        stopWorkspaceRoleProvisionerWithoutValidInstallationLocation =
            new OpenShiftStopWorkspaceRoleConfigurator(
-                clientFactory, cheInstallationLocation, true, "yes");
+                cheClientFactory, cheInstallationLocation, true, "yes");
    stopWorkspaceRoleProvisionerWithoutValidInstallationLocation.configure(null, "developer-che");
-    verify(osClient, never()).roles();
-    verify(osClient, never()).roleBindings();
-    verify(osClient.roleBindings(), never()).inNamespace("developer-che");
+    verify(client, never()).rbac();
  }

  @Test
@ -217,10 +190,10 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest {
    when(cheInstallationLocation.getInstallationLocationNamespace()).thenReturn("something");
    OpenShiftStopWorkspaceRoleConfigurator configurator =
        new OpenShiftStopWorkspaceRoleConfigurator(
-            clientFactory, cheInstallationLocation, true, null);
+            cheClientFactory, cheInstallationLocation, true, null);

    configurator.configure(null, "something");

-    verify(clientFactory, times(0)).createOC();
+    verify(cheClientFactory, times(0)).create();
  }
 }